WO2020093907A1 - Trust and noise point detection technology-based intrusion detection method for multi-protocol layer - Google Patents


Info

Publication number
WO2020093907A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
layer
trust value
trust
nodes
Prior art date
Application number
PCT/CN2019/113952
Other languages
French (fr)
Chinese (zh)
Inventor
李光辉
许力
Original Assignee
江南大学

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 84/00 Network topologies
    • H04W 84/18 Self-organising networks, e.g. ad-hoc networks or sensor networks

Definitions

  • the invention relates to a multi-protocol layer intrusion detection method based on trust and noise point detection technology, which belongs to the field of wireless sensor network security.
  • WSN: Wireless Sensor Networks
  • nodes may be captured and key information stolen.
  • the purpose of the attacker is to destroy the security attributes of the wireless sensor network, including confidentiality, integrity, availability and identity authentication.
  • the attacker will launch attacks from different protocol layers of the wireless sensor network.
  • In wireless sensor networks, in addition to attacks against a single protocol layer, there are also cross-layer attacks that involve multiple protocol layers. Compared with single-layer attacks, cross-layer attacks can achieve a better attack effect while better hiding the attack behavior or reducing the cost of the attack.
  • the current wireless sensor network (WSN) intrusion detection models still have some unresolved problems. Some models detect attacks based on abnormal network traffic; in fact, not all wireless sensor network attacks cause abnormal network traffic. Other intrusion detection models only target a few typical attack types and cannot cope with other types, or with several types of attack occurring at the same time. For cross-layer attacks, the existing wireless sensor network intrusion detection models only consider the change of the trust value of each layer separately and set a detection threshold per layer. Such a model ignores the connection between protocol layers, whereas attack behaviors on a wireless sensor network are usually interrelated and transform into one another; as a result, the existing models show high false positive and false negative rates when facing cross-layer attacks.
  • the technical problem to be solved by the present invention is to provide a multi-protocol layer intrusion detection method based on trust and noise point detection technology, which can effectively detect the attack types of different protocol layers and is suitable both for wireless sensor networks with a layered structure and for wireless sensor networks with a planar structure.
  • the present invention provides a multi-protocol layer intrusion detection method based on trust and noise point detection technology, including:
  • the trust value of each sensor node at each layer is obtained by calculating the relative deviation value of key parameters of each sensor node in the wireless sensor network at the physical layer, MAC layer, and network layer respectively;
  • the calculation of the relative deviation value of the key parameters of each sensor node in the wireless sensor network at the physical layer, MAC layer, and network layer to obtain the trust value of each sensor node at each layer includes:
  • the idle time and retransmission rate of each sensor node are obtained; the relative deviation of each sensor node's idle time and retransmission rate from those of its neighbor nodes is used to obtain the MAC-layer trust value.
  • the trust value of the network layer is calculated according to the packet forwarding rate of each sensor node and the relative deviation between the number of hops from the node to the cluster head node and neighbor nodes.
  • the data noise point detection technique is applied to the key parameters to obtain a noise point list of the sensor nodes in the wireless sensor network, including:
  • the cluster head node or base station uses the obtained trust values to give different weights to the parameters of each node, feeds them into the detection algorithm and obtains the detection result;
  • the punishment mechanism is used to determine the punishment strength to obtain the global trust value of each sensor node.
  • Nodes whose trust value is lower than the threshold are listed as malicious nodes.
  • a computer device includes a memory, a processor, and a computer program stored on the memory and executable on the processor. When the processor executes the program, any of the steps of the method is implemented.
  • a computer-readable storage medium having stored thereon a computer program which when executed by a processor implements any of the steps of the method.
  • a processor for running a program wherein the method according to any one of the items is executed when the program is running.
  • This application uses the relative deviation of parameters of multiple protocol layers as a trust metric, uses a weighting method to establish a trust system model, and establishes a punishment mechanism through data noise point detection technology; the monitoring node observes the key parameters of the monitored node at the physical layer, MAC layer and network layer, and calculates the relative deviation of these key parameters. Based on the relative deviation of the parameters, the monitoring node aggregates the trust value across the different protocol layers to evaluate the credibility of the monitored node, and sends the credibility and key parameters to the cluster head (CH) or base station (BS). The cluster head and the base station can calculate the aggregated trust value of a node from the evaluated trust values of multiple monitoring nodes.
  • CH: cluster head
  • BS: base station
  • the cluster head or the base station periodically uses the noise detection technique to identify abnormal key parameters, and punishes the nodes whose key parameter data are abnormal by reducing their trust value. If the trust value of a node is less than the threshold, the node is regarded as an abnormal node; since the trust value is determined by the key parameters of different protocol layers, the method can effectively detect the attack types of different protocol layers.
  • FIG. 1 is a schematic diagram of a layered structure wireless sensor network in a multi-protocol layer intrusion detection method based on trust and noise point detection technology.
  • Figure 2 is a graph of the best false positive rate and false negative rate under various attacks obtained in the experiment.
  • Figure 3 is a comparison diagram of the detection rates of the multi-protocol layer intrusion detection method based on trust and noise point detection technology and the NBBTE scheme.
  • Figure 4 is a comparison diagram of the detection rates of the multi-protocol layer intrusion detection method based on trust and noise point detection technology and the PLTB scheme.
  • Fig. 5 is a comparison chart of the false alarm rate between the multi-protocol intrusion detection method based on trust and noise point detection technology and the NBBTE scheme.
  • Fig. 6 is a comparison chart of the false alarm rate of the multi-protocol layer intrusion detection method based on trust and noise point detection technology and the PLTB scheme.
  • FIG. 7 is a comparison chart of the underreporting rate of the multi-protocol intrusion detection method based on trust and noise point detection technology and the NBBTE scheme.
  • FIG. 8 is a comparison chart of the underreporting rate of the multi-protocol layer intrusion detection method based on trust and noise point detection technology and the PLTB scheme.
  • This embodiment provides a multi-protocol layer intrusion detection method based on trust and noise point detection technology (Trust-based Multi-Protocol-layer Noise Intrusion Detection, T-MPNID).
  • the multi-protocol layer intrusion detection model corresponding to this method uses the relative deviation of the key parameters of multiple protocol layers as a trust metric.
  • the weighted method is used to establish a trust system model, and a penalty mechanism is established through data noise point detection technology.
  • the monitoring node observes the key parameters of the monitored node at the physical layer, MAC layer and network layer, and calculates the relative deviation of these key parameters. According to the relative deviation of the parameters, the monitoring node aggregates a trust value across the different protocol layers to evaluate the credibility of the monitored node, and sends the credibility and key parameters to the cluster head (CH) or base station (BS).
  • the cluster head and the base station can calculate the aggregated trust value of a node from the evaluated trust values of multiple monitoring nodes. At the same time, the cluster head or the base station periodically uses the noise detection technique to identify abnormal key parameters, and punishes the nodes whose key parameter data are abnormal by reducing their trust value. If the global trust value of a node is less than the threshold, the node is regarded as an abnormal node.
  • the trust value is determined by the key parameters of different protocol layers, therefore, our model can effectively detect the attack types of different protocol layers. Moreover, our model can be suitable for both layered wireless sensor networks and planar structure wireless sensor networks.
  • the multi-protocol layer intrusion detection method based on trust and noise point detection technology proposed in this application includes the following steps:
  • Step 1 Build a wireless sensor network
  • the invention is used for multi-protocol layer and cross-layer intrusion detection.
  • FIG. 1 is a layered structure wireless sensor network, that is, a cluster structure.
  • each cluster consists of many sensor nodes (SNs), including one cluster head node.
  • the nodes in the cluster can communicate with the cluster head nodes directly or through other nodes in the cluster.
  • the cluster head node can directly or through other cluster head nodes send the information collected in the cluster to the base station.
  • all nodes within the communication range of a node are its neighbor nodes; each node and its neighbor nodes monitor each other, so every node is also a monitoring node.
  • the intrusion detection method proposed in this application is mainly aimed at the physical, MAC and network layers.
  • Step 2 Obtain the trust value of each sensor node at each layer according to the relative deviation value of key parameters of each sensor node at the physical layer, MAC layer, and network layer.
  • Step 21 In the physical layer, the energy loss of each sensor node is used as a key parameter to obtain the trust value of each sensor node.
  • the energy loss value of each sensor node cannot be obtained directly, but it is related to the total number of packets sent, received, and forwarded, so the relative deviation value of the energy loss of each sensor node is taken to be the relative deviation value of the sum of the numbers of packets the sensor node sent, received, and forwarded.
  • the relative deviation value of the energy loss is determined according to the relative deviation value of the sum of the numbers of packets sent, received, and forwarded by each sensor node, and then the relative deviation between the energy loss of each sensor node and the energy loss of its neighbor nodes is used to obtain the trust value of each sensor node in the physical layer, as follows:
  • the monitoring node i can obtain the total number of packets sent, received, and forwarded by its neighbor node j in the Δt time period, TC_j(t), and from the change of TC_j(t) over the Δt time period obtains the relative deviation value of the energy consumption of node j, Erd(t):
  • TC_j(t) = S_pack_j(t) + R_pack_j(t) + F_pack_j(t)   (1)
  • S_pack_j(t), R_pack_j(t), and F_pack_j(t) respectively represent the total number of packets sent, received, and forwarded by node j at time t.
  • ΔTC_j(t) = TC_j(t) - TC_j(t - Δt)
  • ΔTC_j(t) is the energy loss of node j in the Δt time period.
  • ΔTC_i(t) is the energy loss of node i in the Δt time period.
  • n represents the number of neighbor nodes of node i.
  • In equation (3), if the relative deviation between the energy consumption of the node and the average energy consumption of its neighbor nodes is greater than 1, the node's energy consumption is far above or below the neighbor average. In that case the node may be a malicious node, and its trust value is reduced to 0.
  • Step 22 From the node's random backoff window mechanism and its number of packet retransmissions, the idle time and the retransmission rate of the node can be obtained.
  • the trust value of the MAC layer is obtained by using the relative deviation between the node idle time and the retransmission rate and the neighbor nodes. That is, at the MAC layer, the idle time and retransmission rate of each sensor node are used as key parameters to obtain the trust value of each sensor node.
  • the interval between two consecutive successful transmissions of a node is defined as idle time.
  • the attacker reduces the waiting time by reducing the random backoff time and the time interval between two transmissions. Therefore, the idle time of the malicious node will be less than the idle time of the non-malicious node.
  • the malicious node scrambles the frame to obtain priority in channel access. Because malicious nodes have higher priority for channel access, the retransmission rate of malicious nodes will be lower than that of non-malicious nodes. Taking idle time and retransmission rate as the trust metrics of the MAC layer, node i's evaluation of the trust value of node j is:
  • where the quantities are: the moment at which node j starts to receive the x-th RTS packet; the start time of the last packet transmission of node j; f_ACK, the duration of an acknowledgment frame (ACK); f_SIFS, the duration of a short inter-frame spacing (Short Inter-frame Spacing, SIFS); the duration of node j's data transmission; f_DIFS, the duration of the node's long inter-frame spacing (Distributed Inter-frame Spacing, DIFS); and bt, the random backoff time (back-off time) of node j.
  • K_j = {k_1, k_2, k_4, ..., k_b}.
  • From the relative deviation value of the idle time over the m data transmissions of the node, the trust (confidence) value of the parameter idle time can be obtained.
  • the monitoring node or cluster head can detect whether it is a retransmission by observing the repeated sequence number in the frame header.
  • the node retransmission rate can be obtained from the number of retransmissions. The smaller the retransmission rate, the more likely the node is behaving maliciously. Therefore, within the time period Δt, the retransmission rate of the monitored node j can be obtained as:
  • rs_ij(t) represents the number of retransmissions of node j in the period Δt.
  • S_pack_j(t) represents the number of packets sent by node j in the Δt time period.
  • rs_rate_ik(t) represents the retransmission rate of node k in the Δt time period, where k is one of the neighbor nodes of node i, and n represents the number of neighbor nodes of node i.
  • From equation (13), the average retransmission rate of the neighbor nodes of the monitored node j can be obtained, and the relative deviation of the retransmission rate can then be calculated.
  • Step 23 Calculate the trust value of the network layer based on the packet forwarding rate of the node and the relative deviation value of the node-to-cluster head hop count from the neighbor node.
  • the calculation of the trust value of the network layer takes the hop count from the node to the cluster head and the packet forwarding rate as trust metrics. That is, at the network layer, the hop count of each sensor node to the cluster head and its packet forwarding rate are used as key parameters to obtain the trust value of each sensor node, including:
  • the weight values q_1 and q_2 are determined according to the actual situation of the network deployment.
  • the monitoring node uses the relative deviation of the hop count of the monitored node and its neighbors as the trusted value.
  • n is the number of neighbor nodes of node i.
  • k is one of the neighbor nodes of the monitored node. From the average hop count of the neighbor nodes, the relative deviation between the hop count of the monitored node j and the average hop count of its neighbor nodes can be calculated, and from this the trust value of the monitored node j can be obtained.
  • hop_count_j represents the number of hops from node j to the cluster head. When the hop count of the monitored node is less than the average hop count of its neighbor nodes, the trust value drops.
  • the monitoring node i can obtain the packet forwarding rate of the monitored node j, and from it obtain the forwarding-rate trust value.
  • FP_j(t) represents the number of packets that node j successfully forwarded.
  • RFP_j(t) represents the number of packets that surrounding nodes asked node j to forward. It can be seen from equation (14) that if node j does not forward successfully, its trust value decreases accordingly.
  • Step 3 According to the obtained trust values of each sensor node in the physical layer, MAC layer, and network layer, fusion is performed to obtain the total trust value.
  • the trust value of node j to node i is obtained according to the relative deviation value of the parameters of each protocol layer of the node.
  • the total trust value formula is
  • is set according to actual needs.
  • w_1 ∈ [0,1], w_2 ∈ [0,1], and w_3 ∈ [0,1] represent the weights of the trust values of the physical layer, MAC layer, and network layer, where w_1 + w_2 + w_3 = 1.
  • T_ij(t) is the fused trust value of the current node j.
  • n represents the number of neighboring nodes related to node j.
  • the calculation of the trust value of the cluster head is the same as that of the nodes in the cluster.
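The following is an added worked example, not code from the patent or its authors, of steps 2 and 3 as one monitoring node would run them: per-layer trust values from relative deviations, then the weighted fusion with w_1 + w_2 + w_3 = 1. The page gives equation (1), the energy-loss difference ΔTC_j(t) and the rule "relative deviation greater than 1 gives trust 0", but not the per-layer formulas themselves, so two things are assumed: relative deviation = |x - neighbor average| / neighbor average, and trust = 1 - relative deviation clipped to [0, 1]. The even split of the two MAC metrics, the weights q_1, q_2, w_1..w_3 and every packet counter are constructed values.

```python
"""Per-layer trust values from relative deviations, then weighted fusion.

Added illustration, not the patent's code. Assumed, because the page does not
show them: relative deviation = |x - mean(neighbours)| / mean(neighbours) and
trust = 1 - relative deviation, clipped to [0, 1]. The weights and all
sample counters below are constructed values.
"""
from dataclasses import dataclass
from statistics import mean


def relative_deviation(value: float, neighbour_values: list[float]) -> float:
    """Assumed form: |value - mean(neighbours)| / mean(neighbours)."""
    avg = mean(neighbour_values)
    if avg == 0:
        return 0.0 if value == 0 else 1.0
    return abs(value - avg) / avg


def deviation_to_trust(rd: float) -> float:
    """Assumed mapping: deviation 0 is full trust, deviation 1 or more is none."""
    return max(0.0, 1.0 - rd)


@dataclass
class PacketCounts:
    """S_pack, R_pack, F_pack of a node at one sampling instant."""
    sent: int
    received: int
    forwarded: int

    def total(self) -> int:
        """TC_j(t) = S_pack_j(t) + R_pack_j(t) + F_pack_j(t), equation (1)."""
        return self.sent + self.received + self.forwarded


def energy_loss(now: PacketCounts, before: PacketCounts) -> int:
    """Delta TC_j(t) = TC_j(t) - TC_j(t - Delta t), the page's energy-loss proxy."""
    return now.total() - before.total()


def physical_trust(node_loss: float, neighbour_losses: list[float]) -> float:
    """Physical layer: a deviation above 1 drops the trust value to 0 (page rule)."""
    rd = relative_deviation(node_loss, neighbour_losses)
    return 0.0 if rd > 1 else deviation_to_trust(rd)


def mac_trust(idle, neighbour_idle, retrans, sent, neighbour_rates):
    """MAC layer: idle time and retransmission rate rs / S_pack, each compared
    with the neighbour average; the two metrics are averaged (assumption)."""
    idle_t = deviation_to_trust(relative_deviation(idle, neighbour_idle))
    rate = retrans / sent if sent else 0.0
    rate_t = deviation_to_trust(relative_deviation(rate, neighbour_rates))
    return 0.5 * idle_t + 0.5 * rate_t


def network_trust(hop_count, neighbour_hops, fp, rfp, q1=0.5, q2=0.5):
    """Network layer: hop count vs neighbours and forwarding rate FP / RFP,
    weighted by q_1, q_2. Trust drops only when the hop count is below the
    neighbour average (page), i.e. the node claims to be closer to the CH."""
    if hop_count < mean(neighbour_hops):
        hop_t = deviation_to_trust(relative_deviation(hop_count, neighbour_hops))
    else:
        hop_t = 1.0
    fwd_t = fp / rfp if rfp else 1.0
    return q1 * hop_t + q2 * fwd_t


def fused_trust(t_phy, t_mac, t_net, w=(0.4, 0.3, 0.3)):
    """Step 3: weighted fusion T_ij(t) with w_1 + w_2 + w_3 = 1."""
    if abs(sum(w) - 1.0) > 1e-9:
        raise ValueError("layer weights must sum to 1")
    return w[0] * t_phy + w[1] * t_mac + w[2] * t_net


def evaluate_example() -> dict[str, float]:
    """Constructed observations of a well-behaved node and of a suspicious one
    (excess energy use, short idle time, few retransmissions, one hop claimed,
    poor forwarding), as seen by a single monitoring node with four neighbours."""
    neighbour_losses = [28, 32, 30, 30]
    neighbour_idle = [9.0, 11.0, 10.0, 10.0]
    neighbour_rates = [0.10, 0.12, 0.08, 0.10]
    neighbour_hops = [3, 3, 3, 3]

    normal = fused_trust(
        physical_trust(energy_loss(PacketCounts(50, 60, 40), PacketCounts(40, 50, 30)), neighbour_losses),
        mac_trust(10.0, neighbour_idle, 5, 50, neighbour_rates),
        network_trust(3, neighbour_hops, fp=40, rfp=40),
    )
    suspicious = fused_trust(
        physical_trust(energy_loss(PacketCounts(100, 60, 5), PacketCounts(30, 40, 20)), neighbour_losses),
        mac_trust(4.0, neighbour_idle, 2, 100, neighbour_rates),
        network_trust(1, neighbour_hops, fp=5, rfp=40),
    )
    return {"normal": normal, "suspicious": suspicious}


if __name__ == "__main__":
    for name, value in evaluate_example().items():
        print(f"{name}: fused trust {value:.3f}")
```

The suspicious node scores 0 at the physical layer alone (its energy loss deviates by 1.5 from the neighbor average), so the fused value of roughly 0.16 is dominated by the remaining MAC and network terms; with a single monitoring node this is the T_ij(t) that would be reported to the cluster head for aggregation.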
  • Step 4 Apply the data noise point detection technique to the collected parameter data to find the nodes with abnormal parameters and obtain the noise point list of the sensor nodes.
  • Step 41 Use the parameters of each protocol layer as data and send them to the cluster head or base station.
  • the cluster head or base station uses the trust values obtained in step 2 to give different weights to the parameters of each node, feeds them into the algorithm and obtains the detection result.
  • the average size of the backoff window (CW) in the Δt time period is used as a key parameter for noise point detection.
  • the node packet forwarding rate and the number of hops to the cluster head are used as key parameters for noise point detection, because when a large number of malicious nodes appear among the neighbor nodes, the relative deviation value computed from the neighbor nodes shows a serious error. Using the above two parameters as key parameters can reduce the error of the detection process.
  • the cluster head or base station uses the trust value obtained in step S1 as the credibility weight of the data, and uses the DBSCAN (Density-Based Spatial Clustering of Applications with Noise) algorithm for noise point detection.
  • for the DBSCAN algorithm, refer to "Ester M, et al. A Density-Based Algorithm for Discovering Clusters in Large Spatial Databases with Noise [C] // Proceedings of the Second International Conference on Knowledge Discovery and Data Mining (KDD). AAAI Press, 1996."
  • Step 42 Generate a list of sensor noise points from the obtained detection results and send them to each node.
  • the cluster head punishes the nodes in the noise sensor list generated by the data noise point detection of each cycle by reducing their trust value, and forwards the punished trust values of the nodes in the cluster to each node in the cluster.
  • Step 5 Use the punishment mechanism to determine the punishment strength and obtain the trust value of the final node. Nodes whose trust value is lower than the threshold are classified as malicious nodes.
  • Step 51 Use the fused trust value of the protocol layers to weight the penalty strength of the node: the higher the trust value, the greater the penalty strength. Penalizing the trust value of the node gives the final global trust value of the node.
  • the punishment degree of the present invention is different according to different protocol layers.
  • the global trust value after punishment is expressed as:
  • C_MAC and C_NET respectively represent the penalty factor in the case of an attack in the MAC layer and in the network layer; the value of each penalty factor is determined after multiple experiments.
  • the two penalty-factor weights, each in [0,1], are the weight values of the penalty factors at the MAC layer and the network layer respectively.
  • the present invention sets these two weight values to the currently calculated trust value of the node: when a node with a higher trust value is detected as a noise point sensor node, the node may have been maliciously attacked without being detected, so the node is punished more; conversely, the lower the node's trust value, the less the node is punished.
  • Step 52 Use the false positive rate and the false negative rate to obtain the best detection threshold, and compare the node trust value with the threshold. If it is less than the threshold, it is a malicious node.
  • FPR: false positive rate
  • FNR: false negative rate
  • False positives refer to nodes detected as malicious that are actually normal nodes.
  • False negatives (missed reports) refer to nodes detected as normal that are actually malicious nodes.
  • the false positive rate and the false negative rate under different detection thresholds are simulated for the four attack types. As shown in FIG. 2, when the threshold S is 0.885, the false positive rate and the false negative rate of all four types of attacks are both less than 0.07, so this application sets the optimal detection threshold to 0.885.
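Steps 4 and 5 as an added worked example, not code from the patent or its authors: a minimal DBSCAN (after Ester et al. 1996, written here rather than imported so the example runs offline) is run over the MAC-layer key parameter (average backoff window CW) and over the network-layer key parameters (forwarding rate and hop count) of the nodes in one cluster, the resulting noise points are penalized, and the global trust value is compared with the page's threshold of 0.885. Three things are assumptions, because the page states the idea but not the formula: the trust value enters DBSCAN as a per-point weight when a neighborhood's density is counted; the penalty weights for the MAC and network layers equal the node's current trust value, as the page states, and the penalized global trust is T minus T times (C_MAC for a MAC-layer noise point plus C_NET for a network-layer noise point); and C_MAC = C_NET = 0.3, the DBSCAN radii, the minimum weighted density and the eight node records are constructed values.

```python
"""Trust-weighted DBSCAN noise point detection and the penalty step.

Added illustration, not the patent's code. Assumed (see comments): how the
trust weight enters DBSCAN, the shape of the penalized global trust, and
all numeric parameters except the page's threshold of 0.885.
"""
import math
from dataclasses import dataclass

THRESHOLD = 0.885  # optimal detection threshold S stated on the page


@dataclass
class NodeReport:
    name: str
    trust: float     # fused trust value T_ij(t) from step 3
    cw_avg: float    # average backoff window (slots) over Delta t
    fwd_rate: float  # FP_j / RFP_j
    hops: int        # hop count to the cluster head


def dbscan(points, weights, eps, min_weight):
    """Minimal DBSCAN with trust-weighted density (assumption: each neighbour
    counts with its trust value, so low-trust reporters cannot make a point
    look 'core'). Returns one label per point: -1 = noise, else cluster id."""
    def dist(a, b):
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

    def region(i):
        return [j for j in range(len(points)) if dist(points[i], points[j]) <= eps]

    def is_core(nb):
        return sum(weights[j] for j in nb) >= min_weight

    labels = [None] * len(points)
    cluster = 0
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        nb = region(i)
        if not is_core(nb):
            labels[i] = -1  # provisional noise; may become a border point later
            continue
        cluster += 1
        labels[i] = cluster
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
                continue
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb_j = region(j)
            if is_core(nb_j):
                queue.extend(k for k in nb_j if labels[k] in (None, -1))
    return labels


def noise_names(nodes, features, eps, min_weight):
    """Names of the nodes DBSCAN marks as noise for the given feature view."""
    labels = dbscan([features(n) for n in nodes], [n.trust for n in nodes], eps, min_weight)
    return sorted(n.name for n, lab in zip(nodes, labels) if lab == -1)


def penalize(trust, mac_noise, net_noise, c_mac=0.3, c_net=0.3):
    """Step 51 (assumed form): alpha_1 = alpha_2 = trust, so a node that was
    trusted highly and still shows up as noise loses the most."""
    alpha = trust
    penalty = alpha * (c_mac * mac_noise + c_net * net_noise)
    return max(0.0, trust - penalty)


def detect(nodes, cw_eps=4.0, net_eps=0.25, min_weight=2.0):
    """Steps 4 and 5 for one cluster; returns global trust, noise lists, malicious list."""
    mac_noise = noise_names(nodes, lambda n: (n.cw_avg,), cw_eps, min_weight)
    # hop count scaled to the forwarding-rate range so both features matter (assumption)
    net_noise = noise_names(nodes, lambda n: (n.fwd_rate, n.hops / 5.0), net_eps, min_weight)
    global_trust = {n.name: penalize(n.trust, n.name in mac_noise, n.name in net_noise) for n in nodes}
    malicious = [name for name, t in global_trust.items() if t < THRESHOLD]
    return global_trust, mac_noise, net_noise, malicious


# Constructed cluster: six well-behaved nodes, one node with a collapsed backoff
# window (MAC-layer anomaly) and one that claims one hop to the CH but forwards
# little (network-layer anomaly). Trust values are the step-3 results.
EXAMPLE_CLUSTER = [
    NodeReport("n1", 0.98, 31, 0.95, 3), NodeReport("n2", 0.97, 33, 0.93, 3),
    NodeReport("n3", 0.96, 30, 0.96, 2), NodeReport("n4", 0.99, 32, 0.94, 3),
    NodeReport("n5", 0.95, 29, 0.92, 4), NodeReport("n6", 0.97, 34, 0.95, 3),
    NodeReport("n7", 0.93, 8, 0.94, 3),  NodeReport("n8", 0.90, 31, 0.40, 1),
]


def detect_example():
    return detect(EXAMPLE_CLUSTER)


if __name__ == "__main__":
    trust, mac, net, bad = detect_example()
    print("MAC noise:", mac, "network noise:", net, "malicious:", bad)
```

Running the noise detection per layer is what lets the cluster head apply C_MAC or C_NET selectively, which is the point of having two penalty factors; with the constructed parameters n7 and n8 fall to 0.651 and 0.63 and are the only nodes below 0.885.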
  • the two latest algorithms are the NBBTE scheme and the PLTB scheme.
  • for the NBBTE scheme, refer to "FENG R, XU X, XIANG Z, et al. A Trust Evaluation Algorithm for Wireless Sensor Networks Based on Node Behaviors and D-S Evidence Theory [J]. Sensors, 2011, 11(2): 1345-1360."
  • FIG. 3 is a comparison diagram of the detection rate of the T-MPNID method and the NBBTE method proposed in this application.
  • the detection rate of the T-MPNID method is better than the NBBTE method under the four attacks.
  • the NBBTE method only focuses on the node behavior of the network layer, so the detection rate at the MAC layer is zero.
  • the detection rate of the method proposed in this application in cross-layer attacks, slot attacks, and selective forwarding attacks is increased by 22%, 10%, and 3%, respectively, compared to the NBBTE method.
  • the detection rate of the T-MPNID method is compared with the PLTB method. As the number of malicious nodes increases, the detection rate of both methods keeps declining. When the proportion of malicious nodes is less than 10%, the detection rates of the four attacks in the T-MPNID method stay above 0.97. When the proportion of malicious nodes is greater than 10%, the detection rate for back-off attacks and cross-layer attacks drops far less than that of PLTB. When the proportion of malicious nodes is 30%, the detection rate of the T-MPNID method is improved by 0.33, 0.25, 0.08 and 0.03 for back-off attacks, cross-layer attacks, slot attacks and selective forwarding attacks, respectively.
  • Figure 5 is a comparison chart of the false alarm rate of the T-MPNID method and the NBBTE method. As the number of malicious nodes increases, the false alarm rate shows an upward trend. Since the NBBTE method does not consider back-off attacks, no analysis of back-off attacks is performed. In slot attacks, cross-layer attacks and selective forwarding attacks, the false alarm rate of the T-MPNID method is lower than that of the NBBTE method. When the proportion of malicious nodes is 30%, the false alarm rate of the T-MPNID method is reduced by 50% and 40% in cross-layer attacks and slot attacks, respectively, compared to the NBBTE method.
  • Figure 6 is a comparison diagram of the false alarm rate of the T-MPNID method and the PLTB method.
  • When the proportion of malicious nodes exceeds 20%, the false alarm rate of the T-MPNID method in slot attacks and cross-layer attacks is 5%-8% lower than that of the PLTB method. In both methods, the false positive rate for selective forwarding attacks is stable at 0.02.
  • the false alarm rate of the four attacks in the T-MPNID method is lower than that of the NBBTE method.
  • When the proportion of malicious nodes is 20%, the underreporting rates of the T-MPNID method for slot attacks, selective forwarding attacks, and cross-layer attacks are reduced by 54%, 51.8%, and 53.1%, respectively, compared with the NBBTE method.
  • When the proportion of malicious nodes is 30%, the underreporting rates of the T-MPNID method for slot attacks, selective forwarding attacks, and cross-layer attacks are reduced by 20.6%, 22.3%, and 15.8%, respectively, compared with the NBBTE method.
  • Compared with the PLTB method, the underreporting rate of the T-MPNID method for the four attack types (back-off attacks, slot attacks, cross-layer attacks, and selective forwarding attacks) decreased by 9%, 5%, 3% and 1% on average, respectively.
  • this application uses the relative deviation of parameters of multiple protocol layers as a trust metric, uses a weighting method to establish a trust system model, and establishes a penalty mechanism through data noise point detection technology; the monitoring node observes the key parameters of the monitored node at the physical layer, MAC layer and network layer, and calculates the relative deviations of these key parameters. Based on the relative deviations of the parameters, the monitoring node aggregates the trust values across the different protocol layers to evaluate the credibility of the monitored node, and sends the credibility and key parameters to the cluster head (CH) or base station (BS). The cluster head and the base station can calculate the aggregated trust value of a node from the evaluated trust values of multiple monitoring nodes.
  • Some steps in the embodiments of the present invention may be implemented by software, and the corresponding software program may be stored in a readable storage medium, such as an optical disk or a hard disk.


Abstract

Disclosed is a trust and noise point detection technology-based intrusion detection method for a multi-protocol layer, belonging to the field of wireless sensor network security. Said method comprises: using a weighted method to establish trust values of various protocol layers for relative deviation values of a plurality of key parameters in a physical layer, an MAC layer and a network layer, and fusing same to obtain a fused trust value. When malicious nodes are aggregated together, it is difficult to perform detection by means of the relative deviation values, and a data noise point detection technology is introduced. Key parameters of the protocol layers of nodes inside a cluster are detected, a penalty is imposed on nodes with abnormal parameter data, and the abnormal key parameters are regarded as noise points. The key parameters of the protocol layers provide data for data noise point detection, and the trust values provide trustworthy weights for noise point detection and a node penalty degree in a penalty mechanism. The present invention uses the penalty mechanism to reduce the trust values, and feeds back the trust values of nodes, effectively detecting the attack types to different protocol layers.

Description

基于信任及噪声点检测技术的多协议层的入侵检测方法Multi-protocol layer intrusion detection method based on trust and noise point detection technology 技术领域Technical field
本发明涉及基于信任及噪声点检测技术的多协议层的入侵检测方法,属于无线传感网络安全领域。The invention relates to a multi-protocol layer intrusion detection method based on trust and noise point detection technology, which belongs to the field of wireless sensor network security.
背景技术Background technique
无线传感网络(Wireless Sensor Networks,WSN)中,由于传感器节点部署和无线通信的开放性,无线传感网络面临着严重的安全问题。在某些无线传感网的部署中,节点可能会被捕获,关键信息被窃取。攻击者的目的是破坏无线传感网络的安全属性,包括机密性、完整性、可用性和身份认证。为了实现这些攻击目标,攻击者会从无线传感网的不同协议层发动攻击。在无线传感网络中,除了针对单个协议层的攻击外,还存在与多协议层相关的跨层攻击。与单层相比,跨层攻击可以获得更好的攻击效果,同时更好的隐藏攻击行为或者降低攻击的代价。In wireless sensor networks (Wireless Sensor Networks, WSN), due to the openness of sensor node deployment and wireless communication, wireless sensor networks face serious security problems. In the deployment of some wireless sensor networks, nodes may be captured and key information stolen. The purpose of the attacker is to destroy the security attributes of the wireless sensor network, including confidentiality, integrity, availability and identity authentication. In order to achieve these attack targets, the attacker will launch attacks from different protocol layers of the wireless sensor network. In wireless sensor networks, in addition to attacks against a single protocol layer, there are also cross-layer attacks related to multiple protocol layers. Compared with single-layer, cross-layer attacks can obtain better attack effects, and at the same time better hide the attack behavior or reduce the cost of the attack.
The prior art has the following technical problems:
Current wireless sensor network (WSN) intrusion detection models still have unresolved problems. Some models detect attacks from anomalies in network traffic, yet not every attack on a wireless sensor network causes abnormal traffic. Other intrusion detection models target only a few typical attack types and cope poorly with other types, or with several different types of attack occurring at the same time. For cross-layer attacks, existing WSN intrusion detection models consider the trust value change of each layer in isolation and set a detection threshold per layer; this ignores the relationships between protocol layers, whereas attack behaviours on a wireless sensor network are usually interrelated and transform into one another. As a result, existing WSN intrusion detection models show high false positive and false negative rates against cross-layer attacks.
Summary of the invention
The technical problem to be solved by the present invention is to provide a multi-protocol layer intrusion detection method based on trust and noise point detection technology that can effectively detect attack types at different protocol layers and is suitable both for wireless sensor networks with a hierarchical (clustered) structure and for those with a flat structure.
To solve the above technical problem, the present invention provides a multi-protocol layer intrusion detection method based on trust and noise point detection technology, comprising:
building a wireless sensor network;
obtaining the trust value of each sensor node at each layer by computing the relative deviation values of the key parameters of each sensor node in the wireless sensor network at the physical layer, the MAC layer and the network layer respectively;
fusing the obtained physical-layer, MAC-layer and network-layer trust values of each sensor node to obtain the total trust value of each sensor node;
feeding the key parameters into data noise point detection to obtain a noise point list of the sensor nodes in the wireless sensor network;
using a penalty mechanism to determine the penalty strength and obtain the global trust value of each sensor node; nodes whose global trust value is below the threshold are classified as malicious nodes.
Optionally, obtaining the trust value of each sensor node at each layer by computing the relative deviation values of the key parameters at the physical layer, the MAC layer and the network layer comprises:
measuring energy consumption by the number of packets sent, received and forwarded by each sensor node, and using the relative deviation value of the energy consumption to obtain the physical-layer trust value;
obtaining the idle time and retransmission rate of each sensor node from the random backoff window mechanism of the node and the number of packet retransmissions, and using the relative deviation of each node's idle time and retransmission rate from those of its neighbour nodes to obtain the MAC-layer trust value;
computing the network-layer trust value from the packet forwarding rate of each sensor node and the relative deviation of the node's hop count to the cluster head node from that of its neighbour nodes.
Optionally, feeding the key parameters into data noise point detection to obtain a noise point list of the sensor nodes in the wireless sensor network comprises:
sending the parameters of each protocol layer, as data, to the cluster head node or the base station;
the cluster head node or base station assigning different weights to the parameters of each node according to the obtained trust values, and feeding the received parameters into the algorithm to obtain a detection result;
generating a sensor noise point list from the detection result and sending it to each sensor node.
Optionally, using the penalty mechanism to determine the penalty strength, obtaining the global trust value of each sensor node and classifying nodes whose trust value is below the threshold as malicious nodes comprises:
weighting the penalty strength applied to a node by the fused trust value of the protocol layers, such that the higher the trust value, the greater the penalty strength;
penalising the trust value of each sensor node to obtain the global trust value of each sensor node;
determining the optimal detection threshold from the false positive rate and false negative rate obtained experimentally, and comparing the node trust value with the detection threshold; a node whose trust value is below the detection threshold is a malicious node.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of any of the methods described above.
A computer-readable storage medium on which a computer program is stored, the program implementing the steps of any of the methods described above when executed by a processor.
A processor for running a program, wherein the program, when run, executes any of the methods described above.
Beneficial effects of the invention:
The present application takes the relative deviations of the parameters of multiple protocol layers as the trust metric, builds a trust system model with a weighting method, and establishes a penalty mechanism through data noise point detection technology. A monitoring node observes the key parameters of a monitored node at the physical layer, the MAC layer and the network layer and computes the relative deviations of these key parameters; from these relative deviations the monitoring node aggregates the trust values of the different protocol layers to assess the trustworthiness of the monitored node, and sends the trustworthiness and the key parameters to the cluster head (CH) or base station (BS). The cluster head or base station computes the aggregated trust value of a node from the trust assessments of multiple monitoring nodes; at the same time it periodically applies noise detection technology to find abnormal key parameters and penalises nodes with abnormal key parameter data by lowering their trust values. If a node's trust value is below the threshold, the node is treated as an abnormal node. Because the trust value is determined by key parameters of different protocol layers, attack types at different protocol layers can be detected effectively.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a hierarchical wireless sensor network used in the multi-protocol layer intrusion detection method based on trust and noise point detection technology.
FIG. 2 shows the optimal false positive rate obtained in the experiment and the false negative rates under various attacks.
FIG. 3 compares the detection rate of the multi-protocol layer intrusion detection method based on trust and noise point detection technology with that of the NBBTE scheme.
FIG. 4 compares the detection rate of the multi-protocol layer intrusion detection method based on trust and noise point detection technology with that of the PLTB scheme.
FIG. 5 compares the false positive rate of the multi-protocol layer intrusion detection method based on trust and noise point detection technology with that of the NBBTE scheme.
FIG. 6 compares the false positive rate of the multi-protocol layer intrusion detection method based on trust and noise point detection technology with that of the PLTB scheme.
FIG. 7 compares the false negative rate of the multi-protocol layer intrusion detection method based on trust and noise point detection technology with that of the NBBTE scheme.
FIG. 8 compares the false negative rate of the multi-protocol layer intrusion detection method based on trust and noise point detection technology with that of the PLTB scheme.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Embodiment 1:
This embodiment provides a multi-protocol layer intrusion detection method based on trust and noise point detection technology (Trust-Multi Protocol layer Noise Intrusion Detection, T-MPNID). The multi-protocol layer intrusion detection model corresponding to this method takes the relative deviations of the key parameters of multiple protocol layers as the trust metric, builds a trust system model with a weighting method, and establishes a penalty mechanism through data noise point detection technology.
In this intrusion detection method, a monitoring node observes the key parameters of a monitored node at the physical layer, the MAC layer and the network layer and computes their relative deviations. From these relative deviations the monitoring node aggregates the trust values of the different protocol layers to assess the trustworthiness of the monitored node, and sends the trustworthiness and the key parameters to the cluster head (CH) or base station (BS).
The cluster head or base station computes the aggregated trust value of a node from the trust assessments of multiple monitoring nodes. At the same time it periodically applies noise detection technology to obtain abnormal key parameters and penalises nodes whose key parameter data are abnormal by lowering their trust values. If a node's global trust value is below the threshold, the node is treated as an abnormal node.
Because in the proposed scheme the trust value is determined by the key parameters of different protocol layers, our model can effectively detect attack types at different protocol layers. Moreover, our model suits both hierarchical and flat wireless sensor networks.
The multi-protocol layer intrusion detection method based on trust and noise point detection technology proposed in this application comprises the following steps:
Step 1: Build the wireless sensor network
The invention is used for multi-protocol layer and cross-layer intrusion detection. FIG. 1 shows a hierarchical, i.e. clustered, wireless sensor network. Each cluster consists of many sensor nodes (SNs), including one cluster head node; the nodes in a cluster communicate with the cluster head directly or via other nodes in the cluster. The cluster head sends the information collected in the cluster to the base station, directly or via other cluster heads.
In a wireless sensor network, all nodes within the communication range of a node are its neighbour nodes; each node and its neighbours monitor one another, so they are each other's monitoring nodes.
Because attacks on wireless sensor networks mainly target the physical layer, the MAC layer and the network layer, the intrusion detection method proposed in this application focuses on these three layers.
Step 2: Obtain the trust value of each sensor node at each layer from the relative deviation values of its key parameters at the physical layer, the MAC layer and the network layer.
Specifically, this comprises:
Step 21: At the physical layer, the energy consumption of each sensor node is taken as the key parameter for obtaining its trust value.
In practice the energy consumption of a sensor node cannot be read directly, but it is related to the total number of packets the node sends, receives and forwards; the relative deviation of a node's energy consumption is therefore taken to equal the relative deviation of its total number of sent, received and forwarded packets.
Specifically, the relative deviation of energy consumption is determined from the relative deviation of the total number of packets sent, received and forwarded by each sensor node, and the physical-layer trust value of each node is then obtained from the relative deviation between its energy consumption and that of its neighbours, as follows:
At the physical layer, the energy consumed over a period Δt is roughly estimated from the total number of packets sent, forwarded and received during the communication between node i and node j, which monitor each other.
Monitoring node i can obtain the total number of packets sent, received and forwarded by its neighbour j over the period Δt, $TC_j(t)$; the relative deviation of $TC_j(t)$ is the relative deviation of node j's energy consumption, $E_{rd}(t)$:
$TC_j(t) = \mathrm{S\_pack}_j(t) + \mathrm{R\_pack}_j(t) + \mathrm{F\_pack}_j(t)$    (1)
[Equation (2), image PCTCN2019113952-appb-000001]
In equation (1), $\mathrm{S\_pack}_j(t)$, $\mathrm{R\_pack}_j(t)$ and $\mathrm{F\_pack}_j(t)$ denote the total numbers of packets sent, received and forwarded by node j up to time t, respectively.
In equation (2), $\Delta TC_j(t) = TC_j(t) - TC_j(t - \Delta t)$,
[image PCTCN2019113952-appb-000002]
$\Delta TC_j(t)$ denotes the energy consumption of node j over the period Δt,
[image PCTCN2019113952-appb-000003]
denotes the average energy consumption of all neighbour nodes of node i over Δt, $\Delta TC_i(t)$ denotes the energy consumption of node i over Δt, and n is the number of neighbour nodes of node i.
The larger the energy deviation, the lower the node's trustworthiness, so the physical-layer trust value
[image PCTCN2019113952-appb-000004]
is computed as:
[Equation (3), image PCTCN2019113952-appb-000005]
In equation (3), if the relative deviation between a node's energy consumption and the average energy consumption of its neighbours is greater than 1, the node's energy consumption is above or below the neighbours' average by a factor of two or more; such a node is possibly malicious, and its trust value is set to 0.
Step 22: From the random backoff window mechanism of a node and its number of packet retransmissions, the node's idle time and retransmission rate can be obtained. The MAC-layer trust value is obtained from the relative deviation of the node's idle time and retransmission rate from those of its neighbours; that is, at the MAC layer the idle time and retransmission rate of each sensor node are the key parameters for its trust value.
Specifically, the interval between two consecutive successful transmissions of a node is defined as its idle time. An attacker shortens its waiting time by reducing the random backoff time, which shortens the interval between two transmissions, so the idle time of a malicious node will be smaller than that of a non-malicious node.
A malicious node disrupts frames to gain priority in channel access. Because it has higher priority for channel access, its retransmission rate will be lower than that of a non-malicious node. Taking idle time and retransmission rate as the MAC-layer trust metrics, node i evaluates the trust value of node j,
[image PCTCN2019113952-appb-000006]
as:
[Equation (4), image PCTCN2019113952-appb-000007]
In equation (4),
[image PCTCN2019113952-appb-000008]
denotes the idle time,
[image PCTCN2019113952-appb-000009]
denotes the retransmission rate, and $m_1$, $m_2$ are the weights of the two parameter trust metrics, with $m_1 \in [0,1]$, $m_2 \in [0,1]$ and $m_1 + m_2 = 1$. The values of $m_1$ and $m_2$ are set according to the actual conditions of the deployed detection system.
The computation of the idle time
[image PCTCN2019113952-appb-000010]
and of the retransmission rate
[image PCTCN2019113952-appb-000011]
is given below:
1) Idle time
[image PCTCN2019113952-appb-000012]
[Equation (5), image PCTCN2019113952-appb-000013]
[image PCTCN2019113952-appb-000014]
In equation (5),
[image PCTCN2019113952-appb-000015]
denotes the moment at which node j starts receiving the x-th RTS packet,
[image PCTCN2019113952-appb-000016]
denotes the start time of node j's previous data packet transmission, $f_{ACK}$ the duration of an acknowledgement (ACK) frame, $f_{SIFS}$ the duration of a Short Inter-frame Spacing (SIFS) interval,
[image PCTCN2019113952-appb-000017]
the duration of node j's data transmission, $f_{DIFS}$ the duration of a Distributed Inter-frame Spacing (DIFS) interval,
[image PCTCN2019113952-appb-000018]
the random backoff time bt (back-off time) of node j, and
[image PCTCN2019113952-appb-000019]
the random backoff time of node j. The neighbour nodes of node j in the network are denoted $K_j = \{k_1, k_2, k_4, \dots, k_b\}$.
[image PCTCN2019113952-appb-000020]
denotes the average idle time over all neighbour nodes of node j that have successfully sent data, and b is the number of neighbour nodes of node j. With the average idle time of node j's neighbours known, the deviation between node j's idle time and its neighbours' idle time can be obtained:
[Equation (6), image PCTCN2019113952-appb-000021]
In equation (6), m is the number of times the node sends data. From the relative deviation of the idle time, the trust value of the idle-time parameter is obtained:
[Equation (7), image PCTCN2019113952-appb-000022]
Equation (7) shows that if the monitored node's idle time is smaller than the average idle time in the cluster, its trust value decreases.
2) Retransmission rate
[image PCTCN2019113952-appb-000023]
To compute the trust value of
[image PCTCN2019113952-appb-000024]
the relative deviation of node j's number of retransmissions is computed first.
A monitoring node or cluster head can detect a retransmission by observing a repeated sequence number in the frame header, and obtains the node's retransmission rate from the number of retransmissions. The lower the retransmission rate, the more likely the node is under attack. Hence, over the period Δt, the retransmission rate of the monitored node j is:
[Equation (8), image PCTCN2019113952-appb-000025]
In equation (8), $rs_{ij}(t)$ denotes the number of retransmissions of node j during the period Δt, and $\mathrm{S\_pack}_j(t)$ the number of packets sent by node j during Δt.
Monitoring node i can also obtain the average retransmission rate of its neighbour nodes over the period Δt:
[Equation (9), image PCTCN2019113952-appb-000026]
In equation (9), $\mathrm{rs\_rate}_{ik}(t)$ denotes the retransmission rate of node k over the period Δt, where k is one of node i's neighbour nodes, and n is the number of neighbour nodes of node i.
From equation (13) the average retransmission rate of the neighbours of the monitored node j is obtained, and the relative deviation of the retransmission rate is computed. From this relative deviation of node j's retransmission rate, the trust value of the retransmission rate is obtained:
[Equation (10), image PCTCN2019113952-appb-000027]
Step 23: Compute the network-layer trust value from the node's packet forwarding rate and the relative deviation of the node's hop count to the cluster head from that of its neighbour nodes.
The network-layer trust value takes two trust metrics: the node's hop count to the cluster head and its packet forwarding rate. That is, at the network layer the hop count to the cluster head and the packet forwarding rate of each sensor node are the key parameters for its trust value. Specifically:
The network-layer trust value is computed according to equation (11):
[Equation (11), image PCTCN2019113952-appb-000028]
In equation (11), $q_1 \in [0,1]$ and $q_2 \in [0,1]$ are weight values with $q_1 + q_2 = 1$.
The weights $q_1$ and $q_2$ are determined by the actual conditions of the network deployment.
The hop-count trust value is computed first: the monitoring node uses the relative deviation between the hop count of the monitored node and that of its surrounding neighbour nodes as the trust value.
[Equation (12), image PCTCN2019113952-appb-000029]
In equation (12), n denotes the number of neighbour nodes of node i and k is one of the neighbour nodes of the monitored node. From the average hop count of the neighbour nodes, the relative deviation between the hop count of the monitored node j and the neighbours' average hop count is computed, which gives the trust value of the monitored node j,
[image PCTCN2019113952-appb-000030]
[Equation (13), image PCTCN2019113952-appb-000031]
In equation (13), $\mathrm{hop\_count}_j$ denotes the hop count from node j to the cluster head. When the hop count of the monitored node is smaller than the average hop count of its neighbours, the trust value decreases.
Monitoring node i can obtain the packet forwarding rate of the monitored node j and, from it, the trust value of the forwarding rate:
[Equation (14), image PCTCN2019113952-appb-000032]
In equation (14), $FP_j(t)$ denotes the number of packets node j forwarded successfully and $RFP_j(t)$ the number of packets handed to node j for forwarding by surrounding nodes. Equation (14) shows that if node j fails to forward, its trust value decreases accordingly.
Step 3: Fuse the physical-layer, MAC-layer and network-layer trust values of each sensor node into a total trust value.
Node j's trust value for node i is obtained from the relative deviation values of the node's parameters at each protocol layer. The total trust value is given by
[Equation (15), image PCTCN2019113952-appb-000033]
[Equation (16), image PCTCN2019113952-appb-000034]
In equation (15),
[image PCTCN2019113952-appb-000035]
denotes the trust value of node i computed by its neighbour node j at time t,
[image PCTCN2019113952-appb-000036]
denotes the trust value of node i computed by its neighbour node j at time t − Δt, and μ ∈ [0,1] is the weight of the historical trust value.
In this method, μ is set according to actual requirements.
In equation (16),
[image PCTCN2019113952-appb-000037]
and
[image PCTCN2019113952-appb-000038]
denote the trust values of node j directly computed by node i at the physical layer, the MAC layer and the network layer.
$w_1 \in [0,1]$, $w_2 \in [0,1]$ and $w_3 \in [0,1]$ are the weights of the physical-layer, MAC-layer and network-layer trust values respectively, with $w_1 + w_2 + w_3 = 1$.
Whether a node is malicious is decided by comparing its trust value with a preset trust threshold. Within a cluster, since each monitoring node sends its trust assessments of its neighbour nodes to the cluster head, the cluster head can compute the average trust value of node j as its trust value:
[Equation (17), image PCTCN2019113952-appb-000039]
where $T_{ij}(t)$ is the current fused trust value of node j and n is the number of neighbour nodes of node j. The trust value of the cluster head is computed in the same way as that of the nodes in the cluster.
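Steps 2 and 3 as an added Python example (not code from the patent or the applicant): one monitoring node scores its neighbours layer by layer from relative deviations, fuses the three layer values, and a cluster head averages the reports of several monitors. Where the page gives only the shape of an equation (trust drops to 0 once the energy deviation exceeds 1; trust falls when idle time, retransmission rate or hop count is below the neighbour average; fewer successful forwards lower the network-layer trust), the functional forms below are assumptions: a linear 1 - deviation mapping, one-sided for the MAC and network parameters, FP/RFP for the forwarding rate, and mu * previous + (1 - mu) * current for equation (15). All weights, node names and observation values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Sequence

@dataclass
class Observation:
    """What monitoring node i sees of neighbour j over one window dt.
    Every value in SAMPLE_OBSERVATIONS below is constructed, not measured."""
    delta_tc: int     # dTC_j(t) = TC_j(t) - TC_j(t - dt), the energy proxy (eq 2)
    idle_time: float  # mean gap between j's successful transmissions (eq 5)
    retx: int         # rs_ij(t): retransmissions of j observed in dt (eq 8)
    sent: int         # S_pack_j(t): packets j sent in dt (eq 8)
    hop_count: int    # hop_count_j: hops from j to the cluster head (eq 13)
    fwd_ok: int       # FP_j(t): packets j forwarded successfully (eq 14)
    fwd_in: int       # RFP_j(t): packets handed to j for forwarding (eq 14)

def packet_total(sent: int, received: int, forwarded: int) -> int:
    """Eq (1): TC_j(t) = S_pack + R_pack + F_pack, the per-node energy proxy."""
    return sent + received + forwarded

def relative_deviation(value: float, mean: float) -> float:
    """|value - mean| / mean; a zero neighbour mean is treated as no deviation (assumption)."""
    return 0.0 if mean == 0 else abs(value - mean) / mean

def physical_trust(delta_tc: float, mean_delta_tc: float) -> float:
    """Eq (3): the text states trust is 0 once the energy deviation exceeds 1;
    the linear 1 - deviation below that point is an assumed form."""
    rd = relative_deviation(delta_tc, mean_delta_tc)
    return 0.0 if rd > 1 else 1.0 - rd

def low_side_trust(value: float, mean: float) -> float:
    """Assumed form of eqs (7), (10), (13): per the text, trust falls only when the
    parameter (idle time, retransmission rate, hop count) is below the neighbour average."""
    if value >= mean:
        return 1.0
    return max(0.0, 1.0 - relative_deviation(value, mean))

def retx_rate(o: Observation) -> float:
    """Eq (8): retransmissions per packet sent in dt."""
    return o.retx / o.sent if o.sent else 0.0

def mac_trust(o: Observation, idle_mean: float, retx_mean: float,
              m1: float = 0.5, m2: float = 0.5) -> float:
    """Eq (4): m1 * idle-time trust + m2 * retransmission-rate trust, with m1 + m2 = 1."""
    return m1 * low_side_trust(o.idle_time, idle_mean) + m2 * low_side_trust(retx_rate(o), retx_mean)

def network_trust(o: Observation, hop_mean: float, q1: float = 0.5, q2: float = 0.5) -> float:
    """Eq (11): q1 * hop-count trust (eq 13) + q2 * forwarding-rate trust (eq 14, taken as FP/RFP)."""
    fwd = min(1.0, o.fwd_ok / o.fwd_in) if o.fwd_in else 1.0
    return q1 * low_side_trust(o.hop_count, hop_mean) + q2 * fwd

def fused_trust(t_phy: float, t_mac: float, t_net: float, w=(1 / 3, 1 / 3, 1 / 3)) -> float:
    """Eq (16): weighted fusion of the three layer trust values, w1 + w2 + w3 = 1."""
    return w[0] * t_phy + w[1] * t_mac + w[2] * t_net

def smooth_trust(previous: float, direct: float, mu: float = 0.3) -> float:
    """Eq (15) as assumed here: mu weights the historical value, 1 - mu the current one."""
    return mu * previous + (1 - mu) * direct

def evaluate_neighbours(obs: Dict[str, Observation]) -> Dict[str, float]:
    """Monitoring node i scores each neighbour j against the averages over all its neighbours."""
    n = len(obs)
    mean_tc = sum(o.delta_tc for o in obs.values()) / n
    mean_idle = sum(o.idle_time for o in obs.values()) / n
    mean_retx = sum(retx_rate(o) for o in obs.values()) / n
    mean_hop = sum(o.hop_count for o in obs.values()) / n
    return {j: fused_trust(physical_trust(o.delta_tc, mean_tc),
                           mac_trust(o, mean_idle, mean_retx),
                           network_trust(o, mean_hop)) for j, o in obs.items()}

def cluster_head_trust(reports: Sequence[Dict[str, float]]) -> Dict[str, float]:
    """Eq (17): the cluster head averages what every monitor reported about each node."""
    totals: Dict[str, list] = {}
    for report in reports:
        for node, t in report.items():
            totals.setdefault(node, []).append(t)
    return {node: sum(ts) / len(ts) for node, ts in totals.items()}

# Constructed sample: n1..n3 behave alike; n4 burns far more energy, barely backs off,
# never retransmits, claims a 1-hop route and drops most packets it should forward.
SAMPLE_OBSERVATIONS = {
    "n1": Observation(100, 10.0, 2, 20, 3, 18, 20),
    "n2": Observation(100, 10.0, 2, 20, 3, 20, 20),
    "n3": Observation(100, 10.0, 2, 20, 3, 20, 20),
    "n4": Observation(300, 4.0, 0, 20, 1, 5, 20),
}

if __name__ == "__main__":
    monitor_a = evaluate_neighbours(SAMPLE_OBSERVATIONS)
    monitor_b = {j: smooth_trust(1.0, t) for j, t in monitor_a.items()}  # a second monitor with history
    for node, t in cluster_head_trust([monitor_a, monitor_b]).items():
        print(f"{node}: aggregated trust {t:.3f}")
```

With the sample above, n1 scores about 0.87 (its energy use is a third below the inflated neighbourhood mean, which the symmetric physical-layer rule penalises) while n4 scores about 0.19: its energy deviation of exactly 1 already zeroes the physical-layer term, and the short idle time, absent retransmissions, 1-hop route and 25 % forwarding rate pull the other two layers down. Note that a single outlier also shifts every neighbourhood mean, which is one reason the patent adds the noise point stage for pockets of colluding nodes.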
步骤4:然后由数据噪声点技术将数据带入检测出异常的节点,得到传感器节点的噪声点列表。Step 4: Then the data noise point technology will bring the data into the node where the abnormality is detected to obtain the noise point list of the sensor node.
步骤41:将各协议层的参数作为数据,发送给簇头或者基站,簇头或基站将接收到的参数,利用步骤2得到的信任值给与每个节点参数的不同权重,带入算法中得到检测结果。Step 41: Use the parameters of each protocol layer as data and send them to the cluster head or base station. The cluster head or base station will use the trust value obtained in step 2 to give different weights to the parameters of each node and bring them into the algorithm. Get the test result.
Data noise-point detection technique: at the MAC layer, we take the average size of the backoff window (CW) within the interval Δt as the key parameter for noise-point detection; the smaller the average backoff window, the higher the node's channel priority and the more likely an attack is taking place. At the network layer, the node's packet forwarding rate and its hop count to the cluster head are taken as the key parameters for noise-point detection, because when many malicious nodes appear among the neighbours, the relative deviation computed against those neighbours carries a serious error. Using these two kinds of parameters as key parameters reduces the error of the detection process. The cluster head or base station uses the trust value obtained in S1 as the credibility weight of the data and performs noise-point detection with the DBSCAN (Density-Based Spatial Clustering of Applications with Noise) algorithm; for DBSCAN see "Ester M. A Density-Based Algorithm for Discovering Clusters in Large Spatial Databases with Noise[C]//Proceedings of the Second ACM International Conference on Knowledge Discovery and Data Mining (KDD), 1996. AAAI Press, 1996."
Step 42: generate a sensor noise-point list from the detection results and send it to every node.
In each cycle, the cluster head penalises the trust value of every node in the noise-sensor list produced by data noise-point detection, lowering its trust value, and then forwards the penalised trust values of the in-cluster nodes to every node in the cluster.
Step 5: use the penalty mechanism to determine the penalty strength and obtain the final trust value of each node; nodes whose trust value is below the threshold are listed as malicious nodes.
Step 51: the fused trust value of the protocol layers is used as a weight on the penalty applied to a node: the higher the trust value, the stronger the penalty. Penalising the node's trust value yields the node's final global trust value.
In the present invention the degree of penalty also differs between protocol layers; the penalised global trust value is expressed as:
Figure PCTCN2019113952-appb-000040
In formula (18), C_MAC and C_NET denote the penalty factors applied when an attack occurs at the MAC layer and at the network layer respectively; the final values of the penalty factors are determined after repeated experiments. α1 ∈ [0,1] and α2 ∈ [0,1] are the weights of the penalty factors at the MAC layer and the network layer respectively. The present invention sets the weights α1 and α2 to the node's currently computed trust value: when a node with a higher trust value is nevertheless detected as a noise-point sensor node, the node may have suffered a malicious attack that went undetected, so it is penalised more heavily; conversely, the lower the node's trust value, the lighter the penalty.
Step 52: the optimal detection threshold is obtained from the false positive rate and the false negative rate; the node's trust value is compared with the threshold, and a value below the threshold marks the node as malicious.
To verify that the method proposed in this application (the T-MPNID method) can effectively detect attack types at different protocol layers, the following simulation experiment was carried out:
Using MATLAB 2016a as the simulation tool, 120 sensor nodes were deployed in a 100 m × 100 m area and divided evenly into 4 clusters. The trust value update interval is 10 min. The detailed simulation parameters are given in Table 1.
Table 1 Experimental parameter values
Figure PCTCN2019113952-appb-000041
In the experiment, four typical attacks were simulated at the MAC layer and the network layer: the back-off manipulation attack, the selective forwarding attack, the sinkhole attack and the MAC-network cross-layer attack. The false positive rate (FPR) and the false negative rate (FNR) were chosen as the key indicators of detection performance.
A false positive means a node detected as malicious that is actually normal.
A false negative means a node detected as normal that is actually malicious.
To determine the optimal detection threshold S, the false positive rate and false negative rate under different detection thresholds were simulated for the four attack types. As shown in Figure 2, at a threshold S of 0.885 both the false positive rate and the false negative rate are below 0.07 for all four attack types, so this application sets the optimal detection threshold to 0.885.
The method is compared with two recent schemes, NBBTE and PLTB, in terms of detection rate, false positive rate and false negative rate. For NBBTE see "FENG R, XU X, XIANG Z, et al. A Trust Evaluation Algorithm for Wireless Sensor Networks Based on Node Behaviors and D-S Evidence Theory[J]. Sensors, 2011, 11(2): 1345-1360."; for PLTB see "JIAN W, SHUAI J, FAPOJUWO A O. A Protocol Layer Trust-Based Intrusion Detection Scheme for Wireless Sensor Networks[J]. Sensors, 2017, 17(6): 1227."
Figure 3 compares the detection rate of the T-MPNID method proposed in this application with that of the NBBTE method. As Figure 3 shows, the detection rate of T-MPNID is higher than that of NBBTE under all four attacks. NBBTE considers only node behaviour at the network layer, so its detection rate at the MAC layer is 0. The detection rate of the proposed method for the cross-layer attack, the sinkhole attack and the selective forwarding attack is 22%, 10% and 3% higher, respectively, than that of NBBTE.
As shown in Figure 4, comparing the detection rate of T-MPNID with that of PLTB, the detection rate of both methods keeps falling as the number of malicious nodes grows. When the proportion of malicious nodes is below 10%, the detection rate of T-MPNID stays above 0.97 for all four attacks. When the proportion of malicious nodes exceeds 10%, the detection rates for the back-off attack and the cross-layer attack fall far less than under PLTB. When the proportion of malicious nodes is 30%, the detection rate of T-MPNID is higher than that of PLTB by 0.33, 0.25, 0.08 and 0.03 for the back-off attack, the cross-layer attack, the sinkhole attack and the selective forwarding attack, respectively.
Figure 5 compares the false positive rate of T-MPNID with that of NBBTE; the false positive rate rises as the number of malicious nodes grows. Since NBBTE does not consider the back-off attack, it is not analysed for that attack. For the sinkhole attack, the cross-layer attack and the selective forwarding attack, the false positive rate of T-MPNID is lower than that of NBBTE. When the proportion of malicious nodes is 30%, the false positive rate of T-MPNID is 50% and 40% lower than that of NBBTE for the cross-layer attack and the sinkhole attack, respectively.
Figure 6 compares the false positive rate of T-MPNID with that of PLTB. When the proportion of malicious nodes exceeds 20%, the false positive rate of T-MPNID is 5%-8% lower than that of PLTB for the sinkhole attack and the cross-layer attack. In both methods the false positive rate for the selective forwarding attack is stable at 0.02.
In Figure 7, the false negative rate of T-MPNID is lower than that of NBBTE for all four attacks. When the proportion of malicious nodes is 20%, the false negative rates of T-MPNID for the sinkhole attack, the selective forwarding attack and the cross-layer attack are 54%, 51.8% and 53.1% lower, respectively, than those of NBBTE. When the proportion of malicious nodes is 30%, they are 20.6%, 22.3% and 15.8% lower, respectively.
In Figure 8, PLTB is compared with T-MPNID: when the proportion of malicious nodes exceeds 15%, the false negative rate of T-MPNID for the back-off attack, the sinkhole attack, the cross-layer attack and the selective forwarding attack is on average 9%, 5%, 3% and 1% lower than that of PLTB.
In summary, this application takes the relative deviation of parameters at multiple protocol layers as the trust metric, builds the trust system model with a weighting method and establishes a penalty mechanism through data noise-point detection. A monitoring node observes the key parameters of the monitored node at the physical layer, the MAC layer and the network layer and computes their relative deviations; from these deviations it aggregates the trust values of the different protocol layers to evaluate the credibility of the monitored node, and sends the credibility together with the key parameters to the cluster head (CH) or base station (BS). The cluster head and base station compute the aggregated trust value of a node from the trust evaluations of several monitoring nodes; at the same time, the cluster head or base station periodically applies noise detection to find abnormal key parameters and penalises nodes whose key-parameter data are abnormal by lowering their trust value. If a node's trust value falls below the threshold, the node is regarded as abnormal. Because the trust value is determined by the key parameters of the different protocol layers, attack types at different protocol layers can be detected effectively.
A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the steps of any one of the described methods when executing the program.
A computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any one of the described methods.
A processor for running a program, wherein the program, when run, executes any one of the described methods.
Some steps in the embodiments of the present invention may be implemented in software, and the corresponding software program may be stored on a readable storage medium such as an optical disc or a hard disk.
The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (7)

  1. A multi-protocol layer intrusion detection method, characterised by comprising:
    building a wireless sensor network;
    obtaining the trust value of each sensor node at each layer by computing the relative deviation values of key parameters of each sensor node in the wireless sensor network at the physical layer, the MAC layer and the network layer respectively;
    fusing the obtained physical-layer, MAC-layer and network-layer trust values of each sensor node to obtain the total trust value of each sensor node;
    feeding the key parameters into detection by the data noise-point technique to obtain a noise-point list of the sensor nodes in the wireless sensor network;
    using a penalty mechanism to determine the penalty strength and obtain the global trust value of each sensor node, and listing nodes whose global trust value is below a threshold as malicious nodes.
  2. The multi-protocol layer intrusion detection method according to claim 1, characterised in that obtaining the trust value of each sensor node at each layer by computing the relative deviation values of key parameters of each sensor node in the wireless sensor network at the physical layer, the MAC layer and the network layer respectively comprises:
    measuring energy consumption from the number of packets sent, received and forwarded by each sensor node, and obtaining the physical-layer trust value from the relative deviation value of the energy consumption;
    obtaining the idle time and retransmission rate of each sensor node from the random backoff-window mechanism of the node and the number of packet retransmissions, and obtaining the MAC-layer trust value from the relative deviation of each sensor node's idle time and retransmission rate with respect to its neighbouring nodes;
    computing the network-layer trust value from the relative deviation, with respect to neighbouring nodes, of each sensor node's packet forwarding rate and hop count to the cluster head node.
  3. The multi-protocol layer intrusion detection method according to claim 1, characterised in that feeding the key parameters into detection by the data noise-point technique to obtain a noise-point list of the sensor nodes in the wireless sensor network comprises:
    sending the key parameters of each protocol layer as data to the cluster head node or base station;
    the cluster head node or base station weighting the received parameters of each node differently using the obtained trust values, and feeding them into the algorithm to obtain the detection result;
    generating a sensor noise-point list from the obtained detection results and sending it to each sensor node.
  4. The multi-protocol layer intrusion detection method according to claim 1, characterised in that using a penalty mechanism to determine the penalty strength and obtain the global trust value of each sensor node, and listing nodes whose trust value is below a threshold as malicious nodes, comprises:
    weighting the penalty strength applied to a node by the fused trust value of the protocol layers, such that the higher the trust value, the stronger the penalty;
    penalising the trust value of each sensor node to obtain the global trust value of each sensor node;
    obtaining the optimal detection threshold from the false positive rate and the false negative rate, comparing the node's trust value with the detection threshold, and marking the node as malicious when its value is below the detection threshold.
  5. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterised in that the processor implements the steps of the method according to any one of claims 1 to 4 when executing the program.
  6. A computer-readable storage medium storing a computer program, characterised in that the program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 4.
  7. A processor, characterised in that the processor is configured to run a program, wherein the program, when run, executes the method according to any one of claims 1 to 4.
PCT/CN2019/113952 2018-11-08 2019-10-29 Trust and noise point detection technology-based intrusion detection method for multi-protocol layer WO2020093907A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811325309.2A CN109257750B (en) 2018-11-08 2018-11-08 Intrusion detection method of multi-protocol layer based on trust and noise point detection technology
CN201811325309.2 2018-11-08

Publications (1)

Publication Number Publication Date
WO2020093907A1 true WO2020093907A1 (en) 2020-05-14

Family

ID=65043206

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/113952 WO2020093907A1 (en) 2018-11-08 2019-10-29 Trust and noise point detection technology-based intrusion detection method for multi-protocol layer

Country Status (2)

Country Link
CN (1) CN109257750B (en)
WO (1) WO2020093907A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109257750B (en) * 2018-11-08 2020-02-18 江南大学 Intrusion detection method of multi-protocol layer based on trust and noise point detection technology
CN111405512B (en) * 2020-03-16 2021-06-25 长沙学院 Method for rapidly detecting compromised node in wireless sensor network

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011045714A2 (en) * 2009-10-14 2011-04-21 Koninklijke Philips Electronics N.V. A method for operating a node in a wireless sensor network
CN102802158A (en) * 2012-08-07 2012-11-28 湖南大学 Method for detecting network anomaly of wireless sensor based on trust evaluation
CN104080140A (en) * 2013-03-29 2014-10-01 南京邮电大学 Cooperative communication method based on trust evaluation for mobile ad hoc network
CN104469836A (en) * 2014-11-24 2015-03-25 河海大学常州校区 Method for building multi-dimension trust model in underwater sensor network
CN107750053A (en) * 2017-05-25 2018-03-02 天津大学 Based on multifactor wireless sensor network dynamic trust evaluation system and method
CN109257750A (en) * 2018-11-08 2019-01-22 江南大学 The intrusion detection method of multi-protocol layer based on trust and noise spot detection technique

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113949642A (en) * 2021-10-19 2022-01-18 中国电子科技集团公司第二十研究所 Internet of things sensor node trust evaluation method based on block chain storage
CN115001750A (en) * 2022-05-06 2022-09-02 国网宁夏电力有限公司信息通信公司 Trusted group construction method and system based on trust management in power internet of things
CN115001750B (en) * 2022-05-06 2024-04-05 国网宁夏电力有限公司信息通信公司 Trusted group construction method and system based on trust management in electric power Internet of things

Also Published As

Publication number Publication date
CN109257750B (en) 2020-02-18
CN109257750A (en) 2019-01-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19881431

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19881431

Country of ref document: EP

Kind code of ref document: A1