HAL Id: hal-01817483
https://hal.archives-ouvertes.fr/hal-01817483
Submitted on 18 Jun 2018

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

Modeling tools for detecting DoS attacks in WSNs
Paolo Ballarini, Lynda Mokdad, Quentin Monnet

To cite this version: Paolo Ballarini, Lynda Mokdad, Quentin Monnet. Modeling tools for detecting DoS attacks in WSNs. Security and communication networks, John Wiley & Sons, Ltd, 2013, 6 (4), pp.420-436. 10.1002/sec. hal-01817483


SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 0000; 00:1–17

DOI: 10.1002/sec

RESEARCH ARTICLE

Modeling tools for detecting DoS attacks in WSNs
Paolo Ballarini¹, Lynda Mokdad²* and Quentin Monnet²

¹ Laboratoire MAS, École Centrale de Paris
² Laboratoire LACL, Université Paris-Est, Créteil

ABSTRACT

Detecting Denial of Service (DoS) attacks and reducing the energy consumption are two important and frequent requirements in Wireless Sensor Networks (WSNs). In this paper, we propose an energy-preserving solution to detect compromised nodes in hierarchically clustered WSNs. DoS detection is based on using dedicated inspector nodes (cNodes) whose role is to analyze the traffic inside a cluster and to send warnings to the cluster-head whenever an abnormal behavior (i.e. high packets throughput) is detected. With previously introduced DoS detection schema cNodes are statically displaced in strategic positions within the network topology. This guarantees a good detection coverage but leads to quickly draining cNodes battery. In this paper we propose a dynamic cNodes displacement schema according to which cNodes are periodically elected among ordinary nodes of each atomic cluster. Such a solution results in a better energy balance while maintaining good detection coverage. We analyze the tradeoffs between static and dynamic solutions by means of two complementary approaches: through simulation with the NS2 simulation platform and by means of statistical model checking with the Hybrid Automata Stochastic Logic.

Copyright © 0000 John Wiley & Sons, Ltd.

KEYWORDS
DoS attacks; Detection method; Statistical model checking; Modeling tools

* Correspondence
Lynda Mokdad — UPEC Laboratoire LACL, 61 avenue du Général de Gaulle, 94010 Créteil, France. E-mail: [email protected]

Received . . .

INTRODUCTION

Detecting phenomena such as forest fires or seismic activities requires keeping watch over wide areas. Wireless Sensor Networks (WSNs) are often used to achieve this watch. The sensors that make up those WSNs are devices able to perform measurements on their surrounding environment, and to send the collected data to a Base Station (BS). Due to their small size, the sensors have very limited resources: memory, computing capability as well as available energy must be spent with care [GA09][BY10][BF12].

Other uses of WSNs include activities such as preventing chemical, biological or nuclear threats in an area, or collecting data on a military field [LB09] [CS11]. In such sensitive domains, the deployment of a WSN brings out strong requirements in terms of security. Various works deal with ways of preventing unauthorized access to data, or with the necessary precautions to guarantee data authenticity and integrity inside the network [MS11] [BBBP12] [BB12][YB10]. But confidentiality as well as authentication are of poor use if the network is not even able to deliver its data correctly.

Denial of Service in WSNs. Denial of Service (DoS) attacks indeed aim at reducing, or even annihilating, the network's ability to achieve its ordinary tasks, or try to prevent a legitimate agent from using a service [HS05][DFHV10] [FH11]. Because of the limited resources of their nodes, WSNs tend to be rather vulnerable to DoS attacks. For instance, a compromised sensor node can be used in order to send corrupted data at a high rate, either to twist the results or to drain the node’s energy faster.

The problem we deal with in this paper is the development and analysis of detection mechanisms which are efficient both in terms of detection (i.e. they guarantee a high rate of detection of flooding nodes) and in terms of energy (i.e. they guarantee a balanced energy consumption throughout the network).

Clustered WSNs. One way to save some battery power during communications may reside in the choice of the network architecture and of the protocol used to route the data from a sensor to the BS [ATB05]. In a hierarchical WSN, the network is divided into several clusters. The partition is done according to a clustering algorithm such as LEACH [HW00] [OX09], HEED [YF04], or one based on ultra-metric properties [FL11]. In each cluster, a single common node is elected to be a Cluster Head (CH), responsible for directly collecting data from the other nodes in the cluster. Once enough data has been gathered, the CHs proceed to data aggregation [YL11]. Then they forward their results to the BS. CHs are the only nodes to communicate with the BS, either directly, through a long-range radio transmission, or by multi-hopping through other CHs. So as to preserve the nodes’ energy as long as possible, the network reclustering is repeated periodically, with different nodes being elected as CHs. Note that clustering is not limited to a “single-level” partition. We can also subdivide a cluster into several “sub-clusters”. The CHs from those “sub-clusters” would then send their aggregated data to the CHs of their parent clusters.

DoS detection: from static to dynamic guarding policies. In a hierarchically organised WSN, a control node (cNode in the remainder) is a node which is chosen to analyze the traffic directed to the CH of the cluster it belongs to, and potentially detect any abnormal behavior. Therefore cNodes provide us with an efficient way to detect DoS attacks occurring in the network. Note that cNodes are only meant to detect DoS attacks, thus they do not perform any sensing, nor do they send any data (apart from attack detection alarms). cNodes-based detection was first presented in [LC08], but the authors do not mention any periodical (cNodes) re-election scheme. One can suppose that the renewal of the election occurs each time the clustering algorithm is repeated. In [GM12], we proposed a dynamic approach: cNodes are re-elected periodically (any node in a cluster may be chosen, except the CH) with the election period selected to be shorter than that between two network clusterings. Intuitively such a dynamic approach (in comparison to that of [LC08]) leads to a more uniform energy consumption while preserving a good detection ability.

Our contribution. In this paper we address the problem of validating the above conjecture by means of modeling techniques. More specifically our contribution regards the following aspects:

i. we present a characterization of Markov chain models for representing DoS detection mechanisms and detail relevant steady-state measures analytically (i.e. we give the expression for the probability of detection of attacks in the Markov chain model);

ii. we present a number of numerical results obtained by simulation of DoS detection on WSN models by means of the network simulator NS2 [NS2]. In particular we simulate models of grid topology WSN including DoS (static and dynamic) detection policies;

iii. we present formal models of the DoS detection mechanisms expressed in terms of Generalized Stochastic Petri Nets (GSPN). In combination with GSPN models we also present a number of performance and dependability properties formally expressed in terms of the Hybrid Automata Stochastic Logic (HASL) [BDDHP11].

The structure of the paper is as follows: in Section 1 we give an overview of DoS attack detection for cluster-based WSNs. In Section 2 we detail the networking solution we want to model, including the LEACH clustering algorithm which we refer to. In Section 3 we describe the structure of Markov chain models for modelling an attacked network. In Section 4 we present simulation experiments obtained with the NS2 platform. In Section 5 we present the application of statistical model checking performance analysis to Petri Nets models of attacked WSNs. Finally we give some final remarks in the Conclusion.

1. RELATED WORKS

To deal with DoS attacks in wireless sensor networks, many research studies have been conducted.

In [LC08], the authors propose a detection system based on static election of a set of special nodes called “guarding nodes” which analyze the network traffic. When detecting abnormal traffic from a given node, “guarding nodes” identify it as a compromised node and they inform the cluster head of it. In this study, the authors show the benefit of their method by presenting numerical analysis of detection rate but they don’t consider the energy of the elected node which dies very quickly.

Back in 2001, most works focused on making WSNs feasible and useful. But some people were already involved in security. For instance, Perrig et al. proposed SPINS (Security Protocols for Sensor Networks) in [AP01] to provide networks with two symmetric key-based security building blocks. The first block, called SNEP (Secure Network Encryption Protocol), provides data confidentiality, two-party data authentication and data freshness. The second block, called µTESLA (“micro” version of the Timed, Efficient, Streaming, Loss-tolerant Authentication Protocol) ensures authenticated broadcast using one-way key chains constructed with secure hash functions. No mechanism was put forward to detect DoS attacks.

A sensor network may be recursively and periodically reclustered with an algorithm such as LEACH, as in our proposal. The resulting hierarchically clustered network often presents a good ability for distributing the energy consumption among the sensor nodes. But security concerns (other than DoS) also apply to those networks. In [LO07], Oliveira et al. propose to add security mechanisms via a revised version of the LEACH protocol. SecLEACH uses random key pre-distribution as well as µTESLA (authenticated broadcast) so as to protect communications. But the authors do not mention any mechanism to fight DoS attacks.

Elements from game theory have been used in several studies to detect DoS attacks in WSNs. In [MM09], Mohi et al. propose another way to secure the LEACH protocol against selfish behaviors. With S-LEACH, the BS uses a global Intrusion Detection System (IDS) while LEACH CHs implement local IDSs. The interactions between nodes are modeled as a Bayesian game, that is, a game in which at least one player (here, the BS) has incomplete information about the other player(s) (in this case: whether the sensors have been compromised or not). Each node has a “reputation” score. Selfish nodes can cooperate (so as to avoid detection) or drop packets. The authors show that this game has two Bayesian Nash equilibriums which provide a way to detect selfish nodes, or to force them to cooperate to avoid detection.

The best way to detect for sure a DoS attack in a WSN is simply to run a detection mechanism on each single sensor. Of course, this solution is not feasible in a network with constraints. Instead of fitting out each sensor with such a mechanism, Islam et al. propose in [HI09] to resort to heuristics in order to set a few nodes equipped with detection systems at critical spots in the network topology. This optimized placement enables distributed detection of DoS attacks as well as reducing costs and processing overheads, since the number of required detectors is minimized. But those few selected nodes are likely to run out of battery power much faster than normal nodes.

Sensor authentication and DoS detection in clustered networks may be handled by a single architecture. In [MH07], Hsieh et al. present SecCBSN, an adaptive security design intended to Secure Cluster-Based Communication in Sensor Networks. Each node is equipped with a system that includes three modules. One is involved in the cluster head election, and responsible for remembering the decisions which were made. Another module provides ciphered communication and secure authentication protocols between sensors. It uses the TESLA certificate to enable deployed sensors to authenticate new incoming nodes. It allows the creation of secure channels as well as broadcast authentication between neighboring sensors. The last security module is responsible for the detection of compromised nodes. When a node is suspected to harm the network, alarm protocols are used to warn the base station. The use of trust value evaluation then enables the setting and the propagation of black and white lists of sensors.

Some works examine the possibility of detecting the compromising of nodes as soon as an opponent physically withdraws them from the network. In the method that Ho develops in [JH10], each node keeps watching on the presence of its neighbors. The Sequential Probability Ratio Test (SPRT) is used to determine a dynamic time threshold. When a node appears to be missing for a period longer than this threshold, it is considered to be dead or captured by an attacker. If this node is later redeployed in the network, it will immediately be considered as compromised without having a chance to be harmful. Nothing is done, however, if an attacker manages to compromise the node without extracting the sensor from its environment.

In [SM10], Misra et al. propose a revised version of the OLSR protocol. This routing protocol called DLSR aims at detecting distributed denial of service (DDoS) attacks and at dropping malicious requests before they can saturate a server’s capacity to answer. To that end, the authors introduce two alert thresholds regarding this server’s service capacity. They also introduce the use of Learning Automata (LAs), automatic systems whose choice of next action depends on the result of their previous action. There is no indication in their work about the overhead or the energy load resulting from the use of the DLSR protocol.

Son et al. propose in [JS10] a novel broadcast authentication mechanism to cope with DoS attacks in sensor networks. This scheme uses an asymmetric distribution of keys between sensor nodes and the BS, and uses the Bloom filter as an authenticator, which efficiently compresses multiple authentication information. In this model, the BS or sink shares symmetric keys with each sensor node, and proves its knowledge of the information through multiple MAC values in its flooding messages. When the sink floods the network with control messages it constructs a Bloom filter as an authenticator for the message. When a sensor node receives a flooded control message, it generates its Bloom filter with its keys in the same way as the sink and verifies message authentication.

Li and Batten expose in [LB09] their method to detect and to recover from Path-based DoS (PDoS) attacks in wireless sensor networks. They consider WSNs whose aim is to collect data and to store it into small databases. PDoS attacks may prevent legitimate communication, lead the sensors to battery exhaustion and corrupt the gathered data. So the authors introduce the use of Mobile Agents (MAs), which use hash function values, node IDs and traffic table to analyze the traffic and identify compromised sensors. Thus the MAs are able to detect PDoS attacks with ease and efficiency, and to reply to the attack by proceeding to a recovery process. There are three distinct recovery processes available, depending on the percentage of compromised nodes in the network. Note that the authors use the assumption that MAs cannot be compromised.

2. DETECTION OF DOS ATTACKS

2.1. Wireless Sensor Networks

We focus on the problem of detecting denial of service (DoS) attacks in a WSN. We recall that a WSN consists of a finite set of sensors plus a fixed base station (BS). Traffic in a WSN (mainly) flows from sensor nodes towards the BS. Furthermore since WSN nodes have inherently little energy, memory and computing capabilities, energy efficiency is paramount when it comes to mechanisms/protocols for WSN management. Also communications between sensors and the BS rely on wireless protocols. In the following we assume that the nodes’ mobility is limited or null.

Our goal is to set an efficient method to detect compromised nodes which may try to corrupt data, or to saturate the network’s capacity, by sending more data than they should. In this case, efficiency can be measured in two respects:

• the detection rate of the compromised node(s);
• the network’s lifetime, as we want to spend as little energy as possible.

In order to achieve these goals we focus on the following techniques: hierarchical network clustering, and dynamical election of control nodes responsible for monitoring the traffic.

2.2. Hierarchical clustering

The class of WSNs we consider is that of hierarchically cluster-based networks. The set of sensors has been partitioned into several subsets called “clusters”. Those clusters are themselves split into “sub-clusters”. For better clarity, we will call 1-clusters the sets resulting from the first clustering of the global set, and k-clusters the subsets issued from the splitting of any (k−1)-cluster. The successive clusterings are carried out with the use of any existing clustering algorithm, such as LEACH [HW00] [OX09], HEED [YF04], algorithms based on ultra-metric properties [YL11], etc. Each cluster contains a single cluster head (CH), designated among the normal nodes. The CH is responsible for collecting data from the other nodes of the subset. To follow up our naming conventions, we will call k-CHs the CHs belonging to the k-clusters. The k-CHs send the data they gathered to their (k−1)-CH, the “0-CH” being the base station. In that way, the k-CHs are the only nodes to send packets towards the (k−1)-CHs. Normal nodes’ transmissions do not have to reach the base station directly, which would often consume much more energy than communicating with a neighbor node.

LEACH functioning

LEACH is probably one of the easiest algorithms to apply to recluster the network. It is a dynamical clustering and routing algorithm. We use it for our simulations using NS2. It splits a set of nodes into several subsets, each containing a cluster head. This CH is the only node to assume the cost-expensive transmissions to the BS.

Here is the LEACH detailed processing. Let $P$ be the average percentage of clusters we want to get from our network at an instant $t$. LEACH is composed of cycles made of $\frac{1}{P}$ rounds. Each round $r$ is organized as follows:

1. Each node $i$ computes the threshold $T(i)$:

$$T(i) = \begin{cases} \dfrac{P}{1 - P \cdot \left(r \bmod \frac{1}{P}\right)} & \text{if } i \text{ has not been CH yet} \\ 0 & \text{if } i \text{ has already been CH} \end{cases}$$

Each node chooses a pseudo-random number $0 \le x_i \le 1$. If $x_i \le T(i)$ then $i$ designates itself as a CH for the current round. $T(i)$ is computed in such a way that every node becomes CH once in every cycle of $\frac{1}{P}$ rounds: we have $T(i) = 1$ when $r = \frac{1}{P} - 1$.

2. The self-designated CHs inform the other nodes by broadcasting a message with the same transmitting power, using carrier sense multiple access (CSMA) MAC.

3. The other nodes choose to join the cluster associated to the CH whose signal they receive with most power. They message back the CH to inform it (with the CSMA MAC protocol again).

4. CHs compile a “transmission order” (time division multiple access, TDMA) for the nodes which joined their clusters. They inform each node at what time it is expected to send data to its CH.

5. CHs keep listening for the results. Normal sensors get measures from their environment and send their data. When it is not their turn to send, they stay in sleep mode to save energy. Collisions between the transmissions of the nodes from different clusters are limited thanks to the use of the code division multiple access (CDMA) protocol.

6. CHs aggregate, and possibly compress, the gathered data and send it to the BS in a single transmission. This transmission may be direct, or multi-hopped if relayed by other CHs.

7. Steps 5) and 6) are repeated until the round ends.

It is possible to extend LEACH by adding the remaining energy of the nodes as a supplementary parameter for the computation of the $T(i)$ threshold [MH02].

Note that each node decides whether to self-designate itself as a CH or not. Its decision does not take into account the behavior of surrounding nodes. For this reason, we can possibly have, for a given round, a number of CHs very different from the selected percentage $P$. Also, all the elected CHs may be located in the same region of the network, leaving “uncovered” areas. In that case, one can only hope that the spatial repartition will be better during the next round.
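The threshold rule of step 1 and the remark above about the number of CHs per round, as an added Python simulation (not code from the paper or from its NS2 setup). The node counts, seeds and function names are assumptions of this example, and 1/P is assumed to be an integer.

```python
import random


def rounds_per_cycle(p):
    """Cycle length 1/P; this example assumes 1/P is an integer."""
    return round(1 / p)


def leach_threshold(p, r, already_ch):
    """Threshold T(i) of step 1 for round r (0-based).

    With R = 1/P, P / (1 - P * (r mod R)) simplifies to 1 / (R - (r mod R)).
    The integer form avoids floating-point drift, so T(i) is exactly 1 in
    the last round of a cycle.
    """
    if already_ch:
        return 0.0
    big_r = rounds_per_cycle(p)
    return 1.0 / (big_r - (r % big_r))


def run_cycle(n_nodes, p, seed):
    """Simulate one cycle of 1/P rounds; return the set of CHs of each round."""
    rng = random.Random(seed)
    already_ch = [False] * n_nodes
    per_round = []
    for r in range(rounds_per_cycle(p)):
        # Each node decides alone, without looking at its neighbours.
        # Strict '<' differs from 'x_i <= T(i)' only if x_i is exactly 0.0.
        chs = {i for i in range(n_nodes)
               if rng.random() < leach_threshold(p, r, already_ch[i])}
        for i in chs:
            already_ch[i] = True
        per_round.append(chs)
    return per_round


def simulate(n_nodes, p, cycles, seed):
    """Return the number of CHs elected in every round over several cycles."""
    counts = []
    for c in range(cycles):
        counts.extend(len(chs) for chs in run_cycle(n_nodes, p, seed + c))
    return counts


def summarize(counts, n_nodes, p):
    """Compare the observed CH counts with the target P * N per round."""
    return {
        "target": n_nodes / rounds_per_cycle(p),
        "min": min(counts),
        "max": max(counts),
        "mean": sum(counts) / len(counts),
        "rounds_without_ch": counts.count(0),
    }


if __name__ == "__main__":
    # Constructed scenario: 100 nodes, P = 0.1, 20 cycles.
    print(summarize(simulate(100, 0.1, 20, seed=3), 100, 0.1))
```

Over a full cycle every node serves as CH exactly once, so the mean matches the target, while the spread between "min" and "max" shows how far a single round can stray from it.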

k-LEACH

Once the LEACH algorithm has been applied to determine a first set of clusters, nothing prevents us from applying it again on each cluster. This is the way we got our k-clusters: we applied the LEACH algorithm k times recursively. We call those recursive iterations the k-LEACH algorithm. In practice, we had k equal to 2, for the following reasons:

• so as to save more energy than what we would do with 1-LEACH;
• so as to have a finer clustering of the network, in order to elect control nodes in each of the 2-clusters, to maximize the cover area and the probability of detecting compromised nodes.

Other algorithms

Other possible clustering algorithms include HEED [YF04], which is designed to save more energy than standard LEACH, and could lead to a better spatial repartition of the CHs inside the network. But in our network, all the sensors have the same initial available energy, and every one of them is able to directly reach the BS if need be. Under those assumptions, LEACH may not consume more energy than the HEED protocol, and remains easier to use.

2.3. Attacks detection through cNodes

Along with normal nodes and cluster heads, a third type of node is present in the lower k-clusters of the hierarchy.

Figure 1. Cluster-based sensor network with cNodes

The cNodes — for control nodes — were introduced in [LC08] to analyze the network traffic and to detect any abnormal behavior from other nodes in the cluster. We refer the reader to [LC08] for a detailed description of the cNodes based detection mechanism. In brief, cNodes analyze the input traffic for the 2-CH of their 2-cluster, and watch out for abnormal traffic flows. Detection takes place whenever a cNode observes that at least one amongst the sensor nodes under its controlled perimeter sends data at a rate that is not within “regular behavior” thresholds. In that case the cNode sends a warning message to the CH. Once the CH has received warnings from a sufficiently large number of distinct cNodes (note that in order to prevent a compromised cNode from declaring legitimate nodes as compromised, the detection protocol requires that the CH receives warnings from a minimum number of distinct cNodes before actually recognising the signalling as an actual anomaly), it starts ignoring the packets coming from the detected compromised sensor. cNodes may also monitor output traffic of the CHs and warn the BS if they come to detect a compromised CH.

cNodes are periodically elected among normal sensors. The guarding functionality of cNodes may lead to an energy consumption higher than that of “normal” (i.e. sensing) nodes. In order to maximize the repartition of the energy load, we propose a scheme by which a new set of cNodes is periodically established with an election period shorter than the length of a LEACH round (that is, the period between two consecutive CH elections). We propose three possible methods for the election process: self-election as for the CHs, election processed by the CHs and election processed by the BS.

Distributed self-election

A first possibility to elect the cNodes is to reuse the distributed self-designation algorithm defined for the election of the CHs. With this method, each non-CH node chooses a pseudo-random number comprised between 0 and 1. If this number is lower than the average percentage of cNodes in the network that was fixed by the user, then the node designates itself as a cNode. Otherwise, it remains a normal sensor.

This method has two drawbacks. Firstly, each node has to compute a pseudo-random number, which may not be necessary with other methods. Secondly, each node chooses to designate (or not) itself, without taking into account at any moment the behavior of its neighbors. As a result, the election proceeds with no consideration for the clustering that has been realized in the network. Indeed it is unlikely that the set of elected cNodes will be uniformly distributed among the 2-clusters that were formed, and it is even possible to end up with some 2-clusters containing no cNodes (thus being completely unprotected against attacks).

A possible workaround for this second drawback could be a two-step election: in a first round nodes self-designate (or not) themselves. Then they signal their state to the 2-CHs they are associated to. In the second round, the 2-CHs may decide to designate some additional cNodes if the current number of elected nodes in the cluster is below a minimal percentage.

CH-centralized election

A second possibility is to get the cNodes elected by the 2-CHs. In this way, each 2-CH elects the required number of cNodes (i.e. corresponding to user specifications). For example, if the 2-cluster contains 100 nodes and the desired percentage of cNodes in the network is 10 %, the 2-CH will compute 10 pseudo-random numbers and associate them with node IDs corresponding with sensors of its 2-cluster. This solution is computationally less demanding as only the 2-CHs have to run a pseudo-random number generation algorithm. However it has yet another drawback: if a CH gets compromised, it won’t be able to elect any cNode in its cluster, thus leaving the cluster open to attacks. As, with the LEACH protocol, every sensor node becomes, sooner or later, a CH, the problem may occur for any compromised node, hence propagating, potentially, throughout the network. Note that nothing prevents a compromised sensor from declaring itself as a CH node to the others at any round of the LEACH algorithm.

This method is the one that we have implemented in our NS2 simulation, whose outcomes will be discussed in Section 4.
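The coverage gap of distributed self-election, its two-step workaround and the CH-centralized election (including the compromised-CH case), compared in an added Python sketch that is not the NS2 implementation of the paper. The cluster layout, the rounding-up of the cNode quota, the seeds and all function names are assumptions of this example.

```python
import math
import random


def make_clusters(n_clusters, size):
    """Constructed topology: 2-cluster id -> list of its non-CH node ids."""
    return {c: [c * size + j for j in range(size)] for c in range(n_clusters)}


def quota(size, ratio):
    """cNodes a 2-CH has to designate; rounding up is an assumption."""
    return math.ceil(round(ratio * size, 9))


def self_election(clusters, ratio, rng):
    """Each node draws a number and becomes a cNode if it is lower than ratio."""
    return {c: {n for n in nodes if rng.random() < ratio}
            for c, nodes in clusters.items()}


def two_step_election(clusters, ratio, min_ratio, rng):
    """Self-election, then every 2-CH tops its cluster up to the minimum."""
    elected = self_election(clusters, ratio, rng)
    for c, nodes in clusters.items():
        missing = quota(len(nodes), min_ratio) - len(elected[c])
        if missing > 0:
            spare = [n for n in nodes if n not in elected[c]]
            elected[c].update(rng.sample(spare, missing))
    return elected


def ch_centralized_election(clusters, ratio, rng, compromised_chs=frozenset()):
    """Every 2-CH draws its quota of node ids; a compromised CH elects nobody."""
    elected = {}
    for c, nodes in clusters.items():
        if c in compromised_chs:
            elected[c] = set()
        else:
            elected[c] = set(rng.sample(nodes, quota(len(nodes), ratio)))
    return elected


def unprotected(elected):
    """Ids of the 2-clusters that ended up with no cNode at all."""
    return sorted(c for c, cnodes in elected.items() if not cnodes)


def compare(n_clusters, size, ratio, seed):
    """Count unprotected 2-clusters for each election method."""
    rng = random.Random(seed)
    clusters = make_clusters(n_clusters, size)
    return {
        # Probability that no node of a 2-cluster self-elects.
        "p_empty": (1 - ratio) ** size,
        "self_election": len(unprotected(self_election(clusters, ratio, rng))),
        "two_step": len(unprotected(
            two_step_election(clusters, ratio, ratio, rng))),
        "ch_centralized": len(unprotected(
            ch_centralized_election(clusters, ratio, rng))),
    }


def clusters_left_open(n_clusters, size, ratio, compromised_chs, seed):
    """2-clusters without cNodes when some CHs are compromised."""
    rng = random.Random(seed)
    clusters = make_clusters(n_clusters, size)
    return unprotected(
        ch_centralized_election(clusters, ratio, rng, compromised_chs))


if __name__ == "__main__":
    print(compare(2000, 5, 0.1, seed=7))
    print(clusters_left_open(20, 10, 0.1, {3, 11}, seed=1))
```

With small 2-clusters the self-election leaves a large share of them without any cNode, while the two CH-driven variants only leave gaps where the CH itself is compromised.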

BS-centralized election

A third method consists in a centralized approach where the BS performs cNodes election. With this method CHs send the list of nodes that compose their clusters to the base station and the BS returns the list of elected cNodes. Observe that, opposite to sensor nodes, the BS has no limitation in memory, computing capacity nor energy. Thus the clear advantage of BS-centralized election is that all costly operations (i.e. pseudo-random numbers calculation) can be re-iterated in a (virtually) unconstrained environment (i.e. the BS). This technique is explained in detail in [GM12].

From a robustness point of view this method is not completely safe either. In fact if a compromised node was to declare itself as a CH, its escape method to avoid detection would consist in declaring its cluster as empty (i.e. by sending an empty list instead of the actual sensors in its cluster to the BS). In this case, the BS would not elect any cNode in its cluster, hence the compromised CH would not be detected. To avoid such a situation the BS should react differently in case it receives an indication of empty cluster from some nodes. Specifically, in this case, the BS would have to consider that nodes not detected as or by CHs might not simply be dead, and thus still consider them as eligible cNodes. The main drawback of this method is that the distributed nature of election (together with its advantages) is completely lost.

3. MODELLING USING MARKOV CHAINS

Continuous Time Markov Chains (CTMC) are a class of discrete-state stochastic processes suitable to model discrete-event systems that enjoy the so-called memoryless property (Markov property): i.e. systems such that the future evolution depends exclusively on the current state (and not on the history that led into it). It is well known that in order to fulfill the Markov property the delay of events must be Exponentially distributed.

In this section we describe how to structure Continuous Time Markov Chain (CTMC) models of a WSN subject to DoS attacks and equipped with DoS detection functionalities. To illustrate the CTMC modeling approach we focus on a specific (sub)class of WSN corresponding to the following points:

• the network consists of a single cluster containing one CH, N sensing nodes and K cNodes

• (exactly) one amongst the N sensing nodes is a compromised node

• sensing node i (1 ≤ i ≤ N) generates traffic according to a Poisson process with rate $\lambda_i$

• the compromised node c generates traffic according to a Poisson process with rate $\lambda_c \gg \lambda_1$

• each cNode periodically performs a detection check with period distributed Exponentially with rate $\mu$. On detection of abnormal traffic a cNode reports the anomaly to the CH

• the network topology corresponds to a connected graph: each node can reach any other node in the cluster

The dynamics of WSN systems agreeing with the above characterization can straightforwardly be modelled in terms of a $K \cdot (N+1)$-dimensional CTMC. States of such a CTMC consist of $K$-tuples $x = (x_1, x_2, \ldots, x_K)$ of macro-states $x_k = (x_{k_1}, x_{k_2}, \ldots, x_{k_N}, x_{k_d})$ encoding the number of packets overheard by cNode $k$. More precisely, component $x_{k_j}$ ($1 \le j \le N$) of macro-state $x_k$ is a counter storing the total number of packets sent by node $j$ and overheard by cNode $k$, whereas component $x_{k_d}$ is a boolean-valued variable which is set to 1 on detection, by cNode $k$, of abnormal traffic. We also consider a threshold function $f : \mathbb{N}^N \to \{0,1\}$ which is used (by cNodes) to decide whether the traffic rate has exceeded the “normal” threshold. The arguments of $f$ are $N$-tuples $(n_1, \ldots, n_N)$, where $n_i \in \mathbb{N}$ is the number of overheard packets originating from node $i$.

We illustrate the transition equations for such a CTMC. For simplicity we illustrate only equations regarding transitions for a generic macro-state $x_k$: the equations for transitions of a generic (global) state $x = (x_1, x_2, \ldots, x_K)$ can be straightforwardly obtained by combination of those for the macro-states. In the following $x_{k_c}$ denotes the counter of received packets from the compromised node.

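$$
x_k \rightarrow
\begin{cases}
(x_{k_1}, \ldots, x_{k_i}+1, \ldots, x_{k_c}, \ldots, x_{k_N}, 0) & \text{with rate } \lambda_i \neq \lambda_c \quad \text{(Normal transmission)} \\
(x_{k_1}, \ldots, x_{k_i}, \ldots, x_{k_c}+1, \ldots, x_{k_N}, 0) & \text{with rate } \lambda_c \quad \text{(Transmission by compromised node)} \\
(0, \ldots, 0, \ldots, 0, \ldots, 0, 1) & \text{with rate } \mu \times \mathbf{1}_{f(x_k) \ge \text{threshold}} \quad \text{(Check and Detection of abnormal traffic)} \\
(0, \ldots, 0, \ldots, 0, \ldots, 0, 0) & \text{with rate } \mu \times \mathbf{1}_{f(x_k) < \text{threshold}} \quad \text{(Check and No-Detection of abnormal traffic)}
\end{cases}
$$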


We assume that in the initial state all counters $x_{k_i}$ as well as the boolean flag $x_{k_d}$ are set to zero. The above equations can be described as follows. When cNode $k$ is in state $x_k$ a “Normal transmission” from node $i$ ($1 \le i \le N$, $i \neq c$) takes place at rate $\lambda_i$ leading to a state such that the corresponding counter $x_{k_i}$ is incremented by one, leaving all remaining counters unchanged. Similarly a “Transmission by the compromised node” $c$ happens with rate $\lambda_c$ leading to a state such that the corresponding counter $x_{k_c}$ is incremented by one. Finally checking for abnormal traffic conditions happens at rate $\mu$ and whenever the controlling function $f$ detects that in (macro) state $x_k$ the number of overheard packets from any node is above the considered threshold ($f(x_k) \ge \text{threshold}$), the detection flag $x_{k_d}$ is raised (i.e. an alarm is sent to the CH), and counters $x_{k_j}$ are all reset (so that at the next check they are updated with “fresh” traffic data). On the other hand if traffic has not been abnormal over the last $\mathrm{Exp}(\mu)$ duration ($f(x_k) < \text{threshold}$) counters $x_{k_j}$ are reset while the detection flag is left equal to zero.

The detection probability for cNode $k$ ($DP_k$) can be computed in terms of the steady-state distribution of the above described CTMC in the following manner:

$$
DP_k = \sum_{x_{k_1}, \ldots, x_{k_N}}^{\infty} \pi(x_{k_1}, \ldots, x_{k_N}, x_{k_d} = 1)
$$

where $\pi(x_{k_1}, x_{k_2}, \ldots, x_{k_N}, x_{k_d})$ denotes the steady-state probability at (macro)state $x_k = (x_{k_1}, x_{k_2}, \ldots, x_{k_N}, x_{k_d})$ of the CTMC.

Discussion. The above described CTMC modeling approach relies on the assumption that the period with which detection checking is performed is an Exponentially distributed random variable. Indeed such an assumption may introduce a rather significant approximation as in reality detection checking happens at intervals of fixed length, or even “continuously”. Therefore stochastic modeling of DoS attack detection requires leaving the Markovian sphere and considering non-Markovian stochastic processes (more specifically, periodic detection checking can more accurately be modeled by means of Deterministic distributions). We discuss non-Markovian modeling of DoS detection mechanisms in Section 5.
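The size of the approximation raised in the Discussion can be measured for a single cNode. The following added example (not the authors' code) simulates the macro-state transitions given above and compares an Exp(µ) check period with a fixed period of the same mean 1/µ. It assumes that f compares the largest per-node counter with the threshold; the function names and the numeric values are constructed for illustration.

```python
import math
import random


def p_detect_exponential(lam, mu, threshold):
    """P(one Poisson(lam) source sends >= threshold packets between two checks)
    when the check period is Exp(mu), as in the CTMC. The packet count over an
    Exp(mu) interval is geometric, which gives this closed form."""
    return (lam / (lam + mu)) ** threshold


def p_detect_deterministic(lam, period, threshold):
    """Same probability when the check period is the constant `period`:
    the packet count is Poisson(lam * period)."""
    mean = lam * period
    below = sum(math.exp(-mean) * mean ** n / math.factorial(n)
                for n in range(threshold))
    return 1.0 - below


def simulate_cnode(rates, mu, threshold, deterministic=False,
                   n_checks=20000, seed=1):
    """Event-driven simulation of one macro-state (x_k1..x_kN, x_kd).

    rates: Poisson rate of every overheard node (compromised node included).
    Assumption: f(x_k) is the largest counter, compared with `threshold`.
    Returns (fraction of checks that raise x_kd,
             fraction of time spent with x_kd = 1, i.e. an estimate of DP_k).
    """
    rng = random.Random(seed)
    total_rate = sum(rates)
    period = 1.0 / mu

    def draw_period():
        return period if deterministic else rng.expovariate(mu)

    counters = [0] * len(rates)
    flag, now, flagged_time = 0, 0.0, 0.0
    checks = detections = 0
    next_check = draw_period()
    while checks < n_checks:
        # Transmissions are memoryless, so redrawing after each event is exact.
        next_tx = now + rng.expovariate(total_rate)
        t = min(next_tx, next_check)
        flagged_time += flag * (t - now)
        now = t
        if next_tx < next_check:
            # A transmission increments one counter and leads to a state
            # whose detection component is 0 (first two transition rules).
            j = rng.choices(range(len(rates)), weights=rates)[0]
            counters[j] += 1
            flag = 0
        else:
            # Check: raise the flag if f(x_k) >= threshold, reset counters.
            checks += 1
            flag = 1 if max(counters) >= threshold else 0
            detections += flag
            counters = [0] * len(rates)
            next_check = now + draw_period()
    return detections / checks, flagged_time / now


if __name__ == "__main__":
    lam_c, lam_normal, mu, threshold = 5.0, 1.0, 1.0, 4   # constructed values
    print("closed form, Exp(mu) period :", p_detect_exponential(lam_c, mu, threshold))
    print("closed form, fixed period   :", p_detect_deterministic(lam_c, 1 / mu, threshold))
    print("false alarm, Exp(mu) period :", p_detect_exponential(lam_normal, mu, threshold))
    print("false alarm, fixed period   :", p_detect_deterministic(lam_normal, 1 / mu, threshold))
    rates = [lam_c] + [lam_normal] * 3                      # one cNode, four neighbours
    print("simulated CTMC  (per-check, DP_k):", simulate_cnode(rates, mu, threshold))
    print("simulated fixed (per-check, time):", simulate_cnode(rates, mu, threshold, True))
```

With these constructed values the exponential-period model gives a per-check detection probability of about 0.48 for the flooding node against about 0.73 for a fixed period, and a false-alarm probability of 0.0625 for a normal node against about 0.019.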

4. NUMERICAL RESULTS

A possible alternative to stochastic modeling is to develop executable implementations of the WSNs of interest by means of existing simulative frameworks, such as, for example, the NS-2 Network Simulator [NS2]. In this section, we present a selection of numerical results obtained by simulation of NS-2 models of WSN systems equipped with DoS detection mechanisms. The experiments we present refer to one cluster consisting of a (10×10) regular grid topology with the following characteristics (see Figure 2):

• the grid is a square of size a;

• the cluster head is placed at the centre of the grid (i.e. the red node in Figure 2);

• the grid contains 100 (sensing) nodes displaced regularly;

• each node can communicate directly with the cluster head (i.e. the transmission power is such that all nodes, for example the nodes in green in Figure 2, can reach a circle of radius a√2/2. In this way all nodes, including those at the corners, can reach the CH). No power adjustment is done by the nodes for transmission.

In such a network cNodes (represented in green in Figure 2) are elected periodically either using the static approach or using the dynamic election mechanism described in previous sections. We have designed our experiments focusing on two performance measures: the rate of detection of attacks and the overall energy consumption. Table I reports the (range of) parameters considered in our simulation experiments.


Figure 2. A 10x10 regular-grid cluster of size a

4.1. Detection rate

In order to evaluate the considered performance measure, that is the attack detection rate, we have considered the parameters given in table I. We have assumed that the traffic generation follows a Poisson distribution with rate λ which varies as the average transmission of an attacking node exceeds the average transmission of a normal node. In the experiments we have considered a cluster with 100 nodes.

Figure 3 represents the detection rate for different numbers of cNode groups and for groups of different sizes. The same node is considered compromised in all the graphs. Notice that for 10 cNodes, the group 2 did not detect any attack. With 15 cNodes, on average 3 nodes detect an attack in each group. We also note that when we increase the number of cNodes (20 and 25), the behavior remains similar, which suggests that we do not need to use more than 15 nodes in each group.

Simulation time             100–3,600 s
Rate                        10–800 kbits/s
Packet size                 500–800 bytes
Nodes number                100 (+ cluster head)
cNodes number               0–30
Compromised nodes number    1–10
Nodes queue size            50

Table I. Simulation parameters

[Figure 3 plot: x-axis “Group #”, y-axis “Detection percentage”; series: 10 cNodes, 15 cNodes, 20 cNodes, 25 cNodes.]

Figure 3. Detection versus Group.

Above λ = 4 packets/s, the dynamic method detects more attacks than the static one. To enhance this difference, we give other results in figure 4 below for an average of 10 compromised nodes.

[Figure 4 plot: x-axis “Lambda (average transmission rate of compromised node)”, y-axis “Detection percentage in the network”; series: static method, dynamic method.]

Figure 4. Detection versus Lambda.

In Figure 4, we notice that as the average transmission of attacking nodes increases, our dynamic solution detects more attacks than the static solution.

Number of sensor nodes    100
Simulation time           500 seconds
Reception consumption     0.394 W
Emission consumption      0.660 W

Table II. Simulation parameters

4.2. Consumed energy

All the simulations which were run to produce the results presented in this section used the parameters given in table II.

The Figure 5 shows the average energy consumption for all nodes (except for the cluster head and the flooding compromised node, which consume much more than usual nodes, and act in the same way for both methods) at the end of the simulation, for various percentages of elected cNodes. The number of cNodes goes from 0 (no detection) to 30 % (nearly one third of the nodes).

Note that the “normal nodes” (non-cNodes sensors) do not receive messages from their neighbors, as they are “sleeping” between their sending time slots (see LEACH detailed functioning).

[Figure 5 plot: x-axis “Number of cNodes”, y-axis “Mean consumed energy at t = 500 s (J)”; series: static method, dynamic method.]

Figure 5. Average energy consumption.

The average consumption is the same for the static and dynamic methods: both methods use the same quantity of normal and cNode sensors.

The Figure 6 depicts the standard deviation for the energy consumption at the end of the simulation. Once again, the cluster head and the compromised node are not taken into account.

One can observe that the standard deviation is much higher for the static solution: only the initial (and not re-elected) cNodes have a significant consumption over the simulation time, while the consumption is distributed among all the periodically-elected nodes in the dynamic solution.

[Figure 6 plot: x-axis “Number of cNodes”, y-axis “Std deviation of consumed energy at t = 500 s (J)”; series: static method, dynamic method.]

Figure 6. Energy consumption standard deviation.

For the Figure 7, we have supposed that the nodes have an initial energy of 4 J. This is a small value, but 500 seconds is a small duration for a sensor lifetime. According to Wikipedia values and to what we have computed, a lithium battery (CR1225) can offer something like 540 J, and a LR06 battery would provide something like 15,390 J. Note that the compromised node was given an extra initial energy (we did not want it to stop flooding the network during the simulation). However, we set the initial energy to 4 J, and we note the first node’s death for several percentages of cNodes.

[Figure 7 plot: x-axis “Number of cNodes”, y-axis “First node death in the network (s)”; series: dynamic method, static method.]

Figure 7. First death in the network.

As the cNodes are re-elected and the consumption is distributed for the dynamic method, the first node to run out of battery power logically dies later (up to 5 times later with few cNodes) than in the static method.

4.3. Nodes’ death and DoS detection

The duration of this new simulation was extended to one hour (3,600 seconds). 10 % of the sensors are elected as cNodes. The initial energy power was set to 10 J. So the considered parameters are given in table IV.

The Figure 8 shows the evolution of the number of alive nodes in time.

Number of sensor nodes    100
cNodes percentage         10 %
Simulation time           3,600 seconds
Reception consumption     0.394 W
Emission consumption      0.660 W
Initial energy amount     10 J

Table III. Simulation parameters

Table IV.

[Figure 8 plot: x-axis “Time (seconds)”, y-axis “Number of nodes still alive”; series: static method, dynamic method.]

Figure 8. Nodes remained alive

As for the previous section, the non-cNodes sensors barely consume any energy compared to cNodes’ consumption (cNodes consume each time they analyze a message coming from one of their neighbors; other sensors don’t). In the static method, elected cNodes consume their battery power, and die (at about t = 150 seconds). That is why the ten first sensors die quickly, whereas the other nodes last much longer (we expect them to live for 5 hours). For the static method, the cNodes are re-elected, so the first node to die lives longer than for the previous method. It is a node that was elected several times, but not necessarily each time. Only two nodes have run out of energy at t = 700 seconds for the dynamic method. But at this point, the number of alive nodes decreases quickly, and there is only one node left at the end of the first hour of simulation. Note that this was not reported on the above curve.

It is obvious that the nodes die much faster in the dynamic method, given that cNodes, the only nodes whose consumption is significant, are re-elected, whereas there are no more consuming cNodes in the network for the static method after the ten first nodes are dead. Hence it is interesting to consider how many nodes do effectively detect the attack as the time passes by. This is what is shown in Figure 9. The average number of cNodes which detected the attack (out of 10 cNodes) is presented for each 60 second-long period.

After the fourth minute, every cNode is dead for the static method, and the compromised node is no longer detected. With the dynamic method, a raw average of 6.5 out of 10 cNodes detect the compromised nodes during each 10 second-long period corresponding to the dynamic election. The flooding sensor is still detected by more than one node after half an hour.

[Figure 9 plot: x-axis “Time (seconds)”, y-axis “Average number of cNodes detecting the attack”; series: static method, dynamic method.]

Figure 9. DoS detection.

In the following, we present a modeling approach of DoS detection using Generalized Stochastic Petri Nets (GSPN) and we give some numerical results.

5. NON-MARKOVIAN MODELING AND VERIFICATION OF DOS

In previous sections we have pointed out that using Markov chains to model DoS detection mechanisms may inherently imply a significant approximation. To obtain more accurate models of DoS detection it is necessary to resort to a more general class of stochastic processes, namely the so-called Discrete Event Stochastic Processes (DESP, also often referred to as Generalized Semi-Markov Processes or GSMP). The main characteristic of DESP is that they allow for representing generally distributed durations, rather than, as with CTMC, being limited to Exponentially distributed events.

In this section we present a modeling approach of DoS detection in terms of Generalized Stochastic Petri Nets (GSPN) [AMBCDF95], a class of Petri Nets suitable for modeling stochastic processes. By definition the GSPN formalism is a high-level language for representing CTMCs. However herein we refer to its straightforward extension where timed-transitions can model generally distributed durations. Such extended GSPN (eGSPN in the following) becomes a high-level language for representing DESPs. Furthermore eGSPN is also the formal modeling language supported by the COSMOS [BDDHP11] statistical model checker, a tool which allows for verification of (sophisticated) performance measures in terms of the Hybrid Automata Stochastic Logic (HASL) [BDDHP11].

In the following we provide a succinct description of both the GSPN modeling formalism and the HASL verification approach, before describing their application to the DoS attack detection case.

5.1. Generalized Stochastic Petri Nets

A GSPN model is a bi-partite graph consisting of two classes of nodes, places and transitions (Figure 10). Places (represented by circles) may contain tokens (representing the state of the modeled system) while transitions (represented by bars) indicate the events the occurrence of which determines how tokens “flow” within the net (thus encoding the model dynamics). The state of a GSPN consists of a marking indicating the distribution of tokens throughout the places (i.e. how many tokens each place contains). Roughly speaking a transition is enabled whenever all of its input places contain a number of tokens greater than or equal to the multiplicity of the corresponding input arc (e.g. transition T1 in the left-hand part of Figure 10 is enabled, while T2 is not). An enabled transition may fire consuming tokens (in a number indicated by the multiplicity of the corresponding input arcs) from all of its input places and producing tokens (in a number indicated by the multiplicity of the corresponding output arcs) in all of its output places. Such an informally described rule is known as the Petri Net firing rule. GSPN transitions can be either timed (denoted by empty bars) or immediate (denoted by filled-in bars, e.g. transition T2 in the left-hand side of Figure 10). Generally speaking transitions are characterized by: (1) a distribution which randomly determines the delay before firing it; (2) a priority which deterministically selects, among the transitions scheduled the soonest, the one to be fired; (3) a weight, that is used in the random choice between transitions scheduled the soonest with the same highest priority. With the GSPN formalism the delay of timed transitions is assumed exponentially distributed, whereas with eGSPN it can be given by any distribution with non-negative support. Thus whereas a GSPN timed-transition is characterized simply by its weight t ≡ w (w ∈ R+ indicating an Exp(w) distributed delay), an eGSPN timed-transition is characterized by a triple: t ≡ (Dist-t, Dist-p, w), where Dist-t indicates the type of distribution (e.g. Unif, Deterministic, LogNormal, etc.), Dist-p indicates the parameters of the distribution (e.g. [α, β]) and w ∈ R+ is used to probabilistically choose between transitions occurring with equal delay∗.

[Figure 10 diagram: two small nets with places P1, P2, P3 and transitions T1, T2; labels Exp(λ) and Det(t); one arc of multiplicity 3.]

Figure 10. Simple examples of eGSPN: timed-transitions, immediate transition and inhibitor arcs

∗ a possible condition in case of non-continuous delay distribution

In the following we describe how eGSPN models can be derived for modeling WSN scenarios with DoS mechanisms. More specifically in our eGSPN models we will use only two types of timed transitions, namely: Exponentially distributed timed transitions (denoted by empty bars, e.g. T1 in the left-hand side of Figure 10) and Deterministically distributed timed-transitions (denoted by blue-filled-in bars, e.g. T1 in the right-hand side of Figure 10). In our Petri Net models we will also extensively exploit inhibitor arcs, an additional element of the GSPN formalism. An inhibitor arc is denoted by an edge with an empty circle in place of an arrow at its outgoing end (e.g. the arc connecting place P1 to transition T2 in the right-hand side of Figure 10). In the presence of inhibitor arcs the semantics of the GSPN firing rule is slightly modified, thus: a transition is enabled whenever all of its input places contain a number of tokens greater than or equal to the multiplicity of the corresponding input arc and strictly smaller than the multiplicity of the corresponding inhibitor arcs (e.g. transition T2 in the right-hand part of Figure 10 is also enabled, because P1 contains less than 3 tokens). Having summarized the basics of the syntax and semantics of the eGSPN formalism we now describe how it can be applied to formally represent WSN systems featuring DoS mechanisms.

5.2. Modeling DoS attacks with eGSPN

We describe the eGSPN models we have developed for modeling DoS attacks in a grid-like network. For simplicity we illustrate an example referred to a 9x9 grid topology. The proposed modeling approach can easily be extended to larger networks.

In a WSN with DoS detection mechanisms the functionality of sensing nodes is different from that of cNodes. Here we describe GSPN models for representing: i) sensing nodes, ii) statically elected cNodes and iii) dynamically eligible cNodes.

5.2.1. GSPN model of sensing nodes

Sensing nodes functionality is trivially simple: they simply keep sending sensed data packets at a pace which (following Section 3) we assume to be Exponentially distributed with rate $\lambda_i$. This can be modeled by a simple GSPN that consists of a single exponentially distributed timed-transition (labeled TX) with no input places (i.e. always enabled) and with as many outgoing arcs leading to the input buffers of the neighboring nodes (represented by dashed places labelled InBuff_ij in Figure 12). Note that transition TX in Figure 12 has no input places, which means (according to the Petri Net firing rule) that it is always (i.e. perpetually) enabled. Note also that TX is an exponentially distributed timed transition with rate $\lambda_i$, which complies with the assumption that each sensor node performs a sensing operation every $\delta_s$ time with $\delta_s \sim \mathrm{Exp}(\lambda_i)$. To summarize: the sensing functionality of a specific node in a WSN is modeled by a single timed-transition provided with as many outgoing arcs as the number of neighbors of that node. The complete sensing functionality of a WSN can be modeled by combining several such GSPN modules.

[Figure 12 diagram: sensing node with timed transition TX (rate λi) and output places InBuff_i1 … InBuff_ij.]

Figure 12. GSPN model of a sensing node

5.2.2. GSPN model of cNodes

A cNode functionality, on the other hand, is entirely devoted to monitoring the traffic of the portion of WSN it is guarding. From a modeling point of view a distinction must be made between the case of statically elected cNodes (as in [LC08]) and that of dynamically eligible cNodes (as in [GM12]). In fact with dynamic cNodes election each node in the network can be elected as cNode, therefore each node can switch between a sensing-only functionality and a controlling functionality. On the other hand static cNodes will be control-only nodes.

GSPN models for both static and dynamic cNodes are depicted in Figure 11(a) and Figure 11(b), respectively. A cNode detects an attack whenever the overheard traffic throughput (i.e. number of overheard packets per observation period) exceeds a given threshold $\rho_{attack}$. Place “InBuff” (Figure 11(a)) represents the input buffer of a node, where packets received/overheard from neighbor nodes are placed. The “InBuff” place receives tokens (corresponding to overheard packets) through input arcs originating from neighbor sensing-node modules (i.e. the input arcs of place “InBuff” are the output arcs of the timed-transition representing the corresponding sensing activity of each neighbor node).

To model the traffic monitoring functionality of cNodes we employ two mutually exclusive, deterministically distributed timed-transitions labelled “checkYES” and “checkNO” in Figure 11(a) and Figure 11(b). They correspond to the periodic verification performed by the cNode to check whether the frequency of incoming traffic has been abnormal (over the last period). At the end of each (fixed) interval [0, ∆] either: transition “checkYES” is enabled, if at least k packets have been received (i.e. place “InBuff” contains at least k tokens); or transition “checkNO” is enabled, if less than k packets have been received (i.e. place “InBuff” contains less than k tokens); in the first case (i.e. “checkYES” enabled) a token is added in the output place “det” representing the occurrence of a DoS detection, otherwise (i.e. “checkNO” enabled) no token is added to place “det”. After firing of either the “checkYES” or the “checkNO” transition the emptying of the input buffer starts by adding a token in place “empty”. This enables either immediate transition “e-on” (which iteratively fires until the input buffer is empty), or “e-end” which represents the end of the emptying cycle. Note that buffer emptying does not consume time, and it is needed in order to correctly measure the frequency of traffic at each successive sampling interval [0, ∆].

[Figure 11 diagrams: (a) static cNode with places det, In_buff and an “emptying buff” subnet, transitions check_YES, check_NO, e-on, e-end, arcs of multiplicity K; (b) generic node with the same elements plus place cNode and transition TX.]

(a) GSPN model for a statically elected cNode

(b) GSPN model for a dynamically eligible cNode

Figure 11. GSPN components representing cNodes behaviour in a WSN with DoS detection mechanisms

[Figure 13 diagram: nodes NODE 1 to NODE 9 with transitions TX2, TX5 to TX9 (rates λc, λ2, λ5 to λ9), buffers bf2 to bf9, cNode modules with chkYES3, chkNO3, chkYES4, chkNO4, det3, det4 and “emptying buff” boxes, arcs of multiplicity K. Legend: bf_i, input buffer of node i; det_i, num. of detections by gNode i; Deterministic Delay Td (T_detection); Exponential Delay.]

Figure 13. GSPN model of a 9x9 grid-topology with 1 (fixed) compromised node and 2 static cNodes

The GSPN model for the dynamic cNodes (Figure 11(b)) is a simple extension of that for static cNodes obtained by adding an auxiliary place “cNode” and an auxiliary exponentially distributed timed-transition “TX”. This is needed because with dynamically elected cNodes, each node in the network may periodically switch from sensing-only to controlling-only functionality, hence the corresponding GSPN model must represent both aspects. If the auxiliary place “cNode” contains a token then the “controlling” functionality (i.e. the left part of the GSPN) is switched on, and in that case the GSPN of Figure 11(b) behaves exactly as that of Figure 11(a). Conversely if place “cNode” is empty then the “sensing” functionality is switched on (i.e. transition “TX” is enabled due to the inhibitor arc between place “cNode” and transition “TX”) while the “controlling” part of the net is disabled (i.e. in this case the net of Figure 11(b) behaves exactly as that of Figure 12).
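The firing rule with inhibitor arcs, applied to the dynamic cNode module of Figure 11(b), as an added example (not the authors' model file). The arc structure is reconstructed from the description above and is an assumption, as are the test arcs on place cNode and the hypothetical neighbour place nbr_InBuff.

```python
from dataclasses import dataclass, field


@dataclass
class Transition:
    name: str
    kind: str                                        # "exp", "det" or "imm"
    inputs: dict = field(default_factory=dict)       # place -> input arc multiplicity
    inhibitors: dict = field(default_factory=dict)   # place -> inhibitor arc multiplicity
    outputs: dict = field(default_factory=dict)      # place -> output arc multiplicity


def enabled(marking, t):
    """Firing rule with inhibitor arcs: every input place holds at least the
    arc multiplicity, every inhibitor place holds strictly fewer tokens."""
    has_inputs = all(marking.get(p, 0) >= m for p, m in t.inputs.items())
    not_inhibited = all(marking.get(p, 0) < m for p, m in t.inhibitors.items())
    return has_inputs and not_inhibited


def fire(marking, t):
    """Return the marking reached by firing t (the input marking is not modified)."""
    if not enabled(marking, t):
        raise ValueError(f"{t.name} is not enabled")
    new = dict(marking)
    for p, m in t.inputs.items():
        new[p] = new.get(p, 0) - m
    for p, m in t.outputs.items():
        new[p] = new.get(p, 0) + m
    return new


def dynamic_cnode_net(k):
    """Module of Figure 11(b) with detection threshold k (assumed arc layout)."""
    return [
        # Sensing is on only while place cNode is empty (inhibitor arc).
        Transition("TX", "exp", inhibitors={"cNode": 1}, outputs={"nbr_InBuff": 1}),
        # At least k tokens in InBuff: detection, then start emptying.
        Transition("checkYES", "det", inputs={"cNode": 1, "InBuff": k},
                   outputs={"cNode": 1, "det": 1, "empty": 1}),
        # Fewer than k tokens in InBuff (inhibitor arc of multiplicity k).
        Transition("checkNO", "det", inputs={"cNode": 1}, inhibitors={"InBuff": k},
                   outputs={"cNode": 1, "empty": 1}),
        # Zero-time emptying loop: remove one packet and keep the "empty" token.
        Transition("e-on", "imm", inputs={"empty": 1, "InBuff": 1},
                   outputs={"empty": 1}),
        # Buffer is empty: end of the emptying cycle.
        Transition("e-end", "imm", inputs={"empty": 1}, inhibitors={"InBuff": 1}),
    ]


def end_of_period(marking, net):
    """Fire the check transition enabled at the end of [0, Delta], then fire
    immediate transitions until none is enabled. Returns (fired names, marking)."""
    fired = []
    checks = [t for t in net if t.kind == "det" and enabled(marking, t)]
    if len(checks) > 1:
        raise RuntimeError("checkYES and checkNO must be mutually exclusive")
    if checks:
        marking = fire(marking, checks[0])
        fired.append(checks[0].name)
    while True:
        immediate = [t for t in net if t.kind == "imm" and enabled(marking, t)]
        if not immediate:
            return fired, marking
        marking = fire(marking, immediate[0])
        fired.append(immediate[0].name)


if __name__ == "__main__":
    net = dynamic_cnode_net(k=3)
    # Constructed markings: an elected cNode that overheard 5, then 2 packets.
    print(end_of_period({"cNode": 1, "InBuff": 5}, net))
    print(end_of_period({"cNode": 1, "InBuff": 2}, net))
    # A node that is not currently elected: only TX is enabled.
    print(enabled({"cNode": 0, "InBuff": 5}, net[0]))
```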

The above described GSPN models for sensing nodes, static cNodes and dynamic cNodes can be used as basic building blocks to compose models of specific WSN topologies. In the following we provide examples of GSPN for a 9x9 WSN grid-topology equipped with DoS detection functionalities.

5.2.3. GSPN model of DoS detection with static cNodes

Figure 13 illustrates a complete GSPN model for a 9x9 grid topology representing an example of DoS detection with static election of cNodes (as in [LC08]). In particular in this example we consider the presence of 2 cNodes (i.e. nodes 3 and 4) and 1 compromised node (i.e. node 1). Note that for simplicity the “emptying buffer” part in the GSPN modules of the cNodes (i.e. nodes 3 and 4) is depicted as a box (i.e. the content of that box corresponds to the subnet responsible for emptying the “InBuff” place as depicted in Figure 11(a) and Figure 11(b)).

This model can be used to study the performance of DoS detection with static cNodes in many respects, such as: measuring the expected number of detected attacks within a certain time bound, or also e.g. assessing the average energy consumption of cNodes. In the next section we describe how to build GSPN models of WSNs with DoS detection and dynamic election of cNodes. The resulting GSPN is more complex than that for statically elected cNodes, as it must include an extra module, namely a GSPN module for periodically electing the cNodes.

5.2.4. GSPN model of DoS detection withdynamic cNodes

Figure 14 illustrates the GSPN model of a 9x9 grid topology for the case of DoS detection with dynamic election of cNodes (as in [GM12]). For simplicity Figure 14 consists of two parts: the actual network topology part (Figure 14(a)) and the cNodes random election mechanism (Figure 14(b)). The network model (Figure 14(a)) is obtained by composition of node’s GSPN component in the same fashion as for the model of the WSN for DoS detection with static cNodes, only that now all nodes must be reconfigurable as either sensors or controllers (thus the basic GSPN components used to build the network topology are those of Figure 11(b)).

Figure 14. GSPN model of a 9x9 grid-topology with 1 (fixed) compromised node and 2 randomly elected cNodes. (a) The traffic part in a 9x9 topology (legend: b_i, input buffer of node i; det_i, num. of detections by node i; gN_i, node i is a gNode; transitions with deterministic delay or exponential delay). (b) The random election policy part: 2 cNodes are elected out of 8 (deterministic-delayed transitions and immediate transitions).

The cNodes election component (Figure 14(b)), on the other hand, consists of a single place, n mutually-exclusive deterministically distributed timed-transitions (blue-filled) and n mutually-exclusive immediate transitions (black-filled) (with $n = \binom{8}{2} = 28$, as we assume that, at each round, 2 cNodes are elected out of 8 possible candidates, thus, for simplicity we rule out the compromised node from the eligible ones). The deterministically distributed timed-transitions (blue-filled) of Figure 14(b) correspond to all possible different pairs of “cNode” places. At the end of each selection period only (exactly) one such timed-transition will be enabled and will fire retrieving, in this way, the tokens from the current pairs of active cNodes and inserting one token in the only (central) place of the net in Figure 14(b). At this point all 28 immediate transitions will become enabled and a random choice will take place resulting in the selection of only (exactly) one of them. The selected transition will fire and by doing so will insert one token into each “cNode” place of the corresponding pair of cNodes to which it is connected, activating, in this way, the controlling functionality of the newly elected cNodes.
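The election component described above can be played as a token game, which makes its marking invariant and the resulting share of rounds per node visible. This is an added example, not code from the paper; it assumes the eligible nodes are numbered 2 to 9, that the 28 immediate transitions carry equal weights, and that the net starts with the token in the central place.

```python
import itertools
import random

# Assumption: the 8 eligible nodes are numbered 2..9 (as the place labels of
# Figure 14 suggest) and the 28 immediate transitions have equal weights.
CANDIDATES = list(range(2, 10))
PAIRS = list(itertools.combinations(CANDIDATES, 2))  # one timed + one immediate transition per pair


def place(i):
    return "cNode%d" % i


def fire_timed(marking):
    """End of a selection period: the single enabled timed transition fires.

    It is the one whose two input "cNode" places are both marked; firing takes
    those two tokens and puts one token in the central place.
    """
    enabled = [p for p in PAIRS if all(marking[place(i)] == 1 for i in p)]
    if len(enabled) != 1:
        raise RuntimeError("expected exactly one enabled timed transition")
    for i in enabled[0]:
        marking[place(i)] -= 1
    marking["central"] += 1
    return enabled[0]


def fire_immediate(marking, rng):
    """The central token enables all 28 immediate transitions; one is chosen."""
    if marking["central"] != 1:
        raise RuntimeError("no election pending")
    chosen = rng.choice(PAIRS)
    marking["central"] -= 1
    for i in chosen:
        marking[place(i)] += 1
    return chosen


def simulate(rounds, seed=2013):
    """Play `rounds` selection periods; count the rounds served per node."""
    rng = random.Random(seed)
    marking = {place(i): 0 for i in CANDIDATES}
    marking["central"] = 1                      # initial election pending (assumption)
    served = {i: 0 for i in CANDIDATES}
    for _ in range(rounds):
        pair = fire_immediate(marking, rng)
        # Invariant of the component: two cNode tokens, none in the central place.
        if sum(marking[place(i)] for i in CANDIDATES) != 2 or marking["central"] != 0:
            raise RuntimeError("marking invariant violated")
        for i in pair:
            served[i] += 1
        if fire_timed(marking) != pair:
            raise RuntimeError("released pair differs from elected pair")
    return served


if __name__ == "__main__":
    rounds = 20000
    for node, n in sorted(simulate(rounds).items()):
        print("node %d was cNode in %.3f of the rounds" % (node, n / rounds))
```

With equal weights each eligible node serves as cNode in about 2/8 of the rounds, which is the uniform spreading of the monitoring load that the dynamic policy aims at.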

5.3. HASL verification of DoS detection models

One of the main motivations for developing GSPN models of discrete-event systems is that a fairly large and well established family of formal methods can be applied to analyze them. Recently a new formalism called Hybrid Automaton Stochastic Logic (HASL) has been introduced which provides a unified framework both for model checking and for performance and dependability evaluation of DESP models expressed in GSPN terms. In essence, given a GSPN model, we can express sophisticated performance measures in terms of an HASL formula and apply statistical model checking functionalities to (automatically) assess them. In the following we informally summarize the basics of the HASL verification approach, referring the reader to [BDDHP11] for formal details.

5.3.1. HASL model checking

Model checking [CGP99] is a formal verification procedure by which, given a (discrete-state) model M and a property formally expressed in terms of a temporal logic formula φ, an algorithm automatically decides whether φ holds in M (denoted M |= φ). In the case of stochastic models (i.e. stochastic model checking [KNP07a]) formulae are associated with a measure of probability and verifying M |= φ corresponds to assessing the probability of φ with respect to the stochastic model M. HASL model checking extends this very simple concept in the sense that an HASL formula can evaluate to any real number (thus it can represent a measure of probability as well as other performance measures). To do so HASL uses Linear Hybrid Automata (LHA) as machinery to encode the dynamics (i.e. the execution paths, or trajectories) of interest of the considered GSPN model. An LHA, simply speaking, is a generalization of Timed Automaton where clock-variables are replaced by real-valued data-variables. In practice a formula of HASL consists of two parts:

• an LHA used as a selector of relevant timed executions of the considered DESP (path selection is achieved by synchronization of a generated DESP trajectory with the LHA).

• an expression Z built on top of data variables of the LHA according to the syntax given in (1) and which represents the measure to be assessed.

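$$
\begin{aligned}
Z &::= E(Y) \mid Z + Z \mid Z \times Z \\
Y &::= c \mid Y + Y \mid Y \times Y \mid Y / Y \mid last(y) \mid min(y) \mid max(y) \mid int(y) \mid avg(y) \\
y &::= c \mid x \mid y + y \mid y \times y \mid y / y
\end{aligned}
\tag{1}
$$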

The informal meaning of an HASL expression Z (1) is as follows: x is a data-variable of the LHA automaton associated to the expression. y is an (arithmetic) expression of data-variables. Y is a path random variable, i.e. a variable which is evaluated against a synchronization path, a path resulting from the synchronization of a trajectory of the DESP with the LHA associated to the formula. The basic operators (i.e. last(y), min(y), max(y), int(y), avg(y)) on top of which a path variable Y is built have intuitive meanings. In particular: last(y) indicates the last value of expression y along an accepted synchronized path; min(y)/max(y) indicates the minimum (maximum) of y along a path; int(y) the integral of y along a path; avg(y) the average of y along a path.

The HASL statistical model checking procedure works as follows:

• it takes a GSPN model and an HASL formula
• it iteratively generates trajectories of the GSPN model state-space and synchronizes them with the LHA
• the trajectories that have been “accepted” by the LHA are considered in the estimation of the measure of interest, the others are dropped.

5.4. HASL formulae for DoS models

Having seen the nature of HASL verification we provide here a few examples of HASL formulae (i.e. LHA + expression) which can be used to assess performance measures of the DoS (GSPN) models presented in the previous section. Such formulae may be readily assessed through the COSMOS model checker and the results can be used to compare different DoS detection mechanisms.

The LHA we present are based on the following data-variables:

• $x_t$: global time
• $x_{d_i}$: num. of attacks detected by cNode i (1 ≤ i ≤ N)
• $x_{TX_i}$: num. of data transmitted by node i (1 ≤ i ≤ N)
• $x_{bf_i}$: flow of packets in buffer of node i (1 ≤ i ≤ N)

Figure 15. An LHA for assessing relevant measures of DoS GSPN models. Rates in location $l_1$: $x_t$: 1, $x_{d_i}$: 0, $x_{TX_i}$: 0, $x_{bf_i}$: $M(bf_i)$. Edges: $l_1 \to l_1$ with (true, $\{chkYES_i\}$, $x_{d_i} := x_{d_i}+1$); $l_1 \to l_1$ with (true, $\{TX_i\}$, $x_{TX_i} := x_{TX_i}+1$); $l_1 \to l_2$ with ($x_t == T$, $\{ALL\}$, ∅).

The LHA in Figure 15 is a template automaton that can be used for calculating different measures of a node (either a sensing or a cNode) of a WSN model. It refers to GSPN models (Figure 13, Figure 14). It consists of 2 locations and refers to the 4 data-variables described above. In the initial location ($l_1$) the rate of change (i.e. the first derivative) of data-variables is indicated (inside the circle). The global time variable $x_t$ is incremented with rate $\dot{x}_t = 1$ following the linear flow of time. Counter variables $x_{d_i}$ and $x_{TX_i}$ (used to count occurrences of events) are unchanged in location $l_1$ (i.e. their rates are zero). Finally variable $x_{bf_i}$ is incremented with rate proportional to the number of tokens in the input buffer of cNode i (i.e. $\dot{x}_{bf_i} = M(bf_i)$); this data-variable can be used to measure the average length of overheard packets by cNode i, and thus to measure the average energy consumption of a cNode. The two self-loop transitions on location $l_1$ are used to increment the counter variables $x_{d_i}$ and $x_{TX_i}$ on occurrence of the associated events in the GSPN model. For example transition $l_1 \xrightarrow{true,\ \{chkYES_i\},\ x_{d_i} := x_{d_i}+1} l_1$ indicates that on occurrence of the GSPN transition labeled $chkYES_i$ (i.e. detection of an attack by cNode i) the variable $x_{d_i}$ is incremented by 1. Transition $l_1 \xrightarrow{x_t == T,\ \{ALL\},\ \emptyset} l_2$ from $l_1$ to the accepting location $l_2$ indicates when the synchronization stops and the processed path is accepted. Precisely this happens as soon as $x_t == T$, where $T \in \mathbb{R}$ denotes a time-bound, that is: as soon as the observed trajectory is such that the simulation time is T. In this case, no matter which GSPN transition is occurring (i.e. synchronization set is $\{ALL\}$) the transition from $l_1$ to $l_2$ will fire and the path generation will stop by accepting the path. In other words the LHA in Figure 15 trivially accepts all paths of time duration T. The values of the 4 data variables collected during synchronization of the LHA with the GSPN model will then be used for estimating relevant Z expressions.

In the following we describe a few examples of Z expressions that can be used in association with the LHA in Figure 15 to evaluate relevant measures of the DoS GSPN models.

• $Z_1 \equiv E(Last(x_{d_i}))$: the expected num. of detected attacks by cNode i after T time units
• $Z_2 \equiv E(Last(x_{d_i} + x_{d_{i'}}))$: the sum of attacks detected by cNode i and i′ after T time units
• $Z_3 \equiv E(Last(x_{TX_i}))$: the expected value of packets transmitted by node i after T time units
• $Z_4 \equiv E(Avg(x_{bf_i}))$: the expected cumulative flow of packets received by node i within T time units
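How the LHA of Figure 15 turns trajectories into estimates of Z1, Z3 and Z4, following the statistical procedure of Section 5.3.1, is sketched below. This is an added example, not part of the paper or of COSMOS: `toy_trajectory` is a constructed stand-in for a GSPN run (the RXi and chkNOi labels, the rates, the period and the threshold are assumptions), and Avg is read as the time average over [0, T].

```python
import random


def run_lha(trajectory, T, i):
    """Synchronise one timed trajectory with the Figure 15 LHA for node i.

    trajectory yields (firing_time, transition_label, tokens_in_bf_i_afterwards).
    Returns the data variables at acceptance, or None if the path ends before T.
    """
    xt = xd = xtx = xbf = 0.0
    int_xbf = 0.0      # running integral of xbf, used for Avg(xbf) (assumed reading)
    m = 0              # current marking M(bf_i): the flow of xbf in location l1
    for t, label, m_after in trajectory:
        now = min(t, T)
        dt = now - xt
        int_xbf += xbf * dt + m * dt * dt / 2.0   # xbf grows linearly at rate m
        xbf += m * dt
        xt = now
        if xt >= T:                                # edge l1 -> l2: guard xt == T
            return {"xd": xd, "xTX": xtx, "xbf": xbf, "avg_xbf": int_xbf / T}
        if label == "chkYES%d" % i:                # self-loop: xd := xd + 1
            xd += 1
        elif label == "TX%d" % i:                  # self-loop: xTX := xTX + 1
            xtx += 1
        m = m_after
    return None


def toy_trajectory(rng, T, i, tx_rate=2.0, rx_rate=3.0, period=1.0, threshold=4):
    """Constructed stand-in for a GSPN run (not the paper's model).

    Node i transmits (TXi) and overhears packets (RXi) with exponential delays;
    every `period` a check empties bf_i and fires chkYESi if it held more than
    `threshold` packets, chkNOi otherwise.
    """
    t, m, next_chk = 0.0, 0, period
    while t <= T:
        dt = rng.expovariate(tx_rate + rx_rate)
        if t + dt >= next_chk:                     # the deterministic check fires first
            t, next_chk = next_chk, next_chk + period
            label, m = ("chkYES%d" if m > threshold else "chkNO%d") % i, 0
        else:
            t += dt
            if rng.random() < tx_rate / (tx_rate + rx_rate):
                label = "TX%d" % i
            else:
                label, m = "RX%d" % i, m + 1
        yield t, label, m


def estimate(n_paths, T, i, seed=7):
    """Statistical estimate of Z1, Z3 and Z4 over the accepted paths only."""
    rng = random.Random(seed)
    runs = (run_lha(toy_trajectory(rng, T, i), T, i) for _ in range(n_paths))
    acc = [r for r in runs if r is not None]
    mean = lambda key: sum(r[key] for r in acc) / len(acc)
    return {"Z1": mean("xd"), "Z3": mean("xTX"), "Z4": mean("avg_xbf"), "accepted": len(acc)}


if __name__ == "__main__":
    print(estimate(2000, T=10.0, i=5))
```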

6. CONCLUSION

Detection of DoS attacks is a fundamental aspect of WSN management. In this paper we have considered a class of DoS detection mechanisms designed to operate on clustered WSNs. The detection methods we have considered are based on deployment of special control nodes in the sensing field: i.e. specific nodes which are responsible for monitoring the throughput of traffic of specific parts of the sensing field and signaling the presence of suspected attacked nodes in case anomalies are detected. Control nodes election is a crucial aspect of DoS mechanisms. In the literature two basic election approaches have been proposed: a static election and a dynamic (random) election.

In this paper we presented different modeling approaches for obtaining models of WSNs with DoS functionalities. First we have described how Markov chain models should be structured for modeling DoS attack and detection, pointing out that because of the nature of DoS detection, Markovian models may inherently come with some significant approximation. We have then presented numerical results obtained with virtual WSN implementation by means of the NS-2 network simulator. The outcome of such simulative experiments confirms the intuition that cNodes dynamic allocation guarantees a more uniform energy consumption (throughout the network) while preserving a good detection capability. Finally we have presented formal non-Markovian models of DoS detection in terms of Generalized Stochastic Petri Nets, a high level formalism for generic Discrete Event Stochastic Process. We have illustrated how models of WSNs with DoS can be built “incrementally” by combination of small GSPN modules of single (sensing/controlling) nodes up to obtaining a model of the desired network. We have also stressed how the GSPN formalism is naturally well suited for modeling of the dynamic random cNodes election policy. Finally we have briefly presented how expressive performance measures of the DoS GSPN models can be formally expressed and assessed by means of the recently introduced Hybrid Automata Stochastic Logic. Future developments of this work include the execution of actual verification experiments on the presented GSPN models by means of the COSMOS statistical model checker, as well as the extension of the proposed modeling approaches to consider more complex networks (different topologies and scales).

REFERENCES

[GA09]. G. Anastasi et al: Energy conservation in wireless sensor networks: A survey. Ad Hoc Networks 7, p. 537–668 (2009).

[LB09]. B. Li and L. Batten: Using mobile agents to recover from node and database compromise in path-based DoS attacks in wireless sensor networks. Journal of Network and Computer Applications 32, p. 377–387 (2009).

[CS11]. W.R. Claycomb and D. Shin: A novel node level security policy framework for wireless sensor networks. Journal of Network and Computer Applications 34, p. 418–428 (2011).

[MS11]. M.A. Simplicio Jr. et al: Comparison of Authenticated-Encryption Schemes in Wireless Sensor Networks. 36th Annual IEEE Conference on Local Computer Networks, Bonn, Germany (2011).

[HS05]. F. Hu and N. Sharma: Security considerations in ad hoc sensor networks. Ad Hoc Networks 3, p. 69–89 (2005).

[ATB05]. J. Ai, D. Turgut and L. Bölöni: A Cluster-based Energy Balancing Scheme in Heterogeneous Wireless Sensor Networks. Proceedings of International Conference on Networking, p. 467–474 (April 2005).

[HW00]. W.R. Heinzelman et al: Energy-Efficient Communication Protocol for Wireless Microsensor Networks. Proceedings of the IEEE Hawaii international conference on system sciences (2000).

[OX09]. S. Ozdemir and Y. Xiao: Secure data aggregation in wireless sensor networks: A comprehensive overview. Computer Networks 53, p. 2022–2037 (2009).

[YF04]. O. Younis and S. Fahmy: HEED: a hybrid, energy-efficient distributed clustering approach for ad hoc sensor networks. IEEE Trans. Mobile Comput. 3(4), p. 366–379 (2004).

[FL11]. S. Fouchal and I. Lavallée: Fast and Flexible Unsupervised Clustering Algorithm Based on Ultrametric Properties. Proceedings of the 7th ACM Symposium on QoS and Security for Wireless and Mobile Networks, Miami, USA (2011).

[YL11]. Y. Liang: Efficient Temporal Compression in Wireless Sensor Networks. 36th Annual IEEE Conference on Local Computer Networks, Bonn, Germany (2011).

[LC08]. G. Hsin Lai and C-M. Chen: Detecting Denial of Service Attacks in Sensor Networks. Journal of Computers Vol. 18, No. 4 (January 2008).

[GM12]. M. Guechari, L. Mokdad and S. Tan: Dynamic Solution for Detecting Denial of Service Attacks in Wireless Sensor Networks. ICC (June 2012).

[YB10]. Bashir Yahya, Jalel Ben-Othman: Energy efficient and QoS aware medium access control for wireless sensor networks. Concurrency and Computation: Practice and Experience 22(10): 1252-1266 (2010).

[BY10]. Jalel Ben-Othman, Bashir Yahya: Energy efficient and QoS based routing protocol for wireless sensor networks. J. Parallel Distrib. Comput. 70(8): 849-857 (2010).

[MM09]. M. Mohi, A. Movaghar and P.M. Zadeh: A Bayesian Game Approach for Preventing DoS Attacks in Wireless Sensor Networks. International Conference on Communications and Mobile Computing (2009).

[JH10]. J-W. Ho: Distributed Detection of Node Capture Attacks in Wireless Networks. Smart Wireless Sensor Networks, H.D. Chinh and Y.K. Tan (Ed.) (2010).

[SM10]. S. Misra et al: An adaptive learning routing protocol for the prevention of distributed denial of service attacks in wireless mesh networks. Computers and Mathematics with Applications 60, p. 294–306 (2010).

[AP01]. A. Perrig et al: SPINS: Security Protocols for Sensor Networks. Mobile Computing and Networking, Rome, Italy (2001).

[LO07]. L.B. Oliveira et al: SecLEACH – On the security of clustered sensor networks. Signal Processing 87, p. 2882–2895 (2007).

[HI09]. M.H. Islam et al: Optimal Sensor Placement for Detection against Distributed Denial of Service Attacks. Pak. J. Engg. & Appl. Sci. Vol. 4, p. 80–92 (2009).

[JS10]. J-H. Son et al: Denial of service attack-resistant flooding authentication in wireless sensor networks. Computer Communications 33, p. 1531–1542 (2010).

[MH07]. M-Y. Hsieh et al: Adaptive security design with malicious node detection in cluster-based sensor networks. Computer Communications 30, p. 2385–2400 (2007).

[MH02]. M. J. Handy, M. Haase, D. Timmerman: Low Energy Adaptive Clustering Hierarchy with Deterministic Cluster-Head Selection. Proceedings of the 4th IEEE conference on Mobile and Wireless Communications Networks, Stockholm, Sweden (2002).

[SF11]. S. Fouchal, I. Lavallée: Fast and Flexible Unsupervised Clustering Algorithm Based on Ultrametric Properties. Proceedings of the 7th ACM Symposium on QoS and Security for WSN, Miami, USA (2011).

[BDDHP11]. P. Ballarini, H. Djafr, M. Duflot, S. Haddad, N. Pekergin: HASL: An Expressive Language for Statistical Verification of Stochastic Models. Proceedings of the 5th International Conference on Performance Evaluation Methodologies and Tools (ValueTOOLS11), Cachan, France (2011).

[BDDHP11+]. P. Ballarini, H. Djafr, M. Duflot, S. Haddad, N. Pekergin: COSMOS: a Statistical Model Checker for the Hybrid Automata Stochastic Logic. Proceedings of the 8th International Conference on Quantitative Evaluation of Systems (QEST11), Aachen, Germany (2011).


[NS2]. The Network Simulator NS-2. http://www.isi.edu/nsnam/ns/

[AMBCDF95]. M. Ajmone Marsan, G. Balbo, G. Conte, S. Donatelli, and G. Franceschinis: Modelling with Generalized Stochastic Petri Nets. John Wiley & Sons (1995).

[BBBP12]. J. Ben-Othman, Karim Bessaoud, Alain Bui, Laurence Pilard: Self-stabilizing algorithm for efficient topology control in Wireless Sensor Networks. Elsevier, Journal of Computational Science (JOCS), In press.

[FH11]. H. Fouchal and Z. Habbas: Distributed backtracking algorithm based on tree decomposition over wireless sensor networks. Concurrency and Computation: Practice and Experience. doi: 10.1002/cpe.1804 (September 2011).

[BB12]. J. Ben-Othman and Y. Saavedra Benitez: IBC-HWMP: a novel secure identity-based cryptography-based scheme for Hybrid Wireless Mesh Protocol for IEEE 802.11s. Concurrency and Computation: Practice and Experience, Wiley, In press.

[DFHV10]. N. Dessart, H. Fouchal, P. Hunel and N. Vidot: Anomaly Detection with Wireless Sensor Networks. The 9th IEEE International Symposium on Network Computing and Applications (NCA 2010), IEEE CS Press, Cambridge, MA, USA (July 2010).

[BF12]. T. Bernard and H. Fouchal: A low energy consumption MAC protocol for WSN. IEEE ICC 2012, Ottawa, Canada (June 2012).

[KNP07a]. M. Kwiatkowska and G. Norman and D. Parker: Stochastic Model Checking. In book “Formal Methods for the Design of Computer, Communication and Software Systems: Performance Evaluation (SFM’07)”, LNCS (Tutorial Volume), Vol. 4486 (2007).

[CGP99]. E. M. Clarke and O. Grumberg and D. A. Peled: Model Checking. MIT Press (1999).
