Article Preview
Top1. Introduction
In recent years, wireless sensor networks (WSNs) tend to make life more convenient. A WSN is formed by a group of wireless sensors and each sensor can monitor various properties of an area, e.g., humidity, light, temperature, and so on. WSNs also have been applied to many domains, such as industrial automation (Gungor & Hancke, 2009), health monitoring and prognosis (Pantelopoulos & Bourbakis, 2010), agricultural environment monitoring (Cai et al., 2010) and ecology observations(Yamamoto, Uchiyama, Yamamoto, Nakamura, & Yamazaki, 2012). After data collections, sensors will send the data to the data collection center via multiple hop routing mechanisms. The communications among WSN rely on the cooperation of all sensor nodes in the network. WSN is vulnerable due to the distributed characteristic, the open medium and the dynamically changing of topology. On the way to the data collection center, these sensing data could be sniffed by malicious nodes. Due to the rapid development of Internet of Things (IOT), it’s expected WSNs will have a significant role in our future life. Therefore, security related issues of WSNs are critical research topics. In this research, we focus on the anomalies of black hole attack in WSNs. A black hole attack happens when a malicious node claims a one hop distance to the sink node as Figure 1 and all the traffics are directed to the malicious node. In Figure 1, the black node annotated with M is the malicious node and the gray node annotated with S is the sink node (data collection center).
In wired network, intrusion prevention measures, such as the installation of firewalls, are used to prevent malicious attacks. Firewalls installed at the routers or switches can filter out the malicious network traffics. However, WSNs don’t equipped wiith this kind of facilities. Therefore, intrusion detections or traffic anomaly detections may be more necessary for WSNs. Traffic anomaly detection systems compare the captured system activity logs or network traffic profiles with patterns of well-known attacks to identify potential attacks. There are two different detection methods: the misuse identification and the anomaly detection. The misuse identification compares the “signature” of well-known attacks to captured activity logs. It is not effective to apply misuse detection to new attacks. The anomaly detection filter out the deviated system behaviors from the established profiles. The anomaly detection is more effective for new attacks since it doesn’t operate based on attack patterns. However, in WSNs, each sensor node often only possesses limited computational ability, traditional intrusion detection techniques cannot be easily applied to WSNs directly.
Many anomaly detection systems only implement single node self-monitoring. Although self-monitoring is easy and is a natural approach to implement, it also possesses the disadvantages of faking. Since each node has full control of its own anomany detection system and the data traffic passing through a single node is only monitored by itself, it is very easy for a malicious node to forge traffic measurements for itself or the traffic passing through it. Some researcher propose neighbor-monitoring strategy in traffic anomaly detection in Mobile ad hoc network (MANET), in which each mobile node monitors its neighbors’ traffic (Wang, Lin, & Wong, 2005). Since each mobile node is monitored by all its neighboring mobile nodes, it is difficult for all neighboring mobile nodes to forge traffic information for the monitored mobile node unless all of them have been compromised. In this research, we also employ the same neighour-monitoring strategy in WSNs.