CN108040325B - Sybil node detection method based on RSSI value and credit degree - Google Patents

Abstract

The invention discloses a Sybil node detection method based on RSSI value and credibility, which adopts a credibility model and a self-adaptive threshold to select a plurality of monitoring nodes meeting conditions to check suspicious nodes proposed by monitoring nodes, thereby achieving the purpose of detecting Sybil attack. The method comprises the steps of firstly roughly selecting suspected Sybil nodes by using the monitoring nodes, then selecting two monitoring nodes with high credibility, and determining the Sybil nodes by using the RSSI value.

Description

Sybil node detection method based on RSSI value and credit degree

Technical Field

The invention belongs to the technical field of wireless sensor networks, and particularly relates to a design of a Sybil node detection method based on RSSI (received signal strength indicator) values and credibility.

Background

A Wireless Sensor Network (WSN) is an ad hoc Network system formed by a large number of miniature and cheap Sensor nodes deployed in a monitoring area and in a Wireless multi-hop communication manner. The safety protection system is widely applied to various fields, and the safety of the safety protection system is more and more prominent in medical accident rescue, city management, smart home, military and other applications.

There are attacks from the outside and attacks mixed into the inside to the wireless sensor network attack. The external attack refers to an attack which is not obtained by a key and can not be accessed to a node of a network, such as physical layer blocking and normal communication of an interference node, and for the attack, the attack can be responded by mechanisms such as isolation blocking areas or frequency hopping communication; for network eavesdropping, the confidentiality of the communication link may be guaranteed by encryption techniques. The internal attack means that an attacker breaks through a defense mechanism set by an encryption technology and the like through a certain technical means, pretends to be a normal node to submerge into the network, and actively initiates a targeted malicious attack behavior from the inside. Such as wormhole attacks, witch attacks, selective forwarding attacks, black hole attacks, and the like.

The witch attack has unique attack characteristics, so it is extremely destructive. Generally, a malicious node (e.g., S in fig. 1) refers to a node tampered with by external capture, and a witch node (e.g., S1, S2 in fig. 1) refers to a node identity forged by the malicious node, and does not actually exist. The Sybil attack means that malicious nodes forge a plurality of Sybil nodes and attract neighbor nodes to forward data packets to the Sybil nodes, so that transmission paths of the data packets are changed, selective forwarding is implemented to discard the data packets, or network segmentation and even rapid death are caused by rapid consumption of energy of the neighbor nodes.

The method has the advantages that Sybil nodes are detected quickly, the detection accuracy is improved, the node energy is consumed as little as possible, and the method is important for detecting the Sybil attack of the wireless sensor network. According to the characteristic that multiple identities forged by malicious nodes appear in the network but actual geographic positions are consistent, various Sybil attack detection methods can be divided into two main categories: an identity-based authentication method and a location-based detection method.

Identity-based authentication methods detect Sybil attacks by limiting the generation of valid node information. Due to the limitation of energy and computing power of the sensor nodes, the detection method needs a large amount of time consumption and computing cost, which become a disadvantage, and the detection rate of the detection method is not very high.

Location-based detection methods are proposed based on the fact that multiple witch nodes are multiple identities of malicious nodes, and in fact, they are the nature of the same physical node. In the existing position-based Sybil attack detection method, two monitoring nodes are adopted, and more than 3 monitoring nodes are also adopted, but the selection conditions of the monitoring nodes are basically not considered, so that the possibility that malicious nodes serve as the monitoring nodes exists, and the detection accuracy rate is low easily.

Research shows that compared with other methods, the detection method based on the RSSI (Received Signal Strength) value has no node hardware requirement and relatively small energy consumption. In addition, the RSSI has the characteristics of monotonous increasing distance, simple calculation and high detection precision. Therefore, the method for detecting the witch attack based on the RSSI is more suitable for the wireless sensor network with limited resources, and has become a mainstream method.

The credibility model is a mechanism for judging whether a node is trustworthy or not by calculating and evaluating the trustworthiness of the node. Malicious nodes can be effectively identified by examining the credit values of the nodes, and the most trusted nodes are selected for communication, so that the safety and reliability of the network are improved. The credit calculation is the core of a credit mechanism and is the comprehensive evaluation of the overall performance of the nodes. The reputation of the target node is analyzed using a reputation mechanism prior to communication to determine whether the transaction can be performed.

Disclosure of Invention

The invention aims to provide a Sybil node detection method based on RSSI value and credibility, so as to improve the accuracy of Sybil attack detection.

