• No results found

Synthetical Malicious Behavior Detection of MAC Layer Multiple Attack in Wireless Sensor Networks


Academic year: 2020

Share "Synthetical Malicious Behavior Detection of MAC Layer Multiple Attack in Wireless Sensor Networks"


Loading.... (view fulltext now)

Full text


2016 International Conference on Wireless Communication and Network Engineering (WCNE 2016) ISBN: 978-1-60595-403-5

Synthetical Malicious Behavior Detection of MAC Layer

Multiple Attack in Wireless Sensor Networks

Shuai JIANG and Jian WANG

School of Electronic Science and Engineering, National University of Defense technology, Changsha, China

Keywords: Synthetical detection, Multiple attack, MAC layer, Wireless sensor networks.

Abstract. Wireless sensor networks have relatively weaker security performance compared to wired ones, and the MAC layer is a key part of their security system. In MAC layer, multiple synergetic attacks are more destructive than single attacks and more difficult to detect. In this paper, we propose a synthetical malicious behavior detection framework to detect when multiple attacks are launched in MAC layer. In this detection framework, we design a hierarchical data collection system to collect the necessary data for detection and propose the notion of behavioral deviation to roundly evaluate multiple aspects of behavior in MAC layer. Furthermore, we design a detection algorithm based on a hypothesis testing model to approximate the identity of malicious nodes. Finally, we prove the superiority of the synthetical detection framework compared with other kinds of single detection methods through simulation.


A wireless sensor network (WSN) is a kind of ad-hoc network composed of many self-organized sensor nodes which is widely used nowadays. But because of weaknesses in the properties of sensor nodes, WSNs cannot implement very complex operations, and many types of security frameworks cannot be applied in a WSN, which make WSNs much more vulnerable to attack than other kinds of network.

The cluster-based structure is one of the widely-used WSN structures currently. The cluster-based network contains several node clusters, and each cluster is composed of one cluster head (CH) and a number of sensor nodes (SN) [1]. Each SN periodically sends environmental information gathered to its CH. And the CH implements the following data processes. This hierarchical structure not only promotes the transmission effect while reducing the power cost [2], but also conveniently collects useful data for security systems.

Among different kinds of attacks, malicious behavior in the MAC layer is one of the most typical forms of attack. In wireless networks like WSN, the MAC layer protocol regulates access to the channel and transmission process. Malicious behavior in the MAC layer can paralyze a wide range of network functions and cause serious chaos in a WSN. The typical type of malicious behavior contains small backoff window (SBW) attacks and frame-dropping (FD) attacks [3].

Some methods for detecting these malicious behaviors currently exist. Svetlana Radosavac and John S. Baras [4] proposed a method to discover the backoff time of the WSN nodes by calculating the interval of transmissions and also designed a Mini-max robust detection approach to optimize the outcome of detection against most harmful attacks. Wenkai Wang and Yan Sun [5] have also proposed a trust evaluating system using the backoff time of each node in the network for cross-layer attack detection. L. Gandhimathi and Dr. G. Murugaboopathi [3] proposed a detection method to monitor the amount of medium access and number of packets dropped at each node. However, if a malicious node launches several different types of attack, especially when the intensities of these attacks are relatively low, it is very difficult with current detection methods to accurately figure out the malicious node.


In this detection framework, SNs collect both medium access and frame dropping data and sends them to the CH. The CH disposes the data and calculates the deviations of different malicious behaviors with an algorithm designed by us. Then deviations from different behaviors are coalesced together and evaluated using a hypothesis testing model to detect whether a node is malicious node. The scientific contributions of this paper include:

A novel synthetical malicious behavior detection framework able to detect multiple MAC layer attacks containing small backoff window attacks and frame-dropping attacks, which also has better detection accuracy than existing detection methods which are usable on only one kind of attack.

We propose the notion of behavior deviation, which evaluates differences between the behavior of the node under detection and the behavior of standard nodes. Behavior deviation makes it possible to evaluate multiple aspects of node behavior as a whole, and promotes accuracy and robustness of detection frameworks.

This paper propose an algorithm to calculate the total behavior deviation of each node in a WSN, and estimate whether the node is a malicious node by evaluating the total behavior deviation based on a hypothesis testing model.

Subsequent sections of the paper are organized as follows: In Section II, we introduce two typical types of attacks in the MAC layer, the small backoff window attack and the frame-dropping attack, summarizing their behavioral features. In Section III, we propose a novel synthetical malicious behavior detection framework and related algorithm to detect multiple MAC layer attacks in a WSN. In Section IV, we evaluate the performance of the synthetical detection framework through simulation, comparing this detection framework with other existing detection methods. Conclusions are drawn in Section VI.

