Sage Journals: Discover world-class research

Abstract

If a wireless sensor network (WSN) is deployed in a hostile environment, the intrinsic limitations of the nodes lead to many security issues. In this paper, we address a particular attack to the location and neighbor discovery protocols, carried out by two colluding nodes that set a wormhole to try to deceive an isolated remote WSN node into believing that it is a neighbor of a set of local nodes. To counteract such threat, we present a framework generically called detection of wormhole attacks using range-free methods (DWARF) under which we derive two specific wormhole detection schemes: the first approach, DWARFLoc, performs jointly the detection and localization procedures employing range-free techniques, while the other, DWARFTest, uses a range-free method to check the validity of the estimated position of a node once the location discovery protocol is finished. Simulations show that both strategies are effective in detecting wormhole attacks, and their performances are compared with that of a conventional likelihood ratio test (LRT).

1. Introduction

Wireless sensor networks (WSNs) are composed of a potentially large number of low-cost and resource-constrained devices which are often distributed over a wide area. Thus, if a WSN is deployed in an unfriendly environment, providing security to the involved network protocols is a challenging task that usually requires the use of different combined strategies [1].

A protocol that deserves special attention from a security point of view is neighbor discovery (ND). This is because one of the most basic requirements in a WSN is the ability of every node to reliably determine which of the other nodes are within its radio range so that it can establish single-hop links with them. Trustworthy ND is a cornerstone for securing higher-level network protocols and system functionalities, such as physical and network access control, data routing, and node localization [2].

In a hostile environment, a WSN can be compromised by different threats, but the so-called wormhole or relay attack lies among the most devastating [3]. A wormhole is a high-speed direct communication link between two malicious nodes that act in collusion by capturing network packets on one end, sending them through the wormhole and replaying them at the other end. Thus, to launch a wormhole attack, an adversary does not need to infect any network node or break any cryptographic system, making it a quite severe threat to WSNs.

Wormholes completely distort the network topology, making distant nodes to appear as local for a given node looking for its neighbors. As a side effect of a failed ND due to a wormhole, most location discovery (LD) protocols will also be compromised; this is because the wormhole severely distorts all the measurements related to the relative positions of the nodes. However, in some cases, the high sensitivity of LD protocols to wormholes can be turned into an advantage, because the localization process can be suitably modified to detect the presence of an attack.

In this paper we address this approach for the detection of wormholes. Specifically, we propose a general framework called detection of wormhole attacks using range-free methods (DWARF) that has two modes of operation: the first one (DWARFLoc) performs the detection of a wormhole simultaneously with the localization procedure, while the second one (DWARFTest) is a postlocalization detector that tries to validate the node position after this latter is obtained. The principles of DWARF are rooted in the exploitation of the ideas underlying the operation of a range-free localization method, namely, the so-called “sensor localization with Ring Overlapping based on Comparison of Received Signal Strength Indicator” (ROCRSSI) algorithm [4].

The main contributions of this paper are as follows.

(i)

The formulation of a simplified attack model for which the detection of a wormhole can be rigorously formulated as a binary hypothesis testing problem.

(ii)

The derivation of the likelihood ratio test (LRT) as the asymptotically optimal solution for the wormhole detection problem. However, the LRT requires a precise statistical model for the observations.

(iii)

The derivation of DWARFLoc and DWARFTest as robust alternatives to the LRT, because they are not tied to any particular channel model.

(iv)

The evaluation of the relative performances of both categories of tests (LRT and DWARF) through simulations.

The rest of the paper is organized as follows. Section 2 reviews related work concerning wormhole detection. Section 3 presents basic ideas about range-free localization and briefly describes the ROCRSSI algorithm. Section 4 defines the particular attack to be counteracted. Section 5 formulates the wormhole detection problem under the framework of statistical hypothesis testing and derives the LRT. Section 6 presents the two wormhole detection strategies DWARFLoc and DWARFTest. Section 7 evaluates the performance of the different wormhole detection strategies through simulations. Finally, section 8 draws some conclusions.

2. Related Work

In recent years, the topic of secure ND has been extensively studied and a lot of different defensive measures against wormhole attacks are described in the related literature.

For instance, it is proposed in [3] the use of location and time stamps, that is, geographical and temporal “leashes”, attached to network packets to detect wormhole attacks; therefore, this strategy assumes that all the nodes know their exact positions and are synchronized in time, which are probably unrealistic hypotheses if the network is under attack.

In [5], a wormhole detection algorithm for a multihop wireless network is presented, based on a search of forbidden substructures in the connectivity graph.

The authors of [6] present different preventive mechanisms against wormholes and propose an intruder detection system, LIDeA, in which every node analyzes their neighbors and collaborates to detect suspicious nodes using a voting strategy.

In [7], the authors introduce a graph-based and beacon-less solution that detects wormholes visually by reconstructing the network topology using only inaccurate distances between the nodes; however, an irregular-shaped network or multiple wormholes may lead to an incorrect detection.

The cryptographic concept of “pairing” is introduced in [8]. The article describes a node-to-node neighborhood authentication protocol based on location-based keys (private keys of individual nodes that are bound to their identities and positions), to avoid malicious nodes to join the network.

Wu et al. [9] propose a localization scheme based on hop counts (DV-Hop) by labeling the neighboring nodes of beacon nodes according to different algorithms to detect wormhole attacks; nevertheless, the proposed scheme does not work well if the network has packet losses or the transmission ranges of all nodes are not identical.

Robust localization techniques were described in [10, 11], using the concept of “verifiable multilateration.” Both are range-based approaches: while ROPE [10] provides secure localization and location verification using directional antennas and distance bounding, SPINE [11] estimates the distances between the nodes by measuring the time of flight of the radio signal. These solutions require either perfectly known directional antennas or specific transceivers capable of measuring the time of flight.