The technical scheme of the invention is as follows: a Sybil node detection method based on RSSI values and credibility comprises the following steps:

and S1, carrying out wireless sensor network layout to realize regional control of the monitoring nodes.

And S2, searching suspicious nodes based on the RSSI value and the credibility according to the network layout condition.

S3, selecting two monitoring nodes with high credibility, checking suspicious nodes based on the RSSI values, and determining Sybil nodes.

The invention has the beneficial effects that: the method comprises the steps of firstly roughly selecting suspected Sybil nodes by using the monitoring nodes, then selecting two monitoring nodes with high credibility, and determining the Sybil nodes by using the RSSI value.

Further, step S1 includes the following substeps:

and S11, randomly and uniformly throwing the common nodes in a certain range, collecting surrounding data by using the common nodes, forwarding data of other nodes by using the common nodes as routing nodes, and converging the data to a sink node.

S12, the sink node broadcasts the Hello message to the surrounding, the first group of ordinary nodes which receive the Hello message reply the ACK message to the sink node, and is marked as the first hop node.

S13, the first hop node broadcasts the Hello message to the surrounding, the non-first hop node which receives the Hello message is marked as a second hop node, and meanwhile, an ACK message is replied to the first hop node which sends the Hello message; mutually listing the first hop node and the second hop node as neighbor nodes of the other party, and establishing a neighbor list; the neighbor list includes neighbor node information and RSSI values from itself to neighbor nodes.

And S14, sequentially obtaining a third hop node and a fourth hop node by adopting the same method as the step S13, and establishing a neighbor list of each common node.

And S15, randomly and uniformly throwing the monitoring nodes, wherein the number of the monitoring nodes is 10% of that of the common nodes.

S16, each monitoring node controls and sends radius broadcast information, sends a data packet containing ID information of the monitoring node, and neighboring nodes receiving the data packet feed back information to the monitoring node and join the monitoring area of the monitoring node.

S17, each monitoring node compiles ID information for the ordinary nodes in the own monitoring area, sends Hello information to the ordinary nodes in the own monitoring area, and determines the own neighbor list.

The beneficial effects of the further scheme are as follows: the wireless sensor network layout can realize the regional control of the monitoring nodes and provide an operating environment for the subsequent detection of the Sybil nodes.

Further, the radius of the monitoring area of the monitoring node is 1/2 of the communication radius of the common node.

The beneficial effects of the further scheme are as follows: the radius of the monitoring area of the monitoring node is determined to be 1/2 of the communication radius of the common node while ensuring that the monitoring node can have two monitoring nodes meeting the threshold value, so that in the monitoring area of the monitoring node, each common node is in the communication range of the other side, and the RSSI value of the other side can be known.

Further, step S2 includes the following substeps:

s21, monitoring node n_MPeriodically finding out common nodes with similar RSSI values in the monitoring area, if two common nodes n are found_p、n_qSatisfy | d_Mp-d_MqIf | is less than or equal to e, n is_p、n_qAs a set of suspect nodes, join the suspect list double [ i ]]Performing the following steps; wherein d is_MpRepresenting a node n_pTo n_MRSSI value of d_MqRepresenting a node n_qTo n_ME is the error and i is the suspected node number.

S22, for monitoring node n_MCalculating the credit degree of common nodes in the monitoring area, and finding out the common node n with the credit degree lower than the self-adaptive threshold value_SThen according to the monitoring node n_MSelf neighbor list Nei_M[j]The RSSI value information in (1) is selected and compared with the RSSI value d_MSSimilar common node n_a、n_bWhen | d_MS-d_aSE is less than or equal to and d_MS-d_bSWhen | ≦ e, n is added_S、n_a、n_bJoin the suspicion list double [ i ] as a new set of suspicion nodes]Performing the following steps; wherein d is_MSRepresenting a node n_STo n_MRSSI value of d_aSRepresenting a node n_aTo n_MRSSI value of d_bSRepresenting a node n_bTo n_MJ represents node n_MThe neighbor node number of (2).

S23, checking the header of the data packet monitored and obtained by the monitoring node, if finding the ordinary node n with unregistered identity_jAnd newly added ordinary node n in the monitoring area_iN is to be_i，n_jJoin in the suspicion list double i as another set of suspicion nodes]In (1).

The beneficial effects of the further scheme are as follows: suspicious nodes are searched layer by layer in three steps, all suspicious nodes which can become Sybil nodes are added into a suspicious list, and the missing rate of the whole algorithm is reduced.

