Channel Aware Detection of Forwarding Attacks in WSN with Malicious Node Detection Based on Co-Operative Approach

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395 -0056
Volume: 04 Issue: 06 | June -2017 www.irjet.net p-ISSN: 2395-0072
© 2017, IRJET | Impact Factor value: 5.181 | ISO 9001:2008 Certified Journal | Page 1018
CHANNEL AWARE DETECTION OF FORWARDING ATTACKS IN WSN
WITH MALICIOUS NODE DETECTION BASED ON CO-OPERATIVE
APPROACH
Ragitha R
M.tech student, Dept. of Electronics & Communication Engineering, KiTS college of engineering, APJ Abdul Kalam
technological University,
------------------------------------------------------------------------***-------------------------------------------------------------------------
Abstract: As a promising event monitoring and data
gathering technique, wireless sensor network (WSN)hasbeen
widely applied to both military andcivilianapplications. Many
WSNs are deployed in unattended and even hostile
environments to perform mission-critical tasks, such as battle
field reconnaissance and homeland security monitoring. So
due to the lack of physical protection, sensor nodes are easily
compromised by adversaries. Wireless sensor networks
(WSNs) are vulnerable to selective forwarding attacks that
can maliciously drop a subset of forwarding packets to
degrade networkperformance. Meanwhile, duetotheunstable
wireless channel in WSNs, the packet loss rate during the
communication of sensor nodes may be high and vary from
time to time. It poses a great challenge to distinguish the
malicious drop and normal packet loss. A Channel-aware
Reputation System with adaptive detection threshold (CRS-A)
can detect selective forwarding attacks in WSNs. The CRS-A
evaluates the data forwarding behaviors of sensor nodes,
according to the deviation of the monitored packet loss and
the estimated normal loss. An attack-tolerantdataforwarding
scheme is developed to collaborate with CRS-A for stimulating
the forwarding cooperation of compromised nodes and
improving the data delivery ratio of the network. But these
solutions for wireless networks may not always be sufficient.
Because some malicious nodes pretend to be intermediate
nodes of a route to some given destinations, drop any packet
that subsequently goes through it, is one of the major types of
attack. In this paper, in addition to CRS-A, uses Ad-hoc on
demand Distance Vector (AODV) routing that propose a co-
operative method to detect malicious node effectively.
Key words: WSN, AODV, CRS-A, malicious node,
reputation value, co operative approach
1. INTRODUCTION
As a promising event monitoring and data gathering
technique, wireless sensor network (WSN) has been widely
applied to both military and civilian applications. Many
WSNs are deployed in unattended and even hostile
environments to perform mission-critical tasks, such as
battle field reconnaissance and homeland security
monitoring. However, due to the lack of physical protection,
sensor nodes are easily compromised by adversaries,
making WSN vulnerable to various security threats. One of
the most severe threats is selectiveforwardingattack,where
the compromised nodes can maliciously drop a subset of
forwarding packets to deteriorate the data delivery ratio of
the network. It also has significantlynegativeimpactstodata
integrity, especially for data-sensitive applications, e.g.,
health-care and industry monitoring. On the other hand,
since WSNs are generally deployed in open areas (e.g.,
primeval forest), the unstable wireless channel andmedium
access collision can cause remarkable normal packet losses.
The selective forwarding attacks are concealed by the
normal packet losses, complicating the attack detection.
Therefore, it is challenging to detecttheselective forwarding
attacks and improve the network performance.
In this paper, I propose a Channel-aware Reputation System
with adaptive detection threshold (CRS-A) [1] to detect
selective forwarding attacks in WSNs with the detection of
malicious node. Specifically, we divide the network lifetime
to a sequence of evaluation periods. During each evaluation
period, sensor nodes estimate the normal packet loss rates
between themselves and their neighboringnodes,andadopt
the estimated packet loss rates to evaluate the forwarding
behaviors of its downstream neighbors along the data
forwarding path. The sensor nodes misbehaving in data
forwarding are punished with reduced reputation values by
CRS-A. Once the reputation value of a senor nodeisbelowan
alarm value, it would be identified as a compromised node
by CRS-A. In the malicious node detection phase, each node
transmits data to a next node, stores a copy of the data in its
buffer and overhears whether the next node transmits the
data. If the node overhears data transmission of the next
node within a predetermined length of time, the node
considers that the data wasproperlytransmittedanddeletes
the copy of the data from the buffer. If not so, the node
increases a failure tally for the next node. Ifthefailure tallyis
greater than a threshold, the node determines that the next
node intentionally dropped the data and reports this fact to
all nodes over the network. The mechanism is cooperative
because nodes in the protocol work co-operatively together
so that they can analyze, detect malicious nodes in a reliable
manner.

