A Malicious and Malfunctioning Node Detection Scheme for Wireless Sensor Networks

Wireless sensor networks are often used to monitor physical and environmental conditions in various regions where human access is limited. Due to limited resources and deployment in hostile environment, they are vulnerable to faults and malicious attacks. The sensor nodes affected or compromised can send erroneous data or misleading reports to base station. Hence identifying malicious and faulty nodes in an accurate and timely manner is important to provide reliable functioning of the networks. In this paper, we present a malicious and malfunctioning node detection scheme using dual-weighted trust evaluation in a hierarchical sensor network. Malicious nodes are effectively detected in the presence of natural faults and noise without sacrificing fault-free nodes. Simulation results show that the proposed scheme outperforms some existing schemes in terms of mis-detection rate and event detection accuracy, while maintaining comparable performance in malicious node detection rate and false alarm rate.


Introduction
Wireless sensor networks are often deployed in an unattended area of interest for the purpose of remote monitoring in a homogeneous or heterogeneous environment [1].Sensor nodes comprising the networks, in practice, have limited power, memory, and computational capabilities.Such networks are vulnerable to faults and malicious attacks.Hence it is important to detect faulty or malicious nodes in the networks to make correct decisions in the monitoring applications.
Several fault detection and tolerance schemes for wireless sensor networks have been proposed in the literature [2][3][4][5][6][7][8][9].They are developed based on centralized, distributed, and hierarchical models.Due to the importance of energy efficiency, most schemes employ a distributed model, using either neighbor coordination or clustering.These fault detection schemes mainly deal with noise with a certain distribution or randomly and independently generated faults.Malicious nodes, however, have not been deeply investigated, although they are likely to exist in wireless sensor networks due to resource constraints, unreliable communications, and unattended operation.
There are a number of attacks that an attacker can launch against wireless sensor networks once a certain number of sensor nodes have been compromised [10].In the network and routing layer, the attacks include selective forwarding, sinkholes [11], Sybil [12], wormholes [13], HELLO flood attacks [11], black hole attack [14], and DDOS attacks [15], etc.In application layer, attackers may compromise sensor nodes and inject false data to fool data aggregators.To cope with the attacks both prevention-based and detection schemes have been investigated.
Curiac et al. [16] proposed a malicious node detection scheme using an autoregression technique.It uses time series of measured data provided by each sensor node and relies on autoregressive predictor placed in base stations.Signal strength is used to detect malicious nodes in [17], where a message transmission is considered suspicious if the strength is incompatible with the originator's geographical position.Several trust management schemes have been proposed primarily in routing and communication.Various efforts have also been made to combine communication and data trusts [18].
A special type of attack where the compromised nodes behave normally but report false readings to lead to an incorrect decision has recently been investigated in [19,20].Atakli et al. [19] proposed a novel scheme for detecting malicious nodes reporting false data in a hierarchical sensor network.They employed a weighted trust evaluation (WTE in this paper) to make a decision on the correctness of the reports.The weights assigned to sensor nodes are updated after each cycle by reflecting the ratio of the number of incorrectly reporting nodes to the total number of nodes.Ju et al. [20] proposed an improved scheme based on WTE, named weighted-trust application (WTA).The weight of each sensor node is updated based on the behavior of the node itself.
Both WTE and WTA reduce the weights and normalize them after each cycle to keep the values in the range from 0 to 1.In the worst case, however, malicious nodes are likely to be detected with sacrificing some normal nodes.The loss of normal nodes might be problematic due to the resulting lack of network connectivity and sensing coverage.In addition, faults are only partially taken into account in detecting malicious nodes.Consequently, both schemes might not achieve the expected performance in a sensor network where noise, natural faults, and malicious nodes coexist.
In this paper, we propose a dual weighted trust evaluation (DWE) scheme to detect malicious nodes in the face of faults in a hierarchical sensor network, where sensor nodes report their readings to a forwarding node for aggregation.Each sensor node is assigned two trust values.They are increased or decreased depending on its reading and the aggregation result at the forwarding node.An efficient updating policy is developed to keep mis-detection rate low while achieving high malicious node detection rate for a wide range of fault and related probabilities.Moreover, event detection accuracy and false alarm rate are also taken into account to be practically useful.
The rest of the paper is organized as follows.Section 2 describes the network model and fault model to be used throughout the paper.Our dual weighted trust evaluation scheme is presented in Section 3. Experimental results are shown in Section 4. Section 5 concludes the paper.

