AU2013101209A4 - Trustability Based on Beta Distribution Detecting Abnormal Behaviour Nodes in WSN - Google Patents

Abstract

Abstract Large numbers of low-power, low-cost, and multifunctional sensor nodes being integrated as a network are improved with wireless communication and electronics updated technologies. Wireless sensor network (WSN) has been engaged as one of most important parts in our daily life. Common application areas include hospitals, homes, battle fields, and transportation systems. However, those nodes deployed in a wireless sensor network run on batteries with limited power and computation ability. The communication channels can be unreliable and the performance can be vulnerable to attacks and sensor failures such as wormhole, sinkhole attacks, denial of-service (DoS), and other pollution attacks. Many algorithms have been published relating to these areas, but few research papers discuss the internal attacks. One type of internal attack is focusing on a deployed WSN. Our major focus in this patent is to ensure the designed WSN correct status, such as if the functions are within the original design. In our proposed algorithm we investigated three scenarios with the trustability based on the beta distribution detecting those nodes in a WSN showing abnormal behavior. Furthermore, our algorithm can present how weighting is effective as a viable security measure in the targeted WSN. Our proposed algorithm does not have any previous information about the targeted network when it is applied to a WSN. It can offer entirely consistent results, detecting malicious nodes with all nodes achieving a trust value inside a 0.003 range within two-hops of the assessing node in a WSN. Keywords: wireless sensor network, trustability, beta function, abnormal behavior, network security S'Lv N o C mWe Nee Fig. 1: Direct Observation with Multiple Observing Node Recommendations Fa Fig. 1 Diret Obsevatio withultietOsrn Node eomnain Uderae satisfied dereadissatisfied observed vaIlues Fig. 2. Simulation control

Description

1 DESCRIPTION OF THE ART [1] Wireless sensor networks (WSNs) are distributed networks exposed to an open environment, a collection of self-organized nodes with limited computation, energy and communication capabilities, covering deployed areas that are of interested by the controllers. [2] While wireless communication is becoming increasingly integrated into all sectors of daily life, the security threats to WSNs become increasingly diversified due to the open nature of the wireless medium. Different cryptographic methods can be used to defend against some types of attacks but are always very limited due to WSN's nature. Due to the mesh architecture of the network and potentially changing network layout, nodes must be able to adjust to changes to be able to keep the network live without interruption. An adversary can easily eavesdrop and replay or inject fabricated messages so WSNs are always vulnerable to malicious nodes. When a node in a WSN becomes compromised, which means this node will not work for the original design and even could betray the whole network. Hence, it becomes a major problem of WSN security since it allows an adversary to enter inside the security perimeter of the network and launch attacks, which raises a serious challenge for WSNs. [3] Just like humans evaluating the people close to them, nodes can build trust values for other nodes within a network. By doing this, nodes are able to make calculated decisions on whether a target node within the network is performing as expected and not compromising the performance of the WSN. But in most situations, the nodes own opinion of a target node is not enough to fully understand the characteristics of that node. So just like in society, friends can recommend other friends to be trust worthy individuals through their own experiences. As humans we then gather all the information available to us and make informed decisions about the target individual, often rating our personal opinions higher than that of others. [4] However, we face the problem of whether trustworthiness can be transformed or not, and if so, how much trust can be passed from one individual to another. It is how we assess the recommendations of friends that are of most interest. Previous person recommendations are studied and to be determined as either favourable to the recommenders reputation or detrimental. By using these previous outcomes humans are able to make a calculated decision on whether this new recommendation will be welcomed or shunned, which will be extended to the relationship or the trustworthiness among those nodes in a WSN. Furthermore, we can apply our proposed algorithm to a WSN to detect the compromised node that has abnormal behaviour in a WSN. [5] As the internal attacks becomes more serious due to WSNs higher demands and the characterisers of open natures for a WSN. In our current paper we focus on the simplest way to detect compromised node based on beta function by estimating the trustiness. [6] For a node to have a greater understanding of the network surrounding them (the neighbour nodes), a node will use the recommendation of other nodes in combination with its own findings to revaluate the target node to gain a clearer picture of its current behavioural state, and thus the network.