2. EXISTING TECHNIQUES
2.1 ADAPTIVE AND CHANNEL AWARE DETECTION OF
SELECTIVE FORWARDING ATTACKS IN WSN
Wireless sensornetworks(WSNs)arevulnerabletoselective
forwarding attacks that can maliciously drop a subset of
forwarding packets to degrade network performance and
jeopardize the information integrity. Meanwhile, due to the
unstable wireless channel in WSNs, the packet loss rate
during the communication of sensor nodes may be high and
vary from time to time. It poses a great challenge to
distinguish the malicious drop and normal packet loss. In
this paper, we propose a Channel-aware Reputation System
with adaptive detectionthreshold(CRS-A)todetectselective
forwarding attacks in WSNs. The CRS-A evaluates the data
forwarding behaviors of sensor nodes, according to the
deviation of the monitored packet loss and the estimated
normal loss. To optimize the detectionaccuracyofCRS-A,we
theoretically derive the optimal threshold for forwarding
evaluation, which is adaptive to the time- varied channel
condition and the estimated attack probabilities of
compromised nodes. Furthermore, an attack-tolerant data
forwarding scheme is developed to collaborate with CRS-A
for stimulating the forwarding cooperation of compromised
nodes and improving the data delivery ratio of the network.
Extensive simulation results demonstrate that CRS-A can
accurately detect selective forwarding attacks and identify
the compromised sensor nodes, while the attack-tolerant
data forwarding scheme can significantly improve the data
delivery ratio of the network.
2.2 DETECTING MALICIOUS NODES IN MANETBASED ON
A COOPERATIVE APPROACH
Mobile Ad hoc Network (MANET) is a self-configuring
network of mobile nodes connected by wireless links and
considered as network without infrastructure. Securing
MANETs is an important part of deploying and utilizing
them, since they are often used in critical applicationswhere
data and communications integrity is important. Existing
solutions for wireless networks can be used to obtain a
certain level of such security. These solutions may not
always be sufficient, as ad-hoc networks have their own
vulnerabilities that cannot be addressed by these solutions.
In the network, some malicious nodes pretend to be
intermediate nodes of a route to some given destinations,
drop any packet that subsequently goes through, it is one of
the major types of attack. We propose a cooperative method
to detect malicious nodes in MANETs. The mechanism is
cooperative because nodes in the protocol work
cooperatively together so that they can analyze, detect
malicious nodes in a reliable manner. We verify our method
by running simulations with mobile nodes using Ad-hoc on
demand Distance Vector (AODV) routing. It is observed that
the malicious node detection rate is very good; theoverhead
detection rate is low, packet delivery ratio is little bit high
and also the response time is observed when there is a
change of mobility speed. In this,eachnodetransmitsdata to
a next node, stores a copy of the data in its buffer and
overhears whether the next node transmits the data. If the
node overhears data transmission of the next node within a
predetermined length of time, the node considers that the
data was properly transmitted and deletes the copy of the
data from the buffer. If not so, the node increases a failure
tally for the next no de. If the failure tally is greater than a
threshold, the node determines that the next node
intentionally dropped the data and reports this fact to all
nodes over the network. Each of the nodes receiving the
report determines whether a reporter and a suspect node
listed in the report are recorded in its report table. When
the number of times that a node reports to the source nodeS
is greater than k equivalent to the number of malicious
nodes over the network, the node is determined as a
malicious node and excluded from the network.
Most of these systems can effectively mitigate the negative
impacts of selective forwarding attacks on information
integrity and network performance. However, they have
limited capability to accurately detect the attacks and
identify the compromised sensor nodes. Several recent
studies consider the normal packet loss into selective
forwarding attack detection for wireless mesh networks.
However, both of the works use an estimated normal packet
loss rate to evaluate the data forwarding behaviors over a
long period. Such approaches are not applicable for the
WSNs in unstable radio environment, where the high and
time-varied packet loss may significantly reduce detection
accuracy. Moreover, in their schemes, a node will be
identified as an attacker once the number of lost packets
during its forwarding exceeds a certain value. The one-time
detection can also produce a largefalsedetectionprobability
for the innocent nodes.
3. SYSTEM MODEL AND DESIGN GOALS
We consider a WSN consisting of a set of randomly
distributed sensor nodes, denoted by N, and a sink node to
monitor an open area. Each sensor node periodically senses
the interested information from the surroundings, and
transmits the sensed data to the sink via multi-hop routing
among sensor nodes. Sensor nodes communicate with their
neighboring nodes based on the IEEE 802.11 DCF. The
monitored area has an unstable radio environment, making
the packet loss rates during the communications of sensor
nodes significantly increased and vary from time to time.
Since sensor nodes are deployed in open area and lack
adequate physical protection, they may be compromised by
adversaries through physical capture or software
vulnerabilities to misbehave in data forwarding. We use PM
to denote the compromising probability of sensor node,
which is defined as the probability that a sensor node is
compromised by the adversary. Meanwhile, we assume that
sensor nodes can monitor the data forwardingtrafficoftheir
neighboring nodes by neighbor monitoring with Watchdog
or acknowledgment- based approaches. It means that a

sensor node can obtain that how many data packets are
forwarded by its forwarding sensor nodes. Existing works
provide a comprehensive study on monitoring forwarding
traffic of sensor nodes, which is not the focus of this paper.
Since the unstable radio environment causes fluctuated
packet loss rates between the neighboring nodes, it is
challenging to distinguish the monitored forwarding
behavior is normal or not.
Compromised sensor nodes can launch selectiveforwarding
attacks to degrade the performance of the network.
Specifically, when a compromised sensor node receives a
data packet, it maliciously drops it with a probability,
referred to as attack probability. Since the adversary can
control the attack probabilities of compromised nodes, it is
difficult to distinguish if the packet losses are caused by
fluctuated channel condition or malicious drops, especially
for the nodes with low attack probabilities.
Furthermore, several neighboring compromised sensor
nodes can collaborate with each other to launch
promotion/demotion attacks to achieve benefits. For
example, if Na and Nb are two neighboring compromised
sensor nodes and data trafﬁc is from Na to Nb, Na may
provide a partial evaluation for Nb’s forwarding behaviors.
Besides, Na can announce Nb as a normal node to its other
neighboring nodes, in spite of Nb misbehaving in the data
forwarding. However, we do not consider the special case
where Na is totally honest in data forwarding to cover for
Nb’s misbehaviors to achieve benefits. This case can be
effectivelyaddressedbythehop-by-hopacknowledgmentor
two directional neighbor monitoring techniques.
We consider that cryptographic techniques have been
utilized in the network to provide sufficient data
confidentiality and authenticationagainsttheadversary, and
then we can focus on resisting selective forwarding attacks.
In addition, we assume there are only a fraction of sensor
nodes compromised by the adversary to misbehave in data
forwarding, since the network would be useless if the
majority of sensor nodes are manipulated by the adversary.
In the following, we call the compromised sensor nodes as
malicious nodes, and the other sensor nodes as normal
nodes. High detection accuracy should be achieved for
detecting selective forwarding attacks and identifying the
malicious nodes, which can bemeasured bytwo metrics.The
one is the attacks should be accurately detected once the
malicious nodes misbehave in data forwarding. The other is
normal nodes cannot be falsely detected as malicious nodes
due to the fluctuated normal packet losses. Besides the
detection of selective forwarding attacks, the data delivery
ratio of the network should be improved by the proposed
scheme to mitigate the negative impacts caused by the
attacks. Meanwhile, the proposed scheme should be able to
partly stimulate the cooperation of malicious nodes in data
forwarding.
4. CRS-A: THE CHANNEL-AWARE REPUTATION SYSTEM
WITH ADAPTIVE DETECTION THRESHOLD
In CRS-A, each sensor node maintains a reputation table to
evaluate the long-term forwarding behaviors of its
neighboring nodes. The essence of CRS-A is to dynamically
update the reputation table based on the forwarding
behavior evaluation for the neighboring nodes,bytakingthe
normal packet loss rate into consideration. However, as the
unstable radio environment make the quality of wireless
channel vary with time, normal packet loss may be different
over a long time period. Therefore, we divide the whole
network lifetime into a sequence of evaluation periods T =
{T1,...,Tt,...}. In each evaluation period Tt, the channel
condition of each data transmission link is assumed to be
stable. Meanwhile, for each Tt, we introduce a channel
estimation stage at the beginning of Tt, and a reputation
update stage at the end of Tt.
During the channel estimation stage, sensor nodes estimate
the normal packet loss ratesofthecommunicationlinkswith
their neighboring nodes, and use them to evaluate the
forwarding behaviors of neighboring nodes. Fig. 4.1 shows
the overview of evaluation periods over the network
lifetime. The reputation update in CRS-A consists of three
procedures: reputation evaluation, propagation and
integration. Reputation Evaluation is to evaluate short-term
reputation scores for the forwarding behaviors of sensor
nodes, based on the deviation of estimated normal packet
loss rate and monitored actual packet loss rate. With
ReputationPropagation,the evaluatedshort-termreputation
scores can be propagated within the neighboring nodes to
achieve a more comprehensive evaluation. Finally, by
Reputation Integration, sensor nodes integrate the
reputation scores evaluated by them and the propagated
reputation scores from their neighboring nodes to update
the reputation table.
4.1 Normal Packet Loss Estimation
According to the network model, normal packet loss is
mainly caused by the poor and unstable wireless channel
and MAC layer collisions. The poor and unstable radio link
quality is the primary reason for the time-varied packet
losses. It is formulated as a two-state Markov model, and the
packet loss rate is determined as an average value over a
long-term period. However, adopting an average value to
represent a time- varied value may mislead the evaluation
for forwarding behaviors. Furthermore, dynamic
environments make the link quality varied in different
locations. Therefore, the packet loss estimation should be
performed in each evaluation period by each sensornode.In
CRS-A, the link quality estimation for each pair of
neighboring nodes is based on the Received Signal Strength
Indicator (RSSI) and Signal-to-Noise Ratio (SNR), under the
symmetric channel assumption. For each Tt, the packet loss
rate caused by poor link quality, denoted by p1
i,j(t), can be

estimated by RSSI and SNR for the transmission link from Ni
to Nj.
As data transmission between two neighboring nodes is
based on the IEEE 802.11, MAC layer collisionsmayincrease
the normal packet loss rate. Since sensor nodes are static in
our network, it means each sensor node has a fixed number
of neighboring nodes. Then, we can use theanalytical results
in to estimate the packet loss caused by medium access
collisions without the impact of hidden terminals. Let n be
the number of nodes contending for channel accessatNj and
pt as the probability that a node transmits data in time slot.
When MAC channel is at steady state, the probabilities for
observing an idle, successful,andcollidingslot,denotedaspi,
ps, and pc, respectively, are
pi = (1-pt)n
ps = n.pt.(1-pt)n-1
pc = 1-pi-ps
And the channel busy ratio Rb can be calculated as
Cb =1-(pi . td)/(pi · σ + ps . ts + pc . tc)
where td, ts and tc denote the idle slot length, the duration of
a successful transmission, and the duration of a collision,
respectively.
4.2 Reputation Evaluation
In CRS-A, sensor nodes monitor their neighbors to evaluate
reputation scoresfortheirforwarding behaviorsduringeach
evaluation period. The evaluated reputation scoresisnamed
as first-hand reputation scores. Specifically, in the data
transmission stage of Tt, node Ni (Ni N) records the number
of data packets sent to its next hop node Nj as Si,j(t), and the
number of data packets forwarded by Nj as fi,j(t). Thus, the
number of data packets lost in the transmission from Ni toNj
is mi,j(t)=Si,j(t)fi,j(t). Based on the discussion of the previous
subsection, we can estimate the normal packet loss rate
between Ni and Nj as pi,j(t). Since each data packet is
transmitted to Nj independently, the data transmissionfrom
Ni to Nj can be regarded as a sequence of independent
repeated trials. It means, if Ni sends l data packets to Nj, the
probability of k (0 ≤ k ≤ l) out of l packets lost during the
transmission, denoted by Pi,j(X = k), follows a binomial
distribution, i.e.
Pi,j(X = k) = (l
k)(pi,j(t))k(1- pi,j(t))l-k.
We consider the forwarding behavior evaluation for Nj
during an evaluation period Tt as a sampling test. If Nj
behaves normally during data forwarding, mi,j(t) should
slightly fluctuate around the estimated number of normal
lost data packets pi,j(t)·Si,j(t). However, when mi,j(t) >
pi,j(t)·Si,j(t), with the increase of mi,j(t), the probability of Nj
misbehaving in data forwarding increases. In order to
evaluate mi,j(t), we introduce a detection threshold i,j(t)
(Si,j(t)·pi,j(t) < i,j(t) <Si,j(t), i,j(t) N+) and deﬁne the
reputation evaluation function of Ni to Nj as follows.
r1
i,j(t) =
where isa
punishment factor and is a adjustment factor. We set and
explain the function as follows.
• If mi,j(t) ≤ pi,j(t)·Si,j(t), the sampling test is acceptable,
which means the transmission between Ni and Nj is
successful. Thus, Ni rewards a positive to Nj.
• If pi,j(t)·Si,j(t) < mi,j(t)≤ i,j(t) we consider it is a normal
fluctuation of pm
i,j around pi,j, and rate to Nj to neutralize the
reputation evaluation.
• When mi,j(t) > i,j(t) we consider there isa highprobability
for Nj to misbehave in the data forwarding. If it happens, Ni
rates a punishment - to Nj.
If Nj is a normal node, mi,j(t) will slightly fluctuate around
pi,j(t)·Si,j(t). The proposed reputation evaluation function
should make the reputation value of Nj stable or increased
after a number of evaluation periods. On the other hand,if Nj
misbehaves in data forwarding, mi,j(t) may be larger than
pi,j(t) · Si,j(t) with a high probability. The proposed function
should decrease the reputation value of Nj sharply after a
number of evaluation periods.
4.3 Reputation Propagation
In order to share the monitored forwarding behavior
information and hence to improve the attack detection
accuracy, Ni propagates the first-hand reputation scores,
such as r1 i,j(t), to their neighbors during each Tt. The
received reputation scores from the neighboring nodes are
called as second- hand reputation scores, which reflect the
evaluation of the neighboring nodes ontheirnexthopnodes.
However, the reputation propagation causes CRS-A
vulnerable to collaborative promotion/demotion attacks,
which means neighboring malicious nodes can collaborate
with each other to mutually promotetheirreputationscores.
To mitigate the impact of the potentially partial reputation
scores, we determine the second-hand reputation scores as
follows.
Denote the set of Ni’s neighboring sensor nodes as NCi, and
the number of nodes in NCi as |NCi|. We further divide the
nodes of NCi into two subsets, NCi,g and NCi,b, based on their
long-term reputation values in Ni. Let Ns be a nodeofNCi.We
put Ns into the honest neighbor set NCi,g,

if Ri,s > NCi Ri,x
|NCi|
Otherwise, Ns is allocated to the dishonest neighborsetNCi,b.
Since the long-term reputation values of malicious nodes
may decrease after misbehaving in a number of evaluation
periods, these nodes are classified into the dishonest
neighbor set and the weights of their propagating
information are reduced by the penalty factor α. As a result,
the negative impacts of mutual reputation promotions
among neighboring malicious nodes can be significantly
mitigated. To reduce the communication overhead of
reputation propagation, the propagated reputation scores
can be piggybacked to other data packets, such as the
periodically exchanged neighbor information.
4.4 Reputation Integration
After reputation propagation, the first-hand and second-
hand short-term reputation scores should be integrated to
update the reputation table. Denote Ri,j as the long-term
reputation value of Nj in Ni’s reputation table, and Rm and Rs
as the upper bound and lower bound ofreputationvalue. We
calculate the integrated reputation score as RI
i,j(t)=σr1
i,j(t)+
(1- σ)r2
i,j(t), and update Ri,j as the following equation.
Ri,j =
Here, σ is the weight factor of the first-hand informationand
σ>0.5. Rm and Rs are system parameters that can be chosen
based on the system requirements.
4.5 Malicious Nodes Identification
In each Tt, sensor nodes can evaluate the forwarding
behaviors of their next hop sensor nodes and update their
reputation table with the above three procedures. After a
number of evaluation periods, the reputation values of
malicious nodes are significantly reduced in the reputation
tables of their neighboring nodes. To identify the malicious
nodes, sensor nodes send their reputation tables to the sink
for identification after a fixed time. When the average
reputation value in Nj’s neighbors is below Ra, Nj is identified
as a malicious node. Here, Ra is an alarm reputation value
that can be predefined according to system requirements. If
Nj is identified as a malicious node,the network operatorcan
perform a security check or software reset for these nodes.
However, since malicious nodes can mutually promotetheir
reputation values or collaboratively degrade the reputation
values of normal nodes, the average reputation valueshould
be adjusted against the promotion and demotion attacks.
5. ADAPTIVE DETECTION THRESHOLD FOR CRS-A
The detection accuracy of CRS-A is significantly impactedby
the misbehaving detection threshold for reputation
evaluation. In this section, we aim to determine the optimal
evaluation threshold for each pair of neighboring nodes
along the data forwarding path to optimize the detection
accuracy of CRS-A. According to the attack model, malicious
nodes can launch attacks with different probabilities, which
indicate the detection threshold should be different for each
communication link. Meanwhile, due to the nature of
dynamic routing andtime-variedchannel conditionin WSNs,
the detection threshold should be adaptive to the time-
varied data traffic and normal packet loss rate of the link.
Without loss of generality, we focus on determining the
optimal threshold for the transmission from Ni to Nj during
the period Tt, in the following analysis.
Since CRS-A is proposed to detect selective forwarding
attacks and identify malicious nodes, we first identify some
performance metrics to evaluate CRS-A before optimizing
them. If i,j(t) is set as a large value, the forwarding
misbehavior of Nj will be regarded as a normal fluctuation,
without being punished with . It means the attacks launched
by Nj are not detected by the detection of CRS-A. On the
other hand, if i,j(t) is set as a small value close to Si,j(t) ·
pi,j(t), the normal fluctuation of mi,j(t) will be detected as a
misbehavior, when Nj acts normally in data forwarding. It
leads to a normal sensor node has a large probability to be
falsely identified as a compromised node by the detection of
CRS-A. Therefore, there exists a trade-off in determining the
value of i,j(t) to optimizethedetectionaccuracyforselective
forwarding attacks.
Here we introduce two metrics,misseddetectionprobability
and false detection probability. The Missed Detection
Probability is the probability that a malicious forwarding
behavior is detected as a normal behavior, while the False
Detection Probability refers to the probability that a normal
forwarding behavior is detected as a malicious behavior. If
we use X to denote the data packets lost in the transmission
from Ni to Nj, and Y to denote the data packets maliciously
dropped by Nj, the missed detection probability ηi,j(t) is
ηi,j(t) = P{X+Y≤ i,j(t)/ j misbehaved in Tt}
and the false detection probability µi,j(t) is
µi,j(t) = P{X+Y≤ i,j(t)/ j behaved well in Tt}
Since both X and Y are discrete random variables, the
probability mass function (PMF) of X and Y should be
determined for calculating ηi,j(t) and µi,j(t). X is defined as
the number of normally lost data packets during the
transmission. If the number of data packetssentbyNi during
Tt is Si,j(t), the false detection probability µi,j(t) is the CDF of
X.
However, due to ηi,j(t) depending on the variable Y, we
should determine the PMF of Y and X + Y. According to the
attack model, each sensor nodes has a probability PM to be

compromised by the adversary. It means P{Y =0 }=1-PM and
P{Y = Y’} = PM, where Y’ is a discrete random variable
denoting the number of maliciously dropped packets by Nj
when Nj is a malicious node.
According to the attack model, when a malicious node
successfully receives a data packet, it decides to maliciously
drop the packet with a probability, which is called attack
probability. We denote the attack probability of Nj as pj.
Since the number of data packets sent by Ni during the
evaluation t are Si,j(t), the PMF of Y’ should be a binomial
function with the number of experiments as Ai(t)=Si,j(t) X.
Obviously, Ai(t) is a random variable depending on X, so we
first calculate the conditional probability when Ai(t) is fixed
as a,( 0 ≤ a ≤ Si,j(t), 0 ≤ k ≤ a) as
P {Y’ = k | Ai(t)=a}= pj
k (1-pj)a-k
And the PMF of Y’ is
P{Y’ = k}= P{Y’ = k| Ai(t)=a} P { Ai(t)=a}]
we can use the PMF of Y’ to determine the PMF of Y as
P{Y = k} =
If Ni sends Si,j(t) data packets to Nj during the evaluation
period Tt and the detection threshold is ξi,j(t) (Si,j(t)·pi,j(t)<
ξi,j(t) < Si,j(t)), the missed detection probability for
evaluating Nj is
ηi,j(t) = ξi,j(t)-k} . P{Y=k}, if k=0
PM - PM . (1- pj) Si,j(t)
Where P{X ≤ k} is the CDF of X
Based on the PMF of X and Y, we further calculate ηj as
follows.
ηj = P{{X+Y ≤ ξi,j(t)} ∩ {Y > 0}}
P{Y > 0}
= P{{X+Y ≤ ξi,j(t)} ∩ {
P{
= ∩ {Y=k}
P{
= ≤ ξi,j(t)|Y = k} . P {Y= k}]
P{
The missed detection probability ηi,j(t) depends on the
attack probability of Nj (i.e., pj). Generally, the attack
probabilities of malicious nodes are various and not known
by the system in advance. However, wecanusethehistorical
data to estimate pj for each malicious node Nj. Specifically,in
each Tt, Ni can estimate pj
pj =
Where Si,j(w).(1-pi,j(w))istheexpectednumberofforwarded
data packets at time period w, while mi,j(w) - Si,j(w)·(1-
(pi,j(w)) is deviation between the actual number of
forwarded data packets and the expected number of
forwarded data packets at time period w. The probability
that node j attacks (or maliciouslydrops)indata forwarding.
When pj is small or equal to 0, we consider Nj behaves well
during the past data forwarding. The false detection
probability µj should be minimized for CRS-A. As pj keeps
increasing, Nj has an increasing probability to be an attack.It
indicates that the missed detection probability ηi,j(t) should
be emphasized to optimize the performance of CRS-A.
Meanwhile, both of the missed detection probability ηi,j(t)
and false detection probability µj depend on i,j(t). When
i,j(t) increases, ηi,j(t) increases and µj decreases.Andif i,j(t)
decreases, the situation reverses. It means ηi,j(t) and µj are
two contradictory optimization objectives. In order to ﬁnd a
trade-off between them, we can integrate ηi,j(t) and µj as a
single objective function νj by weighting them with pj and 1-
pj, respectively. The objective function is defined as νj = pj ·
ηi,j(t) + (1-pj) ·µj. Therefore, for each transmission from Ni to
Nj in Tt, the optimal threshold determination problemcanbe
formulated as calculating i,j(t) to
(PP) minimize νj = pj .ηi,j(t) + (1-pj)·µi,j(t)
It is obvious that (PP) has onlyoneoptimization variableand
a closed-form objective function. As i,j(t) is discrete, the
objective function is non-differentiable withrespectto i,j(t),
which indicates the hardness of deriving a closed-form
optimal solution for (PP). However, due to the constraint
that i,j(t) should be an integer between pi,j(t) · Si(t) and Si(t),
we can adopt a brute-force algorithm to calculate all the
possible values for determiningtheoptimal one.SinceSi(t)is
the only input variable of (PP) which impacts the time
complexity of finding a solution, the brute-force algorithm
can guarantee the time complexity is O(Si(t)), i.e., O(n).
6. CRS-AWITHATTACK-TOLERANT DATAFORWARDING
As a trust evaluation technique independent of route
decision, CRS-A can be applied with any data forwarding
protocol for WSNs. However, due to the negative impacts of
selective forwarding attacks on data forwarding, data

delivery ratio is a key performance metric for evaluating a
defense technique, besidesthedetectionaccuracyforattacks
and malicious nodes. We first develop a distributed and
attack- tolerant data forwarding scheme to collaborate with
CRS- A to improve the data delivery ratio of the network.
Then, we summarize the main idea and proceduresofCRS-A
with attack-tolerant data forwarding into an algorithm.
For a distributed data forwarding scheme, the key challenge
is to decide which sensor node should be chosen in the
forwarding path to optimize the network performance,
based on the local knowledge. In this, we consider data
delivery ratio astheprimary metric ofnetwork performance.
Although we can detect the malicious nodes by CRS-A, it is
unreasonable to isolate all the maliciousnodesfromthedata
forwarding path. We can illustrate it with the following
Figure Na and Nb are two routing candidates of Ns, and Na is
identified as a malicious node by Ns. During Tt, Ns estimates
the normal loss rate of each link as ps,a(t) = 10% and ps,b(t) =
50%. The attack probabilities of Na and Nb are pa = 20% and
pb =0, respectively. In this case, Ns have 6 data packets to
forward. If Ns choose Nb as the next hop, the expected
number of data packets that are successfully forwarded by
Nb is 3. Contrastively, the expected number of data packets
forwarded by Na should be 5, even if its reputation in Ns is
low and it has an attack probability 20% according to the
historical records.
Nb
Normal loss
Ns
Na
Figure 3 Example of dynamic routing
To select a better forwarding node to improve the data
delivery ratio, we introduce the expected data forwarding
ratio (DFR), which is defined as the ratio between the
expected number of forwarded data packets and the total
number of sent data packets. In each evaluation period Tt, Ni
chooses the node with the highest DFR from its forwarding
candidate set as the next hop. The forwarding candidate set
of Ni is the set of its neighboring nodes that are
geographically closer to the sink than Ni. Specifically, the
forwarding decision can be formulated as follows. For each
Ni, given the number of data packets that Ni transmitsinTtas
Si(t), if choosing Nj as the data forwardingnode,the expected
number of lost data packets should beLj(t)=Si(t)·pi,j(t)+[Si(t)
- Si(t)· pi,j(t)]· pj(t). And, the DFR of Nj is
DFRj(t) = (Si(t)Lj(t))/Si(t)
= 1 - pi,j(t) - pj(t) + pi,j(t)·pj(t)
4.5.1 Algorithm
Description: Updating the reputation of sensor nodes and
data forwarding during Tt (Tt T).
1 Phase I Normal Loss Estimation;
2 for each Ni N do
3 Estimate the normal packet loss rate pi,j(t) between Ni and
each Nj in Ni’s neighbor set
4 end
5 Phase II Data Transmission and Monitoring;
6 for each Ni N do
7 Choosing Nj from RCi as the next hop and use Nj to forward
its data;
8 Record the number of sent data packets Si,j(t) and the
number of data packets mi,j(t) forwarded by Nj;
9 end
10 Phase III Reputation Evaluation and Updating;
11 for each Ni N do
12 Calculate the attack probability pj of Nj ;
13 Determine the optimal detection threshold i,j(t) by
solving the problem (PP);
14 Evaluate the first-hand reputation score r1
i,j(t)
15 Propagate r1 i,j(t) to its neighboring nodes;
16 if receive propagated reputation scores then
17 Calculate the second-hand reputation score r2 i,j(t)
18 end
19 Calculate the integrated reputation score RI
i,j(t) with r1
i,j(t) and r2
i,j(t) and update Ri,j
20 end
According to Algorithm 1, when a malicious node Nj is
selected into the routing path by Ni,theevaluationthreshold
is determined by pi,j and pj to evaluate its forwarding
behavior in the current evaluation period. If Nj misbehaves
in this period with a probability p’j that is higher than pj, i.e.,
p’j > p j, the number of lost data packets will be larger than
Malicious drop

the evaluation threshold and it will be punished with a
negative reputation score. Only if Nj adopts a lower attack
probability, it could avoid a reputation punishment. For the
irrational malicious nodes increasing the attack probability
without considering the punishment, they are removed by
the security check soon.Meanwhile,rational maliciousnodes
can be stimulated to behave better to achieve an improved
data delivery ratio.
We consider the overhead of maintaining CRS-A, in terms of
its storage overheadandcommunicationoverhead.InCRS-A,
each node maintains a reputation table to record the
reputation values of its neighboring nodes, which produces
the storage overhead for sensor nodes. If the range of
reputation value is set as [0,255], each reputationvalueonly
take 8 bits and the total storage overhead of Ni for
maintaining the CRS-A is 8·|NCi| bits, where NCi is the
neighbor set of Ni. The communication overhead is mainly
produced by channel estimationandreputationpropagation.
Let B be the number of bits in a PROBE packet that sensor
nodes broadcast to their neighboring nodes for channel
estimation. The overhead for channel estimation is B bits
data broadcasting and B·|NCi| bits data receiving for each
node in an evaluation period. Similarly, each sensor node
evaluates a reputation score for its data forwarding node,
and propagates the score to its neighboring nodes in each
evaluation period. Thus, the communication overhead of
reputation propagation includes 8 bits data broadcasting
and 8 ·|NCi| bits data receiving. Since the PROBE packet and
reputation score information are much smaller than the
transmitted data packets of sensor nodes, it means CRS-A
has a small communication overhead to be employed into
WSNs.
7. MALICIOUS NODE DETECTION
To detect the malicious node we have proposed one method
which uses a reactive routing protocol known as Ad hoc On
demand Distance Vector (AODV) routing for analysis of the
effect of the black hole attack when thedestinationsequence
number is changed via simulation. The proposed algorithm
first detects those nodes, which may be malicious. Then the
neighbor of the malicious node initiates a cooperative
detection mechanism to detect the actual black holenode. In
AODV routing, messages contain only the source and the
destination addresses. Itusesdestinationsequence numbers
to specify the valid route. At first the sender broadcast the
Route Request (RREQ) message to its neighbors. Each node
that receives the broadcast, checks the destinationtoseeifit
is the intended recipient. If yes it sends a Route Reply
(RREP) message back to the originator. RREP message
contains the current sequence number of the destination
node. The same process continues till the packets reach to
destination or reach to an intermediate node, which has a
fresh, enough routes to destination. Every node keeps track
of its neighbor by maintaining two small size tables. One is
sequence table (SnT) to keep the neighbor node’s id and
neighbor node’s sequence number and other is the status
table (ST) to keep track of the node’s status whether it is a
safe node or a malicious one. Every node also maintains a
neighbor list (N_List) and this list is updated periodically.
When an intermediate node receives a RREP checks if the
difference between theDst_SeqpresentintheRREPmessage
and the sequence no present in its table is greater thansome
predefined threshold value? if so then theintermediatenode
stops forwarding the message and mark the node as „M‟ or
malicious in the status table(ST) and send a notification
message(NM) to source node along with the malicious
node’s id and neighbor list of the malicious node. The
threshold value is the average difference of Dst_Seq in each
time slot between the sequence number of RREP message
and the one held in the table.
The source node has an additional table called Flag Table
(FT). M1HN’s after receiving the Further Detectionmessage,
broadcast a RREQ message by setting destination addressto
source node’s address. If it receives a RREP message from
the malicious node, it sends a Test packet (TP) to the source
node via malicious node, and at the same time it sends a
Acknowledgment Packet (AP) to source node(SN) though
some other route. Then the source node waits for wt time
until it receives the entire testandacknowledgementpacket.
If, SN receives a TP, it updates the Flag Table (FT) by adding
the source node id to the table and set the flag of the node as
Y and if an AP is received set the flag as N and update the
count field. If all the entries for the malicious nodeareNthen
source node updates the status table(ST)byaddingtheMN s
id to the ST and making the status as B i.e. Black hole.
To accurately distinguish selective forwarding attacks from
the normal packet loss, CRS- A evaluates the forwarding
behaviors by the deviation between the estimated normal
packet loss and monitored packet loss. To improve the
detection accuracy of CRS-A, we have further derived the
optimal evaluation threshold of CRS-Aina probabilisticway,
which is adaptive to the time-varied channel condition and
the attack probabilities of compromisednodes.Inaddition,a
distributed and attack-tolerant data forwarding scheme is
developed to collaborate with CRS-A for stimulating the
cooperation of compromised nodes and improving the data
delivery ratio.
8. CONCLUSION
WSN is being emerged as a promising andinterestingarea.It
is designed for real-time data collection and analysis of data
in hostile environments so they are used mainly in
monitoring and surveillance basedapplications.Most widely
used applications of WSN are military appliance, area
monitoring, environmental monitoring, industrial
monitoring, machine health monitoring, water/wastewater
monitoring, and fleet monitoring. Since, WSNs are mostly
used in a hostile environment security is mainly concerned.
The conventional security measures are not suitable to the
wireless sensor networks due to resource constraints of
both memory and energy. In WSN,sensornodesusewireless

communication to send packets. A sensor node uses multi-
hop transmission to deliver the packet to the base station,
due to its limited transmission range. So a packet is
forwarded through too many hops/nodes to reach the
destination. As, we discussed sensor networks are usually
deployed in hostile environments, an adversary can launch
attacks. Attacks can be classified into two types, inside
attacks and outside attacks. The latter one can be easily
detected and security solutions are provided. In former one,
adversary compromises some internal nodes and launches
attacks which will be difficult to detect.
This paper proposes two functions; they are the channel
aware detection of forwarding attacks using CRS-A and the
malicious node detection based on co-operative approach.
Experiments are conducted using NS-2 version 2.35, a
scalable simulation environment for network systems. The
routing protocol we use is AODV. Our simulated network
consists of 50 mobile nodes placed randomly with all nodes
have the same transmission range. The channel capacity is2
Mbps. We setup the parameters of CRS-A as follows. The
range of the reputation value of a sensor nodes is [0,200],
i.e., Rs =0 and Rm = 200. The initial reputation is 100 for all
the sensor nodes. The value of adjustment and punishment
are δ=1and λ= 10, respectively. Meanwhile, we set the
penalty factor for calculating the second-hand reputation
score as α =0 .6, and the weight for reputation integration as
σ =0 .75. The alarm reputation value for malicious node
identification is Ra = 20.
CRS-A updates the reputation values of sensor nodes based
on their behaviors in data forwarding. The sensor nodes
with low reputation values will be identified as malicious
nodes over a number of evaluation periods. The
compromising probability is PM = 40% in the simulation. It
means that a sensor node has a probability of 40% to be
compromised as a malicious node. A larger compromising
probability means a larger number of malicious nodesinthe
network.
REFERENCES
[1] “Adaptive and Channel-Aware Detection of Selective
Forwarding Attacks in WirelessSensorNetworks”by Ju Ren,
Student Member, IEEE, Yaoxue Zhang, Kuan Zhang, Student
Member, IEEE, and Xuemin (Sherman) Shen, Fellow, IEEE
[2] “Detecting Malicious Nodes in MANET based on a
Cooperative Approach” byReena SahooDept.OfInformation
Technology Sambalpur University Sambalpur, Odisha, India
and Dept. Of Information Technology Sambalpur University
Sambalpur, Odisha, India and Dr. P. M. Khilar Dept. of CSE
NIT, Rourkela, Odisha, I
[3] B. Yu and B. Xiao, “Detecting selectiveforwardingattacks
in wireless sensor networks,” in Proc. of the 2nd
International Workshop on Security in Systems and
Networks, April 2006, pp. 1-8.
[4] Tran Hoang Hai, Eui-Nam Huh, “Detecting Selective
ForwardingAttacksinWirelessSensorNetworksUsingTwo-
hops Neighbour Knowledge” Seventh IEEE International
Symposium on Network Computing and Applications, 2008,
pp.325-331.

Channel Aware Detection of Forwarding Attacks in WSN with Malicious Node Detection Based on Co-Operative Approach

More Related Content

What's hot (20)

Similar to Channel Aware Detection of Forwarding Attacks in WSN with Malicious Node Detection Based on Co-Operative Approach (20)

More from IRJET Journal (20)

Recently uploaded (20)

Channel Aware Detection of Forwarding Attacks in WSN with Malicious Node Detection Based on Co-Operative Approach