CN103338451B - Distributed malicious node detection method in a kind of wireless sensor network - Google Patents

Abstract

The invention discloses distributed malicious node detection method in a kind of wireless sensor network, implementation step is: the difference of request data RTS that (1) sends according to node determines the suspection node of each node；(2) in subrange, surrounding neighbours node is voted by each node, if not suspecting that node throws positive ticket 1, if suspecting that node throws negative ticket 1；(3) each node calculate oneself be voted-for mean value；(4) each node calculates the Bayes's value of oneself according to the bayesian algorithm based on confidence level；(5) it is worth size determines malicious node by comparing the average of each node and Bayes.The present invention compared with prior art, has the advantages such as extensibility is strong, verification and measurement ratio is high, rate of false alarm is low, can be used for realizing the malicious node detection of different scales wireless sensor network.

Description

Distributed malicious node detection method in a kind of wireless sensor network

Technical field

The present invention relates to the malicious node Bayesian detection in technical field of communication safety and comprising.It is specifically related to a kind of distributed Malicious node detection algorithm, can be used for improving the verification and measurement ratio of malicious node in wireless sensor network, is beneficial to preferably get rid of The impact on network for the malicious node.

Background technology

Fast development due to advanced wireless communication technology and microelectric technique so that sensor node become less, Cost power consumption is lower, and has the ability calculating and communicating.Therefore, the research of wireless sensor network has had changed into focus Problem.Wireless sensor network is the network of a kind of noninfrastructure, and it is to be formed by disposing substantial amounts of sensor node 's.But it due to the finite energy of sensor node, is to communicate by way of multi-hop between node, so can reduce The energy ezpenditure of node.Wireless sensor network be mainly used in collect monitoring particular surroundings information, for example: business, military affairs, Health care, environmental monitoring.Node monitors environment or target, and send the data to SINK node by wireless communication technology. The situation of target can be obtained by analyzing data.But, due to the design of sensor hardware, WSN is limited by many resources System, as computing capability is little, internal memory is little, finite energy etc..

It owing to wireless sensor network is made up of little sensor node cheap in a large number, is usually deployed in an opening The region being not protected in.They are highly susceptible to various types of attack.For example when wireless sensor network is answered During for battlefield, sensor node may be destroyed due to enemy's invasion.Therefore we need to consider sensor network Safety problem.For typical attack pattern, there has been proposed a prevention mechanism, according to the feature of various attacks, it is proposed that Corresponding prevention method.But, prevention mechanism can not resist all of attack.So, it would be desirable to attack detected.Invasion inspection Examining system (IDS) is usually utilized to detect the packet in network, determines whether they are attackers.In addition IDS can also root According to the character of the attack obtaining, improve the prevention system of network.

IDS plays the effect of network monitoring and alarm in a network.It can be reported to the police before invader attacks With the equipment in protection system.Two main models of invader's monitoring are abnormality detection and misuse detection respectively. abnormality detection Model is exactly that the behavior of the model and needs detection of setting up a normal behaviour compares.Abnormality detection has higher detection Rate, but rate of false alarm is also big.The accuracy of detection of misuse detection is high, but the speed of detection is very low.Particularly misuse detection can not Detect the unknown attack.Can many researchers have discussed and the advantage of abnormality detection and misuse detection has been blended in one Rise.So, the detection of mixing has just had the advantage that can detect unknown attack of abnormality detection and misuse detection accuracy of detection high Advantage.The intruding detection system (HIDS) of mixing has just reached to do the target of verification and measurement ratio and low rate of false alarm.

In current wireless sensor network, owing to assailant has various attacks pattern to network, arrange in a network more The malicious node of many ratios certainly will cause the reinforcement to network attack, saves if carrying out malice according to the mode of conventional ballot It if some detection, is difficult to detect malicious node, substantial portion of normal node can be made on the contrary to be detected as malice and save Point.

