A MANET network attack detection method based on artificial immunity
Technical field
The present invention relates generally to the field of network communication technology, and more specifically to a comprehensive detection method for network attacks at the MAC layer of a MANET network.
Background technology
A MANET is a distributed system made up of many autonomous nodes. Because it lacks centralised management and control, an autonomous node may, out of malicious sabotage or self-interest, launch security attacks on the network and reduce its trustworthiness. These attacks mainly include: at the routing layer, not participating in routing or not forwarding the packets generated by other nodes; at the MAC layer, seizing or interfering with channel use by illegal means; at the physical layer, arbitrarily adjusting transmission power to obtain a better signal-to-noise ratio, or selecting suitable waveforms to reduce interference. Among these, MAC layer attacks are the most typical. This is because: a security attack at the MAC layer directly affects access to the wireless channel, channel utilisation and the overall performance of the network; most wireless nodes use the same MAC layer access protocol, IEEE 802.11, which makes MAC layer attacks more effective than attacks at other layers; and because of the random nature inherent in the IEEE 802.11 DCF protocol and the unreliability of the wireless medium itself, it is difficult to distinguish a node's attack from an accidental protocol malfunction, so MAC layer attack behaviour is hidden and detecting attacking nodes is a greater challenge. How to detect MAC layer attacks effectively has become a research focus of trustworthy wireless networking.
Current domestic and international detection of MAC layer security attacks falls broadly into two classes. The first class requires modifying the IEEE 802.11 MAC protocol so as to detect and resist node attacks; the common drawback of this class of algorithm is incompatibility with the existing protocol standard, which makes the method infeasible. The second class uses statistical concepts, detecting the statistical characteristics of related parameters to decide whether an attack exists, for example SPRT (sequential probability ratio test) detection. This detection method is suitable for simple selfish attacks, but intelligent behaviours can adapt to evade detection. The sequential detection statistical algorithm based on K-S proposed by Toledo et al., for example, does not need to know the node's attack strategy in advance, but it does need to know in advance the probability distribution model of the detected sequence in a normal environment, which is a difficult problem for the MAC layer access protocol of a dynamic Ad Hoc network with stochastic behaviour. The central-limit-theorem detection algorithm and the Markov chain multi-step detection model have a lower false rate and faster detection speed, but, like the classical DOMINO algorithm, they apply only to selfish attacks that contend for the wireless channel by modifying the back-off time strategy, and so have considerable limitations.
There are many types of MAC layer attack on the IEEE 802.11 protocol, each with its own attack means, and intelligent attacks are hard to distinguish from legitimate node behaviour because of the stochastic nature of 802.11 back-off times, which increases the difficulty of detection. Attacks on the MAC layer IEEE 802.11 protocol are diverse, dynamic and intelligent, and traditional detection methods have considerable limitations. As research into immune systems has deepened, various artificial immune algorithms have been proposed; artificial immunity is used more and more in fields such as engineering optimisation, data mining, control and fault diagnosis, and has become a hot topic of artificial intelligence research.
Summary of the invention
In view of this, the present invention adopts a comprehensive MAC layer network attack detection method with a low false rate and fast detection speed. For malicious attacks, the channel frame count per Δt time is taken as the characteristic sequence and a double-base accumulation sliding-window detection method is adopted. Depending on the state of the detection node, selfish attack detection adopts two different modes: a node in the saturated state performs fast detection of neighbour node attacks using a residual sliding-window threshold discrimination method, and a node in the unsaturated state uses a gene matching detection method. The method of the invention detects the various MAC layer attacks on the IEEE 802.11 protocol quickly and efficiently; it is a relatively ideal, low-delay, high-accuracy and practical technical scheme, applicable to a variety of complex and dynamic wireless network environments.
To achieve the above object, the invention provides a MANET network attack detection method based on artificial immunity, characterised in that it comprises the following components:
(1) Malicious attacks aim to block channel use and destroy node data; they are serious in nature and usually cause a severe decline in performance indicators such as network delay, throughput and packet loss. When malicious attacks are present in the network, the harm done by selfish attacks becomes very small. Malicious attack detection is therefore the first barrier of the artificial immunity. The common result of the different malicious attack behaviours is a severe drop in the channel frame count per Δt time. Therefore, for malicious attacks the channel frame count per Δt time is taken as the characteristic sequence and the double-base accumulation sliding-window detection method is adopted.
(2) Selfish attacks aim to increase channel contention priority and so seize the channel, trading the bandwidth and delay of other competing nodes for an improvement in the node's own performance. Although selfish behaviours vary, their common result is that the selfish node's frame count per Δt time is obviously greater than that of legitimate nodes in the same time; but when the detection node is in the unsaturated state this difference cannot serve as the criterion, because of the application-layer packet sending interval. Selfish attack detection is therefore divided into two cases: when the detection node is in the saturated state, the node's frame-count sequence per Δt time is taken as the parameter and the residual sliding-window threshold discrimination method is used for fast detection of neighbour node attacks; when the node is in the unsaturated state, detection is based on the gene matching method.
The MAC layer malicious attack detection of part (1) mainly comprises the following steps:
(11) Malicious attacks aim to block channel use and destroy node data. The attacks vary and their results are not identical, causing network delay or a severe decline in performance indicators such as throughput and packet loss, but their common result is a severe drop in the channel frame count per Δt time. Therefore the channel frame count per Δt time is taken as the characteristic sequence for malicious attacks.
(12) The double-base accumulation sliding-window detection method is adopted: the channel frame-count sequence is linearly transformed so that its mean is zero; when malicious attack behaviour appears in the network, the mean of the sequence moves into a positive interval. To speed up detection, the new sequence is further processed by sliding-window accumulation, a malicious attack decision function is defined, and a judgement is made on the basis of a given discrimination interval and the sliding-window accumulated statistic.
The MAC layer selfish attack detection of part (2) mainly comprises the following steps:
(21) When the detection node is in the saturated state, it records its own frame-count sequence per Δt time, which corresponds to the self set of the virtual thymus of the immune system; the frame-count sequences per Δt time of the neighbour nodes correspond to the T cells in the virtual thymus. The self-tolerance process of the T cells, corresponding to the "negative selection" process of the immune principle, is realised by the residual sliding-window threshold discrimination method, which completes the initial detection of attacking nodes. The back-off time sequence of the selfish node detected at this point is recorded and, after further coding and genetic processing, serves as the genetic detector body, the mature immune cell antibody; these antibodies can detect whether a neighbour node is attacking both when the detection node is saturated and when it is unsaturated.
(22) For selfish attacks, when the detection node is in the unsaturated state, detection can only be based on the genetic detector body and the coded, genetically processed back-off time sequence of the tested node, using the gene matching method.
Part (21) further comprises the following operations:
(211) The detection node computes the frame-count difference sequence between itself and each neighbour node, and the mean of each difference sequence;
(212) each difference sequence is processed with a sliding window over a certain time;
(213) a discrimination threshold is chosen empirically and selfish nodes are determined according to the discrimination formula;
(214) the back-off time sequence of the selfish node is recorded;
(215) the back-off time sequence of the selfish node is coded: each back-off time interval is given a code value, and back-off times in the same interval receive the same code value.
(216) To analyse whether the back-off behaviour within a period is abnormal, the large number of back-off time code sequences obtained must be divided by some method into short sequences used for detection. The back-off time sequence of the attacking node is divided into short sequences by a sliding window of length R and step L; the set of these short sequences constitutes the genetic detector body.
Part (22) further comprises the following operations:
(221) The back-off time sequence of the tested node is recorded and divided into short sequences by a sliding window of length R and step L. The set of these short sequences constitutes the tested antigen.
(222) Because of the randomness of back-off time sequences, the traditional Hamming distance and the continuous R-bit matching algorithm cannot accurately describe the similarity of two sequences. Let $U=(u_1,u_2,\ldots,u_R)$ and $V=(v_1,v_2,\ldots,v_R)$ be two sequences of length R; the gene matching discriminant function is defined as:
$$d_T(\mathrm{Sim}(U,V)) = \begin{cases} 0 & \mathrm{Sim}(U,V) < T \\ 1 & \mathrm{Sim}(U,V) \ge T \end{cases}$$
The present invention adopts a comprehensive MAC layer attack detection method with a low false rate and fast detection speed, and has the following advantages:
The channel frame count, the node frame count and the back-off time are used respectively as characteristic sequences for detecting different attacks. This removes the limitation of traditional detection, which uses only the back-off time as the characteristic sequence, and allows the various attack behaviours to be detected well.
The detection method based on artificial immunity allows the detection node to detect attacks by neighbour nodes whether it is in the saturated or the unsaturated state.
As can be seen from the negative selection process, the self set selected from the environment is small and accurate, taking little storage space and processing overhead; the self set is obtained with little delay and adjusts automatically to network conditions, so it is highly dynamic; each detector can function independently, with no exchange or coordination needed between detectors, and attack detection requires no prior empirical data, so it is highly robust.
The present invention detects MAC layer attacks with a low false rate and fast detection speed, can be applied simply and on a large scale in existing networks without modification, and gives satisfactory results with good application prospects.
Description of drawings
Fig. 1 is a basic flow chart of the attack detection method of the present invention.
Fig. 2 is the back-off time sequence coding diagram of the present invention.
Embodiment
To make the purpose, implementation and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, the basic procedure of the attack detection method of the present invention is as follows:
(1) Malicious attack detection: malicious attacks aim to block channel use and destroy node data, usually cause a severe decline in performance indicators such as network delay, throughput and packet loss, and are serious in nature. Malicious attack detection is therefore the first barrier of the artificial immunity. The common result of the different malicious attack behaviours is a severe drop in the channel frame count per Δt time. Therefore, for malicious attacks the channel frame count per Δt time is taken as the characteristic sequence and the double-base accumulation sliding-window detection method is adopted.
(2) Initial detection of selfish attacks: a selfish attack usually causes the selfish node's frame count per Δt time to be obviously greater than that of legitimate nodes in the same time; but when the detection node is in the unsaturated state this difference cannot serve as the criterion, because of the application-layer packet sending interval. Therefore, when the detection node is in the saturated state, the node's frame-count sequence per Δt time is taken as the parameter and the residual sliding-window threshold discrimination method is used for fast detection of neighbour node attacks.
(3) Generation of the genetic detector body: the back-off times of the selfish node found by the initial detection are recorded, coded and genetically processed to generate the genetic detector body.
(4) Genetic test: when the node is in the unsaturated state, detection is carried out on the basis of the gene matching method.
The double-base accumulation sliding-window detection method of part (1), malicious attack detection, mainly comprises the following steps:
(11) Let $Y_n = \mu - X_n$; then the mean of $Y_n$ is zero, where $X_n$ is the channel frame-count sequence and $\mu = E(X_n)$. When malicious attack behaviour appears in the network, the mean of $Y_n$ steps from 0 to $\delta \in [a, b]$ at the change point $j$.
(12) To speed up detection, the values of $Y_n$ within a $u\,\Delta t$ time window are accumulated to obtain the value $D_u$:
(13) The malicious attack decision function $d_h(D_u)$ is defined; given the discrimination interval $h$, the attack judgement is made as follows:
where
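Steps (11) to (13) as an added Python example, not code from the patent: the residual Y_n = μ − X_n, its accumulation over windows of u samples (u·Δt time), and a threshold decision. The patent's own formulas for D_u and d_h are not reproduced on this page, so the plain window sum and the rule "attack when D_u ≥ h" are assumptions, as is the constructed frame-count series.

```python
from statistics import mean

def residual_series(x, mu):
    """Step (11): Y_n = mu - X_n, where X_n is the channel frame count per
    delta_t and mu = E(X_n) estimated from attack-free traffic. Y_n has zero
    mean in normal operation and a positive mean once the channel count drops."""
    return [mu - xn for xn in x]

def window_sums(y, u):
    """Step (12): accumulate Y_n over every sliding window of u samples
    (u * delta_t time). The patent's exact D_u formula is not on the page;
    a plain window sum is assumed here."""
    return [sum(y[i:i + u]) for i in range(len(y) - u + 1)]

def d_h(D_u, h):
    """Step (13), assumed decision rule: 1 (attack) when the accumulated
    residual reaches the discrimination interval h, otherwise 0."""
    return 1 if D_u >= h else 0

def detect_malicious(x, mu, u, h):
    """Return the index of the first window judged to be a malicious attack,
    or None when no window reaches h."""
    for i, D_u in enumerate(window_sums(residual_series(x, mu), u)):
        if d_h(D_u, h):
            return i
    return None

# Constructed sample: channel frame counts per delta_t, about 20 frames in
# normal operation, then a sharp drop from sample index 7 onwards.
BASELINE = [20, 21, 19, 20, 22, 18, 20, 19, 21, 20]
ATTACKED = [20, 21, 19, 20, 22, 18, 20, 5, 4, 6, 5, 3]

if __name__ == "__main__":
    mu = mean(BASELINE)  # 20.0 for the constructed baseline
    print(detect_malicious(ATTACKED, mu, u=3, h=30))  # first flagged window index
```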
The residual sliding-window threshold discrimination method for the initial detection of selfish attacks of part (2) mainly comprises the following steps:
(21) Detection node 0 computes the frame-count difference sequence $\{Y_j\}$ of neighbour node $i$ and its mean $\mu_i$:
where the two quantities are the $j$-th frame count of node 0 and the $j$-th frame count of node $i$, respectively.
(22) The $\{Y_j\}$ of node $i$ are accumulated by a sliding window over the $u\,\Delta t$ time:
(23) The attack decision function is:
Part (3), generating the genetic detector body, mainly comprises the following steps:
(31) The back-off times of the selfish attacking node are recorded;
(32) the back-off times of the selfish attacking node are coded, as shown in Fig. 2, where backoff_time denotes the node's back-off time and range denotes a back-off time interval. Each back-off time interval is given a code value; back-off times in the same interval receive the same code value and are regarded as indistinguishable. Upper_limit denotes the upper limit of the back-off time; back-off times greater than or equal to the upper limit also receive the same code value.
(33) The coded back-off time sequence is genetically processed: the attacking node's back-off time sequence is divided into short sequences by a sliding window of length R and step L. For example, if a node's back-off time sequence is (3,6,18,7,27,5,10,4,1,6,9,3,6,33), the interval is 8 and upper_limit is 1024, its code value sequence is (0,0,2,0,3,0,1,0,0,0,1,0,0,4). With a sliding window of R=8 and L=3, this code value sequence is divided into 3 short sequences (0,0,2,0,3,0,1,0); (0,3,0,1,0,0,0,1); (1,0,0,0,1,0,0,4), and the set of these short sequences $\beta = \{\beta_1, \beta_2, \ldots, \beta_n\}$ constitutes the genetic detector body.
Part (4), the genetic test, mainly comprises the following steps:
(41) Because of the randomness of back-off time sequences, the traditional Hamming distance and the continuous R-bit matching algorithm cannot accurately describe the similarity of two sequences; the present invention adopts the gene matching process:
Let $U=(u_1,u_2,\ldots,u_R)$ and $V=(v_1,v_2,\ldots,v_R)$ be two sequences of length R, where $U$ is the genetic detector body and $V$ is a short back-off time sequence of the tested node. The gene matching detection method discriminates as follows:
$$\mathrm{Sim}(U,V) = \frac{\mathrm{Cor}(U,V)}{\mathrm{Cor}_{\max}}, \qquad \mathrm{Cor}_{\max} = \mathrm{Cor}(U,U)$$
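Steps (32), (33) and (41) together, as an added Python example that is not the patent's own code: back-off coding, the sliding-window split into the genetic detector body, and the gene matching test d_T against a tested node's antigen. The patent does not define Cor, so this example assumes the normalised cross-correlation (cosine similarity) of the two code vectors; the tested-node back-off sequences are constructed, while the detector sequence and the parameters interval=8, upper_limit=1024, R=8, L=3 are the patent's worked example.

```python
import math

def encode_backoff(backoff_times, interval=8, upper_limit=1024):
    """Step (32): each back-off time gets the code value of its interval;
    times at or above upper_limit all receive the same code value."""
    return [min(t, upper_limit) // interval for t in backoff_times]

def split_sequences(codes, R=8, L=3):
    """Steps (33)/(221): cut the code sequence with a sliding window of
    length R and step L; a trailing window shorter than R is dropped."""
    return [tuple(codes[i:i + R]) for i in range(0, len(codes) - R + 1, L)]

def cor(u, v):
    """Cor(U,V) is not defined in the patent; assumed here to be the normalised
    cross-correlation (cosine similarity) of the two code vectors, so that
    large legitimate back-off values cannot inflate the score."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return 0.0 if nu == 0 or nv == 0 else dot / (nu * nv)

def sim(u, v):
    """Sim(U,V) = Cor(U,V) / Cor_max with Cor_max = Cor(U,U). With the
    normalised Cor assumed above Cor_max is 1; it is kept so the code follows
    the patent's formula. An all-zero detector carries no information."""
    cor_max = cor(u, u)
    return 0.0 if cor_max == 0 else cor(u, v) / cor_max

def d_T(u, v, T):
    """Step (41) discriminant: 1 when Sim(U,V) >= T, otherwise 0."""
    return 1 if sim(u, v) >= T else 0

def build_detectors(selfish_backoff, interval=8, upper_limit=1024, R=8, L=3):
    """Genetic detector body beta: the short code sequences of a node already
    identified as selfish during the saturated-state initial detection."""
    codes = encode_backoff(selfish_backoff, interval, upper_limit)
    return set(split_sequences(codes, R, L))

def gene_test(detectors, tested_backoff, T, interval=8, upper_limit=1024, R=8, L=3):
    """Unsaturated-state test: the tested node is flagged when any short
    sequence of its antigen matches any detector at threshold T."""
    antigen = split_sequences(encode_backoff(tested_backoff, interval, upper_limit), R, L)
    return any(d_T(u, v, T) for u in detectors for v in antigen)

# The patent's worked example: back-off sequence of a detected selfish node.
SELFISH = [3, 6, 18, 7, 27, 5, 10, 4, 1, 6, 9, 3, 6, 33]
DETECTORS = build_detectors(SELFISH)

if __name__ == "__main__":
    print(encode_backoff(SELFISH))   # [0, 0, 2, 0, 3, 0, 1, 0, 0, 0, 1, 0, 0, 4]
    print(sorted(DETECTORS))         # the three short sequences from step (33)
```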
The above is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of its protection.