Discrete Dynamics in Nature and Society

Volume 2017 (2017), Article ID 5743801, 9 pages

https://doi.org/10.1155/2017/5743801

## A Dynamic Programming Model for Internal Attack Detection in Wireless Sensor Networks

^{1}School of Computer Science and Control Engineering, North University of China, Taiyuan, Shan’xi 030051, China

^{2}School of Instrument and Electronics, North University of China, Taiyuan, Shan’xi 030051, China

Correspondence should be addressed to Qiong Shi

Received 10 March 2017; Accepted 9 May 2017; Published 1 June 2017

Academic Editor: Lu-Xing Yang

Copyright © 2017 Qiong Shi et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Internal attack is a crucial security problem for the wireless sensor network (WSN). In this paper, we focus on internal attack detection, which is an important way to locate attacks. We propose a state transition model, based on the continuous time Markov chain (CTMC), to study the behavior of the sensors in a WSN under internal attack. We then construct the internal attack detection model as an epidemiological model. In this model, we treat the detection rate as the rate of transition from the compromised state to the response state. Using the Bellman equation, the utility of the state transitions of a sensor can be written in the standard form of dynamic programming. This reveals a natural way to find the optimal detection rate: maximize the total utility of the compromised state of the node (the sum of current utility and future utility). In particular, we encapsulate the current state, survivability, availability, and energy consumption of the WSN into an information set. We conduct extensive experiments, and the results show the effectiveness of our solutions.

#### 1. Introduction

A wireless sensor network (WSN) is always vulnerable because it is usually deployed in hostile environments [1]. Attack behaviors in WSN fall into two main types: external attack and internal attack. Because improved hardware performance makes public-key cryptography possible, external attacks in WSN can be prevented effectively with a security structure based on cryptography [2–4]. Thus, research focuses on internal attacks, covering the detection, revocation, and tolerance of compromised nodes and of replicated nodes that have been physically captured. Normally, there are three ways to detect internal attacks: analyzing the attack behavior [5–8], detecting the compromised nodes [9–13], and verifying replica attack [14–17].

In a WSN, a sensor is typically in one of four states: healthy, compromised, responsive, or failed. At any time, a sensor is in exactly one of these states. Because of internal attacks, the sensor moves among the states during its lifecycle. In this paper, we use the continuous time Markov chain (CTMC) to model the state transition of sensors. In addition, we build an internal attack detection model for WSN based on the classical SIR epidemiological model. The model describes the behavior of the sensors in a WSN under internal attacks.

Thereafter, we can detect internal attacks over the models. According to our study, the detection rate can be viewed as the rate of transition from the compromised state to the responsive state. In this way, the system responds immediately when a sensor changes to the compromised state, that is, when the node has been attacked. Existing studies on internal attack detection in WSN traditionally focus on more efficient detection methods and higher detection rates [18–20]. In practice, however, a higher detection rate is not always better, especially when it is constrained by network characteristics of a WSN such as power and computing capability. In contrast, we are more concerned with the trade-off between detection rate and network characteristics.

Therefore, we propose a solution that finds the optimal detection rate rather than choosing the highest rate. Using the Bellman equation, the utility of the state transitions of a sensor can be written in the standard form of dynamic programming. In addition, we encapsulate four parameters, namely current state, survivability, availability, and energy consumption, into an information set. The information set is a good indicator for balancing network characteristics against security. We find the optimal detection rate by maximizing the total utility. Extensive experiments have been conducted to show the effectiveness of our solutions. The experimental results show that our solution can indeed improve the survivability of WSN and can therefore guide the design of WSN.

The rest of this paper is organized as follows. In Section 2, we review related work and outline the perspectives and approaches in the existing literature. In Section 3, we propose the state transition model of internal attack and the internal attack detection model, based on the CTMC and the epidemiological model, respectively. We then establish a dynamic programming model via the Bellman equation to find the optimal detection rate. In Sections 4 and 5, we present the numerical simulation study for our methods. Finally, we conclude the paper and discuss future work in Section 6.

#### 2. Related Work

The epidemiological model has been widely used to analyze the spread of malware in wired networks [21–25]. In [26], the impact of the network topology on viral prevalence was studied and a node-based approach was proposed. In [27], epidemic processes were studied in complex networks. In [28], a theoretical approach was proposed for assessing the impact of patch forwarding on the prevalence of computer viruses.

In recent years, the epidemiological model has been applied increasingly widely to WSN [29]. Analyses based on simulation and experimental research show that the epidemiological model can effectively describe the dynamic propagation of malware when the number of nodes in the network is large enough. In [30], the attack behavior of malware was studied by combining the epidemiological model with a loss equation. In [31], a reactive diffusion equation model of malware propagation was proposed based on the theory of epidemiological diseases.

Normally, the state of a sensor in a WSN is healthy, compromised, responsive, or failed. At any time, a sensor is in exactly one of the four states. A sensor moves to another state if it suffers an internal attack. Although the decisions of the “malicious attacker” are not random in the attacked WSN, the attack time is randomly distributed, so we use the CTMC to model the state transition of a sensor. The lifecycle of a sensor can be regarded as a dynamic system, so a stochastic process can be used to establish the corresponding model. In some related papers, the Markov chain [32] is also widely used to simulate the spread of malware in WSN.

#### 3. Model and Methods

##### 3.1. State Transition Model

The various epidemic models are in fact state transition models. Their states are mutually exclusive: every sensor is in exactly one state at any time. A sensor moves among the different states during its lifecycle.

The state transition of a node in WSN can be modeled with a CTMC. Figure 1 depicts the state transition diagram of a node under an internal attack. A circled node in the diagram stands for a state which is either healthy, compromised, responsive, or failed, which are marked with , , , or , respectively. Each arc in the diagram associates with a rate , which indicates the rate of the transition from state to state when the node suffered an internal attack.
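The four-state chain described above can be made concrete as follows. This is an added example, not the authors' code: because Figure 1 and the rate symbols are not reproduced here, the arcs (healthy to compromised, compromised to responsive, compromised to failed, responsive to healthy) and every rate value are assumptions chosen for illustration. It integrates the CTMC forward equation and shows how the detection rate shifts a node's state distribution.

```python
# Added example: arcs and rate values are assumptions, not the paper's Figure 1.
STATES = ("healthy", "compromised", "responsive", "failed")
H, C, R, F = range(4)


def generator(attack, detect, fail, recover):
    """Build the CTMC generator matrix Q for the assumed arcs."""
    q = [[0.0] * 4 for _ in range(4)]
    q[H][C] = attack    # healthy -> compromised (internal attack succeeds)
    q[C][R] = detect    # compromised -> responsive (the detection rate)
    q[C][F] = fail      # compromised -> failed (undetected node is lost)
    q[R][H] = recover   # responsive -> healthy (node is restored)
    for i in range(4):
        q[i][i] = -sum(q[i])  # diagonal makes each row sum to zero
    return q


def state_probabilities(q, t_end, p0=(1.0, 0.0, 0.0, 0.0), steps=20000):
    """Integrate the forward equation dp/dt = p Q with forward Euler."""
    dt = t_end / steps
    p = list(p0)
    for _ in range(steps):
        flow = [sum(p[i] * q[i][j] for i in range(4)) for j in range(4)]
        p = [p[j] + dt * flow[j] for j in range(4)]
    return dict(zip(STATES, p))


def sweep(detect_rates, t_end=50.0, attack=0.05, fail=0.02, recover=0.5):
    """State distribution at t_end for each candidate detection rate."""
    return {d: state_probabilities(generator(attack, d, fail, recover), t_end)
            for d in detect_rates}


if __name__ == "__main__":
    for d, p in sweep([0.01, 0.1, 1.0]).items():
        row = "  ".join(f"{s}={p[s]:.3f}" for s in STATES)
        print(f"detect={d:<5} {row}")
```

The sweep covers only the security side of the trade-off; the energy cost of a higher detection rate, which the paper weighs against it, is not modeled here.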