The above defect limits the performance of wireless sensor network, in the feelings that can not preferably detect malicious node Result in the probability increase that network is hacked under condition, network cisco unity malfunction or the data that have been stolen certainly will be caused.

Content of the invention

It is an object of the invention to overcome the deficiency of above-mentioned prior art, provide the detection of a kind of distributed malicious node to calculate Method, introduces the Bayesian detection algorithm according to confidence level, to improve the verification and measurement ratio of malicious node in a network.

The technical scheme is that and determine, by the exception asking message, the suspected malicious joint that each node is suspected Point, introduces confidence level by node two distinct types of in network (malicious node and normal node), then passes through Bayes Average determines malicious node, and network can be carried out Heal Thyself, eliminates the impact of malicious node.

To achieve these goals, the technical solution used in the present invention is as follows:

Distributed malicious node detection method in a kind of wireless sensor network, has gateway node in a network SINK, and wireless sensor node, said method comprising the steps of:

(1) in the plane domain that area is S=L × L, shedding the wireless sensor node of N number of isomorphism at random, gateway saves Point SINK is positioned at edge, monitored area, is responsible for receiving collection data and is analyzed processing；

(2) malicious node attack mode uses the ID of the normal node that disguises oneself as, and then sends multiple request and accepts data number According to bag, after its allowance receiving other nodes accepts data, just can receive the data of other nodes；

(3) node receives the request that its neighbor node sends when accepting data demand information, by presetting in network Request accepts data interval and compares, if the request that this neighbours send accepts data and exceedes default threshold range, and this joint It is malicious node that the neighbours of point are suspected by this node；

(4) within the next time period, continue executing with step (2)～(3) to continue to detect malicious node;

Wherein, described default threshold range is [1,2].

It should be noted that described comparative approach is as follows:

(1) assuming that network always has N number of node, wherein having NI normal node, NM malicious node, for node v_iAnd joint Point v_jIf throwing positive ticket, then node v is described_iDetection v_jIt is normal, this seasonal v_ij=1 represents detection normally, otherwise v_ij=-1 Detecting abnormal, definition KI is the confidence level of normal node, and KM is the confidence level of malicious node:

$\mathrm{KM}=\frac{\mathrm{NM}}{\mathrm{NI}+\mathrm{NM}}$

By above formula for node v_iOverall ballot sum calculate have more preferable accuracy, i.e.

${\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}=\mathrm{KI}*{\mathrm{\Σ}}_{i=1}^{\mathrm{NI}}{v}_{\mathrm{ji}}+\mathrm{KM}*{\mathrm{\Σ}}_{j=1}^{\mathrm{NM}}{v}_{\mathrm{ji}}$

WhereinRepresent the ballot sum of node i,Represent normal node in the range of communication radius Ballot value,Represent the ballot value of malicious node in the range of communication radius；

Then the overall ballot average of network is:

$\mathrm{ave}\_\mathrm{voting}=\frac{{\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}}{\mathrm{NI}+\mathrm{NM}}$

The average of network is equal to:

$\mathrm{ave}\_\mathrm{neibor}=\frac{{\mathrm{\Σ}}_{i=1}^{\mathrm{NI}+\mathrm{NM}}{v}_i\_\mathrm{neibor}}{\mathrm{NI}+\mathrm{NM}}$

Wherein v_i_ neibor represents node v_iVotes；

According to Bayesian modelNode v can be obtained_iBayesian detection value:

$\mathrm{WR}\left(v_i\right)=\frac{\mathrm{ave}\_\mathrm{neibor}*\mathrm{ave}\_\mathrm{voting}+{\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}}{v_i\_\mathrm{neibor}+\mathrm{ave}\_\mathrm{neibor}}$

WhereinFor Bayes's average of this user, C is the average votes of each user, and n is the existing throwing of this user Poll, m is average of totally voting, x_iIt is the value of every ballot paper, wherein WR (v_i) represent node v_iBayes's average, ave_ Neibor represents the average votes of network, and ave_voting represents the overall ballot average of network,Represent node The ballot sum of i；

(2) v is assumed_i_ voting represents node v_iBallot value, the average WR (v if it is voted with Bayes itself_i) Difference exceed default threshold value, then it is assumed that it is exactly malicious node:

|WR(v_i)-v_i_ voting | ＞ Threshold;

Wherein said pre-set threshold value Threshold=1.