Multiple Attacks in Mac Layer

The MAC layer protocol regulates the channel access and the transmission process of every node. Wireless networks, including WSNs, mostly adopt the 802.11 protocol as their MAC layer protocol. In the 802.11 protocol, a node constantly overhears the channel if it has no data to transmit. If the node has something to transmit, it waits for a certain duration called DIFS (Distributed Coordination Function Inter-Frame Spacing). After that, the node randomly waits for another additional period called backoff time. The backoff time is a random duration set in the range of zero to contention window size (CW). During the backoff period, if a collision occurs, the backoff timer will pause and wait for the channel to be free again before resuming. After the backoff period finishes, the node implements its transmission. If a collision occurs during the transmission, the source node doubles its contention window and repeats the transmission process. If the source node transmits successfully, it resets its contention window to the preset size [6].

In this protocol, a malicious node may be able to launch many kinds of attacks, small backoff window attack and frame-dropping attack are two of the most typical types among them.

The small backoff window attack aims to illegally obtain priority channel access by lessening the contention window without permission and refusing to increase it. Malicious node can use this kind of attack to constantly monopolize the channel and stop the transmission of other nodes, which causes serious congestion and disturbs normal services in the network.

The frame-dropping attack is another typical attack on the MAC layer. The progression of this kind of attack is very simple. In the multi-hop network, nodes should not only send their own data, but also transmit data for other nodes. Malicious nodes in the network refuse to transmit data for other nodes by dropping all or a part of their frames in the MAC layer. This kind of attack can also cause serious chaos or even shut down the whole network.


multiple attack, an attacker probabilistically implements the two kinds of attack in order to reduce the probability of detection without sharply decreasing the intensity of total malicious behaviors. However, most existing detection methods aim at only a certain type of malicious behavior, while in multiple attacks, each kind of malicious behavior is very low intensity, which makes it very difficult to detect this form of attack based on existing detection methods.

Multiple Attack Detection Algorithm

In this section, we designed an algorithm which can detect two kinds of malicious behavior, taking the behavior of both small backoff window and frame-dropping attacks into account at the same time and evaluate them under a proper standard. To detect these two kinds of attacks, we monitor the transmission times and number of frames dropped at each node and pick out any abnormally large figure.

To collect the necessary data, we use the hierarchical trust management system [1] for reference. In a cluster-based WSN, SNs undertake the job of data collection and CHs undertake the job of data operation. Thus, we set up a process where each SN monitors adjacent SNs and collect data on their transmission times and number of frames dropped during a node observation period Ξ”t. After each observation period ends, the SNs send the related data to their CH. After the CH receives data from all SNs, it calculates the SBW and FD behavior deviations.

To get the behavior deviation for each of the two kinds of malicious behavior, we have to calculate the standard figures for transmission time and dropped frames. We propose an optimal method to obtain these standard figures.

In the WSN, we first choose several reliable nodes as standard nodes, and the CH calculates their average transmission times and number of frames dropped as the standard figures before each estimation process. According to the simulation result, the standard figures based on this calculation have the best accuracy and flexibility.

The behavior deviation of SBW in jth observation period can be calculated as

𝐷𝑆𝑖𝑗 = π‘€π‘–π‘—βˆ’π‘€π‘ π‘—

𝑀𝑠𝑗 (1)

where the wij is the total transmission time of node i in the jth observation period and the wsj is the

standard figure for transmission time in the jth observation period.

The calculation of behavior deviation of FD is similar, it can be calculated as

𝐷𝐹𝑖𝑗 =

π‘‘π‘–π‘—βˆ’π‘‘π‘ π‘—

𝑑𝑠𝑗 (2)

where the dij is the total number of dropped frames at node i in the jth observation period and the dsj is the standard figure of dropped frames in the jth observation period.

By calculating behavior deviation for SBW and FD, we can evaluate the two kinds of malicious behavior at the same order of magnitude. The CH then calculates the total behavior deviation of node i with the equation below.

𝐷𝑖𝑗 = 𝐷𝑆𝑖𝑗 + 𝐷𝐹𝑖𝑗 (3) For a normal SN, the behavior deviation of SBW and FD should be around 0. However, for a malicious node, its number of transmission times or dropped frames will be larger than the standard figures, so the total behavior deviation will be obviously larger than 0. So we can therefore estimate whether the SN is a malicious node by hypothesis testing.

To meet the required detection accuracy and energy limits, we set an estimation period Ξ”T. Ξ”T can be expressed as


The CH calculates the standard deviation, Si, of behavior deviation of node i in an estimation period

Ξ”T. This can be calculated using the equation below

𝑆𝑖 = √ 1

π‘›βˆ‘ (π·π‘–π‘—βˆ’ 𝐷𝑖)

2 𝑛

𝑗=1 (5)

With the values of Si and Di obtained, we can implement the hypothesis testing process. Here, we

adopt the t-distribution hypothesis testing model, and calculate the value t used for estimation.

𝑑 = βˆšπ‘› βˆ’ 1𝐷𝑖

𝑆 (6)

t is then compared with the fractile of the t-distribution tΞ± (v). The rule of estimation is

𝑑 𝐻1

> < 𝐻0

𝑑𝛼(𝑣) (7)

where H0 means node i is a legal node and H1 means node i is a malicious node.

