Review Article Detection and Mitigation of Node Replication...

Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2013 Article ID 149023 22 pageshttpdxdoiorg1011552013149023

Review ArticleDetection and Mitigation of Node Replication Attacks inWireless Sensor Networks A Survey

Wazir Zada Khan1 Mohammed Y Aalsalem2

Mohammed Naufal Bin Mohammed Saad1 and Yang Xiang3

1 Electrical and Electronic Engineering Department Universiti Teknologi PETRONASBandar Seri Iskandar 31750 Tronoh Perak Malaysia

2 School of Computer Science amp Information System Jazan University Jazan 45142 Saudi Arabia3 School of Information Technology Deakin University 221 Burwood Highway Burwood Melbourne VIC 3125 Australia

Correspondence should be addressed to Wazir Zada Khan wazirzadakhanyahoocom

Received 25 January 2013 Accepted 22 March 2013

Academic Editor Muhammad Khurram Khan

Copyright copy 2013 Wazir Zada Khan et al This is an open access article distributed under the Creative Commons AttributionLicense which permits unrestricted use distribution and reproduction in any medium provided the original work is properlycited

Wireless sensor networks are a collection of a number of tiny low-cost and resource-constrained sensor nodeswhich are commonlynot tamper proof As a result wireless sensor networks (WSNs) are prone to awide variety of physical attacks In this paper we deema typical threat known as node replication attack or clone node attack where an adversary creates its own low-cost sensor nodescalled clone nodes andmisinforms the network to acknowledge them as legitimate nodes To instigate this attack an adversary onlyneeds to physically capture one node and after collecting all secret credentials (ID cryptographic keys etc) an adversary replicatesthe sensor node and deploys one or more clones of the compromised node into the network at strategic positions damaging thewhole network by carrying outmany internal attacks Detecting the node replication attack has become an imperative research topicin sensor network security and designing detection schemes against node replication attack involves different threatening issuesand challenges In this survey we have classified the existing detection schemes and comprehensively explore various proposals ineach category We will also take a glance at some technical details and comparisons so as to demonstrate limitations of the existentdetections as well as effective contributions

1 Introduction

Advancement in technology has made it possible to developtiny low-cost sensor nodes with off-the-shelf hardware Awireless sensor network (WSN) which is a distributed andself-organized network is a collection of such sensor nodeswith limited resources that collaborate in order to achievea common goal These sensor nodes are comprised of low-cost hardware components with constraints on battery lifememory size and computation capabilities [1] Wirelesssensor networks are often deployed in harsh and hostile envi-ronments which are inaccessible and even hazardous areasto perform various monitoring tasks For example they canbe used to monitor factory instrumentation pollution levelsfreeway traffic and the structural integrity of buildings [2]Some of the other applications of WSNs include patient

monitoring climate sensing control in office buildings andhome environmental sensing systems for temperature lightmoisture and motion

WSNs are viable solutions for a wide variety of real-worldchallenges however a set of new security challenges arise insensor networks due to the fact that current sensor nodes lackhardware support for tamper-resistance (because it is uneco-nomical to enclose each node in a tamper resistant hard-ware) and are often deployed in unattended environmentswhere they are vulnerable to capture and compromise by anadversary Taking an example of a battlefield WSNs musttackle the threats and attacks from attackers because theseareas are sometimes physically accessible to camouflagedenemies [3] who would like to acquire the private locationsof soldiers from or inject wrong commands into the sensornetwork [4] Similarly an unattended WSN can be deployed

2 International Journal of Distributed Sensor Networks

in hostile environments which imply the existence of anadversary For example WSN can be used to monitor firearmdischarge illicit crop cultivation drugweapons smugglinghuman trafficking nuclear emissions in a rogue region andother illegal activities [5] Thus it is very important to ensurethe security of sensor networks in such scenarios

The unattended nature of wireless sensor networks can beexploited by adversaries which are able to launch an array ofdifferent physical attacks including node replication attacksignal or radio jamming denial of service (DoS) attack nodeoutage eavesdropping and Sybil attack and other attackslike sinkhole wormhole and selective forwarding attackThreats to sensor networks can be either layer dependentor layer independent Attacks in the former category can beapplication dependant and are specific to different OSI layerstargeting specific network functionalities such as routingnode localization time synchronization and data aggrega-tion while the attacks in the latter category are applicationindependent affecting a wide variety of applications fromobject tracking and fire alarming to battlefield surveillanceand these attacks are not launched on any OSI layer Theattacks of the latter category are also application independent[2] This attack taxonomy is also shown in Figure 1 In orderto protect wireless sensor networks from layer dependentattacks many schemes have been proposed To alleviate theeffects of routing disruption attacks secure routing schemeshave been proposed [6 7] Authentication schemes [8ndash10] areused to mitigate false data injection attacks Data aggregationcan be secured by using secure data aggregation protocolsproposed in [11ndash14] To defend localization and time synchro-nization protocols from different attacks and threats manyprotocols have been proposed in [15ndash21] Nevertheless mostof these schemes are attack resilient rather than they candetect and remove the source of attack Thus there is a needto detect and revoke the sources of attacks as soon as possibleto substantially reduce the costs and damages incurred byemploying attack resilient approaches

In this comprehensive survey we consider a very severeand important physical attack on WSN which is called nodereplication attack or clone attack It is also known as identityattack In this attack an adversary first physically capturesonly one or few of legitimate nodes then clones or replicatesthem fabricating those replicas having the same identity (ID)with the captured node and finally deploys a capricious num-ber of clones throughout the network This whole processof node replication attack and the various stages are shownin Figure 2 This vexing problem arises from the actualitythat sensor nodes are unshielded It is stated in [22] that anexperienced attacker can completely compromise a typicalsensor node by using only a few readily available tools andit can then obtain copies of that node memory and datawithin 1min of discovering it The clones or replicas mayeven be selectively reprogrammed to subvert the network bylaunching further insider attacks like falsifying sensor data orsuppressing legitimate data extracting data from the networkand disconnect the network by triggering correct executionof node revocation protocols that rely on threshold votingschemes and staging denial of service (DoS) attacks Clonenodes may create a black hole initiate a wormhole attack

Attacks on wireless sensor networks

Layer-independentattacks

Routing attacks Node replicationattacks

Data aggregationattacks

attacks

Sybil attacks

Localization

Time synchronizationattacks

Layer-dependentattacks

Figure 1 Classification of attacks on wireless sensor networks

with a collaborating adversary or may also leak data in anenvironment in which sensed data must be kept private [23]If these replicated nodes or clones remain undetected orunattended for a long time they can further commence thechanges in protocol behavior and intrusion into the systemssecurity [24] It is easy for an adversary to launch such attacksdue to the fact that the clones created by an adversary havelegitimate information (codes key materials and creden-tials) and they may be considered as legitimate nodes andtotally honest by its neighbors which are participating in thenetwork operation in the same way as the noncompromisednodes

The above mentioned traditional security schemes forWSNs are inept to detect and prevent node replication attackThus in the last few years a number of detection and pre-vention techniquesschemes have been proposed in the liter-ature According to [2] the detection schemes are classifiedon a high level as network-based or radio-based detectionOnly one instance of radio-based detection is found in [25]The former category is further categorized into two types asfor mobile WSNs and for stationary WSNs Both techniquesfor mobile and stationary WSNs are further divided into twobroad categories namely centralized and distributed Thiscan be summarizedwith Figure 3which shows a detailed clas-sification of all replica detection schemesThis categorizationprovides a first step to better understand the node replicationdetection schemes

A WSN can be either stationary or mobile In staticwireless sensor networks (SWSNs) the sensor nodes arestationary or static that is the sensor nodes are deployed ran-domly and after deployment their positions do not changeOn the other hand in mobile wireless sensor networks(MWSNs) the sensor nodes canmove on their own and afterdeployment they can interact with the physical environmentby controlling their own movement Advances in roboticshave made it possible to develop such mobile sensors which

International Journal of Distributed Sensor Networks 3

Step 1 Sensor Nodes Deployed in Field

Step 2 Capture one sensor node physically Step 5 Deploy these clones at strategic positions

Step 3 Collects all secret credentials

Step 4 Replicate or make clones of captured nodes

Figure 2 Steps of node replication attack

are autonomous and have the ability to sense computeand communicate like static sensors The prime differencebetween static and mobile WSNs is that mobile nodes areable to reposition and organize themselves in the networkand after initial deployment the nodes spread out to gatherinformation [26 27] Mobile nodes can communicate withone another when they are within the range of each otherand only then they can exchange their information gatheredby them Another important difference is that in static WSNsfixed routing or flooding is used for data distribution whilein mobile WSNs dynamic routing is used As static andmobile WSNs differ in their characteristics hence replicationdetection schemes for stationary and mobile WSNs will besubstantially different In a static or stationaryWSN a sensornode has a unique deployment position and thus if onelogical node ID is found to be associated with two or morephysical locations node replication is detected But this isinapplicable tomobileWSNs where sensor nodes keep roam-ing in the deployment field So replication detection in suchmobile WSN involves different scenarios and techniques

