CN103338451A - Method for detecting distributed malicious nodes in wireless sensor network - Google Patents

Abstract

The invention discloses a method for detecting distributed malicious nodes in a wireless sensor network. The method comprises the steps as follows: (1) determining suspected nodes of all nodes according to different request data RTS (request to send) sent by the nodes; (2) voting surrounding neighbor nodes by all the nodes in a local range, if the nodes are not the suspected nodes, voting by 1, and if the nodes are the suspected nodes, voting by -1; (3) calculating the voted mean values of all the nodes; (4) calculating the Bayes values of all the nodes according to a credibility-based Bayes algorithm; and (5) comparing the mean values and the Bayes values of all the nodes to determine the malicious nodes. Compared with the prior art, the method has the advantages of strong expandability, high detection rate, low false alarm rate and the like and can be used for detecting the malicious nodes in the wireless sensor network on different scales.

Description

Distributed malicious node detection method in a kind of wireless sensor network

Technical field

The malicious node Bayes who the present invention relates in the technical field of communication safety and comprising detects.Be specifically related to a kind of distributed malicious node detection algorithm, can be used for improving the verification and measurement ratio of malicious node in the wireless sensor network, be beneficial to better get rid of malicious node to the influence of network.

Background technology

Because advanced wireless communication technology and the fast development of microelectric technique make that sensor node becomes littler, the cost power consumption is lower, and have calculating and the ability of communicating by letter.Therefore, the research of wireless sensor network has become hot issue.Wireless sensor network is a kind of network of noninfrastructure, and it is to form by disposing a large amount of sensor nodes.But because the finite energy of sensor node, be that the mode by multi-hop communicates between node, can reduce the energy consumption of node like this.Wireless sensor network is mainly used in collecting the information of monitoring particular surroundings, for example: commerce, military affairs, health care, environmental monitoring.Node monitoring of environmental or target, and send the data to the SINK node by wireless communication technology.By analyzing the situation that data can obtain target.Yet because the design of transducer hardware, WSN is subjected to the restriction of many resources, and is little as computing capability, internal memory is little, finite energy etc.

Because wireless sensor network is made up of the brief biography sensor node of a large amount of cheapnesss, is deployed in usually in the not shielded zone of an opening.They are easy to be subjected to various dissimilar attacks.For example when wireless sensor network was applied to the battlefield, sensor node may be destroyed owing to enemy's invasion.Therefore we need consider the safety problem of sensor network.At typical attack pattern, people have proposed a prevention mechanism, according to the characteristics of various attack, have proposed corresponding prevention method.Yet prevention mechanism can not be resisted all attacks.So we need detect attack.Intruding detection system (IDS) often is used to detect the packet in the network, determines whether they are attackers.IDS can also improve the prevention system of network according to the character of the attack that obtains in addition.

IDS plays the effect of network monitoring and alarm in network.It can be reported to the police with the equipment in the protection system before the invader attacks.Two main models of invader's monitoring are respectively that abnormality detection and misuse detect. the abnormality detection model is exactly that the model of setting up a normal behaviour compares with the behavior that needs to detect.Abnormality detection has higher recall rate, but rate of false alarm is also big.The accuracy of detection height that misuse detects, but the speed that detects is very low.Particularly misuse detects and can not detect unknown attack.Can many researchers have discussed and the advantage of abnormality detection and misuse detection mixed.Like this, the detection of mixing has just had the advantage that can detect unknown attack of abnormality detection and misuse to detect the high advantage of accuracy of detection.The intruding detection system (HIDS) of mixing has just reached the target of doing verification and measurement ratio and low rate of false alarm.

At present in the wireless sensor network, because the assailant has multiple attack mode to network, the malicious node of the more ratios of layout certainly will cause the reinforcement to network attack in network, if carrying out malicious node according to the mode of ballot in the past detects, just be difficult to detect malicious node, can make normal node greatly be detected as malicious node on the contrary.