Network Architecture
The proposed scheme is also based on a three-layer hierarchical network architecture shown in Figure 1 [19], only for comparison purposes, where SN, FN, and BS represent the corresponding layers, respectively.Sensor nodes in SN (sensor node) layer are grouped, and the member nodes in each group directly communicate with the corresponding forwarding node in FN (forwarding node) layer to provide their sensor readings.
Sensor nodes in SN layer are densely deployed to monitor the network area.They have limited power, memory, and computational capabilities.Sensor readings are assumed to be binary, 0 and 1 (alarm), and reported to the FN node.Nodes in FN layer are assumed to be more powerful as far as resources are concerned, and thus more dependable.

Modeling Malicious Nodes
In this paper, malicious nodes in a sensor network are assumed to behave normally but send wrong data to the forwarding node.Such sensor nodes can also be modeled as faulty nodes behaving differently from normal nodes, although the fault model becomes more complicated.In [19] malicious nodes are assumed to keep reporting the opposite information after being compromised.In [20], the ratio of sending wrong information is defined in the simulation.If the ratio is 80%, for example, malicious nodes report correctly 20% of the time to hide them to stay undetected.In reality, sensor readings will be affected by noise, faults, and malicious nodes.Hence malicious nodes have to be detected in the presence of faults and noise.
Both transient and permanent faults are included in the fault model.Transient faults are assumed to occur randomly and independently with the same probability p t .Permanent faults are also assumed to occur with the same probability p p for all the nodes in SN layer.In the case of permanent faults, both stuck-at-0 and stuck-at-1 (alarm) are assumed to occur with the same probability.Malicious nodes, although treated as faulty nodes, are assumed to behave more intelligently not to be detected.In the simulation later, they are assumed to report opposite to the sensor readings with probability p inv .For convenience we list in Table 1 the notation to be used throughout the paper.

Dual Weighted Trust Evaluation
In detecting malicious nodes, we employ trust values of sensor nodes to reflect their track records in decision making process.Each forwarding node maintains trust values of its associated sensor nodes in SN layer as shown in Figure 2, where U n represents the binary sensor reading of the sensor node SN n .Here U n = 1 indicates an alarm to the FN.FN will make a decision on an event based on weighted majority voting with the trust values and s n U  .Two trust values (weights), W0 n and W1 n , ranging between 0 and 1, and initialized to 1, are assigned to each sensor node SN n , 1 ≤ n ≤ N. W0 n represents the trust value of SN n in case of no-events, while W1 n denotes that of SN n in case of events.Employing two weights is to eliminate the cancelation effect due to transitions between event and no-event.The weights represent the sensor node's dependability.That is, the readings of a sensor node with a higher weight are more trustworthy.Updating the values is important to reflect the correctness of the current readings in the future decision making process.
FN collects sensor readings of its associated sensor nodes where "1" denotes an alarm.It then computes weighted sums of 1's and 0's, respectively, as follows.
  The aggregation result at the forwarding node (FN), E, is equal to 1 (i.e., and event) if the decision will be delayed until the inequality is satisfied.
At the end of the aggregation at FN, all the weights assigned to the member nodes are updated as follows: where θ is a penalty ranging between 0 and 1.If U n is not equal to E, the corresponding weight of SN n is reduced by θ.Otherwise, it is increased by θ × r, where r, named here the recovery rate of the lost weight due to a transient fault, is assigned based on the transient fault probability p t .The reason for not simply choosing r = 1 is that a malicious node reporting 0 and 1 at almost the same rate, for example, keeps the weight close to 1, and the node is likely to remain in the network without being detected.To lower the weights of malicious nodes while maintaining the weights of normal nodes close to 1, even in the face of transient faults, an appropriate value of r needs to be chosen.For a given transient fault probability, p t , we set r to be   where δ is proportional to the variance of p t .If p t = 0.1 and δ = 0.05, for example, normal sensor nodes with transient faults up to 15% for a certain period of time, can maintain the weights close to 1.In that case, 0.15 0.176 0.85 r   .A normal node with 15% of incorrect readings due to transient faults for a certain period of time loses its weight by θ each time it reports incorrectly, but gains it by 0.176×θ each time it reports correctly.Eventually, nodes with W n (=min (W0 n , W1 n )) less than or equal to a specified threshold value W low will be determined as faulty (including malicious).For the weight ranging from 0 to 1 the value W low is expected to be 0 unless otherwise stated.