Further, step S3 includes the following substeps:

s31, monitoring node n_MSelecting the nodes n with the highest and the next highest credit degrees_r，n_yAs a monitoring node (ordinary node n)_r、n_yCannot exist in the suspicion list double [ i ]]In) get node n_MTo n_rRSSI value d of_MrNode n_MTo n_yRSSI value d of_MyAnd node n_rTo n_yRSSI value d of_ryJudging whether the three points can form a triangle by utilizing the trilateral sum theorem of the triangle, if so, containing a monitoring sectionPoint n_r、n_yNumbering and suspicion list Doubt [ i ]]Is sent to n_rStep S32 is entered, otherwise another node n with inferior reputation degree is selected_z(ordinary node n)_zCannot exist in the suspicion list double [ i ]]In), the decision is repeated until a node satisfying the triangle trilateral sum theorem is found.

S32, according to the monitoring node n_rNeighbor list Nei_r[k]Information of (2), search for n_rSelf-to-suspicion list double [ i ]]Respectively comparing the RSSI values of the suspicious nodes, and if the RSSI values of the suspicious nodes reach n_rIf the RSSI difference is greater than the error e, the set of suspect nodes is selected from the suspect list, Doubt [ i ]]Removing; wherein k represents a node n_rThe neighbor node number of (2).

S33, if Doubt list, Doubt]If there are still remaining suspicious nodes, it will contain monitoring node n_r、n_yNumbering and suspicion list Doubt [ i ]]Is sent to n_yBy monitoring node n_yRepeating the operation of step S32; otherwise the suspicion list Doubt [ i ]]None of the suspect nodes in (a) are witch nodes.

S34, if the Doubt [ i ] has the remaining suspicious nodes, determining the Doubt [ i ] as the Sybil nodes, diffusing the Sybil node information to the whole network, and excluding the Sybil nodes; otherwise, doubting that all suspicious nodes in the double [ i ] are not Sybil nodes.

The beneficial effects of the further scheme are as follows: in a large number of common nodes, the monitoring node is used for selecting the common node reaching the credit threshold and in the communication range of the monitored node as the monitoring node, and the suspicious node is checked, so that the accuracy rate of detection is greatly improved.

Further, the calculation formula of the reputation degree is as follows:

Val＝a×Pr+b×Power (1)

wherein Val represents the node reputation, a and b are two weight coefficients, 0< a <1, 0< b <1, a + b is 1, Power is the residual energy of the node, Pr is the total forwarding rate of the node, and the calculation formula is:

wherein f represents the number of the forwarded data packets counted by the monitoring node from the beginning of the work, and r represents the number of the received data packets counted by the monitoring node from the beginning of the work.

The beneficial effects of the further scheme are as follows: malicious nodes can be effectively identified by examining the credit values of the nodes, and the most trusted nodes are selected for communication, so that the safety and reliability of the network are improved.

Further, the calculation formula of the adaptive threshold value is as follows:

T(n)＝T(n-1)*{Pt+[1-Pt]*p(n)} (3)

wherein T (n) represents the adaptive threshold value of the nth monitoring period, the initial value T (0) of T (0) is 0.7, p (n) represents the node forwarding rate of the nth monitoring period, Pt represents the total forwarding rate of the monitoring area from the beginning of operation to the nth monitoring period, and the calculation formula is as follows:

wherein p (i) represents the node forwarding rate of the ith monitoring period, and A represents the number of data packets received by the monitoring area in the ith monitoring period.

The beneficial effects of the further scheme are as follows: and a self-adaptive detection threshold is provided, and the requirements of the network under various environments are ensured.

Drawings

Fig. 1 is a schematic diagram of a witch attack model.

Fig. 2 is a flowchart of a witch node detection method based on RSSI values and reputation provided by an embodiment of the present invention.

Fig. 3 is a schematic diagram illustrating a layout of a wireless sensor network according to an embodiment of the present invention.

Fig. 4 is a schematic diagram illustrating a change of a total forwarding rate of network data corresponding to values of different a and b according to an embodiment of the present invention.

Fig. 5 is a schematic diagram illustrating a change of values of different a and b corresponding to the number of remaining nodes in the network according to the embodiment of the present invention.

Fig. 6 is a comparison graph of the witch node detection accuracy rate with the change of the number of the witch nodes according to the embodiment of the present invention.

Fig. 7 is a comparison graph of the witch node detection accuracy rate varying with the total node number according to the embodiment of the present invention.