For mobile WSNs both centralized and distributedtechniques have been proposed in the literature In thecase of stationary WSNs centralized techniques are furthercategorized into five types namely straightforward basestation-based technique key usage-based technique SEToperations techniques cluster head-based techniques andneighborhood social signature-based techniques The dis-tributed techniques for stationary WSNs are further dividedinto four types naming Node to Network Broadcastingclaimer-reporter-witness-based techniques neighbor-basedand generation- or group-based techniques On the otherhand mobile centralized detection techniques are furtherdivided into two types including key usage-based and nodespeed-based techniques The mobile distributed detectiontechniques are divided into three main types namely nodemeeting-based mobility-assisted-based and information-exchange-based techniquesThis inclusive categorization canbe summarized with Figure 3 which provides a first step inbetter understanding node replication detection schemes


Replica detection schemes

Network-based schemes Radio-based schemes

For static WSNs For mobile WSNs

Keys usage based

Key usage-basedtechniques

Centralizedtechniques techniques

Distributed Centralizedtechniques techniques

Distributed

Carryingfingerprint based

Carrying locationclaim based

Neighborhood based

Neighborhood socialsignature based

Generation or groupbased

Node speed basedWitnessnode based or claimer-reporter-witness based

Node meetingbased

Mobility assistedbased

Informationexchange based

Cluster head-basedtechniques

Not seen manytimes

Not yet met Encountering same IDson different locations

Random valueexchange

basedToken exchange

Node to networkbroadcasting

Seen many times

Straightforward basestation-based

techniques

SEToperations-based

techniques

Figure 3 Taxonomy of replica detection schemes

11 Motivation With the rapid use of vast technologies inWSNs the threats and attacks to WSN are escalating and arealso being diversified and deliberate A typical threat callednode replication attack is a very severe and niggling probleminwhich an adversary replicates a sensor node after physicallycapturing it and then uses these replicas to disrupt the net-work operations by redeploying them at strategic positionsof the network Thus the research related to node replicationattack in WSNs has been followed with much interest inrecent years The research of authentication and securitytechniques is already quite mature but such solutions fail todetect node replication attack and thus no longer provideWSN with adequate security from this attack Furthermorethe detection of node replication attack in mobile WSN is fardifferent and more challenging than in static WSNs

The development of replicaclone detection techniquessuitable for static WSNs and mobile WSNs is thereforeregarded as an essential research area which will make WSN(either static or mobile) to be more secure and reliable Mostrecently Zhu et al [2] did a survey on the countermeasures ofnode replication attack which has pointed out some valuabletechnical weaknesses and advantages of some of the tech-niques but latest progress of replica detection schemes isabsent and it also lacks the detailed analysis of all existingtechniques for mobile WSNs

This motivates us to present our paper as a completeguideline of replicaclone detection schemes both for static

andmobileWSNs Moreover in this paper we have identifiedthe advantages and shortcomings of all the techniquesschemes Finally some variations of node replication attackare also identified and discussed This paper is helpful inunderstanding all the replica detection schemes developedso far and it can assist the researchers and developers in thedevelopment of new robust and effective detection schemes

12 General AdversaryModel Conventionally some assump-tions are made about an adversary in order to scrutinizesecurity of a sensor network First of all an adversary is asmart and powerful attacker who can launch a clone attack[4] and it has the ability to secretly capture a limited numberof legitimate sensor nodes [28] Secondly an adversary cancreate replicas by using cryptographic information whichis obtained from the compromised node An adversary hasalso full control over the compromised and replicated nodesand can communicate with them at any time Thirdly themain goal of an adversary is to protect its replicas frombeing detected by the detection protocol used in the networkbecause if any replicas are detected besides starting a revokeprocess to revoke replicas the network may start a sweepingprocess to sweep out [29] the compromised node and mayalso drawhuman interventionThus it ismostly assumed thatnodes controlled by an adversary still follow the replica detec-tion protocol as an adversary always wants to be overlookedFourthly an adversary is so powerful that it is able to subvert


the nodes thatwill possibly act aswitnesses To copewith suchan adversary it could be possible to assume that nodes aretamper-proof But as tamper proof hardware is expensive andenergy demanding a large part of the literature has assumedthat nodes in the network are not tamper resistant

In case of mobile WSNs the method of attack is the samebut difference is that an adversary is mobile The scenario ofmobileWSN is that the sensors are unable to transmit senseddata at their will because the sink is not always presentThus the data accumulated in theirmemories become targetsof many adversaries In [30] a mobile adversary model isproposed in whichmobile adversary visits and travels aroundthe network trying to compromise a subset of sensors withinthe time interval when sinks are not present in the networkThe time taken by a mobile adversary to compromise a set ofsensors is much shorter than the time between two successivedata collections of a sink

13 Node Replication Attack and Its Effects on the SecurityGoals of WSNs High level security issues are basically iden-tical to the security requirements of both static and mobileWSNs Thus when dealing with security of WSNs one isfaced with achieving some of the following common securitygoals including availability authenticity confidentiality anddata integrity When node replication attack is launched byan adversary all of these security goals are affected severelybecause of two reasons First if any proper specific andefficient detection scheme is not used to identify and revokethese replicas because the existing general purpose securityprotocols would allow the replica nodes to encrypt decryptand authenticate all of their communications as if theywere original captured nodes Second when the detec-tion probability of the detection technique used is very lowto detect these clones or replicas Node replication attack issignificantly harmful to the networks because these replicasor clones have legitimate keys and they are recognized aslegitimate members of the network since they carry allcryptographicmaterials extracted from the captured nodes sothat an adversary can use them to mount a variety of insiderattacks [2] for example it can monitor all the informationpassing through the nodes or monitor significant fractionof the network traffic that passes through the nodes falsifysensor data launch denial of service (DoS) attack extractdata from the network inject false data to corrupt the sensorrsquosmonitoring operation subvert data aggregation and jamlegitimate signals and can also cause continual disruptionto network operations by undermining common networkprotocols

Availability ensures the survivability of network servicesdespite attacks [31] In case of node replication attack anadversary is able to compromise the availability of WSN bylaunching a denial of service (DoS) attack which can severelyhinder the networkrsquos ability to continue its processing Byjamming legitimate signals the availability of the networkassets to authorized parties is also affected

Authenticity is a security goal that enables a node toensure the identity of the sensor node it is communicatingwith In case of node replication attack an adversary createsclone nodes which are seemingly legitimate ones (identical

to the original captured node) as they have all the secretcredentials of the captured node thus it is difficult for anynode to differentiate between a clone node and the original orlegitimate node Also the existing authentication techniquescannot detect clone nodes as they all hold legitimate keysThis is how the authenticity of the network is affected

Confidentiality is the assurance that sensitive data is beingaccessed and viewed only by those who are authorized to seeit But when node replication attack is launched confiden-tiality of data is not assured as clone nodes are the duplicatednodes of the compromised ones and thus they behave likeoriginal compromised nodes These clone nodes can have allthe data that contains trade secrets for commercial businesssecret classified government information or private medicalor financial records and thus by misusing such sensitivedata it can damage the network or organization person andgovernmental body

Data integrity ensures that the contents of data or cor-respondences are preserved and remain unharmed duringthe transmission from sender to receiver Integrity representsthat there is a guarantee that a message sent is the messagereceived meaning that it was not altered either intentionallyor unintentionally during transmission But in case of nodereplication attack an adversary can falsify sensor data orcan inject false data to corrupt the sensitive data and thussubverting the data aggregation using the replicated or clonenodes

14 Evaluation Metrics for Replication Detection TechniquesFor the performance analysis and evaluation of replicadetection protocols four vital evaluation metrics are mostlyused by all the detection schemes These are communicationoverhead storage ormemory overhead detection probabilityand detection time [26]

Communication overhead is defined as the average num-ber of messages sent by a sensor node while propagating thelocation claims Storage overhead defines the average numberof the location claims stored in a sensor node Detectionprobability is an important evaluation metric which showshow accurately a protocol can identify and detect the clonesor replicas The detection time is simply the delay betweenactual replica node deployment and detection

To make the current survey more comprehensive anddetailed here in Section 2 we have discussed all the existingschemes for the replica detection in stationary WSNs whichare accordingly compared in Section 3 Section 4 describes allthe replication detection schemes in mobile WSNs proposedso far in the literature which are then compared in Section 5In Section 6 we have highlighted some important issues andchallenges associated with the node replication attack in bothstatic and mobile WSNs Finally Section 7 concludes thepaper

2 Detection Techniques for Stationary WSNs

Many techniques have been proposed for the detection ofnode replication attack in static WSNs which are categorizedmainly into two types as centralized and distributed tech-niques


21 Centralized Techniques In centralized techniques basestation is considered to be a powerful central which is respon-sible for information convergence and decision makingDuring the detection process every node in the network sendsits location claim (ID Location Info) to base station (sinknode) through its neighboring nodes Upon receiving theentire location claims the base station checks the node IDsalong their location and if it finds two different locationswiththe same ID it raises a clone node alarm

211 On the Detection of Clones in Sensor Networks UsingRandom Key Predistribution This technique falls into thecategory of key usage based techniques Brooks et al [32] haveproposed a cloned key detection protocol in the context ofrandom key predistribution [33] The basic idea is that thekeys employed according to the random key predistributionscheme should follow a certain pattern and those keys whoseusage exceeds a threshold can be judged to be cloned In theprotocol counting Bloom filters is used to collect key usagestatistics Each nodemakes a counting Bloomfilter of the keysit uses to communicate with neighboring nodes It appendsa random number (nonce) to the Bloom filter and encryptsthe result using base station public key this encrypted datastructure is forwarded to base station Base station decryptsthe Bloom filters it receives discards duplicates and countsthe number of time each key used in the network Keys usedabove a threshold value are considered cloned Base stationmakes a bloom filter from the cloned keys encrypts the listusing its secret key and broadcasts this filter to the sensornetwork using a gossip protocol Each node decrypts basestations bloomfilter removes cloned keys from its keying andterminates connections using cloned keys