Simulation Setups
Computer simulation is conducted to evaluate the performance of the proposed malicious node detection scheme in a hierarchical sensor network, where 20 sensor nodes are under the control of a single forwarding node.Faults and malicious nodes are generated in accordance with predefined probabilities, p t (transient fault), p p (permanent fault), and p m (malicious node).In the case of permanent faults, both stuck-at-0 and stuck-at-1 are assumed to occur with the same probability.If p t = 0.2, for example, normal nodes are expected to report incorrect readings with a probability of 0.2.If p p = 0.1, both stuck-at-1 and stuck-at-0 occur with probability of 0.05 each.Malicious nodes are randomly generated with probability p m .They are assumed to report opposite to the sensor readings with probability p inv .
Four metrics, malicious node detection rate (MDR), misdetection rate (MR), false alarm rate (FAR), and event detection accuracy (EDA), are defined to show the effectiveness of our scheme compared to the existing WTA and WTE, although they focus only on malicious node detection.MDR is defined to be the ratio between the number of detected malicious nodes and the total number of existing malicious nodes.MR is defined to be the ratio between the number of normal nodes determined to be faulty and the total number of normal nodes.FAR is defined as the ratio of the number of no-event cycles with E = 1 to the total number of no-event cycles.Lastly, EDA is the ratio of the number of event cycles with E = 1 to the total number of event cycles.
In our scheme, if necessary, each sensor node can be logically removed from the network when its weight is less than or equal to W low .Sensor nodes excluded may optionally join the aggregation process later if their weights reach W high .If W low = 0 and W high = 1, for example, suspicious nodes are detected when their weights reach 0. Sensor nodes can be reinstated if their weights increase up to 1 (i.e., W high ).

