CN109862017A - Wireless sensor network malicious detection method based on SPRT algorithm - Google Patents

Wireless sensor network malicious detection method based on SPRT algorithm

Publication number
CN109862017A
Authority
CN
China
Prior art keywords
node
worm
network
detection
sprt
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910128848.5A
Other languages
Chinese (zh)
Other versions
CN109862017B (en)
Inventor
杨立君
郑文添
吴蒙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Post and Telecommunication University
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing Post and Telecommunication University

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention proposes a wireless sensor network malicious detection method based on the SPRT algorithm, comprising the following steps: step 1, network preprocessing; step 2, communication pattern collection and storage; step 3, SPRT worm detection. Step 1 is as follows: step 1.1, before the sensor network is deployed, the system assigns each sensor node a unique ID and at the same time distributes private keys for communication between nodes, so that when a node u receives a packet sent by another node v, the communication between the nodes is verified by key, which prevents the worm from copying node IDs and increasing the false alarm rate of worm detection. The scheme can detect worm nodes with a small number of time slots and samples, can limit worm-infected nodes to between 2% and 5%, reduces communication and computation overhead in the network, and can efficiently find the worm nodes in the sensor network.

Description

Wireless sensor network malicious detection method based on SPRT algorithm
Technical field
The present invention relates to a worm detection method, specifically a worm detection method using the SPRT algorithm, and belongs to the technical field of virus detection.
Background technique
Because wireless sensor networks are deployed in unattended field environments, they are extremely vulnerable to attack. By capturing a physical node, an attacker can steal information such as the node's key and ID, replicate the node, and inject malicious nodes into the network to damage it. However, injecting malicious nodes into the network one by one through node replication is too costly and is easy to discover. For an attacker, a more efficient method is therefore to use a worm so that nodes infect one another; this saves the attacker a large amount of attack resources and is not easily discovered by the network administrator. At present there is no effective detection scheme for malicious nodes in wireless sensor networks. Signature detection algorithms need a large amount of computation to generate and maintain signatures, which is unsuitable for resource-constrained sensor networks.
Yang et al. proposed a scheme based on software diversity to prevent worm propagation. Its core idea is to divide the whole network into a series of grid cells and then distribute different FLASH programs to the nodes, so that the FLASH programs of neighbor nodes also differ. After an attacker captures a node through a vulnerability in one FLASH program, the worm will with high probability be unable to propagate, because the nodes run different FLASH programs. The precondition for this mechanism to work is that the vulnerabilities of the FLASH programs of the nodes are different; otherwise the propagation of worm nodes cannot be prevented. If worm propagation is not easily interrupted, worm nodes can be detected and then removed to guarantee the robustness of the sensor network. In practice, however, it is difficult to make different versions of a FLASH program have different vulnerabilities. If we could find the vulnerabilities of the FLASH programs, we would repair them proactively rather than wait for worm nodes to infect them. On the other hand, if different vulnerabilities are found in the code of two or more versions, worm code can be written to exploit all of them. Such a worm can first infect one node, then switch vulnerabilities and infect an adjacent node, and so propagate through the network.
Remote software attestation is another scheme for detecting worm nodes. Its core idea is to prove the integrity of a node's program on the basis of software or hardware. Because any node can attest any other node, and compromised nodes can be detected without special hardware, remote software attestation has a great advantage for detecting worm nodes in resource-constrained sensor networks. The main idea of existing software attestation schemes for wireless sensor networks is to have each node randomly select a group of nodes to attest in each time slot; when the node receives packets sent by nodes in this group, it attests them remotely and thereby detects worm-infected nodes. Although this method can detect worm nodes in the network to a certain extent, infected nodes that are not in the randomly selected set cannot be detected, which lowers detection capability. It is therefore essential to find an efficient worm node detection scheme that detects and removes malicious nodes.
Summary of the invention
The technical problem to be solved by the present invention is that the detection rate of worm nodes in the network is low, the false alarm rate is high, and the computing resource consumption of nodes is large. To overcome these deficiencies of the prior art, a wireless sensor network malicious detection method based on the SPRT algorithm is provided.
The present invention provides a wireless sensor network malicious detection method based on the SPRT algorithm, characterized in that it comprises the following steps: step 1, network preprocessing; step 2, communication pattern collection and storage; step 3, SPRT worm detection.
As a further technical solution of the present invention, step 1 is as follows:
Step 1.1, before the sensor network is deployed, the system assigns each sensor node a unique ID and at the same time distributes private keys for communication between nodes, so that when a node u receives a packet sent by another node v, the communication between the nodes is verified by key; this prevents the worm from copying node IDs and increasing the false alarm rate of worm detection;
Step 1.2, after the sensor network is deployed, each node needs to discover its neighbor nodes and, with probability P_d, periodically elects itself as a monitoring node. Electing monitoring nodes periodically protects them from attack and lets every node take its turn as a monitoring node, which saves the energy of each node.
Further, step 2 is as follows:
Step 2.1, when node u receives a data packet from another node v, node u checks that the destination address of the packet is itself and that node v is one of its neighbor nodes; node u then broadcasts the source node ID and destination node ID of the packet to its neighbor nodes with probability P_f. The information broadcast in this process is referred to as a communication pattern;
Step 2.2, when a neighbor node of node u receives a communication pattern, it accepts and saves the pattern if it is a detection node; otherwise it discards the pattern;
Step 2.3, let the detection node be w; detection node w receives the communication patterns broadcast by its neighbor nodes and performs worm detection.
Further, the specific steps of step 2.3 are as follows:
Step 2.3.1, detection node w divides the whole detection time domain into a series of time slots and saves communication pattern information in each time slot. Whenever detection node w receives a communication pattern (s_i, d_i) and finds that s_i and d_i are both neighbor nodes of detection node w, node w stores (s_i, d_i) in memory;
Step 2.3.2, when a pattern (s_j, d_j) with d_i = s_j or s_i = d_j is found to already exist in the memory of detection node w, the two can be merged into the merged communication pattern (s_i, d_i, d_j) or (s_j, d_j, s_i), and the counter M is incremented by one. Counter M counts the number of merged communication patterns formed; M is initialized or reset to 0 at the start of each time slot and is incremented by one whenever communication patterns merge;
Under worm propagation, several merged communication patterns are generated at detection node w, so the value of M is at least greater than 1. In each time slot the value of M can therefore serve as evidence of whether worm propagation is taking place in the neighborhood of node w. In each time slot, when M = 0, the null hypothesis H0 (there is no worm propagation in the network) can be accepted directly; when M > 1, M sample values are taken according to the size of M to accelerate acceptance of H1 (there is worm propagation in the network). This process is defined as the biased sampling scheme; it generates more samples to accelerate the SPRT algorithm's acceptance of hypothesis H1 and thus quickly detects the region of the network where the worm is propagating.
Further, step 3 is as follows:
The null hypothesis H0 is that the worm is not propagating in the network, and the alternative hypothesis H1 is that the worm is propagating in the network. The value of counter M at the detection node in the k-th time slot is M_k, and the Bernoulli random variable A_k is defined through M_k as shown below:
The success probability of the Bernoulli random variable is γ, that is, the probability that a merged communication pattern occurs in the network:
γ = Pr(A_k = 1) = 1 - Pr(A_k = 0)
Because hypothesis H0 and hypothesis H1 are independent in the whole sample space, we have:
Pr(A_k) = Pr(A_k | H0) × Pr(H0) + Pr(A_k | H1) × Pr(H1)
Considering Pr(A_k = 1) alone, the following formula is obtained:
From this formula it follows that Pr(A_k = 1 | H0) increases as Pr(A_k | H1) × Pr(H1) decreases, and Pr(A_k = 1 | H1) increases as Pr(A_k | H0) × Pr(H0) decreases; the higher the detection rate of worm nodes, the lower the miss rate;
The thresholds of γ are γ0 and γ1. When the detection node runs the SPRT algorithm and detects γ < γ0, there is no worm propagation in the network; when it detects γ > γ1, worm propagation has occurred in the network. Judging whether a worm is propagating in the sensor network can therefore be reduced to a hypothesis testing problem whose null hypothesis is H0 and whose alternative hypothesis is H1.
Based on this description of the problem, the following shows how detection node w makes a decision from n samples using the SPRT algorithm, where A_k is a sample. The log probability ratio R_n of the SPRT is:
Because merged communication patterns are generated independently in each time slot, the samples A_k are assumed to be independent and identically distributed, and R_n can be rewritten as:
Let δ_n be the number of samples with A_k = 1 among the n samples, γ0 = Pr(A_k = 1 | H0) and γ1 = Pr(A_k = 1 | H1); then:
Based on the log probability ratio R_n, the operating rule of the SPRT is as follows:
where α' is the user-configured maximum allowable false alarm rate and β' is the user-configured maximum allowable miss rate; then:
So the operating rule of the SPRT algorithm can be rewritten as follows:
When the SPRT algorithm accepts hypothesis H0, detection node w restarts the SPRT algorithm and continues detecting. When the SPRT algorithm accepts hypothesis H1, detection node w broadcasts to its neighbor nodes that a node in the local area has been infected by the worm; the detection node and its neighbor nodes then each use a software attestation scheme to perform worm detection on their neighbor nodes, and once a worm node is detected the other nodes in the network no longer communicate with it.
Further, when a worm node infects its neighbor nodes slowly, merged communication patterns do not appear frequently in the network, and the worm node may then be regarded as a benign node; the sample threshold therefore needs to be changed dynamically;
γ0 represents the probability that a merged communication pattern occurs at the detection node when no worm is propagating in the network, that is, the maximum probability of a merged communication pattern occurring at a monitoring node that the sensor node can tolerate while still judging that the network is not infected by a worm. If the worm can learn this information, it can dynamically change its own infection rate to disguise itself as a benign node;
Therefore γ0 is replaced by γ0^κ, and γ0^κ is modified dynamically through the random parameter κ. The value of κ is greater than 1, so γ0^κ < γ0. The random parameter κ is uniformly distributed on [1, θ_max], and a value of κ is drawn at random each time the SPRT algorithm is run in a time slot, so that the attacker cannot dynamically adapt the worm's infection rate and slowly propagating worms can be detected;
The log probability ratio of the SPRT algorithm is then extended to the following formula:
The operating rule of the SPRT algorithm is modified accordingly to:
where L0(n) and L1(n) are as follows:
Compared with the prior art, the invention with the above technical scheme has the following technical effects: worm nodes can be detected with a small number of time slots and samples, the detection scheme can limit worm-infected nodes to between 2% and 5%, and at the same time the scheme reduces communication and computation overhead in the network and can efficiently find the worm nodes in the sensor network.
Description of the drawings
Fig. 1 is a schematic diagram of the network structure of the present invention with s0 as the cluster head node.
Fig. 2 compares the detection time slots required under different infection rates in the present invention.
Fig. 3 compares the average number of samples required under different infection rates in the present invention.
Fig. 4 compares the communication resources of the network under different infection rates in the present invention.
Fig. 5 shows the computing resource overhead of the network under different infection rates in the present invention.
Fig. 6 shows the number of infected nodes at the time the sensor network detects the worm node, under different infection rates in the present invention.
Specific embodiment
The technical solution of the present invention is described in further detail below with reference to Figs. 1-6:
This embodiment proposes a wireless sensor network malicious detection method based on the SPRT algorithm, comprising the following steps:
Step 1, network preprocessing, as follows:
Step 1.1, before the sensor network is deployed, the system assigns each sensor node a unique ID and at the same time distributes private keys for communication between nodes, so that when a node u receives a packet sent by another node v, the communication between the nodes is verified by key; this prevents the worm from copying node IDs and increasing the false alarm rate of worm detection;
Step 1.2, after the sensor network is deployed, each node needs to discover its neighbor nodes and, with probability P_d, periodically elects itself as a monitoring node. Electing monitoring nodes periodically protects them from attack and lets every node take its turn as a monitoring node, which saves the energy of each node.
Step 2, communication pattern collection and storage, as follows:
Step 2.1, when node u receives a data packet from another node v, node u checks that the destination address of the packet is itself and that node v is one of its neighbor nodes; node u then broadcasts the source node ID and destination node ID of the packet to its neighbor nodes with probability P_f. The information broadcast in this process is referred to as a communication pattern;
Step 2.2, when a neighbor node of node u receives a communication pattern, it accepts and saves the pattern if it is a detection node; otherwise it discards the pattern;
Step 2.3, let the detection node be w; detection node w receives the communication patterns broadcast by its neighbor nodes and performs worm detection. The specific steps of step 2.3 are as follows:
Step 2.3.1, detection node w divides the whole detection time domain into a series of time slots and saves communication pattern information in each time slot. Whenever detection node w receives a communication pattern (s_i, d_i) and finds that s_i and d_i are both neighbor nodes of detection node w, node w stores (s_i, d_i) in memory;
Step 2.3.2, when a pattern (s_j, d_j) with d_i = s_j or s_i = d_j is found to already exist in the memory of detection node w, the two can be merged into the merged communication pattern (s_i, d_i, d_j) or (s_j, d_j, s_i), and the counter M is incremented by one. Counter M counts the number of merged communication patterns formed; M is initialized or reset to 0 at the start of each time slot and is incremented by one whenever communication patterns merge;
Under worm propagation, several merged communication patterns are generated at detection node w, so the value of M is at least greater than 1. In each time slot the value of M can therefore serve as evidence of whether worm propagation is taking place in the neighborhood of node w. In each time slot, when M = 0, the null hypothesis H0 (there is no worm propagation in the network) can be accepted directly; when M > 1, M sample values are taken according to the size of M to accelerate acceptance of H1 (there is worm propagation in the network). This process is defined as the biased sampling scheme; it generates more samples to accelerate the SPRT algorithm's acceptance of hypothesis H1 and thus quickly detects the region of the network where the worm is propagating.
Step 3, SPRT worm detection, as follows:
The null hypothesis H0 is that the worm is not propagating in the network, and the alternative hypothesis H1 is that the worm is propagating in the network. The value of counter M at the detection node in the k-th time slot is M_k, and the Bernoulli random variable A_k is defined through M_k as shown below:
The success probability of the Bernoulli random variable is γ, that is, the probability that a merged communication pattern occurs in the network:
γ = Pr(A_k = 1) = 1 - Pr(A_k = 0)
Because hypothesis H0 and hypothesis H1 are independent in the whole sample space, we have:
Pr(A_k) = Pr(A_k | H0) × Pr(H0) + Pr(A_k | H1) × Pr(H1)
Considering Pr(A_k = 1) alone, the following formula is obtained:
From this formula it follows that Pr(A_k = 1 | H0) increases as Pr(A_k | H1) × Pr(H1) decreases, and Pr(A_k = 1 | H1) increases as Pr(A_k | H0) × Pr(H0) decreases; the higher the detection rate of worm nodes, the lower the miss rate;
The thresholds of γ are γ0 and γ1. When the detection node runs the SPRT algorithm and detects γ < γ0, there is no worm propagation in the network; when it detects γ > γ1, worm propagation has occurred in the network. Judging whether a worm is propagating in the sensor network can therefore be reduced to a hypothesis testing problem whose null hypothesis is H0 and whose alternative hypothesis is H1.
Based on this description of the problem, the following shows how detection node w makes a decision from n samples using the SPRT algorithm, where A_k is a sample. The log probability ratio R_n of the SPRT is:
Because merged communication patterns are generated independently in each time slot, the samples A_k are assumed to be independent and identically distributed, and R_n can be rewritten as:
Let δ_n be the number of samples with A_k = 1 among the n samples, γ0 = Pr(A_k = 1 | H0) and γ1 = Pr(A_k = 1 | H1); then:
Based on the log probability ratio R_n, the operating rule of the SPRT is as follows:
where α' is the user-configured maximum allowable false alarm rate and β' is the user-configured maximum allowable miss rate; then:
So the operating rule of the SPRT algorithm can be rewritten as follows:
When the SPRT algorithm accepts hypothesis H0, detection node w restarts the SPRT algorithm and continues detecting. When the SPRT algorithm accepts hypothesis H1, detection node w broadcasts to its neighbor nodes that a node in the local area has been infected by the worm; the detection node and its neighbor nodes then each use a software attestation scheme to perform worm detection on their neighbor nodes, and once a worm node is detected the other nodes in the network no longer communicate with it.
When a worm node infects its neighbor nodes slowly, merged communication patterns do not appear frequently in the network, and the worm node may then be regarded as a benign node; the sample threshold therefore needs to be changed dynamically;
γ0 represents the probability that a merged communication pattern occurs at the detection node when no worm is propagating in the network, that is, the maximum probability of a merged communication pattern occurring at a monitoring node that the sensor node can tolerate while still judging that the network is not infected by a worm. If the worm can learn this information, it can dynamically change its own infection rate to disguise itself as a benign node;
Therefore γ0 is replaced by γ0^κ, and γ0^κ is modified dynamically through the random parameter κ. The value of κ is greater than 1, so γ0^κ < γ0. The random parameter κ is uniformly distributed on [1, θ_max], and a value of κ is drawn at random each time the SPRT algorithm is run in a time slot, so that the attacker cannot dynamically adapt the worm's infection rate and slowly propagating worms can be detected;
The log probability ratio of the SPRT algorithm is then extended to the following formula:
The operating rule of the SPRT algorithm is modified accordingly to:
where L0(n) and L1(n) are as follows:
Clustering of network nodes in the present invention: the data collected by wireless sensor network nodes is strongly correlated, and the correlation is especially strong between neighbor nodes. The core of a clustering algorithm is to put nodes that collect similar data into one group and to select a cluster head node (group leader) in the group to transmit and process the data of the group's nodes; the clustering algorithm only needs to be run once the network structure is complete.
SPRT stands for sequential probability ratio test (Sequential Probability Ratio Test, SPRT), a statistical decision scheme also known as sequential hypothesis testing. It differs from other hypothesis testing models in that the number of samples is not fixed before the test: it increases the number of samples dynamically according to the test results, in other words the number of samples taken in the SPRT algorithm is random. This feature lets the SPRT detection algorithm finish detection faster while meeting the given false alarm rate and miss rate. The SPRT detection algorithm is a one-dimensional random walk with an upper limit and a lower limit. When it starts, the null hypothesis is assigned to the lower limit and the alternative hypothesis to the upper limit. The SPRT starts from some value between the limits and gradually moves toward the upper or lower limit. If a newly arrived sample makes the value computed by the SPRT fall below the lower limit, the SPRT ends the test and accepts the null hypothesis. If a newly arrived sample makes the computed value exceed the upper limit, the SPRT ends the test and accepts the alternative hypothesis. Otherwise one more sample must be added and tested.
Packet transmission: a worm propagates hop by hop and produces a chain of communication links, so when a worm node is propagating we can observe a "worm chain" that grows slowly and links multiple nodes in the sensor network. By contrast, communication between benign nodes tends to be many-to-one: multiple data source nodes send data to one data aggregator. A "chain" communication pattern is hard to observe in this mode, so packet retransmission is hard to find in the communication patterns of a normal network. Based on this, the SPRT detection scheme uses whether packet retransmission occurs in the network as its sample, and the lowest and highest thresholds are configured dynamically according to the sample type. We define the null hypothesis as the worm not propagating in the network and the alternative hypothesis as the worm propagating in the network. When the SPRT detects that the number of "packet retransmissions" in the current network is below the lowest threshold, it accepts the null hypothesis; when the number of "packet retransmissions" is above the highest threshold, it accepts the alternative hypothesis.
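The chain-merge counter of step 2.3.2 and the SPRT decision of step 3, as an added Python example that is not code from the patent. The formula images did not survive on this page, so the mapping A_k = 1 when M_k > 0, the standard Wald thresholds ln(β'/(1-α')) and ln((1-β')/α'), and the per-sample use of γ0^κ are assumptions, as are all function names and the sample traffic.

```python
import math
import random


def count_merged_patterns(patterns):
    """Return M for one time slot: how many times a newly received
    (source, destination) pattern chains onto a stored one, i.e.
    d_i == s_j or s_i == d_j (step 2.3.2)."""
    stored, merged = [], 0
    for s_i, d_i in patterns:
        merged += sum(1 for s_j, d_j in stored if d_i == s_j or s_i == d_j)
        stored.append((s_i, d_i))
    return merged


class SlotSprt:
    """Wald SPRT over per-slot Bernoulli samples A_k.

    Assumption: A_k = 1 when the slot counter M_k > 0, otherwise 0.
    theta_max = 1 gives the original scheme (kappa fixed at 1); a larger
    theta_max draws kappa uniformly from [1, theta_max] for every sample
    and uses gamma0**kappa in place of gamma0.
    """

    def __init__(self, gamma0, gamma1, alpha, beta, theta_max=1.0, rng=None):
        if not 0.0 < gamma0 < gamma1 < 1.0:
            raise ValueError("need 0 < gamma0 < gamma1 < 1")
        if not (alpha > 0.0 and beta > 0.0 and alpha + beta < 1.0):
            raise ValueError("need alpha, beta > 0 and alpha + beta < 1")
        if theta_max < 1.0:
            raise ValueError("theta_max must be >= 1")
        self.gamma0, self.gamma1 = gamma0, gamma1
        self.theta_max = theta_max
        self.rng = rng or random.Random()
        # Standard Wald decision bounds on the log-likelihood ratio.
        self.lower = math.log(beta / (1.0 - alpha))
        self.upper = math.log((1.0 - beta) / alpha)
        self.reset()

    def reset(self):
        self.log_ratio = 0.0
        self.samples = 0

    def observe(self, merged_count):
        """Add one slot's sample; return 'H1', 'H0' or None (keep sampling)."""
        kappa = self.rng.uniform(1.0, self.theta_max)
        g0 = self.gamma0 ** kappa          # never larger than gamma0
        if merged_count > 0:               # A_k = 1
            self.log_ratio += math.log(self.gamma1 / g0)
        else:                              # A_k = 0
            self.log_ratio += math.log((1.0 - self.gamma1) / (1.0 - g0))
        self.samples += 1
        if self.log_ratio >= self.upper:
            return "H1"
        if self.log_ratio <= self.lower:
            return "H0"
        return None


def monitor(slots, sprt):
    """Run the detection node over a sequence of time slots.

    On H0 the test is restarted, as the page describes; on H1 the node
    would alert its neighbors, so monitoring stops there.
    Returns (verdict, slots_seen, h0_accepts).
    """
    h0_accepts = 0
    for index, patterns in enumerate(slots, start=1):
        decision = sprt.observe(count_merged_patterns(patterns))
        if decision == "H1":
            return ("H1", index, h0_accepts)
        if decision == "H0":
            h0_accepts += 1
            sprt.reset()
    return ("no-alarm", len(slots), h0_accepts)


# Constructed sample traffic, one list of (source, destination) pairs per slot.
# Hop-by-hop chain 1 -> 2 -> 3 -> 4 -> 5, as a propagating worm would produce.
WORM_SLOTS = [[(1, 2), (2, 3)], [(2, 3), (3, 4)], [(3, 4), (4, 5)], [(4, 5), (5, 6)]]
# Many-to-one reporting to aggregator 9: no pattern chains onto another.
BENIGN_SLOTS = [[(1, 9), (2, 9), (3, 9)] for _ in range(6)]

if __name__ == "__main__":
    print(monitor(WORM_SLOTS, SlotSprt(0.1, 0.9, 0.01, 0.01)))
    print(monitor(BENIGN_SLOTS, SlotSprt(0.1, 0.9, 0.01, 0.01)))
```

With γ0 = 0.1, γ1 = 0.9 and α' = β' = 0.01, each sample moves the log ratio by about ±2.2 against bounds of about ±4.6, so three consecutive slots of the same kind are enough to reach a decision.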
Communication pattern collection and storage includes preprocessing of packets by the Packet Preprocessing Unit (PPU). Its algorithm works at the MAC layer, and its pseudocode is shown in the following table:
Input: the received data packet pkt
if pkt.destination == u and pkt.source is a neighbor of u then
    broadcast <pkt.sourceID, pkt.destinationID> to neighbors with probability P_f
end if
The above method, the SPRT worm detection scheme, can be evaluated by the following performance indicators, both for the original scheme with κ = 1 and for the scheme in which κ is a random value in [1, κ_max]:
i. The number of samples required for the SPRT worm detection algorithm to reach a decision (average number of samples)
ii. The number of time slots required until worm propagation is detected (average number of time slots)
iii. The number of infected nodes in the network when worm propagation is detected
iv. Communication resource and memory resource consumption
Fig. 2 shows the number of detection time slots required by the SPRT worm detection algorithm and by the detection method of the present invention under different infection rates. As the worm's infection rate grows, the number of detection time slots for the whole network gradually decreases: a higher infection rate means worm packets are transmitted more frequently in the network, so a large amount of packet retransmission appears and accelerates the SPRT detection algorithm's detection of the worm. It can also clearly be seen that, compared with the SPRT algorithm, the detection method of the present invention effectively reduces the number of time slots needed and detects worm nodes earlier. The lower the worm's infection rate, the greater the improvement in detection time slots of the detection method of the present invention relative to the SPRT algorithm.
Fig. 3 shows the average number of samples required by the SPRT worm detection algorithm and by the detection method of the present invention to remove the worm nodes in the network under different infection rates. As the infection rate increases, the number of samples needed for detection decreases under both algorithms, because a higher infection rate causes packet retransmission to appear in large quantities in the network, and the many samples in the network are effective samples that accelerate detection of worm nodes. The detection method of the present invention also needs fewer samples on average than the SPRT worm detection algorithm, which can be understood simply: fewer detection time slots are needed, so relatively fewer samples are needed on average. When the worm's infection rate is 0.001, the detection method of the present invention needs only about 5 samples for worm detection.
Figs. 4 and 5 show the communication resource consumption and computing resource consumption of the whole network under different infection rates. As the infection rate increases, both gradually decrease: the network detects worm nodes faster, fewer time slots are required, and the network's communication overhead and computing overhead fall accordingly. At every infection rate the resource consumption of the detection method of the present invention is lower than that of the SPRT algorithm.
Fig. 6 shows, for the two schemes, the number of infected nodes at the time the sensor network detects the worm node under different infection rates. The higher the infection rate of the worm node, the more easily it is detected and the fewer nodes are infected in the network. The proportion of infected nodes can be effectively limited to around 2%~5%, and the detection method of the present invention is superior to the SPRT detection scheme.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any transformation or replacement that a person familiar with the technology can conceive within the technical scope disclosed by the invention shall be covered by the scope of the invention; the scope of protection of the invention shall therefore be subject to the scope of protection of the claims.

Claims (6)

1. the wireless sensor network malicious detection method based on SPRT algorithm, which comprises the following steps:
Step 1, network pre-processes;
Step 2, communication mode collects storage;
Step 3, SPRT worm detecting.
2. The method for detecting malicious worms in a wireless sensor network based on the SPRT algorithm according to claim 1, characterized in that the specific content of step 1 is as follows:
Step 1.1, before the sensor network is deployed, the system assigns each sensor node a unique ID and at the same time distributes private keys for communication between nodes, so that when a node u receives a packet sent by another node v, the communication between the nodes is authenticated by key, which prevents the worm from forging node IDs and thereby increasing the false alarm rate of worm detection;
Step 1.2, after the sensor network has been deployed, each node discovers its own neighbor nodes and, with probability $P_d$, periodically elects itself as a monitoring node, so that the nodes take turns as monitoring node; periodic election keeps the monitoring node from being attacked and, because each node takes its turn as monitoring node, saves the energy of each node.
3. The method for detecting malicious worms in a wireless sensor network based on the SPRT algorithm according to claim 2, characterized in that the specific content of step 2 is as follows:
Step 2.1, when node u receives a data packet from another node v, node u checks that the destination address of the packet is itself and that node v is one of its own neighbor nodes; node u then broadcasts the source node ID and destination node ID of the packet to its neighbor nodes with probability $P_f$; the above is referred to as a communication pattern;
Step 2.2, when a neighbor node of node u receives a communication pattern, it accepts and stores the communication pattern if it is a detection node, and otherwise discards it;
Step 2.3, the detection node is defined as w; detection node w receives the communication patterns broadcast by its neighbor nodes and performs worm detection.
4. The method for detecting malicious worms in a wireless sensor network based on the SPRT algorithm according to claim 3, characterized in that the specific steps of step 2.3 are as follows:
Step 2.3.1, detection node w divides the entire detection time domain into a series of time slots and stores communication pattern information in each time slot; whenever detection node w receives a communication pattern $(s_i, d_i)$ and finds that $s_i$ and $d_i$ are both neighbor nodes of detection node w, node w stores $(s_i, d_i)$ in memory;
Step 2.3.2, when it is found that the memory of detection node w already holds $(s_j, d_j)$ with $d_i = s_j$ or $s_i = d_j$, the two can be combined into a fused communication pattern $(s_i, d_i, d_j)$ or $(s_j, d_j, s_i)$, and counter M is incremented by one; counter M counts the number of fused communication patterns formed, is initialized or reset to 0 at the start of each time slot, and is incremented by one whenever communication patterns are fused;
Under worm propagation, several fused communication patterns are generated at detection node w, so the value of M is at least greater than 1, and the value of M in each time slot can serve as the basis for deciding whether a worm is propagating in the neighborhood of node w. In each time slot, when M = 0, the null hypothesis $H_0$ (no worm propagation in the network) can be accepted directly; when M > 1, M sample values are taken according to the size of M to accelerate acceptance of $H_1$ (worm propagation in the network). This process is defined as the biased sampling scheme; it generates more samples so that the SPRT algorithm accepts hypothesis $H_1$ sooner, and the region of the network where the worm is propagating can be detected quickly.
5. The method for detecting malicious worms in a wireless sensor network based on the SPRT algorithm according to claim 4, characterized in that the specific content of step 3 is as follows:
The null hypothesis $H_0$ is that the worm is not propagating in the network, and the alternative hypothesis $H_1$ is that the worm is propagating in the network; the value of counter M at the detection node in the k-th time slot is $M_k$, and $M_k$ defines the Bernoulli random variable $A_k$ as shown below:
The success probability of the Bernoulli random variable is $\gamma$, that is, the probability that a fused communication pattern occurs in the network:
$\gamma = \Pr(A_k = 1) = 1 - \Pr(A_k = 0)$
Since hypothesis $H_0$ and hypothesis $H_1$ are independent over the entire sample space, we have:
$\Pr(A_k) = \Pr(A_k \mid H_0) \times \Pr(H_0) + \Pr(A_k \mid H_1) \times \Pr(H_1)$
Considering $\Pr(A_k = 1)$ alone, the following formula is obtained:
From this formula it follows that $\Pr(A_k = 1 \mid H_0)$ increases as $\Pr(A_k \mid H_1) \times \Pr(H_1)$ decreases, and $\Pr(A_k = 1 \mid H_1)$ increases as $\Pr(A_k \mid H_0) \times \Pr(H_0)$ decreases; the higher the detection rate of worm nodes, the lower the miss rate;
The thresholds of $\gamma$ are $\gamma_0$ and $\gamma_1$: when the detection node runs the SPRT algorithm and finds $\gamma < \gamma_0$, no worm is propagating in the network; when it finds $\gamma > \gamma_1$, worm propagation has occurred in the network. Deciding whether a worm is propagating in the sensor network can therefore be formulated as a hypothesis testing problem whose null hypothesis is $H_0$ and whose alternative hypothesis is $H_1$;
Based on this formulation of the problem, the following gives how detection node w makes a decision from n samples using the SPRT algorithm, where $A_k$ is one sample; the log-probability ratio $R_n$ of the SPRT is:
Because fused communication patterns are generated independently in each time slot, the samples $A_k$ are assumed to be independent and identically distributed, and $R_n$ can be rewritten as:
Let $\delta_n$ be the number of the n samples for which $A_k = 1$, with $\gamma_0 = \Pr(A_k = 1 \mid H_0)$ and $\gamma_1 = \Pr(A_k = 1 \mid H_1)$; then:
Based on the log-probability ratio $R_n$, the decision rule of the SPRT is as follows:
where $\alpha'$ is the maximum allowable false alarm rate configured by the user and $\beta'$ is the maximum allowable miss rate configured by the user; then:
So the decision rule of the SPRT algorithm can be rewritten as follows:
When the SPRT algorithm accepts hypothesis $H_0$, detection node w restarts the SPRT algorithm and continues detection; when the SPRT algorithm accepts hypothesis $H_1$, detection node w broadcasts to its neighbor nodes that a local node has been infected by a worm; the detection node and its neighbor nodes then each use a software authentication scheme to perform worm detection on their neighbor nodes, and once a worm node is detected the other nodes in the network no longer communicate with it.
6. The method for detecting malicious worms in a wireless sensor network based on the SPRT algorithm according to claim 5, characterized in that: when a worm node infects its neighbor nodes slowly, fused communication patterns do not occur frequently in the network, so the worm node may be regarded as a benign node, and the sample threshold therefore needs to be changed dynamically;
$\gamma_0$ is the probability that a fused communication pattern occurs at the detection node when no worm is spreading in the network; it is therefore also the largest probability of fused communication patterns at a monitoring node that the sensor network tolerates while still judging that there is no worm infection in the network. If the worm learns this information, it can dynamically change its own pairwise infection rate and disguise itself as a benign node;
Therefore, $\gamma_0$ is replaced by $\gamma_0^{\kappa}$, and $\gamma_0^{\kappa}$ is modified dynamically through the random parameter $\kappa$; the value of $\kappa$ is greater than 1, that is, $\gamma_0^{\kappa} < \gamma_0$; $\kappa$ is uniformly distributed on $[1, \theta_{\max}]$, and a value of $\kappa$ is drawn at random each time the SPRT algorithm is run in a time slot, so that the attacker cannot dynamically adapt the pairwise infection rate of the worm and slowly spreading worms can be detected;
The log-probability ratio of the SPRT algorithm is then extended to the following formula:
The decision rule of the SPRT algorithm is modified accordingly to:
where $L_0(n)$ and $L_1(n)$ are as follows:
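The slot counter of claim 4 and the decision step of claims 5 and 6, as an added example that is not part of the patent text. `fused_count` and `sprt_detect` are hypothetical names; the log-ratio step and the acceptance threshold are those of Wald's standard Bernoulli SPRT, taken as an assumption because the claims' own formulas are not reproduced on this page, and M = 1 is treated as one sample.

```python
import math
import random

def fused_count(patterns, neighbors):
    """Counter M for one time slot (claim 4, steps 2.3.1 and 2.3.2)."""
    stored, m = [], 0
    for s, d in patterns:
        if s not in neighbors or d not in neighbors:
            continue  # only patterns between neighbors of detection node w are kept
        # each stored (s_j, d_j) with d_i == s_j or s_i == d_j fuses with the new pair
        m += sum(1 for sj, dj in stored if d == sj or s == dj)
        stored.append((s, d))
    return m

def sprt_detect(slot_counts, g0, g1, alpha, beta, theta_max=1.0, rng=random):
    """Return ("H1", k) for the first slot k in which H1 is accepted, else ("H0", None).

    Assumption (standard Wald SPRT, not the patent's own formula): every sample
    A_k = 1 adds ln(g1 / g0**kappa) to the log ratio, and H1 is accepted once the
    sum reaches ln((1 - beta) / alpha).
    """
    upper = math.log((1 - beta) / alpha)
    ratio = 0.0
    for k, m in enumerate(slot_counts, start=1):
        if m == 0:
            ratio = 0.0  # claim 4: M = 0 accepts H0 directly; claim 5: SPRT restarts
            continue
        kappa = rng.uniform(1.0, theta_max)      # claim 6: fresh kappa per slot
        ratio += m * math.log(g1 / g0 ** kappa)  # biased sampling: M samples A_k = 1
        if ratio >= upper:
            return "H1", k
    return "H0", None

# Constructed sample data: neighbors of detection node w and two time slots
# of (source ID, destination ID) communication patterns.
NEIGHBORS = {"a", "b", "c", "d"}
QUIET_SLOT = [("a", "b"), ("c", "d"), ("a", "x")]  # no chain, one non-neighbor
WORM_SLOT = [("a", "b"), ("b", "c"), ("c", "d")]   # hop-by-hop chain a -> b -> c -> d
```

With `theta_max=1.0` the threshold is the fixed γ0, so a worm that produces one fusion only in every other slot is never flagged; drawing κ above 1 enlarges each step of the log ratio, which is the effect claim 6 relies on.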

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910128848.5A CN109862017B (en) 2019-02-21 2019-02-21 Method for detecting malicious worms in wireless sensor network based on SPRT algorithm


Publications (2)

Publication Number Publication Date
CN109862017A (en) 2019-06-07
CN109862017B (en) 2021-04-13




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant