CN101442413A - Method for detecting ad hoc network helminth based on neighbor synergic monitoring - Google Patents

Info

Publication number: CN101442413A
Authority: CN (China)
Prior art keywords: node, suspicious, neighbor, neighbors, state
Legal status: Granted; Expired - Fee Related
Application number: CNA2008102364079A
Other languages: Chinese (zh)
Other versions: CN101442413B (en)
Inventors: 杨新宇, 侯光霞
Current Assignee: Xian Jiaotong University
Original Assignee: Xian Jiaotong University
Application filed by: Xian Jiaotong University
Priority to: CN2008102364079A
Granted publication: CN101442413B

Abstract

The invention provides a method for detecting worms in ad hoc networks based on neighbor collaborative monitoring. The method requires no special hardware support and uses the cooperative relationship between nodes in the ad hoc network to detect worm attacks in a simple and practical way. To match the attack characteristics of worms in ad hoc networks, the detection method is divided into three stages: malicious node detection, warning message dissemination, and malicious node isolation.

Description

An ad hoc network worm detection method based on neighbor collaborative monitoring
Technical field
The invention belongs to the field of wireless mobile ad hoc network security, and in particular concerns an ad hoc network worm detection method based on neighbor collaborative monitoring.
Background art
The more classical existing worm detection methods for ad hoc networks are mainly: multipath statistical analysis, the timestamp and position-stamp method, and neighbor detection based on a trusted node.
Multipath statistical analysis judges a worm attack from static statistics over the routing information. This method does not need to change the routing protocol or introduce an additional security service system, incurs only a very small overhead during statistical analysis, and is also suitable for detecting other attacks. Its drawback is that communication between nodes in the network must wait until two or more links are all connected before it can begin, so communication delay increases.
The timestamp and position-stamp method introduces the concepts of a timestamp and a position stamp and relies on them to detect worm attacks. In this method the position stamp requires accurate node position information and loose time synchronization between nodes, while the timestamp requires precise time synchronization between nodes. The method needs authentication information to protect the timestamp or position stamp, which consumes a great deal of storage, and it does not isolate malicious nodes.
Neighbor detection based on a trusted node assumes that the network contains a trusted authorization node (CA) whose resources are not limited. Other nodes obtain a node's logical address through the CA, and neighbor nodes then judge suspect nodes from node position information. The core of this algorithm is confirming node positions accurately, but it is too complex.
Summary of the invention
The object of the invention is to provide an ad hoc network worm detection method based on neighbor collaborative monitoring that needs no hardware support, makes detection and defense simple, can identify and isolate malicious nodes, and keeps detection delay and overhead as small as possible.
The invention comprises three processes: malicious node detection, warning message dissemination, and malicious node isolation.
The technical scheme of the invention is realized as follows:
Malicious node detection stage: every node in the network is set to listening mode and monitors its neighbor nodes as they send packets. If, within one expire time, a node observes that neighbor node M received μ packets bound for destination node D and correctly forwarded v of them, the packet loss total is μ-v. If μ-v is greater than β, node M is considered a suspect node and is put in the suspicious neighbor list; otherwise the lost-packet count is cleared and monitoring for the next expire time begins.
Warning message dissemination stage: when a node detects that neighbor M is a suspect node, it broadcasts its own suspicious neighbor list to its neighbors, and the broadcast ends after three hops. On receiving another neighbor's suspicious report about node M, a node adds 1 to the suspicious count field of M's entry in its suspicious list. When the count exceeds r, node M is judged to be a malicious node and is put in the blacklist.
Malicious node isolation stage: if node M is in the blacklist of one of its neighbor nodes, that neighbor marks node M, and the state of node M is changed to the suspicious state. If more than r nodes have given M the suspicious state mark, the state of node M changes to the isolated state. From then on, wherever node M moves in the network, it remains in the isolated state and cannot forward packets. Only after the virus has been removed by manual intervention can the node return to the normal state and communicate with other nodes.
The invention uses neighbor nodes to cooperatively detect worm attacks in ad hoc networks, needs no special hardware support, is simpler than earlier detection methods, and requires very little overhead.
Embodiment
The ad hoc network worm detection method based on neighbor collaborative monitoring is described in the following three parts:
1) Variables used in the model
a) During detection, nodes are divided into the following three states:
N_Normal: normal state;
N_Suspicious: suspicious state;
N_Isolated: isolated state;
b) Suspicious factor r: the constraint on node state transitions. Suppose α neighbor nodes report that node i is a malicious node; the specific relationship for the suspicious factor is as follows:
Figure A200810236407D00061
c) Monitoring period (expire time): the time period after which the monitoring buffer is refreshed;
d) Packet loss: the number of packets lost per unit time; β is the upper limit on packet loss toward a specific destination node;
2) State transitions between nodes
In the method, an evaluation field E is first added to every node. This field mainly assesses the node's trustworthiness, is the parameter that decides node state transitions, and permanently marks malicious nodes. The value in the evaluation field is read-only information: a node has no authority to modify it on its own, and it can only be set by neighbor nodes. There are three cases:
a) at initialization, every node is set to the normal state;
b) if neighbor node i observes that node j is a malicious node, node i marks node j, that is, modifies its evaluation field, and the suspicious state count is incremented by 1;
c) when the suspicious state count of any node j reaches r, the state of node j changes automatically from the suspicious state to the isolated state, and this is a permanent mark. Wherever node j moves, other nodes can obtain its state, so it is easy to isolate.
3) Core of the ad hoc network worm detection method based on neighbor collaborative monitoring
i. Malicious node detection
Step 1: every node in the network is set to listening mode and monitors its neighbor nodes as they send packets;
Step 2: all monitoring buffers are initialized to empty;
Step 3: within the expire time, when node N observes that neighbor M drops a packet bound for destination node D, it records the packet loss count of node M in monitoring buffer W;
Step 4: if neighbor node M is observed to have received μ packets bound for destination node D and to have correctly forwarded v of them, the packet loss total is μ-v. If μ-v is greater than β, node M is considered a suspect node and is put in the suspicious neighbor list; otherwise the lost-packet count is cleared, monitoring for the next expire time begins, and the procedure returns to step 3.
ii. Warning message dissemination stage
Step 1: when node N detects that neighbor M is a suspect node, it updates its suspicious neighbor list;
Step 2: N broadcasts its latest suspicious neighbor list to all of its one-hop and two-hop neighbors, controlling the number of broadcast hops through the TTL value. Where there are common neighbor nodes, setting TTL to 2 is enough; where there are no common neighbor nodes, TTL must be set larger, generally to 3 or 4;
Step 3: when node N receives the latest suspicious neighbor list of another neighbor, it updates its own suspicious neighbor list with the received content;
Step 4: when the count value of some node M in the suspicious list exceeds r, node M is judged to be a malicious node and is put in the blacklist.
iii. Malicious node isolation stage
Step 1: if node M is in the blacklist of its neighbor N, neighbor N marks node M, that is, modifies the value in node M's evaluation field, and the state of node M changes from the normal state to the suspicious state;
Step 2: if more than r nodes have given M the suspicious state mark, the state of node M changes from the suspicious state to the isolated state. From then on, wherever node M moves in the network, it remains in the isolated state and cannot forward packets. Only after the virus has been removed by manual intervention can the node return to the normal state and communicate with other nodes.
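The three stages described above, as a small simulation added here for illustration; it is not part of the patent text. The class and method names, the topology and the values of β, r and TTL are constructed, and r is passed in as a parameter. Two further assumptions: the count for a suspect is the number of distinct reporting nodes, so a single node repeating its report cannot raise it, and a listed suspect is not used to relay the warning.

```python
# Added illustration: names, topology and parameter values are constructed.
from collections import defaultdict, deque

NORMAL, SUSPICIOUS, ISOLATED = "normal", "suspicious", "isolated"

class Network:
    def __init__(self, links, beta, r, ttl):
        self.adj = defaultdict(set)
        for a, b in links:
            self.adj[a].add(b)
            self.adj[b].add(a)
        self.beta, self.r, self.ttl = beta, r, ttl
        self.state = {n: NORMAL for n in self.adj}            # evaluation field E
        self.marks = defaultdict(set)                         # suspect -> neighbors that marked it
        self.lists = {n: defaultdict(set) for n in self.adj}  # per node: suspect -> reporters
        self.blacklist = {n: set() for n in self.adj}

    def monitor(self, watcher, neighbor, mu, v):
        """Detection: one expire-time window; mu received for D, v forwarded."""
        if mu - v <= self.beta:
            return False          # loss count is cleared, next window starts
        self._merge(watcher, {neighbor: {watcher}})
        self._broadcast(watcher)
        return True

    def _broadcast(self, origin):
        """Dissemination: flood origin's suspicious list at most ttl hops."""
        payload = {s: set(rep) for s, rep in self.lists[origin].items()}
        seen, queue = {origin}, deque([(origin, 0)])
        while queue:
            node, hops = queue.popleft()
            if hops == self.ttl:
                continue
            for nxt in self.adj[node] - seen:
                seen.add(nxt)
                if nxt in payload:    # assumption: a listed suspect does not relay
                    continue
                self._merge(nxt, payload)
                queue.append((nxt, hops + 1))

    def _merge(self, node, incoming):
        """Update node's list; blacklist and mark once the count exceeds r."""
        for suspect, reporters in incoming.items():
            self.lists[node][suspect] |= reporters    # distinct reporters only
            if len(self.lists[node][suspect]) <= self.r:
                continue
            self.blacklist[node].add(suspect)
            if suspect in self.adj[node]:             # isolation: neighbors set E
                self.marks[suspect].add(node)
                isolated = len(self.marks[suspect]) > self.r
                self.state[suspect] = ISOLATED if isolated else SUSPICIOUS

def demo():
    # Constructed topology: M has neighbors A, B, C; D is two hops from M.
    links = [("A", "M"), ("B", "M"), ("C", "M"), ("A", "B"), ("B", "C"), ("C", "D")]
    net = Network(links, beta=5, r=2, ttl=2)
    for watcher in ("A", "B", "C"):
        net.monitor(watcher, "M", mu=20, v=10)
    return net
```

With r = 2, reports from A and B alone leave M in the normal state; the third independent report from C pushes the count past r, every node that hears it blacklists M, and the three neighbors' marks move M to the isolated state.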

Claims (1)

1. An ad hoc network worm detection method based on neighbor collaborative monitoring, characterized in that it comprises the following steps:
1) Malicious node detection
Step 1: every node in the network is set to listening mode and monitors its neighbor nodes as they send packets;
Step 2: all monitoring buffers are initialized to empty;
Step 3: within the expire time, when node N observes that neighbor M drops a packet bound for destination node D, it records the packet loss count of node M in monitoring buffer W;
Step 4: if neighbor node M is observed to have received μ packets bound for destination node D and to have correctly forwarded v of them, the packet loss total is μ-v; if μ-v is greater than β, node M is considered a suspect node and is put in the suspicious neighbor list; otherwise the lost-packet count is cleared, monitoring for the next expire time begins, and the procedure returns to step 3;
2) Warning message dissemination stage
Step 1: when node N detects that neighbor M is a suspect node, it updates its suspicious neighbor list;
Step 2: N broadcasts its latest suspicious neighbor list to all of its one-hop and two-hop neighbors, controlling the number of broadcast hops through the TTL value. Where there are common neighbor nodes, setting TTL to 2 is enough; where there are no common neighbor nodes, TTL must be set larger, generally to 3 or 4;
Step 3: when node N receives the latest suspicious neighbor list of another neighbor, it updates its own suspicious neighbor list with the received content;
Step 4: when the count value of some node M in the suspicious list exceeds r, node M is judged to be a malicious node and is put in the blacklist;
3) Malicious node isolation stage
Step 1: if node M is in the blacklist of its neighbor N, neighbor N marks node M, that is, modifies the value in node M's evaluation field, and the state of node M changes from the normal state to the suspicious state;
Step 2: if more than r nodes have given M the suspicious state mark, the state of node M changes from the suspicious state to the isolated state; from then on, wherever node M moves in the network, it remains in the isolated state and cannot forward packets; only after the virus has been removed by manual intervention can the node return to the normal state and communicate with other nodes.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008102364079A CN101442413B (en) 2008-12-22 2008-12-22 Method for detecting ad hoc network helminth based on neighbor collaborative monitoring

Publications (2)

Publication Number Publication Date
CN101442413A (en) 2009-05-27
CN101442413B (en) 2011-04-06

Family

ID=40726674

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008102364079A Expired - Fee Related CN101442413B (en) 2008-12-22 2008-12-22 Method for detecting ad hoc network helminth based on neighbor collaborative monitoring

Country Status (1)

Country Link
CN (1) CN101442413B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110406

Termination date: 20131222