A secure range-free localization method called SeRLoc was proposed in [12], where the nodes are supposed to be equipped with static directional antennas with a fixed communication range, the nodes are localized by overlapping regions within communication range, and the wormholes are detected by checking the properties of message uniqueness and communication range violation. HiRLoc [13] is the evolution of SeRLoc and provides a high-resolution localization by adding two variables to the localization algorithm, the angle of rotation of the antennas, and the transmission power, increasing the complexity of the nodes.

Recently, ConSetLoc [14] proposes a robust range-free localization scheme based on evaluating the relationship between hops and distances and then applying convex constraints in geometry to reduce localization errors induced by wormholes.

For moving nodes, a secure ND protocol called MSDN [15] has been proposed, applying the notion of graph rigidity to aid moving network nodes in the verification of neighbors.

All the procedures for secure ND described above assume that the two colluding nodes forming a wormhole are located within the network deployment area. However, as we will see in Section 4, the particular threat we will address in this paper assumes that one of the wormhole nodes is situated out of the range of the WSN nodes but in the vicinity of an isolated node which is the target of the attack. So, this particular wormhole attack to the LD and ND protocols cannot be detected by conventional techniques.

3. Range-Free Localization

Traditional localization techniques rely on providing network nodes with auxiliary devices capable of self-acquiring their coordinates in a geographical reference system, such as global positioning system (GPS) receivers. Such solutions, however, have severe drawbacks in terms of their cost and energy consumption and are unable to operate indoors. A much more flexible approach to LD is obtained if we assume that only a small number of network nodes are assumed to know their own locations (through GPS receivers or system configuration), while the other nodes are only able to measure their relative distances to other neighbor nodes and use these data to position themselves. Focusing on the physical layer (PHY) level, received signal strength (RSS) is a parameter readily available in most commercial sensor nodes, usually in a coarsely quantized form called RSS indicator (RSSI). RSS measurements can be used for localization, because they are related to the distances between nodes [16, 17]; however, as they strongly depend on the particular hardware used and also on often unpredictable environment conditions, in many cases they cannot be used to directly estimate distances. Therefore, in recent times several “range-free” alternatives to localization have been proposed; these methods use an indirect approach and provide localization without the need of accurate distance estimations.

We point here that there is some controversy regarding the expression “range-free” when applied to localization because, for some authors, this term only refers to techniques based on connectivity information, which can be interpreted as a binary quantization of RSS. We will, however, adopt a broader interpretation of “range-free” schemes as those that use RSS values but do not rely on the existence of any precise relationship between RSSs and distances, only assuming there is a loose link between these parameters [18]. We will also call these methods “nonparametric,” as opposed to “parametric” or “range-based” approaches, which require a precise model relating RSS values to distances.

For instance, if we denote the Euclidean distance between two arbitrary network nodes at positions x and y as $d (x, y) \equiv | | x - y | |$ and the RSS (in dBm) measured at the receiver of node y for a signal transmitted by node x as $r (x, y)$ , a common basic assumption in many range-free methods is the validity of a simple monotonicity constraint:

\begin{matrix} r (x, y) > r (x, y) ⟺ d (x, y) < d (x, y), \forall x, y, z \in ℝ^{2} . \end{matrix}

(1)

Notice that because the transmitted power is assumed to be unknown, RSS measurements are not expected to be symmetric that is, $r (x, y) \neq r (y, x)$ . One of the most straightforward approaches to the solution of the problem of localizing a node based on the restriction (1) is given by the so-called ROCRSSI algorithm [4].

This range-free localization method assumes that there is a node trying to estimate its own unknown position p, surrounded by N “anchor nodes” located at known positions $a_{1}, a_{2}, \dots, a_{N}$ . Every anchor node is continuously broadcasting beacon packets that include, along with its own location, the RSS values corresponding to beacon signals received from all the other anchor nodes in its vicinity. Therefore, for every anchor $a_{i}$ $(i = 1,2, \dots, N)$ in the neighborhood of p, we will assume that the following RSS values are available:

One anchor-to-node RSS: $r (a_{_{i}}, p)$ ,

$N - 1$ anchor-to-anchor RSSs: $r (a_{_{i}}, a_{j})$ , for all $i \neq j$ .

Now, by applying the monotonicity constraint (1) to this set of RSS measurements, the localization algorithm obtains the tightest possible lower and upper bounds, $ρ_{1}^{(i)}$ and $ρ_{2}^{(i)}$ , respectively, for the possible values of the distance between the ith anchor and the node to be located; this, in turn, translates to a restriction in the position of the node as a ring $R (a_{i}, ρ_{1}^{(i)}, ρ_{2}^{(i)})$ , centered around $a_{i}$ and with inner and outer radii $ρ_{1}^{(i)}$ and $ρ_{2}^{(i)}$ ; respectively,

\begin{array}{l} R (a_{i}, ρ_{1}^{(i)}, ρ_{2}^{(i)}) = {p \in ℝ^{2} : ρ_{1}^{(i)} < d (a_{i}, p) < ρ_{2}^{(i)}}, \\ i = 1,2, \dots, N, \end{array}

(2)

with $ρ_{1}^{(i)}$ and $ρ_{2}^{(i)}$ obtained as

\begin{matrix} ρ_{1}^{(i)} = {\begin{cases} d (a_{i}, a_{m}), & if \exists r (a_{i}, a_{m}) \\ = \inf {r (a_{i}, a_{j}), j \neq i : r (a_{i}, a_{j}) > r (a_{i}, p)}, \\ 0, & otherwise, \end{cases} \\ ρ_{2}^{(i)} = {\begin{cases} d (a_{i}, a_{n}), & if \exists r (a_{i}, a_{n}) \\ = \sup {r (a_{i}, a_{j}), j \neq i : r (a_{i}, a_{j}) < r (a_{i}, p)}, \\ \infty, & otherwise, \end{cases} \end{matrix}

(3)

where $\inf (S)$ and $\sup (S)$ denote the infimum and supremum of the set S, respectively.

After repeating this procedure for all the anchors, the node is found to be located on the intersection of a set of rings $R (a_{i}, ρ_{1}^{(i)}, ρ_{2}^{(i)})$ , $i = 1,2, \dots, N$ , of the form (2); finally, the node position is estimated as the centroid of the intersection region. Notice that unlike range-based methods, range-free localization techniques cannot obtain the exact node position p, even in the absence of measurement errors, because they only provide bounds for the location; however, these bounds tend to be tighter as the number of anchors N increases.

With actual measurements, the condition (1) does not hold for every pair of nodes because the radio channel is usually anisotropic, so that not all the rings (2) have a common intersection. The compromise solution in such cases is to assume the UN to be in the region of the plane where most of the rings intersect. This is equivalent to assume that every anchor “votes” for a given ring as a candidate to hold the UN, and the region of the plane that gets the higher number of votes is finally elected. Such voting strategy has the added benefit of providing a good degree of robustness to attacks to the localization process triggered by malicious anchors [19, 20].

On the other hand, the achieved number of votes (i.e., intersecting rings) for the region of the plane finally elected is also an indicator of the “degree of success” of the localization process: a high value for this number (relative to its absolute maximum, i.e., the number of anchors N) implies that RSS measurements are highly correlated to actual distances between nodes, so that the monotonicity constraint (1) is fulfilled in most situations. This fact is illustrated in Figure 1, where we can see examples of two extreme cases: Figure 1(a) represents the distribution of the number of votes when the node to be located receives RSS measurements that are independent of distances, while Figure 1(b) illustrates a situation where RSSs are deterministically related to distances; notice the presence of a sharp peak in this latter case, highlighting the area where the node is located.

Figure 1

Spatial distributions of the number of intersecting rings with $N = 10$ anchors. (a) RSS measurements independent of distances. (b) RSS measurements inversely related to distances.

The ROCRSSI algorithm, unlike other range-free approaches, does not require any special hardware at the nodes (like directive antennas) and its implementation does not depend on parameters that are somewhat imprecisely defined such as the “communication range,” commonly employed by range-free methods based on connectivity.

4. Attack Model

We will assume the existence of an adversary who tries to deceive both the location and neighborhood discovery protocols by forcing a remote compromised node to appear as a neighbor of the local network nodes. To accomplish this, the attacker uses a wormhole link with two endpoints: one in the vicinity of the anchor nodes, and the other within the radio range of the compromised node (see Figure 2); the wormhole local node captures beaconing packets sent from the anchor nodes and tunnels them to the wormhole remote node through a dedicated high-speed link, so that they arrive unmodified at the compromised node. This latter node, then, applies the localization procedure using these packets as if they came directly from the anchors, therefore resulting in a fake position within the deployment area of the local network. As the wormhole nodes act as simple relays and do not manipulate the information contained in the packets, wormhole attacks resist defensive measures solely based on cryptographic protocols.

Figure 2

Wormhole attack to location and neighbor discovery.

Once the compromised node is falsely positioned, the network can become vulnerable to different exploits. For instance, the compromised node could inadvertently inject misleading information into the local network or obtain sensitive data from other nodes and flow them through the wormhole link. Another possibility for an adversary comes from the fact that the wormhole local node can be easily masqueraded as an authenticated local node by impersonating the compromised node; in this way, anyone who physically bears the wormhole local node could gain access to restricted areas or secret information [2].

The model of Figure 2, in spite of its simplicity, captures the essential mechanism of a wormhole attack to LD and ND protocols. Ironically, however, most existing wormhole detection schemes cannot cope with this simple attack for several reasons as follows.

(i)

The simple scenario of Figure 2 assumes that in a normal situation (no attack), all the active nodes are neighbors; this precludes the use of secure LD or ND techniques solely based on connectivity information or hop counts. Obviously, methods for wormhole detection based on the analysis of “network layer” parameters (routes, traffic, etc.) are also inapplicable.

(ii)

The compromised node only communicates with the remote wormhole node, so it cannot get cooperation from “real” neighbors in the localization process or the detection of the attack.

(iii)

A wormhole attack is undetectable by “network-based” localization techniques [21]: if the position of the node is obtained from signals received by the anchors, the compromised node will be always located at the position of the wormhole local node. Therefore, the LD procedure should be performed at the unlocalized node, using data it received from the anchors, because the unlocalized node is the only one that can detect inconsistencies caused by a wormhole attack.

On the other hand, the model of Figure 2 is simple enough to allow the application of standard tools of statistical decision theory to the problems of node localization and wormhole detection.

As a wormhole attack challenges higher-level protocols, most effective procedures to detect such attacks are based on looking for inconsistencies in measurements performed at the physical layer level. In the next sections, we develop different detection strategies that analyze the RSS values measured by the nodes interacting in the localization procedure.

5. Wormhole Detection Using RSS: Parametric Approach

Any wormhole detection procedure can be stated as a binary hypothesis testing problem: given a vector of N RSS observations $r = {[r_{1}, r_{2}, \dots, r_{N}]}^{T}$ , we must decide between hypothesis $H_{0}$ (no wormhole is present) and $H_{1}$ (a wormhole attack is active). However, to formalize the test we need a suitable statistical description of the observations. In the sequel, we will use the standard log-distance path-loss model [22] that links RSS values (in logarithmic scale) to distances as

\begin{matrix} r (x, y) = K - 10 α \log_{10} d (x, y) + e, \end{matrix}

(4)

where x and y are the positions of the transmitter and receiver, respectively, K is the mean received power (in dBm) at unit distance, α is the path-loss exponent (which depends on the environment), and e is a zero-mean Gaussian random variable with standard deviation σ (in dB) that takes into account shadowing effects. Therefore, $r (x, y)$ is also a Gaussian random variable with standard deviation σ and mean $μ (x, y)$ , with

\begin{matrix} μ (x, y) = K - 10 α \log_{10} d (x, y) . \end{matrix}

(5)

Now, assuming that the observations are independent and identically distributed (IID), the distribution of r is multivariate normal with mean vector $μ = {[μ_{1}, μ_{2}, \dots, μ_{N}]}^{T}$ and covariance matrix $σ^{2} I$ , where I is the identity matrix, so that the joint probability density function (PDF) of the RSS measurements is

\begin{matrix} f (r; μ) = {(2 π σ^{2})}^{- N / 2} \exp [- \frac{1}{2 σ^{2}} {(r - μ)}^{T} (r - μ)], \end{matrix}

(6)

where the superscript T denotes “transpose.” The assumption of IID observations is valid whenever they are associated to transmitters and/or receivers located at different positions and shadow fading is spatially uncorrelated.

According to (5), the only parameter of (6) that depends on the position is μ , so we will formulate the wormhole detection problem as a test of the mean vector of r:

\begin{matrix} H_{0} : μ = μ_{0}, \\ H_{1} : μ \neq μ_{0}, \end{matrix}

(7)

where $μ_{0}$ is determined assuming there is no wormhole present.

Now, depending on the origin of the measurements, we can define two different tests. The first one is carried out by the unlocalized node, which performs the localization and wormhole detection processes simultaneously, using RSS values obtained from packets supposedly transmitted by the anchors. The second strategy can be applied after the node is localized and is performed by the anchors, which analyze the RSS measurements obtained from packets supposedly transmitted by the localized node. Both schemes are presented in Sections 5.1 and 5.2, respectively.

5.1. Simultaneous Localization and Wormhole Detection: Likelihood Ratio Test

In this scheme, the anchors broadcast beaconing packets containing their positions, conveniently enciphered and authenticated to prevent other kinds of attacks. These packets are intended to be received by the unlocalized node, which measures their RSS values and then decrypts them to obtain the positions of the anchors. As stated previously, assuming that the statistical model for the RSS observations (6) is valid, then the wormhole detection procedure can be formulated as a hypothesis testing problem of the form (7), where the measurements $r {= [r_{1}, r_{2}, \dots, r_{N}]}^{T}$ are, in our case, collected by the unlocalized node.

Therefore, if the hypothesis $H_{0}$ (no wormhole) is true, then the observations are RSS values of packets transmitted by the anchors at known positions ${a_{1}, a_{2}, \dots, a_{N}}$ (see Figure 3(a)), so that we have the null hypothesis

\begin{matrix} H_{0} : r_{i} = r (a_{i}, p), i = 1,2, \dots, N \end{matrix}

(8)

and according to (5), the elements of vector $μ_{0}$ in (7) are

\begin{matrix} μ_{0, i} = K - 10 α \log_{10} d (a_{i}, p), i = 1,2, \dots, N . \end{matrix}

(9)

Figure 3

Scenarios for secure neighbor discovery assuming no wormhole is present. (a) Simultaneous localization and wormhole detection. (b) Wormhole detection after localization.

However, under $H_{1}$ (wormhole attack), the packets obtained by the unlocalized node come from the remote wormhole node, as shown in Figure 2; therefore, the RSS values for these packets will be totally unrelated to the anchors positions We will further assume that the remote wormhole node “randomizes” the observations (e.g., by changing its transmitted power) to avoid that they all take the same value and so circumvent a trivial detection; thus, the assumption of IID observations also holds true under $H_{1}$ .

Notice that, as the position of the node p is unknown, both $H_{0}$ and $H_{1}$ of (7) are composite hypotheses. Therefore, we can obtain the likelihood ratio test (LRT) [23] as

\begin{matrix} Decide H_{1} (wormhole present) iff Λ (r) > η, \end{matrix}

(10)

where $Λ (r)$ is the likelihood ratio

\begin{matrix} Λ (r) = \frac{\max_{μ} f (r; μ)}{\max_{μ_{0}} f (r; μ_{0})} \end{matrix}

(11)

and η is a threshold selected so that we have a given probability of false alarm (PFA). Taking into account (6) and (9), we have

\begin{matrix} f (r; μ_{0}) = {(2 π σ^{2})}^{- N / 2} \exp [- \frac{1}{2 σ^{2}} V (p)] \end{matrix}

(12)

with

\begin{matrix} V (p) = \sum_{i = 1}^{N} {[r_{i} - K + 10 α \log_{10} d (a_{i}, p)]}^{2} . \end{matrix}

(13)

The numerator of (11) is easily obtained, according to (6), as

\begin{matrix} \max_{μ} f (r; μ) = {(2 π σ^{2})}^{- N / 2} \end{matrix}

(14)

while the denominator of (11) is, according to (12),

\begin{matrix} \max_{μ_{0}} f (r; μ_{0}) = {(2 π σ^{2})}^{- N / 2} \exp [- \frac{1}{2 σ^{2}} V (\hat{p})], \end{matrix}

(15)

where $\hat{p}$ is the maximum likelihood estimate (MLE) of p under $H_{0}$ , defined as

\begin{matrix} \hat{p} = \arg \max_{p} f (r; μ_{0}) . \end{matrix}

(16)

Taking into account the inverse relationship between $f (r; μ_{0})$ and $V (p)$ , (16) can be also expressed as

\begin{matrix} \hat{p} = \arg \min_{p} V (p) \end{matrix}

(17)

so that $\hat{p}$ is obtained as the solution of a nonlinear least square (NLS) problem. Finding the global solution of (17) is, in general, a difficult optimization problem because of the existence of multiple local minima in the objective function. Therefore, it is customary to resort to simpler suboptimal alternatives to the exact MLE that guarantee a single local minimum [24, 25].

Now, taking into account (11), (14), and (15), we can compute the logarithm of the likelihood ratio as

\begin{matrix} \ln Λ (r) = \frac{V (\hat{p})}{2 σ^{2}} \end{matrix}

(18)

so that a test equivalent to (10) is

\begin{matrix} Decide H_{1} iff V (\hat{p}) > η^{'}, \end{matrix}

(19)

where $η'$ is another suitable threshold, selected so that

\begin{matrix} P [V (\hat{p}) > η^{'} ∣ H_{0}] = P_{FA} \end{matrix}

(20)

with $P_{FA}$ the probability of false alarm. The LRT is summarized in Algorithm 1.

