Detection of Attacker and Location in Wireless Sensor Network As An Application For Border Surveillance
Detection of Attacker and Location in Wireless Sensor Network As An Application For Border Surveillance
Detection of Attacker and Location in Wireless Sensor Network As An Application For Border Surveillance
Abstract
Border surveillance is one of the high priority in the security of countries around the world. Typical and traditional bor-
der observations involve troops and checkpoints at borders, but these do not provide complete security. One effective
solution is the addition of smart fencing to enhance surveillance in a Border Patrol system. More specifically, effective
border security can be achieved through the introduction of autonomous surveillance and the utilization of wireless sen-
sor networks. Collectively, these wireless sensor networks will create a virtual fencing system comprising a large number
of heterogeneous sensor devices. These devices are embedded with cameras and other sensors that provide a continu-
ous monitor. However, to achieve an efficient wireless sensor network, its own security must be assured. This article
focuses on the detection of attacks by unknown trespassers (perpetrators) on border surveillance sensor networks. We
use both the Dempster–Shafer theory and the time difference of arrival method to identify and locate an attacked node.
Simulation results show that the proposed scheme is both plausible and effective.
Keywords
Wireless sensor networks, border surveillance, Time difference of arrival, Dempster–Shafer theory
Creative Commons CC-BY: This article is distributed under the terms of the Creative Commons Attribution 4.0 License
(http://www.creativecommons.org/licenses/by/4.0/) which permits any use, reproduction and distribution of the work without
further permission provided the original work is attributed as specified on the SAGE and Open Access pages (http://www.uk.sagepub.com/aboutus/
openaccess.htm).
2 International Journal of Distributed Sensor Networks
application oriented, robust operations, and small University, utilized energy-efficient WSNs to detect
physical size. objects moving through a passage line.5 Their sensor
Typically, the sensor nodes communicate with each nodes had embedded sound, photographic, and mag-
other via multiple hops over an open wireless channel. netic sensors. In 2012, German researchers investigated
This presents a security challenge as, on borders, WSNs irregularly shaped areas and deployed WSNs6 to detect
are normally deployed in an unattended area that is trespassers. They utilized multiple sensors to work in a
also hostile. Moreover, the sensor nodes do not usually distributed manner.
have any physical protection. Consequently therefore, Unfortunately, there was not much attention has
WSN nodes can be easily captured by trespassers, been given in the literature for protecting a network
thereby providing trespassers with full access to nodes from enemy manipulation, technically termed an
and the ability to cause a failure of the entire network. attack. Although some work has been performed on
Designing and testing a new WSN algorithm is protecting WSNs from attacks, it has not specifically
extremely challenging and maintenance of security focused on border surveillance scenarios.
integrity ranks as a major concern. Common security Staddon et al.7 outlined a method to track unsuccess-
threats include selective forwarding, sinkhole attacks, ful sensor nodes in a network at a sinkhole. Detection
Sybil attacks, wormholes, and a HELLO flood attack.3 of abnormal behavior relied on the assumption that all
The time difference of arrival (TDoA) triangulation sensor node data will be relayed toward the sinkhole
through three beacon nodes location information, is via a predefined routing tree. Moreover, the sinkhole
used to detect the attacker location. TDoA technology must have an overall view of the network topology.
has been widely used in positioning and navigation sys- With this overall knowledge, the method is capable of
tem recently. The position estimation of a source identifying failed nodes using a routing update message.
through determining TDoA of its signal among distrib- Marti et al.8 presented a watchdog-like method. The
uted sensors has many applications in civil as well as in method has a node which listens to the next-hop
the military with the detection of the abnormal beha- neighbor nodes’ broadcasting transmission behavior. It
vior of the sensor (in-sider attack) and location infor- is capable of identifying a packet-dropping attack.
mation. The system that uses TDoA to find a source Numerous watchdogs must work together with coop-
location it requires at least three sensors one of them is erative behavior in this method. Hence, a collaborative
a master (reference) and the other two are slave (auxili- and reputable system is necessary to determine an
ary) sensors. When the location is detected, a further attacker. Quality ratings of the collaborator nodes are
approach is taken to make the network secure by therefore requisite.
reprogramming the node or obsolete the node from the Zhang and Lee9 proposed a technique that is consid-
network. In this article, we have focused on border pro- ered pioneer work on intrusion detection in the area of
tection using secure WSNs. To provide that protection, wireless ad hoc networks. The author has investigated
we need the ability to continuously determine whether a different architecture for cooperative discovery of sta-
any node has been attacked. To this end, we have tistical abnormalities, a defense against attacks on ad
employed the Dempster–Shafer theory (DST) to com- hoc routing.
bine evidence from multiple neighbor nodes to deter- Znaidi et al.10 first introduced a hierarchical distrib-
mine whether a given node has been attacked. DST has uted algorithm for detecting node replication attacks
the capability of modeling the uncertainty in the situa- using a Bloom filter mechanism and a cluster head
tion where the independent evidences are limited. selection. The proposed method needs to employ addi-
WSNs are the most uncertain application scenario. tional clustering algorithm and the authors presented
only a theoretical discussion on the boundaries.
Subsequently, the TDoA method is utilized to find the
Garofalo et al.11 proposed intrusion detection system
location of the given node as it has the simplicity.
architecture designed to ensure a trade-off between dif-
Overall, the implemented method has low latency and
ferent requirements. It is high detection rate obtained
computation.
through decision tree classification. Unfortunately, in
this method the power consumption by the sensor is
Related work high, it is not resilient to node failures as it uses a tree
classification, with a long delay to send the data to the
The researchers have recently investigated WSN-based base station, data overhead is high, and it is costly.
border protection. In 2004,4 researchers at Ohio State Ahmed and Mahmood12 has proposed a clustering-
University deployed sensors with the ability to detect based anomaly detection technique based on the pat-
metallic objects, the major goal was to detect the tanks tern data and attacks characteristics. Their method
and the vehicles. In 2011, researchers at the University works fine with the DoS attacks but it fails for the other
of Virginia, in collaboration with Carnegie-Mellon attacks.
Aseeri et al. 3
The most common contemporary techniques exploit enemies to eavesdrop or to modify fetches data. They
cryptographic primitives. Cryptographic methods use may also choose to physically destroy sensor nodes. As
additional information to provide security, such as a result, protection should be applied both against phys-
authentication information. A polluted packet can be ical attackers and malicious nodes. The major goal of
filtered out based on the validity of the code from the the network attacker is to discontinue the area monitor-
intermediate node. Nevertheless, these schemes carry ing and stop event detection in the border region. To
substantial computational overhead. Furthermore, the these ends, attackers typically use the following meth-
schemes need to send verification information such as ods. They discontinue or delay the data packet, the
hashes and signatures separately, prior to the packet, attacker tries to modify the node to so as not to forward
to maintain reliable communications. Thus, considering detected events to the base station. In addition, attack-
the characteristics of WSNs, it is not possible to achieve ers may attempt to jam the channel to delay the packet,
efficient functionality with these methods. thereby gaining sufficient time to cross the border.
In physical attacks, attackers can physically destroy
the sensor node and take it out of the network. With a
Coverage and deployment strategy of camera sensor, they can destroy the camera so that
WSN analysis of the suspicious area cannot be performed at
Border surveillance requires monitoring every point on the data center.
the border, regardless of the environmental constraints
within a large geographical area. Effective border cov-
erage using WSNs depends on both the connectivity Case study and assumptions
and quality of service (QoS) provided by the networks. In this research, we used the physical parameter tem-
A node must be able to connect to its one-hop neighbor perature for the purpose of simulation. Our WSN sys-
and, using multi-hop communication, it should be able tem was built with one sink node and a random spatial
to transfer data without any alteration. To achieve distribution of stationary sensor nodes. We assumed
effective connectivity for data exchange and QoS, one that the one-hop neighbor distance was significant and
condition is the efficient deployment of the sensor the neighbor acted as an observer and observed the
nodes. During border deployments of WSNs, a pri- transmissions of the mistrusted node. The second sim-
mary condition is to deploy the minimum number of plifying assumption is the observed physical parameters
sensors that will guarantee optimal coverage of every at the nodes reasonably met the condition of indepen-
location on the border with efficiency. WSNs are nor- dent events. The independent events observed by neigh-
mally deployed based on the application scenarios and bor nodes became the individual pieces of evidence. The
number of sensor nodes required to provide the specific decision-making process algorithm about an attacker
applications with effective connectivity. Deployment utilized the DST to combine the independent pieces of
techniques can be categorized as sparse or dense. evidence. This is exemplified by the simplified case as
Sparse deployment uses fewer sensor nodes. shown in Figure 1. Here, the neighbors of node A are
Conversely, dense deployment uses a relatively high
number of sensor nodes in the given field of interest.