More than these drawbacks limit the performance of wireless sensor network, under the situation that can not better detect malicious node, caused the probability that network attacked to increase, certainly will cause network cisco unity malfunction or the data that have been stolen.

Summary of the invention

The objective of the invention is to overcome the deficiency of above-mentioned prior art, a kind of distributed malicious node detection algorithm is provided, introduce the Bayes's detection algorithm according to confidence level, to improve the verification and measurement ratio of malicious node in network.

Technical scheme of the present invention is: by the suspicious malicious node that comes to determine each node suspection unusually of request message, introduce confidence level by two kinds of dissimilar nodes (malicious node and normal node) in the network, determine malicious node by Bayes's average then, network just can carry out Heal Thyself, eliminates the influence of malicious node.

To achieve these goals, the technical solution used in the present invention is as follows:

Distributed malicious node detection method has gateway node SINK in a kind of wireless sensor network in network, and wireless sensor node, said method comprising the steps of:

(1) in area is the plane domain of S=L * L, shed the wireless sensor node of N isomorphism at random, gateway node SINK is positioned at the edge, monitored area, is responsible for receiving image data and carrying out analyzing and processing;

(2) the malicious node attack mode adopts the ID of the normal node that disguises oneself as, and sends a plurality of requests then and accepts data packet, when it receives the data that just can receive other node after data are accepted in the allowance of other node;

(3) node is received when data demand information is accepted in the request of its neighbor node transmission, by with network in default request accept data interval and compare, the neighbours of this node are suspected by this node and are malicious node if the request that these neighbours send accepts that data surpass the preset threshold value scope;

(4) continuing execution in step (2)～(3) in the next time period continues malicious node is detected;

Wherein, described preset threshold value scope is [1,2].

Need to prove that described comparative approach is as follows:

(1) suppose that network always has N node, NI normal node wherein arranged, NM malicious node is for node v _iWith node v _jIf throw positive ticket, node v is described then _iDetect v _jBe normal, this seasonal v _Ij=1 representative detects normal, otherwise v _Ij=-1 detection is undesired, and definition KI is the confidence level of normal node, and KM is the confidence level of malicious node:

$\mathrm{KM}=\frac{\mathrm{NM}}{\mathrm{NI}+\mathrm{NM}}$

By following formula for node v _iThe sum of overall ballot calculate better accuracy arranged, namely

${\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}=\mathrm{KI}*{\mathrm{\Σ}}_{i=1}^{\mathrm{NI}}{v}_{\mathrm{ji}}+\mathrm{KM}*{\mathrm{\Σ}}_{j=1}^{\mathrm{NM}}{v}_{\mathrm{ji}}$

Wherein

The ballot sum of representation node i,

Represent the ballot value of normal node in the communication radius scope,

Represent the ballot value of malicious node in the communication radius scope;

Then the overall ballot average of network is:

$\mathrm{ave}\_\mathrm{voting}=\frac{{\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}}{\mathrm{NI}+\mathrm{NM}}$

The average of network equals:

$\mathrm{ave}\_\mathrm{neibor}=\frac{{\mathrm{\Σ}}_{i=1}^{\mathrm{NI}+\mathrm{NM}}{v}_i\_\mathrm{neibor}}{\mathrm{NI}+\mathrm{NM}}$

V wherein _i_ neibor representation node v _iVotes;

According to Bayesian model

Can obtain node v _iBayes's detected value:

$\mathrm{WR}\left(v_i\right)=\frac{\mathrm{ave}\_\mathrm{neibor}*\mathrm{ave}\_\mathrm{voting}+{\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}}{v_i\_\mathrm{neibor}+\mathrm{ave}\_\mathrm{neibor}}$

Wherein

Be Bayes's average of this user, C is each user's average votes, and n is this user's existing votes, and m is the average of totally voting, x _iBe the value of every ballot paper, WR (v wherein _i) representation node v _iBayes's average, ave_neibor represents the average votes of network, ave_voting represents the overall ballot average of network, The ballot sum of representation node i;

(2) suppose v _i_ voting representation node v _iThe ballot value, if itself and Bayes average WR (v that votes itself _i) difference surpass preset threshold value, think that then it is exactly malicious node:

|WR(v _i)-v _i_voting|＞Threshold;

Wherein said pre-set threshold value Threshold=1.

