CN109862017B - Method for detecting malicious worms in wireless sensor network based on SPRT algorithm - Google Patents

Publication number
CN109862017B
CN109862017B CN201910128848.5A CN201910128848A CN109862017B CN 109862017 B CN109862017 B CN 109862017B CN 201910128848 A CN201910128848 A CN 201910128848A CN 109862017 B CN109862017 B CN 109862017B
Authority
CN
China
Prior art keywords
node
worm
network
detection
nodes
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910128848.5A
Other languages
Chinese (zh)
Other versions
CN109862017A (en
Inventor
杨立君
郑文添
吴蒙
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing University of Posts and Telecommunications filed Critical Nanjing University of Posts and Telecommunications
Priority to CN201910128848.5A priority Critical patent/CN109862017B/en
Publication of CN109862017A publication Critical patent/CN109862017A/en
Application granted granted Critical
Publication of CN109862017B publication Critical patent/CN109862017B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention provides a method for detecting malicious worms in a wireless sensor network based on the SPRT algorithm, comprising the following steps: step 1, network preprocessing; step 2, collecting and storing the communication modes; step 3, SPRT worm detection. The specific content of step 1 is as follows: step 1.1, before the sensor network is deployed, each sensor node is assigned a unique ID number and a private key for inter-node communication, so that when a node u receives a packet sent by another node v, the communication between the nodes is verified with the key; this prevents a worm from imitating node IDs, which would increase the false alarm rate of worm detection. Worm nodes can be detected with a small number of time slots and samples, worm-infected nodes can be limited to 2%-5%, communication and computation overhead in the network is reduced, and worm nodes in the sensor network can be found efficiently.

Description

Method for detecting malicious worms in wireless sensor network based on SPRT algorithm
Technical Field
The invention relates to a worm detection method, in particular to a worm detection method adopting an SPRT algorithm, and belongs to the technical field of virus detection.
Background
Because a wireless sensor network is deployed in an unattended field environment, it is extremely vulnerable to attack. An attacker can capture physical nodes, steal information such as node keys and IDs, replicate the nodes, and inject malicious nodes into the network to disrupt it. However, injecting malicious nodes into the network one by one through node replication is too costly and easy to discover. For an attacker, a more efficient method is therefore to use a worm that spreads from node to node; in this way the attacker saves a large amount of attack resources and is not easily discovered by the network manager. At present, no effective detection scheme exists for malicious worm nodes in wireless sensor networks. Signature detection algorithms require significant computational overhead to generate and maintain signatures, which is unsuitable for resource-constrained sensor networks. Yang et al. proposed a solution based on software diversity to prevent worm propagation. Its core idea is to divide the whole network into a series of grid cells and to allocate different flash memory programs to the nodes, so that neighboring nodes run different flash programs. After an attacker captures a node through a bug in one flash program, the worm with high probability cannot spread, because the nodes use different flash programs. This mechanism works only on the premise that the vulnerabilities of each node's flash program are different; otherwise the propagation of worm nodes cannot be prevented. If worm propagation cannot easily be interrupted, the robustness of the sensor network can be ensured by detecting the worm nodes and then removing them.
However, it is difficult to make different versions of flash programs have different vulnerabilities, and if the vulnerabilities of the flash programs can be found, they can be repaired proactively without waiting for a worm node to infect them. On the other hand, if different bugs are found in two or more versions of the code, worm code may be written to use all of them. Such a worm may first infect a node and then switch to another vulnerability to infect a neighboring node, thereby propagating through the network. Remote software authentication is another scheme for detecting worm nodes. Its core idea is to prove the integrity of a node's program on the basis of software or hardware. Because any node can perform software authentication on other nodes and can detect a compromised node without special hardware, remote software authentication has a great advantage for detecting worm nodes in a resource-limited sensor network. The main idea of the existing software authentication schemes for wireless sensor networks is to let each node randomly select a group of nodes to authenticate in each time slot; when the node receives data packets sent by that group of nodes, it remotely authenticates them, thereby detecting the nodes infected by worms. Although this method can detect worm nodes in the network to some extent, its detection capability is degraded because it cannot detect infected nodes that are not in the randomly selected set. Therefore, finding an efficient worm node detection scheme to detect and eliminate malicious worm nodes is crucial.
Disclosure of Invention
The invention aims to solve the technical problems that worm nodes in a network are low in detection rate, high in false alarm rate and high in consumption of computing resources of the nodes, and provides a wireless sensor network malicious worm detection method based on an SPRT algorithm for overcoming the defects of the prior art.
The invention provides a method for detecting malicious worms in a wireless sensor network based on the SPRT algorithm, comprising the following steps: step 1, network preprocessing; step 2, collecting and storing the communication modes; and step 3, SPRT worm detection.
As a further technical solution of the present invention, the specific content of step 1 is as follows:
step 1.1, before the sensor network is deployed, each sensor node is assigned a unique ID number and a private key for communication among the nodes, so that when a node u receives a packet sent by another node v, the communication between the nodes is verified with the key; this prevents a worm from imitating node IDs, which would increase the false alarm rate of worm detection;
step 1.2, after the deployment of the sensor network is completed, each node needs to find its own neighbor nodes and is periodically elected as a monitoring node with probability $P_d$, so that the nodes become monitoring nodes in turn; periodically electing the monitoring node prevents the monitoring node from being attacked, and because each node becomes a monitoring node in turn, the energy of each node is saved.
Further, the specific content of step 2 is as follows:
step 2.1, when node u receives a data packet from another node v, node u checks that the destination address of the packet is itself and that node v is one of its own neighbor nodes; node u then broadcasts the packet's source node ID and destination node ID to its neighbor nodes with probability $P_f$; this is referred to as a communication mode;
step 2.2, when the neighbor node of the node u receives the communication mode, if the neighbor node is a detection node, the neighbor node receives and stores the communication mode, otherwise, the communication mode is discarded;
and step 2.3, the detection node is defined as w; the detection node w receives the communication modes broadcast by its neighbor nodes and performs worm detection.
Further, the specific steps of step 2.3 are as follows:
step 2.3.1, the detection node w divides the whole detection time domain into a series of time slots and stores communication mode information in each time slot; each time the detection node w receives a communication mode $(s_i, d_i)$, it checks whether $s_i$ and $d_i$ are neighbor nodes of the detection node w, and if so, node w stores $(s_i, d_i)$ in memory;
Step 2.3.2, then, when the detection node w finds in memory a communication mode $(s_j, d_j)$ with $d_i = s_j$ or $s_i = d_j$, the two are combined into a converged communication mode $(s_i, d_i, d_j)$ or $(s_j, d_j, s_i)$, and the counter M is incremented by one. The counter M counts the number of times a converged communication mode is synthesized; M is initialized or reset to 0 at the beginning of each time slot and is incremented by one each time a converged communication mode occurs;
under the propagation of a worm node, the detection node w generates multiple converged communication modes, so that the value of M is at least greater than 1; the value of M in each time slot can therefore be used as a basis for judging whether worm propagation exists in the neighbor area of node w. In each time slot, when M is 0, the null hypothesis $H_0$ (no worm propagation in the network) can be accepted directly; when M > 1, M sample values are selected according to the magnitude of M to accelerate the acceptance of $H_1$ (worm propagation exists in the network). This process is defined as a biased sampling scheme: it generates more samples and accelerates the SPRT algorithm's acceptance of hypothesis $H_1$, so that the worm propagation area in the network can be detected quickly.
Further, the specific content of step 3 is as follows:
the null hypothesis $H_0$ is that no worm is propagating in the network, and the alternative hypothesis $H_1$ is that a worm is propagating in the network. The value of the counter M of the detection node in the k-th time slot is $M_k$, and the Bernoulli random variable $A_k$ is defined from $M_k$ as shown in the following formula:
Figure BDA0001974550520000041
the probability of success of the Bernoulli random variable is $\gamma$, i.e., the probability that a converged communication mode occurs in the network is:
$$\gamma = \Pr(A_k = 1) = 1 - \Pr(A_k = 0)$$
because hypothesis $H_0$ and hypothesis $H_1$ are independent over the whole sample space, we have:
$$\Pr(A_k) = \Pr(A_k \mid H_0) \times \Pr(H_0) + \Pr(A_k \mid H_1) \times \Pr(H_1)$$
considering $\Pr(A_k = 1)$ alone, the following formulas are obtained:
Figure BDA0001974550520000042
Figure BDA0001974550520000043
it can be derived from these formulas that $\Pr(A_k = 1 \mid H_0)$ increases as $\Pr(A_k \mid H_1) \times \Pr(H_1)$ decreases, and correspondingly for $\Pr(A_k = 1 \mid H_1)$ with $\Pr(A_k \mid H_0) \times \Pr(H_0)$, so that the detection rate of worm nodes is higher and the missed-report rate is lower;
the thresholds of $\gamma$ are $\gamma_0$ and $\gamma_1$: when the detection node running the SPRT algorithm detects that $\gamma < \gamma_0$, there is no worm propagation in the network; when it detects that $\gamma > \gamma_1$, worm propagation is occurring in the network. Judging whether worm propagation exists in the sensor network can therefore be treated as a hypothesis testing problem whose null hypothesis is $H_0$ and whose alternative hypothesis is $H_1$.
Based on this description of the problem, the following gives how the detection node w makes a decision from n samples with the SPRT algorithm, where $A_k$ is one sample and the log-probability ratio $R_n$ of the SPRT is:
Figure BDA0001974550520000044
since the converged communication modes are generated independently in each time slot, the samples $A_k$ are assumed to be independent and identically distributed, and $R_n$ can be rewritten as:
Figure BDA0001974550520000045
let $\delta_n$ be the number of the n samples for which $A_k = 1$, with $\gamma_0 = \Pr(A_k = 1 \mid H_0)$ and $\gamma_1 = \Pr(A_k = 1 \mid H_1)$; then:
Figure BDA0001974550520000051
based on the log-probability ratio $R_n$, the operation rule of the SPRT is as follows:
Figure BDA0001974550520000052
where $\alpha'$ represents the maximum allowable false positive (false alarm) rate configured by the user, and $\beta'$ represents the maximum allowable false negative (missed report) rate configured by the user; then:
Figure BDA0001974550520000053
the operation rules of the SPRT algorithm may be modified as follows:
Figure BDA0001974550520000054
when the SPRT algorithm accepts hypothesis $H_0$, the detection node w restarts the SPRT algorithm and continues detection; when the SPRT algorithm accepts hypothesis $H_1$, the detection node w sends a broadcast to its neighbor nodes indicating that local nodes are infected by a worm. The detection node and its neighbor nodes then use a software authentication scheme to perform worm detection on their respective neighbor nodes, and once the worm nodes are detected, the other nodes in the network no longer communicate with them.
Furthermore, when a worm node infects its neighbor nodes slowly, converged communication modes do not occur frequently in the network, so the worm node is regarded as a benign node; the threshold of the sampled samples therefore needs to be changed dynamically;
as for $\gamma_0$, when the worm can learn this information, it can dynamically change its pairwise infection rate and disguise itself as a benign node;
thus, $\gamma_0$ is replaced by $\gamma_0^{\kappa}$, and $\gamma_0^{\kappa}$ is modified dynamically by means of a random parameter $\kappa$ whose value is greater than 1, i.e. $\gamma_0^{\kappa} < \gamma_0$. The random parameter $\kappa$ is drawn from $[1, \theta_{max}]$, and its value is selected at random each time the SPRT algorithm is run in a time slot, so that an attacker cannot dynamically change the worm's pairwise infection rate and worms with a low propagation speed can be detected;
the log-probability ratio of the SPRT algorithm is extended to the following equation:
Figure BDA0001974550520000061
therefore, the modification rule of the SPRT algorithm is modified correspondingly as follows:
Figure BDA0001974550520000062
where $L_0(n)$ and $L_1(n)$ are as follows:
Figure BDA0001974550520000063
compared with the prior art, the invention adopting the technical scheme has the following technical effects: the worm node can be detected by a small number of time slots and sampling samples, the detection scheme can limit the worm infected nodes to be between 2 and 5 percent, meanwhile, the scheme can reduce communication loss and calculation loss in the network, and the worm nodes in the sensor network can be efficiently checked.
Drawings
FIG. 1 is a schematic diagram of the network structure in the present invention in which $s_0$ is the cluster head node.
FIG. 2 is a comparison graph of the required detection time slots for different infection rates in the present invention.
FIG. 3 is a graph comparing the average number of samples required for different infection rates in the present invention.
Fig. 4 is a communication resource comparison diagram of networks with different infection rates in the present invention.
FIG. 5 is a graph of computational resource overhead for a network at different infection rates in the present invention.
Fig. 6 is a diagram showing the number of infected nodes when a worm node is detected by a sensor network under different infection rates in the present invention.
Detailed Description
The technical scheme of the invention is further explained in detail by combining the attached drawings 1-6:
the embodiment provides a method for detecting malicious worms in a wireless sensor network based on an SPRT algorithm, which comprises the following steps:
step 1, network preprocessing, specifically comprising the following steps:
step 1.1, before the sensor network is deployed, each sensor node is assigned a unique ID number and a private key for communication among the nodes, so that when a node u receives a packet sent by another node v, the communication between the nodes is verified with the key; this prevents a worm from imitating node IDs, which would increase the false alarm rate of worm detection;
step 1.2, after the deployment of the sensor network is completed, each node needs to find its own neighbor nodes and is periodically elected as a monitoring node with probability $P_d$, so that the nodes become monitoring nodes in turn; periodically electing the monitoring node prevents the monitoring node from being attacked, and because each node becomes a monitoring node in turn, the energy of each node is saved.
Step 2, collecting and storing the communication modes, wherein the specific contents are as follows:
step 2.1, when node u receives a data packet from another node v, node u checks that the destination address of the packet is itself and that node v is one of its own neighbor nodes; node u then broadcasts the packet's source node ID and destination node ID to its neighbor nodes with probability $P_f$; this is referred to as a communication mode;
step 2.2, when the neighbor node of the node u receives the communication mode, if the neighbor node is a detection node, the neighbor node receives and stores the communication mode, otherwise, the communication mode is discarded;
step 2.3, the detection node is defined as w; the detection node w receives the communication modes broadcast by its neighbor nodes and performs worm detection. The specific steps of step 2.3 are as follows:
step 2.3.1, the detection node w divides the whole detection time domain into a series of time slots and stores communication mode information in each time slot; each time the detection node w receives a communication mode $(s_i, d_i)$, it checks whether $s_i$ and $d_i$ are neighbor nodes of the detection node w, and if so, node w stores $(s_i, d_i)$ in memory;
Step 2.3.2, then, when the detection node w finds in memory a communication mode $(s_j, d_j)$ with $d_i = s_j$ or $s_i = d_j$, the two are combined into a converged communication mode $(s_i, d_i, d_j)$ or $(s_j, d_j, s_i)$, and the counter M is incremented by one. The counter M counts the number of times a converged communication mode is synthesized; M is initialized or reset to 0 at the beginning of each time slot and is incremented by one each time a converged communication mode occurs;
under the propagation of a worm node, the detection node w generates multiple converged communication modes, so that the value of M is at least greater than 1; the value of M in each time slot can therefore be used as a basis for judging whether worm propagation exists in the neighbor area of node w. In each time slot, when M is 0, the null hypothesis $H_0$ (no worm propagation in the network) can be accepted directly; when M > 1, M sample values are selected according to the magnitude of M to accelerate the acceptance of $H_1$ (worm propagation exists in the network). This process is defined as a biased sampling scheme: it generates more samples and accelerates the SPRT algorithm's acceptance of hypothesis $H_1$, so that the worm propagation area in the network can be detected quickly.
Step 3, SPRT worm detection, which comprises the following specific contents:
the null hypothesis $H_0$ is that no worm is propagating in the network, and the alternative hypothesis $H_1$ is that a worm is propagating in the network. The value of the counter M of the detection node in the k-th time slot is $M_k$, and the Bernoulli random variable $A_k$ is defined from $M_k$ as shown in the following formula:
Figure BDA0001974550520000081
the probability of success of the Bernoulli random variable is $\gamma$, i.e., the probability that a converged communication mode occurs in the network is:
$$\gamma = \Pr(A_k = 1) = 1 - \Pr(A_k = 0)$$
because hypothesis $H_0$ and hypothesis $H_1$ are independent over the whole sample space, we have:
$$\Pr(A_k) = \Pr(A_k \mid H_0) \times \Pr(H_0) + \Pr(A_k \mid H_1) \times \Pr(H_1)$$
considering $\Pr(A_k = 1)$ alone, the following formulas are obtained:
Figure BDA0001974550520000082
Figure BDA0001974550520000083
it can be derived from these formulas that $\Pr(A_k = 1 \mid H_0)$ increases as $\Pr(A_k \mid H_1) \times \Pr(H_1)$ decreases, and correspondingly for $\Pr(A_k = 1 \mid H_1)$ with $\Pr(A_k \mid H_0) \times \Pr(H_0)$, so that the detection rate of worm nodes is higher and the missed-report rate is lower;
the thresholds of $\gamma$ are $\gamma_0$ and $\gamma_1$: when the detection node running the SPRT algorithm detects that $\gamma < \gamma_0$, there is no worm propagation in the network; when it detects that $\gamma > \gamma_1$, worm propagation is occurring in the network. Judging whether worm propagation exists in the sensor network can therefore be treated as a hypothesis testing problem whose null hypothesis is $H_0$ and whose alternative hypothesis is $H_1$.
Based on this description of the problem, the following gives how the detection node w makes a decision from n samples with the SPRT algorithm, where $A_k$ is one sample and the log-probability ratio $R_n$ of the SPRT is:
Figure BDA0001974550520000091
since the converged communication modes are generated independently in each time slot, the samples $A_k$ are assumed to be independent and identically distributed, and $R_n$ can be rewritten as:
Figure BDA0001974550520000092
let $\delta_n$ be the number of the n samples for which $A_k = 1$, with $\gamma_0 = \Pr(A_k = 1 \mid H_0)$ and $\gamma_1 = \Pr(A_k = 1 \mid H_1)$; then:
Figure BDA0001974550520000093
based on the log-probability ratio $R_n$, the operation rule of the SPRT is as follows:
Figure BDA0001974550520000094
where $\alpha'$ represents the maximum allowable false positive (false alarm) rate configured by the user, and $\beta'$ represents the maximum allowable false negative (missed report) rate configured by the user; then:
Figure BDA0001974550520000095
the operation rules of the SPRT algorithm may be modified as follows:
Figure BDA0001974550520000101
when the SPRT algorithm accepts hypothesis $H_0$, the detection node w restarts the SPRT algorithm and continues detection; when the SPRT algorithm accepts hypothesis $H_1$, the detection node w sends a broadcast to its neighbor nodes indicating that local nodes are infected by a worm. The detection node and its neighbor nodes then use a software authentication scheme to perform worm detection on their respective neighbor nodes, and once the worm nodes are detected, the other nodes in the network no longer communicate with them.
When a worm node infects its neighbor nodes slowly, converged communication modes do not occur frequently in the network, so the worm node is regarded as a benign node; the threshold of the sampled samples therefore needs to be changed dynamically;
as for $\gamma_0$, when the worm can learn this information, it can dynamically change its pairwise infection rate and disguise itself as a benign node;
thus, $\gamma_0$ is replaced by $\gamma_0^{\kappa}$, and $\gamma_0^{\kappa}$ is modified dynamically by means of a random parameter $\kappa$ whose value is greater than 1, i.e. $\gamma_0^{\kappa} < \gamma_0$. The random parameter $\kappa$ is drawn from $[1, \theta_{max}]$, and its value is selected at random each time the SPRT algorithm is run in a time slot, so that an attacker cannot dynamically change the worm's pairwise infection rate and worms with a low propagation speed can be detected;
the log-probability ratio of the SPRT algorithm is extended to the following equation:
Figure BDA0001974550520000102
therefore, the modification rule of the SPRT algorithm is modified correspondingly as follows:
Figure BDA0001974550520000103
where $L_0(n)$ and $L_1(n)$ are as follows:
Figure BDA0001974550520000111
Clustering of network nodes in the invention: the data collected by the nodes of a wireless sensor network are strongly correlated, and the data collected by adjacent nodes are correlated even more strongly. The core of the clustering algorithm is to divide the nodes with similar collected data into a group and to select from the group a cluster head node (group leader) that transmits and processes the data of that group of nodes; the clustering algorithm needs to be run after the network structure is completed.
The SPRT is the Sequential Probability Ratio Test, a statistical decision scheme also called a sequential hypothesis test. It differs from other hypothesis testing models in that the number of samples is not fixed before testing: the test dynamically increases the number of samples according to the test result, in other words the number of samples taken in the SPRT algorithm is random. This characteristic enables the SPRT detection algorithm to finish detection more quickly while meeting the given false positive and false negative rates. The SPRT detection algorithm is a one-dimensional random walk with an upper limit and a lower limit; at the start, the lower limit is defined to correspond to the null hypothesis and the upper limit to the alternative hypothesis. The SPRT algorithm starts at a value inside the interval between the two limits and moves step by step toward the upper or the lower limit. If a newly arrived sample makes the value calculated by the SPRT fall below the lower limit, the SPRT ends the test and accepts the null hypothesis. If a newly arrived sample makes the value calculated by the SPRT exceed the upper limit, the SPRT ends the test and accepts the alternative hypothesis. Otherwise, another sample needs to be added to the test.
Packet retransmission detection: worm nodes propagate hop by hop, which produces a chain-shaped communication link, so that when a worm node propagates, a slowly growing "worm chain" can be observed that links multiple nodes in the sensor network. In contrast, benign communication between nodes tends to be many-to-one, with several data source nodes sending data to one data aggregator; a "chain" communication mode is hard to observe, and a packet retransmission phenomenon is therefore hard to find in normal network communication. On this basis, the SPRT detection scheme takes whether a packet retransmission phenomenon exists in the network as its sample, and dynamically configures a lowest threshold and a highest threshold according to the sample type. The null hypothesis is defined as no worm propagating in the network and the alternative hypothesis as a worm propagating in the network; the null hypothesis is accepted when the SPRT detects that the number of "packet retransmissions" in the current network is below the lowest threshold, and the alternative hypothesis is accepted when the number of "packet retransmissions" is above the highest threshold.
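As an added example (not code from the patent), the following Python code runs the detection node's per-slot logic: the converged-communication-mode counter M of step 2.3.2 feeding a sequential probability ratio test as described above. The formula images of the patent are not reproduced on this page, so the standard Wald log-ratio update and thresholds, the mapping from $M_k$ to samples ($M_k$ ones, or a single zero when $M_k = 0$), the uniform draw of κ and the way κ enters the ratio are assumptions, and all function names and sample data are hypothetical.

```python
import math
import random

# Constructed sample data: (source ID, destination ID) pairs heard in one slot.
NEIGHBORS = {1, 2, 3, 4, 9}
BENIGN_SLOT = [(1, 9), (2, 9), (3, 9)]   # many-to-one: sensors -> aggregator 9
CHAIN_SLOT = [(1, 2), (2, 3), (3, 4)]    # hop-by-hop relay chain 1->2->3->4


def count_converged(modes, neighbors):
    """Steps 2.3.1-2.3.2: return the counter M for one time slot."""
    stored, m = [], 0
    for s_i, d_i in modes:
        # Only modes whose two endpoints are neighbors of w are stored.
        if s_i not in neighbors or d_i not in neighbors:
            continue
        # A stored (s_j, d_j) with d_i == s_j or s_i == d_j merges with the
        # new mode into a converged mode, i.e. one relay hop of a chain.
        m += sum(1 for s_j, d_j in stored if d_i == s_j or s_i == d_j)
        stored.append((s_i, d_i))
    return m


class Sprt:
    """Wald SPRT on Bernoulli samples A_k (assumed standard form)."""

    def __init__(self, gamma0, gamma1, alpha, beta):
        if not 0 < gamma0 < gamma1 < 1:
            raise ValueError("need 0 < gamma0 < gamma1 < 1")
        self.gamma0, self.gamma1 = gamma0, gamma1
        self.lower = math.log(beta / (1 - alpha))    # accept H0 at or below
        self.upper = math.log((1 - beta) / alpha)    # accept H1 at or above
        self.reset()

    def reset(self):
        self.r = 0.0   # running log-probability ratio R_n
        self.n = 0     # number of samples consumed so far

    def update(self, a_k, kappa=1.0):
        """Add one sample; return "H0", "H1" or None (keep sampling)."""
        g0 = self.gamma0 ** kappa   # assumption: gamma0 replaced by gamma0^kappa
        if a_k:
            self.r += math.log(self.gamma1 / g0)
        else:
            self.r += math.log((1 - self.gamma1) / (1 - g0))
        self.n += 1
        if self.r <= self.lower:
            return "H0"
        if self.r >= self.upper:
            return "H1"
        return None


def run_detector(slots, neighbors, sprt, kappa_max=1.0, rng=None):
    """Return (slot number, samples used) when H1 is accepted, else None."""
    rng = rng or random.Random()
    for k, modes in enumerate(slots, start=1):
        m_k = count_converged(modes, neighbors)
        kappa = rng.uniform(1.0, kappa_max)       # redrawn in every slot
        # Biased sampling (assumed form): M_k samples of 1, or one sample of 0.
        for a_k in ([1] * m_k if m_k else [0]):
            decision = sprt.update(a_k, kappa)
            if decision == "H1":
                return k, sprt.n
            if decision == "H0":
                sprt.reset()                      # restart and keep monitoring
    return None


if __name__ == "__main__":
    test = Sprt(gamma0=0.1, gamma1=0.9, alpha=0.01, beta=0.01)
    print(run_detector([BENIGN_SLOT, CHAIN_SLOT, CHAIN_SLOT], NEIGHBORS, test))
```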
The collection and storage of communication modes includes a Packet Preprocessing Unit (PPU), whose algorithm operates in the MAC layer and whose pseudo code is shown below:
Input: received packet pkt
if pkt.destination == u and pkt.source is a neighbor of u then
    broadcast <pkt.sourceID, pkt.destinationID> to neighbors with probability Pf
end if
The SPRT worm detection scheme above can be evaluated by several performance indicators (for the original scheme with κ = 1 and for the scheme in which κ takes a random value in [1, κmax]):
Number of samples required for decision making of SPRT worm detection algorithm, average number of samples
Number of slots required to detect worm propagation, average number of slots
Number of infected nodes in the network upon detection of worm virus propagation
Communication resource and memory resource consumption
FIG. 2 depicts the number of detection slots required by the SPRT worm detection algorithm and the detection method of the present invention for different infection rates. With the increase of the infection rate of the worm virus, the detection time slot of the whole network is gradually reduced, because the infection rate of the worm node is increased, the worm packets in the network are frequently transmitted, and a large number of packet retransmission phenomena occur to accelerate the detection of the worm by the SPRT detection algorithm. Meanwhile, compared with the SPRT algorithm, the detection method can obviously reduce the number of time slots required to be detected and detect the worm node earlier. The lower the infection rate of the worm, the better the detection method of the invention has the effect of detecting the time slot number relative to the SPRT algorithm.
Fig. 3 shows the average number of samples required by the SPRT worm detection algorithm and the detection method of the present invention to clean up worm nodes in the network at different infection rates. With the increase of the infection rate, the number of detection samples under the two algorithms is reduced, because the worm infection rate is increased, a large amount of packet retransmission phenomena occur in the network, and the detection of worm nodes can be accelerated by the large amount of samples in the network which are effective samples. Meanwhile, the average sample number required by the detection method is smaller than that of the SPRT worm detection algorithm, and the detection method can be simply understood as requiring less detection time slots and requiring less average sample values. And when the infection rate of the worm is 0.001, the detection method in the invention only needs about 5 sample values for worm detection.
Fig. 4 and 5 depict the communication resource consumption and the computational resource consumption of the entire network at different infection rates, respectively. As the infection rate increases, both communication resources and computing resources are gradually reduced. This is because as the infection rate increases, the network detects the worm node more quickly, the number of time slots needed is reduced, the communication overhead and the calculation resource overhead between networks are reduced, and the resource consumption of the detection method in the invention is lower than that of the SPRT algorithm under each infection rate.
Fig. 6 shows the number of infected nodes at the moment the sensor network detects a worm node, under different infection rates. The higher the infection rate of the worm node, the easier it is to detect and the fewer nodes in the network are infected; the infected nodes are effectively limited to about 2%-5%, and the detection method of the present invention is superior to the SPRT detection scheme.
The above description is only an embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can understand that the modifications or substitutions within the technical scope of the present invention are included in the scope of the present invention, and therefore, the scope of the present invention should be subject to the protection scope of the claims.

Claims (1)

1. The method for detecting the malicious worms in the wireless sensor network based on the SPRT algorithm is characterized by comprising the following steps:
step 1, network preprocessing, specifically comprising the following steps:
step 1.1, before sensor network deployment, assigning each sensor node a unique ID number and a private key for communication among the nodes, so that when a node u receives a packet sent by another node v, the communication between the nodes is verified with the key; this prevents a worm from imitating node IDs, which would increase the false alarm rate of worm detection;
step 1.2, after the deployment of the sensor network is completed, each node finds its own neighbor nodes and is periodically elected as a monitoring node with probability P_d, so that the nodes become monitoring nodes in turn; periodically electing the monitoring node prevents the monitoring node from being attacked, and having each node take the role in turn saves the energy of each node;
step 2, collecting and storing the communication modes, wherein the specific contents are as follows:
step 2.1, when node u receives a data packet from another node v, node u checks that the destination address of the packet is itself and that node v is one of its own neighbor nodes; node u then broadcasts the source node ID and destination node ID of the packet to its neighbor nodes with probability P_f, and this broadcast information is referred to as a communication mode;
step 2.2, when the neighbor node of the node u receives the communication mode, if the neighbor node is a detection node, the neighbor node receives and stores the communication mode, otherwise, the communication mode is discarded;
step 2.3, defining the detection node as w, and if the detection node receives the communication mode broadcasted by the neighbor node, carrying out worm detection; the method comprises the following specific steps:
step 2.3.1, the detection node w divides the whole detection time domain into a series of time slots and stores communication mode information in each time slot; each time the detection node w receives a communication mode (s_i, d_i), it checks whether s_i and d_i are neighbor nodes of the detection node w, and if so, node w stores (s_i, d_i) in its memory;
step 2.3.2, then, when the detection node w finds in its memory a communication mode (s_j, d_j) with d_i = s_j or s_i = d_j, the two are combined into a converged communication mode (s_i, d_i, d_j) or (s_j, d_j, s_i), and the counter M is incremented by one; the counter M counts the number of times converged communication modes have been synthesized, M is initialized or reset to 0 at the beginning of each time slot, and the counter is incremented by one each time a converged communication mode occurs;
when a worm node is propagating, the detection node w generates many converged communication modes, so that the value of M is greater than 1; the value of M in each time slot can therefore be used as the basis for judging whether worm propagation exists in the neighbor area of node w; in each time slot, when M is 0, the null hypothesis H_0 (no worm propagation in the network) can be accepted directly; when M > 1, M sampling values are selected according to the magnitude of M in order to accelerate the acceptance of H_1 (worm propagation exists in the network); this process is defined as a biased sampling scheme, which generates more samples, accelerates the acceptance of hypothesis H_1 by the SPRT algorithm, and allows the worm propagation area in the network to be detected quickly;
step 3, SPRT worm detection, which comprises the following specific contents:
the null hypothesis H_0 is that no worm is propagating in the network, and the alternative hypothesis H_1 is that a worm is propagating in the network; the value of the counter M of the detection node in the k-th time slot is M_k, and the Bernoulli random variable A_k is defined through M_k as shown in the following formula:
Figure FDA0002957709280000021
the probability of success of the Bernoulli random variable is γ, i.e., the probability of occurrence of a converged communication mode in the network is:
γ = Pr(A_k = 1) = 1 - Pr(A_k = 0)
because hypothesis H_0 and hypothesis H_1 are assumed to be independent in the whole sample space, there is:
Pr(A_k) = Pr(A_k | H_0) × Pr(H_0) + Pr(A_k | H_1) × Pr(H_1)
considering Pr(A_k = 1) alone, the following formulas are obtained:
Figure FDA0002957709280000022
Figure FDA0002957709280000023
from these formulas it can be derived that Pr(A_k = 1 | H_0) increases as Pr(A_k | H_1) × Pr(H_1) decreases, and that Pr(A_k = 1 | H_1) varies with Pr(A_k | H_0) × Pr(H_0); the detection rate of the worm node is higher, and the missing report rate is lower;
the thresholds of γ are γ_0 and γ_1; when the detection node runs the SPRT algorithm and detects that γ < γ_0, there is no worm propagation in the network; when it detects that γ > γ_1, worm propagation is occurring in the network; judging whether worm propagation exists in the sensor network can therefore be treated as a hypothesis test problem whose null hypothesis is H_0 and whose alternative hypothesis is H_1;
based on this description of the problem, the following gives how the detection node w makes a decision from n samples using the SPRT algorithm, where A_k is one sample; the log-probability ratio R_n of the SPRT is:
Figure FDA0002957709280000031
since the generation of converged communication modes in different time slots is mutually independent, the samples A_k are assumed to be independently and identically distributed, and R_n can be rewritten as:
Figure FDA0002957709280000032
let δ_n be the number of the n samples for which A_k = 1, and let γ_0 = Pr(A_k = 1 | H_0) and γ_1 = Pr(A_k = 1 | H_1); then there is:
Figure FDA0002957709280000033
based on the log-probability ratio R_n, the operation rule of the SPRT is as follows:
Figure FDA0002957709280000034
where α′ represents the maximum allowable false alarm rate configured by the user, and β′ represents the maximum allowable missing report rate configured by the user; then:
Figure FDA0002957709280000035
the operation rules of the SPRT algorithm may be modified as follows:
Figure FDA0002957709280000036
when the SPRT algorithm accepts hypothesis H_0, the detection node w restarts the SPRT algorithm and continues detection; when the SPRT algorithm accepts hypothesis H_1, the detection node w sends a broadcast to its neighbor nodes indicating that nodes in the local area are infected by a worm; the detection node and its neighbor nodes then each use a software authentication scheme to carry out worm detection on their own neighbor nodes, and once the worm nodes are detected, the other nodes in the network stop communicating with them;
when a worm node infects its neighbor nodes slowly, converged communication modes do not occur frequently in the network, so the worm node is regarded as a benign node; the threshold for the sampled samples therefore needs to be changed dynamically;
with respect to γ_0, if the worm can obtain this information, it can dynamically change its pairwise infection rate and disguise itself as a benign node;
therefore, γ_0 is replaced by γ_0^κ, and γ_0^κ is modified dynamically by means of a random parameter κ whose value is greater than 1, i.e., γ_0^κ < γ_0; the random parameter κ is drawn from [1, θ_max], and a κ value is selected at random each time the SPRT algorithm is run in a time slot, so that an attacker cannot dynamically adapt the pairwise infection rate of the worm and worms with a low propagation speed can still be detected;
the log probability ratio of the SPRT algorithm is extended to the following equation:
Figure FDA0002957709280000041
therefore, the modified operation rule of the SPRT algorithm is changed correspondingly as follows:
Figure FDA0002957709280000042
wherein L_0(n) and L_1(n) are as follows:
Figure FDA0002957709280000043
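The following Python sketch is an added example, not code from the patent: it walks through steps 2.3.1 to 3 of the claim, counting converged communication modes per time slot and feeding the counters M_k into a sequential test. The patent's own formulas are figures that are not reproduced on this page, so the standard Wald SPRT log-ratio and thresholds, the rule A_k = 1 when M_k > 0, the biased-sampling interpretation, all function names and all parameter values are assumptions.

```python
import math

def count_converged(patterns, neighbors):
    """Counter M for one time slot at detection node w (steps 2.3.1-2.3.2)."""
    stored, m = [], 0
    for s, d in patterns:
        if s not in neighbors or d not in neighbors:
            continue                      # w only stores modes between its own neighbors
        # assumption: M grows by one per stored mode the new one chains with
        m += sum(1 for sj, dj in stored if d == sj or s == dj)
        stored.append((s, d))
    return m

def sprt(slot_counts, g0, g1, alpha, beta):
    """Return (decision, slots_used, samples_used) for per-slot counters M_k."""
    accept_h0 = math.log(beta / (1 - alpha))   # lower bound on R_n (standard Wald form)
    accept_h1 = math.log((1 - beta) / alpha)   # upper bound on R_n (standard Wald form)
    step1 = math.log(g1 / g0)                  # contribution of a sample A_k = 1
    step0 = math.log((1 - g1) / (1 - g0))      # contribution of a sample A_k = 0
    r, n = 0.0, 0
    for k, m in enumerate(slot_counts, start=1):
        # biased sampling (assumed reading): a slot with M_k > 0 yields M_k samples of 1
        for a in ([1] * m if m > 0 else [0]):
            n += 1
            r += step1 if a else step0
            if r >= accept_h1:
                return "H1", k, n
            if r <= accept_h0:
                return "H0", k, n
    return "undecided", len(slot_counts), n

# Constructed sample data: node IDs and (source, destination) pairs are invented.
NEIGHBORS = {1, 2, 3, 4}
WORM_SLOTS = [[(1, 2), (2, 3), (3, 4)], [(4, 1), (1, 3), (2, 9)]]
BENIGN_SLOTS = [[(1, 2), (3, 4)], [(2, 1)], [(4, 3)]]

def detect(slots, g0=0.1, g1=0.9, alpha=0.01, beta=0.01):
    """Run both stages over a list of time slots; thresholds are illustrative."""
    counts = [count_converged(p, NEIGHBORS) for p in slots]
    return counts, sprt(counts, g0, g1, alpha, beta)

if __name__ == "__main__":
    print(detect(WORM_SLOTS))    # chained forwarding drives R_n up to the H_1 bound
    print(detect(BENIGN_SLOTS))  # slots without converged modes drift to the H_0 bound
```

With these constructed inputs the chained traffic is flagged in the second slot after three samples, while the unchained traffic needs three empty slots before H_0 is accepted, which shows how biased sampling shortens the time to an H_1 decision.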
CN201910128848.5A 2019-02-21 2019-02-21 Method for detecting malicious worms in wireless sensor network based on SPRT algorithm Active CN109862017B (en)

Publications (2)

Publication Number Publication Date
CN109862017A CN109862017A (en) 2019-06-07
CN109862017B true CN109862017B (en) 2021-04-13