Dense deployments are normally utilized where it is
mandatory for every event to be observed and detected
in a large area. Considering the importance and charac-
teristics of border surveillance, the dense deployment
strategy is used. Deployment of the sensors normally
decided based on the application scenario. Most cases
its done by scattering. Despite their quick deployments
and significant advantages, WSNs face various security
problems due to their nature and the possibility of the
presence of one or more faulty or malicious nodes in
the existing network.
X, Y, and Z. They will observe suspected attacked node of one element or function, the other two functions can
A for the defined physical parameters of temperature be derived.
(T ) and packet drop rate (PDR). We assume m1(A) and m2(A) are two basic probabil-
ity numbers, considered to be two independent elements
of evidence, meaning that two self-governing neighbor
Methods sensor nodes act as observers of the same frame. The
The DST was used to detect the attacker. In this theory, conclusions from observations (the pieces of evidence)
the uncertainty interval normally represents probabil- can be combined in accordance with the evidence the-
ity; probability is replaced by the bounds of belief and ory of Dempster’s rule of combination (also known as
plausibility. The lower bound of the interval is known orthogonal sum), as given by equation (6)
as belief and is characterized by supporting evidence. P
The interval upper bound is plausibility and is charac- m1 ðAi Þm2 Aj
i, j:Ai \Aj = B
terized by the un-refuted evidence.13 The theory is a (m1 m2 )ð BÞ = P ð6Þ
system of reasoning: the total probabilities of mutually 1 m1 ðAi Þm2 Aj
i, j:Ai \Aj = f
exclusive hypotheses (for independent events) of similar
classes are tallied and collected in the frame of discern-
where denotes Dempster’s combination operator
ment, also known as the universal discloser. The basic
that combines two basic probability assignments or
belief assignment (BBA) or, in other words, function of
BBA into a third.15 To normalize the equation, a nor-
mass is a function m: 2u ! ½0, 1, and it satisfies two fol-
malization constant L is introduced, as defined by
lowing conditions
equation (7). More than two belief functions can be
mðfÞ = 0 ð1Þ combined pairwise
X
m Aj = 1 ð2Þ 1
L= ð7Þ
Au K
where f is the null set, and a BBA fulfills the condition where
m(f) = 0. The basic probability can be rewritten as P
m(A). This is possible because the share of complete K =1 m1 ðAi Þm2 Aj
belief allocated to hypothesis A replicates the support i, j:Ai \Aj = f
funknowng = fT g [ fPDRg
Figure 2. The location of the attacker.
Given T and PDR, the basic probability assignments
for nodes X , Y , and Z are as follows
mT (X ) = 0:7; mT (Y ) = 0:75; mT (Z) = 0:65; mT (U ) = 0:1 In Figure 2, the three sensor nodes are Bi with the
locations (xi, yi), where i = 1, 2, or 3 and A = (x, y) is
mPDR (X ) = 0:75; mPDR (Y ) = 0:7; mPDR (Z) = 0:75 a point in plane. The difference in the range with the
corresponding beacon nodes with respect to the beacon
Using equation (9), the observation by X , Y , and Z B1, in which the transmitted signal arrives first, is
the combination becomes
Ri, 1 = cdi, 1 = Ri R1 ð11Þ
mT, PDR (X ) = mT (X ) mPDR (X ) = 0:61
mT , PDR (Y ) = mT (Y ) mPDR (Y ) = 0:61 Here, c is the speed of signal propagation, Ri,1 is the
difference in the range between the first beacon B1 and
mT, PDR (Z) = mT (Z) mPDR (Z) = 0:58 the ith beacon (B1(i . 1)), R1 is the distance between
After the decision about the attacker is finalized, a the first beacon node and the transmitter, and di,1 is the
method to find the location of the node is invoked. estimate of TDoA corresponding to the first beacon B1
Complex numerical calculations are involved in loca- and the beacon (B1(i . 1)). A set of nonlinear hyper-
tion estimation in wireless networking. A complex cal- bolic equations is defined by this relationship. The solu-
culation yields higher accuracy, but it requires a more tion of the set yields the 2D coordinates of the source.