212 SET Detecting Node Clones in Sensor Networks Thistechnique falls into the category of base station-based tech-niques Choi et al [23] have proposed a clone detectionapproach in sensor networks called SET In SET the networkis randomly divided into exclusive subsets Each of the subsetshas a subset leader and members are one hop away fromtheir subset leader Multiple roots are randomly decided toconstruct multiple subtrees and each subset is a node ofthe subtree Each subset leader collects member informationand forwards it to the root of the subtree The intersectionoperation is performed on each root of the subtree to detectreplicated nodes If the intersection of all subsets of a subtreeis empty there are no clone nodes in this subtree In the finalstage each root forwards its report to the base station (BS)The BS detects the clone nodes by computing the intersectionof any two received subtrees SET detects clone nodes bysending node information to the BS from subset leader to theroot node of a randomly constructed subtree and then to theBS

213 Real-Time Detection of Clone Attacks in Wireless Sen-sor Networks This technique falls into the category ofneighborhood social signature-based techniques Xing et al[34] have proposed real-time detection of clone attacks inWSN In their approach each sensor computes a fingerprintby incorporating the neighborhood information through a

superimposed s-disjunct code [35] Each node stores thefingerprint of all neighbors Whenever a node sends amessage the fingerprint should be included in the messageand thus neighbors can verify the fingerprint The messagessent by clone nodes deployed in other locations will bedetected and dropped since the fingerprint does not belongto the same ldquocommunityrdquo The motivation behind theirscheme for detection of clone attacks is exploring the socialcharacteristics of each sensor Once they are deployed thesesensors reside within a fixed neighborhood The sensor andits neighborhood form a small ldquocommunityrdquo or a ldquosocialnetworkrdquo A cloned sensor can have the same legitimatecredentials (ID keys etc) as the original node but cannothave the same community neighborhood Thus each sensorcan be distinguishably characterized by its social communitynetwork In a small community a newcomer can be easilyrecognized if speaking with a different accent Similarly aclone node can be easily identified by its neighbors if carryinga ldquosocial signaturerdquo belonging to a different community

214 Hierarchical Node Replication Attacks Detection inWire-less Sensor Networks This technique falls into the categoryof cluster head-based techniques Znaidi et al [36] have pro-posed a cluster head selection-based hierarchical distributedalgorithm for detecting node replication attacks using aBloom filter mechanism including the network reactionsMore precisely the algorithm relies on a cluster head selectionperformed using the local negotiated clustering algorithm(LNCA) protocol [37] Each cluster head exchanges themem-ber node Ids through a Bloom filter with the other clusterheads to detect eventual node replications The algorithmworks in three steps In the first step all the material requiredfor Bloom filter computations and for cryptographic opera-tions that will be performed in the network predistributedin each sensor node The second step performs the clusterhead election In the third step Bloom filter constructionis performed by each cluster head and the Bloom filterverification is performed by the other cluster heads

215 CSI Compressed Sensing-Based Clone Identification inSensor Networks This technique falls into the category ofbase station-based techniques Yu et al [38] have proposeda centralized technique called compressed sensing-basedclone identification (CSI) for static wireless sensor networksThe basic idea behind CSI is that each node broadcastsa fixed sensed data (120572) to its one hop neighbors Sensornodes forward and aggregate the received numbers fromdescendant nodes along the aggregation tree via compressedsensing-based data gathering techniques Base station (BS) asthe root of the aggregation tree receives the aggregated resultand recovers the sensed data of the network According tothe reconstructed result the node with the sensory readinggreater than 120572 is the clone since a nonclone node can onlyreport the number once

22 Distributed Techniques In distributed techniques nocentral authority exists and special detection mechanismcalled claimer-reporter-witness is provided in which thedetection is performed by locally distributed node sending


the location claim not to the base station (sink) but to a ran-domly selected node called witness node Distributed tech-niques are classified into four types and these are describedbelow

221 Node-to-Network Broadcasting (N2NB) and Determinis-tic Multicast (DM) This technique falls into the category ofnode-to-network broadcastingTheN2NB andDMprotocolsare two unappealing examples proposed by Parno et al [28]Both of protocols received relatively less attention In N2NBeach node floods the entire network with authenticatedbroadcast to claim its own location (instead of its neighbors)Each node stores the location information for its neighborsincurring a storage cost of 119874(119889) Each node upon receiving aconflicting claim invokes a revocation procedure against theoffending nodes and eventually any replica will be cut off byall its neighbors (thus isolated from the WSN) The N2NBprotocol achieves 100 detection rate as long as the broadcastreaches every node if the network size is assumed to be 119899 andcertain duplicate suppression algorithm is employed so thateach node only broadcasts a given message once

The DM protocol is a good example to illustrate theclaimer-reporter-witness framework The claimer is a nodewhich locally broadcasts its location claim to its neighborseachneighbor serving as a reporter and employs a function tomap the claimer ID to a witness Then the neighbor forwardsthe claim to the witness which will receive two differentlocation claims for the same node ID if the adversary hasreplicated a node One problem can occur that the adversarycan also employ the function to know about the witness for agiven claimer ID andmay locate and compromise thewitnessnode before the adversary inserts the replicas into the WSNso as to evade the detection

222 Distributed Detection of Node Replication Attacks inSensor Networks Both RM and LSM fall into the categoryof witness node-based techniques Parno et al [28] haveintroduced twomore distributed algorithms for the detectionof clone nodes in wireless sensor networks which are quitemature schemes as compared to DM The first protocol iscalled randomizedmulticast (RM) which distributes locationclaims to a randomly selected set of witness nodes Thebirthday paradox [39] predicts that a collision will occur withhigh probability if the adversary attempts to replicate a nodeTheir second protocol line-selectedmulticast (LSM) exploitsthe routing topology of the network to select witnesses fora node location and utilizes geometric probability to detectreplicated nodes

In RM each node broadcasts a location claim to itsone-hop neighbors Then each neighbor selects randomlywitness nodes within its communication range and forwardsthe location claim with a probability to the nodes closest tochosen locations by using geographic routing At least onewitness node is likely to receive conflicting location claimsaccording to birthday paradox when replicated nodes exist inthe network In LSM themain objective is to reduce the com-munication costs and increase the probability of detectionBesides storing location claims in randomly selected witnessnodes the intermediate nodes for forwarding location claims

can also be witness nodes This seems like randomly drawinga line across the network and the intersection of two linesbecomes the evidence node of receiving conflicting locationclaims

223 A New Protocol for Securing Wireless Sensor Networksagainst Node ReplicationAttacks This technique falls into thecategory of generation- or group-based techniques Bekaraand Laurent-Maknavicius [40 41] have proposed a newprotocol for securing WSN against node replication attackby limiting the order of deployment using symmetric poly-nomial for pair-wise key establishment and defined group-based deploymentmodelTheir scheme requires sensors to bedeployed progressively in successive generations (or group)Each node belongs to a unique generation In their schemeonly newly deployed nodes are able to establish pairwise keyswith their neighbors and all nodes in the network know thenumber of the highest deployed generation Therefore theclone nodes will fail to establish pair-wise keys with theirneighbors since the clone nodes belong to an old deployedgeneration

224 A Randomized Efficient and Distributed Protocol forthe Detection of Node Replication Attacks in Wireless SensorNetworks This technique falls into the category of witnessnode-based techniques Conti et al have proposed a random-ized efficient and distributed protocol called RED [42 43]for the detection of node replication attack It is executed atfixed intervals of time and consists in two steps In first step arandom value 119903119886119899119889 is shared between all the nodes throughbase station The second step is called detection phase Inthe detection phase each node broadcasts its claim (ID andlocation) to its neighboring nodes Each neighbor node thathears a claim sends (with probability 119901) this claim to a setof 119892 pseudorandomly selected network locationsThe pseudorandom function takes as an input ID random number and119892 Every node in the path (from claiming node to the witnessdestination) forwards the message to its neighbor nearest tothe destination Hence the replicated nodes will be detectedin each detection phase When next time the RED executesthe witness nodes will be different since the random valuewhich is broadcasted by the BS is changed

225 Efficient Distributed Detection of Node ReplicationAttacks in Sensor Networks These techniques falls into thecategory of witness node-based techniques Zhu et al [44 45]have proposed two distributed protocols for detecting nodereplication attacks called single deterministic cell (SDC) andparallel multiple probabilistic cells (P-MPC) In both proto-cols the whole sensor network is divided into cells to form ageographic grid In SDC each node ID is uniquely mappedto one of the cells in the grid When executing detectionprocedure each node broadcasts a location claim to itsneighbors Then each neighbor forwards the location claimwith a probability to a unique cell by executing a geographichash function [46] with the input of node ID Once anynode in the destination cell receives the location claim itfloods the location claim to the entire cell Each node in the


destination cell stores the location claim with a probabilityTherefore the clone nodes will be detected with a certainprobability since the location claims of clone nodes will beforwarded to the same cell Like SDC in the P-MPC schemea geographic hash function [46] is employed to map nodeidentity to the destination cells However instead of mappingto single deterministic cell in P-MPC the location claim ismapped and forwarded to multiple deterministic cells withvarious probabilities The rest of the procedure is similar toSDC

226 (Space-Time)-Related Pairwise Key PredistributionScheme for Wireless Sensor Networks This technique fallsinto the category of base station-based techniques Fei et al[47] have proposed a polynomial based space-time-relatedpairwise key predistribution scheme (PSPP-PKPS for shortPSPP) for wireless sensor networks which relates the keyingmaterial of a node with its deployment time and locationIn PSPP the keying material of a node can only work at itsinitial deployment location If a node leaves its deploymentlocation its keying material will become invalid By usingthis idea their scheme provides resistance against the cloneattack

227 A Neighbor-Based Detection Scheme for Wireless SensorNetworks against Node Replication Attacks This techniquefalls into the category of neighborhood-based techniques Koet al [48] have proposed a real time neighbor-based detectionscheme (NBDS) for node replication attack in wireless sensornetworksThemain idea of their scheme is thatwhen a personmoves to another community he will meet new neighborsand tell his new neighbors where he comes from throughchatting But new neighbors will not check if he lies or notHowever if some of his new neighbors ask his previousneighbors whether this newcomer really comes from thecommunity that he claims the identity of the newcomercan be implicitly verified If previous neighbors say that thisperson still lives in the original neighborhood the newcomercan be detected as a replica This observation motivates theirresearch on node replication attacks and replicas are detectedin the same way

228 Distributed Detection of Node Capture Attacks in Wire-less Sensor Networks This technique falls into the categoryof base station-based techniques Ho [49] has proposed anode capture detection scheme for wireless sensor networksTheir scheme detects the captured sensor nodes by usingthe sequential analysis They use the fact that the physicallycaptured nodes are not present in the network during theperiod from the captured time to the redeployment timeAccordingly captured nodes would not participate in anynetwork operations during that period By leveraging thisintuition the captured nodes can be detected by using thesequential probability ratio test (SPRT) [50] The protocolfirst measures the absence time period of a sensor node andthen compares it to a predefined threshold If it is more thanthreshold value the sensor node is considered as a capturednodeThe efficient node capture detection capability dependson a properly configured threshold value

229 Memory Efficient Protocols for Detecting Node Replica-tion Attacks in Wireless Sensor Networks These techniquesfall into the category of witness node-based techniquesZhang et al [3] have proposed four memory efficient mul-ticast protocols for replication detection namely memoryefficient multicast with Bloom filters (B-MEM) memoryefficient multicast with Bloom filters and Cell Forwarding(BC-MEM) memory efficient multicast with cross forward-ing (C-MEM) and memory efficient multicast with crossand cell forwarding (CC-MEM) The first protocol B-MEMuse Bloom filters to compress the information stored at thesensors and the location claim C120572 of a node 120572 is multicastvia its neighbors to a number of randomly selected locationsin the network Each neighbor 120573 has a probability 119901 toparticipate in the multicast If it does it becomes a witnessnode and sends C120572 to a random location in the networkThenode closest to that location will be another witness node wto store C120572 The watcher nodes on the routing path 119875 from 120573

to w only store the membership of ID120572 and l120572 in the Bloomfilters Such membership information can help them detectany conflicting location claim Crsquo120572 received later and guideCrsquo120572 along 119875 to either 120573 or 119908 which will then broadcast bothC120572 and Crsquo120572 to the entire network in order to revoke node 120572and its replicas

The second protocol BC-MEM is designed on top of B-MEM It adopts a cell forwarding technique that not onlysolves the crossover problem but also reduces the memoryoverhead The deployment area is divided into virtual cellsIn each cell an anchor point is assigned for every node in thenetwork The anchor point for a node 120572 is determined by 120572ID The node closest to the anchor point is called the anchornode for 120572 In B-MEM when a location claim is forwardedon a line segment all intermediate nodes on the line serveas watchers while the first node and the last node serve aswitnesses In contrast in BC-MEM a claim is not forwardedon the line segment It is forwarded to the anchor point inthe next cell where the line segment intersects The claim isforwarded from one anchor node to another until reachingthe last cell The anchor nodes in the intermediate cells arewatchers and the anchor nodes in the first and last cells arewitnesses

The third protocol C-MEM is designed on top of B-MEMIt incorporates a new cross forwarding technique to solvethe crowded center problem B-MEM stores the informationabout a location claim along randomly selected line segmentswhich are likely to pass the center area of the deployment Onthe other hand C-MEM first selects a random point (calledthe cross point) in the network and forwards the locationclaim to that point From there it forwards the claim along thehorizontal and vertical lines that pass the cross point Whilethe node closest to the cross point is a witness node the nodesalong the horizontal and vertical lines are watchers Since thecross points for all location claims are distributed uniformlyat random in the network it is no longer true that the linespass the center area more frequently C-MEM does not usecell forwarding

The fourth protocol CC-MEM combines cross forward-ing and cell forwarding to solve both the crowded centerproblem and the crossover problem such that it can detect


node replication attack with high probability and low over-head

2210 Active Detection of Node Replication Attacks Thistechnique falls into the category of base station-based tech-niques Melchor et al [51] have proposed a distributed proto-col for the detection of replication attack for wireless sensornetworks in which each node verifies at random a few othernodes in the networkThe proposed protocol does not build adistributed database of location claims that will contain localconflicting claims when replicas exist The idea is that eachnode will actively test if 1 k other randomnodes are replicatedor not they call them the scrutinized nodes In order to testwhether a scrutinized node 120572 is replicated or not 2 k nodesare randomly chosen in the network and asked to forward to120572 a request for a signed location claim If two replicas existeach will probably receive a request and if both answer twoconflicting claims will be obtained by the queerer

2211 Randomly Directed Exploration An Efficient NodeClone Detection Protocol in Wireless Sensor Networks (RDE)This technique falls into the category of witness node-basedtechniques Zhijun et al [52] have presented a novel clonenode detection protocol called randomly directed explo-rationThis protocol does not call for any unrealistic assump-tions Each node only needs to know its neighbor nodesDuring the detection procedure nodes issue claiming mes-sages containing neighbor list with a maximum hop limit torandomly selected neighbors The previous transmission of aclaiming message forms a direction and then the intermedi-ate node tries to follow the direction to forward the messageDuring forwardingmessages the intermediate nodes explorethe claiming messages for node clone detection In such asimple way the proposed protocol can efficiently detect clonenodes in the dense sensor networks In addition the protocolconsumes almost minimum memory during detection andcommunication payload is satisfactory It can scale to largeconfigurations They have implemented the protocol in theOMNet++ simulation framework

2212 Random-Walk-Based Approach to Detect Clone Attacksin Wireless Sensor Networks These two techniques fall intothe category of witness node-based techniques Zeng et al [4]have proposed two protocols RAndom WaLk (RAWL) andTable-assisted RAndom WaLk (TRAWL) for the detectionof clone attack in wireless sensor networks The RAndomWaLk (RAWL) starts several random walks randomly in thenetwork for each node a and then selects the passed nodesas the witness nodes of node a RAWL works in four stepsin each execution In the first step each node broadcastsa signed location claim In the second step each of thenode neighbors probabilistically forwards the claim to somerandomly selected nodes In the thirds step each randomlyselected node sends a message containing the claim to starta random walk in the network and the passed nodes areselected as witness nodes and will store the claim In thefourth step if any witness receives different location claimsfor same node ID it can use these claims to revoke thereplicated node

The second protocol Table-assisted RAndom WaLk(TRAWL) is based on RAWL and adds a trace table at eachnode to reduce memory cost Usually the memory cost isdue to the storage of location claims but in TRAWL eachnode only stores 119874(1) location claims (although the size ofthe trace table is still 119874(radic119899 log 119899) the size of a table entryis much smaller than the size of a location claim) When arandomly chosen node starts a random walk all the passednodes will still become witness nodes However now theydo not definitely store the location claim instead they storethe location claim independently with probability 119888

2radic119899 log 119899

where 1198882is a constant Also each witness node will create a

new entry in its trace table for recording the pass of a locationclaim

2213 CINORA Cell-Based Identification of Node ReplicationAttack in Wireless Sensor Networks GautamThakur [24] hasproposed two distributed methods for detecting node repli-cation attack based on intersecting sets called CINORA-Insetand restricted cell two-phase authentication model calledCINORA-Hybrid Initially the sensor network is divided intogeographical cells similar to the existing cellular networkHowever their approach does not deterministically map anodes identity to a cell In CINORA-Inset location claimsfrom the nodes are distributed among a subset of cellsto detect any replication These cells are generated from anonnull intersecting subset algorithmThe inherent propertyof this algorithm is for any two subsets119862

119894and119862

119895of total 1 le 119894

119895 le 119873 cells and 119862119894cap 119862119895= 0 Thus during the authentication

phase at least one cell receives conflicting location claimsif adversary has ever attempted to replicate a legitimatenode In CINORA-Hybrid a base station-based two-phaseauthentication scheme is used in which a sensor node has avalid residence entry permit for a cell If permitted and nodescurrent residing cell is different or two (or more) similarpermits are detected with different location claims then thatidentity node is removed from the network

2214 A Note-Based Randomized and Distributed Protocolfor Detecting Node Replication Attacks in Wireless Sensor Net-works This technique falls into the category of witness node-based techniques Meng et al [53] have proposed a note-based randomized and distributed protocol called NRDPfor detecting node replication attacks which introduces nosignificant overhead on the resource-constrained sensorsThis protocol does not need the geographic locations of nodesas well Three types of nodes are assumed in the networknamely a claimer node a reporter node and a witness nodeA node which broadcasts a claim message is a claimer nodeNeighbor node which forwards a claim message is a reporternode And the destination node of a claimmessage is awitnessnode This protocol works in two phases neighbor discoveryperiod and replication detection period In the beginningof NRDP it is a neighbor discovery period in which eachnode in the network broadcasts a message within its one-hopneighbors After neighbor discovery period each node in thenetwork gets a neighbor listThe replication detection periodstarts when the neighbor discovery period ends Replication


detect period consist of two steps The first step is calledrequest-note step and the second step is called send claimstep In request-note step node 120572 randomly chooses a node120574 from its neighbor list as its reporter node and then sendsa request-note message to the reporter node Upon receiving120572 request-note message node 120574 replies with a signature notemessage which contains a note The parameter time is freshtime of the note Nodes in the network use it to identify thevalidity of a note received in different iterations Note is anevidence to prove that the reporter node of a claimer node isexisting and valid In the send-claim step every node gener-ates a claim message which includes a signed subneighborlist and a note got from the corresponding reporter nodeThe parameter list in the claim message is an ID list whichconsists of q 120572rsquos neighbor node IDs And the reporter node 120574must be in the list Each node 120572 then broadcasts the claimmessage in one-hop neighbors When the reporter nodereceives corresponding claim message it first verifies thesignature and the time fresh of the note contained in the claimmessage Further the reporter node verifies that the list in theclaim message contains its ID If all the verifications succeedusing a pseudorandom function the reporter node calculates119892 witness nodes for the claimer node This function takes ininput the ID of the claimer node which is the first argumentof the claimmessage the current rand value and the number119892 of witness nodes that has to be generatedThewitness nodesof a certain node change in different iterations A trustedentity broadcasts a seed rand to the network before eachdetection iteration starts This prevents the adversary fromanticipating the witness nodes in a given protocol iterationThe reporter node analyzes the claimmessage then generatesa forwarded claim message and forwards the forwardedclaimmessage to all the119892witness nodesThe forwarded claimmessage just contains the subneighbor list signed by claimernode without note When a node receives a claim messageit first checks whether it is the corresponding reporter nodeIf it is the reporter node of the claimer node it checks thesignature the fresh of the note and the list in the claimmessage If it is not the reporter node with probability pcit does the checking jobs as the reporter node does It isnecessary for nonreporter node neighbors to do the checkingjobswith probability pcThis can prevent a claimer node fromspecifying a nonexisting neighbor node as its reporter nodeEach node in the network has to specify an actual neighbornode as its reporter node or it will be detected as a replicatednode by its neighbor nodes

Each witness node that receives a forwarded claim mes-sage verifies the signature and time fresh firstly Then itcompares the claim to each previously stored claim If it is thefirst time received claim contains ID120572 then it simply storesthe claim If a claim from ID120572 has been received the witnesschecks whether the claimed neighbor list is the same as thestored claim If a conflict is found the witness detects a nodereplication attack Then the witness triggers a revocationprocedure for ID120572 Actually because there is always onlyone reporter node for a claimer node if the claimer node isa valid node its corresponding witness nodes would neverreceive more than one forwarded claim message from theclaimer node Therefore once a witness node receives two

claims containing the same ID in one detection iteration itdetects a replication attackThe two signature claims becomeevidence to trigger the revocation of the replicated nodeThewitness node forwards both claims to the base station Thebase station will broadcast a signature message within thenetwork to revoke the replicated node

2215 Distributed Detection of Replication with DeploymentKnowledge in Wireless Sensor Networks This technique fallsinto the category of group-based techniques Ho et al [54]have proposed three group deployment knowledge-basedschemes for the detection of node replication attack inwireless sensor networks Their schemes are based on theassumption that nodes are deployed in groups By takingadvantage of group deployment knowledge the proposedschemes perform replica detection in a distributed efficientand secure manner The sensors can be preloaded with rele-vant knowledge about their own grouprsquos membership and allgroup locations Then the sensors in the same group shouldbe deployed at the same time in the location given to thatgroup The three proposed schemes are basic location claimand multigroup approaches The first scheme is the basicscheme in which each node only accepts the messages fromthe memberrsquos of their own group (trusted nodes) not fromother groups (untrusted nodes) It stops intercommunicationbetween groups An advantage of this basic scheme is lowcommunication and computational or memory overheadBut the problem that is even honest nodes suffer fromcommunication due to the fact that the deployment pointsare far away from their group The network becomes poorlyconnected and not suitable for high resilient applicationsTo solve this problem second scheme is proposed whichalso forwards messages from untrusted nodes as long as theyprovide provable evidence that they are not replicas but basedon only predetermined locations for replica detection Thesecond scheme achieves high replication detection capabilitywith less communication computational and storage over-heads as compared to the first scheme but there is a risk ofDoS by flooding fake claims

The third scheme protects against this kind of aggressiveadversary Every sensor node sends its neighborrsquos locationclaims to multiple groups rather than a single group Thisscheme has higher communication overhead It can provide atrade-off between the overhead and resilience to attack Thisscheme provides very strong resilience to node compromisesince attacker needs to compromise multiple groups of nodesto prevent replicas being undetected

2216 Distributed Detection of Node Replication AttackResilient to Many Compromised Nodes in Wireless Sensor Net-works This technique falls into the category of group-basedtechniques Sei andHoniden [55] have proposed a distributedprotocol for the detection of node replication attack that isresilient tomany compromised nodesTheirmethod does notneed any reliabletrusted entities To prevent an attacker fromlearning the location of a witness node of a compromisednode the protocol uses a one-time seed for each replicatednode detection process that is each node has the role of


starting a detection process and it is preloaded with theassigned turn number and seed for the turn

When node has a turn starting detection process it sendsthe seed and its ID with a signature Other nodes verify thesignature and execute the detection process if the verificationsucceedsThey divide nodes into groups to increase resiliencyto fault nodes and compromised nodes The role of thestarting detection process is not assigned to each node but toeach group If at least one node of a group survives the groupcan start the detection process during its turn An attackermust compromise the first node of a group which has thenext turn starting detection process if he wants to learn thelocation of the witness node in the next detection process

2217 A Resilient and Efficient Replication Attack DetectionScheme for Wireless Sensor Networks This technique fallsinto the category witness node-based techniques Kim et al[56] have presented a distributed deterministic approach todetect node replication attack Their scheme works in threesteps initialization witness node discovery phase and noderevocation phase In initialization phase before deploymenta base station (BS) associates a particular location coordinate(hereafter referred to as the verification point vp) with eachnode id using geographic hash function 119865 A vp is the targetlocation coordinate in the network where each sensor nodewill be verified and it can be predetermined by a networkoperator to a certain extent with experience In witnessnode discovery phase the replicas with the same id butdifferent deployment locations are detected through locationclaim message In the last phase of node revocation basestation BS floods the revocation node lists after checking outthe revocation request message received from the witnessnodes Once a BS receives this revocation request messageit checks whether the revocation request message is correctlyencrypted by witness node using a pair-wise key shared withwitness node If the key is correct a BS floods a list of replicanodes including reporter node through the network If thekey fails which means that an attacker sent the forged replicarevocation message the BS regards that reporter node hasbeen compromised

3 Comparison of Node Replica DetectionSchemes for Static WSNs

In this paper we have addressed an important attack onWSN referred to as node replication attack or clone nodeattack So far many techniques have been proposed to detectnode replication attack in static WSNs which are broadlycategorized into centralized and distributed techniques Wehave compared all the techniques according to their year ofpublication identifying their shortcomings

31 Centralized Techniques Centralized techniques are con-sidered to be the first solutions for detecting replicated nodeswhich are simple but suffer from several common drawbacksSome of the limitations of centralized techniques are found tobe fairly serious like the base stationwhich introduces a singlepoint of failure and any compromise of the base station will

render the solution useless also even if there are no attacksthe nodes surrounding the base station will suffer an unduecommunication burden which may shorten the lifetime ofa network and this approach also incurs an observableprocessing delay Consequently centralized detections havebarely an advantage over distributed detections making adistributed solution a necessity The asymptotic performanceof centralized techniques (including their memory andcommunication cost) is shown in Table 1 Localized votingprotocols are also considered as the first naıve solutions forthe detection of clone nodes which are unable to deal withdistributed node replication attacks in which replicas areplaced at least two hops away from each other In order todetect replicas which are spreading anywhere in the networka fully distributed solution is needed that also incurs smallmemory and energy overhead

In 2004 one of the first solutions for detecting replicatednodes was proposed by Dutertre et al outlined in [57] whichwas based on a centralized base station for node replicadetectionThis scheme was themost straightforward one anda naive solution that provided a low defense against nodereplication attacks suffering from several drawbacks as men-tioned before

In 2007 Brooks et al [32] proposed a clone detectionprotocol which was based on random pairwise key pre-distribution schemes and used to tackle with detection ofcloned cryptographic keys rather than clones sensor nodesThis solution seemed effective but only when the size of thekeys predistributed to each node is small and more clonesexist in the network thus implying poor detection accuracyMoreover it is assumed in the protocol that the connectionsbetween all nodes are possibly equal while practically inWSNs any sensor node can only communicate with a limitednumber of neighbors within a finite wireless communicationradius Another drawback of this solution is that it hasneglected to ensure that the participating clones report theirkeys honestly to the base station

Choi et al [23] proposed another centralized detectiontechnique named SET in 2007 which was an attempt toreduce the detection overhead by computing set operationsBut the message authentication codes used for additionalsecurity resulted in even higher detection cost in terms ofcomputation and communication Moreover SET protocolis highly complex due to its complicated components andunexpectedly an adversary can misuse the detection protocolto revoke honest nodes

Another centralized approach was proposed in 2008by Xing et al [34] which used social fingerprint for thedetection of clones but it was purely based on fixed WSNsand thus neither node addition nor disappearance can behandled Furthermore besides all the common limitations ofcentralized solutions it cannot handle a sophisticated replicawhich can cleverly compute by itself a fingerprint consistentwith its neighborhood in order to flee the detection at thesensor side A more intelligent replica can dodge and avoidthe detection at the base station simply by not communicatingwith the base station

The most recent solution for the detection of nodereplication attack or clones is a centralized technique given


Table 1 Asymptotic performance of centralized schemes

Type of scheme Techniquescheme Communication cost Memory costKey usage based Brooks et al scheme [32] 119874(119899 log 119899) mdash

Base station based SET [23] 119874(119899) 119874(119889)

CSI [38] 119874(119899 log 119899) mdashNeighborhood social signature based Xing et al scheme [34] C sdot (1 + ratio) 119874(119889) + min(119872 120596 sdot log

2119872)

Cluster head-based techniques Znaidi et al scheme [36] 119874(1199052) 119874(119905)

119899 no of nodes in the network 120596 the column weight in the superimposed 119904-disjunct code C message generated by sensor node d degree of neighboringnodesM the number of rows in the superimposed s-disjunct code ratio = log

2119872119871packet times 100 and 119871packet the bit-length of a regular message

by Yu et al [38] in 2012 They have used a novel concept ofcompressed sensing for the identification of clones in the sen-sor network This technique has the lowest communicationoverhead but it suffers from all the common drawbacks ofcentralized techniques as BS is responsible for the aggregationof the result (decision) about the identification of clones in thenetwork

Considering the limitations of centralized detectionschemes the researchers move to a distributed solution fordetecting clones and the first naıve solution that was pro-posed was called node-to-network broadcasting (N2NB)Although the scheme was simple it also suffered from highmemory and communication cost for large sensor networks

32 Distributed Techniques We have investigated a dozendistributed detection protocols by asymptotically comparingtheir communication and memory costs and they are shownin Table 2 As all the proposed solutions use different moti-vations and assumptions and thus have their respectivestrengths and weaknesses we cannot make any general ordefinite remarks that which solution is the best one

Distributed techniques for the detection of clone nodeattack are categorized into threemain classes namely witnessnode-based neighbor-based and generation-based or group-based techniques All the three categories have their ownpros and cons For neighbor-based technique [48] the neigh-boring nodes should be static and any addition or removalof nodes is not possible throughout the detection processbecause in doing so the detection process is affected severelyFor the generation- or group-based techniques [40 41 54 55]all the nodes are deployed in groups and no new node canbe added in a particular group Also nodes should havelocation or network information before node deploymentThese techniques only prevent the node replication attack butare unable to detect the clone nodes

The witness node-based techniques use a frameworkcalled claimer-reporter-witness framework in which a nodereferred to as claimer locally broadcasts it location claimto its neighbors Each neighbor serves as a reporter andemploys a function to map the claimer ID to a witness Theneighbor forwards the claim to the witness and if it receivestwo different location claims for the same nodded id then itmeans that the adversary has replicated a nodeThe adversarycan also employ a function to know about the witness for thegiven claimer ID and may also locate and compromise thewitness node before she inserts the replicas into the wirelesssensor networks in order to evade the detection

A relatively more mature distributed detection schemewas proposed in 2007 by Parno et al [28] known as deter-ministic multicast (DM) which was the first to use a frame-work called claimer-reporter-witness framework Althoughits design goal was to reduce communication cost it wastreated as an unfavorable protocol because of its severaldrawbacks Firstly it does not provide much security as anadversary only needs to compromise all the 119892 witnesses fora given claimer id deploying as many replicas as she desireswithout activating an alarm Secondly it does not work forlarge 119892 as both the network communication and the nodestorage are proportional to 119892 and with very small 119892 anadversary can produce unlimited replicas Considering DMas unappealing due to its deterministic property Parno et al[28] have proposed and developed two more techniques asimprovements of DM protocol namely randomized multi-cast (RM) and line selected multicast (LSM) The securitywas improved but at the price of increased communicationmemory costs In both of these protocols the problem liesin the selection of witness nodes (ie Probabilities) and alsoit is not always true that location claims of clone nodes arereceived to the same witness node Moreover both RMand LSM are unable to detect masked replication attack Todecrease the communication cost of RM protocol LSM wasdeveloped as a less expensive version of RM but it suffersfrom uneven distribution of witnesses nodes As majority ofwitness nodes are selected from the center of the networkthus the energy of these nodes is depleted soon and also theybecome the point of interest for the adversary

Zhu et al [44 45] proposed two techniques called singledeterministic cell (SDC) and parallel multiple probabilisticcells (P-MPC) in 2007 as the variations of DM Practicallyboth of these techniques depend upon the careful selectionof a cell size (s) because if the cell size is too large theyincur high communication cost like N2NB and if s is toosmall it will be very easy for an adversary to trounce them bycompromising all nodes in the 119892 deterministic tiny cells Animportant problem with SDC is that in order to reduce thebroadcast overhead it requires to execute the flooding onlywhen the first copy of a node location claim arrives at the celland the following copies are ignored In doing this the nodein the cell that first receives the location claim is unable todistinguish between claims of original node and replica node

Another attempt to detect clones was made by Contiet al [42 43] in 2007 who have proposed a randomizedefficient and distributed protocol named RED by combining


Table 2 Asymptotic performance of distributed schemes

Type of scheme Techniquescheme Communication cost Memory costNode-to-network broadcasting N2NB [28] 119874(119899

2) 119874(1)

Witness node

DM [28] 119874(119892 logradic119899119889) 119874(119892)

RM [28] 119874(1198992) 119874(radic119899)

LSM [28] 119874(119899radic119899) 119874(radic119899)

RED [42 43] 119874(119892 sdot 119901 sdot 119889119899radic119899) 119874(119892 sdot 119901 sdot 119889)

SDC [44 45] 119874(119903 sdot radic119899) + 119874(119904) 119874(120596)

P-MPC [44 45] 119874(119903 sdot radic119899) + 119874(119904) 119874(120596)

B-MEM [3] 119874(119896 sdot 119899 sdot radic119899) 119874(119905119896 + 1199051015840119896radic119899)

BC-MEM [3] mdash 119874(119905119896 + 1199051015840119896radic1198991015840)

C-MEM [3] mdash 119874(119905 + 1199051015840radic119899)

CC-MEM [3] mdash 119874(119905 + 1199051015840radic1198991015840)

Melchor et al [51] 119874(radic119899) 119874(119889)

RDE [52] 119874(119889 sdot 119899 sdot radic119899) 119874(119889)

RAWL [4] 119874(radic119899 log 119899) 119874(radic119899 log 119899)TRAWL [4] 119874(radic119899 log 119899) 119874(1)

2

Kim et al [56] 119874(radic119899) 119874(radic119899)

Generation or group based

Bekara and Laurent-Maknavicius [40 41] 119874(radic119899) 119874(1)

Basic scheme [54] 119874(119898) 119874(119898)

Location claim base scheme [54] 119874(119898 + 119889) 119874(119889 + 2119898)

Multigroup base scheme [54] 3 lowast 119874(119898 + 119889) 119874(119889 + 2 lowast 119898 (1 +119863max))

Sei and Honiden [55] 119874(119903) 119874(119903 sdot radic119899)

mdash Ho [49] 119874(119899radic119899) 119874(119899)

Neighborhood based NBDS [48] 119874(119903 sdot radic119899) 119874(119903)

119899 no of nodes in the network 119889 degree of neighboring nodes 119892 no of witness nodes 119903 communication radius s the number of sensors in a cell119901 probabilitythat neighboring node will forward the location claim 120596 the column weight in the superimposed 119904-disjunct code and 120585 distinct IDs from set of nodes asmonitor

the benefits of both DM and RMThis protocol is consideredto be the most promising detection protocol which hassolved the crowded center problem as the selection of witnessnodes is random and fully distributed Also RED [4] issuch an ldquoarea obliviousrdquo protocol that associates sensor nodeswith almost even responsibility and the selection of witnessnodes is pseudorandom which leads to a uniform witnessdistribution Besides these advantages the only drawback ofRED is the deterministic selection of witness nodes and thatthe infrastructure for distributing REDrsquos random seed maynot always be available RED is also unable to detect maskedreplication attack

Bekara et al [40 41] in 2007 proposed a solution forpreventingWSN from node replication attack which exploitsthe fact that excluding new nodes from joining the networkcan prevent replication attacks The main drawback of thisscheme is that the sensor nodes are bound to their groupsand geographic locations

In 2009 Zhang et al [3] have proposed four memoryefficient multicast protocols for the detection of replicatednodes namely Bloom filter MEM Bloom filters and cellforwarding MEM cross forwarding MEM and last is crossforwarding and cell forwarding MEM B-MEM is an exten-sion of LSM but it incurs additional memory consumptionper node and it may also lower the detection rate of LSMdue to false verifications (false positives of Bloom filters)

BC-MEM requires highly accurate localization due to itscell division and anchor node selection which may not beaffordable for current generation ofWSNs Also an adversarycan elude BC-MEM by compromising certain deterministicanchor nodes In case of both C-MEM and CC-MEM crossforwarding achieves high detection probability for convexdeployment field (particularly for rectangle-shaped deploy-ment field) but for other irregular topologies considered byLSM (like thin cross and large H) these two schemes maywork poorly by dropping the detection rate significantly

A simplified version of N2NB was proposed by Zhanget al [3] in 2009 known as randomly directed exploration(RDE) Its network communication overhead is reduced butstorage cost remains the same with N2NBThe detection rateis also decreased and may not be very significant even for aconvex deployment field concluding that RDE appears to befeasible only for an ideal network model

Another work in this area is done by Zeng et al [4] in2010 who have proposed two detection protocols namelyRAndom WaLk (RAWL) and Table-assisted RAndom WaLk(TRAWL) for the detection of node replication attack Bothof these protocols are an extension of LSM and thus sufferfrom the same drawbacks Although they have much higherdetection probability than LSM both RAWL and TRAWLrequire more than twice the communication overhead ofLSM


For an inclusive survey we have also analyzed some otherdistributed techniques which are neither very popular norhave promising results in detecting node replication attackThese techniques includeHo et al [54] proposed in 2009Kimet al [56] proposed in 2009 andMeng et al [53] proposed in2010

4 Detection Techniques for Mobile WSNs

Mobility has become an important area of research for WSNcommunity In mobile WSNs mobility plays a key role in theexecution of the application as the introduction of mobileentities can resolve someproblems andoffermany advantagesover the static WSNs The node replica detection techniquesdeveloped for static WSNs do not work when the nodes areexpected to move as in mobile WSNs and thus they haveturned out to be ineffective for mobile WSNs As a resultsome techniques (still not mature enough) have also beendeveloped for mobile WSNs to detect the replica or clonenodes These techniques are classified into two main classesas centralized and distributed and are described below

41 Centralized Techniques

411 Fast Detection of Replica Node Attack in Mobile Sensor

Networks Using Sequential Analysis Ho et al [58 59] haveproposed a mobile replica detection scheme based on thesequential probability ratio test (SPRT) [50]Their protocol isbased on the fact that an uncompromisedmobile node shouldnever move at speeds in excess of the system-configuredmaximum speed As a result an uncompromised (original)mobile sensor node measured speed will appear to be atmost the system-configuredmaximum speed as long as speedmeasurement system with low error rate is employed Onthe other hand replica nodes will appear to move muchfaster than original nodes and thus their measured speedswill likely be over the system-configured maximum speedbecause they need to be at two (or more) different placesat once Accordingly if it is observed that a mobile nodemeasured speed is over the system-configured maximumspeed it is then highly likely that at least two nodes with thesame identity are present in the network By leveraging thisintuition the SPRT is performed on every mobile node usinga null hypothesis that themobile node has not been replicatedand an alternate hypothesis that it has been replicatedIn using the SPRT the occurrence of a speed that eitherlessens or exceeds the system-configured maximum speedwill lead to acceptance of the null and alternate hypothesesrespectively Once the alternate hypothesis is accepted thereplica nodes will be revoked from the network

412 A New Protocol for the Detection of Node Replication

Attacks in Mobile Wireless Sensor Networks Deng and Xiong[60] have proposed a new protocol to detect the replicasin mobile WSNs They have used the idea of polynomial-based pair-wise key pre-distribution and BloomFilters whichinsure that the replicas can never lie about their real iden-tifiers and collect the number of pair-wise keys established

by each sensor node Replicas are detected by looking atwhether the number of pair-wise keys established by themexceeds the threshold The protocol works in three stepsnode initialization pair-wise establishment and detectionIn node initialization before nodes are deployed the keyserver randomly generates a bivariate symmetric polynomialover a finite field After deployment between nodes pairwisekeys are established Each node periodically constructs areport which includes its ID and counting Bloom filter (orcompressed counting Bloom filter) and sends it to the basestation At base station counting bloom filters collect thenumber of pairwise keys established by each node Nodeswhose number of pair-wise keys exceeds the threshold valueare considered to be the clones

42 Distributed Techniques

421 Mobile Sensor Networks Resilient against Node

Replication Attacks Chia et al [61] proposed a novel protocolcalled extremely efficient detection (XED) against nodereplication attack inmobile sensor networksThe idea behindXED is motivated from the observation that for the networkswithout replicas if a sensor node 119904

119894meets the other sensor

node 119904119895at earlier time and 119904

119894sends a random number 119903 to 119904

119895

at that time then when 119904119894and 119904119895meet again 119904

119894can ascertain

whether this is the node 119904119895met before by requesting the

random number 119903 Based on this observation a ldquorememberand challenge strategyrdquo is proposed Once two sensor nodes119904119894and 119904119895 are within the communication ranges of each other

they first respectively generate random numbers 119903119904119894rarr 119904119895

and 119903119904119895rarr 119904119894of 119887 bits and then they exchange their generated

random numbers They also use a table to record the nodeID the generated random number and the received randomnumber in their respective memory In case the pair of twonodesmet before the above procedure is also performed suchthat the random number stored in the memory is replaced bythe newly received random number Consider the exampleshown in Figure 4 in which the sensor node 119904

119894meets another

sensor node 119904119895 If 119904119894never meets 119904

119895before they exchange

random numbers Otherwise the sensor node 119904119894requests the

sensor node 119904119895for the random number 119903119904

119894rarr 119904119895exchanged

at easier time For the sensor node 119904119894 if the sensor node 119904

119895

cannot replies or reply a number which does not match thenumber in 119904

119894memory 119904

119894announces the detection of a replica

When the replicas meet the genuine nodes the replicas canalways pretend that they meet for the first time However ifthe genuine nodes have a record showing that they ever metat earlier time the replicas are also detected

422 Efficient and Distributed Detection of Node Replication

Attacks in Mobile Sensor Networks Chia et al [62] proposedan efficient and distributed detection (EDD) scheme and itsvariant storage-efficient EDD (SEDD) scheme to detect thenode replication attack The idea behind EDD and SEDD ismotivated from the following observations For a networkwithout replicas the number of times1205831 inwhich the nodeuencounters a specific node V should be limited in a given time


119904119895 119904119895

1199041198941199041198942

2

119905 = 1199051

Generate a random number119903 = 2 and a record (119904119894 2)

119905 = 1199052

Check its own record anddiscover that the received

number matches the record

119904119895 accepts 119904119894 asits neighbor

Figure 4 The operations between two genuine nodes in XED attime 119905

1and 1199052(gray and black nodes are genuine) [61]

interval of length 119879with high probability For a network withtwo replicas V the number of times1205832 inwhich119906 encountersthe replicas with the same ID V should be larger than athreshold within the time interval of length 119879 According tothese observations if each node can discriminate betweenthese two cases each node has the ability to identify thereplicas The EDD scheme is composed of two steps offlinestep and online step The offline step is performed by thenetwork planner before the sensor deployment The goal isto calculate the parameters including the length 119879 of thetime interval and the threshold 120595 used for discriminationbetween the genuine nodes and the replicas On the otherhand the online step will be performed by each node permove Each node checks whether the encountered nodes arereplicas by comparing 120595 with the number of encounters atthe end of a time interval It can be observed from EDDthat each node should maintain a list 119871 leading to 119874(119899)

storage overhead A storage-efficient EDD (SEDD) schemeis proposed based on the tradeoff between storage overheadand time interval length The basic idea behind SEDD is thatinstead of monitoring all nodes each node only monitors asubset of nodes calledmonitor set in a specific time intervalWhen the cardinality of the monitor set is selected as 120585the simplest way for each node to select the nodes to bemonitored at the beginning of a time interval is to randomlypick 120585 distinct IDs from 1 119899 Since the storage overheadis equal to the number of nodes being monitored the storageoverhead is reduced to the cardinality of the monitor set119874(120585) in the SEDD scheme

423 Patrol Detection for Replica Attacks on Wireless Sensor

Networks Wang and Shi [63] have employed mobile nodesas patrollers to detect replicas distributed in different zonesin a network in which a basic patrol detection protocol andtwo detection algorithms for stationary and mobile modesare presented The detection of replicas in stationary sensorsis based on the assumptions that if two or more sensors indifferent locations have the same ID then all the nodes withthe ID will be regarded as compromised nodes or its replicasAlso for mobile sensors (patroller) if a mobile node moveswith a speed higher than the denoted maximum speed it willbe regarded as a replica attack In the replica detection ofstatic sensor nodes when a mobile patrol node moves to anew zone it first discovers its location and then broadcasts

its patrol claim Each node will be patrolled by at least twomobile nodes After receiving the location messages thestationary node takes the mobile nodes who patrolled himas the anchor nodes and will send the patrol node its locationclaim After collecting the answer message patrol node willcheck the location of node and if the distance is larger thanthe signal range it ignores the wrong message Otherwise itwill check the ID of the answer message by using the securityassumption ldquoA legitimate ID only has one locationrdquo Thenit saves the answer from the original node (benign node)in a whitelist saves the replica node ID in a blacklist andrevokes the replica ID by refusing to distribute secretmaterialand broadcasting its two answer messages to other mobilesnodes Then patrol node will move to another location tosend his patrol claim in another interval After a round itcollects all the saved information of the white- and blackliststo the user when collecting the sensing data If the replicas aredeployed in a zone where a patrol node collects their answermessage in a patrol interval then the patroller can revokethem immediately after he receives the second answer andthe distance between the two locations exceeds Else if thereplicasrsquo answers are collected by different patrol nodes thentheywill be found by the base station or by exchangemessagesof patrollers after a round If the adversary compromisesand replicates the patrol node firstly an original mobilepatroller will wait for the answer message after he reachesa new position and sends his claim in time 119879 so there is astatic period interval after the patrol broadcasts his claimAccordingly if the patroller node moves and changes itsposition in time (119879 119879 + interval) then it is highly likely thatat least two nodes with the same identity are present in thenetwork Further the mobile patroller should never movefaster than the system-configured maximum speed 119881max