2 [7] This patent is organized into four sections. After introducing our topic of work, the second section describes how the data is processed and analysed in order to achieve a trust value for a target node. The third section gives an overview of how the simulation program establishes this. It also illustrates how the simulation program was specifically created to test the proposed algorithm and outlines the algorithms implementation into a usable software method. Then it will cover the different scenarios that the new algorithm was tested in, with a detailed analysis of the results. The final section concludes the paper. [8] We will cover how a beta distribution is used to compute a trust value for a target node in mesh network architecture. The proposed algorithm is based on the beta distribution which is a suitable model for making calculations where an element of uncertainty is present. Using a unique weighted value for each recommending node, we will show how each nodes recommendation can be assessed, with the result either punished or reward as expected. [9] A target node is periodically queried for information regarding its interactions with the assessing node and its activity in a wireless sensor network. These accumulations will allow this target node to have some information statistically. Using these collected statistical data and the known statistical data held by the assessing node, an intermediate trust value can be determined for the target node in the wireless sensor network. By then gathering information from other connecting nodes in the network, the assessing node is able to create a more accurate representation of the target nodes actual behaviourally traits, thus a final trust value. [10] In the simplest scenario as shown in Fig. 1, Node A, the assessing node, has a direct connection to Node B, the target node, in addition to that, Nodes C, D, E are connected to both the assessor and the target, allowing them to give their individual recommendations. [11] For the assessing node to calculate the trust value for the target node the first step is for Node A to count how many Nodes will be giving a recommendation on the performance of the target node, let this be represented by countA-B [12] Let XA-B and YA-B be the current satisfied and dissatisfied observation respectively, with xA-Bpast and yA Bpast be the satisfied and dissatisfied observation respectively at the last trust calculation. These are values that Node A has calculated based on good and bad experiences with Node B. Let aD and AD equal the sum of good- and bad- interactions/observations respectively. Obviously the following equations exist due to the definitions described above. 1 !XA-B 100 (1) YA-B 101- XA-B (2) [13] In order to make it clear we have to define two factors as weight values to assess the node either by direct observation or recommendation. The target node must next calculate two weight values, which are WD and WR representing the weight applied to the direct observation (with the subscript "D") and the weight applied to the recommendation (with the subscript "R") respectively, the sum of the two weights must equal unity as either "direct observation" or "recommendation"). The weights are used 3 to determine how much of the direct/indirect observation value and recommendation value are used to calculate the final trust value. WD is then applied to the current aD and 'OD. To ensure that malicious nodes are detected efficiently and effectively, events based biasing is employed. This creates a comparison between the current observation and the last one to occur, by doing this function nodes can punish bad behaviour quicker, leading to efficient malicious detection. cD =W x (1F x X,, + X_) (3) P-- W x (F, xyABpast YA-B (4) [14] Here we have introduced two factors, F, and Fy, to represent the factors in which past observations are biased, i.e., Fx E [0,1] and Fy E [0,1]. Each value is independent of the other, but by having a high F, and a low Fx,, which, in other words, shows that the bad behaviour is punished more, with little reward for the good behaviour. [15] In addition to satisfied and dissatisfied observations being held for nodes within the wireless sensor network, when an assessing node uses observing nodes given data to assess a target node, following, it also uses an honest and dishonest recommendation value, tA-node and SA-node respectively, which has been determined independently of that nodes own trust value in the network, (with the subscript "node" representing the corresponding node, e.g. Node C, tA-c and sA-c). The honest and dishonest recommendation values are calculated by doing a comparison with the final trust value for the target node and the recommendation data the observing node gave to help in the calculation. In general, an observing node's honest recommendation value will increase when the data it gives closely represents the same value as the assessing node already has for the target node. Honest and Dishonest values are just like satisfied and dissatisfied observation values, being normalized and limited to 1 to 100, which are: 1 tA-node 100 (5) SA-node= 101 - tA-node (6) [16] The assessing node must now make a calculation to create a weight to apply to each recommending nodes observation, this weight is determined by comparing the recommending nodes previous recommendations with the other recommending nodes, this ranks each node based on their honest recommendations. count, aR A-node (7) no de1 COuntAB = YSA-node (8) node-i TotaiR = beta (aR , OR (9) E[TotalR aR (10) aR + PR [17] Here we have used the beta function as beta, aR and OR equal the honest and dishonest sum of all the past recommendations respectively. In order to obtain the total value of the recommendation, we have introduced TotaIR, which represents the beta distribution for the sum of total honest and dishonest recommendations and E[Tota/R] is taking the mean of the function.

4 IndivA-node = beta-(tAnode' SA-node) E[IndivA-node = A-node (12) tA-node + SA-node [18] Here, /ndivAnode represents the beta distribution for each nodes honest and dishonest recommendations, with E[lndivAnode] taking the mean of the function. By finding the percentage that each individual node contributes to the total, each nodes weight, denoted by WAnOde, can be calculated that accurately represents the nodes previous honesty in relation to the other recommending nodes. W = E[IndivA-node (13) E[TotalR [19] Now that the individual weights for each recommending node have been calculated, the actual recommendations have to be calculated, weights applied and summed together. [20] Let ao and #o equal the sum of all satisfied and dissatisfied recommendations from observing nodes, following we have: count-, aO= Y [WRXWnode X node-1 x 2t~A-nodeCnode-BI (SA-node + 2 node-B nodeB + A-node) (14) countl A0 = X [W xW x x nod=1 x 2A-node node-B (SA-node n+ 2 )(XodeB +YnodeB ±2) + 2tA-node (15) [21] With the direct/indirect observation aD and flD calculated, the sum of all recommendations with recommendation weight and individual recommending weights applied ao and po0, the two pairs are now summed together to give an overall alpha and beta, aF and /3F: aF = aD + a 0 (16) ,OF = flD + (17) [22] Now that the final alpha and beta are calculated, the trust value for the target node, Node B, from assessing, Node A's point of view, TA-B, can be calculated. Here, TA-B is the final trust value for the target node and TA-B E [0, 1]. Obviously, the higher the number the more trust worthy the target node is. Below we have the final beta distribution for the sum of all satisfied and dissatisfied observations. FinaA-B beta (aF,,OF) (18) E[FinalAB = F (19) F F TA-B = E[FinalA-B] (20) [23] Here, Fina/A-B equals the beta distribution for the sum of all satisfied and dissatisfied observations, again E[Fina/A-B]is the mean of that beta distribution, Fina/A-B [24] After the final trust value for Node B has been calculated, the honest and dishonest recommendation values for each recommending node have to be updated. This is done by using the satisfied and 5 dissatisfied observation values, Onode-B, held by Node A given by each recommending node, node, on Node B. Onode-B = beta(Xnode-B n Ynode-B (21) E[Onode-B I Xnode-B (22) XnodeB + Ynode-B Comparison Value = |TA-B - E[Onode-B] (23) [25] Here we have defined Comparison Value as the value of the difference between TA-B and the mean of the observation value from Node B. [26] We can assess the calculated comparison value from equation (23) with a threshold value. If the comparison value is below the threshold value then, it can be said that as an example, Node C, has given an honest recommendation, therefore its honest recommendations as stored by Node A and the reputation would increase by one unit. But in the event that this value was greater than the given threshold, it can be said that, as another example, Node C has given a dishonest recommendation and therefore it should be punished by increasing Node C's dishonest recommendations value by one unit. After this, in the future when Node variable "node" gives another recommendation about its opinion, it will either be regarded higher or lower respectively, depending on the accumulated record. And we can make the decision about the target node, whether it is "good" or "bad." Furthermore we even can make judgement and final decision for the nodes being "grey" in the network. [27] Written in C#, the simulation program aims to create a high level overview of the WSN, with the goal to effectively test the beta distribution based algorithm instead of the networking components and protocols. To achieve this, the operating system(OS) or simulation controller gives each node the satisfied and dissatisfied observation values directly depending on the set behavior type of the given target node at the current time in the given scenario. [28] For ease of simulation we have an "Operating system (OS)" controlling the actions of the nodes sequentially so we assume the network has already been connected and configured, meaning each node has an initial trust value for the other nodes in the network (Trustworthy). The simulation then runs through every scenario 10 times, so from 0 malicious nodes, up to the maximum number of malicious nodes possible. Upon configuration the OS will set the nodes BehaviourType. After a designated time the simulation will stop and the results are exported to a ".csv" format, as well as being exported at the end of the simulation the results can also be viewed live as the simulation is running. The Program is established as below: while (running) { 1.Randomly picks a source node. 2.Randomly picks a destination node making sure its not the same as the source. 