powerful processor. Our goal is to reduce the complex- The difficult task is to solve the nonlinear equa-
ity to estimate the compromised node’s location with tion (11). Linearization of the set of equations is the
limited processor capability. common practice for these types of equations. One of
We have utilized the TDoA method for simplicity. several linearization processes is the Taylor series.18,19 In
In this method, normally at least three neighbor nodes Friedlander20 and Schau and Robinson,21 the authors
send signals to the target node at different times. This is present an alternative to the Taylor series expansion,
considered the most traditional methodology to find which is to first transform the set of nonlinear equations
the location of the node.18 To obtain TDoA measure- into a different set. Rearranging the form of equation
ments, the signal sources must lie on a hyperboloid by (11) into
keeping a constant range difference with the measuring
nodes. Assuming the master beacon node is B1, then R2i, 1 = ðRi:1 + R1 Þ2 ð12Þ
the distance from the transmitter to the ith beacon node
is And subtracting equation (10) at i = 1 from equa-
tion (12) results in
qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
Ri = ðXi xÞ2 ðYi yÞ2 ð10Þ R2i, 1 + 2Ri, 1 R1 = Xi2 + Yi2 2Xi, 1 x 2Yi, 1 y + x2 + y2
In a two-dimensional (2D) implementation, the tar- ð13Þ
get location can be estimated from two TDoA mea-
surements based on the intersections of signals with the Here, Xi;1 and Yi;1 are equal to Xi–X1 and Yi–Y1,
hyperbola created. Assuming that B1, B2, and B3 are respectively. The set of equations in equation (13) are
beacon nodes measuring the target, the intersection linear in the location of the source A(x; y) and in the
point calculated as a result is target point A. The pro- range of the first receiver of the source R1 as the
cess is shown in Figure 2. unknowns and are more easily handled.
6 International Journal of Distributed Sensor Networks
To solve R1, we employ Chan’s method, a non- Table 1. The simulation parameters.
iterative resolution of the hyperbolic intersection point
estimation problem. The method is capable of opti- Parameters Values
mized performance for arbitrarily placed sensors. This Packet size 500 bytes
solution is applicable in scenario of both distinct and Initial energy 2J
closed sources. The errors in TDoA estimates are con- Transmission range 100 m
sidered to be small, and this method works as an Routine protocol AODV
Simulation time 1 min
approximation to a maximum-likelihood estimator.
Number of nodes 500
Following Chan and Ho’s method22 for the three
beacon node system (B = 3) and generating two AODV: ad hoc on-demand distance vector.
TDOAs, the solution of x and y can be found in terms
of R1 from equations (13). The solution is presented in
the following form
2
x X2, 1 Y2, 1
=
y X3, 1 Y3, 1
( " #) ð14Þ
2
R2, 1 1 R2, 1 K2 + K1
3 R1 +
R3, 1 2 R23, 1 K3 + K1
where
K1 = X12 + Y12
K2 = X22 + Y22
K3 = X32 + Y32
Substituting equation (14) into equation (10) with Figure 3. Observation of the nodes.
