CN101013976A - Mixed intrusion detection method of wireless sensor network - Google Patents

Mixed intrusion detection method of wireless sensor network

Info

Publication number
CN101013976A
Authority
CN
China
Prior art keywords
node
perform step
intrusion
neighbor
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200710019976
Other languages
Chinese (zh)
Other versions
CN100471141C (en)
Inventor
王汝传
赵奇
陈志�
叶宁
孙力娟
黄海平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Post and Telecommunication University
Original Assignee
Nanjing Post and Telecommunication University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Post and Telecommunication University
Priority to CNB2007100199763A
Publication of CN101013976A
Application granted
Publication of CN100471141C
Expired - Fee Related
Anticipated expiration


Abstract

Translated from Chinese

The hybrid intrusion detection method for wireless sensor networks is a security protection scheme for wireless sensor networks, mainly used to address the various security attacks and security problems that wireless sensor networks suffer. The detection method combines host-based and network-based, centralized and distributed, and anomaly-based and pattern-based detection methods. According to the characteristics of wireless sensor networks and the external and internal attacks they face, the detection tasks are distributed to sensor nodes, cluster head nodes and base station nodes, combining the advantages of the host-based and network-based, centralized and distributed, and anomaly-based and pattern-based detection methods. This avoids the excessive consumption of network and node resources caused by relying on complex algorithms to strengthen network security and, while ensuring network security, extends the lifetime of the network.

Figure 200710019976

Description

Translated from Chinese

Hybrid Intrusion Detection Method for Wireless Sensor Networks

Technical field

The invention is a security protection scheme for wireless sensor networks, mainly used to address the various security attacks and security problems that wireless sensor networks suffer. It belongs to the cross-disciplinary application field of wireless sensor networks and information security.

Background

A wireless sensor network is a new type of network formed by a large number of cheap, low-power sensor nodes that self-organize over wireless multi-hop links. It is widely used in military, medical and health, industrial control, environmental monitoring, smart home and other important settings with high security requirements. Sensor nodes are small, have poor computing, communication and storage capabilities, are powered by disposable batteries that cannot be replaced, and are often deployed in unattended, open and harsh environments. Compared with traditional networks and general self-organizing networks (Ad Hoc networks), they are more vulnerable to attacks including passive eavesdropping, physical destruction, collision, injection or tampering of network data packets, selective forwarding, routing spoofing and denial of service.

Prevention-based techniques such as encryption and authentication can be used to address network security problems. Prevention can reduce attacks but cannot eliminate them. In particular, in a wireless sensor network, once nodes are captured and reprogrammed by an attacker, they can access the network with a legitimate identity. Moreover, the limited computing, communication and storage capabilities of sensor nodes, the dynamic nature of the network topology and the requirement for network scalability make efficient prevention-based security techniques difficult to implement. It is therefore necessary to design and implement an effective intrusion detection system in wireless sensor networks as a second line of defense.

According to different criteria, intrusion detection techniques can be divided into host-based and network-based intrusion detection, anomaly-based and pattern-based intrusion detection, and centralized and distributed intrusion detection. Combining these detection techniques organically lets each contribute its own strengths. Traditional intrusion detection techniques cannot be applied directly to wireless sensor networks, and even intrusion detection techniques suited to Ad Hoc networks are not necessarily directly applicable to wireless sensor networks, so intrusion detection methods need to be designed specifically for wireless sensor networks.

Both wireless sensor networks and Ad Hoc networks are self-organizing wireless networks, but wireless sensor networks have their own particular properties and security requirements, and an intrusion detection system suited to Ad Hoc networks cannot be applied directly to wireless sensor networks. First, each node in an Ad Hoc network is usually held or managed by one user, whereas each sensor node in a wireless sensor network is independent: each sends data to the base station and receives control data from the base station, and the base station is usually managed by one user. Second, the computing, storage and communication resources and the battery energy of sensor nodes are inferior to those of Ad Hoc network nodes, which makes security schemes based on authentication and encryption difficult to implement effectively in large-scale wireless sensor networks. Third, the number and density of nodes in a wireless sensor network are far greater than in an Ad Hoc network, but because of power limits and the harsh physical environment, sensor nodes fail more easily. Fourth, in most wireless sensor network applications the sensor nodes are stationary and the communication pattern is stable: the nodes send sensor readings to the base station in a many-to-one manner, and the base station sends control data to the sensor nodes in a one-to-many manner.

Summary of the invention

Technical problem: The purpose of the invention is to provide a hybrid intrusion detection method suited to wireless sensor networks, to address the various security problems and security attacks that wireless sensor networks face. With the proposed method, network anomalies and node compromise can be detected at different levels of the network, against different network attacks, and by combining different detection methods, thereby achieving the security goal of protecting the wireless sensor network from various old and new attacks.

Technical solution: The method of the invention is a strategic method. Based on an in-depth analysis of the shortcomings of existing security techniques for wireless sensor networks, the characteristics of the different attack modes against wireless sensor networks are quantified, and on that basis a hybrid intrusion detection method is proposed that combines several intrusion detection approaches: host-based and network-based, anomaly-based and misuse-based, and centralized and distributed. Its goal is to use a simple method, consuming as few node and network resources as possible, to address the security attacks on wireless sensor networks that intrusion prevention techniques cannot solve effectively.

1. Architecture

Logically, wireless sensor networks can be divided into two architectures: flat and hierarchical (clustered). In the flat structure, all sensor nodes have equal status and all take part in data collection and routing and forwarding. In the clustered structure, the nodes are divided into ordinary sensor nodes, cluster head nodes and the base station node. The nodes of each cluster send the collected data to the base station node through the cluster head node of their cluster. A cluster head node is more capable and has more resources than an ordinary sensor node; the base station is the most capable and most resource-rich node in the whole network and is responsible for managing the whole network. The method of the invention is built on the clustered architecture of the wireless sensor network and requires no additional equipment. Figure 1 gives the logical schematic diagram of intrusion detection in a clustered wireless sensor network.

A sensor node sends the security-related data it has collected about itself, together with the abnormal behavior of neighbor nodes that it has observed, to the cluster head node. Based on the information collected from the nodes, and especially the neighbor abnormal-behavior information that the nodes report, the cluster head node judges whether a node is intruding or has been intruded upon, and classifies and stores the intrusion behavior that it can confirm. The cluster head node then sends the abnormal behavior that it cannot confirm to the base station node; the base station performs detection and analysis across the whole network and reports to the user. Finally, the base station broadcasts the intrusion result and the intrusion response requirements to the whole network over a secure channel. The base station is the interface between the whole wireless sensor network and other external networks and users.

2. Method flow

The method of the invention uses intrusion detection that combines the host-based and network-based approaches, and distributes the detection tasks over three levels: nodes, cluster heads and the base station. On the one hand, each node is treated as a host in a traditional network and is responsible for sending its own resource usage and the abnormal behavior it has observed in neighbor nodes to its superior node for further analysis. On the other hand, the cluster head nodes and the base station node also collect network information about the local area or the whole network, and compare and analyze it comprehensively until a decision is made.

First, while collecting application data, an ordinary sensor node monitors the behavior of its neighbor nodes and sends its current CPU and power usage, together with information about suspicious behavior of neighbor nodes, to the cluster head node.

Second, the cluster head node likewise sends its own information to the base station node. In addition, the cluster head node performs statistical analysis on the information from the nodes in its cluster, including comparing a node's current information with its historical information and comparing information across nodes (assuming that ordinary nodes start with the same resource allocation and that the network is secure, with no attacks, for a period of time after deployment begins).

Finally, based on the statistical data sent by the cluster head nodes, the base station can analyze the security state of the network across the whole network and detect intrusion attacks that are in progress or have already occurred.

The hybrid intrusion detection method of the invention organically combines anomaly-based intrusion detection with pattern-based intrusion detection. After the nodes at each level have collected data and converted it into statistical indicators, they first check whether the statistical indicators match a record in the local intrusion database. If so, it can be concluded directly that an attack of the same type has occurred, and the intrusion time field of the matching record in the intrusion database is updated with the current time. If no directly matching record is found, this may be a new attack, and the intrusion judgment and the storing of the intrusion behavior features in the database are carried out anew. To simplify pattern matching, the intrusion database usually stores the absolute values of the indicators that identify the intrusion features. To reduce the storage pressure on the base station and the communication volume, the method requires that the intrusion database be distributed over the cluster head nodes and the base station node. The intrusion database must not be defined too large; a method similar to a "sliding window" is used so that the database keeps only the most recently detected intrusion records. When the intrusion database is full and a new attack is detected, the earliest detected intrusion is deleted from the database.

After an intrusion is detected, a suitable method is needed to track it. The data required includes routing information, topology observations, and the attack type and characteristics.

Intrusion response refers to the measures to be taken against the node or set of nodes that launched the intrusion, including isolating nodes, revoking certificates, forcing the attacked node into the sleep state, and dropping packets and requesting retransmission, depending on the attack type.

The specific steps of the method are:

1.1) Each node collects data and calculates the security statistics, including this node's packet waiting time, arrival rate and power reduction rate, and the neighbor nodes' packet collision rate and sending frequency.

1.2) Non-cluster-head nodes send the security statistics calculated in step 1.1) to the cluster head node.

1.3) Each node executes the internal attack detection module.

1.4) The cluster head node receives the security statistics sent by the members of its cluster.

1.5) The cluster head node calculates the intrusion feature value from the received security statistics.

1.6) The cluster head searches the intrusion pattern database on this node for a matching intrusion feature value. If one is found, perform step 1.7). If none is found, it sends the intrusion feature value to the base station; the base station, using the global topology information and the intrusion feature value received from the cluster head, searches the global intrusion pattern database stored at the base station and executes the corresponding intrusion response module according to the search result; perform step 1.8).

1.7) Execute the corresponding intrusion response module directly; perform step 1.9).

1.8) The cluster head node executes the external attack detection module.

1.9) Wait for the next detection cycle to arrive and execute 1.1) again.

The external attack detection module executed by the cluster head node includes the following steps:

2.1) Determine whether the waiting time of the member node exceeds the predetermined waiting time threshold. If so, perform step 2.2); if not, perform step 2.8).

2.2) Determine whether the packet collision rate of the member node's neighbor node exceeds the predetermined collision rate threshold. If so, perform step 2.3); if not, perform step 2.5).

2.3) Record that the member node's neighbor node shows collision attack behavior, and notify the other neighbor nodes to suspend data sending and enter the sleep state.

2.4) Calculate the collision attack feature value; perform 2.11).

2.5) Determine whether the average time interval at which the member node's neighbor node sends data packets is less than the predetermined time interval threshold. If so, perform step 2.6); if not, give the member node priority to send its data packets and perform step 2.13).

2.6) Record that the member node's neighbor node shows unfair competition attack behavior, and isolate the malicious node.

2.7) Calculate the unfair competition feature value; perform 2.11).

2.8) Determine whether the member node's packet arrival rate or power reduction rate is too high. If so, perform step 2.9); if not, perform step 2.13).

2.9) Record that the member node is suffering an exhaustion attack, and require the node to enter the sleep state immediately.

2.10) Calculate the exhaustion attack feature value.

2.11) Determine whether the intrusion database is full. If so, delete the earliest added intrusion feature value and add the newly calculated attack feature value to the local intrusion database; if not, add the newly calculated attack feature value to the local intrusion database directly.

2.12) Execute the intrusion tracking and intrusion response modules.

2.13) Wait for the next detection cycle to arrive and perform a new round of detection.
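An added example (not code from the patent) of the cluster head's side of this procedure: the pattern lookup of step 1.6), the decision tree of steps 2.1) to 2.13), and the bounded "sliding window" intrusion database described earlier. The threshold values, the signature encoding and all names are assumptions, and the base-station lookup of step 1.6) is left out.

```python
from collections import OrderedDict
from dataclasses import dataclass

# Thresholds are assumed values; the patent only calls them "predetermined".
WAIT_MAX = 0.5            # seconds, step 2.1
COLLISION_MAX = 0.30      # fraction of frames, step 2.2
SEND_INTERVAL_MIN = 0.05  # seconds, step 2.5
ARRIVAL_MAX = 200.0       # packets per second, step 2.8
POWER_DROP_MAX = 0.02     # battery fraction per cycle, step 2.8

RESPONSE = {  # responses named in steps 2.3, 2.6 and 2.9
    "collision": "other neighbors pause sending and sleep",
    "unfair_competition": "isolate the offending neighbor",
    "exhaustion": "member node sleeps immediately",
}


@dataclass(frozen=True)
class MemberReport:
    """Security statistics one member sends per cycle (steps 1.1-1.2)."""
    node_id: int
    wait_time: float
    arrival_rate: float
    power_drop_rate: float
    neighbor_collision_rate: float
    neighbor_send_interval: float


def signature(r):
    """Assumed feature value: indicators quantised so close readings match."""
    return (round(r.wait_time, 1), round(r.arrival_rate, -1),
            round(r.power_drop_rate, 2), round(r.neighbor_collision_rate, 1),
            round(r.neighbor_send_interval, 2))


class IntrusionDB:
    """Bounded signature store kept on a cluster head."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.records = OrderedDict()   # signature -> [attack, last seen]

    def match(self, sig, now):
        rec = self.records.get(sig)
        if rec is None:
            return None
        rec[1] = now                   # refresh the intrusion time field
        return rec[0]

    def add(self, sig, attack, now):   # step 2.11
        if sig not in self.records and len(self.records) >= self.capacity:
            self.records.popitem(last=False)   # drop the earliest added
        self.records[sig] = [attack, now]


def classify(r):
    """Anomaly path, steps 2.1-2.10. Returns an attack name or None."""
    if r.wait_time > WAIT_MAX:                              # 2.1
        if r.neighbor_collision_rate > COLLISION_MAX:       # 2.2
            return "collision"                              # 2.3
        if r.neighbor_send_interval < SEND_INTERVAL_MIN:    # 2.5
            return "unfair_competition"                     # 2.6
        return None        # 2.5 "no": member only gets priority to send
    if r.arrival_rate > ARRIVAL_MAX or r.power_drop_rate > POWER_DROP_MAX:
        return "exhaustion"                                 # 2.8 -> 2.9
    return None


def detect(db, r, now):
    """Pattern match first, anomaly detection second.

    Returns (attack, how), where how is "pattern" or "anomaly".
    """
    sig = signature(r)
    known = db.match(sig, now)
    if known:
        return known, "pattern"
    attack = classify(r)
    if attack:
        db.add(sig, attack, now)
        return attack, "anomaly"
    return None, None
```

The `RESPONSE` table is what a caller would look up after `detect` returns an attack name; tracking and the actual response (step 2.12) are outside this sketch.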

The internal attack detection module executed by each node requires each node to hold its own two-level neighbor table and to monitor the behavior of its neighbor nodes accordingly. The method is as follows. While a data packet travels from the source node to the destination node it passes through node X; M is X's next-hop node on this path. X designates G, a neighbor that it shares with M, as the monitoring node that checks M's behavior. When X sends data to M, G temporarily stores the data packet; this storage space can be released when the next data packet that X sends to M is received. The abnormal behaviors that M may show include:

1) If G does not overhear M forwarding the data packet sent by X within the specified time t, M is regarded as dropping packets.

2) If G overhears within the specified time t that M forwarded the data packet sent by X, but the packet header or packet content has been modified, M is regarded as having tampered with the data packet. Integrity authentication is usually implemented with a MAC mechanism; to simplify the operation and save resources, G can XOR the data packet from X with the data packet currently forwarded by M, and if the result is not zero, the forwarded packet can be judged to have been tampered with.

3) If G overhears M forwarding a data packet that claims to have been sent by X, but G has not received such a packet from X, M is regarded as forging packets.
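An added example (not code from the patent) of the monitoring node G described above: it buffers one packet per (X, M) pair and labels what it overhears as a drop, a tampered packet or a forged packet. The class and function names, the timeout value and the constructed trace are assumptions. The byte strings stand for the parts of a packet assumed not to change in transit, since fields that a forwarder legitimately rewrites would make the XOR non-zero on every hop.

```python
def xor_differs(a, b):
    """True when the byte-wise XOR of two packets is not all zero."""
    if len(a) != len(b):
        return True
    return any(x ^ y for x, y in zip(a, b))


class Watchdog:
    """Monitor node G watching next hop M on behalf of sender X."""

    def __init__(self, timeout):
        self.timeout = timeout    # the patent's time t
        self.buffer = {}          # (X, M) -> (packet bytes, time overheard)
        self.events = []          # (kind, M, claimed source)

    def expire(self, now):
        """Behavior 1: nothing forwarded within t is recorded as a drop."""
        for (x, m), (_, heard) in list(self.buffer.items()):
            if now - heard > self.timeout:
                del self.buffer[(x, m)]
                self.events.append(("drop", m, x))

    def heard_send(self, x, m, packet, now):
        """X -> M overheard. The new packet replaces the buffered one,
        which frees its storage as the text describes."""
        self.expire(now)
        self.buffer[(x, m)] = (bytes(packet), now)

    def heard_forward(self, m, claimed_src, packet, now):
        """M forwards a packet that claims to come from claimed_src."""
        held = self.buffer.pop((claimed_src, m), None)
        if held is None:
            kind = "forge"        # behavior 3: G never saw the original
        elif now - held[1] > self.timeout:
            kind = "drop"         # forwarded, but not within t
        elif xor_differs(held[0], bytes(packet)):
            kind = "tamper"       # behavior 2: XOR is non-zero
        else:
            return None           # forwarded intact and in time
        self.events.append((kind, m, claimed_src))
        return kind


# Constructed trace of frames overheard by G (not captured data).
TRACE = [
    ("send", "X", "M", b"id=1;temp=21", 0.0),
    ("fwd", "M", "X", b"id=1;temp=21", 0.2),   # intact
    ("send", "X", "M", b"id=2;temp=22", 2.0),
    ("fwd", "M", "X", b"id=2;temp=99", 2.3),   # content changed
    ("send", "X", "M", b"id=3;temp=23", 4.0),  # never forwarded
    ("send", "X", "M", b"id=4;temp=23", 6.0),
    ("fwd", "M", "X", b"id=4;temp=23", 6.1),   # intact
    ("fwd", "M", "X", b"id=9;temp=50", 6.5),   # X never sent this
]


def replay(trace, timeout=1.0):
    """Feed a trace to a fresh Watchdog and return its event list."""
    g = Watchdog(timeout)
    for op, a, b, packet, t in trace:
        if op == "send":
            g.heard_send(a, b, packet, t)
        else:
            g.heard_forward(a, b, packet, t)
    return g.events
```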

The internal attack detection module includes the following steps:

3.1) Determine whether the received data packet comes from a neighbor node. If so, perform step 3.2); if not, perform step 3.18).

3.2) Determine whether the neighbor node is asking this node to monitor some neighbor node. If not, perform step 3.3); if so, perform step 3.8).

3.3) Determine whether the node that the neighbor node claims it can reach is the base station node. If so, perform step 3.4); if not, perform step 3.6).

3.4) Check whether the base station is a neighbor of that neighbor node. If not, record the identity number of the neighbor node and add 1 to the counter that records the abnormal behavior of falsely claiming to be a neighbor of the base station; if so, perform step 3.22).

3.5) Determine whether the value of the counter recording the abnormal behavior in step 3.4) is greater than the predetermined threshold. If so, conclude that the neighbor node is attempting to launch a sinkhole attack and perform step 3.20); if not, send the abnormal behavior information about the neighbor node to the cluster head and perform step 3.21).

3.6) Determine whether the reachable node claimed by the neighbor node is one of its neighbor nodes. If not, record the identity number of the neighbor node and add 1 to the counter that records this abnormal behavior; if so, perform step 3.22).

3.7) Determine whether the value of the counter recording the abnormal behavior in step 3.6) is greater than the predetermined threshold. If so, conclude that the neighbor node and the reachable neighbor node it claims are colluding in a wormhole attack and perform step 3.20); if not, send the abnormal behavior information about the neighbor node to the cluster head and perform step 3.21).

3.8) Determine whether the monitored node forges data packets. If so, perform step 3.9); if not, perform step 3.12).

3.9) Determine whether the number of forged packets forwarded by the monitored node that claim to come from the same non-neighbor node is greater than the predetermined threshold. If so, perform step 3.10); if not, perform step 3.11).

3.10) Conclude that the monitored node and the node it claims as the source of the forged packets are colluding in a wormhole attack; perform step 3.20).

3.11) Conclude that the monitored node is carrying out a forged-packet attack; perform step 3.20).

3.12) Determine whether the monitored node drops packets. If so, perform step 3.13); if not, perform step 16).

3.13) Determine whether the packet loss rate is within the predetermined reasonable range. If so, perform step 3.14); if not, perform step 3.15).

3.14) Conclude that the monitored node is carrying out a selective forwarding attack; perform step 3.20).

3.15) Determine whether the packet loss rate is greater than predetermined threshold 2. If so, conclude that the monitored node is dead or is deliberately not forwarding packets and perform step 3.20); if not, perform step 3.22).

3.16) Determine whether the monitored node tampers with data packets and the number of tampering events exceeds the predetermined threshold. If so, perform step 17); if not, perform step 3.22).

3.17) Conclude that the source node of the data packet has tampered with data packets; perform step 3.20).

3.18) Add 1 to the counter that records the number of arrivals from this non-neighbor node and determine whether it is greater than the predetermined threshold. If so, perform step 3.19); if not, send the abnormal behavior information about this node to the cluster head node and perform step 3.21).

3.19) Conclude that the source node of the data packet is carrying out a denial-of-service attack; the node sleeps for a short period of time.

3.20) Execute the intrusion tracking and intrusion response modules; perform step 3.22).

3.21) The cluster head, using the intra-cluster information it holds, makes an intrusion judgment on the abnormal node behavior reported by the member nodes and executes the corresponding intrusion response module.

3.22) Wait for the next detection cycle to arrive and perform a new round of detection.
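An added example (not code from the patent) of the decision procedure in steps 3.1) to 3.22) as it would run on one node, with the two-level neighbor table as a dictionary and the monitoring results passed in as per-cycle counts. All threshold values, names and the sample table are assumptions; "non-neighbor" in step 3.9) is read here as a node that is not in the monitored node's neighbor list.

```python
from collections import Counter

BASE = "BS"                 # assumed identifier of the base station
# Assumed thresholds; the patent calls them "predetermined" without values.
CLAIM_MAX = 2               # steps 3.5 and 3.7
FORGE_MAX = 2               # step 3.9
LOSS_RANGE = (0.10, 0.60)   # step 3.13, the "reasonable range"
LOSS_DEAD = 0.90            # step 3.15, "threshold 2"
TAMPER_MAX = 2              # step 3.16
FOREIGN_MAX = 3             # step 3.18

# Constructed two-level neighbor table held by node A: A's own neighbors
# plus the neighbor list of each of those neighbors.
SAMPLE_TABLE = {
    "A": {"B", "C", "M"},
    "B": {"A", "C"},
    "C": {"A", "B", "BS"},
    "M": {"A", "X"},
}


class InternalDetector:
    """Return values: an attack name means run tracking and response
    (step 3.20), "report" means send the observation to the cluster head
    (step 3.21), "ok" means wait for the next cycle (step 3.22)."""

    def __init__(self, me, table):
        self.me = me
        self.table = table          # node id -> set of that node's neighbors
        self.claims = Counter()     # (neighbor, attack kind) -> bad claims
        self.foreign = Counter()    # non-neighbor sender -> packets received

    def on_route_claim(self, sender, reachable):
        """Steps 3.1, 3.3-3.7, 3.18-3.19: sender claims it can reach a node."""
        if sender not in self.table[self.me]:                # 3.1 "no"
            self.foreign[sender] += 1                        # 3.18
            if self.foreign[sender] > FOREIGN_MAX:
                return "dos"                                 # 3.19
            return "report"
        if reachable in self.table.get(sender, set()):       # 3.4 / 3.6 "yes"
            return "ok"
        kind = "sinkhole" if reachable == BASE else "wormhole"   # 3.3
        self.claims[(sender, kind)] += 1
        if self.claims[(sender, kind)] > CLAIM_MAX:          # 3.5 / 3.7
            return kind
        return "report"

    def on_monitor_summary(self, m, forged_src, drops, sent, tampers):
        """Steps 3.8-3.17 for monitored node m.

        forged_src lists the claimed source of each forged packet; drops,
        sent and tampers are counts for the current detection cycle.
        """
        if forged_src:                                       # 3.8
            far = Counter(s for s in forged_src
                          if s not in self.table.get(m, set()))
            if far and max(far.values()) > FORGE_MAX:        # 3.9
                return "wormhole"                            # 3.10
            return "forgery"                                 # 3.11
        if drops and sent:                                   # 3.12
            rate = drops / sent
            if LOSS_RANGE[0] <= rate <= LOSS_RANGE[1]:       # 3.13
                return "selective_forwarding"                # 3.14
            if rate > LOSS_DEAD:                             # 3.15
                return "dead_or_not_forwarding"
            return "ok"
        if tampers > TAMPER_MAX:                             # 3.16
            return "tampering"                               # 3.17
        return "ok"
```

Note that a single inconsistent claim only produces a report to the cluster head; a local verdict needs the counter to pass its threshold, which is the false-alarm control the description relies on.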

Beneficial effects: Addressing the particular nature of wireless sensor networks, the method of the invention proposes an efficient hybrid intrusion detection method that combines several approaches. It is mainly used to detect the external and internal attacks to which wireless sensor networks are susceptible and to respond to intrusions in time, avoiding further harm from the attack. The proposed method can address the security problems that simple encryption and authentication cannot prevent. It guarantees the objective accuracy, completeness and timeliness of intrusion detection without adding any detection equipment or consuming excessive resources, thereby further protecting the security of the wireless sensor network. A specific description follows.

Hybrid nature: According to different criteria, traditional intrusion detection systems can be divided into several types: host-based and network-based, anomaly-based and pattern-based, centralized and distributed, and so on. Each has its own advantages, disadvantages and suitable settings. To make full use of the strengths of the various detection methods, the design combines them organically. The collected data includes data about the behavior of individual sensor nodes and data related to network performance. The detection tasks are distributed over the sensor nodes, while the cluster heads and the base station also take on the detection and confirmation, within the cluster and across the whole network, of abnormal behavior that a single node cannot confirm. The intrusion detection modules at every level combine anomaly detection and pattern detection, which speeds up and simplifies the detection of known attacks while new attacks are being detected.

Effectiveness: The method of the invention proposes corresponding detection methods for the different characteristics of external attacks and internal attacks. The detection of external intrusions is built on simple statistical indicators and can effectively detect attacks including collision, exhaustion, unfair competition, tampering and message injection. The internal intrusion detection method uses the neighbor tables from the topology formation process to detect and suppress the different attacks of non-neighbor nodes effectively. The use of the "sliding window" mechanism and the timely release of temporary storage space greatly reduce the storage pressure on the nodes, which helps in detecting more attacks effectively.

Objective accuracy: The method of the invention requires the nodes at every level to base their intrusion judgments on certain empirical values. That is, a given abnormal behavior of a node must reach the predetermined threshold and be detected by several nodes before the node can be concluded to be malicious and the intrusion response function triggered. This is designed for the harsh and error-prone communication environment of wireless sensor networks, to reduce the false alarm rate and to prevent malicious nodes from deliberately isolating legitimate nodes, and it achieves objectivity and accuracy in intrusion detection.

Description of the drawings

Figure 1 is a logical diagram of intrusion detection in a hierarchical, cluster-based wireless sensor network.

Figure 2 is a flowchart of intrusion detection for external attacks.

Figure 3 is a diagram illustrating internal attacks.

Figure 4 is a flowchart of intrusion detection for internal attacks.

Detailed description of the embodiments

Assume that for a short period after the wireless sensor network is deployed there are no malicious nodes in the network; that each node, through the neighbor discovery process, stores its own neighbor table (nodes reachable in one hop) and its neighbors' neighbor tables; that the base station retains the topology of the whole network on this basis; and that data packets carry the identities of the source and destination nodes.

For ease of description, the attacks to which wireless sensor networks are exposed are divided into external attacks and internal attacks, and the implementation of the hybrid intrusion detection method is described on that basis.

1. Intrusion detection of external attacks

External attacks against wireless sensor networks occur mainly at the data link layer and include collision attacks, unfair competition, resource exhaustion attacks and integrity attacks.

Collision attack: while the channel is busy, a malicious node deliberately sends data or control packets on that channel, so that normal packets are corrupted and discarded.

Unfair competition: in media access control (MAC) protocols based on request-to-send/clear-to-send (RTS/CTS), the shared channel is used on a first-come, first-served basis, and other nodes must wait a random time unit before attempting to send. A malicious node deliberately waits a shorter time, or does not wait at all, before sending on the channel, so that normal nodes cannot obtain fair use of the shared channel.

Exhaustion attack: in RTS/CTS-based MAC protocols, if a malicious node continuously sends RTS packets to a node, that node has to keep answering with CTS packets, and its resources are eventually exhausted.

Integrity attack: a malicious node injects packets into the channel or tampers with packets already in it, reducing the credibility and availability of the data.

Detection indicators:

The following statistics are defined as the indicators that trigger detection of the above attacks.

Collision rate Re: the time (seconds) during which collisions occur at a node per unit time (second).

Packet waiting time Tw: the time a packet waits in the MAC-layer buffer before being sent.

Packet sending frequency Fs: the number of packets sent per unit time (second).

RTS packet arrival rate RRTS: the number of RTS packets a node successfully receives per unit time (second).

Degree of power reduction Dpw: the ratio of the power reduction in the current unit time to the power reduction in the previous unit time.

Degree of energy consumption: the ratio of the energy consumed in the current unit time to the energy consumed in the previous unit time.

Packet retransmission frequency Frs: the number of times the same packet is resent per unit time (second).

When an intrusion occurs these indicators change markedly. They are collected periodically and used to estimate the probability of intrusion, which determines whether an intrusion has occurred.

Detection steps:

1-1) Each node collects data and calculates the indicators above.

1-2) Check whether the current indicator values match a behavior recorded in steps 1-5), 1-7), 1-9) or 1-11), and perform the matching step; if no step matches, perform step 1-3);

1-3) The node judges whether its own waiting time exceeds the predetermined waiting-time threshold. If not, perform step 1-7);

1-4) Judge whether the collision rate of some neighbor node exceeds the predetermined collision-rate threshold while the packet retransmission rate of another neighbor node exceeds its predetermined threshold. If not, perform step 1-5);

1-5) Record the neighbor node's collision attack behavior, and notify the other neighbor nodes to suspend sending data and enter the sleep state. Perform step 1-1);

1-6) Judge whether the average interval at which some neighbor node sends packets is less than the predetermined interval threshold;

1-7) Record the neighbor node's unfair competition behavior and notify the cluster head node, which isolates the malicious node. Perform step 1-1);

1-8) Judge whether this node's packet arrival rate or power reduction rate is too high. If not, perform step 1-9);

1-9) The node is under an exhaustion attack and enters the sleep state. Perform step 1-1);

1-10) Judge the integrity of the message;

1-11) If integrity has been violated, discard the packet and request retransmission. Perform step 1-1).
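The threshold checks on Tw, Re, Frs, the sending interval, RRTS and Dpw can be exercised with the following added Python example, which is not part of the patent text. The branch order follows claim 2 on this page, with the retransmission condition of step 1-4); all threshold values, class names and sample reports are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed thresholds; the page leaves the actual values to the deployment.
TW_MAX, RE_MAX, FRS_MAX = 0.5, 0.3, 4.0        # s, s of collision per s, resends per s
GAP_MIN, RRTS_MAX, DPW_MAX = 0.02, 20.0, 2.0   # s, RTS packets per s, ratio

@dataclass
class Neighbor:
    re: float = 0.0                                   # Re: collision rate
    frs: float = 0.0                                  # Frs: retransmissions per second
    send_times: list = field(default_factory=list)    # timestamps of sent packets (s)

    def mean_gap(self):
        """Average interval between sends; None with fewer than two packets."""
        t = self.send_times
        return (t[-1] - t[0]) / (len(t) - 1) if len(t) > 1 else None

@dataclass
class Report:              # indicators of one member node for one detection period
    node: str
    tw: float              # Tw: waiting time in the MAC buffer
    rrts: float            # RRTS: RTS packets received per second
    energy_used: float     # energy consumed during this period
    neighbors: dict        # neighbor id -> Neighbor

class ClusterHead:
    def __init__(self, db_size=2):
        self.db = deque(maxlen=db_size)   # local intrusion database, oldest entry evicted
        self.prev_energy = {}             # node -> energy used in the previous period

    def dpw(self, r):
        """Dpw: consumption in this period divided by that of the previous period."""
        prev = self.prev_energy.get(r.node)
        self.prev_energy[r.node] = r.energy_used
        return r.energy_used / prev if prev else 1.0

    def classify(self, r):
        """Return (attack, node) or None for one report."""
        dpw = self.dpw(r)
        if r.tw > TW_MAX:
            jam = [n for n, s in r.neighbors.items() if s.re > RE_MAX]
            resend = [n for n, s in r.neighbors.items() if s.frs > FRS_MAX]
            for n in jam:                 # one neighbor collides, another must resend
                if any(m != n for m in resend):
                    return ("collision", n)
            for n, s in r.neighbors.items():
                gap = s.mean_gap()
                if gap is not None and gap < GAP_MIN:
                    return ("unfair_competition", n)
            return None                   # congestion without an identifiable culprit
        if r.rrts > RRTS_MAX or dpw > DPW_MAX:
            return ("exhaustion", r.node)  # here the node named is the victim
        return None

    def process(self, r):
        verdict = self.classify(r)
        if verdict is not None and verdict not in self.db:
            self.db.append(verdict)       # a full database drops its earliest entry
        return verdict

def run_demo():
    ch = ClusterHead(db_size=2)
    reports = [                           # constructed sample reports
        Report("S1", 0.1, 5.0, 1.0, {}),
        Report("S1", 0.1, 50.0, 3.0, {}),
        Report("S2", 0.9, 5.0, 1.0, {"A": Neighbor(re=0.6), "B": Neighbor(frs=6.0)}),
        Report("S3", 0.8, 5.0, 1.0, {"C": Neighbor(send_times=[0.0, 0.01, 0.02, 0.03])}),
        Report("S4", 0.9, 5.0, 1.0, {"A": Neighbor(re=0.6, frs=6.0)}),
    ]
    return ch, [ch.process(r) for r in reports]

if __name__ == "__main__":
    print(run_demo()[1])
```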

2. Intrusion detection of internal attacks

In a wireless sensor network, an internal attack is one in which the attacker captures one or more legitimate nodes, obtains key material or sensitive information, and runs malicious code or behaves maliciously under a legitimate identity. Such attacks are concentrated at the network layer and include the following, among others.

Selective forwarding: after capturing a node, the attacker selectively discards packets that should be forwarded. The harm to the network is especially great when the attacking node lies on the optimal forwarding path.

Sinkhole attack: the attacker uses a high-power transceiver to form a single-hop route to the base station, or a route that reaches the base station faster than other nodes, attracting nodes over a wide surrounding area to forward packets to the base station with it as their parent node, so that large numbers of packets fail to reach the correct destination node.

Wormhole attack: usually carried out by two colluding malicious nodes. The malicious node farther from the base station claims that it can establish a low-latency, high-bandwidth link with a node near the base station, thereby attracting surrounding nodes to send packets to it and disrupting normal clustering.

Sybil attack: one malicious node presents itself as multiple sensor nodes, that is, one physical device has multiple identities, covering both forged identities and stolen identities.

Hello flooding attack: during the neighbor discovery phase of network deployment, a malicious node broadcasts Hello packets at sufficiently high power. Nodes that receive the Hello packets take the malicious node as their neighbor and later send data to it, so that nodes transmitting at ordinary power cannot deliver their packets to the destination.

Detection method:

A data packet sent from source node S to destination node D passes through node X, and M is the next hop after X on this path. X designates G, a neighbor node it has in common with M, as the monitoring node that checks M's behavior. When X sends data to M, G temporarily stores the packet (this storage can be released when G receives the next packet sent from X to M) and uses it to detect abnormal forwarding behavior by M. See Figure 3.

(1) If G does not overhear M forwarding the packet sent by X within the specified time t, M is deemed to have dropped the packet.

(2) If G overhears, within the specified time t, that M forwarded the packet sent by X but the header or content was modified, M is deemed to have tampered with the packet. Integrity authentication is usually implemented with a message authentication code (MAC) mechanism; to simplify the operation and save resources, G can XOR the packet from X with the packet M is currently forwarding, and if the result is not zero the forwarded packet is judged to have been tampered with.

(3) If G overhears M forwarding a packet claimed to be from X, but G did not receive that packet from X, M is deemed to be forging packets.

(4) If G overhears that M and G itself receive packets from the same non-neighbor node, that node can be regarded as attempting to launch Sinkhole and Wormhole attacks.

The hybrid intrusion detection method requires G to maintain a counter for each kind of abnormal behavior by M, denoted CNTx(G, M), and to set an upper limit c1 according to the network environment and the security needs of the application. Only when CNTx(G, M) ≥ c1 may G conclude that M's behavior is malicious and trigger the intrusion response function.

Response operation:

G triggers this function when CNTx(G, M) ≥ c1.

(1) G deletes M from its own neighbor table and sends an authenticable message to M's neighbors, informing them that M has shown a certain malicious behavior. At this point G can release the resources used for monitoring M.

(2) A neighbor of M (for example node N) authenticates the received message. After verifying that the message really comes from G and that M is its own neighbor, N adds 1 to its counter CNT(N, M) for the corresponding malicious behavior of M.

(3) N checks the value of CNT(N, M). If CNT(N, M) ≥ c2, N treats M as a malicious node: it sends no data to M, forwards no packets from M, and deletes M's information from its neighbor table, thereby isolating the node.
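Monitoring rules (1) to (3) and the three response steps above, as an added Python example that is not part of the patent text. The shared HMAC key standing in for the "authenticable message", the values c1 = c2 = 2 and t = 1.0 s, the node names and the overheard frames are constructed assumptions, and the replay guard on alerts is an addition the page does not describe.

```python
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-demo-key"   # assumption: key shared by legitimate nodes

def xor_differs(a: bytes, b: bytes) -> bool:
    """Rule (2): XOR buffered and forwarded packet; any non-zero byte means modified."""
    return len(a) != len(b) or any(x ^ y for x, y in zip(a, b))

def tag(reporter: str, suspect: str, kind: str) -> bytes:
    """Authentication tag over an alert (HMAC-SHA256, chosen for this example)."""
    return hmac.new(KEY, f"{reporter}|{suspect}|{kind}".encode(), hashlib.sha256).digest()

class Node:
    def __init__(self, name, neighbors, c1=2, c2=2, t=1.0):
        self.name, self.neighbors = name, set(neighbors)
        self.c1, self.c2, self.t = c1, c2, t
        self.cnt = Counter()      # CNTx(G, M), keyed by (behavior x, M)
        self.reports = Counter()  # CNT(N, M)
        self.seen = set()         # alerts already counted (replay guard, an addition)
        self.slot = {}            # (X, M) -> (packet, deadline); one packet per link
        self.isolated = set()

    def watch(self, x, m):
        """X designates this node (G) to monitor its next hop M."""
        self.slot[(x, m)] = None

    def _record(self, kind, m, out):
        self.cnt[(kind, m)] += 1
        out.append(kind)
        if self.cnt[(kind, m)] >= self.c1 and m in self.neighbors:
            # Response step (1): drop M, free monitoring state, alert M's neighbors.
            self.neighbors.discard(m)
            for link in [l for l in self.slot if l[1] == m]:
                del self.slot[link]
            out.append(("ALERT", self.name, m, kind, tag(self.name, m, kind)))

    def overhear(self, now, sender, receiver, claimed_src, packet):
        """Process one overheard frame; return the anomalies and alerts G recorded."""
        out = []
        for (x, m), held in list(self.slot.items()):
            # Rule (1): the buffered packet was not forwarded by M within t.
            if (x, m) in self.slot and held and now > held[1]:
                self.slot[(x, m)] = None
                self._record("drop", m, out)
        if (sender, receiver) in self.slot:
            # X -> M: keep only the newest packet; the previous slot is released.
            self.slot[(sender, receiver)] = (packet, now + self.t)
        elif (claimed_src, sender) in self.slot:
            held = self.slot[(claimed_src, sender)]
            self.slot[(claimed_src, sender)] = None
            if held is None:
                # Rule (3). A forward arriving after expiry also lands here,
                # which is one reason a single event never triggers a response.
                self._record("forge", sender, out)
            elif xor_differs(held[0], packet):
                self._record("tamper", sender, out)   # rule (2)
        return out

    def receive_alert(self, alert):
        """Response steps (2)-(3) at a neighbor N of M; True once M is isolated."""
        _, reporter, m, kind, mac = alert
        valid = hmac.compare_digest(mac, tag(reporter, m, kind))
        if valid and m in self.neighbors and (reporter, m, kind) not in self.seen:
            self.seen.add((reporter, m, kind))
            self.reports[m] += 1
            if self.reports[m] >= self.c2:
                self.isolated.add(m)
                self.neighbors.discard(m)
        return m in self.isolated

def run_demo():
    g = Node("G", {"X", "M"}); g.watch("X", "M")
    h = Node("H", {"W", "M"}); h.watch("W", "M")
    n = Node("N", {"M", "G", "H"})
    # Constructed frames: (time, sender, receiver, claimed source, packet)
    frames_g = [
        (0.0, "X", "M", "X", b"A1"), (0.2, "M", "D", "X", b"A1"),   # honest forward
        (2.0, "X", "M", "X", b"A2"), (2.3, "M", "D", "X", b"AX"),   # modified
        (4.0, "X", "M", "X", b"A3"),                                 # never forwarded
        (6.0, "X", "M", "X", b"A4"), (6.5, "M", "D", "X", b"A4"),
        (7.0, "M", "D", "X", b"Z9"),                                 # nothing was sent by X
        (8.0, "X", "M", "X", b"A5"), (8.1, "M", "D", "X", b"A?"),   # modified again
    ]
    frames_h = [(0.0, "W", "M", "W", b"B1"), (3.0, "W", "M", "W", b"B2"),
                (6.0, "W", "M", "W", b"B3")]                         # M forwards none of them
    log, isolated = [], []
    for node, frames in ((g, frames_g), (h, frames_h)):
        for f in frames:
            for ev in node.overhear(*f):
                log.append((node.name, ev if isinstance(ev, str) else "ALERT:" + ev[3]))
                if not isinstance(ev, str):
                    isolated.append(n.receive_alert(ev))
    return log, isolated, g, n

if __name__ == "__main__":
    print(run_demo()[:2])
```

With c2 = 2, N isolates M only after a second monitor independently reaches c1, which is the multi-node confirmation the method relies on to keep one faulty or malicious reporter from isolating a legitimate node.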

The hybrid intrusion detection method detects selective forwarding attacks directly and effectively. Under the stated assumptions, adopting the policy of sending data only to neighbor nodes and forwarding only data received from neighbor nodes also effectively resists Hello flooding attacks.

For Wormhole attacks, on the one hand, when a neighbor node receives a request to send data to M' for M' to relay to M, and finds that M is not a neighbor of M', it can suspect M' and M of colluding in a Wormhole attack and report this to G', the monitoring node of M'. On the other hand, while a Wormhole attack is in progress, when M' forwards a response packet from M, the monitoring node G' of M' can detect the abnormal behavior of M', because G' did not receive the corresponding message from Y. When M' sends data back to M along the same path in the reverse direction, M's monitoring node G can likewise detect M's abnormal behavior.

A Sinkhole attack is characterized by the use of a high-power transceiver to form a single-hop route to the base station, or a route that reaches the base station faster than other nodes, so detecting it is simpler. On the one hand, when the base station receives data from a high-power non-neighbor node, it can essentially conclude that the node is attempting a Sinkhole attack, discard the packets that node sends, and notify the other nodes in the network in a secure manner. On the other hand, a node that receives an "invitation" from the Sinkhole attack node can conclude that the sender is behaving abnormally by checking whether it is one of its own neighbors; and the monitoring node of the Sinkhole attack node (in fact the monitoring node of the normal node that the malicious node captured in order to carry out the Sinkhole attack) can also judge the monitored node abnormal when it observes that the node's transmit power has increased markedly compared with its earlier, normal behavior.

The main purpose of a Sybil attack is to reduce the effectiveness of multipath routing; its behavioral signature is the use of stolen legitimate node identities to attract and discard packets that should be forwarded. Because of the neighbor tables, a Sybil attacker can only steal the ID of a neighbor of some node S on the current path. The method for detecting internal attacks proposed here can effectively isolate the impersonated node. To avoid and prevent Sybil attacks at the root, an identity-based key pre-distribution mechanism is used to bind the pre-stored key information to the node's identity information, limiting a malicious node's ability to compromise and impersonate multiple legitimate nodes. In addition, geographic routing protocols can detect that a malicious node's location is inconsistent with the location of the node it claims to be, and so effectively detect and prevent Sybil attacks.

Detection steps:

2-1) Judge whether the received packet comes from a neighbor node. If so, perform step 2-2); if not, perform step 2-16),

2-2) Judge whether the neighbor node asks this node to monitor a certain neighbor node; if not, perform step 2-3); if so, perform step 2-8),

2-3) Judge whether the node that the neighbor node claims it can reach is the base station node; if so, perform step 2-4); if not, perform step 2-6),

2-4) Check whether the base station is a neighbor of that neighbor node; if not, record the neighbor node's ID and increment the counter recording this abnormal behavior, Csh = Csh + 1,

2-5) Judge whether Csh is greater than the predetermined threshold Csh; if so, conclude that the neighbor node is attempting a Sinkhole attack and perform step 2-17),

2-6) Judge whether the node the neighbor node claims to reach is one of its neighbors; if not, record the neighbor node's ID and increment the counter recording this abnormal behavior, Cwh = Cwh + 1,

2-7) Judge whether Cwh is greater than the predetermined threshold Cwh; if so, conclude that the neighbor node and the node it claims to reach are colluding in a Wormhole attack and perform step 2-17),

2-8) Judge whether the monitored node forges packets; if so, perform step 2-9); if not, perform step 2-12),

2-9) Judge whether the number of forged packets forwarded by the monitored node and claimed to come from the same non-neighbor node is greater than the predetermined threshold Cf; if so, perform step 2-10); if not, perform step 2-11),

2-10) Conclude that the monitored node and the node it claims as the source of the forged packets are colluding in a Wormhole attack; perform step 2-17),

2-11) Conclude that the monitored node is carrying out a forged-packet attack. Perform step 2-17),

2-12) Judge whether the monitored node drops packets; if so, perform step 2-13),

2-13) Judge whether the packet loss rate is within the predetermined reasonable range; if so, perform step 2-14); if not, perform step 2-15),

2-14) Conclude that the monitored node is carrying out a selective forwarding attack; perform step 2-17),

2-15) When the packet loss rate is too high, judge whether it is greater than predetermined threshold 2; if so, conclude that the monitored node is dead or deliberately not forwarding packets, and perform step 2-17),

2-16) Record the number of arrivals C_ID from the non-neighbor node and judge whether C_ID is greater than the predetermined threshold C_ID; if so, perform step 2-17),

2-17) Enter the intrusion tracking and intrusion response module.

Claims (4)

1. A hybrid intrusion detection method suitable for wireless sensor networks, characterized in that the detection method combines host-based and network-based, centralized and distributed, and anomaly-based and pattern-based detection methods, and extends the lifetime of the network while ensuring network security, the specific steps of the method being:
1.1) Each node collects data and calculates the security statistical indicators, including this node's packet waiting time, arrival rate and power reduction rate, and the neighbor nodes' packet collision rate and sending frequency,
1.2) Non-cluster-head nodes send the security statistical indicators calculated in step 1.1) to the cluster head node,
1.3) Each node executes the internal attack detection module,
1.4) The cluster head node receives the security statistical indicators sent by the members of its cluster,
1.5) The cluster head node calculates intrusion feature values from the received security statistical indicators,
1.6) The cluster head searches its local intrusion pattern database for a matching intrusion feature value; if one is found, perform step 1.7); if none is found, it sends the intrusion feature value to the base station, which uses the global topology information and the intrusion feature values received from cluster heads to search the global intrusion pattern database stored at the base station and executes the corresponding intrusion response module according to the search result; perform step 1.8),
1.7) Directly execute the corresponding intrusion response module; perform step 1.9),
1.8) The cluster head node executes the external attack detection module,
1.9) Wait for the next detection cycle and re-execute 1.1).

2. The hybrid intrusion detection method suitable for wireless sensor networks according to claim 1, characterized in that the external attack detection module executed by the cluster head node comprises the following steps:
2.1) Judge whether the waiting time of a member node exceeds the predetermined waiting-time threshold; if so, perform step 2.2); if not, perform step 2.8),
2.2) Judge whether the packet collision rate of a neighbor of that member node exceeds the predetermined collision-rate threshold; if so, perform step 2.3); if not, perform step 2.5),
2.3) Record that the neighbor of the member node shows collision attack behavior, and notify the other neighbor nodes to suspend sending data and enter the sleep state,
2.4) Calculate the collision attack feature value; perform 2.11),
2.5) Judge whether the average interval at which the neighbor of the member node sends packets is less than the predetermined interval threshold; if so, perform step 2.6); if not, give the member node priority to send packets and perform step 2.13),
2.6) Record that the neighbor of the member node shows unfair competition attack behavior, and isolate the malicious node,
2.7) Calculate the unfair competition feature value; perform 2.11),
2.8) Judge whether the member node's packet arrival rate or power reduction rate is too high; if so, perform step 2.9); if not, perform step 2.13),
2.9) Record that the member node is under an exhaustion attack, and require the node to enter the sleep state immediately,
2.10) Calculate the exhaustion attack feature value,
2.11) Judge whether the intrusion database is full; if so, delete the earliest added intrusion feature value and add the newly calculated attack feature value to the local intrusion database; if not, add the newly calculated attack feature value to the local intrusion database directly,
2.12) Execute the intrusion tracking and intrusion response module,
2.13) Wait for the next detection cycle and perform a new round of detection.

3. The hybrid intrusion detection method suitable for wireless sensor networks according to claim 1, characterized in that the internal attack detection module executed by each node requires the node to hold its own two-level neighbor table and to monitor the behavior of its neighbor nodes on that basis, the method used being: a data packet sent from the source node to the destination node passes through node X, and M is the next hop after X on this path; X designates G, a neighbor node it has in common with M, as the monitoring node that checks M's behavior; when X sends data to M, G temporarily stores the packet, and this storage can be released when G receives the next packet sent from X to M; the abnormal behaviors M may show include:
1) If G does not overhear M forwarding the packet sent by X within the specified time t, M is deemed to have dropped the packet,
2) If G overhears, within the specified time t, that M forwarded the packet sent by X but the header or content was modified, M is deemed to have tampered with the packet; integrity authentication is usually implemented with a message authentication code (MAC) mechanism, and to simplify the operation and save resources G can XOR the packet from X with the packet M is currently forwarding, and if the result is not zero the forwarded packet is judged to have been tampered with,
3) If G overhears M forwarding a packet claimed to be from X, but G did not receive that packet from X, M is deemed to be forging packets.

4. The hybrid intrusion detection method suitable for wireless sensor networks according to claim 1, characterized in that the internal attack detection module comprises the following steps:
3.1) Judge whether the received packet comes from a neighbor node; if so, perform step 3.2); if not, perform step 3.18),
3.2) Judge whether the neighbor node invites this node to monitor a certain neighbor node; if not, perform step 3.3); if so, perform step 3.8),
3.3) Judge whether the node that the neighbor node claims it can reach is the base station node; if so, perform step 3.4); if not, perform step 3.6),
3.4) Check whether the base station is a neighbor of that neighbor node; if not, record the neighbor node's identity number and add 1 to the counter recording the abnormal behavior of falsely claiming to be a neighbor of the base station; if so, perform step 3.22),
3.5) Judge whether the value of the counter recording the abnormal behavior in step 3.4) is greater than the predetermined threshold; if so, conclude that the neighbor node is attempting a sinkhole attack and perform step 3.20); if not, send the neighbor node's abnormal behavior information to the cluster head and perform step 3.21),
3.6) Judge whether the node the neighbor node claims to reach is one of its neighbors; if not, record the neighbor node's identity number and add 1 to the counter recording this abnormal behavior; if so, perform step 3.22),
3.7) Judge whether the value of the counter recording the abnormal behavior in step 3.6) is greater than the predetermined threshold; if so, conclude that the neighbor node and the node it claims to reach are colluding in a wormhole attack and perform step 3.20); if not, send the neighbor node's abnormal behavior information to the cluster head and perform step 3.21),
3.8) Judge whether the monitored node forges packets; if so, perform step 3.9); if not, perform step 3.12),
3.9) Judge whether the number of forged packets forwarded by the monitored node and claimed to come from the same non-neighbor node is greater than the predetermined threshold; if so, perform step 3.10); if not, perform step 3.11),
3.10) Determine that the monitored node and the node it claims as the source of the forged packets are colluding in a wormhole attack; perform step 3.20),
3.11) Determine that the monitored node is carrying out a forged-packet attack; perform step 3.20),
3.12) Judge whether the monitored node drops packets; if so, perform step 3.13); if not, perform step 16),
3.13) Judge whether the packet loss rate is within the predetermined reasonable range; if so, perform step 3.14); if not, perform step 3.15),
3.14) Determine that the monitored node is carrying out a selective forwarding attack; perform step 3.20),
3.15) Judge whether the packet loss rate is greater than predetermined threshold 2; if so, conclude that the monitored node is dead or deliberately not forwarding packets and perform step 3.20); if not, perform step 3.22),
3.16) Judge whether the monitored node has tampered with packets and the number of tampering events exceeds the predetermined threshold; if so, perform step 17); if not, perform step 3.22),
3.17) Determine that the source node of the packet has tampered with packets; perform step 3.20),
3.18) Add 1 to the counter recording the number of arrivals from the non-neighbor node and judge whether it is greater than the predetermined threshold; if so, perform step 3.19); if not, send the abnormal behavior of that node to the cluster head node and perform step 3.21),
3.19) Determine that the source node of the packet is carrying out a denial-of-service attack; the node sleeps for a short period,
3.20) Execute the intrusion tracking and intrusion response module; perform step 3.22),
3.21) The cluster head, using the in-cluster information it holds, makes an intrusion judgment on the abnormal node behavior reported by member nodes and executes the corresponding intrusion response module,
3.22) Wait for the next detection cycle and perform a new round of detection.
CNB2007100199763A | 2007-02-05 | 2007-02-05 | Hybrid Intrusion Detection Method for Wireless Sensor Networks | Expired - Fee Related | CN100471141C (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CNB2007100199763A, CN100471141C (en) | 2007-02-05 | 2007-02-05 | Hybrid Intrusion Detection Method for Wireless Sensor Networks

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CNB2007100199763A, CN100471141C (en) | 2007-02-05 | 2007-02-05 | Hybrid Intrusion Detection Method for Wireless Sensor Networks

Publications (2)

Publication Number | Publication Date
CN101013976A (en) | 2007-08-08
CN100471141C (en) | 2009-03-18

Family

ID=38701272

Family Applications (1)

Application Number | Priority Date | Filing Date | Title
CNB2007100199763A (Expired - Fee Related), CN100471141C (en) | 2007-02-05 | 2007-02-05 | Hybrid Intrusion Detection Method for Wireless Sensor Networks

Country Status (1)

Country | Link
CN (1) | CN100471141C (en)


Also Published As

Publication number | Publication date
CN100471141C (en) | 2009-03-18


Legal Events

Date | Code | Title | Description
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
EE01 | Entry into force of recordation of patent licensing contract

Application publication date:20070808

Assignee:Jiangsu Nanyou IOT Technology Park Ltd.

Assignor:Nanjing Post & Telecommunication Univ.

Contract record no.:2016320000217

Denomination of invention:Mixed intrusion detection method of wireless sensor network

Granted publication date:20090318

License type:Common License

Record date:20161118

LICC | Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
EC01 | Cancellation of recordation of patent licensing contract

Assignee:Jiangsu Nanyou IOT Technology Park Ltd.

Assignor:Nanjing Post & Telecommunication Univ.

Contract record no.:2016320000217

Date of cancellation:20180116

CF01 | Termination of patent right due to non-payment of annual fee

Granted publication date:20090318

Termination date:20180205
