
CN101453733B - Wormhole attack detection method based on monitor node in wireless Mesh network - Google Patents


Info

Publication number
CN101453733B
Authority
CN
China
Prior art keywords
nodes
node
wormhole
monitoring
attack
Prior art date
Legal status
Expired - Fee Related
Application number
CN2008102276970A
Other languages
Chinese (zh)
Other versions
CN101453733A (en)
Inventor
何泾沙
付颖芳
李国瑞
肖鹏
王戎
Current Assignee
Beijing University of Technology
Original Assignee
Beijing University of Technology


Abstract

The invention relates to a wormhole attack detection method based on monitoring nodes in a wireless Mesh network, and belongs to the field of computer networks. When a source node transmits information to a destination node, every monitoring node on the path observes the packets passing over the link it is responsible for. If the measured packet loss rate of a link exceeds a maximum threshold, the monitoring node reports to the regional router that the link is a wormhole. The regional router then starts a voting mechanism among the monitoring nodes; if most of them vote that the link is a wormhole, the two nodes at its ends are wormhole attack nodes. The regional router temporarily isolates the two nodes and transmits a report to a core router, and the core router revokes the authorization certificates of the two wormhole attack nodes and expels them from the network. The method ensures that malicious nodes in a wireless Mesh network are detected and isolated when they exploit high bandwidth to launch a wormhole attack.

Description

Wormhole attack detection method based on monitoring nodes in a wireless Mesh network

Technical field

The invention relates to a wormhole attack detection method based on monitoring nodes. It can be applied to detecting wormhole attacks launched by exploiting high bandwidth in a wireless Mesh network, and belongs to the field of computer networks.

Background

In wireless Mesh networks, most existing routing protocols assume that the communicating parties operate in a secure environment; they concentrate on route selection and routing policy and rarely consider security. However, because Mesh clients also act as routers, Mesh nodes can create, delete or update routing paths in the network on the basis of routing information and thereby launch a variety of attacks. The wormhole attack is one of the most dangerous of these. In a wormhole attack, two colluding malicious nodes X and Y establish a high-quality, high-bandwidth private channel; the attacker records packets or bits at position X in the network and relays the captured data through the private channel to another position Y. Because the private channel generally spans a distance greater than a single wireless hop, packets relayed through it reach the destination node earlier than packets carried over the normal multi-hop path. Once communicating users select the private channel between X and Y, X and Y can drop all packets, forward only some of them, modify packets, and so on. This attack succeeds even when the network uses trust relationships and identity authentication and the attacker holds no keys. Worse, unlike malicious nodes in routing protocols, which can be located easily, wormhole attackers are invisible to the higher layers: neither the wormhole nor the attackers at its two ends appear in the path. A stronger measure is therefore needed to detect wormhole attacks and secure the applications of wireless Mesh networks. Sastry, Shankar and Wagner of the University of California, Berkeley proposed the Echo protocol, in which only nodes belonging to a wireless network equipped with radio frequency or ultrasound can be in the verification region. To prove that it lies inside the verification region, an unverified node sends an ultrasound signal to a verified node, and the verified node decides from the time at which it receives that signal whether the unverified node is inside the region. The advantage of this protocol is that it needs neither cryptography nor strict clock synchronization. Although radio-frequency signals are used in most wireless network devices, detecting wormhole attacks this way requires every network device to carry additional hardware for detecting and emitting ultrasound, which raises the cost of the network. He, Tian et al. proposed APIT, which uses triangular regions to determine node positions in the network: nodes equipped with GPS compute whether certain nodes lie inside the triangles they form. These computations determine the relative positions of all nodes in the network and can help prevent wormhole attacks outside the triangular regions, but they cannot prevent wormhole attacks inside them. Bulusu, Heidemann and Estrin use weak signal strength to detect wormhole attacks, but signal strength is an unstable parameter that is easily disturbed by the surroundings: a signal emitted by the same node from the same position becomes stronger or weaker as the environment changes. Hu, Lingxuan and David Evans determine whether a wormhole attack is present by checking whether the antenna direction of the sending node matches that of the receiving node; this constraint restricts the free movement of, and free communication between, Mesh nodes that may be either static or mobile. Yih-Chun Hu et al. proposed the Packet Leashes method, which bounds the maximum transmission distance of the sending node by adding a geographical or temporal leash to each packet. The same work uses the TIK authentication protocol to detect and defend against wormhole attacks, matching the timestamp and position stamp in every packet to detect whether a wormhole has intruded into the system. In the TIK protocol every node has a public key that it must disclose to the other users, which increases the storage required at each node and the bandwidth consumed by the network.

Summary of the invention

To prevent malicious nodes in a wireless Mesh network from exploiting high bandwidth to launch wormhole attacks, we propose a wormhole attack detection method based on monitoring nodes, which ensures that malicious nodes are detected and isolated when they launch a wormhole attack.

The present invention provides a network model for wormhole attack detection with the following characteristics:

(1) There is a backbone network containing at least two backbone routers. These backbone routers form a virtual CA under a threshold scheme; there is also an offline CA that joins the network only when it is notified that an attack node exists, and an authorization certificate store that only backbone routers can access. Among all the backbone routers, at least two have a wired connection to the Internet;

(2) There are at least two regional networks, each with two regional routers; each regional router is connected to the backbone routers and to end users. The regional routers share a database that stores user IDs, region IDs, authorization keys and user information (identity card, e-mail address, mailing address, mobile phone number).

(3) High-speed wireless links are used in the backbone network and low-speed links in the regional networks;

(4) The two communicating parties authenticate each other with their authorization certificates and transmit information using identity-based encryption;

(5) Neither the source node nor the destination node is an attack node, and at least one regional router and the backbone routers forming the virtual CA are not malicious attack nodes;

The present invention proposes a wormhole attack detection method based on monitoring nodes in a wireless Mesh network, characterized by the following steps:

(1) At initialization, the offline CA assigns public/private key pairs and public key certificates to the backbone routers, regional routers and user nodes, and assigns public/private key pairs to the backbone network and to each regional network;

(2) An applying node submits the public key certificate issued by the offline CA to the virtual CA, and the virtual CA authenticates the applying node with that certificate; applying nodes include user nodes, backbone routers and regional routers;

(3) Once an applying node has been authenticated by the virtual CA, it is issued an authorization certificate and an identity-based private key. The authorization certificates are kept in the authorization certificate store, which only backbone routers can access;

(4) The regional router selects monitoring nodes according to the users' data storage capacity and security level. A monitoring node is a node able to monitor the packets sent on a given link and to keep a record of them in its cache. For example, if node C is the monitoring node of link A-B, then C is a neighbour of both A and B, and the packets sent and received by A and B are under C's observation: whenever A or B sends a packet, C stores the packet identifier together with the identifier of the sending node in its cache.

(5) While the sending node and the receiving node communicate, the monitoring node monitors every packet entering and leaving this link and records it in its cache, and then applies the detection procedure described below, shown in Figure 1, to decide whether a wormhole attack is present;

(6) If the monitoring node observes that a sending node has sent x packets and that the receiving node has forwarded y of them, the monitoring node computes the packet loss rate γ = (x - y)/x × 100%. If γ > τ, a wormhole attack is deemed to exist and the monitoring node reports to the regional router that this link is a wormhole. In the expression γ > τ, γ is the packet loss rate and τ is the maximum packet loss threshold specified by the system; τ is set according to the normal packet loss rate observed when the network is operating normally;

(7) When the regional router receives a report from a monitoring node, it starts a voting mechanism based on the monitoring nodes: it either actively polls the other monitoring nodes or passively collects their reports over a fixed period;

(8) If the majority of monitoring nodes vote that the link is a wormhole, the two nodes at its ends are wormhole attack nodes, and the regional router temporarily isolates them;

(9) At the same time, the regional router announces the attack information to the users of the whole regional network and to the backbone routers;

(10) The backbone routers revoke the authorization certificates of the two wormhole attack nodes, expelling them from the network;

Throughout these steps, communication between users, reports from monitoring nodes to the regional router, and reports from the regional router to the backbone routers all use identity-based encryption.

The purpose of the present invention is to provide a wormhole attack detection method based on monitoring nodes that protects wireless Mesh network users from wormhole attacks launched by exploiting high bandwidth. The method ensures that malicious attack nodes in a wireless Mesh network are detected and isolated promptly when they exploit high bandwidth to launch a wormhole attack, securing the network. Compared with the Echo protocol of Sastry, Shankar and Wagner, our mechanism does not require every network device to carry additional hardware for detecting and emitting ultrasound. Compared with the APIT method of He, Tian et al., our misdetection rate is much improved, because APIT cannot detect wormholes inside a given triangular region, whereas we apply extensive statistics to set the packet loss threshold τ from the network size and the users' everyday behaviour, so our method also detects wormholes inside a given triangular region. Compared with the method of Bulusu, Heidemann and Estrin, which relies on weak signal strength, our mechanism does not depend on signal strength, which is strongly affected by the environment. Compared with the method of Hu, Lingxuan and David Evans, which checks whether the antenna direction of the sending node matches that of the receiving node, our mechanism does not depend on matching antenna angles. Compared with the Packet Leashes method of Yih-Chun Hu et al., our mechanism uses identity-based encryption, which greatly reduces the storage space and bandwidth the network would otherwise need to store and publish public keys. Our wormhole attack detection mechanism is therefore an effective, highly usable detection method that withstands wormhole attacks and can prevent and mitigate wormhole behaviours such as dropping, modifying or leaking packets, achieving our intended goal.

Description of drawings

Figure 1: detection flowchart of the present invention

Figure 2: attack model diagram of the present invention

Figure 3: network model diagram of the present invention

Detailed description

The present invention proposes an attack model in which high bandwidth is exploited to launch a wormhole attack against the Multi-Radio Link-Quality Source Routing (MR-LQSR) protocol, developed by Microsoft for wireless Mesh networks with multiple radios.

The MR-LQSR protocol adopts a new routing metric called Weighted Cumulative Expected Transmission Time (WCETT), expressed by equations (1) and (2):

$$\mathrm{WCETT} = (1-\beta)\sum_{i=1}^{h}\mathrm{ETT}_i + \beta\max_{1\le j\le k} x_j \qquad (1)$$

In equations (1) and (2), h is the number of hops (links) on a route, k is the number of channels used in the system, ETT_i is the expected time to transmit a packet on link i, x_j is the time needed to transmit packets on channel j, and β is a tunable parameter in the range 0 ≤ β ≤ 1. When all channels can be fully used, β = 0. WCETT takes into account link performance parameters such as bandwidth as well as factors such as the minimum hop count, but when all channels are fully used or WCETT weights are equal, two colluding malicious nodes can exploit this weakness of the routing protocol to launch a wormhole attack. As shown in the attack model of Figure 2, source node S wants to find the best route to communicate with destination node D. Malicious nodes X and Y establish a high-bandwidth private tunnel between them, so there are three routes from S to D, namely S-E-F-D-G-H-D, S-Q-X-A-B-C-Y and S-Q-X-Y-D. The WCETT value of S-Q-X-Y-D is 10, that of S-Q-X-A-B-C-Y is 11 and that of S-E-F-D-G-H-D is 12. Among the three routes, destination node D therefore selects S-Q-X-Y-D, whose high bandwidth gives it the smallest WCETT value, as the best route. When source node S sends packets to destination node D along S-Q-X-Y-D, the malicious nodes X and Y launch their attack, for example by dropping packets, forwarding only some of them, or modifying them.
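The following is an added example, not code from the patent: it evaluates the WCETT metric of equation (1) on constructed per-hop ETT values (in milliseconds, not the figure-2 values behind the 10/11/12 result) to show why the routing layer alone picks the tunnel route. The per-channel term x_j is taken as the sum of the ETTs of the hops on channel j, the standard WCETT definition, which the page refers to as equation (2) without reproducing it.

```python
# Added example, not the patent's code: WCETT from equation (1) evaluated on
# constructed per-hop ETT values. X_j is taken as the sum of the ETTs of the
# hops on channel j (the standard WCETT definition, which the page cites as
# equation (2) without reproducing it).
from collections import defaultdict


def wcett(hops, beta):
    """hops: list of (ett, channel) pairs along a route, ett in milliseconds.
    WCETT = (1 - beta) * sum_i ETT_i + beta * max_j X_j."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie in [0, 1]")
    total = sum(ett for ett, _ in hops)          # cumulative ETT over h hops
    per_channel = defaultdict(float)             # X_j for each channel j
    for ett, channel in hops:
        per_channel[channel] += ett
    return (1 - beta) * total + beta * max(per_channel.values())


def best_route(routes, beta):
    """Return the name of the route with the smallest WCETT (lower is better)."""
    return min(routes, key=lambda name: wcett(routes[name], beta))


# Constructed routes mirroring the three candidates of the attack model: a
# 5-hop honest path, a 7-hop honest path, and the path through the X-Y tunnel.
# Honest hops get ETT 1.0 on alternating channels; the tunnel hop gets a small
# ETT (0.2) on its own channel because of its high bandwidth.
EXAMPLE_ROUTES = {
    "five_hop": [(1.0, 1), (1.0, 2), (1.0, 1), (1.0, 2), (1.0, 1)],
    "seven_hop": [(1.0, 1), (1.0, 2), (1.0, 1), (1.0, 2), (1.0, 1), (1.0, 2), (1.0, 1)],
    "tunnel": [(1.0, 1), (1.0, 2), (0.2, 3), (1.0, 1)],   # S-Q, Q-X, X-Y, Y-D
}


def metric_table(routes, betas=(0.0, 0.5, 1.0)):
    """WCETT of every route for several beta values. The tunnel route is the
    minimum in every column: the metric cannot tell a private tunnel from a
    genuinely good link, which is why the patent adds monitoring nodes."""
    return {name: [round(wcett(hops, b), 3) for b in betas]
            for name, hops in routes.items()}
```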

To achieve the goal stated above, we deploy the network model shown in Figure 3 and then use the monitoring-node-based wormhole attack detection method to detect the wormhole attack nodes and isolate them.

1. Network model

The designed network model is shown in Figure 3 and has the following characteristics:

(1) The whole wireless Mesh network consists of one backbone network and two regional networks.

(2) The backbone network consists of four backbone routers, an offline CA that joins the network only when it is notified that an attack node exists, and an authorization certificate store that only the backbone routers can access. Two of the backbone routers have a wired connection to the Internet.

(3) Each regional network has two regional routers connected to the backbone routers and to end users. The regional routers share a database that stores user IDs, region IDs, authorization keys and user information (identity card, e-mail address, mailing address, mobile phone number).

(4) The backbone network uses 54 Mbps wireless links and the regional networks use 11 Mbps links;

(5) The four backbone routers of the backbone network grant applying nodes an identity-based private key and an authorization certificate under a (4,3) threshold scheme; the communicating parties authenticate each other with their authorization certificates and transmit information using identity-based encryption;

(6) Neither the source node nor the destination node is an attack node, and at least one regional router and m backbone routers are not malicious attack nodes;

(7) The geographic position of every node can be obtained accurately through GPS (Global Positioning System).

2. Detection steps

We take the attack model of Figure 2 as an example to show that our wormhole attack detection method can detect wormhole attacks launched by exploiting high bandwidth.

(1) At initialization, the offline CA assigns public/private key pairs and public key certificates to the backbone routers, regional routers and user nodes, and assigns public/private key pairs to the backbone network and to each regional network;

(2) An applying node submits the public key certificate issued by the offline CA to the virtual CA, and the virtual CA authenticates the applying node with that certificate; applying nodes include user nodes, backbone routers and regional routers;

(3) Once an applying node has been authenticated by the virtual CA, it is issued an authorization certificate and an identity-based private key. The authorization certificates are kept in the authorization certificate store, which only backbone routers can access;

(4) The regional router designates monitoring nodes according to the users' data storage capacity and security level. In the attack model of Figure 2, the regional router designates node I as the monitoring node of link Q-X, nodes A, B, C, P, K and M as the monitoring nodes of link X-Y, and node L as the monitoring node of link Y-D;

(5) When source node S sends packets to destination node D along the route S-Q-X-Y-D, monitoring node I monitors the packets sent on link Q-X and monitoring node L monitors the packets sent on link Y-D; each records what it observes in its own cache, and then the detection procedure described below, shown in Figure 1, is applied to decide whether a wormhole attack is present;

(6) When the malicious sending node X has sent x packets and the malicious receiving node Y has forwarded only y of them, monitoring nodes A, B, C, P, K and M compute the packet loss rate γ = (x - y)/x × 100%. If γ > τ, a wormhole attack is deemed to exist and is reported to the regional router Zr. In the expression γ > τ, γ is the packet loss rate and τ is the maximum packet loss threshold specified by the system; τ is set according to the packet loss rate observed when the network is operating normally. In our implementation the packet loss rate is below 10% when the network operates normally, so τ is set to 10%: if the packet loss rate of a link exceeds 10%, we regard that link as a wormhole;

(7) When regional router Zr receives the first report, it starts the voting mechanism based on the monitoring nodes: it either actively polls all monitoring nodes of this link to return their observations of the packets sent on it, or passively collects the reports of the other monitoring nodes over a fixed period;

(8) If more than four of the monitoring nodes A, B, C, P, K and M vote that link X-Y is a wormhole, X and Y are wormhole attack nodes, and regional router Zr temporarily isolates X and Y;

(9) At the same time, regional router Zr announces the attack information to the users of the whole regional network and to backbone router Br;

(10) Backbone router Br revokes the authorization certificates of the two wormhole attack nodes X and Y, expelling X and Y from the network;

Communication between users, reports from monitoring nodes to regional router Zr, and reports from regional router Zr to backbone router Br all use identity-based encryption.
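The detection steps (4) to (10) above, as an added example that is not code from the patent: a monitoring node keeps a per-endpoint record of overheard packet identifiers, computes γ = (x - y)/x against τ = 10%, and the regional router polls the link's monitors and isolates the endpoints only when enough of them agree. The class names, the packet trace in run_example() and the choice to let monitor M miss part of X's traffic are all constructed for illustration.

```python
# Added example, not the patent's code: steps (4)-(10) of the monitoring-node
# detection on the X-Y link of the attack model, with a constructed trace.
from collections import defaultdict

TAU = 0.10  # maximum tolerated loss rate; the patent's implementation uses 10%


class MonitorNode:
    """Neighbour of both link endpoints; caches packet ids heard from each."""

    def __init__(self, name, link):
        self.name = name
        self.link = link              # (sender, receiver), e.g. ("X", "Y")
        self.seen = defaultdict(set)  # endpoint -> set of packet ids heard

    def observe(self, from_node, packet_id):
        if from_node in self.link:    # traffic from other nodes is ignored
            self.seen[from_node].add(packet_id)

    def loss_rate(self):
        """gamma = (x - y) / x: x packets sent, y of them forwarded (step 6)."""
        sender, receiver = self.link
        sent = self.seen[sender]
        if not sent:
            return 0.0
        forwarded = self.seen[receiver] & sent
        return (len(sent) - len(forwarded)) / len(sent)

    def reports_wormhole(self, tau=TAU):
        """A report is raised only when gamma strictly exceeds tau."""
        return self.loss_rate() > tau


class BackboneRouter:
    """Owns the authorization-certificate store (step 10 revocation)."""

    def __init__(self, authorized):
        self.authorized = set(authorized)

    def revoke(self, nodes):
        self.authorized -= set(nodes)


class RegionalRouter:
    """Steps (7)-(9): collect votes from a link's monitors and isolate."""

    def __init__(self, monitors_by_link, backbone):
        self.monitors_by_link = monitors_by_link
        self.backbone = backbone
        self.isolated = set()

    def handle_report(self, link, tau=TAU, min_votes=None):
        """Poll every monitor of the link; act when at least min_votes agree
        (default: a strict majority, the patent's 'most monitoring nodes')."""
        monitors = self.monitors_by_link[link]
        votes = sum(m.reports_wormhole(tau) for m in monitors)
        needed = min_votes if min_votes is not None else len(monitors) // 2 + 1
        if votes < needed:
            return False
        self.isolated.update(link)   # step (8): temporary isolation
        self.backbone.revoke(link)   # step (10): certificates revoked
        return True


def run_example():
    """Constructed trace: S-Q-X-Y-D, X and Y collude, A B C P K M watch X-Y."""
    xy, qx = ("X", "Y"), ("Q", "X")
    monitors_xy = {n: MonitorNode(n, xy) for n in "ABCPKM"}
    monitor_qx = MonitorNode("I", qx)
    backbone = BackboneRouter(authorized="SQXYDABCPKMIL")
    router = RegionalRouter({xy: list(monitors_xy.values()),
                             qx: [monitor_qx]}, backbone)

    for pid in range(20):
        monitor_qx.observe("Q", pid)            # Q transmits 20 packets to X
        if pid == 7:
            continue                            # one packet lost to normal noise
        monitor_qx.observe("X", pid)            # X forwards the other 19 ...
        for name, m in monitors_xy.items():     # ... heard by the X-Y monitors,
            if not (name == "M" and pid >= 15): # except M, out of range for 15-19
                m.observe("X", pid)
        if pid < 15:                            # Y forwards only 14 of the 19
            for m in monitors_xy.values():
                m.observe("Y", pid)

    xy_votes = sum(m.reports_wormhole() for m in monitors_xy.values())
    # the patent's worked example requires more than 4 of the 6 X-Y monitors
    isolated = router.handle_report(xy, min_votes=5)
    return {
        "qx_loss": monitor_qx.loss_rate(),        # 1/20: below tau, no report
        "qx_flagged": monitor_qx.reports_wormhole(),
        "xy_votes": xy_votes,                     # 5 of 6 (M saw no loss)
        "isolated": isolated,
        "authorized": sorted(backbone.authorized),
    }
```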

Claims (1)

1. A wormhole attack detection method based on monitoring nodes in a wireless Mesh network, characterized by the following steps:
(1) At initialization, the offline CA assigns public/private key pairs and public key certificates to the backbone routers, regional routers and user nodes, and assigns public/private key pairs to the backbone network and to each regional network;
(2) An applying node submits the public key certificate issued by the offline CA to the virtual CA, and the virtual CA authenticates the applying node with that certificate; applying nodes include user nodes, backbone routers and regional routers;
(3) Once an applying node has been authenticated by the virtual CA, it is issued an authorization certificate and an identity-based private key. The authorization certificates are kept in the authorization certificate store, which only backbone routers can access;
(4) The regional router selects monitoring nodes according to the users' data storage capacity and security level; a monitoring node monitors the packets sent on a given link and keeps a record of them in its cache;
(5) While the sending node and the receiving node communicate, the monitoring node monitors every packet entering and leaving this link, records it in its cache, and then applies the following detection procedure to decide whether a wormhole attack is present;
(6) If the monitoring node observes that a sending node has sent x packets and that the receiving node has forwarded y of them, the monitoring node computes the packet loss rate γ = (x - y)/x × 100%. If γ > τ, a wormhole attack is deemed to exist and the monitoring node reports to the regional router that this link is a wormhole. In the expression γ > τ, γ is the packet loss rate and τ is the maximum packet loss threshold specified by the system; τ is set according to the normal packet loss rate observed when the network is operating normally;
(7) When the regional router receives a report from a monitoring node, it starts a voting mechanism based on the monitoring nodes: it either actively polls the other monitoring nodes or passively collects their reports;
(8) If the majority of monitoring nodes vote that the link is a wormhole, the two nodes at its ends are wormhole attack nodes, and the regional router temporarily isolates them;
(9) At the same time, the regional router announces the attack information to the users of the whole regional network and to the backbone routers;
(10) The backbone routers revoke the authorization certificates of the two wormhole attack nodes, expelling them from the network;
Communication between users, reports from monitoring nodes to the regional router, and reports from the regional router to the backbone routers all use identity-based encryption.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2008102276970A CN101453733B (en) 2008-11-28 2008-11-28 Wormhole attack detection method based on monitor node in wireless Mesh network

Publications (2)

Publication Number Publication Date
CN101453733A CN101453733A (en) 2009-06-10
CN101453733B true CN101453733B (en) 2010-12-22

Family

ID=40735698

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008102276970A Expired - Fee Related CN101453733B (en) 2008-11-28 2008-11-28 Wormhole attack detection method based on monitor node in wireless Mesh network

Country Status (1)

Country Link
CN (1) CN101453733B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102131193A (en) * 2010-01-12 2011-07-20 中国人民解放军总参谋部第六十一研究所 Secure routing method for converged network of wireless sensor network and computer network
CN107071780B (en) * 2017-04-17 2020-02-18 中国民航大学 A wireless mesh network malicious node detection method
CN108600210A (en) * 2018-04-17 2018-09-28 四川斐讯信息技术有限公司 A kind of voting method and wireless router based on wireless router
CN109152065B (en) * 2018-10-31 2022-03-25 重庆邮电大学 A multi-node secure network access method for industrial wireless network based on IPv6
US11075944B2 (en) * 2018-12-18 2021-07-27 SOURCE Ltd. System and method for protection of computer networks against man-in-the-middle attacks

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101110670A (en) * 2006-07-17 2008-01-23 西安电子科技大学 Key Management Method Based on Wireless Mesh Network
CN101222331A (en) * 2007-01-09 2008-07-16 华为技术有限公司 Authentication server, method and system for bidirectional authentication in mesh network

Non-Patent Citations (8)

* Cited by examiner, † Cited by third party
Title
徐颖 (Xu Ying). Access control and key management in wireless mesh networks. China Master's Theses Full-text Database, Information Science and Technology, 2007, I136-273. *
李国瑞, 何泾沙, 付颖芳 (Li Guorui, He Jingsha, Fu Yingfang). Research on dynamic key management schemes in wireless sensor networks. Chinese Journal of Sensors and Actuators (传感技术学报), 2007, 20(12), 2635-2639. *
杨会宇 (Yang Huiyu). Analysis and implementation of access authentication technology for wireless Mesh networks. China Master's Theses Full-text Database, Information Science and Technology, 2007, I136-271. *
黄捷 (Huang Jie). Research and implementation of an identity authentication mechanism for 802.16 broadband wireless metropolitan area networks. China Master's Theses Full-text Database, Information Science and Technology, 2007, I136-773. *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101222

Termination date: 20141128

EXPY Termination of patent right or utility model