i = 1, a quadratic equation is formulated in terms of
R1. Substitution of the positive root back into equation
(8) yields the result. Hence, the system can detect the The simulation was designed and simulated in
location point of the attacked node that basically MATLAB. MATLAB R2015a version has been used
A(x; y). The position error can be determined using to do the simulation. In order to set the simulation
equation (15) environment, we have created an area of 500 m by
500 m and we have set 500 randomly distributed nodes
qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
on that area. Additionally, we have created 25 nodes as
Dd = ðx x0 Þ2 + ðy y0 Þ2 ð15Þ an attacked node out of the existing nodes. DST has
been implemented in order to find the attacker and
TDoA for the location detection. We employed the
Results DST of combination to do the simulation. We per-
As a simulation experiment, we performed a case study formed the DST simulation with individual pieces of
with sensors deployed randomly in a b 3 b square evidence from the one-hop neighbor sensor nodes of
field. We used temperature measurement data as a the network. We assume that the system will not sur-
physical parameter. We chose to use a Gaussian distri- vive if 50% or more sensors are attacked or malicious
bution for the temperature range, with zero mean and node. In any active network, we can detect many
two sigma variations, analogous to the methodology attacker nodes if it is attacked. The simulation para-
adopted by Sentz and Ferson.13 In the latter, they uti- meters are shown in Table 1. The simulation results are
lized one sigma variation for a stricter information set. based on 200 different observations of the nodes.
We assumed adequate data sets to have stricter condi- In Figure 3, it is clearly seen that observation
tions (with perhaps two sigma variations), which can with three sensor nodes of X, Y, and Z are shown in
significantly increase the average accuracy. In our case, blue, red, and green colors. The observation reaches
we took the average of the results of 20 runs. Our aver- almost the same conclusion about the attacker, that is,
age result is from 95% (with one sigma variation) to between 75% and 85% certainty that node A is an
99.99% (with two sigma variations). The temperature attacker.
varied from 8°C to 14°C in the information set we Figure 4 shows the simulation results, which por-
adopted. trays the neighbor sensor nodes observations of the
Aseeri et al. 7
Acknowledgements
The authors acknowledge King Abdulaziz City for Science
and Technology (KACST) in Saudi Arabia for sponsoring
and supporting this work.
international conference on mobile computing and network- 16. Tabassian M, Ghaderi R and Ebrahimpour R. Combina-
ing, Boston, MA, 6–11 August 2000, pp.275–283. New tion of multiple diverse classifiers using belief functions
York: ACM. for handling data with imperfect labels. Expert Syst Appl
10. Znaidi W, Minier M and Ubéda S. Hierarchical node 2012; 39(2): 1698–1707.
replication attacks detection in wireless sensor networks. 17. Campos F and Cavalcante S. An extended approach for
In: IEEE 20th international symposium on personal, indoor Dempster-Shafer theory. In: IEEE International confer-
and mobile radio communications, Tokyo, Japan, 13–16 ence on information reuse and integration, Las Vegas, NV,
September 2009. New York: IEEE. 27–29 October, pp.338–344. New York: IEEE.
11. Garofalo A, Sarno CD and Formicola V. Enhancing 18. Ahmed M, Huang X and Sharma D. A novel framework
intrusion detection in wireless sensor networks through for abnormal behaviour identification and detection for
decision trees. In: Vieira M and Cunha JC (eds) Depend- wireless sensor networks. Int J Comput Commun Eng
able computing. Berlin: Springer, 2013, pp.1–15. 2012; 6(2): 148–151.
12. Ahmed M and Mahmood AN. Novel approach for net- 19. Foy WH. Position-location solutions by Taylor-series
work traffic pattern analysis using clustering-based collec- estimation. IEEE T Aerosp Electron Syst 1976 12(2):
tive anomaly detection. Ann Data Sci 2015; 2(1): 111–130. 187–194.
13. Sentz K and Ferson S. Combination of evidence in Demp- 20. Friedlander B. A passive localization algorithm and its
ster-Shafer theory. Sandia Report. SAND 2002-0835, accuracy analysis. IEEE J Ocean Eng 1987 12(1):
April 2002. Binghamton, NY: Binghamton University. 234–245.
14. Kay RU. Fundamentals of the Dempster-Shafer theory 21. Schau H and Robinson A. Passive source localization
and its applications to system safety and reliability mod- employing intersecting spherical surfaces from time-of-
elling. Reliab Theor Appl 2007; 3(4): 173–185. arrival differences. IEEE T Acoust Speech 1987; 35(8):
15. Koks D. An introduction to Bayesian and Dempster-Shafer 1223–1225.
data fusion. Laverton Ave, ACT, Australia: DSTO Sys- 22. Chan YT and Ho KC. A simple and efficient estimator
tems Sciences Laboratory, 2003. for hyperbolic location. IEEE T Signal Proces 1994;
42(8): 1905–1915.