CN113727349B - Method for detecting abnormal network node of Sybil attack based on Mahalanobis distance - Google Patents
- Publication number
- CN113727349B
- Authority
- CN
- China
- Prior art keywords
- node
- trust
- distance
- attack
- attribute
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/66—Trust-dependent, e.g. using trust scores or trust relationships
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/18—Self-organising networks, e.g. ad-hoc networks or sensor networks
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/70—Reducing energy consumption in communication networks in wireless communication networks
Abstract
The invention discloses a method for detecting abnormal Sybil attack network nodes based on the Mahalanobis distance, and relates to network anomaly detection methods. The method only needs the distance between nodes to detect Sybil attack nodes, which simplifies the calculation and reduces energy consumption. When the density of Sybil nodes or of total nodes increases, the detection rate of the method changes little and remains basically stable, so the algorithm offers a high detection rate, a low false detection rate and stability.
Description
Technical Field
The invention relates to a network anomaly detection method, in particular to a method for detecting abnormal Sybil attack network nodes based on the Mahalanobis distance.
Background
By default, each node in a wireless sensor network has only one legal identity. When a malicious node claims to possess multiple identities while actually having only one, and thereby damages the network in various ways, the attack is called a Sybil attack. Because of this multiple-identity characteristic, a Sybil attack that has broken through the line of defense is hard to detect and identify effectively, which makes it the attack mode that is most difficult to detect.
The harsh deployment environments and wireless channel communication of wireless sensor networks expose them to various network attacks. The most typical is the Sybil attack, which forges multiple identities and sends messages at different power levels to attack the network; because the identities keep changing, the attack behavior is difficult to predict.
Wireless sensor networks are deployed in very harsh open environments, communicate over wireless channels, have limited energy and use relatively simple communication technology, so they face more network attack problems than traditional wireless communication. The common network attack types and their main characteristics are summarized in Table 1.
Table 1: Common network attacks in WSNs
From the common attack modes above, it can be seen that attacks on wireless sensor networks basically take the following forms: 1. depleting node energy; 2. refusing to forward messages; 3. discarding messages, and so on. Among them, the Sybil attack has unique attack characteristics, strong attack force and distinctive destructiveness. Early Sybil attacks endangered multipath routing; as routing protocols have continued to change and develop, Sybil attacks have come to damage various routing protocols such as probabilistic routing and geographic routing. The Sybil attack also uses forged nodes to inflate the number of nodes it controls, which affects data fusion mechanisms and fair resource allocation mechanisms. It can furthermore damage abnormal-behavior detection mechanisms and voting competition mechanisms, so it is highly destructive and its adverse effects are extremely wide.
Disclosure of Invention
The invention aims to provide a method for detecting abnormal Sybil attack network nodes based on the Mahalanobis distance. Theoretical research and simulation results show that the method can identify malicious nodes quickly and accurately and expel them from the network in time, improving the accuracy of data and the security of the network, prolonging the network life cycle and further ensuring network security. A method for detecting abnormal Sybil attack nodes based on the Mahalanobis distance is therefore provided to address this problem.
The object of the invention is achieved by the following technical scheme:
A method for detecting abnormal Sybil attack network nodes based on the Mahalanobis distance, the method comprising the following steps:
1) Trust mechanism judgment method: malicious attacks are modeled using their characteristics and attributes so as to establish a reasonable trust evaluation model; the trust attributes are defined, including energy consumption rate, packet loss rate, message sending frequency and sensor measurement value $M_5$;
2) Malicious node anomaly detection method: the node type is judged, using the Mahalanobis distance discrimination method to identify abnormal Sybil attack nodes in the wireless sensor network;
the covariance matrix Cov is calculated from μ and the sample attribute values, and the Mahalanobis distance of the trust attribute $P'_j(i)$ is calculated as follows:
wherein, is the Mahalanobis distance of trust attribute $P'_j(i)$; j represents the trust attribute class, $j \in \{1,2,3,4,5,6\}$; i is the sampling number of each trust attribute, $i \in \{1,2,\ldots,n_s\}$;
the Mahalanobis distances of all samples are obtained from the above equation, and the maximum Mahalanobis distance is calculated as:
the trust attributes corresponding to all nodes are calculated by calculating the $P_i$ values of all nodes; if a node's Mahalanobis distance is greater than $d_{max}$, the node is suspicious; otherwise, if it is less than or equal to $d_{max}$, the node is normal. By judging the abnormality of the attribute values, it is determined whether a node in the network is a malicious Sybil attack node.
In the Mahalanobis-distance-based method for detecting abnormal Sybil attack network nodes, the energy consumption rate is calculated as follows:
where $M_1$ represents the energy consumption rate, $P_t$ represents the node's remaining energy at time t, and $P_{t+\Delta t}$ represents the node's remaining energy at time (t+Δt).
In the Mahalanobis-distance-based method for detecting abnormal Sybil attack network nodes, the packet loss rate is the ratio of a node's lost packets to its total transmitted data packets when the node communicates.
In the Mahalanobis-distance-based method for detecting abnormal Sybil attack network nodes, the message sending frequency is the number of data packets a node sends per unit time.
In the Mahalanobis-distance-based method for detecting abnormal Sybil attack network nodes, regarding the sensor measurement value $M_5$: when some malicious nodes attack, their behavior is not reflected in network transmission; instead they forge or tamper with the sensor's measured value so that the physical system fails. In that case $M_5$ deviates greatly, whereas $M_5$ is a stable sequence when there is no attack.
The invention has the advantages and effects that:
For Sybil attacks under different conditions, the invention adopts the Mahalanobis distance discrimination method together with a node trust calculation method to identify malicious Sybil attack nodes, and simulations are carried out for both a single Sybil attacker and several colluding Sybil attackers. Compared with the positioning-based Sybil attack detection algorithms proposed in prior research, the method only needs the distance of a node to detect Sybil attack nodes, which simplifies the calculation and reduces energy consumption. When the density of Sybil nodes or of total nodes increases, the detection rate of the method changes little and remains basically stable, so the algorithm offers a high detection rate, a low false detection rate and stability.
Detailed Description
The present invention will be described in detail with reference to examples.
The detection method of the invention comprises the following steps:
1. Trust mechanism judgment method
The method models malicious attacks using their characteristics and attributes so as to establish a reasonable trust evaluation model.
The trust attributes M are defined as follows:
Definition 1: energy consumption rate. The amount of energy a node consumes per unit time, calculated as follows:
where $M_1$ represents the energy consumption rate, $P_t$ represents the node's remaining energy at time t, and $P_{t+\Delta t}$ represents the node's remaining energy at time (t+Δt).
Definition 2: packet loss rate. The ratio of a node's lost packets to its total transmitted data packets when the node communicates. The calculation formula is as follows:
where $M_2$ is the packet loss rate, s is the total number of packets sent by the node to other nodes, and $s_1$ is the number of packets the node lost.
Definition 3: message receiving frequency. The number of packets a node successfully receives per unit time. The calculation formula is as follows:
where $s_r$ represents the number of messages successfully received within time Δt, and $M_3$ is the message receiving frequency.
Definition 4: message sending frequency. The number of packets a node transmits per unit time. The calculation formula is as follows:
where $M_4$ is the message sending frequency, and $s_n$ represents the number of messages successfully sent within the unit time Δt.
Definition 5: sensor measurement $M_5$. When some malicious nodes attack, their behavior is not reflected in network transmission; instead they forge or tamper with the sensor's measured value so that the physical system fails. In that case $M_5$ deviates greatly, whereas $M_5$ is a stable sequence when there is no attack.
2. Among mathematical methods, the most commonly used is distance discrimination. In the first step, sample information is obtained from the data and classified according to different rules; when a new sample point is added, the category of the node is judged according to those rules alone. Common distance discrimination methods include the Mahalanobis distance discrimination method and the Euclidean distance discrimination method. The Euclidean method is the most widely used in daily life; its advantage is ease of use, and its drawback is that it lacks dispersion information, particularly that of the overall distribution. The Mahalanobis distance discrimination method makes up for this drawback: it examines the relations among samples from several different aspects and is well suited to judging the similarity of samples. The following describes how the Mahalanobis distance discrimination method is used to identify abnormal Sybil attack nodes in a wireless sensor network.
Let G be an n-dimensional population with sample mean vector $\mu = (\mu_1, \mu_2, \ldots, \mu_n)^T$ and a covariance matrix; then the Mahalanobis distance between the sample $X = (x_1, x_2, \ldots, x_n)^T$ and the population G is:
With the wireless sensor network known to be secure and its trust attributes normal, the six trust attributes $P_j$ (j = 1, 2, …, 6) of the sample nodes are each sampled $n_s$ times. The corresponding sample attribute set is denoted Q, and $P'_j$ represents the sample value of the trust attribute $P_j$, so that:
the sample mean μ can be calculated as follows:
The covariance matrix Cov can then be calculated from μ and the sample attribute values. As can be seen from the above, the Mahalanobis distance of the trust attribute $P'_j(i)$ is calculated as follows:
wherein, is the Mahalanobis distance of trust attribute $P'_j(i)$; j represents the trust attribute class, $j \in \{1,2,3,4,5,6\}$; i is the sample number within each trust attribute class, $i \in \{1,2,\ldots,n_s\}$.
The Mahalanobis distances of all samples are therefore obtained from the above equation, and the maximum Mahalanobis distance is calculated as:
The $P_i$ values of all nodes are calculated; if a node's Mahalanobis distance is greater than $d_{max}$, the node is suspicious; otherwise, if it is less than or equal to $d_{max}$, the node is normal. By judging the abnormality of the attribute values, the trust attributes corresponding to all nodes can be calculated, so that it can be determined whether a node in the network is a malicious Sybil attack node.
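The detection procedure described above, as an added Python example that is not part of the patent text: a baseline is fitted on samples taken while the network is known to be normal, $d_{max}$ is the largest baseline distance, and an observation is flagged when its distance exceeds it. It uses the five attributes the text defines, the standard Mahalanobis definition, and attribute formulas assumed from the prose definitions of $M_1$ to $M_5$; all function names and sample values are constructed for illustration.

```python
import math
import random

def trust_attributes(p_t, p_t_dt, dt, s, s1, s_r, s_n, m5):
    """Build [M1..M5] from one observation window of length dt, following the
    prose definitions (assumed formulas; the patent's equations are not shown)."""
    return [(p_t - p_t_dt) / dt,   # M1: energy consumed per unit time
            s1 / s,                # M2: lost packets / total packets sent
            s_r / dt,              # M3: packets received per unit time
            s_n / dt,              # M4: packets sent per unit time
            m5]                    # M5: sensor measurement

def mean_vector(samples):
    return [sum(col) / len(samples) for col in zip(*samples)]

def covariance(samples, mu):
    """Unbiased sample covariance matrix of the attribute vectors."""
    k = len(mu)
    cov = [[0.0] * k for _ in range(k)]
    for x in samples:
        d = [xi - mi for xi, mi in zip(x, mu)]
        for a in range(k):
            for b in range(k):
                cov[a][b] += d[a] * d[b] / (len(samples) - 1)
    return cov

def solve(a, b):
    """Solve a*y = b by Gaussian elimination with partial pivoting."""
    k = len(b)
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for c in range(k):
        p = max(range(c, k), key=lambda r: abs(m[r][c]))
        if abs(m[p][c]) < 1e-12:
            raise ValueError("singular covariance: baseline attributes are degenerate")
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, k):
            f = m[r][c] / m[c][c]
            for j in range(c, k + 1):
                m[r][j] -= f * m[c][j]
    y = [0.0] * k
    for r in range(k - 1, -1, -1):
        y[r] = (m[r][k] - sum(m[r][j] * y[j] for j in range(r + 1, k))) / m[r][r]
    return y

def mahalanobis(x, mu, cov):
    """sqrt((x - mu)^T Cov^-1 (x - mu)), without forming the inverse explicitly."""
    d = [xi - mi for xi, mi in zip(x, mu)]
    return math.sqrt(max(0.0, sum(di * yi for di, yi in zip(d, solve(cov, d)))))

class Baseline:
    """Mean, covariance and d_max learned from samples of a known-normal network."""
    def __init__(self, samples):
        self.mu = mean_vector(samples)
        self.cov = covariance(samples, self.mu)
        self.d_max = max(mahalanobis(x, self.mu, self.cov) for x in samples)

    def is_suspicious(self, x):
        return mahalanobis(x, self.mu, self.cov) > self.d_max

def constructed_baseline(n=200, seed=7):
    """Constructed sample data: n normal 10-second windows (not real measurements)."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        s, s1 = rng.randint(90, 110), rng.randint(0, 5)
        rows.append(trust_attributes(100.0, 100.0 - rng.gauss(0.5, 0.05), 10.0,
                                     s, s1, rng.randint(85, 115), s - s1,
                                     rng.gauss(22.0, 0.3)))
    return rows

BASELINE = Baseline(constructed_baseline())
# Constructed observations: a normal node, a node whose energy drain and send rate
# are several times the baseline, and a node with a tampered sensor reading only.
NORMAL = trust_attributes(100.0, 99.5, 10.0, 100, 2, 100, 98, 22.0)
HEAVY_SENDER = trust_attributes(100.0, 97.6, 10.0, 400, 8, 100, 392, 22.1)
TAMPERED_SENSOR = trust_attributes(100.0, 99.5, 10.0, 100, 2, 100, 98, 35.0)

if __name__ == "__main__":
    for name, obs in [("normal", NORMAL), ("heavy sender", HEAVY_SENDER),
                      ("tampered sensor", TAMPERED_SENSOR)]:
        print(name, BASELINE.is_suspicious(obs))
```

Because $d_{max}$ is the largest distance seen in the baseline, a single outlier in the baseline data raises the threshold for every later check, so the baseline has to be collected while the network is known to be normal, as the text requires.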
Claims (1)
1. A method for detecting abnormal Sybil attack network nodes based on the Mahalanobis distance, characterized by comprising the following steps:
1) Trust mechanism judgment method: malicious attacks are modeled using their characteristics and attributes so as to establish a reasonable trust evaluation model; the trust attributes are defined, including energy consumption rate, packet loss rate, message sending frequency and sensor measurement value $M_5$;
The energy consumption rate is the amount of energy a node consumes per unit time, and the calculation formula is as follows:
wherein $M_1$ represents the energy consumption rate, $P_t$ represents the node's remaining energy at time t, and $P_{t+\Delta t}$ represents the node's remaining energy at time (t+Δt);
The packet loss rate is the ratio of a node's lost packets to its total transmitted data packets when the node communicates; the calculation formula is as follows:
wherein $M_2$ is the packet loss rate, s is the total number of data packets sent by the node to other nodes, and $s_1$ is the number of packets the node lost;
the message receiving frequency is the number of data packets a node successfully receives per unit time; the calculation formula is as follows:
wherein $s_r$ represents the number of messages successfully received within time Δt, and $M_3$ is the message receiving frequency;
The message sending frequency is the number of data packets a node sends per unit time; the calculation formula is as follows:
wherein $M_4$ is the message sending frequency, and $s_n$ represents the number of messages successfully sent within the unit time Δt;
regarding the sensor measurement value $M_5$: when some malicious nodes attack, their behavior is not reflected in network transmission; instead they forge or tamper with the sensor's measured value so that the physical system fails; in that case $M_5$ deviates greatly, whereas $M_5$ is a stable sequence when there is no attack;
2) Malicious node anomaly detection method: the node type is judged, using the Mahalanobis distance discrimination method to identify abnormal Sybil attack nodes in the wireless sensor network;
Let G be an n-dimensional population with sample mean vector $\mu = (\mu_1, \mu_2, \ldots, \mu_n)^T$ and a covariance matrix; then the Mahalanobis distance between the sample $X = (x_1, x_2, \ldots, x_n)^T$ and the population G is:
With the wireless sensor network known to be secure and its trust attributes normal, the six trust attributes $P_j$ (j = 1, 2, …, 6) of the sample nodes are each sampled $n_s$ times; the corresponding sample attribute set is denoted Q, and $P'_j$ represents the sample value of the trust attribute $P_j$, so that:
the sample mean μ can be calculated as follows:
then, the covariance matrix Cov is calculated from μ and the sample attribute values, and the Mahalanobis distance of the trust attribute $P'_j(i)$ is calculated as follows:
wherein, is the Mahalanobis distance of trust attribute $P'_j(i)$; j represents the trust attribute class, $j \in \{1,2,3,4,5,6\}$; i is the sampling number of each trust attribute, $i \in \{1,2,\ldots,n_s\}$;
the Mahalanobis distances of all samples are obtained from the above equation, and the maximum Mahalanobis distance is calculated as:
the trust attributes corresponding to all nodes are calculated by calculating the $P_i$ values of all nodes; if a node's Mahalanobis distance is greater than $d_{max}$, the node is suspicious; otherwise, if it is less than or equal to $d_{max}$, the node is normal; by judging the abnormality of the attribute values, it is determined whether a node in the network is a malicious Sybil attack node.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111042930.XA CN113727349B (en) | 2021-09-07 | 2021-09-07 | Method for detecting abnormal network node of Sybil attack based on Mahalanobis distance |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113727349A (en) | 2021-11-30 |
CN113727349B (en) | 2024-04-26 |
Family
ID=78682159
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111042930.XA Active CN113727349B (en) | 2021-09-07 | 2021-09-07 | Method for detecting abnormal network node of Sybil attack based on Mahalanobis distance |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113727349B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20100083681A (en) * | 2009-01-13 | 2010-07-22 | 창신정보통신(주) | Detection device and method for malicious node in wireless sensor network |
CN108040325A (en) * | 2017-12-19 | 2018-05-15 | 电子科技大学 | Sybil node detection method based on RSSI value and reputation |
CN112615716A (en) * | 2019-10-03 | 2021-04-06 | 通用汽车环球科技运作有限责任公司 | Method for detecting misbehavior and Sybil attack of digital key through user filing |
Non-Patent Citations (1)
Title |
---|
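AOA-based Sybil attack detection scheme in heterogeneous wireless sensor networks; 章曙光; 汪乾; 王浩; 钟娟; Journal of University of Science and Technology of China (No. 01); full text * |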
Also Published As
Publication number | Publication date |
---|---|
CN113727349A (en) | 2021-11-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||