Algorithm 1: Simultaneous localization and wormhole detection. Parametric approach: likelihood ratio test.

Inputs:

Set of trustworthy anchor positions: ${a_{i}, i = 1,2, \dots, N}$

Set of untrustworthy anchor to node RSSs: ${r_{i} = r (a_{i}, p), i = 1,2, \dots, N}$

Parameters of the path-loss model: K and α.

Detection threshold: $η^{'}$

Steps:

(1) Obtain $\hat{p}$ as the maximum likelihood estimate (MLE) of the position of the node using (17) and (13).

(2) Compute the test statistic $V (\hat{p})$ using (13).

(3) if $V (\hat{p}) > η^{'}$ then

(4) set wormhole_flag ←true

(5) else

(6) set wormhole_flag←false

(7) end if

(8) return wormhole_flag and estimated position $\hat{p}$

We can see from (13) that $V (\hat{p})$ is the sum of the squared residuals, so it represents a measure of the “quality” of the MLE $\hat{p}$ .

5.2. Wormhole Detection after Localization: Likelihood Ratio Test

Another wormhole detection strategy could be implemented after a given node has completed the localization procedure, and as a result of this, it has obtained a position within the local network deployment area. The idea now is to use the anchor nodes to check the validity of the node location.

To accomplish this, the localized node broadcasts cryptographically secured packets containing its position p to be verified. These packets are received by the anchors, which use them to obtain RSS measurements and the declared node position. So, in this case, the observations $r = {[r_{1}, r_{2}, \dots, r_{N}]}^{T}$ are collected by the anchors and under $H_{0}$ (no wormhole), correspond to the RSS values of packets transmitted by the node at position p and received by the anchors at positions ${a_{1}, a_{2}, \dots, a_{N}}$ (see Figure 3(b)). Therefore, we have the null hypothesis

\begin{matrix} H_{0} : r_{i} = r (p, a_{i}), i = 1,2, \dots, N, \end{matrix}

(21)

and according to (5) and taking into account that $d (x, y) = d (y, x)$ , for all x, y, the elements of vector $μ_{0}$ are also given by (9).

On the other hand, under $H_{1}$ (wormhole attack), the packets received by the anchors are transmitted by the local wormhole node, as shown in Figure 2; therefore, the RSS values for these packets will be unrelated to the declared position of the compromised node p.

Therefore, the only difference with the previous case is that now the position of the node p is known, so $H_{0}$ is a simple hypothesis and the likelihood ratio is

\begin{matrix} Λ (r) = \frac{\max_{μ} f (r; μ)}{f (r; μ_{0})}, \end{matrix}

(22)

where $f (r; μ)$ and $f (r; μ_{0})$ are given by (6) and (12), respectively.

Following analogous steps to the previous section, we arrive at a test similar to (19) but using the reported position instead of the MLE (see Algorithm 2):

\begin{matrix} Decide H_{1} iff V (p) > η^{''}, \end{matrix}

(23)

where $V (p)$ was defined in (13) and $η^{''}$ is chosen so that

\begin{matrix} P [V (p) > η^{''} ∣ H_{0}] = P_{FA} . \end{matrix}

(24)

Again, the test statistic $V (p)$ is a measure of “goodness of fit” of the declared position to the observations.

Algorithm 2: Detection after localization. Parametric approach: likelihood ratio test.

Inputs:

Set of trustworthy anchor positions: ${a_{i}, i = 1,2, \dots, N}$

Untrustworthy node position: p

Set of untrustworthy node to anchor RSSs: ${r_{i} = r (p, a_{i}), i = 1,2, \dots, N}$

Parameters of the path-loss model: K and α

Detection threshold: $η^{''}$

Steps:

(1) Obtain the anchor to node distances ${d (a_{i}, p), i = 1,2, \dots, N}$ .

(2) Compute the test statistic $V (p)$ using (13).

(3) if $V (p) > η^{''}$ then

(4) set wormhole_flag←true

(5) else

(6) set wormhole_flag←false

(7) end if

(8) return wormhole_flag

6. Wormhole Detection Using RSS: Nonparametric Approach

The detection strategies of Section 5 assume the existence of a well-defined measurement model that describes the statistical relationship between observed RSS values and distances. However, in most instances, such model can only be stated under idealized conditions or is tied to a specific scenario; in this latter case, estimating its parameters often requires a costly calibration phase which must be repeated every time the environmental conditions change.

Therefore, it would be desirable to devise wormhole detection procedures that are “nonparametric” in the sense that unlike the test (7), these strategies do not impose a particular distribution for the observations; thus, such tests will be robust against departures from any predefined model. In particular, we will base our derivations of nonparametric detection schemes on the underlying ideas of the range-free positioning techniques described in Section 3.

As above, depending on the source of the measurements, we will derive a procedure for simultaneous localization and wormhole detection performed by the unlocalized node, using RSS values obtained from packets transmitted by the anchors, and a postlocalization wormhole detection scheme performed by the anchors, employing RSS measurements obtained from packets transmitted by the localized node. Both schemes are presented in Sections 6.1 and 6.2, respectively.

6.1. Simultaneous Localization and Wormhole Detection: DWARFLoc

We can check the presence of a wormhole without assuming any specific model for the observations by exploiting the fact that under no attack, the RSS values collected by the unlocalized node will be related to the distances from the node to the anchors, no matter which is the exact form of this relationship; on the other hand, if a wormhole is present, the RSS values measured by the compromised node are totally unrelated to its actual position.

Thus, under a wormhole attack and assuming that the compromised node uses the ROCRSSI scheme described in Section 3 to localize itself, it is very unlikely for the rings provided by the anchor nodes to share a common intersection, even in the absence of measurement errors; so, if a voting strategy is adopted to estimate the unknown node position, the number of votes received by any region in the plane will be well below the maximum attainable score (see Figure 1(a)). On the other hand, if no wormhole is present, we should expect that most anchors agree on the existence of a region of the plane that satisfies the set of constraints (2); this region, therefore, will receive a high number of votes (relative to the number of anchors), as Figure 1(b) illustrates. For these reasons, the test statistic proposed for this nonparametric detection strategy is the deviation of the maximum number of votes attained by any region of the plane from the average number of votes.

Therefore, in this scheme the anchor nodes broadcast beaconing packets that contain their positions and the RSSs they measure for packets transmitted by other anchor nodes; such packets should be conveniently enciphered and authenticated. Then, the unlocalized node collects and decrypts the beaconing packets and computes RSS values for them (see Figure 3(a)); these measurements, along with the positions of the anchors and the anchor-to-anchor RSSs, are used to estimate the position of the node, via the ROCRSSI method. The quality of the estimated position is determined by the number of votes it received, and if this number (after mean centering) is above a predefined threshold, the localization process is considered valid; otherwise, an attack is presumed and the unlocated node refrains from joining the network. As usual, the detection threshold is selected to obtain a given PFA. The whole DWARFLoc procedure is described in Algorithm 3.

Algorithm 3: Simultaneous localization and wormhole detection. Nonparametric approach: DWARFLoc.

Inputs:

Set of anchor positions: ${a_{i}, i = 1,2, \dots, N}$

Set of untrustworthy anchor to node RSSs: ${r (a_{i}, p), i = 1,2, \dots, N}$

Set of trustworthy anchor to anchor RSSs: ${r (a_{i}, a_{j}), i = 1,2, \dots, N; j = 1,2, \dots, N; i \neq j}$

Detection threshold: η

Steps:

(1) Define a grid G of L points in the plane, covering the WSN deployment region and an array V of L counters.

(2) set $V \leftarrow 0$

(3) for every anchor $a_{i}, i = 1,2, \dots, N$ do

(4) Obtain a ring $R (a_{i}, ρ_{1}^{(i)}, ρ_{2}^{(i)})$ of the form (2) that should ideally contain the node position, using (3)

(5) for every point of the grid $g \in G$ do

(6) if $g \in R (a_{i}, r_{1}^{(i)}, r_{2}^{(i)})$ then

(7) Increment counter of votes for point g: $V (g) \leftarrow V (g) + 1$

(8) end if

(9) end for

(10) end for

(11) Obtain the intersection region as the set of grid points with maximum number of “votes”:

$v_{M} = \max_{g \in G} V (g)$

$M = {g \in G : V (g) = = v_{M}}$

(12) Estimate the position of the node as the centroid of the intersection area:

$\hat{p} = \frac{1}{| M |} \sum_{g \in M}^{} g$

(13) Compute the sample mean of the number of votes:

$\bar{v} = \frac{1}{L} \sum_{g \in G}^{} V (g)$

(14) if $v_{M} - \bar{v} \leq η$ then

(15) set wormhole_flag←true

(16) else

(17) set wormhole_flag←false

(18) end if

(19) return wormhole_flag and estimated position $\hat{p}$

6.2. Wormhole Detection after Localization: DWARFTest

Once the node is successfully located, we can proceed to verify the validity of the node position p by reversing the previous roles of the tested node and the anchor nodes (see Figure 3(b)): now the former broadcasts packets containing its estimated location, while the latter receive these transmissions, compute RSS values, and use them to look for possible violations of the monotonicity constraint (1). If the tested node has been compromised by a wormhole attack like that of Figure 2, the source of those packets will be the wormhole local node, whose position is, with a high probability, different from that reported by the compromised node, so that many of the anchor nodes will find that the measured RSSs do not agree with the expected ones. Obviously, beside the anchor nodes, any other node whose position has been previously validated can also participate in this wormhole detection procedure. Notice also that the RSS values collected by the anchors should be transmitted to a central node in order to process them.

As a measure of dissimilarity between distances and RSS measurements, we have used a slight modification of the classical Kendall tau distance [26], which is a metric that counts the number of pairwise disagreements between two lists. In our case, the test statistic counts the number of violations of the monotonicity constraint (1) for every possible pair of node-to-anchor distances and their corresponding measured RSS values as

\begin{array}{l} τ (p) = | {(i, j), i < j : (d (p, a_{i}) < d (p, a_{j}) \land r (p, a_{i}) < r (p, a_{j})) \\ \lor (d (p, a_{i}) > d (p, a_{j}) \land r (p, a_{i}) > r (p, a_{j}))} |, \end{array}

(25)

where $| S |$ denotes the cardinal number of a set S.

As the test statistic $τ (p)$ is a discrete random variable (it only takes integer values), the decision procedure should include two parameters to exactly obtain a predefined PFA: an integer detection threshold η and a real number γ ( $0 \leq γ \leq 1$ ), such that

\begin{matrix} P [τ (p) > η ∣ H_{0}] + γ P [τ (p) = η ∣ H_{0}] = P_{FA}, \end{matrix}

(26)

where $P_{FA}$ is the desired probability of false alarm. The steps to implement the DWARFTest procedure are illustrated in Algorithm 4.

Algorithm 4: Wormhole detection after localization. Nonparametric approach: DWARFTest.

Inputs:

Set of trustworthy anchor positions: ${a_{i}, i = 1,2, \dots, N}$

Untrustworthy node position: p

Set of untrustworthy node to anchor RSSs: ${r (p, a_{i}), i = 1,2, \dots, N}$

Detection threshold and “PFA adjustment” parameter: $η, γ$

Steps:

(1) Obtain the node to anchor distances ${d (p, a_{i}), i = 1,2, \dots, N}$ .