Experimental Results
Malicious node detection schemes have to achieve high MDR while maintaining low MR.In addition, they need to guarantee high EDA while keeping FAR low.MDR and MR for various values of p inv for the proposed DWE when p t = 0.2, p p = 0.2, p m = 0.2, θ = 0.05, and δ = 0.05, are shown in Figures 3 and 4, respectively.Simulation results after 200 cycles of operation with W low = 0.4 are used for comparison since WTA and WTE stop simulation after a short period of time with the threshold.All the three schemes achieve almost perfect MDR for p inv > p t .WTA and WTE perform better in terms of MDR for p inv ≤ p t .They, however, achieved a higher MDR by sacrificing normal nodes, as can be seen in Figure 4, where mis-detection rate (MR) for WTA and WTE are higher than that for the proposed DWE.MR for DWE is only about 0.01 for the entire range of p inv .More importantly, malicious nodes behaving normally and reporting  similar to normal nodes (i.e., p inv ≤ p t ) do not cause a significant problem even if they stay in the network.Hence MDR for p inv ≤ p t does not carry much meaningful information.
Performance of a malicious node detection scheme partially depends on the correctness of the aggregation results at the forwarding node since wrong decisions at the node lead to inaccurate management of trust values.The resulting false alarms might waste energy and thus shorten the network lifetime.FAR for various values of p inv when p m = p t = p p = 0.2, δ = 0.05, and θ = 0.05 are shown in Figure 5.All the three schemes under comparison achieve extremely low FAR, although WTA performs the best.The proposed DWE is comparable to WTA, but shows a slightly higher FAR.It is due to the facts that stuck-at-0 nodes reduce the chances of having false alarms for all the three schemes, but the weights of normal nodes in WTA are generally lower than those of normal nodes in DWE since DWE recovers the weight lost by transient faults with time.In other words, an alarm from a normal node is counted less in WTA as compared to DWE, resulting in a slightly lower FAR.
The main reason that malicious nodes report false readings might be to lead the forwarding nodes to make an incorrect aggregation, especially in the case of an event.Malicious node detection schemes leading to a low event detection accuracy (EDA) are not acceptable.Hence we now evaluate EDA when an event occurs after 200 non-event cycles, under the assumption that all the sensor nodes associated with a forwarding node are in an event region.The results for various values of p inv for p m = p t = p p = 0.2, δ = 0.05, and θ = 0.05 are shown in Figure 6, where our DWE outperforms WTA and WTE, for the entire range of p inv , maintaining EDA of 0.95 even for relatively high fault probabilities.
The same simulation is conducted to see the changes in performance for four different values of p m .MDR is not included since almost perfect MDR can be obtained for the three different schemes under comparison.DWE consistently outperforms WTA and WTE in terms of MR and EDA as shown in Figures 7-9, respectively.
Stuck-at-1 faults are detected while there are no events.Stuck-at-0 faults, on the other hand, can be identified when an event occurs.After 600 non-event and event cycles almost all of the permanent faults are logically removed from the network, resulting in considerably better EDAs for all the three schemes, compared to Fig- ure 6, as shown in Figure 10.
Finally, we performed simulation to see the changes in performance depending on the values of θ (penalty).As θ increases, malicious nodes lose their weights more quickly, and thus be detected in a relatively short time.On the other hand, normal nodes are more likely to be misdetected as faulty nodes.Hence the value of θ has to be properly chosen to compromise between MDR and MR.MDR and MR for four different values of θ are shown in Table 2, where p inv = 0.2 and 0.3 are chosen to focus on non-trivial cases.
As can be seen in Table 2, MDR for θ = 0.1 is the best while MR increases with θ.Almost all of the malicious nodes are detected when p inv = 0.3 regardless of the value of θ under consideration.The loss of normal nodes due to the increase in θ becomes problematic.The appropriate value of θ for the cases under consideration lies between 0.05 and 0.1.

Conclusion
In this paper, we proposed a malicious and malfunctioning node detection scheme using dual weighted trust evaluation in a hierarchical sensor network.Malicious nodes are detected in the face of faults and noise by using a weighted majority voting.Trust values of sensor nodes are used as weights at the forwarding node to reflect the     correctness of their reports in the decision-making process.The weights are updated in such a way that normal nodes with some transient faults may retain their weights close to 1, while malicious nodes behaving differently from normal nodes gradually lose the weights to be detected.Implementing the scheme does not sacrifice normal nodes even for high fault probabilities.The scheme is presented using a simple hierarchical model for convenience.The simulation is also limited for comparison with some existing schemes.It, however, is developed for more realistic sensor networks, and can thus be applied to different structures without significant modifications.

Figure 2 .
Figure 2. Two trust values assigned to each sensor node.

Figure 3 .
Figure 3. MDR for various values of p inv.

Figure 4 .
Figure 4. MR for various values of p inv .

Figure 5 .
Figure 5. FAR for various values of p inv.

Figure 6 .
Figure 6.EDA for various values of p inv .

Figure 7 .
Figure 7. MR for various values of p m .

Figure 8 .Figure 9 .
Figure 8. FAR for various values of p m .

Figure 10 .
Figure 10.EDA for various values of p inv .
S. H. OH ET AL. 86 invProbability of reporting opposite to sensor readings δ Tolerable variation of transient fault probability