Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information 97598039 梁紀翔 97598050 王謙志 NETLab.

Outline
  Wormhole attack?
  Some detecting methods and limitations
  Using bound distance or time
  Using graph theory and geometry
  Using connectivity information
  Unit Disk Graph model
  Other models
  Wormhole removal
  Simulation result & conclusion

What is a Wormhole?
  Shortcut through space and time

Wormhole Attack

Threats
  Dropping or modifying packets
  Generating unnecessary routing activity by turning off the wormhole link periodically
  Recording traffic for later analysis
  Breaking protocols that rely on geographic proximity

Bound distance or time
  Use node location info. to bound the distance a packet can traverse
  But … hard to determine the “legal” distance
  Use a global clock to bound propagation time
  Useless against physical layer attacks
  Besides … they all need additional hardware

Graph theory and geometry
  Use a combination of one-time authenticated neighbor discovery and guard nodes to attest the source of a transmission
  What if the attack begins before discovery?
  Special guard nodes know their “correct” location and have higher RF power and different RF characteristics
  Impractical

Graph theory and geometry cont.
  Use directional antennas
  Needs a cooperative protocol that shares directional info. between nodes to detect the wormhole
  Use neighbor distance estimation and multi-dimensional scaling to draw a “network layout”
  The layout should be “flat”
  Centralized computation
  Physical layer authentication in packet modulation/demodulation
  Special RF hardware

Limitations
  Additional hardware is not affordable on large scale sensor networks, such as
    Directional antennas
    GPS
    Ultrasound
    Guard nodes with correct location
  Global clock synchronization or computation
  A localized algorithm is the solution
  Use info. collected by the upper layer

Algorithm concept
  Look for forbidden substructures that should not be present in a legal connectivity graph

Unit Disk Graph model
  Idealized model for a multi-hop wireless network
  Each node is modeled as a disk with unit radius
  The unit radius is the communication range with an omni-directional antenna
  Each node is a neighbor of all nodes within its disk

Hardness
  NP-hard to detect a wormhole in a UDG
  Equivalent to finding a UDG embedding of a graph in 2D
  Proven NP-hard problem
  The algorithm looks for structures that do not allow a UDG embedding
  Due to the hardness, 100% wormhole detection is not guaranteed
  But it provides a sufficiently high detection rate

Disk packing
  In a fixed region, one cannot pack too many nodes without having edges in between
  Packing number -
  Maximum number of points inside region S such that every pair of points is strictly more than distance r away from each other

Disk packing cont.
  - A unit disk D of radius R centered at u
  Lune -
  Intersection of 2 disks of radius R centered at u, v, with distance r away

Disk packing cont.
  Lemma 1
  When R = r = 1
  Lemma 2
  for

Forbidden substructure
  a and b (non-neighbors) have three common independent neighbors c, d, e
  By Lemma 1, this cannot happen
  If only c, d are in region B, it will fail

Forbidden substructure cont.
  For the low density case
  Look among k-hop neighbors
  Find common independent k-hop neighbors of two non-neighbor nodes
  Forbidden substructures used in the algorithm
  3 independent common 1-hop neighbors
  independent common k-hop neighbors
  - Forbidden parameter

Forbidden substructure cont.
  must be more than the packing number for unit distance inside the lune of two disks of radii k placed at distance 1
  Radius k for modeling the k-hop neighborhood
  1 for modeling the lower bound of the distance between non-neighbors

Forbidden substructure cont.
  If a network has a forbidden substructure
  There must be a wormhole
  For a given node density with a wormhole present
  Higher k, higher detection possibility
  A larger neighborhood provides more nodes to work with

Algorithm
  1. Find the forbidden parameter
  2. Each node u determines its 2k-hop neighbor list, execute following steps for each non-neighboring node v in

Algorithm cont.
  3. u determines the set of common k-hop neighbors with v from their k-hop neighbor list
    can be obtained by simply exchanging lists
  4. u determines the maximal independent set of
    Finding the maximum independent set is NP-hard
    Use a greedy algorithm

Algorithm cont.
  5. If the maximal independent set size is equal or larger than, u declares the presence of a wormhole
  For most cases, k = 1 is sufficient, with
  to check non-neighbor nodes in the 2-hop neighborhood
  to find the maximal independent set
  d is the average degree of nodes
  k = 2 for fairly low density cases
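The five steps above for the k = 1 case, with three independent common 1-hop neighbors as the forbidden substructure, run on a clean unit disk graph and on the same graph with a wormhole. This is an added example, not code from the slides or the cited paper; the integer grid, the squared range of 2, the two wormhole end sets and the lowest-degree-first greedy ordering are assumptions made for it.

```python
from collections import deque
from itertools import product

def unit_disk_graph(points, r2):
    """u and v are neighbors iff squared distance <= r2 (integers, no rounding)."""
    adj = {p: set() for p in points}
    for u, v in product(points, repeat=2):
        if u != v and (u[0] - v[0]) ** 2 + (u[1] - v[1]) ** 2 <= r2:
            adj[u].add(v)
    return adj

def add_wormhole(adj, end_a, end_b):
    """Tunnel: every node near one end hears every node near the other end."""
    out = {n: set(nb) for n, nb in adj.items()}
    for a, b in product(end_a, end_b):
        out[a].add(b)
        out[b].add(a)
    return out

def k_hop(adj, src, k):
    """Nodes within k hops of src (src excluded), found by BFS."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        n = queue.popleft()
        if dist[n] < k:
            for m in adj[n]:
                if m not in dist:
                    dist[m] = dist[n] + 1
                    queue.append(m)
    return set(dist) - {src}

def greedy_independent_set(adj, cand):
    """Maximal independent set of cand; lowest induced degree first (assumed order)."""
    chosen = []
    for n in sorted(cand, key=lambda n: (len(adj[n] & cand), n)):
        if all(n not in adj[c] for c in chosen):
            chosen.append(n)
    return chosen

def detect(adj, k=1, f_k=3):
    """Nodes that find >= f_k independent common k-hop neighbors with a non-neighbor."""
    reporters = set()
    for u in adj:
        near_u = k_hop(adj, u, k)
        # Step 2: every non-neighboring node v in the 2k-hop neighborhood of u.
        for v in k_hop(adj, u, 2 * k) - adj[u]:
            common = near_u & k_hop(adj, v, k)          # step 3
            if len(greedy_independent_set(adj, common)) >= f_k:  # steps 4 and 5
                reporters.add(u)
                break
    return reporters

# Constructed sample: 12 x 3 integer grid, range sqrt(2) so diagonals are links.
GRID = [(x, y) for x in range(12) for y in range(3)]
CLEAN = unit_disk_graph(GRID, r2=2)
END_A = [p for p in GRID if p[0] <= 2]   # nodes in range of one tunnel end
END_B = [p for p in GRID if p[0] >= 9]   # nodes in range of the other end
ATTACKED = add_wormhole(CLEAN, END_A, END_B)

if __name__ == "__main__":
    print("clean reporters:", sorted(detect(CLEAN)))
    print("attacked reporters:", sorted(detect(ATTACKED)))
```

Only nodes whose 2-hop neighborhood touches a tunnel end report; nodes in the middle of the grid see a legal unit disk graph and stay silent.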

Node distribution
  is theoretical worst case
  With known distribution, can be much smaller
  Smaller, higher detection rate
  But … too small will have false positives
  Unless node density is very high
  It's unlikely to find that many common independent 2-hop neighbors

Communication models
  UDG is overly simplified
  Packet reception range is not a perfect disk
  For other communication models
  The same algorithm applies
  But finding by mathematical or geometrical ways

Known models
  Quasi-UDG
  Distance within α ≦ 1 - link
  Distance larger than 1 - no link
  Run a simulation with the target distribution to obtain the connectivity graph
  Then estimate the forbidden parameter

Known models cont.
  For any pair of non-neighboring nodes
  Find the maximal independent set among their common k-hop neighbors
  Take the maximum as
  Used in the simulation results to obtain a tight bound
  If the model is probabilistic
  is also probabilistic
  Notice that false positives are still possible

Unknown model
  Parametric search for unknown
  Use a large initial value to run the algorithm
  If no detection, halve the value and rerun
  Until a very small fraction of nodes report a wormhole
  Or the minimum number of tolerable false positives
  Run this search in a safe part of the network

Unknown model cont.
  If there is no safe place
  Assume a “threat level”
  Guidance for what fraction of nodes must report a wormhole
  So will not be reduced any further

Wormhole removal
  Manually isolate the affected links
  Process for 1-hop, UDG
  Corrupted nodes verify their neighbor lists with uncorrupted nodes
  Ignore transmissions from suspicious nodes

Simulation environment
  Models
    UDG
    Quasi-UDG
    Model used in the TOSSIM simulator
  Distributions
    Perturbed grid (a planned sensor deployment)
    Random
  144 nodes, single wormhole, k ≤ 2, repeated 10,000 times

Quasi-UDG
  Transmission radius - R
  Quasi-UDG factor - 0 ≤ α ≤ 1
  Link - distance d within αR
  No link - d > R
  d in [αR, R] - link with probability
  Use α = 0.75 in simulation
  TOSSIM model - link probability
  - bit error probability

Distributions
  Perturbed 12×12 grid
  [x-px, x+px], [y-py, y+py]
  Perturbation parameter - 0.0 ≤ p ≤ 0.5
  Randomly chosen x, y coordinates
  Node density
  Change R for (Quasi-)UDG
  Change geographic area for TOSSIM

Experiments
  Create topology
  Check connectivity
  Disconnected if any two nodes do not have a route
  Run the algorithm to see false positives
  Apply the wormhole, run the algorithm to detect

Results
  Perturbed grid, p = 0.2
  [Figure panels: UDG, Quasi-UDG, TOSSIM]

Random
  [Figure panels: TOSSIM, UDG, Quasi-UDG]

100% detection and no false alarms when the network is connected
90% detection when 50% chance disconnected
Detection drops for low density cases, but network disconnection also increases
Detection performance gets worse as the randomness
Estimation of is more accurate if less randomness

1-hop does not perform well in non-UDG cases
Quasi-UDG, random distribution
1-hop detection rate when increase

Parametric search for
  k = 1, quasi-UDG, perturbed grid with p = 0.2, average degree = 6
  Suitable can be estimated by observing false positive probability
  Detections show first, before false positives
  Critical value of is 4

Conclusion
  Pros
    Simple and localized
    Universal to node distribution and communication model
  Cons
    Not suitable for frequent connectivity changes (VANET, MANET)
    Cannot detect a short wormhole link

References
  R. Maheshwari, J. Gao and S. R. Das, “Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information,” in INFOCOM th IEEE International Conference on Computer Communications. IEEE, 2007, pp
  Wikipedia (
  Wormhole Attack Detection in Wireless Network (

Any Questions? and Thanks!!