CN113727349B - Method for detecting abnormal network node of Sybil attack based on Mahalanobis distance - Google Patents

Info

Publication number
CN113727349B
Authority
CN
China
Prior art keywords
node
trust
distance
attack
attribute
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111042930.XA
Other languages
Chinese (zh)
Other versions
CN113727349A (en)
Inventor
王军
王妍
明佳音
姚士正
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenyang University of Chemical Technology
Original Assignee
Shenyang University of Chemical Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H04W12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/66 Trust-dependent, e.g. using trust scores or trust relationships
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W84/00 Network topologies
    • H04W84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention discloses a method for detecting abnormal network nodes under a Sybil attack based on the Mahalanobis distance, and relates to network anomaly detection methods. The method needs only the distance between nodes to detect Sybil attack nodes, which simplifies the calculation process and reduces energy consumption. When the density of Sybil nodes or the density of all nodes increases, the detection rate of the method changes little and remains basically stable; the algorithm thus offers a high detection rate, a low false detection rate and stability.

Description

Method for detecting abnormal network node of Sybil attack based on Mahalanobis distance
Technical Field
The invention relates to a network anomaly detection method, in particular to a method for detecting abnormal network nodes under a Sybil attack based on the Mahalanobis distance.
Background
By default, each node in a wireless sensor network has exactly one legitimate identity. When a malicious node that actually has only one identity claims to possess multiple identities, and thereby damages the network in various ways, the attack is called a Sybil attack. Because of its multiple identities, a Sybil attack is difficult to detect and identify effectively once it has broken through the line of defense, which makes it the attack mode that is most difficult to detect.
The harsh deployment environment and wireless-channel communication of wireless sensor networks expose them to various network attacks. The most typical is the Sybil attack, which forges multiple identities and sends messages at different power levels to attack the network; because the identities keep changing, the attack behavior is difficult to predict.
A wireless sensor network is deployed in a very harsh, open environment, communicates over wireless channels, has limited energy, and can adopt only relatively simple communication technology, so it faces more network attack problems than traditional wireless communication. The common types of network attack and their main characteristics are summarized in Table 1.
Table 1. Common network attacks in WSNs
From the common attack modes above, it can be seen that attacks on wireless sensor networks basically work in the following ways: 1. depleting node energy; 2. refusing to forward messages; 3. discarding messages, etc. Among them, the Sybil attack has unique attack characteristics, is powerful, and is distinctively destructive. In its early form, the Sybil attack endangered multipath routing; as routing protocols changed and developed, it began to disrupt various routing protocols such as probabilistic routing and geographic routing. The Sybil attack also uses nodes to forge the number of controlled nodes, which affects data fusion mechanisms and fair resource allocation mechanisms. Moreover, it can undermine the voting mechanisms used for abnormal-behavior detection and for elections, so it is strongly destructive and its adverse effects are extremely wide.
Disclosure of Invention
The invention aims to provide a method for detecting abnormal network nodes under a Sybil attack based on the Mahalanobis distance. Theoretical research and simulation results show that the method can identify malicious nodes rapidly and accurately and expel them from the network in time, which improves the accuracy of the data and the security of the network, prolongs the life cycle of the network, and thereby further ensures network security. A method for detecting abnormal Sybil attack nodes based on the Mahalanobis distance is therefore proposed for this problem.
The aim of the invention is achieved by the following technical scheme:
A method for detecting abnormal network nodes under a Sybil attack based on the Mahalanobis distance, the method comprising the following steps:
1) The judgment method of the trust mechanism uses the characteristics and attributes of malicious attacks to model them, so as to establish a reasonable trust evaluation model; trust attributes are defined, including the energy consumption rate, the packet loss rate, the message sending frequency and the sensor measurement value $M_5$;
2) The node type is judged with a malicious-node anomaly detection method: the Mahalanobis distance discrimination method is used to judge abnormal Sybil-attack nodes in the wireless sensor network;
the covariance matrix Cov is calculated from $\mu$ and the sample attribute values, and the Mahalanobis distance of the trust attribute $P'_j(i)$ is calculated as follows:
wherein, Is the Mahalanobis distance of trust attribute $P'_j(i)$; $j$ represents the trust attribute class, $j \in \{1,2,3,4,5,6\}$; $i$ is the sample number within each trust attribute class, $i \in \{1,2,\ldots,n_s\}$;
the Mahalanobis distances of all samples are obtained from the above equation, and the maximum Mahalanobis distance is calculated as:
the $P_i$ values of all nodes are calculated; if the Mahalanobis distance is greater than $d_{max}$, the node is suspicious; otherwise, if the Mahalanobis distance is less than or equal to $d_{max}$, the node is normal. By judging the abnormality of the attribute values, the trust attributes corresponding to all nodes are calculated, and it is thereby judged whether a node in the network is a malicious Sybil-attack node.
In the method for detecting abnormal Sybil-attack network nodes based on the Mahalanobis distance, the energy consumption rate is calculated as follows:
where $M_1$ represents the energy consumption rate, $P_t$ represents the node's remaining energy at time $t$, and $P_{t+\Delta t}$ represents the node's remaining energy at time $(t+\Delta t)$.
In the method for detecting abnormal Sybil-attack network nodes based on the Mahalanobis distance, the packet loss rate is the ratio of the number of packets a node loses to the total number of data packets it transmits when the node communicates.
In the method for detecting abnormal Sybil-attack network nodes based on the Mahalanobis distance, the message sending frequency is the number of data packets a node sends per unit time.
In the method for detecting abnormal Sybil-attack network nodes based on the Mahalanobis distance, regarding the sensor measurement value $M_5$: when some malicious nodes attack, their behavior is not reflected in network transmission; instead they forge or tamper with the sensor's measured value so that the physical system fails. In that case $M_5$ deviates greatly, whereas when there is no attack $M_5$ is a stable sequence.
The invention has the advantages and effects that:
For Sybil attacks under different conditions, the invention adopts the Mahalanobis distance discrimination method in cooperation with the calculation of node trust degree to identify malicious Sybil-attack nodes, and simulations are carried out for the different situations of a single Sybil attack and of collusion among several Sybil attackers. Compared with the positioning-based Sybil attack detection algorithms proposed in prior research, the method needs only the distance of the node to detect Sybil attack nodes, which simplifies the calculation process and reduces energy consumption. When the density of Sybil nodes or the density of all nodes increases, the detection rate of the method changes little and remains basically stable; the algorithm thus offers a high detection rate, a low false detection rate and stability.
Detailed Description
The present invention will be described in detail with reference to examples.
The detection method of the invention comprises the following steps:
1. Judgment method of the trust mechanism
The method uses the characteristics and attributes of malicious attacks to model them, so as to establish a reasonable trust evaluation model.
The definition of the trust attribute $M$ is described in detail below:
Definition 1: energy consumption rate. The amount of energy the node consumes per unit time, calculated as follows:
where $M_1$ represents the energy consumption rate, $P_t$ represents the node's remaining energy at time $t$, and $P_{t+\Delta t}$ represents the node's remaining energy at time $(t+\Delta t)$.
Definition 2: packet loss rate. The ratio of the number of packets a node loses to the total number of data packets it transmits when the node communicates. The calculation formula is as follows:
where $M_2$ is the packet loss rate, $s$ is the total number of packets sent by a node to other nodes, and $s_1$ is the number of packets lost by the node.
Definition 3: message receiving frequency. The number of data packets a node successfully receives per unit time. The calculation formula is as follows:
where $s_r$ represents the number of messages successfully received within time $\Delta t$, and $M_3$ is the message receiving frequency.
Definition 4: message sending frequency. The number of data packets a node sends per unit time. The calculation formula is as follows:
where $M_4$ is the message sending frequency, and $s_n$ represents the number of messages successfully sent within the unit time $\Delta t$.
Definition 5: sensor measurement value $M_5$. When some malicious nodes attack, their behavior is not reflected in network transmission; instead they forge or tamper with the sensor's measured value so that the physical system fails. In that case $M_5$ deviates greatly, whereas when there is no attack $M_5$ is a stable sequence.
2. Among mathematical methods, the most commonly used is distance discrimination. First, sample information is obtained from the data and classified according to different rules; when a new sample point is added, the category of the node is judged using those rules alone. The common distance discrimination methods are the Mahalanobis distance discrimination method and the Euclidean distance discrimination method. The Euclidean method is the one most used in everyday practice; its advantage is convenience of use, and its drawback is that it lacks information on the dispersion of the overall distribution. The Mahalanobis distance discrimination method makes up for this drawback: it examines the relations among samples from several different aspects and is well suited to judging the similarity of samples. The following describes how the Mahalanobis distance discrimination method is used to judge abnormal Sybil-attack nodes in a wireless sensor network.
Let $G$ be an $n$-dimensional population, $\mu = (\mu_1, \mu_2, \ldots, \mu_n)^T$ be the sample mean vector, Is a covariance matrix; then the Mahalanobis distance of a sample $X = (x_1, x_2, \ldots, x_n)^T$ from the population $G$ is:
While the wireless sensor network is secure and its trust attributes are normal, each of the six trust attributes $P_j$ ($j = 1, 2, \ldots, 6$) of the sample nodes is sampled $n_s$ times. The corresponding sample attribute set is denoted $Q$, and $P'_j$ represents the sample value of the trust attribute $P_j$, so that:
The sample mean $\mu$ can be calculated as follows:
The covariance matrix Cov can then be calculated from $\mu$ and the sample attribute values. As can be seen from the above, the Mahalanobis distance of the trust attribute $P'_j(i)$ is calculated as follows:
wherein, Is the Mahalanobis distance of trust attribute $P'_j(i)$; $j$ represents the trust attribute class, $j \in \{1,2,3,4,5,6\}$; $i$ is the sample number within each trust attribute class, $i \in \{1,2,\ldots,n_s\}$.
The Mahalanobis distances of all samples are thus obtained from the above equation, and the maximum Mahalanobis distance is calculated as:
The $P_i$ values of all nodes are calculated; if the Mahalanobis distance is greater than $d_{max}$, the node is suspicious; otherwise, if the Mahalanobis distance is less than or equal to $d_{max}$, the node is normal. By judging the abnormality of the attribute values, the trust attributes corresponding to all nodes can be calculated, so that it can be judged whether a node in the network is a malicious Sybil-attack node.
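The detection step described above, as an added Python example that is not code from the patent: it builds a trust vector from $M_1$ to $M_5$, fits $\mu$ and Cov on baseline samples taken while the network is normal, takes $d_{max}$ as the largest baseline distance, and flags a node whose distance exceeds it. The formulas for $M_1$ to $M_4$ and the standard multivariate Mahalanobis form are assumptions derived from the verbal definitions, because the equations are missing from this page; the function names and all sample values are constructed.

```python
import math
import random

def trust_vector(p_t, p_t_dt, s, s1, s_r, s_n, m5, dt):
    """M1..M5 from raw counters; formulas assumed from the verbal definitions."""
    return [(p_t - p_t_dt) / dt,  # M1: energy consumed per unit time
            s1 / s,               # M2: lost packets / total packets sent
            s_r / dt,             # M3: messages received per unit time
            s_n / dt,             # M4: messages sent per unit time
            m5]                   # M5: sensor measurement value

def mean_and_cov(samples):
    """Sample mean vector and (n-1)-normalised covariance matrix."""
    n, k = len(samples), len(samples[0])
    mu = [sum(r[j] for r in samples) / n for j in range(k)]
    cov = [[sum((r[a] - mu[a]) * (r[b] - mu[b]) for r in samples) / (n - 1)
            for b in range(k)] for a in range(k)]
    return mu, cov

def solve(a, b):
    """Solve a*x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        if abs(m[p][c]) < 1e-12:
            raise ValueError("singular covariance: an attribute is constant or redundant")
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def mahalanobis(x, mu, cov):
    d = [xi - mi for xi, mi in zip(x, mu)]
    q = sum(di * zi for di, zi in zip(d, solve(cov, d)))  # (x-mu)^T Cov^-1 (x-mu)
    return math.sqrt(max(q, 0.0))

def fit_baseline(samples):
    """Return (mu, Cov, d_max) where d_max is the largest baseline distance."""
    mu, cov = mean_and_cov(samples)
    d_max = max(mahalanobis(s, mu, cov) for s in samples)
    return mu, cov, d_max

def classify(x, baseline):
    mu, cov, d_max = baseline
    return "suspicious" if mahalanobis(x, mu, cov) > d_max else "normal"

def constructed_baseline(n_s=40, seed=7):
    """Constructed samples of a healthy node over windows of dt = 10 s."""
    rng = random.Random(seed)
    out = []
    for _ in range(n_s):
        s, s1 = rng.randint(90, 110), rng.randint(1, 5)
        out.append(trust_vector(100.0, 100.0 - rng.uniform(0.4, 0.6), s, s1,
                                rng.randint(80, 120), s - s1,
                                rng.uniform(24.5, 25.5), dt=10.0))
    return out

# Constructed node that sends for several claimed identities: its sending
# frequency and energy drain are far above baseline, its sensor value is not.
SYBIL_LIKE = trust_vector(100.0, 98.0, 400, 10, 100, 390, 25.0, dt=10.0)

if __name__ == "__main__":
    base = fit_baseline(constructed_baseline())
    print("d_max =", round(base[2], 3))
    print("sybil-like node:", classify(SYBIL_LIKE, base))
```

Because $d_{max}$ is the largest distance seen in the baseline, every baseline sample classifies as normal by construction, so the false detection rate on fresh normal traffic depends on how representative the $n_s$ baseline samples are.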

Claims (1)

1. A method for detecting abnormal network nodes under a Sybil attack based on the Mahalanobis distance, characterized by comprising the following steps:
1) The judgment method of the trust mechanism uses the characteristics and attributes of malicious attacks to model them, so as to establish a reasonable trust evaluation model; trust attributes are defined, including the energy consumption rate, the packet loss rate, the message sending frequency and the sensor measurement value $M_5$;
The energy consumption rate is the amount of energy the node consumes per unit time, and the calculation formula is as follows:
wherein $M_1$ represents the energy consumption rate, $P_t$ represents the node's remaining energy at time $t$, and $P_{t+\Delta t}$ represents the node's remaining energy at time $(t+\Delta t)$;
The packet loss rate is the ratio of the number of packets a node loses to the total number of data packets it transmits when the node communicates; the calculation formula is as follows:
wherein $M_2$ is the packet loss rate, $s$ is the total number of data packets sent by the node to other nodes, and $s_1$ is the number of packets lost by the node;
The message receiving frequency is the number of data packets a node successfully receives per unit time; the calculation formula is as follows:
wherein $s_r$ represents the number of messages successfully received within time $\Delta t$, and $M_3$ is the message receiving frequency;
The message sending frequency is the number of data packets a node sends per unit time; the calculation formula is as follows:
wherein $M_4$ is the message sending frequency, and $s_n$ represents the number of messages successfully sent within the unit time $\Delta t$;
for the sensor measurement value $M_5$: when some malicious nodes attack, their behavior is not reflected in network transmission; instead they forge or tamper with the sensor's measured value so that the physical system fails, in which case $M_5$ deviates greatly, whereas when there is no attack $M_5$ is a stable sequence;
2) The node type is judged with a malicious-node anomaly detection method: the Mahalanobis distance discrimination method is used to judge abnormal Sybil-attack nodes in the wireless sensor network;
Let $G$ be an $n$-dimensional population, $\mu = (\mu_1, \mu_2, \ldots, \mu_n)^T$ be the sample mean vector, Is a covariance matrix; then the Mahalanobis distance of a sample $X = (x_1, x_2, \ldots, x_n)^T$ from the population $G$ is:
While the wireless sensor network is secure and its trust attributes are normal, each of the six trust attributes $P_j$ ($j = 1, 2, \ldots, 6$) of the sample nodes is sampled $n_s$ times; the corresponding sample attribute set is denoted $Q$, and $P'_j$ represents the sample value of the trust attribute $P_j$, so that:
the sample mean $\mu$ can be calculated as follows:
then the covariance matrix Cov is calculated from $\mu$ and the sample attribute values, and the Mahalanobis distance of the trust attribute $P'_j(i)$ is calculated as follows:
wherein, Is the Mahalanobis distance of trust attribute $P'_j(i)$; $j$ represents the trust attribute class, $j \in \{1,2,3,4,5,6\}$; $i$ is the sample number within each trust attribute class, $i \in \{1,2,\ldots,n_s\}$;
the Mahalanobis distances of all samples are obtained from the above equation, and the maximum Mahalanobis distance is calculated as:
the $P_i$ values of all nodes are calculated; if the Mahalanobis distance is greater than $d_{max}$, the node is suspicious; otherwise, if the Mahalanobis distance is less than or equal to $d_{max}$, the node is normal. By judging the abnormality of the attribute values, the trust attributes corresponding to all nodes are calculated, and it is thereby judged whether a node in the network is a malicious Sybil-attack node.
CN202111042930.XA 2021-09-07 2021-09-07 Method for detecting abnormal network node of Sybil attack based on Mahalanobis distance Active CN113727349B (en)

Publications (2)

Publication Number Publication Date
CN113727349A (en) 2021-11-30
CN113727349B (en) 2024-04-26
