CN101977129A - Artificial immunization-based MANET network attack detection method - Google Patents

Abstract

The invention discloses an artificial immunization-based MANET network attack detection method, which achieves low error judgment rate and high detection speed. The method comprises five parts, namely recording of a node transmission frame counting sequence, recording of a channel transmission frame counting sequence, a double-element accumulation sliding window detection method, a residual sliding window threshold judgment method and a gene matching detection method. When the transmission frame counting sequence at intervals of delta t time aiming at a hostile attack recording channel is used as a characteristic sequence, the double-element accumulation sliding window detection method id adopted; the private attack detection is divided into two conditions, namely when the detection node is in a saturated state, the transmission frame counting sequence of each node t intervals of delta t time is recorded, initial detection is performed by adopting the residual sliding window threshold judgment method, and the withdrawal time sequence of the private node is recorded, coded and geneticized and then used as a gene detection body; and when the detection node is in an unsaturated state, the gene matching detection method is adopted. The method is suitable for comprehensive detection of MAC layer attack of an MANET network.

Description

A kind of MANET network attack detecting method based on artificial immunity

Technical field

Present invention relates in general to network communications technology field, relate more specifically to a kind of network attack method for comprehensive detection of MANET network MAC layer.

Background technology

The distributed system that MANET is made up of a lot of autonomous nodes, owing to lack the management control of concentrating, autonomous node is a target with malicious sabotage or pursuit number one, and network is initiated security attack, reduces the credibility of network.These attacks mainly comprise: the grouping that other nodes is produced at the route layer or do not participate in route or do not transmit data; Seize with illegal means or the interference channel use at the MAC layer; Adjust transmission of power wantonly in physical layer,, perhaps select suitable waveform to reduce interference etc. to obtain better signal to noise ratio.Wherein typical with the MAC layer attacks.This be because: the security attack of MAC layer directly has influence on access, channel utilization and the overall performance of network of wireless channel; Most of radio node uses identical MAC layer access protocol-IEEE802.11, and this just makes the MAC layer attacks more effective than other each layer attacks; Because the random nature of IEEE 802.11 DCF agreement inherences and the unreliability of wireless medium itself, people are difficult to the attack of node and accidental protocol malfunctions are distinguished, make that the behavior of MAC layer attacks is hidden, bring bigger challenge for the detection of attacking node.How detecting the MAC layer attacks effectively becomes the research focus of wireless trustable network.

The domestic and international at present security attack to the MAC layer detects and is broadly divided into two classes, and a class need be revised IEEE802.11 MAC agreement, so that detect and the opposing node attack.The common drawback of this class algorithm is incompatible with the prior protocols standard, thereby causes method infeasible; Another kind of is by more statistical notions, and the statistical nature that related parameter is arranged is detected, and has determined whether attack, and for example SPRT (sequential probability ratio test) detects.This detection method is applicable to simple selfish the attack, and those intelligent behaviors can use adaptability to hide detection.The Sequence Detection statistic algorithm that proposes of people such as Toledo and for example based on K-S; this algorithm does not need to know in advance the attack strategies of node; but need know the probability Distribution Model of detected sequence in home in advance, this MAC layer access protocol to dynamic Ad Hoc network and stochastic behaviour is a difficult problem.Central-limit theorem detection algorithm and Markov chain multistep detection model have lower False Rate and detection speed faster, but it is the same with classical DOMINO algorithm, only be applicable to that those by revising the selfishness attack of back off time strategy contention wireless channel, have bigger limitation.

There is polytype in the MAC layer attacks of IEEE 802.11 agreements, every type attack means has nothing in common with each other, intelligent attack is difficult to distinguish with legal nodes ' behavior owing to the stochastic behaviour of 802.11 agreement back off times, has therefore increased the difficulty that detects.Attack at MAC layer IEEE 802.11 agreements exists diversity, dynamic and intelligent, detect the bigger limitation of existence with traditional mode, along with going deep into to immune system research, various Artificial Immune Algorithm constantly are suggested, artificial immunity has been used in many fields such as engineering optimization, data mining, control, failure diagnosis more and more, becomes the hot research of artificial intelligence.

Summary of the invention

In view of this, the present invention adopts a kind of MAC layer network with low False Rate and very fast detection speed to attack method for comprehensive detection.To malicious attack, be characteristic sequence with the biography frame count of channel in the Δ t time, adopt the sliding window detection method of double base accumulation; State difference according to detection node, selfish type attack detecting adopts two kinds of different modes respectively: the node of saturation condition is carried out fast detecting based on the sliding window threshold value of residual error diagnostic method to the attack of neighbor node, and the unsaturated state node is based on gene matching detection method.The inventive method can be carried out quickly and efficiently the various MAC layer attacks of IEEE802.11 agreement and detect as a kind of more satisfactory, time-delay is little, accuracy rate is high, practical technical scheme, be applicable to various complexity, dynamic wireless network environment.

In order to achieve the above object, the invention provides a kind of MANET network attack detecting method, it is characterized in that: comprise following few component parts based on artificial immunity:

(1) malicious attack is target to stop channel to use and destroy node data, and is of a serious nature, can cause the serious decline of each performance index such as network delay, throughput, packet loss usually.When having malicious attack in the network, selfish harm of attacking becomes very little.Therefore, malicious attack is detected as the first road barrier for artificial immunity.The common result of different malicious attack behaviors is to cause channel seriously to descend every the biography frame count of Δ t time.Therefore, malicious attack is characteristic sequence with the biography frame count every Δ t time channel, adopts the sliding window detection method of double base accumulation.

(2) selfish attack is a purpose to increase channel contention priority and then to seize channel, bandwidth and time-delay with other competition node are the raising that cost exchanges self performance for, though its selfish behavior changes various, but common result is: selfish node every the biography frame count of Δ t time obviously greater than biography frame count with legal node of time, but when detection node is in unsaturated state, the difference at interval because application layer is given out a contract for a project can not be as declaring.Therefore, at selfish attack detecting district in two kinds of situation: when detection node is in saturation condition, be parameter, adopt the sliding window threshold value of residual error diagnostic method that fast detecting is carried out in the attack of neighbor node with the biography frame count sequence of node every the Δ t time; When node is in unsaturated state, carry out detection based on the gene matching method.

Described part (1) MAC layer malicious attack detection mainly comprises following step:

(11) malicious attack is target to stop channel to use and destroy node data, attack changes various, attack result is not quite similar, or cause network delay, or cause the serious decline of each performance index such as throughput, packet loss, but its common result is: channel seriously descends every the biography frame count of Δ t time.Therefore, malicious attack is characteristic sequence with the biography frame count every Δ t time channel.

(12) adopt the sliding window detection method of double base accumulation, channel is passed the frame count sequence to carry out linear process to make its average is zero, then when occurring the malicious attack behavior in the network, serial mean becomes on the occasion of the interval, in order to accelerate detection speed, further new sequence is slided the window accumulated process, definition malicious attack decision function, given differentiation is carried out judgement based on interval and sliding window cumulative statistics result at interval.

The selfish attack detecting of described part (2) MAC layer mainly comprises following step:

(21) when detection node is in saturation condition, write down self node in biography frame count sequence every the Δ t time, the self-assembly of the virtual thymus gland of corresponding immune system, neighbor node every the biography frame count sequence of Δ t time to being the T cell in the virtual thymus gland, realize the self-tolerance process of T cell by the sliding window threshold value of residual error method of discrimination, " the negative selection " process of corresponding immunity principle, finish the initial examination and measurement of attacking node, the back off time sequence of the selfish node that be detected this moment will go on record, and through further coding and geneticization are handled, as genetic test body-maturation immunity cell antibody, these antibody can be in or detect neighbor node during unsaturated state whether have attack saturated in detection node.

