This work provides a solution to identify malicious nodes in wireless sensor networks through detection of malicious message transmissions in a network. A message transmission is considered suspicious if its signal strength is incompatible with its originator’s geographical position. We provide protocols for detecting suspicious transmissions – and the consequent identification of malicious nodes – and for disseminating this information in the network. We evaluate the detection rate and the efficiency of our solution along a number of parameters.
A wireless sensor network (WSN) consists of a set of compact and automated devices called sensing nodes. A sensing node is a computational device that has memory, battery, processor, transceiver, and a sensing device. The Berkeley MICA Mote [4, 1], SmartDust [7, 8, 12], and CotsDust are examples of such nodes. These nodes are distributed across an area and communicate among themselves, forming an ad hoc network. Sensor networks contain special nodes that process and store the information collected by the network; they are called sink nodes. Communication between two nodes is performed in multiple hops if they are not within each other’s transmission range.
Wireless sensor networks can collect data from the environment where they are embedded. The data are often first processed by the sensor nodes and then sent over non-secure channels to the sink node for further processing. Some of the applications envisioned for sensor networks are environmental monitoring, infrastructure management, public safety, medical, home and office security, transportation, and battlefield surveillance. Given their criticality, these applications are likely to be attacked.
There are a number of ways one can attack a WSN. For example, one can spoof the various fields of a message while it is in transit, in such a way that what the recipient receives is an altered copy of the original message. One can also tamper with a node (its hardware and/or software), so as to alter its behavior. Different types of attacks will require different types of countermeasures.
In this work, we focus on two types of attacks: HELLO flood attacks and wormhole attacks. HELLO messages are used in many protocols by nodes that want to announce their presence and proximity to their neighbors. Most of these protocols rely on the assumption that a node A is within the radio transmission range of another node B if A is able to receive messages from B. In a HELLO flood attack, a malicious node may try to transmit a message with an abnormally high power so as to make all nodes believe that it is their neighbor.
Wormhole attacks can be described in the following steps. An adversary A tunnels a message received to a second adversary B in a distant part of the network using a low-latency out-of-band channel. B then retransmits the message exactly as received to the nodes in its neighborhood. An immediate result of a wormhole attack is that nodes that hear the transmission from B are tricked into thinking that they are neighbors of whichever node originated the message (this node is most likely located in a distant part of the network).
Both the HELLO flood attack and the wormhole attack are typically carried out to compromise route establishment in a network. For example, a malicious node that broadcasts a routing beacon with an extra high power could lead a large number of nodes to attempt to use it as their next hop in their route to the sink. But those sufficiently far away would be simply sending their messages into oblivion. A similar scenario results from a wormhole attack. A malicious node could convince nodes that are normally multiple hops from the sink node that they are just one hop away.
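The check stated in the abstract, flagging a transmission whose signal strength is incompatible with its originator's position, can be sketched as a receiver-side test. This is an added example, not the paper's protocol: the log-distance path-loss model, every constant, the node map and the function names are assumptions, and receivers are assumed to know each node's position and nominal transmit power.

```python
import math

# Assumed radio model and thresholds (constructed values, not from the paper).
TX_POWER_DBM = 0.0       # nominal transmit power of every honest node
PL_AT_1M_DB = 40.0       # path loss at the 1 m reference distance
PATH_LOSS_EXP = 3.0      # log-distance path-loss exponent
TOLERANCE_DB = 6.0       # slack for fading and measurement noise
SENSITIVITY_DBM = -95.0  # weakest signal a receiver can decode

# Constructed deployment map: node id -> (x, y) position in metres.
POSITIONS = {"rx": (0, 0), "n1": (10, 0), "n2": (20, 0),
             "n3": (100, 0), "n4": (300, 400)}

def expected_rssi(distance_m):
    """RSSI (dBm) expected at distance_m from a node sending at nominal power."""
    d = max(distance_m, 1.0)  # the model is not defined below the reference distance
    return TX_POWER_DBM - (PL_AT_1M_DB + 10 * PATH_LOSS_EXP * math.log10(d))

def check(receiver, originator, rssi_dbm):
    """Classify one reception as 'ok', 'out-of-range' or 'mismatch'."""
    d = math.dist(POSITIONS[receiver], POSITIONS[originator])
    want = expected_rssi(d)
    if want < SENSITIVITY_DBM:
        # At nominal power this originator could not be heard here at all:
        # consistent with a boosted HELLO or a replayed (tunnelled) message.
        return "out-of-range"
    if abs(rssi_dbm - want) > TOLERANCE_DB:
        return "mismatch"
    return "ok"

def suspicious(receiver, receptions):
    """Return the (originator, rssi, verdict) entries that fail the check."""
    return [(o, r, v) for o, r in receptions
            if (v := check(receiver, o, r)) != "ok"]

# Constructed receptions at node "rx": (claimed originator, measured RSSI in dBm).
SAMPLE = [("n1", -72.0),   # honest neighbour, 10 m away
          ("n2", -60.0),   # in range, but about 19 dB stronger than expected
          ("n3", -80.0),   # 100 m away: audible only if sent with extra power
          ("n4", -65.0)]   # 500 m away: audible only if replayed nearby

if __name__ == "__main__":
    for entry in suspicious("rx", SAMPLE):
        print(entry)
```

The originator field is whatever the message claims, so for a replayed message the flagged entry names the distant originator rather than the node that retransmitted it.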