Detailed Description

Exemplary embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It is to be understood that the embodiments shown and described in the drawings are merely exemplary and are intended to illustrate the principles and spirit of the invention, not to limit the scope of the invention.

Before describing specific embodiments of the present invention, several points in the embodiments of the present invention are first defined and explained:

the embodiment of the invention mainly relates to three types of nodes: one is a common node responsible for collecting data and forwarding the data; one is that the monitoring node reaches the credit self-adaptive threshold and is temporarily changed into by a common node, and the RSSI value comparison and check are carried out on the own neighbor list; the other is a monitoring node which is responsible for monitoring the behaviors of the common nodes, calculating the comprehensive credibility of the common nodes and selecting the monitoring nodes, and each monitoring node is responsible for managing the common nodes in a certain area.

The embodiment of the invention provides a Sybil node detection method based on RSSI values and credibility, and as shown in FIG. 2, the method comprises the following steps of S1-S3:

and S1, carrying out wireless sensor network layout to realize regional control of the monitoring nodes.

The step S1 specifically includes the following substeps S11-S17:

and S11, randomly and uniformly throwing the common nodes in a certain range, collecting surrounding data by using the common nodes, forwarding data of other nodes by using the common nodes as routing nodes, and converging the data to a sink node.

S12, the sink node broadcasts the Hello message to the surrounding, the first group of ordinary nodes which receive the Hello message reply the ACK message to the sink node, and is marked as the first hop node.

S13, the first hop node broadcasts the Hello message to the surrounding, the non-first hop node which receives the Hello message is marked as a second hop node, and meanwhile, an ACK message is replied to the first hop node which sends the Hello message; and mutually listing the first hop node and the second hop node as neighbor nodes of the opposite side, and establishing a neighbor list. The neighbor list includes neighbor node information and RSSI values from itself to neighbor nodes. The subsequent algorithm of the embodiment of the invention is based on the RSSI value, and the distance between the transmitter and the receiver can be deduced through the strength of the received wireless signal without additional hardware for the distance measurement based on the RSSI value.

And S14, sequentially obtaining a third hop node and a fourth hop node by adopting the same method as the step S13, and establishing a neighbor list of each common node.

And S15, randomly and uniformly throwing the monitoring nodes. The number of the monitoring nodes is in fixed proportion to the number of the common nodes, and the number of the monitoring nodes in the embodiment of the invention is 10% of the number of the common nodes.

S16, each monitoring node controls and sends radius broadcast information, sends a data packet containing ID information of the monitoring node, and neighboring nodes receiving the data packet feed back information to the monitoring node and join the monitoring area of the monitoring node.

In the embodiment of the invention, the radius of the monitoring area of the monitoring node is 1/2 of the communication radius of the common node, so that in the monitoring area of the monitoring node, each common node is in the communication range of the other side, and the RSSI value of the other side can be known.

S17, each monitoring node compiles ID information for the ordinary nodes in the own monitoring area, sends Hello information to the ordinary nodes in the own monitoring area, and determines the own neighbor list.

The wireless sensor network layout is completed via step S1 as shown in fig. 3.

And S2, searching suspicious nodes based on the RSSI value and the credibility according to the network layout condition.

The step S2 specifically includes the following substeps S21-S23:

s21, monitoring node n_MPeriodically find itself in the monitored areaIf two common nodes n are the common nodes with similar RSSI values_p、n_qSatisfy | d_Mp-d_MqIf | is less than or equal to e, n is_p、n_qAs a set of suspect nodes, join the suspect list double [ i ]]Performing the following steps; wherein d is_MpRepresenting a node n_pTo n_MRSSI value of d_MqRepresenting a node n_qTo n_ME is the error and i is the suspected node number.

S22, for monitoring node n_MCalculating the credit degree of common nodes in the monitoring area, and finding out the common node n with the credit degree lower than the self-adaptive threshold value_SThen according to the monitoring node n_MSelf neighbor list Nei_M[j]The RSSI value information in (1) is selected and compared with the RSSI value d_MSSimilar common node n_a、n_bWhen | d_MS-d_aSE is less than or equal to and d_MS-d_bSWhen | ≦ e, n is added_S、n_a、n_bJoin the suspicion list double [ i ] as a new set of suspicion nodes]Performing the following steps; wherein d is_MSRepresenting a node n_STo n_MRSSI value of d_aSRepresenting a node n_aTo n_MRSSI value of d_bSRepresenting a node n_bTo n_MJ represents node n_MThe neighbor node number of (2).

In the embodiment of the invention, the calculation formula of the credibility is as follows:

Val＝a×Pr+b×Power (1)

wherein Val represents the node reputation, a and b are two weight coefficients, 0< a <1, 0< b <1, a + b is 1, Power is the residual energy of the node, Pr is the total forwarding rate of the node, and the calculation formula is:

wherein f represents the number of the forwarded data packets counted by the monitoring node from the beginning of the work, and r represents the number of the received data packets counted by the monitoring node from the beginning of the work.

The calculation formula of the self-adaptive threshold value is as follows:

T(n)＝T(n-1)*{Pt+[1-Pt]*p(n)} (3)

wherein T (n) represents the adaptive threshold value of the nth monitoring period, the initial value T (0) of T (0) is 0.7, p (n) represents the node forwarding rate of the nth monitoring period, Pt represents the total forwarding rate of the monitoring area from the beginning of operation to the nth monitoring period, and the calculation formula is as follows:

wherein p (i) represents the node forwarding rate of the ith monitoring period, and A represents the number of data packets received by the monitoring area in the ith monitoring period.

The setting of the adaptive threshold value must also satisfy a most basic requirement: the threshold value cannot be higher than the total forwarding rate of the normal node and network, i.e. 0< t (n) <1, t (n) < p (n), t (n) < Pt. Since p (n) ≦ 1, the threshold T (n) apparently satisfies 0< T (n) < 1.

S23, checking the header of the data packet monitored and obtained by the monitoring node, if finding the ordinary node n with unregistered identity_jAnd newly added ordinary node n in the monitoring area_iN is to be_i，n_jJoin in the suspicion list double i as another set of suspicion nodes]In (1).

In the embodiment of the invention, the monitoring node mainly plays a role in three aspects: firstly, when a new node is added in the area, a verification message needs to be sent to the new node to obtain an RSSI value for further observation and comparison; secondly, periodically checking the RSSI value of the neighbor list of the node to deal with a second Sybil attack form (the Sybil node attracts the data flow of the surrounding nodes, but does not perform illegal operation on the data, and only forwards the data normally to cause premature death of the normal nodes); and thirdly, playing a role in the process of forwarding the data packets in the region, monitoring the data packet flow (not participating in the forwarding of the data packets), counting the number of the data packets received and forwarded by the common nodes in the region, estimating the energy consumption condition of each common node, updating the comprehensive credit degree of each common node in real time, listing the common nodes lower than the threshold value as suspicious nodes, and selecting the common nodes higher than the threshold value as monitoring nodes in the region. And in consideration of the storage of the credibility, storing the credibility in a neighbor list of the monitoring node, wherein the neighbor list corresponds to each common node.

S3, selecting two monitoring nodes with high credibility, checking suspicious nodes based on the RSSI values, and determining Sybil nodes.

Step S3 includes the following substeps S31-S34:

s31, monitoring node n_MSelecting the nodes n with the highest and the next highest credit degrees_r，n_yAs a monitoring node (ordinary node n)_r、n_yCannot exist in the suspicion list double [ i ]]In) get node n_MTo n_rRSSI value d of_MrNode n_MTo n_yRSSI value d of_MyAnd node n_rTo n_yRSSI value d of_ryJudging whether the three points can form a triangle or not by utilizing the trilateral sum theorem of the triangle, and if so, containing a monitoring node n_r、n_yNumbering and suspicion list Doubt [ i ]]Is sent to n_rStep S32 is entered, otherwise another node n with inferior reputation degree is selected_z(ordinary node n)_zCannot exist in the suspicion list double [ i ]]In), the decision is repeated until a node satisfying the triangle trilateral sum theorem is found.

S32, according to the monitoring node n_rNeighbor list Nei_r[k]Information of (2), search for n_rSelf-to-suspicion list double [ i ]]Respectively comparing the RSSI values of the suspicious nodes, and if the RSSI values of the suspicious nodes reach n_rIf the RSSI difference is greater than the error e, the set of suspect nodes is selected from the suspect list, Doubt [ i ]]Removing; wherein k represents a node n_rThe neighbor node number of (2).

S33, if Doubt list, Doubt]If there are still remaining suspicious nodes, it will contain monitoring node n_r、n_yNumbering and suspicion list Doubt [ i ]]Is sent to n_yBy monitoring node n_yRepeating the operation of step S32; otherwise the suspicion list Doubt [ i ]]None of the suspect nodes in (a) are witch nodes.

S34, if the Doubt [ i ] has the remaining suspicious nodes, determining the Doubt [ i ] as the Sybil nodes, diffusing the Sybil node information to the whole network, and excluding the Sybil nodes; otherwise, doubting that all suspicious nodes in the double [ i ] are not Sybil nodes.

The following further describes, by a specific example, a witch node detection method based on RSSI values and reputation provided by an embodiment of the present invention:

the operation condition of the wireless sensor network under a distributed system is considered, the nodes with fixed positions are uniformly distributed, the specific geographic positions of the nodes and the neighboring nodes are not known, and the simulation environment is stable and reliable. In addition, the transmission power of each node (including a malicious node) cannot be changed. In the embodiment of the invention, the number of the sensor nodes is changed within 50-600; uniformly distributed in a sensor motion area E, E is 500m². The node attributes and communication parameters are set as shown in table 1.

TABLE 1

In consideration of the ranging accuracy of the RSSI value, the ranging error e in the embodiment of the present invention is 50 cm.

As shown in equation (1), in the calculation of the node reputation value Val, the values of the parameter a and the parameter b will influence the selection of the monitoring node: a is too large, b is smaller, and the forwarding rate is emphasized when the monitoring node is selected, so that the energy consumption of each common node is uneven, and the common node with high forwarding rate is overused, thereby causing premature death; when a is smaller and b is too large, the energy consumption is considered preferentially by selecting the monitoring nodes, and each common node is selected according to the residual energy, so that although the service life of the whole network is prolonged, a malicious node is easy to select.

36000s are simulated in the embodiment of the invention until the nodes (10 nodes) in the region are completely dead. Fig. 4 and 5 show the assignment of different values of a and b, the data forwarding rate of the corresponding network (fig. 4), and the survival of the network nodes (fig. 5). From fig. 4 and fig. 5, it can be seen that when a is 0.9 and b is 0.1, the total data forwarding rate of the network is overall higher, but the node dies too fast and the network life cycle is shorter; when a is 0.1 and b is 0.9, although the life cycle of the network reaches the longest, the overall forwarding rate of the network is low and the network quality is poor. Considering comprehensively, the embodiment of the present invention selects a ═ 0.5 and b ═ 0.5 as parameters for calculating the reputation value.

Assume that the interval time of each round is 50 seconds, i.e. the monitoring period of the monitoring node is 50 seconds. In practical situations, the forwarding rate of the node cannot reach 100% generally, and a random number is introduced to control the forwarding rate of the node.

The Sybil attack has two forms, and the first data packet attack form aiming at the Sybil node can be specifically expressed as black hole attack and selective forwarding attack. For black hole attack, setting the forwarding rate of the malicious node to be 0%, namely completely losing packets; for selective forwarding attack, the simulation discusses the condition that the forwarding rate of the malicious node is 30% -50%. For the routing attack, which is the second form of the Sybil attack, malicious nodes are normal in performance, the forwarding rate of the routing attack is the same as that of common nodes, only local nodes are targeted during routing, and network faults can be caused after a long time.

Simulation is carried out for 36000 seconds (720 rounds), and the second and third tables show that when the forwarding rate of a malicious node with two Sybil identities is set to be suddenly reduced from 70% -100% to 0% -50% in the 50 th round and the 500 th round respectively, the rounds of the Sybil nodes are detected by the method.

TABLE 2

TABLE 3

The second and third tables show that the present invention can be detected quickly and accurately no matter what form of witch attack. In particular, in the second form of the Sybil attack, the system can be found immediately when the Sybil nodes have malicious behaviors; for the selective forwarding attack in the first form, the total forwarding rate of the node is considered in the credibility adopted by the invention, and for the common node which is captured later to become a malicious node, the node is normally represented at the early stage, and sudden drop of the forwarding rate cannot be detected immediately. The invention adds the judgment condition, so that the detection can be carried out after 3 rounds.

The detection accuracy rate is represented by dividing the number of discovered Sybil nodes by the total number of malicious nodes existing in the system, wherein the total number of malicious nodes comprises false nodes with Sybil identities and malicious nodes. Considering that the UWB approach is consistent with the detection principle of the present invention, the following two schemes are compared.

Two cases were mainly considered in the present simulation. One is the condition that the number of common nodes is fixed, and the detection rate changes along with the number of Sybil nodes; the other is the condition that the number of Sybil nodes is in fixed proportion to the number of common nodes, and the detection rate changes along with the number of the nodes.

Fig. 6 shows the change of the detection rate with the increase of the number of witch nodes with the total number of nodes being fixed (150 nodes). In general, the detection rate of the invention is 96% on average, and the average detection rate of the UWB method is 94%. With the increase of the number of Sybil nodes, the detection rates of the two methods slightly fluctuate and have a trend of decreasing, but compared with a UWB scheme, the trend of the invention is not obvious.

FIG. 7 shows the effect of node density on detection rate. The node density represents the composition of the deployment area, wherein the number of witch nodes is 20% of the total legal nodes. As can be seen from fig. 7, the detection rates of the two methods are both affected by the node density, and in the case of a large node density, the detection rate is wholly in a descending trend, but the descending trend of the present invention is slow, the whole fluctuation is not large, and the detection rate of the UWB method is linearly reduced; when the number of the nodes reaches 600, the detection rate of the UWB method is reduced to 80% from about 97%, and the detection rate of the UWB method is reduced to 92% from about 97%.

Therefore, the Sybil node detection method based on the RSSI value and the credibility has high detection rate, stability and small influence of node density. The main reason is that for the distributed wireless sensor network with limited energy, the malice of the malicious node is considered, the node is screened by using the credit degree model, and a plurality of high credit monitoring nodes are selected to check the suspicious node, so that the false alarm rate is reduced, and the high detection accuracy rate is achieved. For the factor that the energy of the sensor node is limited, the invention adopts the monitoring nodes (the other settings are the same) with different communication radiuses with the common nodes to monitor the data packet and calculate the credibility, selects two monitoring nodes with high credibility to detect the Sybil attack, does not need the participation of redundant nodes, reduces the overall energy consumption of the network and prolongs the life cycle of the network.

It will be appreciated by those of ordinary skill in the art that the embodiments described herein are intended to assist the reader in understanding the principles of the invention and are to be construed as being without limitation to such specifically recited embodiments and examples. Those skilled in the art can make various other specific changes and combinations based on the teachings of the present invention without departing from the spirit of the invention, and these changes and combinations are within the scope of the invention.

Claims (8)

1. A Sybil node detection method based on RSSI values and credibility is characterized by comprising the following steps:

s1, carrying out wireless sensor network layout to realize regional control of the monitoring nodes;

s2, searching suspicious nodes based on the RSSI value and the credit degree according to the network layout condition;

s3, selecting two monitoring nodes with high credibility, checking suspicious nodes based on RSSI values, and determining Sybil nodes;

the step S2 includes the following sub-steps:

s21, monitoring node n_MPeriodically finding out common nodes with similar RSSI values in the monitoring area, if two common nodes n are found_p、n_qSatisfy | d_Mp-d_MqIf | is less than or equal to e, n is_p、n_qAs a set of suspect nodes, join the suspect list double [ i ]]Performing the following steps; wherein d is_MpRepresenting a node n_pTo n_MRSSI value of d_MqRepresenting a node n_qTo n_ME is an error, i is a suspected node number;

s22, for monitoring node n_MCalculating the credit degree of common nodes in the monitoring area, and finding out the common node n with the credit degree lower than the self-adaptive threshold value_SThen according to the monitoring node n_MSelf neighbor list Nei_M[j]The RSSI value information in (1) is selected and compared with the RSSI value d_MSSimilar common node n_a、n_bWhen | d_MS-d_aSE is less than or equal to and d_MS-d_bSWhen | ≦ e, n is added_S、n_a、n_bJoin the suspicion list double [ i ] as a new set of suspicion nodes]Performing the following steps; wherein d is_MSRepresenting a node n_STo n_MRSSI value of d_aSRepresenting a node n_aTo n_MRSSI value of d_bSRepresenting a node n_bTo n_MJ represents node n_MThe neighbor node number of (1);

s23, checking the header of the data packet monitored and obtained by the monitoring node, if finding the ordinary node n with unregistered identity_jAnd newly added ordinary node n in the monitoring area_iN is to be_i，n_jJoin in the suspicion list double i as another set of suspicion nodes]Performing the following steps;

the step S3 includes the following sub-steps:

s31, monitoring node n_MSelecting common nodes n with highest and second highest credibility_r，n_yAs a monitoring node, obtain node n_MTo n_rRSSI value d of_MrNode n_MTo n_yRSSI value d of_MyAnd node n_rTo n_yRSSI value d of_ryJudging whether the three points can form a triangle or not by utilizing the trilateral sum theorem of the triangle, and if so, containing a monitoring node n_r、n_yNumbering and suspicion list Doubt [ i ]]Is sent to n_rStep S32 is entered, otherwise another ordinary node n with inferior reputation degree is selected_zRepeating the determination until a satisfaction is foundThree sides of the triangle and nodes of the theorem;

s32, according to the monitoring node n_rNeighbor list Nei_r[k]Information of (2), search for n_rSelf-to-suspicion list double [ i ]]Respectively comparing the RSSI values of the suspicious nodes, and if the RSSI values of the suspicious nodes reach n_rIf the RSSI difference is greater than the error e, the set of suspect nodes is selected from the suspect list, Doubt [ i ]]Removing; wherein k represents a node n_rThe neighbor node number of (1);

s33, if Doubt list, Doubt]If there are still remaining suspicious nodes, it will contain monitoring node n_r、n_yNumbering and suspicion list Doubt [ i ]]Is sent to n_yBy monitoring node n_yRepeating the operation of step S32; otherwise the suspicion list Doubt [ i ]]None of the suspicious nodes in the set of nodes are Sybil nodes;

s34, if the Doubt [ i ] has the remaining suspicious nodes, determining the Doubt [ i ] as the Sybil nodes, diffusing the Sybil node information to the whole network, and excluding the Sybil nodes; otherwise, doubting that all suspicious nodes in the double [ i ] are not Sybil nodes.

2. The method of detecting Sybil nodes of claim 1, wherein the step S1 includes the following sub-steps:

s11, randomly and uniformly throwing the common nodes in a certain range, collecting surrounding data by using the common nodes, simultaneously forwarding data of other nodes as routing nodes, and converging the data to a convergent node;

s12, the sink node broadcasts the Hello message to the surrounding, the first group of common nodes which receive the Hello message reply the ACK message to the sink node, and is marked as a first hop node;

s13, the first hop node broadcasts the Hello message to the surrounding, the non-first hop node which receives the Hello message is marked as a second hop node, and meanwhile, an ACK message is replied to the first hop node which sends the Hello message; mutually listing the first hop node and the second hop node as neighbor nodes of the other party, and establishing a neighbor list;

s14, sequentially obtaining a third hop node and a fourth hop node by adopting the same method as the step S13, and establishing a neighbor list of each common node;

s15, randomly and uniformly throwing the monitoring nodes;

s16, each monitoring node controls and sends radius broadcast information, sends a data packet containing ID information of the monitoring node, and neighboring nodes receiving the data packet feed back information to the monitoring node and join the monitoring area of the monitoring node;

s17, each monitoring node compiles ID information for the ordinary nodes in the own monitoring area, sends Hello information to the ordinary nodes in the own monitoring area, and determines the own neighbor list.

3. The method of claim 2, wherein the neighbor list includes neighbor node information and RSSI values from itself to neighbor nodes.

4. The Sybil node detection method of claim 2, wherein the number of monitoring nodes is 10% of normal nodes.

5. The Sybil node detection method of claim 2, wherein a radius of a monitoring area of the monitoring nodes is 1/2 of a communication radius of a common node.

6. The method of detecting Sybil nodes of claim 1, wherein the common nodes n are_r、n_yAnd n_zCannot exist in the suspicion list double [ i ]]In (1).

7. The Sybil node detection method of claim 1, wherein the reputation is calculated by the formula:

Val＝a×Pr+b×Power (1)

wherein Val represents the node reputation, a and b are two weight coefficients, 0< a <1, 0< b <1, a + b is 1, Power is the residual energy of the node, Pr is the total forwarding rate of the node, and the calculation formula is:

wherein f represents the number of the forwarded data packets counted by the monitoring node from the beginning of the work, and r represents the number of the received data packets counted by the monitoring node from the beginning of the work.

8. The method of detecting witch nodes in claim 1, wherein the adaptive threshold value is calculated by the following formula:

T(n)＝T(n-1)*{Pt+[1-Pt]*p(n)} (3)

wherein T (n) represents the adaptive threshold value of the nth monitoring period, the initial value T (0) of T (0) is 0.7, p (n) represents the node forwarding rate of the nth monitoring period, Pt represents the total forwarding rate of the monitoring area from the beginning of operation to the nth monitoring period, and the calculation formula is as follows:

wherein p (i) represents the node forwarding rate of the ith monitoring period, and A represents the number of data packets received by the monitoring area in the ith monitoring period.

Images