(2) Compute the test statistic $τ (p)$ , using (25)

(3) if $τ (p) > η$ then

(4) set wormhole_flag←true

(5) else if $τ (p) = η$

(6) set wormhole_flag←true with probability γ

(7) else

(8) set wormhole_flag←true

(9) end if

(10) return wormhole_flag

7. Simulation Results

We have conducted some simulations to evaluate and compare the performance of the wormhole detection strategies described in Sections 5 and 6. The simulated WSN is composed of a set of anchor nodes whose positions are uniformly distributed in a square room of 20 m × 20 m. For RSS values, we have assumed the log-distance path-loss model (4) for which we set $α = 3$ as a typical value for indoor environments.

The range-free localization scheme uses a square grid of $20 \times 20$ elements, which implies a spatial resolution of 1 m in the proposed scenario. The range-based (parametric) approach uses as an approximation for the MLE the best linear unbiased estimator (BLUE) of the node position, because it is much simpler to implement than the exact MLE and its variance is close to the Cramér-Rao lower bound [25].

A wormhole attack is simulated according to the model of Figure 2. The distance between the wormhole remote node and the compromised node, $d (w, c)$ , is randomly chosen, and both nodes are assumed to be located beyond the radio range of any other WSN node. To avoid a trivial detection, the remote wormhole node performs random changes in its transmitted power, so that the RSS values measured by the compromised node are obtained as

\begin{matrix} r_{i}^{c} = K - 10 α \log_{10} d (w, c) + e + u_{i}, i = 1,2, \dots, N, \end{matrix}

(27)

where $d (w, c)$ is uniformly distributed between 0 and 20 m, e is a zero-mean Gaussian random variable with standard deviation σ, and ${u_{i}, i = 1,2, \dots, N}$ are IID random variables with uniform distribution in the interval $(- 6,6)$ . These RSSs are first processed by the simultaneous detection and localization schemes of Sections 5.1 and 6.1.

Once the node has been located, the detection procedures of Sections 5.2 and 6.2 are started and the tested node begins to broadcast its estimated position. However, according to Figure 2, if this node has been compromised by a wormhole attack, the RSS values measured by the anchors are related to their distances to the wormhole local node, because this node is acting as a repeater.

To determine the detection thresholds for the tests, we have also simulated the scenarios of Figure 3, using a reference node whose position is uniformly distributed in the WSN deployment area. Then, for each of the four tests, the empirical cumulative distribution function (CDF) of the test statistic is used to obtain the critical value that ensures a given PFA.

Some results are represented in Figures 4 and 5, where we have plotted the attained probability of detection for the wormhole detection schemes of Sections 5 and 6 under different situations. The PFA is fixed at 0.05 and we conducted 1000 simulation runs in all cases.

Figure 4

Probability of wormhole detection for the proposed strategies with varying number of anchor nodes ( $P_{FA} = 0.05$ and $σ = 3$ dB). (a) Simultaneous localization and detection. (b) Detection after localization.

Figure 5

Probability of wormhole detection for the proposed strategies with varying path-loss standard deviation ( $P_{FA} = 0.05$ and $N = 40$ ). (a) Simultaneous localization and detection. (b) Detection after localization.

By examining Figures 4(a) and 5(a), we can observe that the parametric approach for simultaneous wormhole detection and localization (LRT-BLUE) performs clearly better than the range-free procedure (DWARFLoc); this was expected, because range-free localization methods do not use a priori information about any model for the RSS observed values. However, we can see form Figures 4(b) and 5(b) that the range-free version of the scheme for detection after localization (DWARFTest) competes in performance with its parametric counterpart (LRT) and even surpasses it for high values of the path-loss standard deviation; this is attributable to the rapid degradation of the BLUE estimator when the RSS measurements are subject to significant errors.

8. Conclusions

In this paper we presented a minimalist model for a wormhole attack to a WSN that can be effectively counteracted by two different detection procedures, based on the underlying ideas of RSS-based range-free localization methods. The first one (DWARFLoc) operates simultaneously with the localization procedure, and the second one (DWARFTest) is a postlocalization detector that tries to validate a posteriori the estimated node position. Simulations suggest that DWARFTest has much better detection performance than DWARFLoc but requires more transmissions to be carried out.

Furthermore, assuming that the RSS values follow the standard log-normal path-loss model, we have also derived exact likelihood ratio tests for the detection of a wormhole, which can be used as benchmarks for any other detection scheme.

Footnotes

Acknowledgments

This research was partially supported by the Spanish Ministry of Science and Innovation under Grant TEC2009-14219-C03 (AMURA) and the European Commission under Grant FP7-ICT-2009-4-248894 (WHERE2).

References

Chen

H. H.

Security in wireless sensor networks

IEEE Wireless Communications 2008 15 4 60 66

2-s2.0-49749084392

10.1109/MWC.2008.4599222

Papadimitratos

Poturalski

Schaller

Lafourcade

Basin

Capkun

Hubaux

J.-P.

Secure neighborhood discovery: a fundamental element for mobile ad hoc networking

IEEE Communications Magazine 2008 46 2 132 139

Y. C.

Perrig

Wormhole attacks in wireless networks

IEEE Journal on Selected Areas in Communications 2006 24 2 370 379

2-s2.0-33144475784

10.1109/JSAC.2005.861394

Liu

Sensor localization with ring overlapping based on comparison of received signal strength indicator

Proceedings of IEEE International Conference on Mobile Ad-Hoc and Sensor Systems

October 2004

516 518

2-s2.0-20344402298

Maheshwari

Gao

Das

S. R.

Detecting wormhole attacks in wireless networks using connectivity information

Proceedings of the 26th IEEE International Conference on Computer Communications (INFOCOM '07)

May 2007

107 115

2-s2.0-34548321774

10.1109/INFCOM.2007.21

Giannetsos

Dimitriou

Prasad

N. R.

State of the art on defenses against wormhole attacks in wireless sensor networks

Proceedings of the 1st International Conference on Wireless Communication, Vehicular Technology, Information Theory and Aerospace and Electronic Systems Technology (Wireless VITAE '09)