Simulation Result


We adopt Matlab 2015a as our simulation tool. An ad-hoc network was set up containing one CH and 60 SNs to simulate a WSN cluster, the simulation parameters are shown in Table 1.

Table 1. Simulation parameters.

Parameter Value

Number of Nodes 60

Transmission Rate 2Γ—106 b/s

Bit Error Rate 10-6

MAC protocol 802.11 DCF

Initial Contention Window 32 (frame sizes) Maximum Contention Window 1024 (frame sizes)

Malicious Contention Window 8 (frame sizes)

Confidence Level 0.95

For PHY layer simulation, the transmission rate is set at 2Γ—106 b/s and the bit error rate at 10-6. For the MAC layer, the 802.11 DCF protocol is implemented, with initial contention window size set at 32, and maximum contention window size as 1024. The node drops its current frame if the contention window reaches maximum size. The contention window size of the malicious node implementing the SBW attack is set at 8 and does not increase, contrary to the exponential backoff rules. The time taken for messages sent to arrive in the MAC layer follows the Poisson distribution. In all corresponding hypothesis testing process, we set the confidence level at 0.95.

To evaluate the performance of the synthetical malicious behavior detection framework, we compare the detection probability and false-alarm probability of both the synthetical malicious behavior detection framework and single detection methods. We choose two single detection methods for comparison. Method I, considers only SBW attacks, and collects the transmission times of each node, comparing them with standard figures based on the hypothesis testing model. Method II is similar to Method I, it implement an estimation process using the number of dropped frames.


Figure 1. Comparison of three detection methods. Table 2. False-alarm probability of detection methods.

Synthetical detection

Detection method I

Detection method II False-alarm


11.18% 18.63% 34.12%

From figure 1 and table 2, we can see that the performance of the synthetical malicious behavior detection framework is much better than that of the single detection methods.


In this paper, we propose a novel synthetical detection framework aimed at multiple attack in the MAC layer, which is more elusive and destructive than single attack methods. The synthetical detection framework adopts the notion of hierarchical system to collect the necessary data while reducing the cost of storage and channel resource. The biggest innovation in the synthetical detection framework is the multiple attack detection algorithm, which roundly consider the abnormal behavior of SBW and FD attacks and evaluate such behavior using behavioral deviation. With behavioral deviation, we can estimate the identity of each node in a WSN and determine whether it is a malicious node. Finally, we examine this synthetical detection framework using simulations, and prove that the performance of the synthetical detection framework is much better than other single detection methods. In future, we can improve the detection system by increasing the variety of attack which it takes into consideration, and optimizing the algorithm for better accuracy.


[1] Fenye Bao, Ing-Ray Chen, MoonJeong Chang, Jin-Hee Cho. Hierachical Trust Management for Wireless Sensor Networks and its Applications to Trust-Based Routing and Intrusion Detection, IEEE Trans on Network and Service Management, P169-183, 2012.

[2] Rabia Noor Enam, Energy efficient differential data aggregation in a dynamic cluster based WSN, Collaboration Technologies and Systems (CTS), 2013.

[3] L.Gandhimathi, Dr.G.Murugaboopathi, Cross layer Intrusion Detection and Prevention of Multiple attacks in Wireless Sensor Network using Mobile Agent, International Conference On Information Communication And Embedded System (ICICES 2016).

[4] Svetlana Radosavac, John S. Baras, Iordanis Koutsopoulos, A Framework for MAC Protocol Misbehavior Detection in Wireless Networks, WiSE’05, September 2, 2005.


[6] Maxim Raya, Jean-Pierre Hubaux, Alaeddine El Fawal, DOMINO: Detecting MAC Layer Greedy Behavior in IEEE 802.11 Hotspots, IEEE Transactions on Mobile Computing, P1691-1705, 2006.

[7] Svetlana Radosavac, Nassir Benammar, John S. Baras, Cross-layer attacks in wireless ad hoc networks, 2004 Conference on Information Sciences and Systems, Princeton University, March 17-19, 2004.


Table 1. Simulation parameters.
Figure 1. Comparison of three detection methods.


Related documents

ο‚· Social Science Assistant Professor representative to the Committee on Promotion, Tenure, and Academic Freedom (2010-2011 Academic Year). ο‚· Arts and Sciences representative

In conclusion, it is apparent that South Africa does allow for the practice of surrogacy as long as the arrangement is entered into by adults of sound mind under a valid

Comfort, O comfort my people, says your God. Speak tenderly to Jerusalem, and cry to her that she has served her term, that her penalty is paid, that she has received from the

Applicant will need to return missing or incomplete items within two weeks from the date that they are notified or application will be voided..

In cases of individual household wine production in the Catholic village of Cizhong and to a limited extent elsewhere, wine production is an agentive and creative methodology to

The query can be given by providing keywords, by selecting one or more sample texture patterns, by assigning color values within positional color blocks, or by

The main objective of the present paper is to characterize the scattered field from the transmitter to the receiver according to urban parameters (shape of buildings, density

All team members who are directly involved with the development of the software must receive appropriate security training. The training must at a minimum cover the