EURASIP Journal on Wireless Communications and Networking 
Volume 2008 (2008), Article ID 754252, 11 pages
doi:10.1155/2008/754252
Research Article

Attack Distribution Modeling and Its Applications in Sensor Network Security

Xiangqian Chen, Kia Makki, Kang Yen, and Niki Pissinou

Telecommunications and Information Technology Institute (IT2), Florida International University, Miami, FL 33174, USA

Received 31 August 2007; Accepted 17 December 2007

Recommended by Farid Ahmed

Abstract

Defending against attacks is the key success factor for sensor network security. There are many approaches that can be used to detect and defend against attacks, yet few focus on modeling attack distribution. Knowing the distribution models of attacks can help a system estimate the attack probability and thus defend against attacks effectively and efficiently. In this paper, we use probability theory to develop a basic uniform model, a basic gradient model, an intelligent uniform model, and an intelligent gradient model of attack distribution in order to adapt to different application environments. These models allow systems to estimate the attack probability of each node at a given position and time. Applying these models in system security designs can improve system security performance and decrease the overheads in nearly every security area. Based on these models, we describe a novel probability secure routing algorithm that is effective in defending against attacks whether they are detected or not. Besides this application, we also introduce some other applications, such as secure routing that can save available system energy and resources while still providing enough security, attack detection, and key management.

1. Introduction

Recent advances in electronic and computer technologies have put widespread deployment of wireless sensor networks (WSNs) on the horizon. Different WSNs may consist of different types of sensors, such as seismic, low sampling rate, magnetic, thermal, visual, infrared, acoustic, and radar sensors, which can monitor temperature, humidity, vehicular movement, lightning condition, pressure, soil makeup, noise levels, and so on [1]. These various classes of sensors give WSNs a wide range of applications, including military sensing and tracking, environment monitoring, patient monitoring and tracking, and smart environments [2].

Many sensor networks have mission-critical tasks, such as the military applications above. Thus, security issues in WSNs remain in the foreground among research areas. Compared with other wireless networks, such as ad hoc wireless LAN and cellular networks, security in WSNs is more complicated due to the constrained capabilities of sensor node hardware and the properties of the deployment environment.

Security issues mainly come from attacks. If no attacks occurred, there would be no need for security. Thus, detecting and defending against attacks are important tasks of security mechanisms. It is obvious that knowing the probabilities of attacks can help systems monitor, identify, and defend against them efficiently and effectively. Although there are some approaches that can be adapted to detect and defend against attacks, few of them provide a method to estimate the probability of being attacked for each node. Most current approaches assume the same probability of attack occurring everywhere as a matter of course, and use this embedded assumption without a clear declaration in their systems. In fact, this hypothesis does not hold for some special applications in which attacks may occur with different probabilities. For example, how can one think that an attack close to an enemy-controlled area transpires with the same probability as in a controlled area?

In this paper, we present several attack distribution models in order to estimate attack probability, and then provide several applications based on these models. Our current modeling work is based on static WSNs, that is, sensor nodes will not change their positions after deployment. Besides this assumption, we suppose that an attack detecting system exists in our intelligent models. Our current attack distribution models can be adapted to those types of attacks in which the attack probability for a node is correlated with the attack events of its neighbors and with its position. In WSNs, many types of attacks occur with this neighbor effect and position effect. Based on our survey, this is the first time that attack distribution models have been proposed to estimate the attack probability of a node at a given position and time. The remainder of the paper is organized as follows. Section 2 presents related work. Section 3 describes the details of attack distribution models. Section 4 shows some applications of these models. Finally, we conclude and lay out some future work in Section 5.

2. Related Work

In this section, we give a concise introduction to related work in two categories: attack detection and prevention, and node positioning.

2.1. Attack Detection and Prevention

Due to the wireless nature and special deployment environments of WSNs [3], a great variety of attacks are possible. For clarity, we give a short summary of attacks and defense suggestions from the point of view of the open system interconnect (OSI) model. Generally, the typical layered networking model of sensor networks includes the physical layer, the data link layer, the network layer, the transport layer, the middleware layer, and the application layer. Each layer is susceptible to different attacks. Some attacks can even crosscut multiple layers or exploit interactions between them. In this paper, we mainly discuss attacks and defenses on the transport layer and the layers below it.

Physical Layer

Jamming and tampering are the major types of physical attacks [4]. The standard defense against jamming involves various forms of spread spectrum, frequency hopping, low-duty cycle, rerouting traffic, adopting a prioritized transmission scheme, and so on. Tampering is another type of physical attack in sensor networks: an attacker can tamper with nodes physically, and interrogate and compromise them. Tamper protection falls into two categories: passive (e.g., hiding) and active (e.g., tamper-proofing circuit).

Data Link Layer

Collision, exhaustion, and unfairness are the major attacks in this layer [4]. The usual defenses against these three attacks are, respectively, error-correcting code, rate limitation, and small frames, although these mechanisms have limitations.

Network Layer

There are many types of attacks in this layer. Karlof and Wagner summarize the attacks of network layer as follows: spoofed, altered, or replayed routing information; selective forwarding; sinkhole attacks; sybil attacks; wormholes; HELLO flood attacks; acknowledgement spoofing [5]. Authentication, identification, multipath, neighbor node monitor, location, distance verification, and so on are the normal methods to prevent routing attacks.

Transport Layer

Flooding and desynchronization are the normal attacks in this layer [4]. Solving client puzzles can partly ease flooding. One counter to desynchronization is to authenticate all packets exchanged, including all control fields in the transport protocol header.

As a whole, attack detecting methods can be classified as centralized approaches and neighbors’ cooperative approaches. Centralized approaches use the base station to detect attacks [6, 7]. In neighbors’ cooperative approaches, neighbor nodes of the given node collect neighbors’ information and make a collective decision to detect attacks [8, 9]. Essentially, [10] is a neighbors’ approach because it collects neighbors’ data, though it processes them with statistical method. Similarly, [11] also belongs to neighbors’ approach, though it makes decisions based on threshold analysis.

We note that all of the above schemes can be used to detect attacks to some extent; however, they may not be highly efficient because researchers implicitly suppose that any node, whether it is located near or far from the base station, has the same probability of being attacked. This assumption is not always suitable; for example, in battlefield surveillance applications, an attack event close to an enemy-controlled area occurs with a larger probability than in a controlled area. Thus, knowing the distribution of attacks can help us to design efficient and effective security mechanisms to detect and defend against them. This point is our main focus in this paper.

2.2. Node Positioning

In some location systems, several sensors have a positioning system such as GPS to determine their positions. We call this type of sensor a beacon node. These location systems use location information from the beacon nodes to construct the whole location system by utilizing ultrasound and time-of-flight techniques. Capkun and Hubaux [12] proposed a mechanism for position verification, called verifiable multilateration (VM), based on distance bounding techniques [13], which can prevent a compromised node from reducing the measured distance. VM uses the distance bound measurements from three or more reference points (verifiers) to verify the position of the claimant. Lazos and Poovendran [14] proposed a range overlapping method instead of using expensive distance estimation methods. Its main idea is as follows: each locator transmits different beacons with individual coordinates and coverage sector areas. After receiving enough sector information from different locators, the sensor estimates its location as the center of gravity of the overlapping region of the sectors that include it.

Due to adversaries’ attacks, the beacon nodes or normal nodes may be compromised. Some location systems estimate location by combining deployment knowledge and probability theory without beacons. For example, Fang et al. [15] integrated predeployment knowledge of sensors and the maximum likelihood estimation method to estimate the sensors’ locations.

3. Modeling of Attack Distribution

Before presenting the models of attack distribution, we describe some assumptions regarding the sensor network security scenarios.

3.1. Network and Security Assumptions

The following are our assumptions about WSNs.

(i) Base station: the base station is computationally robust, having the requisite processor speed, memory, and power to support the cryptographic and routing requirements of the sensor network. Adversaries can destroy the base station but they cannot compromise it within the limited time.

(ii) Sensor nodes: the sensor nodes are similar to current generation sensor nodes in their computational and communication capabilities and their power resources [16]. They can be deployed via aerial scattering or by physical installation. We assume that any sensor node will know the position of itself and its immediate neighbor nodes after deployment and the base station will know all the nodes’ positions. The sensor nodes will not change their positions after deployment. If adversaries change the positions or identities of nodes, the neighbor nodes will detect this attack [17], and this is not the focus of this paper.

(iii) Adversary: adversaries have unlimited energy and computing power. An attacker needs to spend some time to attack a node. In the attacking process, attackers will not change their targets until the chosen target nodes have been attacked. After attacking one node, the attacker will continue attacking a new good node without any halt, stop, or hibernation.

3.2. Distribution Models

Based on whether or not an attack event is treated as an independent event, we classify the attack distribution models as either basic models or intelligent models. To focus on the main viewpoint of attack distribution models, we only use 2-dimensional distribution models, which assume that all the nodes are in the same plane.

3.2.1. Basic Attack Distribution Models

We label some models as basic attack models because the probability of one sensor being attacked does not affect its neighbors within these models. When the attack probability and the frequency are comparatively small, the correlation of attacking among neighbors can be neglected. Under this condition, basic models are accurate enough to estimate the attack probability. Due to different application environments, we classify the basic models as either uniform models or gradient models.

(1) Basic Uniform Attack Distribution Model

In some sensor network application situations, such as environmental and health applications, every sensor node has nearly the same probability of being attacked regardless of its position. In such cases, it is reasonable for the attack probabilities of nodes to follow a uniform distribution, as shown in Figure 1.

The mathematical model is given by (1) where is the coordinate of the sensor; is the attack probability of this sensor at time is a distributed function which is independent of the coordinates of a sensor. Most current security approaches use this simple model without a clear declaration.

Figure 1: Basic uniform attack model.

(2) Basic Gradient Attack Distribution Model

In some special application scenarios, such as battlefield surveillance, reconnaissance of opposing forces and terrain, and other military applications, the basic uniform attack model is not suitable because the nodes close to an enemy-controlled area may have larger probabilities of being attacked than the nodes that are far away from an enemy-controlled area. Thus, a rough gradient-based attack model better approximates the real environment. The gradient is based on the distance from the opponent or the base station, as shown in Figure 2.

Figure 2: Basic gradient attack model.

The mathematical model is given by (2) where is the attack probability in the base station area at time is the gradient function; is the projective vector of sensor in the gradient direction. In this model, the closer that a sensor node is to an enemy-controlled area, the more probable that it is attacked. The difference between a uniform model and a gradient model is that the location of a sensor may affect the attack probability in the latter model, while it does not matter in the previous model.

3.2.2. Intelligent Attack Distribution Models

The above basic models assume that every attack is an independent event. This supposition is not accurate enough when the probability and frequency of attacks are comparatively larger, especially in a dense sensor network. In this environment, the attack probability of a node will increase when its neighbors have been recently attacked. It is easier and more conceivable for adversaries to attack the nearest neighbors in the next period after they have attacked a sensor, for the following reasons.

(i) The communication information between the attacked node and its neighbors may help adversaries to attack them easily, and the adversary is intelligent enough to utilize this correlation.

(ii) A recently attacked node means that the adversary is close to that node, and thus its neighbor nodes have larger probabilities of being chosen as the target of this adversary.

(iii) Attacking more nodes in a nearby area may badly impair the system when the sensor network uses a majority decision mechanism to integrate data, prevent error, and so on.

The difference between a basic model and an intelligent model is that the latter model considers the effect of attack events coming from neighbor nodes when estimating the attack probability. In intelligent models, systems should have mechanisms to detect and record the attack events and use current attack events to estimate future attacks. That’s why we call these models intelligent models. Before describing intelligent models, we give some technical terms as follows.

(i) Attacked node: it is a node that has already been attacked by an attacker and the attacker got its assaulting result, such as compromising the node, disabling it, and so on.

(ii) Attacking time: the time spent by an attacker to attack a benign node to get the assaulting result. In our models, attacking time follows normal distribution and the expected value is .

(iii) Detected attacked node: it is an attacked node whose attack event has already been detected by the system.

(iv) Recently attacked node: it is an attacked node that has been attacked within time interval .

(v) Detecting attacked time: the time interval between the time when the node was attacked and the time when the system detected that the node was attacked. In our models, it also follows normal distribution.

(vi) i-hop neighbor: an i-hop neighbor is a node that needs at least i hops to reach the given node.

In this type of model, we assume that the expected time for an adversary attack against a good node is and adversaries will continue attacking the good nodes with this frequency without any halt, stop, changing attacking target, or hibernation. In some sensor security mechanisms, the expected value may decrease when more and more nodes are attacked. But the attack difficulty can be kept at its previous level, and the assumption of the average attack time is still suitable, if the application meets one or both of the following cases: the total number of the attacked nodes is comparatively small compared with the large number of the normal nodes; the system adopts some adapting methods to enhance the security. A normal distribution with expected value can approximate the attack probability. Under this assumption, we time the system with each interval of . Our objective is to use currently available attack event information to estimate the attack probability in the next time period. We consider that the probability of a node being attacked includes two parts: current adversaries and new adversaries, which will join in the next period. Thus, we get the following mathematical model: (3) where is the attack probability, which is introduced by newly added adversaries in the time period from to is the probability that is introduced by current adversaries.

Similar to basic model classifications, an intelligent model can also be classified as a uniform model and a gradient model.

(1) Intelligent Uniform Attack Distribution Model

This model fits application environments where the new adversaries are evenly distributed within the coverage area. In this model, (3) can be expressed as follows: (4) where follows uniform distribution and does not depend on node position, and this part is introduced by newly added adversaries from time .

We define the 1-hop neighbors of the given node as its immediate neighbor nodes, which can directly connect to this node; the 2-hop neighbors of the given node are the nodes that need at least two hops to contact the given node, and so on. We call all the 1-hop neighbors of the given node the 1-hop layer nodes, all the 2-hop neighbors the 2-hop layer, and so on. In dense WSNs, the distances between a given node and its 1-hop neighbors are nearly equal. Therefore, we suppose that each 1-hop benign neighbor of a recently attacked node has the same probability of being chosen as the attacking target of the adversary which corresponds to this recently attacked node. Similarly, we make the same assumption for 2-hop neighbors, 3-hop neighbors, and so on. Because the probability that a 1-hop layer node is chosen as the attacking target is larger than that of a 2-hop layer node, and so on, a geometric distribution can approximate the probability of the adversary, which corresponds to the recently attacked node, choosing an attacking target from different layers.

Figure 3 clearly shows the above definitions. As shown in Figure 3, node is the given node; nodes and are 1-hop neighbor nodes of node nodes are 2-hop neighbors of node a. Nodes and have the same probability of being chosen as the attacking target in the next time period. Similarly, nodes and have the same probability of being chosen as the attacking target in the next time period. While the probability that one of 1-hop layer nodes ( and ) being chosen as the attacking target is larger than that of one of 2-hop layer nodes ( and ), and so on, a geometric distribution can approximate this assumption.

As shown in Appendix A, is given by

(5) where is the largest number of hops that node can access all the nodes in the network; is the number of nodes that have been recently attacked and are i-hops to node ; node is denoted as the recently attacked node in all nodes; is the total number of i-hop neighbors to node and of them are attacked nodes; the probability of one of i-hop nodes to be chosen as the attacking target of the adversary, which corresponds to a recently attacked node, is . is the attack probability of the chosen attacking target in time follows normal distribution and the expected value is follows geometric distribution and is given by (6)(7) where and are parameters of geometric distribution; is the total probability of an adversary choosing a good node, 1-hop to the recently attacked node, as the attacking target; is the ratio which is less than 1, and is a natural number.

As shown in Appendix A, we get the following equation: (8)

In the case of in (5), we use 1 instead of the product item first, and then replace with for each product item with index . For example, if , we use 1 instead of the product , and replace with , with , and so on for each product item with index .

In normal distribution, about of values lie within 3 standard deviations. The beginning attacking time (denoted by ) is the time when node is actually attacked. In time is equal to 0. In a practical environment, we cannot know the actual attacking time , but we can approximate it by subtracting the average detecting time from the actual detecting time of node being attacked.

Suppose the number of new added adversaries follows uniform distribution of time. As shown in Appendix B, is given by (9) where is a very small time period which can be thought of as the smallest time unit in the system; (); is the number of new adversaries that are introduced in a unit time; is the number of current good nodes in the network; Similar to , , follows the same normal distribution and is the time when newly introduced attacker nodes begin to attack probability in a unit time for each node (i.e., a node has probability of being chosen as the attacking target by the new adversaries in a unit time), which is given by (10)

To describe clearly the intelligent uniform model, we use Figure 4 to calculate the attack probability of node .

In Figure 4, nodes and are 1-hop neighbors of node a; nodes and are 2-hop neighbors of node nodes and are 1-hop neighbors of node nodes b and are recently attacked nodes that have been attacked in the last time period; nodes d and c are old attacked nodes. In Figure 4 for node a, , that is, node can reach all the sensors in the network within 2 hops. Node a has one 1-hop neighbor node (node b) and one 2-hop neighbor node (node ) that have been recently attacked. So and . Node has six 1-hop neighbors, thus . Node b has two 1-hop attacked neighbors, that is, node and node , then . Node has five 2-hop neighbors (node and ) and one 2-hop attacked neighbor (node ), consequently Suppose and no new adversaries are introduced in the network. We calculate the attack probability of node a as follows:

(11)

Figure 3: Definitions in intelligent mode.
Figure 4: Intelligent uniform attack mode.

(2) Intelligent Gradient Attack Distribution Model

This model fits application environments where the newly introduced attackers follow a gradient distribution of positions. Similar to the above intelligent uniform model, the mathematical model of attack probability is given by (12) where is given by (13)

Equation (13) is similar to (2). The only difference between these two equations is that the intelligent models partition the system time in small time period, which equals the average attacking time . The only difference between an intelligent uniform model and an intelligent gradient model is that they have different first items in the mathematical model expression. The first item of the latter follows a gradient distribution of position, while the previous follows a uniform distribution. Similar to an intelligent uniform model, can be estimated as the following equation: (14) where is the attack probability in a unit time in the base station area (i.e., a node has probability of being chosen as the attacking target in a unit time in this small area); the other parameters in (14) are the same as parameters in (9).

One may argue that the second part of (12) should also be adjusted with a gradient weight. Firstly, for a given recently attacked node, the probability of a corresponding adversary choosing a 1-hop layer node as the attacking target is larger than the probability of choosing a 2-hop layer node (i.e., . Secondly, the difference of gradient weight among 1-hop neighbors is comparatively small, especially in dense networks. Thirdly, for an attacker, the difference of attacking probabilities in different directions is close to zero. The number of attackers in different directions is enough to embody the gradient model. Thus, for easy estimation, we only introduce the gradient vector in the first part of (12). Figure 5 shows this model.

Figure 5: Intelligent gradient attack model.

4. Applications of Attack Distribution Models

Defending against attacks is the key success factor for sensor network security. An attack distribution model can help systems defend against attacks before they occur, or after they have occurred but have not yet been detected. Our models can be applied to many types of attacks. For example, the basic models can be adapted to most types of attacks that are introduced in Section 2. They provide a rough attack probability estimation that can be used to analyze system security weakness and help to defend against attacks with more efficiency and effectiveness. Our intelligent models can be applied to detect and defend against those types of attacks that have neighbor correlation effects, giving a more accurate attack probability estimation. A neighbor correlation effect is the phenomenon that a node has a larger probability of being attacked in the near future when its neighbor has been recently attacked. Of course, to use intelligent models, systems need attack detecting mechanisms.

We can apply attack distribution models to analyze system security weakness, improve security performance, distribute system resources efficiently on security cost, and so on. Because this is the first introduction of the attack distribution model, more research work should be performed in the future. In the following, we give some application examples of how to use our models to provide efficient and effective security mechanisms.

4.1. Detecting Attack

Detecting attacks is an important task for system security. In this area, the modeling of attacks helps a lot. A standard application of intelligent models is to integrate them into a current attack detecting system. For example, most current monitoring systems, such as those in [6–11], monitor all the nodes in the system without emphasis, and the system has to spread its resources evenly over all nodes, whether or not they have larger attack probabilities. That makes the detecting mechanism less efficient. Due to the heavy workload, the system performance may decrease greatly, which may even make this work impractical. Applying our models to these monitoring systems and choosing nodes that have larger attack probabilities as the main monitoring objects will make node monitoring more effective and more efficient, thus allowing the system to have enough resources to defend against attacks.

4.2. Secure Routing

WSNs use multihop routing and wireless communication to transfer data, and thus incur more routing attacks. To our knowledge, there is no previously published work that provides an effective routing algorithm that can prevent routing paths from passing through nodes that have been attacked but have not been detected by the system. Based on our survey, until now few proposals even consider undetected attack issues.

An ideal secure routing algorithm to defend against attacks lets routing paths bypass all attacked nodes. However, most attack activities cannot be immediately detected because any detection mechanism needs time, and the fraudulent actions of adversaries make this time even longer (adversaries do not want the system to notice their attacking activities, so they will adopt any action one can imagine to lengthen the detecting time). A routing path is still a compromise path when it passes through “good” nodes that the system considers good but that are actually attacked nodes which have not been detected yet. Applying our attack distribution models in secure routing algorithm design can ease this issue. We develop a novel probability secure routing scheme that estimates the attack probability and makes the routing paths detour around those nodes that have already been detected as attacked nodes or have attack probabilities larger than the given threshold.

Figures 6, 7, and 8 are the results from the same simulation. These three figures are used to compare different routing algorithms. For ease of description, we define the routing algorithm without security consideration as ALG-I (e.g., AODV in [18]), the algorithm in which the routing path bypasses detected attacked nodes as ALG-II (e.g., pathrater in [8]), and our algorithm as ALG-III (threshold is 0.12). The choice of threshold corresponds to the security requirement. We will discuss it later. In this simulation, the attack distribution follows an intelligent uniform model; there are 400 sensor nodes in the network and node density is equal to 10. The expected time for an adversary to attack a benign node is , which is equal to 300 time units; the average time for the system to detect an attacked node is also equal to . In each unit time, there are 10 randomly chosen routing requests to the base station; the simulation time is the intelligent model parameters values are as follows: , and . At the beginning of this simulation, 10 adversaries are introduced to attack this sensor network, and no new adversaries are introduced into the system afterwards. The probability threshold to distinguish good or bad nodes is 0.12.

Figure 6: Routing security comparison.
Figure 7: Routing overhead comparison.
Figure 8: Successful routing ratio comparison.

In Figure 6, the average compromise path ratio is the ratio of the number of compromise paths to the number of routing requests over the whole simulation time. A larger average compromise path ratio means less routing security under attack. This figure clearly shows the following: the average compromise path ratio in ALG-I is the largest among the three algorithms; the average compromise path ratio in ALG-II is in the middle; ALG-III has the smallest average compromise path ratio, as expected, and has the best security performance. This is easy to understand. ALG-I has the largest probability of finding a routing path that passes through attacked nodes because the routing algorithm does not consider detouring around attacked nodes. The attack probability will be rapidly decreased when the system adopts attack detecting mechanisms and makes the routing paths bypass those attacked nodes that have been detected by the system. Besides bypassing detected attacked nodes in the routing path, our algorithm also lets the routing path bypass those nodes that have larger probabilities of being attacked, so the routing path will bypass some nodes that have already been attacked but have not been detected by the system. As a result, our algorithm improves the routing security further.

Figure 7 compares the average routing path length (the average number of links in each routing path) in different algorithms. It shows the following: the average path length in ALG-I is the smallest; the average path length in ALG-II is in the middle; ALG-III has the largest average path length. The reason is that ALG-I finds the routing paths that have the fewest hops, and thus has the smallest average path length, while ALG-II may find paths that satisfy the security requirement but may not be the least-hop paths. In our algorithm, besides bypassing detected attacked nodes in the path, the routing path should also detour around some nodes that are estimated to be bad, making the average path length the largest among the three types of algorithms.

Figure 8 compares the average successful ratio (the ratio of the number of successful routing requests to the total number of routing requests) in the different algorithms. It shows that the average successful ratio is 100 percent in ALG-I, that of ALG-II is in the middle, and that of ALG-III is the smallest. Basically, in a completely connected network, every routing request will find a successful path. In ALG-II, however, some routing requests cannot find successful routing paths because there is some probability that a node is surrounded by detected attacked nodes and cannot find a valid routing path; the successful ratio decreases further when, as in our algorithm, the system also treats some nodes as bad nodes on the basis of their attack probability.

Figures 9, 10, and 11 compare the security, overhead, and successful ratio results with different thresholds in our algorithm. We use the same parameters as in the simulation for Figures 6, 7, and 8, except for the thresholds.

Figure 9: Routing securities in different thresholds.
Figure 10: Routing overhead in different thresholds.
Figure 11: Successful routing ratio in different thresholds.

The main purpose of Figures 9, 10, and 11 is to compare the security, overhead, and successful routing effects under different thresholds. When the threshold increases, the security performance decreases (the average compromise path ratio increases, as shown in Figure 9), the average length of routing paths decreases (as shown in Figure 10), and the successful ratio increases (as shown in Figure 11). The reason is that after the threshold increases, the system considers more nodes as good nodes, which increases the secure network connectivity. Thus, the system has a larger probability of finding a successful routing path for a routing request, and the average length of routing paths decreases because the total number of bad nodes in the algorithm becomes smaller. At the same time, the security performance decreases because a routing path has a larger probability of passing through a node that has actually been attacked but has not been detected, and is therefore regarded as a good node by the system. These three figures also show that the curves change sharply at first and tend to flatten later. The reason is that we suppose that the attacking time follows a normal distribution, and the attacking time for most attack events will fall near the expected value of the normal distribution (the normal distribution has a convergence property). If the threshold is close to the center value of this converging area, the number of undetected attacked nodes filtered by our algorithm varies to a large extent, making the curves tilt sharply. When the threshold is far from the center value of this converging area, the number of undetected attacked nodes filtered by our algorithm changes less, making the slope of the curves nearly constant.
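The trade-off among the three algorithms and the effect of the threshold can be reproduced on a toy network. The following is an added example, not the paper's simulation code: the 5x5 grid, the hot-spot probability estimate, the threshold values, and the rule that endpoints are always usable are constructed assumptions.

```python
from collections import deque

SIZE = 5                                   # constructed 5x5 grid of sensor nodes
HOT = (2, 2)                               # constructed centre of attack activity
ATTACKED = {(2, 2), (2, 1), (2, 3)}        # ground truth (constructed)
DETECTED = {(2, 2)}                        # what the detection mechanism has found

def attack_prob(node):
    """Constructed estimate: 0.9 at the hot spot, falling 0.3 per hop away.
    A stand-in for the paper's distribution models, not their formula."""
    d = abs(node[0] - HOT[0]) + abs(node[1] - HOT[1])
    return max(0, 90 - 30 * d) / 100

def shortest_path(src, dst, banned):
    """Breadth-first search for a minimum-hop path that avoids `banned`."""
    parent, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        x, y = cur
        for nxt in ((x + 1, y), (x - 1, y), (x, y + 1), (x, y - 1)):
            inside = 0 <= nxt[0] < SIZE and 0 <= nxt[1] < SIZE
            if inside and nxt not in parent and nxt not in banned:
                parent[nxt] = cur
                queue.append(nxt)
    return None                            # request fails: no valid path

def route(src, dst, algorithm, threshold=None):
    """Return (hops, compromised) or None when no path exists."""
    banned = set()
    if algorithm in ("II", "III"):
        banned |= DETECTED                 # bypass detected attacked nodes
    if algorithm == "III":                 # also bypass likely-attacked nodes
        banned |= {(x, y) for x in range(SIZE) for y in range(SIZE)
                   if attack_prob((x, y)) > threshold}
    banned -= {src, dst}                   # assumption: endpoints are always usable
    path = shortest_path(src, dst, banned)
    if path is None:
        return None
    return len(path) - 1, any(n in ATTACKED for n in path)

if __name__ == "__main__":
    for alg, th in (("I", None), ("II", None), ("III", 0.7), ("III", 0.5), ("III", 0.2)):
        print(alg, th, route((0, 2), (4, 2), alg, th))
```

For the request from (0, 2) to (4, 2), ALG-I and ALG-II both return a compromised path, ALG-III at threshold 0.5 returns a longer but clean path, and at threshold 0.2 the request fails because too many nodes are treated as bad.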

Besides improving routing security, using our models can also help systems save effective energy. In some applications, systems cannot use attacked nodes even though those nodes may still have more energy. If we know that a node has a larger probability of being attacked in the future, utilizing its resources and energy before it has been attacked will help systems decrease the energy and resource loss. Attack distribution models can estimate attack probabilities in the future. If we apply attack distribution models and design a routing algorithm which allows routing paths to choose those nodes whose attack probabilities are still in the secure scope but may enter an insecure scope in the future, it will save systems effective energy and resources while still providing enough security.

4.3. Key Management

For security, key management is very important and complex, especially in symmetric cryptography structures. Many current key management proposals, such as [19–21], do not consider the attack distribution. They implicitly assume the attack probability to be the same for every node. However, when such a security system is deployed in an environment different from the one it assumes, the security performance will decrease greatly.

For example, in [19], the security scheme requires common keys ( is a constant, ) to establish secure communications between a pair of nodes. In their scheme, is equal in each area. When their scheme is deployed in a gradient-based environment, the security performance will decrease because the system has the same ability to tolerate or defend against attacks in all areas, but adversaries attack the system with different strengths on different areas; thus making the system unable to provide enough security in some areas and able to provide more security than needed in other areas. Of course, you can increase to provide enough security everywhere, but it will consume more resources. It looks difficult to get a high security performance with a low overhead; however, when you apply an attack distribution model to this security mechanism, you will find that this is the key in solving this issue. For example, if we apply to follow the same distribution as the attack distribution model, that is, where is the coordinates of node, the system will solve the above-mentioned issue. In the modified security scheme, the ratio between the strength of preventions and attacks can be kept the same in every area. In [20, 21], though this scheme has a nice threshold property (when the number of compromised nodes is less than the threshold , the probability that any nodes other than these compromised nodes are affected is close to zero), it needs more resources to implement this desirable threshold when it is deployed in a gradient-based application environment. Similarly, we can also apply to follow the same distribution as the attack model of the given application environment to ease the issue.

Besides improving the key predistribution step of key management, we can also apply our models to aberrant node management, rekeying frequency, and so on, using a similar modification method in order to improve system performance and security.

5. Conclusions and Future Work

In this paper, we have developed several models to estimate attack distribution in different sensor network application environments. These models allow systems to estimate the probabilities of attacks. Applying these models to system security design will improve system security performance and decrease the overheads in nearly every security-related area. Based on these models, we briefly describe a novel secure routing algorithm that can defend against undetected attacks effectively. Besides this application, we also introduce some other applications, such as secure routing that saves systems available energy and resources while still providing enough security, detecting attack, and key management.

Because this is the first time we try to model the distribution of attacks, there are some important works that we plan to study in the future. For example, how to model the attack distribution in mobile networks? How to find the suitable values for the parameters in current models when they are deployed in practical applications?

Appendices

A. Appendix A

In the intelligent uniform model, the probability of a node being attacked which is introduced by all recently attacked nodes is given by (A.1)

Suppose

Benign node can access all the nodes in the network at most by hops; node has recently attacked nodes which are i-hops to it. We denote node as the jth recently attacked node in all nodes; node has i-hop neighbors and of them are attacked nodes; the probability of one of i-hop nodes of being chosen as the attacking target of the adversary, which corresponds to a recently attacked node, follows a geometric distribution and is given by (A.2) (A.3) where and are parameters of the geometric distribution, is a natural number.

From (A.3), we have the following equation: (A.4) If is a large natural number, (A.4) can be expressed as the following equation: (A.5) From (A.3) and (A.5), we get the following equation: (A.6)

Derivation of

From the above suppositions, the probability (denoted by ) of node to be chosen as the attacking target of the adversary which corresponds to node is given by (A.7) The probability (denoted by ) of node of being attacked at time , which corresponds to node , is given by (A.8) where is the attack probability of the chosen attacking target in time follows normal distribution and the expected value is . Thus, the unattacked probability (denoted by ) of node , which corresponds to node , is given by (A.9) Then, the unattacked probability (denoted by ) of node , which corresponds to all recently i-hop attacked nodes, is given by (A.10) Then, the unattacked probability (denoted by ) of node , which corresponds to all recently attacked nodes, is given by (A.11) Finally, the probability of node being attacked, which corresponds to all recently attacked nodes, is given by (A.12)

B. Appendix B

In intelligent uniform model, the probability of one node being attacked, which is introduced by all new adversaries joined from time , is given by (B.13)

Suppose

The number of newly added adversaries follows uniform distribution of time and the time for an adversary to attack a node follows normal distribution which is expressed as function. is a very small time period which can be thought of as the smallest time unit in the system; (); is the number of new adversaries that are introduced in a unit time; is the number of current good nodes in the network; is a normal distribution function; is the attack probability in unit time for each node (i.e., a node has probability to be chosen as the attacking target in a unit time), which is given by(B.14)

Derivation

In each time period, there are adversaries added to the network. Considering the ith time period which begins from to , we have what follows.

The probability (denoted by ) of one node being chosen as the attacking target by the new adversaries that are introduced in the time period is given by (B.15) Then, the probability (denoted by ) of one node being attacked by the new adversaries that are introduced in the time period, is given by (B.16) Then, the probability (denoted by ) of a node that has not been attacked by the new adversaries that are introduced in the time period is given by (B.17) Thus, the probability (denoted by ) of a node that has not been attacked by all the new adversaries that are introduced from to now is given by (B.18) Finally, the probability of one node to be attacked, which is introduced by all new adversaries that are introduced from time , is given by (B.19)

References

  1. D. Estrin, R. Govindan, J. Heidemann, and S. Kumar, “Next century challenges: scalable coordination in sensor networks,” in Proceedings of the 5th ACM/IEEE International Conference on Mobile Computing and Networking (MOBICOM '99), p. 263, Seattle, Wash, USA, August 1999.
  2. I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks,” IEEE Communications Magazine, vol. 40, no. 8, p. 102, 2002.
  3. E. Shi and A. Perrig, “Designing secure sensor networks,” IEEE Wireless Communications, vol. 11, no. 6, p. 38, 2004.
  4. A. D. Wood and J. A. Stankovic, “Denial of service in sensor networks,” Computer, vol. 35, no. 10, p. 54, 2002.
  5. C. Karlof and D. Wagner, “Secure routing in wireless sensor networks: attacks and countermeasures,” Ad Hoc Networks, vol. 1, no. 2-3, p. 293, 2003.
  6. C. Jaikaeo, C. Srisathapornphat, and C.-C. Shen, “Diagnosis of sensor networks,” in Proceedings of the IEEE International Conference on Communications (ICC '01), p. 1627, Helsinki, Finland, June 2001.
  7. J. Staddon, D. Balfanz, and G. Durfee, “Efficient tracing of failed nodes in sensor networks,” in Proceedings of the 1st ACM International Workshop on Wireless Sensor Networks and Applications, p. 122, Atlanta, Ga, USA, September 2002.
  8. S. Marti, T. Giuli, K. Lai, and M. Baker, “Mitigating routing misbehavior in mobile ad hoc networks,” in Proceedings of the 6th Annual International Conference on Mobile Computing and Networking (MOBICOM '00), p. 255, Boston, Mass, USA, August 2000.
  9. G. Wang, W. Zhang, G. Cao, and T. La Porta, “On supporting distributed collaboration in sensor networks,” in Proceedings of IEEE Military Communications Conference (MILCOM '03), vol. 2, p. 752, Monterey, Calif, USA.
  10. M. Ding, D. Chen, K. Xing, and X. Cheng, “Localized fault-tolerant event boundary detection in sensor networks,” in Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM '05), vol. 2, p. 902, Miami, Fla, USA.
  11. B. Krishnamachari and S. Iyengar, “Distributed Bayesian algorithms for fault-tolerant event region detection in wireless sensor networks,” IEEE Transactions on Computers, vol. 53, no. 3, p. 241, 2004.
  12. S. Capkun and J.-P. Hubaux, “Secure positioning of wireless devices with application to sensor networks,” in Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM '05), vol. 3, p. 1917, Miami, Fla, USA.
  13. S. Brands and D. Chaum, “Distance-bounding protocols,” in Proceedings of Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology, p. 344, Lofthus, Norway, May 1993.
  14. L. Lazos and R. Poovendran, “SeRLoc: secure range-independent localization for wireless sensor networks,” in Proceedings of the ACM Workshop on Wireless Security (WiSe '04), p. 21, Philadelphia, Pa, USA, October 2004.
  15. L. Fang, W. Du, and P. Ning, “A beacon-less location discovery scheme for wireless sensor networks,” in Proceedings of the 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM '05), vol. 1, p. 161, Miami, Fla, USA.
  16. Crossbow Technology, “MICA2: wireless measurement system,” http://www.xbow.com.
  17. H. Song, L. Xie, S. Zhu, and G. Cao, “Sensor node compromise detection: the location perspective,” in Proceedings of the International Conference on Wireless Communications and Mobile Computing (IWCMC '07), p. 242, Honolulu, Hawaii, USA, August 2007.
  18. C. E. Perkins and E. M. Royer, “Ad-hoc on-demand distance vector routing,” in Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '99), p. 90, New Orleans, La, USA, February 1999.
  19. H. Chan, A. Perrig, and D. Song, “Random key predistribution schemes for sensor networks,” in Proceedings of IEEE Symposium on Security and Privacy, p. 197, Berkeley, Calif, USA, May 2003.
  20. W. Du, J. Deng, Y. S. Han, and P. K. Varshney, “A pairwise key pre-distribution scheme for wireless sensor networks,” in Proceedings of the ACM Conference on Computer and Communications Security (CCS '03), p. 42, Washington, DC, USA, October 2003.
  21. D. Liu and P. Ning, “Establishing pairwise keys in distributed sensor networks,” in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), p. 52, Washington, DC, USA, October 2003.