May 2009

313 318

2-s2.0-70350752592

10.1109/WIRELESSVITAE.2009.5172466

Wang

Bhargava

Visualization of wormholes in sensor networks

Proceedings of the 3rd ACM Workshop on Wireless Security (WiSe '04)

October 2004

51 60

2-s2.0-11244309139

Zhang

Liu

Lou

Fang

Location-based compromise-tolerant security mechanisms for wireless sensor networks

IEEE Journal on Selected Areas in Communications 2006 24 2 247 260

2-s2.0-33144476837

10.1109/JSAC.2005.861382

Chen

Lou

Wang

Waang

Label-based DV-Hop localization againstwormhole attacks in wireless sensor networks

Proceedings of the 5th IEEE International Conference on Networking, Architecture and Storage (NAS '10)

July 2010

79 88

2-s2.0-77958144705

10.1109/NAS.2010.41

10.

Lazos

Poovendran

Čapkun

ROPE: Robust position estimation in wireless sensor networks

Proceedings of the 4th International Symposium on Information Processing in Sensor Networks (IPSN '05)

April 2005

324 331

2-s2.0-33144472023

10.1109/IPSN.2005.1440942

11.

Čapkun

Secure positioning in wireless networks

IEEE Journal on Selected Areas in Communications 2006 24 2 221 232

2-s2.0-33144454801

10.1109/JSAC.2005.861380

12.

Lazos

Poovendran

SeRLoc: secure range-independent localization for wireless sensor networks

Proceedings of the 2004 ACM Workshop on Wireless Security (WiSe '04)

October 2004

21 30

2-s2.0-11244264140

13.

Lazos

Poovendran

HiRLoc: high-resolution robust localization for wireless sensor networks

IEEE Journal on Selected Areas in Communications 2006 24 2 233 246

2-s2.0-33144475948

10.1109/JSAC.2005.861381

14.

Niu

Gao

Chen

A robust localization in wireless sensor networks against wormhole attack

Journal of Networks 2012 7 1 187 194

2-s2.0-83255188106

10.4304/jnw.7.1.187-194

15.

Stoleru

Chenji

Secure neighbor discovery and wormhole localization in mobile ad hoc networks

Ad Hoc Networks 2012 10 7 1179 1190

2-s2.0-83355172473

10.1016/j.adhoc.2012.03.004

16.

Patwari

Hero

A. O.

Perkins

Correal

N. S.

O'Dea

R. J.

Relative location estimation in wireless sensor networks

IEEE Transactions on Signal Processing 2003 51 8 2137 2148

2-s2.0-0042665374

10.1109/TSP.2003.814469

17.

Gustafsson

Gunnarsson

Mobile positioning using wireless networks: possibilities and fundamental limitations based on available wireless network measurements

IEEE Signal Processing Magazine 2005 22 4 41 53

2-s2.0-22544466135

10.1109/MSP.2005.1458284

18.

Huang

Blum

B. M.

Stankovic

J. A.

Abdelzaher

Range-free localization and its impact on large scale sensor networks

ACM Transactions on Embedded Computing Systems 2005 4 4 877 906

19.

Liu

Pan

Huang

Robust range-free localization in wireless sensor networks

Mobile Networks and Applications 2007 12 5-6 392 405

2-s2.0-45849146150

10.1007/s11036-008-0041-9

20.

García-Otero

Zahariadis

Álvarez

Leligou

H. C.

Poblacin-Hernández

Karkazis

Casajús-Quirós

F. J.

Secure geographic routing in ad hoc and wireless sensor networks

Eurasip Journal on Wireless Communications and Networking 2010 2010 1 12

2-s2.0-78249287540

10.1155/2010/975607

975607

21.

Sayed

A. H.

Tarighat

Khajehnouri

Network-based wireless location: Challenges faced in developing techniques for accurate wireless location information

IEEE Signal Processing Magazine 2005 22 4 24 40

2-s2.0-22544485079

10.1109/MSP.2005.1458275

22.

Rappaport

T. S.

Wireless Communications, Principles and Practice 2002 2nd

Prentice Hall

23.

Kay

S. M.

Fundamentals of Statistical Signal Processing, Volume II: Detection Theory 1998

Prentice Hall

24.

Tarrío

Bernardos

A. M.

Besada

J. A.

Casar

J. R.

A new positioning technique for RSS-based localization based on a weighted least squares estimator

Proceedings of IEEE International Symposium on Wireless Communication Systems (ISWCS '08)

October 2008

633 637

2-s2.0-62449285675

10.1109/ISWCS.2008.4726133

25.

Lin

H. C.

Best linear unbiased estimator algorithm for received signal strength based localization

Proceedings of the 19th European Signal Processing Conference (EUSIPCO '11)

August 2011

1989 1993

26.

Kendall

Stuart

The Advanced Theory of Statistics 1979 2

Charles Griffin

Secure Neighbor Discovery in Wireless Sensor Networks Using Range-Free Localization Techniques

Abstract

1. Introduction

2. Related Work

3. Range-Free Localization

4. Attack Model

5. Wormhole Detection Using RSS: Parametric Approach

5.1. Simultaneous Localization and Wormhole Detection: Likelihood Ratio Test

Algorithm 1: Simultaneous localization and wormhole detection. Parametric approach: likelihood ratio test.

5.2. Wormhole Detection after Localization: Likelihood Ratio Test

Algorithm 2: Detection after localization. Parametric approach: likelihood ratio test.

6. Wormhole Detection Using RSS: Nonparametric Approach

6.1. Simultaneous Localization and Wormhole Detection: DWARFLoc

Algorithm 3: Simultaneous localization and wormhole detection. Nonparametric approach: DWARFLoc.

6.2. Wormhole Detection after Localization: DWARFTest

Algorithm 4: Wormhole detection after localization. Nonparametric approach: DWARFTest.

7. Simulation Results

8. Conclusions

Footnotes

Acknowledgments

References