(22) for selfish sexual assault, when detection node was in unsaturated state, the back off time sequence of the tested node that can only handle based on the genetic test body with through coding and geneticization adopted the gene matching method to carry out detection.

Described part (21) further comprises following content of operation:

(211) detection node is through calculating the biography frame count sequence of differences and the sequence of differences average of self node and each neighbor node;

(212) the sliding window that each sequence of differences is carried out in the certain hour is handled;

(213) rule of thumb choose discrimination threshold, determine selfish node based on discrimination formula.

(214) the back off time sequence of record selfish node;

(215) the back off time sequence of selfish node is encoded, give a code value to each back off time interval, the back off time that is in same interval is given unified code value.

(216) whether occur unusually in order to analyze keeping out of the way in a period of time, need be divided into the short sequence that is used to detect according to a large amount of back off time code value sequences that certain method will obtain.The back off time sequence of attacking node is that the sliding window of L is divided into some short sequences according to length for the R step-length, and these are lacked arrangement sets and have constituted the genetic test body.

Described part (22) further comprises following content of operation:

(221) the back off time sequence of the tested node of record, and be that the sliding window of L is divided into some short sequences according to length for the R step-length.These short arrangement sets have constituted tested antigen.

(222) because the back off time randomicity of sequences, traditional hamming distance and the similarity that R position matching algorithm can not two sequences of accurate description continuously, establishing length is two sequence U=(u of R ₁, u ₂..., u _R) and V=(v ₁, v ₂..., v _R), definition gene coupling discriminant function:

&lt;math><mrow><msub><mi>d</mi><mi>T</mi></msub><mrow><mo>(</mo><mi>Sim</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>V</mi><mo>)</mo></mrow><mo>)</mo></mrow>&lt;mtext>=</mtext>&lt;mfenced open='{' close=''>&lt;mtable>&lt;mtr>&lt;mtd><mn>0</mn></mtd>&lt;mtd>&lt;mtext>Sim</mtext><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>V</mi><mo>)</mo></mrow>&lt;mtext>&lt;T</mtext></mtd></mtr>&lt;mtr>&lt;mtd><mn>1</mn></mtd>&lt;mtd><mi>Sim</mi><mrow><mo>(</mo><mi>U</mi><mo>,</mo><mi>V</mi><mo>)</mo></mrow><mo>&amp;GreaterEqual;</mo><mi>T</mi></mtd></mtr></mtable></mfenced></mrow></math>

The present invention adopts a kind of MAC layer attacks method for comprehensive detection with low False Rate and very fast detection speed.Have following advantage:

Adopt channel to pass frame count, node biography frame count and back off time respectively at the detection that difference is attacked as characteristic sequence, only solved with the limitation problem of back off time, can carry out quite good detecting the various attack behavior as the traditional detection of characteristic sequence.

Detection method based on artificial immunity makes detection node no matter be in saturated and unsaturated state, can both the attack of neighbor node be detected.

From negative selection course as can be seen, select the self-assembly in the environment few and accurate, take less memory space and processing expenditure; Obtaining of self-assembly has less time-delay, and can adjust automatically according to network condition, has very strong dynamic; Each detects physical efficiency functionating independently, need not interchange and coordination between the detection bodies, and attack detects does not need to predict empirical data, has stronger robustness.

The present invention detects the MAC layer attacks has low False Rate and very fast detection speed, need not through change just can be by simple applications in existing network on a large scale, and satisfactory for result, application prospect is good.

Description of drawings

Fig. 1 is an attack detection method basic flow sheet of the present invention.

Fig. 2 is back off time sequential coding figure of the present invention.

Embodiment

For making purpose of the present invention, implementation and advantage more clear, the present invention is described in further detail below in conjunction with accompanying drawing.

Referring to Fig. 1, introduce the basic procedure of attack detection method of the present invention:

(1) malicious attack detection: malicious attack is target to stop channel to use and destroy node data, can cause the serious decline of each performance index such as network delay, throughput, packet loss usually, and is of a serious nature.Therefore, malicious attack is detected as the first road barrier for artificial immunity.The common result of different malicious attack behaviors is to cause channel seriously to descend every the biography frame count of Δ t time.Therefore, malicious attack is characteristic sequence with the biography frame count every Δ t time channel, adopts the sliding window detection method of double base accumulation.

(2) the selfish initial examination and measurement of attacking: selfish attack cause usually selfish node every the biography frame count of Δ t time obviously greater than biography frame count with legal node of time, but when detection node is in unsaturated state, the difference at interval because application layer is given out a contract for a project can not be as declaring.Therefore, when detection node is in saturation condition, be parameter with the biography frame count sequence of node every the Δ t time, adopt the sliding window threshold value of residual error diagnostic method that fast detecting is carried out in the attack of neighbor node.

(3) generate the genetic test body: the back off time of the selfish node that initial examination and measurement is obtained writes down, coding and geneticization, generates the genetic test body.

(4) genetic test: when node is in unsaturated state, carry out detection based on the gene matching method.

The sliding window detection method of the described double base accumulation of described part (1) malicious attack detection mainly comprises following steps:

(11) make Y _n=μ-X _n, Y then _nAverage be zero.X wherein _nFor channel passes frame count sequence, μ=E (X _n), when occurring the malicious attack behavior in the network, Y _nAverage at change point j place from 0 step to δ ∈ [a, b].

(12) in order to accelerate detection speed, to Y _nValue in u Δ t time, accumulate, obtain

Value,

${\stackrel{\&OverBar;}{Y}}_n=\left\{\begin{array}{cc}\frac{\underset{k=1}{\overset{n}{\mathrm{\&Sigma;}}}{\left(Y_n\right)}^{+}}{n}& n<u\\ \frac{\underset{k=n-u+1}{\overset{n}{\mathrm{\&Sigma;}}}{\left(Y_n\right)}^{+}}{u}& n\&GreaterEqual;u\end{array}\right.$

(13) definition malicious attack decision function d _h(D _u), given differentiation is h at interval, carries out to attack and judges

Wherein, $k_1=\frac{3a+b}{8},$ $k_2=\frac{a+3b}{8},$ $D_u=\max \{k_1{\stackrel{\&OverBar;}{Y}}_n-{k_1}^2,k_2{\stackrel{\&OverBar;}{Y}}_n-{k_2}^2\}$

The selfish sliding window threshold value of the described residual error of the initial examination and measurement diagnostic method of attacking of described part (2) mainly comprises following steps:

(21) detection node 0 is calculated the biography frame count sequence of differences of neighbor node i

And average μ ⁱ:

$\left\{Y_j^i\right\}=\{X_j^i-X_j^0\}$

Wherein Be node 0 j biography frame count,

J biography frame count for node i.

(22) with { Y of node i _jIn u Δ t time, slide window accumulation:

${y^{\&prime;}}_j=\left\{\begin{array}{cc}\underset{k=1}{\overset{j}{\mathrm{\&Sigma;}}}{y}_k& j<u\\ \underset{k=j-u+1}{\overset{j}{\mathrm{\&Sigma;}}}{y}_k& j\&GreaterEqual;u\end{array}\right.$

(23) attacking decision function is:

$d_h\left({y^{\&prime;}}_j\right)=\left\{\begin{array}{cc}0& {y^{\&prime;}}_j<h\\ 1& {y^{\&prime;}}_j\&GreaterEqual;h\end{array}\right.$

Described part (3) generates the genetic test body and mainly comprises following steps:

(31) the selfish back off time of attacking node of record;

(32) back off time of selfishness attack node is encoded, referring to shown in Figure 2, wherein backoff_time represents the node back off time, range represents a back off time interval, give a code value to each back off time interval, the back off time that is in same interval is given unified code value, thinks as broad as long between them.Upper_limit represents the back off time upper limit, also gives same code value for the back off time more than or equal to the upper limit.