The present invention has following advantage:

1, the present invention is applicable to the wireless sensor network of multiple topology, and (link change, node motion) can detect mobile malicious node by the detection of next time period is more effective under dynamic network condition;

What 2, propose among the present invention detects based on the Bayes under the confidence level situation, and the inefficiencies of having avoided average ballot to detect still can detect malicious node under the situation that the malicious node ratio increases in network efficiently;

3, the present invention is applicable to large-scale wireless sensor network, has good expandability.

Description of drawings

Fig. 1 is general flow chart of the present invention;

Fig. 2 is verification and measurement ratio the comparison diagram under different node numbers of the present invention with prior art;

Fig. 3 is rate of false alarm the comparison diagram under different node numbers of the present invention with prior art;

Fig. 4 is the comparison diagram of verification and measurement ratio under the different communication radius of the present invention and prior art;

Fig. 5 is the comparison diagram of rate of false alarm under the different communication radius of the present invention and prior art;

Fig. 6 is verification and measurement ratio the comparison diagram under different malicious node numbers of the present invention with prior art;

Fig. 7 is rate of false alarm the comparison diagram under different malicious node numbers of the present invention with prior art.

Embodiment

For making the purpose, technical solutions and advantages of the present invention clearer, the present invention will be further described below in conjunction with accompanying drawing.

As shown in Figure 1, performing step of the present invention is as follows:

(1) in area is the plane domain of S=L * L, shed the wireless sensor node of N isomorphism at random, the SINK node is positioned at the edge, monitored area, is responsible for receiving image data and carrying out analyzing and processing;

(2) the malicious node attack mode adopts the ID of the normal node that disguises oneself as, and sends a plurality of requests then and accepts data packet, just can receive the data of other node after data are accepted in the allowance of receiving other node;

(3) node receives that the request msg that its neighbor node sends requires information request to accept data, by with network in default request accept data interval and compare, if the request that this neighbours send accept data surpass preset threshold value scope [1,2] then the neighbours of this node suspected by this node and be malicious node;

(3a) the hypothesis network always has N node, and NI normal node wherein arranged, and NM malicious node is for node v _iWith node v _jIf throw positive ticket, node v is described then _iDetect v _jBe normal, this seasonal v _Ij=1 representative detects normal, otherwise v _Ij=-1 detection is undesired.Definition KI is the confidence level of normal node, and KM is the confidence level of malicious node:

$\mathrm{KI}=\frac{\mathrm{NI}}{\mathrm{NI}+\mathrm{NM}},$ $\mathrm{KM}=\frac{\mathrm{NM}}{\mathrm{NI}+\mathrm{NM}};$

By following formula for node v _iThe sum of overall ballot calculate better accuracy arranged, namely

${\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}=\mathrm{KI}*{\mathrm{\Σ}}_{j=1}^{\mathrm{NI}}{v}_{\mathrm{ji}}+\mathrm{KM}*{\mathrm{\Σ}}_{j=1}^{\mathrm{NM}}{v}_{\mathrm{ji}};$

Wherein The ballot sum of representation node i,

Represent the ballot value of normal node in the communication radius scope,

Represent the ballot value of malicious node in the communication radius scope.

Then the overall ballot average of network is:

$\mathrm{ave}\_\mathrm{voting}=\frac{{\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}}{\mathrm{NI}+\mathrm{NM}};$

The average of network equals

$\mathrm{ave}\_\mathrm{neibor}=\frac{{\mathrm{\Σ}}_{i=1}^{\mathrm{NI}+\mathrm{NM}}{v}_i\_\mathrm{neibor}}{\mathrm{NI}+\mathrm{NM}};$

V wherein _i_ neibor representation node v _iVotes.

According to Bayesian model

Can obtain node v _iBayes's detected value:

$\mathrm{WR}\left(v_i\right)=\frac{\mathrm{ave}\_\mathrm{neibor}*\mathrm{ave}\_\mathrm{voting}+{\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}}{v_i\_\mathrm{neibor}+\mathrm{ave}\_\mathrm{neibor}};$

Wherein

Be Bayes's average of this user, C is each user's average votes, and n is this user's existing votes, and m is the average of totally voting, x _iBe the value of every ballot paper, WR (v wherein _i) representation node v _iBayes's average, ave_neibor represents the average votes of network, ave_voting represents the overall ballot average of network,

The ballot sum of representation node i;

(3b) we suppose v _i_ voting representation node v _iThe ballot value, if it and the Bayes average WR (v that votes itself _i) difference surpass certain threshold value, think that then it is exactly malicious node:

|WR(v _i)-v _i_voting|＞Threshold。

Need to prove described pre-set threshold value Threshold=1

(4) continuing execution in step (2)～(3) in the next time period continues malicious node is detected.

For a better understanding of the present invention, specific algorithm of the present invention is as follows:

Node v _iDistributed Bayes's detection algorithm

1:Input: node v _iThe information table N of neighbor node _i

2:v _iThe information table S of the suspection node of node _i=NULL

3: input node v _iThe information table Q that receives _i=NULL

4: node v _iStatistics table N _iIn the RTS value of each neighbor node, the RTS information table is C _i=0

5：if?time≠0

6: the information Q that collects neighbor node _i

7：end?if

The number of 8:for j=1 to neighbor node

9：if?C _i[j]＞RTS?Threshold

10：

11:else?if?v _ij＝1

12:end?if

13：end?if

14：end?for

The number of node in the 15:for i=1to network

16: computing node v _iBallot average m[i] and Bayes's average Bys[i]

17：end?if

18：end?for

The number of node in the 19:for i=1 to network

20：if?|m[i]-Bys[i]|＞Threshold

21: node v _iBe detected as the attack node of malice

22：end?if

23：end?for

24:Output: malicious node set

Effect of the present invention can be further detailed by following The simulation experiment result.

Verification and measurement ratio: testing process is defined as the ratio that malicious node is detected in the network.

Rate of false alarm: rate of false alarm is defined as in the network normal node by as the detected ratio of malicious node.

1, simulated conditions:

In area is the plane domain of S=L * L, shed the wireless sensor node of N isomorphism at random, the SINK node is positioned at the edge, monitored area, is responsible for receiving image data and carrying out analyzing and processing.Carry out local communication between node.

2, emulation content and simulation result:

Emulation 1, to the verification and measurement ratio of the present invention and prior art DDD and rate of false alarm along with the variation of node number in the network is carried out emulation relatively, simulation result such as Fig. 2, shown in Figure 3 can draw the present invention and have the higher detection rate under different node numbers, and have lower rate of false alarm.Though this is because the integral node number has increased, because the present invention has considered the ratio of malicious node in the node in the detection of malicious node, has increased the influence of confidence level.

Emulation 2, to the verification and measurement ratio of the present invention and prior art DDD and rate of false alarm along with the variation of node communication radius in the network is carried out emulation relatively, simulation result such as Fig. 4, shown in Figure 5, can draw the present invention and under different node communication radiuses, have the higher detection rate, and have lower rate of false alarm.

Emulation 3, to the verification and measurement ratio of the present invention and prior art DDD and rate of false alarm along with the variation of malicious node number in the network is carried out emulation relatively, simulation result such as Fig. 6, Fig. 7 can draw the present invention and have the higher detection rate under different malicious node numbers, and have lower rate of false alarm.This is because in ballot, increase along with the malicious node number, normal node is easy to be thrown negative ticket, so just cause a plurality of nodes that he is thrown negative ticket and finally causes being detected as malicious node, and our algorithm has been considered the ratio of ballot, so just effectively limited the total value of negative ticket, and made that detection is more accurate.

For a person skilled in the art, can make other various corresponding changes and distortion according to technical scheme described above and design, and these all changes and distortion should belong within the protection range of claim of the present invention all.

Claims (2)

1. distributed malicious node detection method in the wireless sensor network has gateway node SINK in network, and wireless sensor node, it is characterized in that, said method comprising the steps of:

(1) in area is the plane domain of S=L * L, shed the wireless sensor node of N isomorphism at random, gateway node SINK is positioned at the edge, monitored area, is responsible for receiving image data and carrying out analyzing and processing;

(2) the malicious node attack mode adopts the ID of the normal node that disguises oneself as, and sends a plurality of requests then and accepts data packet, when it receives the data that just can receive other node after data are accepted in the allowance of other node;

(3) node is received when data demand information is accepted in the request of its neighbor node transmission, by with network in default request accept data interval and compare, the neighbours of this node are suspected by this node and are malicious node if the request that these neighbours send accepts that data surpass the preset threshold value scope;

(4) continuing execution in step (2)～(3) in the next time period continues malicious node is detected;

Wherein, described preset threshold value scope is [1,2].

2. malicious node detection method according to claim 1 is characterized in that, described comparative approach is as follows:

(1) suppose that network always has N node, NI normal node wherein arranged, NM malicious node is for node v _iWith node v _jIf throw positive ticket, node v is described then _iDetect v _jBe normal, this seasonal v _Ij=1 representative detects normal, otherwise v _Ij=-1 detection is undesired, and definition KI is the confidence level of normal node, and KM is the confidence level of malicious node:

$\mathrm{KI}=\frac{\mathrm{NI}}{\mathrm{NI}+\mathrm{NM}},$ $\mathrm{KM}=\frac{\mathrm{NM}}{\mathrm{NI}+\mathrm{NM}};$

By following formula for node v _iThe sum of overall ballot calculate better accuracy arranged, namely

${\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}={\mathrm{KI}*\mathrm{\Σ}}_{j=1}^{\mathrm{NI}}{v}_{\mathrm{ji}}+\mathrm{KM}*{\mathrm{\Σ}}_{j=1}^{\mathrm{NM}}{v}_{\mathrm{ji}};$

Wherein

The ballot sum of representation node i,

Represent the ballot value of normal node in the communication radius scope,

Represent the ballot value of malicious node in the communication radius scope;

Then the overall ballot average of network is:

$\mathrm{ave}\_\mathrm{voting}=\frac{{\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}}{\mathrm{NI}+\mathrm{NM}};$

The average of network equals:

$\mathrm{ave}\_\mathrm{neibor}=\frac{{\mathrm{\Σ}}_{i=1}^{\mathrm{NI}+\mathrm{NM}}{v}_i\_\mathrm{neibor}}{\mathrm{NI}+\mathrm{NM}};$

V wherein _i_ neibor representation node v _iVotes;

According to Bayesian model

Can obtain node v _iBayes's detected value:

$\mathrm{WR}\left(v_i\right)=\frac{\mathrm{ave}\_\mathrm{neibor}*\mathrm{ave}\_\mathrm{voting}+{\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}}{v_i\_\mathrm{neibor}+\mathrm{ave}\_\mathrm{neibor}};$

Wherein Be Bayes's average of this user, C is each user's average votes, and n is this user's existing votes, and m is the average of totally voting, x _iBe the value of every ballot paper, WR (v wherein _i) representation node v _iBayes's average, ave_neibor represents the average votes of network, ave_voting represents the overall ballot average of network, The ballot sum of representation node i;

(2) suppose v _i_ voting representation node v _iThe ballot value, if itself and Bayes average WR (v that votes itself _i) difference surpass preset threshold value, think that then it is exactly malicious node:

|WR(v _i)-v _i_voting|＞Threshold；

Wherein said pre-set threshold value Threshold=1.

Images