Present invention have the advantage that:

1st, the present invention is applicable to the wireless sensor network of multiple topology, (link change, joint under dynamic network condition Point is mobile) malicious node of movement can be more effectively detected by the detection of next time period；

2nd, the present invention proposes based on the Bayesian detection in the case of confidence level, it is to avoid the poor efficiency of average ballot detection Property, malicious node ratio still can detect malicious node in the case of increase efficiently in a network；

3rd, the present invention is applicable to large-scale wireless sensor network, has good extensibility.

Brief description

Fig. 1 is the general flow chart of the present invention；

Fig. 2 is the present invention and comparison diagram under different nodes for the verification and measurement ratio of prior art；

Fig. 3 is the present invention and comparison diagram under different nodes for the rate of false alarm of prior art；

Fig. 4 is the present invention and comparison diagram under different communication radius for the verification and measurement ratio of prior art；

Fig. 5 is the present invention and comparison diagram under different communication radius for the rate of false alarm of prior art；

Fig. 6 is the present invention and comparison diagram under different malicious node numbers for the verification and measurement ratio of prior art；

Fig. 7 is the present invention and comparison diagram under different malicious node numbers for the rate of false alarm of prior art.

Detailed description of the invention

For making the object, technical solutions and advantages of the present invention clearer, below in conjunction with the accompanying drawings the present invention is done further Description.

As it is shown in figure 1, the present invention's realizes that step is as follows:

(1) in the plane domain that area is S=L × L, shedding the wireless sensor node of N number of isomorphism at random, SINK saves Point is positioned at edge, monitored area, is responsible for receiving collection data and is analyzed processing；

(2) malicious node attack mode uses the ID of the normal node that disguises oneself as, and then sends multiple request and accepts data number According to bag, after the allowance receiving other nodes accepts data, just can receive the data of other nodes；

(3) node receive its neighbor node send request data require information request accept data, by with in network The request preset accepts data interval and compares, if the request that this neighbours send accepts data and exceedes default threshold range [1,2] then the neighbours of this node are suspected to be malicious node by this node；

(3a) assuming that network always has N number of node, wherein having NI normal node, NM malicious node, for node v_iWith Node v_jIf throwing positive ticket, then node v is described_iDetection v_jIt is normal, this seasonal v_ij=1 represents detection normally, otherwise v_ij=- 1 detection is abnormal.Definition KI is the confidence level of normal node, and KM is the confidence level of malicious node:

$\mathrm{KI}=\frac{\mathrm{NI}}{\mathrm{NI}+\mathrm{NM}},$ $\mathrm{KM}=\frac{\mathrm{NM}}{\mathrm{NI}+\mathrm{NM}};$

By above formula for node v_iOverall ballot sum calculate have more preferable accuracy, i.e.

${\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}=\mathrm{KI}*{\mathrm{\Σ}}_{j=1}^{\mathrm{NI}}{v}_{\mathrm{ji}}+\mathrm{KM}*{\mathrm{\Σ}}_{j=1}^{\mathrm{NM}}{v}_{\mathrm{ji}};$

WhereinRepresent the ballot sum of node i,Represent normal node in the range of communication radius Ballot value,Represent the ballot value of malicious node in the range of communication radius.

Then the overall ballot average of network is:

$\mathrm{ave}\_\mathrm{voting}=\frac{{\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}}{\mathrm{NI}+\mathrm{NM}};$

The average of network is equal to

$\mathrm{ave}\_\mathrm{neibor}=\frac{{\mathrm{\Σ}}_{i=1}^{\mathrm{NI}+\mathrm{NM}}{v}_i\_\mathrm{neibor}}{\mathrm{NI}+\mathrm{NM}};$

Wherein v_i_ neibor represents node v_iVotes.

According to Bayesian modelNode v can be obtained_iBayesian detection value:

$\mathrm{WR}\left(v_i\right)=\frac{\mathrm{ave}\_\mathrm{neibor}*\mathrm{ave}\_\mathrm{voting}+{\mathrm{\Σ}}_{j=1}^{\mathrm{NI}+\mathrm{NM}}{v}_{\mathrm{ji}}}{v_i\_\mathrm{neibor}+\mathrm{ave}\_\mathrm{neibor}};$

WhereinFor Bayes's average of this user, C is the average votes of each user, and n is the existing throwing of this user Poll, m is average of totally voting, x_iIt is the value of every ballot paper, wherein WR (v_i) represent node v_iBayes's average, ave_ Neibor represents the average votes of network, and ave_voting represents the overall ballot average of network,Represent node The ballot sum of i；

(3b) we assume that v_i_ voting represents node v_iBallot value, average WR if it is voted with Bayes itself (v_i) difference exceed certain threshold value, then it is assumed that it is exactly malicious node:

|WR(v_i)-v_i_ voting | ＞ Threshold.

It should be noted that described pre-set threshold value Threshold=1

(4) within the next time period, continue executing with step (2)～(3) to continue to detect malicious node.

In order to be better understood from the present invention, the specific algorithm of the present invention is as follows:

Node v_iDistributed Bayesian detection algorithm

1:Input: node v_iThe information table N of neighbor node_i

2:v_iThe information table S of the suspection node of node_i=NULL

3: input node v_iThe information table Q receiving_i=NULL

4: node v_iStatistics table N_iIn the RTS value of each neighbor node, RTS information table is C_i=0

5:if time ≠ 0

6: collect information Q of neighbor node_i

7:end if

The number of 8:for j=1 to neighbor node

9:if C_i[j] ＞ RTS Threshold

10:

11:else if v_ij=1

12:end if

13:end if

14:end for

The number of 15:for i=1to nodes

16: calculate node v_iBallot average m [i] and Bayes's average Bys [i]

17:end if

18:end for

The number of 19:for i=1 to nodes

20:if | m [i]-Bys [i] | ＞ Threshold

21: node v_iIt is detected as the attack node of malice

22:end if

23:end for

24:Output: malicious node set

The effect of the present invention can be further detailed by following the simulation experiment result.

Verification and measurement ratio: testing process is defined as the ratio that malicious node in network is detected.

Rate of false alarm: rate of false alarm is defined as normal node in network and is taken as the ratio that malicious node detects.

1st, simulated conditions:

In the plane domain that area is S=L × L, shed the wireless sensor node of N number of isomorphism, SINK node at random It is positioned at edge, monitored area, be responsible for receiving collection data and be analyzed processing.Carry out local communication between node.

2nd, content and simulation result are emulated:

Emulation 1, to the verification and measurement ratio and rate of false alarm of the present invention and prior art DDD with the change of nodes number Carrying out emulation to compare, simulation result is as shown in Figure 2 and Figure 3, it can be deduced that the present invention has higher detection under different nodes Rate, and there is relatively low rate of false alarm.It is because while that integral node number adds, because the present invention is at detection malice joint Consider the ratio of malicious node in node when point, add the impact of confidence level.

Emulation 2, to the verification and measurement ratio and rate of false alarm of the present invention and prior art DDD with nodes communication radius Change carries out emulation and compares, and simulation result is as shown in Figure 4, Figure 5, it can be deduced that the present invention has under different node communication radiuses Higher verification and measurement ratio, and there is relatively low rate of false alarm.

Emulation 3, verification and measurement ratio and the rate of false alarm malicious node number in network to the present invention and prior art DDD Change carries out emulation and compares, simulation result such as Fig. 6, Fig. 7, it can be deduced that the present invention has higher under different malicious node numbers Verification and measurement ratio, and there is relatively low rate of false alarm.This is because when ballot, with the increase of malicious node number, just Chang Jiedian is easy to be thrown negative ticket, thus causes multiple node to throw negative ticket to him and ultimately result in and be detected as malicious node, And our algorithm considers the ratio of ballot, thus effectively limit the total value of negative ticket, and make to detect more accurate.

For a person skilled in the art, can technical scheme as described above and design, make other each Plant corresponding change and deformation, and all these changes and deforms the protection model that all should belong to the claims in the present invention Within enclosing.

Claims (1)

1. a distributed malicious node detection method in wireless sensor network, has gateway node SINK in a network, And wireless sensor node, it is characterised in that said method comprising the steps of:

(1) in the plane domain that area is S=L × L, the wireless sensor node of N number of isomorphism, gateway node are shed at random SINK is positioned at edge, monitored area, is responsible for receiving collection data and is analyzed processing；

(2) malicious node attack mode uses the ID of the normal node that disguises oneself as, and then sends multiple request and accepts data packet, Just the data of other nodes can be received after its allowance receiving other nodes accepts data；

(3) node receives the request that its neighbor node sends when accepting data demand information, by with the request preset in network Accept data interval to compare, if the request that this neighbours send accepts data and exceedes default threshold range, this node It is malicious node that neighbours are suspected by this node；

(4) within the next time period, continue executing with step (2)～(3) to continue to detect malicious node；

Wherein, described default threshold range is [1,2]；

Comparative approach in described step (3) is as follows:

(1) assuming that network always has N number of node, wherein having NI normal node, NM malicious node, for node v_iWith node v_j If throwing positive ticket, then node v is described_iDetection v_jIt is normal, this seasonal V_ji=1 represents detection normally, otherwise V_ji=-1 detection Abnormal, definition KI is the confidence level of normal node, and KM is the confidence level of malicious node:

$KI=\frac{NI}{NI+NM},KM=\frac{NM}{NI+NM};$

By above formula for node v_iOverall ballot sum calculate have more preferable accuracy, i.e.

${\mathrm{\Σ}}_{j=1}^{NI+NM}{v}_{ji}=KI*{\mathrm{\Σ}}_{j=1}^{NI}{v}_{ji}+KM*{\mathrm{\Σ}}_{j=1}^{NM}{v}_{ji};$

WhereinRepresent the ballot sum of node i,Represent the ballot value of normal node in the range of communication radius,Represent the ballot value of malicious node in the range of communication radius；

Then the overall ballot average of network is:

$ave\_voting=\frac{{\mathrm{\Σ}}_{j=1}^{NI+NM}{v}_{ji}}{NI+NM};$

The average of network is equal to:

$ave\_neibor=\frac{{\mathrm{\Σ}}_{i=1}^{NI+NM}{v}_i\_neibor}{NI+NM};$

Wherein v_i_ neibor represents node v_iVotes；

According to Bayesian modelNode v can be obtained_iBayesian detection value:

$WR\left(v_i\right)=\frac{ave\_neibor*ave\_voting+{\Σ}_{j=1}^{NI+NM}{v}_{ji}}{v_i\_neibor+ave\_neibor};$

WhereinFor Bayes's average of this user, C is the average votes of each user, and n is the existing votes of this user, m It is average of totally voting, x_iIt is the value of every ballot paper, wherein WR (v_i) represent node v_iBayes's average, ave_neibor generation The average votes of table network, ave_voting represents the overall ballot average of network,Represent the ballot of node i Sum；

(2) v is assumed_i_ voting represents node v_iBallot value, the average WR (v if it is voted with Bayes itself_i) difference Value exceedes default threshold value, then it is assumed that it is exactly malicious node:

|WR(v_i)-v_i_ voting | ＞ Threshold；

Wherein said pre-set threshold value Threshold=1.