(33) the back off time sequence behind the coding is carried out geneticization: the back off time sequence that will attack node is that the sliding window of L is divided into some short sequences according to length for the R step-length.As node back off time sequence is (3,6,18,7,27,5,10,4,1,6,9,3,6,33), then works as interval and gets 8, and upperlimit got 1024 o'clock, and its code value sequence is: (0,0,2,0,3,0,1,0,0,0,1,0,0,4).When getting R=8, during the sliding window of L=3, above-mentioned code value sequence is divided into 3 short sequences (0,0,2,0,3,0,1,0); (0,3,0,1,0,0,0,1); (1,0,0,0,1,0,0,4), these short arrangement set β={ β ₁, β ₂... β _nFormation genetic test body.

Described part (4) genetic test mainly comprises following steps:

(41) because the back off time randomicity of sequences, traditional hamming distance and the similarity that R position matching algorithm can not two sequences of accurate description continuously, the present invention adopts the gene matching process:

If length is two sequence U=(u of R ₁, u ₂..., u _R) and V=(v ₁, v ₂..., v _R), wherein U is the genetic test body, V is the short sequence of the back off time of tested node.Gene matching detection method is differentiated as follows:

Sim(U，V)＝Cor(U，V)/Cor _max

Cor _max＝Cor(U，U)

$\mathrm{Cor}(U,V)=\underset{i}{\mathrm{\&Sigma;}}w(U,V,i)$

$w(U,V,i)=(R-1)+\underset{j}{\mathrm{\&Sigma;}}w(U,V,i,j)-\left|{\mathrm{\&lambda;}}_i\right|$

$\left\{\begin{array}{cc}w(U,V,i,j)=1+w(U,V,i,j-1)& ,U_{i,j}=V_{i,j}\\ w(U,V,i,j)=0& ,j<0\mathrm{or}{U}_{i,j}\&NotEqual;V_{i,j}\end{array}\right.$

The above only is preferred embodiment of the present invention, not in order to restriction the present invention, all any modifications of being done within the spirit and principles in the present invention, is equal to and replaces and improvement etc., all should be included within protection scope of the present invention.

Claims (4)

1. MANET network attack detecting method based on artificial immunity, it is characterized in that: described detection method comprises the steps:

1), adopts the sliding window detection method of double base accumulation to malicious attack;

2) to selfish sexual assault detection zone in two kinds of situation: when detection node is in saturation condition, adopt the sliding window threshold value of residual error diagnostic method to carry out initial examination and measurement, and with the back off time sequence of detected attack node write down, after coding and the geneticization as the genetic test body; When being in unsaturated state, detection node adopts gene matching detection method.

2. network attack detecting method as claimed in claim 1 is characterized in that, described malicious attack detection step is:

1) detection node record channel is every the biography frame count sequence of Δ t time;

2) with the biography frame count sequence of channel as characteristic sequence, adopt the sliding window detection method of double base accumulation.

3. network attack detecting method as claimed in claim 1 is characterized in that, the detection step when described detection node is in saturation condition is:

1) writes down self and the biography frame count sequence of each neighbor node every the Δ t time;

2) be parameter with above-mentioned sequence, adopt the sliding window threshold value of residual error diagnostic method to carry out initial examination and measurement;

The back off time of beat time point of attacking against each other writes down, coding and geneticization, generates the genetic test body.

4. network attack detecting method as claimed in claim 1 is characterized in that, the gene matching detection method step when described detection node is in unsaturated state is:

1) matching degree of calculating genetic test body and tested node antigen;

2) judge according to discriminant function whether tested node is suspicious.

Images