3.From the source node's observed nodes list, we can bring up the source nodes current opinion and statistics on the corresponding destination node. 4.Then based on the destination node's behaviour type, the Operating system will increment or decrement the source nodes observed satisfied 6 and dissatisfied values of the destination node. } [29] In order to check our proposed algorithm, we carefully design the following three cases. This is because the performance and effectiveness of the beta distribution based algorithm is done case by case for different scenarios. These cases have been designed to test the algorithm in the network not only with malicious nodes, but when the network is 100% healthy as a control measurement. Fig. 3 is the 20 Node sample network design the tests have been run over. Each scenario was repeated 10 times with randomly configured malicious nodes. The scenarios were tested for a short and long time period, 6 and 60 seconds respectively and every possible scenario, from 0 to 20 malicious nodes. [30] In this scenario we are confirming the correct functioning of the algorithm when the network is 100% healthy and no malicious behavior present. The Trust values range from 0.990-0.992 indicating high certainty that it is safe to communicate in the network. As seen in Fig. 4, all target nodes have closely the same trust value, indicated there is a general theme to all nodes that the network is safe. [31] In this scenario we are testing the algorithms ability to detect five random malicious nodes within the network, which is exactly matching the 0.25 malicious nodes in this network; these nodes will all become malicious at a set time and will continue to act in this way. The test correct rate is 100%. [32] Fig.5, represents the data from a test where Nodes 4, 8, 10, 11 and 16 are all being found as malicious nodes. It is noted that for each malicious target node, there is a low point in the trust value from every observing node, excluding the nodes opinion of itself. This is more evident in Fig. 6 where all nodes are malicious. [33] The values of trusted nodes again range from 0.990 to 0.992 while the value of malicious nodes was from 0.004 to 0.005. In both the 60 second and 6 second test indicating that it is able to achieve these relative values of certainty quite efficiently. [34] In this scenario we are testing the algorithms ability to detect 5 random malicious nodes within the network, these nodes will all become malicious at a set time but will alternate between malicious and normal operation intermittently. [35] Again all nodes were detected in both the 6 second test and the 60 second test even if they behaved well at the start, and produced almost exactly the same results as scenario B, with the anomalies only occurring because a different 5 malicious nodes were assumed. [36] It has been shown all the trust values for above descriptions. When the trust values were observed live, it is easy to see it only takes a fraction of the test for the values to achieve a stable state of certainty. This stable state demonstrates something interesting, that for every target node there are three types of trust values; the trust value of itself, the trust value from a directly contactable node and that of a node not directly contactable. The very minor differences seen in different target nodes trust value is due to the number of directly neighboring observing nodes. Further analysis of the network configuration was able to support this theory. The more nodes there are to back up the untrustworthiness of a node, the closer the beta distribution will allow it to become closer to the end of the scale.

Claims (6)

1. A method is established for trustability based on beta distribution detecting abnormal behavior nodes in wireless sensor network (WSN).

2. A program, based on claim 1, to detect abnormal behavior nodes in wireless sensor network.

3. A method according to claim 1, does not have any previous information about the targeted network.

4. A method, according to claims 1 and 3, two factors are calculated as weight values to assess the node either by direct observation or recommendation: a = W.x X( x x _,"'' + x _) (3) P - W= x (F, x YA-Bpast Y (4) And all satisfied and dissatisfied recommendations from observing nodes count-, a 0 = I [WxW ,x node1 K + 2 )(x"o:A-noden 2)ode-B +2 2 (SA-node node-B + node-B tA-node) (14) countl 1fo= Y [WR X W-,ode x nodel (15) x 2 tA odYynodeB (SA-node 2 )(XnodeB + Ynod-B +2)+2tA-nod

5. A method, according to claim 4, to calculate final trust value via the "honest" and "dishonest" factors, (aR,)R) aR =YA-node (7) node=1 countAB R= SA-node (8) node=1

6. A method, according to claim 5, to obtain comparison value to tell the difference between threshold (node A and Node B) and the mean of the observation value. Comparison Value = TA-B - E[Onode-Bi (23)