Detection of wormhole attacks on IPv6 mobility-based wireless sensor network

Wormhole attacks in wireless sensor networks were introduced by Sanzgiri [11], Papadimitratos [12], and Hu [2, 3, 8]. In a wormhole attack, a wormhole tunnel is constructed by two malicious nodes. Malicious nodes will “tunnel” their received routing information to another point in the network and then replay them. Once the wormhole tunnel is constructed, malicious nodes could eavesdrop on traffic from their neighbor nodes, drop packets or to perform man-in-the-middle attacks [4].

Hu et al. proposed two types of packet leashes: geographic leashes and temporal leashes to prevent wormhole attacks [4]. Leashes are designed to protect against wormholes over a single hop wireless transmission. Geographical leash will ignore any messages from unreasonable distance, and temporal leash will ignore any packets with unreasonable lifetime [4]. However, to construct packet leashes, all nodes must have synchronized clocks and their own position. It is impractical in most wireless sensor network environment.

A lightweight wormhole detection approach called LITEWORP was proposed by Khalil et al. [9]. In LITEWORP, each node builds its two-hop neighbor list. By monitoring all control traffic of neighbor, LITEWORP could identify and isolate malicious node. However, monitoring and extracting every neighbors’ traffic result in extra overload. Moreover, it is not always possible to find guard node for particular link. The proposed system is not suitable for nodes with limited battery capacity. Khalil et al. also proposed a routing protocol called MobiWorp to detect and isolate wormhole attack [13]. MobiWorp rely on a secure central authority (CA) for global tracking of node positions. MobiWorp also deployed a special node called guard node to maintain a black list and monitor network traffic. However, CA and guard node are impractical in some wireless sensor network applications.

Choi et al. proposed a Wormhole Attack Prevention (WAP) algorithm which measured the round-trip time (RTTs) between neighbors, identifying that two neighbors which are not within each other’s communication range are supposed to be suffering from wormhole attack [14]. But, WAP algorithm could only be suitable for wireless sensor network applications with a lot of nodes. WAP algorithm could not detect false positive alarm while affected nodes only have few neighbor nodes due to lack of enough neighbor nodes’ information.

The RPL became a standard routing protocol for wireless sensor networks [6]. RPL is primarily designed for 6LoWPAN (IPv6 over Low-powered Wireless Personal Area Networks). Because IPv6 provide almost unlimited IP space, it is suitable for wireless sensor network applications for point-to-point communication or point-to-multicast communication among tiny nodes. 6LoWPAN network is a wireless sensor network which supports IPv6. 6LoWPAN uses IPv6 as Internet layer and IEEE 802.15.4 as data link and physical layer [7]. Differ from typical stand-alone wireless sensor networks, devices of wireless sensor network applications only have limited resources, and these devices are accessible from anywhere. Hence, wireless sensor network applications are exposed to threats both from the Internet and from within the network. RPL protocol provides new ICMPv6 control messages to exchange routing graph information. RPL protocol uses DIO (DODAG Information Objects) messages to advertise information for building RPL DODAG, and DAO (Destination Advertisement Object) messages are used for supporting downward traffic toward leaf nodes. Nodes send DIO messages periodically, once nodes receive a DIO message, they might use the information to join a new network or update their routing table [6]. Now, the most popular wireless sensor network standard like ZigBee IP supports RPL [15, 16]. ZigBee is a low-cost, low-power, wireless sensor network standard which enable tiny and smart devices to work together for wireless sensor network applications [15]. Therefore, the proposed system will be based on RPL routing protocol. RPL is also vulnerable to wormhole attack. Attackers could send fake ICMPv6 routing packets to construct wormhole tunnel. Khan et al. proposed a Merkle-tree-based authentication to prevent wormhole attack [17]. An added authentication mechanism while maintaining parents within a DODAG can be used for avoiding promotion of routes encompassing malicious nodes sending replay attacks around the surrounding region. However, building Merkle tree needs additional communication and computation resources.

Sensor network applications make use of tiny devices which have limited resources and electricity power. Therefore, additional hardware requirement or complicated detection algorithm is not suitable for detecting wormhole attacks in such environments. In this article, the proposed system is based on RPL without extra hardware or complicated detection algorithm.

Experiment 1 is used to validate the correctness of proposed approach, and it also describes how all experiments in this research are conducted. In this section, all nodes are deployed by random, the first deployed node is root node. Malicious nodes are deployed after deploying all benign nodes. Table 2 illustrates the parameters of this example, and Table 3 shows the location (coordinates) of each node.

After all nodes are deployed, the routing path will be established based on RPL protocol. Figure 7 illustrates the topology before wormhole attack of experiment 1.

Figure 7 shows number of nodes, routing path, and rank value of each node. For example, 9(15) means the ninth node in this experiment and its rank value is 15. After routing path of each node is established, the malicious node 52 and 51 start to spread fake routing message. Figure 8 shows the changes of topology after wormhole attack.

Node 51 and node 52 first build their wormhole tunnel, and then node 52 replays the router advertisement message from node 52’s parent node (node 29) to its neighbor nodes. Neighbor nodes of node 52 will change their routing path. In this experiment, nodes 3, 7, 9, 11, 14, 15, 18, 31, and 43 change their routing path. The proposed approach could 100% identify the affected and malicious nodes. For example, before wormhole attack, the rank value of node 31 and its parent node (node 14) is 10 and 9, respectively. Therefore, the Rank_Threshold of node 31 is |9 − 10| = 1. After malicious nodes launch wormhole attack, node 31 receives the advertisement message from node 52. The rank value of advertisement message is 6. Therefore, the Rank_Diff of node 31 is |6 − 10| = 4. According to the proposed detection mechanism, if Rank_Diff > Rank_Threshold, the node which sends abnormal advertisement message is malicious. Table 4 illustrates the result of experiment 1. True positive (TP) is 9 because all affected nodes could be detected (This also means the proposed system could detect malicious nodes.). True negative (TN) is 41 because there is not any unaffected node to be identified as affected node (This also means there is not any benign node to be identified as malicious node.). Experiment 1 shows that the proposed system could detect malicious nodes and affected nodes without any false negative.

Experiment 1 already shows that the proposed system could detect malicious wormhole tunnel. However, applications of wireless sensor networks could be applied to many areas. In this paper, experiments 2 to 5 are conducted to evaluate if the proposed system could detect wormhole attack in different environments and applications.

Experiment 2 will evaluate if the proposed system could detect wormhole attack in different map sizes. Table 5 illustrates the parameters in experiment 2, and Table 6 shows the result of experiment 2.

The result of experiment 2 shows that the proposed system could detect wormhole attack perfectly in different map sizes without any false negative. This is a very important feature because nodes of wireless sensor network could be deployed in a small area like a house or be deployed in a large area like a farm. The proposed system is suitable for various wireless sensor network applications.

Experiment 3 evaluates if the number of benign nodes affects the detection performance or not. Table 7 presents the parameters of experiment 3, and Table 8 shows the results.

The results of experiment 3 show that the number of benign nodes does not affect the detection performance. The number of nodes in a sensor network may vary in different applications and applied environments. Some applications such as smart homes need few nodes, and some networks such as VANETs (Vehicular Ad Hoc Networks) involve a lot of nodes. Detection mechanisms [14] relying on neighbor node information may not be able to detect wormholes if there are not enough nodes in the environment. The results show that the proposed system could detect wormholes in various network environments ranging from a small to large amount of nodes.

Experiment 4 tests if communication range of nodes will affect the detection performance of proposed system. Nodes with longer communication range mean more neighbor nodes and complex routing tables. Different wireless sensor network applications need different communication ranges. In Zigbee’s specification, communication range of Zigbee devices are from 50 to 300 m. Table 9 illustrates the parameters in experiment 4, and Table 10 shows the result of experiment 4.

The result of experiment 4 shows that communication range of benign nodes would not affect the detection performance of proposed system. Communication range of nodes varies with applications. Some applications like smart home need only shorter communication range, and some network like VANETs (Vehicular Ad Hoc Networks) need longer communication range (like 100 m or longer). The result shows that the proposed system could detect wormhole in different wireless sensor network applications.

In experiment 5, we evaluate the relation between the distance of wormhole tunnel and the performance of our approach. Distance of wormhole tunnel always longer than communication range of benign nodes. If distance of wormhole tunnel is shorter than communication range of benign nodes, malicious nodes will never attract any traffic. However, some detection mechanisms use transmission time to estimate transmission distance nodes [4]. If the length of wormhole is short, such detection mechanism may not work. Table 11 illustrates the parameters in experiment 5, and Table 12 shows the result of experiment 5.

The result indicates that the proposed system will detect wormhole attacks with different distances of wormhole tunnel.

The results of experiments 1 to 5 show that proposed system could detect wormhole attack well in different situations. The proposed system is a location-based detection system. Although each node could not know their exact location, the relative location will be get based on rank value in RPL routing protocol. Any malicious DIO messages will be ignored due to unreasonable rank value. The proposed approach does not need any additional devices like GPS or complex algorithm to compute location of nodes. Some approaches like temporal leashes which used transmission time to estimate transmission distance nodes [4]; Wired Equivalent Privacy (WEP) which monitor network traffic of neighbor nodes to detect wormhole [14]. In this paper, we implement temporal leashes and WEP as benchmark of proposed system. Experiment 6 evaluates the detection performance based on different rain fade. Table 13 illustrates the parameters in experiment 6, and Table 14 shows the result of experiment 6.

Result of experiment 5 shows that the proposed system and WEP could detect wormhole perfect in different rain fade levels. Detection accuracy of packet leashes will vary by rain fade because some benign nodes are identified as malicious due to Network latency. Packet leashes approach used transmission time to estimate transmission distance. But packet leashes did not consider that network latency could result in longer transmission time. Once Network transmission is unstable, benign nodes would be identified as malicious nodes.

Number of benign nodes is also a very important parameter to evaluate a detection mechanism of wormhole. Some detection approaches need neighbor nodes’ information to detect wormhole attack. Table 15 illustrates the parameters in experiment 7, and Table 16 shows the result of experiment 7.

The result of experiment 7 indicates that WAP will have low accuracy when few nodes are deployed. WAP analyzed neighbor nodes’ traffic, if there are enough neighbor nodes, WAP could not get enough information to detect wormhole well. According to experiments 6 and 7, the results show the proposed system outperform WAP and packet leashes. Our system could apply to most wireless sensor network applications without additional hardware. The results of experiments 1 to 7 show that the proposed system could 100% detect wormhole. Compared with traditional wormhole detection approach, the proposed system has higher accuracy rate. Moreover, the proposed system does not need any additional hardware or special nodes. The experiments show the proposed system is a good security mobility management mechanism for wireless sensor network.