CN111405512B - Method for rapidly detecting compromised node in wireless sensor network - Google Patents

Publication number: CN111405512B
Authority: CN (China)
Prior art keywords: node, compromised, false, trust, cos
Legal status: Active
Application number: CN202010182311.XA
Other languages: Chinese (zh)
Other versions: CN111405512A (en)
Inventors: 王江涛, 尹辉, 刘志雄
Current Assignee: Changsha University
Original Assignee: Changsha University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30 Services specially adapted for particular environments, situations or purposes
    • H04W4/38 Services specially adapted for particular environments, situations or purposes for collecting sensor information
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices

Abstract

The invention provides a method for rapidly detecting compromised nodes in a wireless sensor network. The method can analyze, locate and trace back the scenarios in which false data injection occurs: each node identifies a suspected compromised node from its own observations and records a negative behavior for it in a trust model, and, as the suspected node's negative behaviors accumulate and a target trust degree falls below a preset threshold, a voting mechanism is used to finally confirm the compromised node. The method can detect and locate compromised nodes in a wireless sensor network, produces few misjudgments, and does not add significant energy consumption.

Description

Method for rapidly detecting compromised node in wireless sensor network
Technical Field
The invention relates to the technical field of Internet of things, in particular to a method for rapidly detecting compromised nodes in a wireless sensor network.
Background
The wireless sensor network is an effective tool for remote environment monitoring and is suited to scenarios such as battlefield monitoring and forest fire monitoring. A large number of sensor nodes are randomly deployed in or near the monitored area, and the monitored data are propagated hop by hop through an ad hoc network to a remote sink node.
Generally speaking, sensor nodes are easy targets for attackers because of their limited energy, poor processing capability and lack of tamper-proof hardware. Once a node is captured by an attacker, all information stored on it is exposed, and the attacker can easily carry out false data injection attacks through the compromised nodes. Such attacks not only cause false alarms but also waste a large amount of limited energy and communication resources. Security has therefore become an urgent problem in wireless sensor networks.
To secure the wireless sensor network, a false data midway filtering scheme is often adopted. Most existing false data midway filtering schemes are modifications of, or supplements to, the false data midway filtering model (SEF model). The SEF model can filter out most false data packets injected by compromised nodes before they reach the sink node, that is, it filters false data midway and thereby saves precious network resources. Even if some false data packets happen to reach the sink node, the sink node can filter out the remaining false data, because it holds all the key resources and is equipped with sufficient security devices and techniques (i.e., it cannot be compromised).
However, existing false data midway filtering schemes based on the SEF model can only establish that a data packet is false or has been modified midway by a malicious compromised node, and then filter it. They cannot analyze, locate and trace back the several possible scenarios in which the false data injection occurred, so the compromised nodes cannot be detected and located, and the false data injection problem they cause cannot really be solved.
Therefore, a method for rapidly detecting compromised nodes in a wireless sensor network is needed.
Disclosure of Invention
(I) Technical problem to be solved
To solve the above problems in the prior art, the present invention provides a method for rapidly detecting compromised nodes in a wireless sensor network, by which compromised nodes in a wireless sensor network can be detected and located.
(II) Technical solution
To achieve this purpose, the invention adopts the following main technical solution:
A method for rapidly detecting compromised nodes in a wireless sensor network, in which each node in the wireless sensor network can monitor the behavior of its next-hop neighbor node, the method comprising the following steps:
In the course of midway filtering of false data packets, if a transit node detects that a received data packet is a false data packet, it sends a false data injection report to the event source. The false data injection report comprises the false information in the false data packet and the node information corresponding to the false information. At the event source, the COS node judges from the false data injection report whether the corresponding backup data packet has been tampered with; if yes, the COS node ignores the false data injection report; if not, the COS node and the node corresponding to the false information each record one negative behavior against the other according to the false data injection report, and the trust model penalizes the trust degree between the COS node and the node corresponding to the false information according to the number of negative behaviors between them.
In the course of midway filtering of false data packets, when a monitoring node observes its next-hop transit node tampering with a data packet, it sends a malicious tampering report to that next-hop transit node. According to the malicious tampering report, the monitoring node and its next-hop transit node each record one negative behavior against the other, and the trust model penalizes the trust degree between the monitoring node and its next-hop transit node according to the number of negative behaviors between them.
If a target trust degree lower than the preset threshold exists, the common one-hop neighbor nodes of the target node and the suspected compromised node perform trust evaluation on the suspected compromised node to obtain a trust evaluation result, and the target node confirms from the trust evaluation result whether the suspected compromised node is a compromised node. The target trust degree is the trust degree of the target node in the suspected compromised node.
As an improvement of the method, each node in the wireless sensor network monitors the behavior of its next-hop neighbor node using the watchdog technique.
As an improvement of the method of the present invention, a transit node determines that a received data packet is a false data packet as follows: the transit node judges whether the received data packet contains a false MAC, and if it does, the received data packet is a false data packet. A MAC is false when the transit node's key pool contains the same key as the key corresponding to that MAC, but the MAC generated with that key in the transit node's key pool differs from it.
As an improvement of the method of the invention, the trust model comprises:
Figure BDA0002412988720000031
Figure BDA0002412988720000032
where $R(A,C)_{new}$ is the updated direct trust of node A in node C, with value range $[0,1]$; $R(A,C)_{old}$ is the direct trust of node A in node C before updating; $total_a$ is the total number of interactions between node A and node C; $A_N$ is the number of negative behaviors; $w_a$ is the interaction weight of negative behavior; $m$ is the safety sensitive factor; and $\beta$ is the historical interaction weight.
As an improvement of the method, before sending a data packet, a COS node in the wireless sensor network makes a backup copy of it, and the COS node retains the backup data packet for at least twice the time from the network edge to the sink node.
As an improvement of the method of the invention, the method comprises the following steps: when the sink node detects a false data packet, it sends a false data injection report to the event source. At the event source, the COS node judges from the false data injection report whether the corresponding backup data packet has been tampered with; if yes, the COS node ignores the false data injection report; if not, the COS node and the node corresponding to the false information in the false data packet each record one negative behavior against the other according to the false data injection report, and the trust model penalizes the trust degree between the COS node and the node corresponding to the false information according to the number of negative behaviors between them.
As an improvement of the method, the trust evaluation of the suspected compromised node by the common one-hop neighbor nodes of the target node and the suspected compromised node, which yields the trust evaluation result, comprises: the target node generates a compromised node alarm message and sends it to all of its one-hop neighbor nodes; the one-hop neighbor nodes of the suspected compromised node that receive the compromised node alarm message perform trust evaluation on the suspected compromised node to obtain the trust evaluation result.
As an improvement of the method of the present invention, the trust evaluation performed by a one-hop neighbor node of the suspected compromised node that receives the compromised node alarm message comprises: the neighbor node checks whether its own trust degree in the suspected compromised node is lower than the preset threshold; if yes, it replies YES to the target node; if not, it replies NO to the target node.
As an improvement of the method of the present invention, the target node determines whether the suspected compromised node is a compromised node according to the trust evaluation result as follows: over all replies received to the compromised node alarm message, if the nodes replying YES account for more than 50% of all replying nodes, the target node confirms that the suspected compromised node is a compromised node; otherwise, the suspected compromised node cannot be determined to be a compromised node.
As an improvement of the method of the present invention, after confirming that the suspected compromised node is a compromised node, the method further includes: the target node deletes the compromised node from its neighbor list and propagates a compromised node confirmation message within a two-hop range, and each node receiving the compromised node confirmation message deletes the compromised node from its own neighbor list.
(III) Advantageous effects
(III) advantageous effects
The invention has the beneficial effects that:
1. The method for rapidly detecting compromised nodes in a wireless sensor network can analyze, locate and trace back the scenarios in which false data injection occurs. Each node identifies a suspected compromised node from its own observations and records a negative behavior for it in a trust model; as the negative behaviors of the suspected compromised node accumulate, it can finally be confirmed as a compromised node and isolated. The method detects compromised nodes effectively and handles the suspected compromised nodes that cause false data injection in a lightweight way: it does not rely on group behavior or multi-hop communication involving local parts of the network to confirm the party at fault, does not involve excessive communication or computation, and does not add significant energy consumption.
2. Because the method handles the suspected compromised nodes that cause false data injection in a lightweight way, such a node may be misjudged. Therefore, when a target trust degree lower than the preset threshold exists, a voting mechanism is used to finally confirm the compromised node, which effectively reduces misjudgment.
Drawings
The invention is described with the aid of the following figures:
FIG. 1 is a schematic diagram of a scenario of spurious data injection at an event source;
FIG. 2 is a schematic diagram of a malicious tampering scenario of a transit node;
FIG. 3 is a process flow diagram of a suspected compromise node in a false data injection scenario for an event source;
FIG. 4 is a flow chart of a process for a suspect compromised node in a malicious tampering scenario with a transit node;
FIG. 5 is a flow chart of detecting compromised nodes;
FIG. 6 is a graph comparing average residual energy indicators of non-compromised nodes for a conventional SEF method and the method of the present invention in a simulation experiment;
FIG. 7 is a comparison graph of the average trust levels of compromised and non-compromised nodes of the method of the present invention in a simulation experiment;
FIG. 8 is a graph comparing the number of compromised nodes and misjudged nodes in the simulation experiment;
FIG. 9 is a graph comparing the packet accuracy of the conventional SEF method and the method of the present invention in a simulation experiment.
Detailed Description
For the purpose of better explaining the present invention and to facilitate understanding, the present invention will be described in detail by way of specific embodiments with reference to the accompanying drawings.
In a wireless sensor network, once an event is detected, all nodes that detect it form a cluster. Each monitoring node in the cluster reports its data and signal strength, and one node is elected as the cluster head node (COS node). The COS node generates a data packet representing the whole monitoring cluster, and the data packet is then relayed hop by hop through transit nodes to the sink node. The base station (sink) is a data collection center with strong computing capacity, large storage space and unlimited power; it protects itself with a high-level security mechanism and is equipped with anti-tampering hardware. The sink node is the final security guarantee of the system: because it holds the whole key pool, once it receives a data packet it can check all the message verification codes (MACs) the packet carries and detect every false data packet that escaped midway detection.
It is assumed that an attacker captures multiple nodes and obtains the security information stored in these compromised nodes, but cannot capture the sink node. The invention focuses on false data injection attacks by compromised nodes, which occur in two scenarios: false data injection at the event source, and malicious tampering at a transit node. In the event-source scenario, the attack modes are: 1. the COS node forges a MAC; 2. a neighboring node intentionally provides the COS node with a wrong MAC, which is a bad-mouthing attack. In the transit-node scenario, the attack modes are: 1. the transit node maliciously tampers with the data packet; 2. the transit node maliciously and falsely accuses its next-hop node of tampering with the data packet, which is a bad-mouthing attack.
To monitor both scenarios, each node in the wireless sensor network configured by the invention can monitor the behavior of its next-hop neighbor node, and the traditional midway filtering model (SEF model) is preferably used to detect false data. In a specific embodiment of the present invention, each node uses the watchdog technique to monitor the behavior of its next-hop neighbor node. In the event-source scenario, once a transit node detects a wrong MAC, the two most probable cases are that the COS node of the event source forged the false MAC, or that the neighboring node corresponding to the false MAC maliciously provided a wrong MAC as a bad-mouthing attack, as shown in FIG. 1; it is difficult to determine accurately which party provided the false MAC. In the transit-node scenario, when a monitoring node observes its next-hop transit node tampering with a data packet, there are again two cases: the next-hop transit node of the monitoring node really did tamper with the packet, or a bad-mouthing (framing) attack is being mounted against the monitoring node's next-hop transit node, as shown in FIG. 2; it is difficult to distinguish which party carried out the negative behavior.
Given that each node in the wireless sensor network can monitor the behavior of its next-hop neighbor node and that the SEF model is used for false data detection, the method for rapidly detecting compromised nodes in a wireless sensor network provided by the invention comprises the following steps:
100. Before network deployment: each node in the wireless sensor network is pre-assigned a unique ID number and pre-stores K keys from a random partition of a global key pool.
In the SEF model, the global key pool is divided into n (n > T) partitions, each with m different keys.
101. Network initialization: the neighbor relations among the nodes in the wireless sensor network are determined, and each node assigns an initial trust degree $R(A,C)_{initial}$ to each of its one-hop neighbor nodes.
For simplicity, the initial trust degree $R(A,C)_{initial}$ is set to 1, and the initial values of the positive behavior and the negative behavior in the corresponding trust model are both 1.
102. Data packet endorsement: after an event occurs, all nodes that detect it form a cluster. Each monitoring node in the cluster reports its data and signal strength, and the nodes agree on the occurrence location $L_E$ and the time $t$ in the event data report $E$. The COS node is elected from the monitoring nodes in the cluster, and each monitoring node in the cluster sends a message verification code to the COS node.
Figure BDA0002412988720000071
where || represents the byte concatenation operation;
Figure BDA0002412988720000072
represents the message verification code $M_i$ obtained by performing a one-way hash operation on message b using key a; $i$ is the key index.
Each monitoring node in the cluster sends one $\{i, M_i\}$ tuple to the COS node. After collecting all the tuples, the COS node selects T $\{i, M_i\}$ tuples belonging to different key partitions to form the data report. The content of the data packet sent by the COS node is:
$$\{R_n, ID_{cos}, L_E, t, E, i_1, M_{i_1}, ID_1, i_2, M_{i_2}, ID_2, \ldots, i_T, M_{i_T}, ID_T\}$$
where $R_n$ is the event report serial number generated by the COS node for the event; $L_E$ is the location where the event occurred; $t$ is the time at which the event occurred; $E$ is the event content; and $ID_T$ is the ID number of node T.
In one embodiment of the invention, before sending a data packet, a COS node in the wireless sensor network makes a backup copy of it, and the COS node retains the backup data packet for at least twice the time from the network edge to the sink node.
103. Midway filtering: after a transit node receives the data packet, as shown in FIG. 3, it checks whether the data packet contains T $\{i, M_i\}$ tuples; if not, it discards the data packet. If so, it checks the T key indices $i_j$, $1 \le j \le T$; if the check fails, it discards the data packet. If the check passes, it checks whether the transit node's key pool contains a key $K \in \{K_{i_j}, 1 \le j \le T\}$, that is, one of the keys used in the data packet. If no such key exists, the data packet is forwarded directly to the next-hop transit node. If such a key exists and the verification code generated with it is the same as the verification code generated by the corresponding key in the data packet, the data packet is likewise forwarded directly to the next-hop transit node.
If they are not the same, the transit node has received a false verification code, that is, the data packet it received is a false data packet. The transit node discards the data packet and sends a false data injection report to the event source; the report comprises the false information in the false data packet and the node information corresponding to the false verification code. At the event source, the COS node judges from the false data injection report whether the corresponding backup data packet has been tampered with. If yes, the COS node ignores the false data injection report; if not, the COS node and the node corresponding to the false verification code each record one negative behavior against the other according to the false data injection report, and the trust model penalizes the trust degree between the COS node and the node corresponding to the false verification code according to the number of negative behaviors between them.
As shown in FIG. 4, when a monitoring node observes its next-hop transit node tampering with a data packet, it sends a malicious tampering report to that next-hop transit node. According to the malicious tampering report, the monitoring node and its next-hop transit node each record one negative behavior against the other, and the trust model penalizes the trust degree between the monitoring node and its next-hop transit node according to the number of negative behaviors between them.
104. Sink verification: when the sink node detects a false data packet, it sends a false data injection report to the event source; the report includes the false information in the false data packet. At the event source, the COS node judges from the false data injection report whether the corresponding backup data packet has been tampered with. If yes, the COS node ignores the false data injection report; if not, the COS node and the node corresponding to the false verification code in the false data packet each record one negative behavior against the other according to the false data injection report, and the trust model penalizes the trust degree between the COS node and the node corresponding to the false verification code according to the number of negative behaviors between them.
105. Detection of compromised nodes: as shown in FIG. 5, if a target trust degree lower than the preset threshold exists, the target node generates a compromised node alarm message and sends it to all of its one-hop neighbor nodes. The one-hop neighbor nodes of the suspected compromised node that receive the alarm message perform trust evaluation on the suspected compromised node to obtain a trust evaluation result, and the target node confirms from the trust evaluation result whether the suspected compromised node is a compromised node. The target trust degree is the trust degree of the target node in the suspected compromised node.
Specifically, the trust evaluation performed by a one-hop neighbor node of the suspected compromised node that receives the compromised node alarm message comprises: the neighbor node checks whether its own trust degree in the suspected compromised node is lower than the preset threshold; if yes, it replies YES to the target node; if not, it replies NO to the target node.
Specifically, determining whether a suspected compromised node is a compromised node according to the trust evaluation result includes: over all replies received to the compromised node alarm message, if the nodes replying YES account for more than 50% of all replying nodes, the target node confirms that the suspected compromised node is a compromised node; otherwise, the suspected compromised node cannot be determined to be a compromised node.
Specifically, after confirming that the suspected compromised node is a compromised node, the method further includes: the target node deletes the compromised node from its neighbor list and propagates a compromised node confirmation message within a two-hop range, and each node receiving the compromised node confirmation message deletes the compromised node from its own neighbor list.
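The alarm, vote and isolation of step 105, as an added Python example that is not code from the patent. The topology, the trust values, the threshold of 0.5 and all function names are constructed for illustration, and excluding the suspect as a relay for the confirmation message is an assumption of this sketch.

```python
THRESHOLD = 0.5  # preset trust threshold (constructed value; the page fixes none)


def vote_on_suspect(target, suspect, neighbors, trust, threshold=THRESHOLD):
    """Run the alarm/vote round of step 105; return (confirmed, replies)."""
    if trust[target].get(suspect, 1.0) >= threshold:
        return False, {}  # target trust is not below the threshold: no alarm
    # The alarm reaches every one-hop neighbor of the target; only those that
    # are also one-hop neighbors of the suspect evaluate it and reply.
    voters = (neighbors[target] & neighbors[suspect]) - {target, suspect}
    replies = {v: "YES" if trust[v].get(suspect, 1.0) < threshold else "NO"
               for v in sorted(voters)}
    yes = sum(1 for r in replies.values() if r == "YES")
    # Confirmation needs strictly more than 50% YES among the replies.
    confirmed = bool(replies) and yes / len(replies) > 0.5
    return confirmed, replies


def isolate(target, suspect, neighbors):
    """Delete the confirmed node at the target and within two hops of it."""
    relays = neighbors[target] - {suspect}  # assumption: suspect relays nothing
    notified = set(relays)
    for r in relays:
        notified |= neighbors[r]
    notified -= {suspect}
    notified.add(target)
    for n in notified:
        neighbors[n].discard(suspect)
    return sorted(notified)


def detect(target, suspect, neighbors, trust):
    """Vote, then isolate only if the vote confirms the suspect."""
    confirmed, replies = vote_on_suspect(target, suspect, neighbors, trust)
    notified = isolate(target, suspect, neighbors) if confirmed else []
    return {"confirmed": confirmed, "replies": replies, "notified": notified}


def sample_network():
    """Constructed six-node topology in which node C is the compromised one."""
    neighbors = {
        "A": {"B", "C", "D", "E"},
        "B": {"A", "C", "D"},
        "C": {"A", "B", "D", "E"},
        "D": {"A", "B", "C", "F"},
        "E": {"A", "C"},
        "F": {"D"},
    }
    # trust[x][y]: direct trust of x in y; missing entries keep the initial 1.
    trust = {n: {} for n in neighbors}
    trust["A"].update({"C": 0.2, "B": 0.95})
    trust["B"]["C"] = 0.3
    trust["D"].update({"C": 0.45, "B": 0.9})
    trust["E"]["C"] = 0.9
    trust["C"]["B"] = 0.1  # C bad-mouths the honest node B
    return neighbors, trust


if __name__ == "__main__":
    nbrs, tr = sample_network()
    print(detect("A", "C", nbrs, tr))  # honest target, compromised suspect
    nbrs, tr = sample_network()
    print(detect("C", "B", nbrs, tr))  # compromised target accusing honest B
```

In the second call the accusation fails because the common neighbors A and D answer from their own trust tables, which is how the vote limits the effect of a bad-mouthing node.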
Preferably, in the method for rapidly detecting a compromised node in a wireless sensor network provided by the present invention, the trust model includes:
Figure BDA0002412988720000091
Figure BDA0002412988720000092
where $R(A,C)_{new}$ is the updated direct trust of node A in node C, with value range $[0,1]$; $R(A,C)_{old}$ is the direct trust of node A in node C before updating; $total_a$ is the total number of interactions between node A and node C; $A_N$ is the number of negative behaviors; $w_a$ is the interaction weight of negative behavior; $m$ is the safety sensitive factor; and $\beta$ is the historical interaction weight.
Of course, in the method for rapidly detecting compromised nodes in a wireless sensor network provided by the invention, using the SEF model for false data detection is only the preferred option; false data detection can also be performed with the LBRS model or the GRSEF model.
The method for rapidly detecting compromised nodes in a wireless sensor network can analyze, locate and trace back the scenarios in which false data injection occurs. Each node identifies a suspected compromised node from its own observations and records a negative behavior for it in a trust model; as the negative behaviors of the suspected compromised node accumulate, it can finally be confirmed as a compromised node and isolated. The method detects compromised nodes effectively and handles the suspected compromised nodes that cause false data injection in a lightweight way: it does not rely on group behavior or multi-hop communication involving local parts of the network to confirm the party at fault, does not involve excessive communication or computation, and does not add significant energy consumption.
Because the method handles the suspected compromised nodes that cause false data injection in a lightweight way, such a node may be misjudged. Therefore, when a target trust degree lower than the preset threshold exists, a voting mechanism is used to finally confirm the compromised node, which effectively reduces misjudgment.
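The midway check of step 103 and the COS node's handling of a false data injection report, as an added Python example that is not code from the patent. It assumes HMAC-SHA256 truncated to 8 bytes as the MAC over L_E || t || E, reads the key-index check as "T distinct partitions", and treats a reported tuple that is absent from the COS node's backup as tampering after the packet left the COS; the key pool, node IDs and function names are constructed.

```python
import hashlib
import hmac
from collections import Counter

T = 3                    # tuples a report must carry (constructed value)
KEYS_PER_PARTITION = 10  # 10 partitions x 10 keys, as in the simulation section

# Constructed global key pool: key index i -> key bytes.
GLOBAL_POOL = {i: hashlib.sha256(b"demo-key-%d" % i).digest() for i in range(100)}


def make_mac(key, l_e, t, event):
    """Assumed MAC construction: truncated HMAC-SHA256 over L_E || t || E."""
    return hmac.new(key, l_e + t + event, hashlib.sha256).digest()[:8]


def build_packet(r_n, id_cos, l_e, t, event, endorsements):
    """endorsements: (key_index, node_id, forge); forge=True plants a false MAC."""
    tuples = []
    for i, node_id, forge in endorsements:
        m = bytes(8) if forge else make_mac(GLOBAL_POOL[i], l_e, t, event)
        tuples.append((i, m, node_id))
    return {"R_n": r_n, "ID_cos": id_cos, "L_E": l_e, "t": t, "E": event,
            "tuples": tuples}


def midway_filter(node_keys, pkt):
    """Transit-node check; returns ("drop" | "forward" | "report", report)."""
    tuples = pkt["tuples"]
    if len(tuples) != T:
        return "drop", None
    if len({i // KEYS_PER_PARTITION for i, _, _ in tuples}) != T:
        return "drop", None  # assumed index check: T distinct key partitions
    for i, m, node_id in tuples:
        if i not in node_keys:
            continue  # this node cannot verify a MAC made with a key it lacks
        expected = make_mac(node_keys[i], pkt["L_E"], pkt["t"], pkt["E"])
        if not hmac.compare_digest(expected, m):
            return "report", {"R_n": pkt["R_n"], "false_tuple": (i, m, node_id)}
    return "forward", None


def cos_handle_report(id_cos, report, backups, negative):
    """COS side: compare the reported false tuple with the retained backup."""
    backup = backups[report["R_n"]]
    if report["false_tuple"] not in backup["tuples"]:
        return "ignored"  # packet no longer matches the backup: altered en route
    accused = report["false_tuple"][2]
    negative[(id_cos, accused)] += 1  # COS records a negative behavior for the node
    negative[(accused, id_cos)] += 1  # and the node records one for the COS
    return "recorded"


def run_demo():
    transit = {i: GLOBAL_POOL[i] for i in range(20, 25)}  # 5 keys of partition 2
    other = {i: GLOBAL_POOL[i] for i in range(90, 95)}    # shares no key with packet
    ev = (b"(40,60)", b"t=1200", b"fire")
    good = [(3, 11, False), (21, 17, False), (57, 23, False)]
    bad = [(3, 11, False), (21, 17, True), (57, 23, False)]
    honest = build_packet(1, 1, *ev, good)
    forged = build_packet(2, 1, *ev, bad)     # false MAC present at the source
    backup3 = build_packet(3, 1, *ev, good)   # what the COS really sent
    tampered = build_packet(3, 1, *ev, bad)   # same report, altered en route
    backups, negative = {2: forged, 3: backup3}, Counter()
    out = {"honest": midway_filter(transit, honest)[0],
           "forged_unverifiable": midway_filter(other, forged)[0]}
    out["forged"], report = midway_filter(transit, forged)
    out["accused"] = report["false_tuple"][2]
    out["cos_forged"] = cos_handle_report(1, report, backups, negative)
    _, report3 = midway_filter(transit, tampered)
    out["cos_tampered"] = cos_handle_report(1, report3, backups, negative)
    out["negative"] = dict(negative)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The `forged_unverifiable` case shows why midway filtering is probabilistic: a transit node that shares no key with the packet forwards it, leaving detection to a later hop or to the sink.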
Simulation experiment
400 nodes are randomly scattered over a square area of 100 x 100 square meters. The sensing range and the communication range of each node are 10 meters, and each node is distributed to a unique ID and 5 random keys in a random key partition in a global key pool before network deployment. The global key pool is divided into 10 partitions in total, each key partition holds 10 different keys, each key consisting of a key value and a key index. The initial trust degree distributed by the node to each neighbor node is 1, the initial values of the corresponding positive behavior and the negative behavior are 1, the system randomly designates 10 nodes in the network as compromise nodes before the experiment begins, and each compromise node injects a false verification code or provides the false verification code or tampers a data packet or attacks the next hop node by baseband in a probability of pi. The initial energy level of each node is 1, and 0.00005 units of energy is consumed each time a node propagates a packet or receives a packet. In the model, the transmission and the reception of the data packet are the main energy consumption, and the rest energy consumption is ignored for the sake of simplicity.
The simulation experiment is carried out for 50 rounds in total, each round of experiment randomly simulates 400 events occurring in the network range, all the events generate corresponding data packets and are forwarded to the sink base station hop by hop, the negative behaviors of the relative nodes in the process are recorded by the corresponding nodes and are punished in the trust model, and all the compromised nodes are gradually detected and isolated along with the work of the trust model and the compromised node detection model. A GEAR routing algorithm was used in the simulation experiments.
The simulation experiment results are as follows:
As shown in fig. 6, the simulation experiment compares the average remaining energy of non-compromised nodes under the conventional SEF method and the method of the present invention. The result shows that the model of the present invention consumes slightly more energy than the conventional SEF model, mainly because the backtracking of false data injection reports and the compromised node detection process consume additional energy.
Fig. 7 shows how the average trust level of compromised and non-compromised nodes changes as the number of experiment rounds increases. The result shows that the compromised node detection process starts once the average trust level of the suspected compromised nodes has gradually dropped to the preset threshold of the system, so that the compromised nodes are gradually detected and isolated, while the average trust level of non-compromised nodes always stays at a high level. The experiment thus demonstrates the effectiveness of the method.
Fig. 8 compares the number of detected compromised nodes with the number of nodes erroneously judged to be compromised. The number of detected compromised nodes increases gradually with the number of experiment rounds and reaches 10 (i.e. all compromised nodes are detected) in round 45, while the number of erroneously judged nodes always stays at 0.
As shown in fig. 9, the simulation experiment compares the conventional SEF method and the method of the present invention on the data packet accuracy index. In the initial stage of the experiment the two methods have essentially the same data packet accuracy. As the experiment proceeds, the data packet accuracy of the method of the present invention gradually increases and reaches 1 in round 45 (because all compromised nodes have been detected and isolated), whereas the conventional SEF method cannot detect compromised nodes, so its index stays at the same level and does not increase.
It should be understood that the above description of specific embodiments of the present invention only illustrates the technical ideas and features of the present invention, and is intended to enable those skilled in the art to understand and implement the present invention; the present invention is not limited to the above specific embodiments. All changes and modifications that fall within the scope of the appended claims are intended to be embraced therein.

Claims (6)

1. A method for rapidly detecting compromised nodes in a wireless sensor network is characterized in that each node in the wireless sensor network can monitor the behavior of a next-hop neighbor node, and the method comprises the following steps:
in the course of filtering false data packets en route, if a transit node detects that a received data packet is a false data packet, it sends a false data injection report to the event source; the false data injection report comprises the false information in the false data packet and the node information corresponding to the false information; at the event source, according to the false data injection report, the COS node judges whether the corresponding backup data packet has been tampered with; if yes, the COS node ignores the false data injection report; if not, according to the false data injection report, the COS node and the node corresponding to the false information each record one negative behavior for the other; according to the number of negative behaviors between the COS node and the node corresponding to the false information, the trust model penalizes the trust degree between the COS node and the node corresponding to the false information; the COS node represents a cluster head node;
in the course of filtering false data packets en route, when a monitoring node observes that its next-hop transit node tampers with a data packet, it sends a malicious tampering report to the next-hop transit node; according to the malicious tampering report, the monitoring node and its next-hop transit node each record one negative behavior for the other; according to the number of negative behaviors between the monitoring node and the next-hop transit node, the trust model penalizes the trust degree between the monitoring node and the next-hop transit node;
the trust model includes:
Figure FDA0003057526660000011
Figure FDA0003057526660000012
wherein $R(A,C)_{new}$ is the updated direct trust of node A in node C, with value range [0,1]; $R(A,C)_{old}$ is the direct trust of node A in node C before updating; $total_a$ is the total number of interactions between node A and node C; $A_N$ is the number of negative behaviors; $w_a$ is the interaction weight of negative behavior; $m$ is a safety sensitive factor; $\beta$ is the historical interaction weight;
if a target trust degree lower than the preset threshold exists, the common one-hop neighbor nodes of the target node and the suspected compromised node carry out trust evaluation on the suspected compromised node to obtain a trust evaluation result; the target node confirms whether the suspected compromised node is a compromised node according to the trust evaluation result; the target trust degree is the trust degree of the target node in the suspected compromised node;
the carrying out of trust evaluation on the suspected compromised node by the common one-hop neighbor nodes of the target node and the suspected compromised node to obtain a trust evaluation result comprises: the target node generates a compromised node alarm message and sends it to all one-hop neighbor nodes of the target node; each node that receives the compromised node alarm message and is a one-hop neighbor node of the suspected compromised node checks whether its own trust degree in the suspected compromised node is lower than the preset threshold; if yes, it replies YES to the target node; if not, it replies NO to the target node;
the confirming by the target node, according to the trust evaluation result, of whether the suspected compromised node is a compromised node comprises: according to all replies received to the compromised node alarm message, if the number of nodes replying YES accounts for more than 50% of the number of all replying nodes, the target node confirms that the suspected compromised node is a compromised node; otherwise, the suspected compromised node cannot be determined to be a compromised node.
2. The method of claim 1, wherein each node in the wireless sensor network monitors the behavior of the next-hop neighbor node using a watchdog technique.
3. The method of claim 1, wherein the detecting, by the transit node, that the received data packet is a false data packet comprises:
the transit node judges whether a false MAC exists in the received data packet; if so, the data packet received by the transit node is a false data packet;
a false MAC being one for which a key identical to the key corresponding to the MAC exists in the key pool of the transit node, but the MAC generated with that key from the key pool of the transit node differs from it.
4. The method of claim 1, wherein the COS node in the wireless sensor network makes a backup copy of the data packet before transmitting it, the backup packet being retained by the COS node for at least twice the time taken from the network edge to the sink node.
5. The method of claim 4, further comprising the steps of:
when the sink node detects a false data packet, sending a false data injection report to an event source; according to the false data injection report at the event source, the COS node judges whether the corresponding backup data packet is tampered;
if yes, the COS node ignores the false data injection report; if not, according to the false data injection report, the COS node and the node corresponding to the false information in the false data packet each record one negative behavior for the other, and according to the number of negative behaviors between the COS node and the node corresponding to the false information, the trust model penalizes the trust degree between the COS node and the node corresponding to the false information.
6. The method of claim 1, further comprising, after said confirming that the suspected compromised node is a compromised node: the target node deletes the compromised node from its neighbor list and transmits a compromised node confirmation message within a two-hop range, and each node receiving the compromised node confirmation message deletes the compromised node from its neighbor list.
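The false-MAC test of claim 3 and the COS backup comparison of claims 1, 4 and 5, as an added Python sketch that is not code from the patent. The packet layout, the function names, the sample keys and the use of truncated HMAC-SHA256 as the MAC are assumptions; the patent does not name a MAC algorithm.

```python
import hashlib
import hmac

def mac(key, event):
    # Assumption: truncated HMAC-SHA256 stands in for the unspecified MAC.
    return hmac.new(key, event, hashlib.sha256).digest()[:4]

def find_false_macs(packet, node_keys):
    """Transit-node check: MACs that fail under a key this node also holds."""
    false_info = []
    for node_id, key_index, tag in packet["macs"]:
        key = node_keys.get(key_index)
        if key is None:
            continue  # key not held: this node cannot verify that MAC
        if not hmac.compare_digest(mac(key, packet["event"]), tag):
            false_info.append((node_id, key_index, tag))
    return false_info  # contents of the false data injection report

def cos_handle_report(report, backup, negatives, cos_id="COS"):
    """COS compares the report with its backup copy and records negatives."""
    for entry in report:
        if entry not in backup["macs"]:
            continue  # differs from backup: altered after leaving the COS
        node_id = entry[0]
        # Each side records one negative behavior for the other.
        for pair in ((cos_id, node_id), (node_id, cos_id)):
            negatives[pair] = negatives.get(pair, 0) + 1
    return negatives

def flip(tag):
    # Invert every bit so the constructed bad MAC is guaranteed to differ.
    return bytes(b ^ 0xFF for b in tag)

def sample_packets():
    """Constructed data: keys 11-13 from one partition, endorsers S1-S3."""
    pool = {11: b"k11-demo", 12: b"k12-demo", 13: b"k13-demo"}
    event = b"temp=41;loc=(12,30)"
    sent = {"event": event, "macs": [
        ("S1", 11, mac(pool[11], event)),
        ("S2", 12, flip(mac(pool[12], event))),  # S2 supplied a false MAC
        ("S3", 13, mac(pool[13], event)),
    ]}
    # The same packet after S3's MAC was overwritten in transit.
    bad_s3 = ("S3", 13, flip(mac(pool[13], event)))
    altered = {"event": event, "macs": sent["macs"][:2] + [bad_s3]}
    return pool, sent, altered
```

A transit node that holds only key 11 finds nothing wrong with the sent packet, which is why the check is applied again at each hop and at the sink node.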
CN202010182311.XA 2020-03-16 2020-03-16 Method for rapidly detecting compromised node in wireless sensor network Active CN111405512B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010182311.XA CN111405512B (en) 2020-03-16 2020-03-16 Method for rapidly detecting compromised node in wireless sensor network

Publications (2)

Publication Number Publication Date
CN111405512A CN111405512A (en) 2020-07-10
CN111405512B true CN111405512B (en) 2021-06-25

Family

ID=71430936

Country Status (1)

Country Link
CN (1) CN111405512B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant