Insider Attacker Detection in Wireless Sensor Networks
Fang Liu, Xiuzhen Cheng
The George Washington University
IEEE INFOCOM 2007
26th IEEE International Conference on Computer Communications.
Presented by Jinman Jeong
Outline
Introduction
Existent Solutions
Insider Attacker Detection
Performance Evaluation
Conclusion
Introduction
Easy to compromise nodes
Insider attacker
Compromised nodes can be insider attackers.
An internal adversary can easily modify and drop with access to the valid cryptographic keys
Causes false readings
Causes routing misbehaviors
Existent Solutions
Several approaches in WSN
misuse based – requires prior knowledge
anomaly based – requires prior knowledge
specification-based – requires prior knowledge
cross feature analysis based – requires prior knowledge
specific protocol based – not general
Prior knowledge requirement
incurs extra training overhead
produces serious concern that attack behaviors may change dynamically
Detecting Insider attackers
Requires no prior knowledge
Generic solution
Instead of considering specific aspects, monitors many aspects of sensor networking behaviors.
High detection accuracy & low false alarm rate
Our Work – A General Solution to Insider Attacker Detection
The Basic Idea
Observation and Assumption in this paper:
Expected to behave similarly in close neighborhood.
Localized statistical analysis
Measure the networking behaviors of neighbor nodes (e.g. packet dropping rate, packet sending rate, forwarding delay time, etc.)
Algorithm
Information Collection: each node gets information from neighbor nodes
Filtering the collected data: for an accurate detection result, the collected information must be filtered
Initial Insider Attackers Detection: the detection is conducted by computing Mahalanobis distance
Majority Vote: the final decision
Throughout this paper, insider attackers are also called outliers
Information Collection
x_i : x's neighbor node.
F(x_i) : the set of attribute vectors received from sensor x_i (e.g. packet drop rate, sensor readings…)
Node x gets F(x_i) in neighbor nodes
[Figure: node x and its neighbor nodes x_1, x_2, x_3, x_i]
F(x_i) = (f_1(x_i), f_2(x_i), …)^T
Filtering the collected data
N(x) : the neighborhood set of x, whose selection is determined by the node density in the network
For a dense network, N(x) may equal the one-hop neighbors
For a sparse network, N(x) should be large
For a sparse network, sensor A should select a reliable relay node (C or D?) for filtering information from F
[Figure: nodes A, B, C, D, E, F in a sparse and a dense network]
Filtering the collected data
[Figure: nodes A, B, C, D, E, F in a sparse network]
A's monitoring results:
C: (19, 32, 40)
D: (22, 11, 42)
E: (21, 29, 38)
F: (19, 31, 39)
standardize, Z = (y - μ)/σ:
C: (0.83, 0.63, 0.15)
D: (1.17, 1.49, 1.31)
E: (0.50, 0.33, 1.02)
F: (0.83, 0.53, 0.44)
max = underlined field (the largest value in each standardized vector):
C: 0.83
D: 1.49
E: 1.02
F: 0.83
Min = 0.83
Trust value, T = min/x:
C: 1
D: 0.56
E: 0.81
F: 1
How to select a reliable relay node (C or D?): C
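The filtering step above, recomputed from the slide's own numbers as an added example (not code from the paper or the presenter). The function names are hypothetical, the sample standard deviation is assumed because it reproduces the slide's standardized values, and picking the candidate with the highest trust value is an assumed reading of the relay question.

```python
from statistics import mean, stdev

# A's monitoring results for neighbors C..F, copied from the slide.
MONITORED = {"C": (19, 32, 40), "D": (22, 11, 42), "E": (21, 29, 38), "F": (19, 31, 39)}

def standardize(results):
    """Per attribute, Z = |y - mu| / sigma, using the sample sigma over all monitored nodes."""
    ids = list(results)
    cols = list(zip(*(results[i] for i in ids)))
    stats = [(mean(c), stdev(c)) for c in cols]
    # An attribute on which every neighbor agrees has sigma = 0 and contributes Z = 0.
    return {i: tuple(abs(y - m) / s if s else 0.0 for y, (m, s) in zip(results[i], stats))
            for i in ids}

def trust_values(results):
    """T = min / x, where x is a node's largest standardized deviation."""
    worst = {i: max(z) for i, z in standardize(results).items()}
    floor = min(worst.values())
    return {i: floor / w if w else 1.0 for i, w in worst.items()}

def pick_relay(results, candidates):
    """Hypothetical helper: choose the candidate relay with the highest trust value."""
    trust = trust_values(results)
    return max(candidates, key=lambda i: trust[i])

if __name__ == "__main__":
    for node, t in trust_values(MONITORED).items():
        print(node, round(t, 2))
    print("relay:", pick_relay(MONITORED, ["C", "D"]))
```

D's second attribute (11 against roughly 30 for the others) is what drives its trust down to 0.56, so a single deviating attribute is enough to deprioritize a relay.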
Insider Attacker Detection
The detection is conducted by computing Mahalanobis distance
x_i is treated as an outlier if D(x_i) is larger than θ (i.e., > θ)
Mahalanobis distance
In statistics, a useful way of determining similarity of an unknown sample set to a known one.
In pattern recognition, widely used in classification techniques.
Insider Attacker Detection
Univariate Gaussian Distribution: X ~ N(μ, σ^2)
probability density function: p(x) = 1 / (2πσ^2)^{1/2} · exp( -(x - μ)^2 / (2σ^2) )
Multivariate Gaussian Distribution: X ~ N(μ, Σ)
probability density function: p(x) = 1 / ((2π)^{d/2} |Σ|^{1/2}) · exp( -(1/2) (x - μ)^T Σ^{-1} (x - μ) )
As the Mahalanobis distance increases, the probability decreases
Mahalanobis distance
D^2(x_i) = (f(x_i) - μ)^T Σ^{-1} (f(x_i) - μ) ~ χ^2_d.
Thus, Prob(D^2(x_i) > χ^2_d(α)) > α.
Majority Vote
After sensor x determines which sensors are outlying, it sends a message with the following format to its neighbors:
n | ID_1 | Status_1 | … | ID_n | Status_n
n : the number of sensors in N'(x)
ID_i : the ID of sensor x_i
Status_i : whether or not x_i is an outlier (0/1)
Sensor x receives announcements from others
Sensor x makes the final decision from all the votes
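The detection and voting steps above, as an added example that is not code from the paper or the presenter. Assumptions: μ and Σ are the plain sample mean and covariance of the collected vectors, θ is the χ^2_d upper point at α = 0.05, the final decision is a strict majority of the votes cast on a node, and all function names and data are constructed for illustration.

```python
from collections import Counter
from itertools import product

CHI2_UPPER = {1: 3.841, 2: 5.991, 3: 7.815}  # chi^2_d(alpha), alpha = 0.05 (assumed level)

def solve(a, b):
    """Solve a*z = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        if m[c][c] == 0:
            raise ValueError("singular covariance: attributes are constant or collinear")
        for r in range(n):
            if r != c:
                k = m[r][c] / m[c][c]
                m[r] = [x - k * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def mahalanobis_sq(views):
    """{ID: f(x_i)} -> {ID: D^2(x_i)}, with mu and Sigma estimated from the same views."""
    ids, n = list(views), len(views)
    d = len(views[ids[0]])
    mu = [sum(views[i][k] for i in ids) / n for k in range(d)]
    dev = {i: [views[i][k] - mu[k] for k in range(d)] for i in ids}
    cov = [[sum(dev[i][r] * dev[i][c] for i in ids) / (n - 1) for c in range(d)] for r in range(d)]
    return {i: sum(u * z for u, z in zip(dev[i], solve(cov, dev[i]))) for i in ids}

def local_status(views):
    """Status_i = 1 when D^2(x_i) exceeds theta = chi^2_d(alpha)."""
    theta = CHI2_UPPER[len(next(iter(views.values())))]
    return {i: int(d2 > theta) for i, d2 in mahalanobis_sq(views).items()}

def announce(status):
    """Slide's message layout: n, ID_1, Status_1, ..., ID_n, Status_n."""
    return [len(status)] + [field for item in status.items() for field in item]

def majority_vote(messages):
    """Final decision (assumed rule): outlier if a strict majority of votes on it say 1."""
    flagged, seen = Counter(), Counter()
    for _n, *body in messages:
        for node, status in zip(body[0::2], body[1::2]):
            seen[node] += 1
            flagged[node] += status
    return sorted(node for node in seen if 2 * flagged[node] > seen[node])

# Constructed data: 16 normal neighbors around (10, 15, 20) and one suspect node.
VIEWS = {f"n{k}": (10 + s * a, 15 + s * b, 20 + s * c)
         for k, (s, a, b, c) in enumerate(product((1, 2), (-1, 1), (-1, 1), (-1, 1)))}
VIEWS["suspect"] = (27, 15, 20)
```

Because μ and Σ here are estimated from data that includes the suspect, a gross outlier inflates Σ and its own D^2 can never exceed (n-1)^2/n, so a neighborhood that is too small cannot cross θ at all.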
Simulation Settings
With N = 4096 uniformly distributed sensors (64 × 64, q = 3 attributes)
Different normal distributions.
μ1 (normal) = (10, 15, 20), Σ1 ~ N_3(μ1, Σ1)
μ2 (abnormal) = (30, 35, 40), Σ2 ~ N_3(μ2, Σ2)
Σ1 = Σ2 =
Simulation Settings
2 different tests were run 100 times, and the results are averaged.
Dense network
Sparse network (N(x) should contain more of the multi-hop neighborhood for better performance)
Performance Evaluation (1/2)
Detection accuracy = (# of detected outliers) / (# of real outliers)
[Figures: detection accuracy for sparse networks and dense networks]
Performance Evaluation (2/2)
False alarm = (# of normal sensors that are claimed as insider attackers) / (# of normal sensors)
[Figures: false alarm rate for sparse networks and dense networks]
Conclusion
Generic solution to detect an insider attacker
Requires no prior knowledge about network activities
High detection accuracy, low false alarm rate
Works well with 25% misbehaving sensors
Thank you!