424 Single-Hop Detection of Node Clone Attacks in Mobile

Wireless Sensor Networks Lou et al [64] have proposed anode clone attack detection protocol namely the single hopdetection (SHP) for mobile wireless sensor networks TheSHD protocol exploits the fact that at any time a physicalnode (or equivalently its node ID and private key) cannotappear at different neighborhood community otherwisethere must be replicas in the network The neighborhoodcommunity of a node is characterized by its one-hop neigh-bor node list which is readily available in a typicalWSN sincesensor nodes need to know their neighbors in order to com-municate with each other The SHD protocol consists of twophases the fingerprint claim and the fingerprint verificationphases In the fingerprint claimphase each node is required tosign its neighbor node list The signed neighbor node list is afingerprint of its current neighborhood community hereafterreferred to as fingerprint claim The fingerprint claim isbroadcasted in one-hop neighborhood Upon reception of afingerprint claim from a neighboring claim node the receivernode will decide whether to become a witness node of theclaim node When it decides to become a witness nodethe node will then verify the fingerprint claim and finallystore the fingerprint claims of the witnessed nodes locally ifthe claim passed the verification process In the fingerprint


verification phase when twonodesmeetwith each other theyexchange their witnessed node lists and this can be done bypiggybacking the witnessed node list in the two nodes andthen checking for a possible fingerprint claim conflict withreceived claims In a fingerprint claim conflict there are twofingerprint claims with the same ID and private key claimingtwo different neighborhood communities which implies twodetected replicas

425 Detecting Node Replication Attacks in Mobile Sensor

Networks Theory and Approaches Zhu et al [65] haveproposed two replica detection algorithms for mobile sensornetworks First algorithm is a token-based authenticationscheme proposed for the detection of replication attack inwhich the replicas do not cooperate (nonconspiring case) Forthe case in which the replicas cooperate by communicatingwith each other in an efficient manner a detection methodis proposed which is based on statistics and the randomencounters between physical nodes In the first algorithmthe base station periodically broadcasts to the entire sensingregion a timestamp protected by a broadcast authenticationprotocol The broadcast announces the beginning of a detec-tion round Upon hearing the timestamp a genuine mobilenode randomly selects a secret seed 119904

119894isin 0 1

119897 where 119897 isa common security parameter and empties its local storageof the previously received tokens The detection consists ofa token exchange phase and a mutual authentication phaseWhen a mobile node first meets with another mobile nodein the detection round they will exchange a token with eachother and will record the tokens in their memories Whenthese mobile nodes meet again in the same detection roundeach will ask the other for the previously exchanged tokenUpon receiving the correct reply each believes that the otheris authenticated Otherwise in case of replica when genuinenode asks a replica node (to whom it met before) about thetoken they have exchanged in their first meeting the replicanode will reply in no or with a wrong token which will markhim as replica

The second algorithm is a statistics-based detectionscheme for detecting replicas that cooperate with each othersThis idea is partially inspired by [66] whose detectionprinciple is that if a node is not ldquoseen againrdquo by others it islikely that the node has been captured Similarly herein theprinciple is that if in a certain detection round a node is ldquoseenagainrdquo too many times by others it is likely that the node is areplica Every genuine node contains a step counter ldquo119879rdquo andalso its ldquoacquaintance listrdquo consisting of 119899 Boolean variablesEach time a mobile node meets another mobile node itincreases the counter 119879 by 1 If this is its first meeting withany mobile node it treats it as an acquaintance and sets thecorresponding bit in the list to 1 Once the acquaintance listcontains all 1rsquos the statistics stops In the nondetection stageeach node reports its numbers of meetings with others whendropping by the base stationThe base station is employed forcentralized analysis Finally the node with more encountersis detected as replica and base station finally broadcasts theentire network for replicated IDs

426 Emergent Properties Detection of the Node Capture

Attack in Mobile Wireless Sensor Networks Conti et al [66]have proposed two algorithms for the detection of nodecapture attack in mobile wireless sensor networks Their firstalgorithm is simple distributed detection (SDD) in which theattack is detected using only information local to the nodesThe second algorithm is called cooperative distributed detec-tion (CDD) which exploits node collaboration to improvethe detection performance Both of the proposed algorithmsare based on the simple observations that if node a will notremeet node b within a certain period of time then it ispossible that node b has been captured Hence node a canautonomously know the probability that a ldquonot yet remetrdquonode has been actually captured by the adversary The SDDfollows the above simple observation that each node 119886 is giventhe task of tracking a specific set 119879

119886of other nodes For each

node 119887 isin 119879119886that a gets into the communication range of a

set the correspondingmeeting time to the value of its internalclock and start the corresponding timeout that will expireafter 120582 seconds If the time-out expires (ie 119886 and 119887 did notremeet) the network is flooded with an alarm triggered bynode 119886 to revoke node 119887 In CDD networkmobility and nodecooperation are leveraged to improve node capture detectionWhen two nodes 119886 and 119887 exchange information about thenodes (if any) that are tracked by both 119886 and 119887 that is thenodes in 119879

119886119879119887 the node exchanges information only when

cooperating nodes are in the same communication radiusThis shared information is further used for node capture

427 Mobility-Assisted Detection of the Replication in Mobile

Wireless Sensor Networks Deng et al [67] have proposedtwo schemes for the detection of node replication attack inmobile wireless sensor networks The first is called unarytime location storage and exchange (UTLSE) and secondis called multitime location storage and diffusion (MTLSD)In both protocols after receiving the time-location claimswitnesses carry these claims around the network instead oftransmitting them That means that data are forwarded onlywhen appropriate witnesses encounter each other Only iftwo nodes encounter each other they exchange their time-location claims that is if a tracer receives a time locationclaim from its tracked neighbor node it does not immediatelytransmit this time-location claim to the witness if the witnessis not currently within its communication range but storesthat location claim until encountering the witness UTLSEdetects the replicas by each of the two encountered witnesseswhich stores only one time-location claim On the otherhand MTLSD stores more time-location claims for eachtracked node and introduces time-location claims diffusionamong witnesses The detection probability of the MTLSDprotocol is greater than the probability of protocol UTLSE

5 Comparison of Node Replica DetectionSchemes for Mobile WSNs

Mobile wireless sensor networks (MWSNs) are still in theirinfancy and there are many challenges in MWSNs that are


still needed to be resolved These challenges include deploy-ment localization self-organization navigation and controlcoverage energy maintenance and data process [26] In caseof localization node position can be determined once dur-ing initialization when sensor nodes are deployed statically[68] However when sensor nodes are mobile they mustcontinuously obtain their positions as they navigate throughthe whole sensing region As a result in mobile WSNslocalization requires additional time and energy and also theavailability of a rapid localization service Due to the dynamicnetwork topology of mobile WSNs they cannot rely onrouting tables or recent route histories as static WSNs dofor passing messages through the network because table databecome outdated quickly thus route discovery data mustrepeatedly be performed extensively in terms of power timeand bandwidth

Ho et al [58 59] have proposed a centralized detectionscheme for mobile WSNs in which accurate measurement isa prerequisite for acceptable false-negative and -positive ratesIn result it requires dynamic and precise localization systemand a tight time synchronization which are both nontrivialtasks Also better and accurate sampling entails even muchmore expensive equipment (GPS) and thusmay not be afford-able for the current generation ofWSNs Another centralizeddetection technique is proposed by Deng and Xiong [60]in which there is no way to ensure the participating clonenode will report their keys honestly to the base station Itis possible that an original node number of pairwise keysexceed the threshold value due to its communication Alsoas the effectiveness of both the above centralized detectiontechniques relies on the involvement of the base stationthis easily incurs the problems of single-point failure andfast energy depletion of the sensor nodes around the basestation

Yu et al [61] have proposed distributed detection tech-nique called extremely efficient detection technique (XED)in which the authors have assumed that the replicas cannotcommunicate and collaborate (or cooperate) with each otherwhich is theweakness of this schemebecause in casewhen thereplicas cooperate with each other they can establish secretchannels among each other and then they can easily deceivethe detection technique Efficient and distributed detection(EDD) is another distributed detection technique for mobileWSNs proposed by Yu et al [62] which is inapplicable due tohigh storage overhead for large-scale WSNs

Zhu et al [65] have proposed a token-based detectiontechnique which fails when a smart attacker establishes secretchannels among replicas as by doing this replicas can sharethe tokens and make the protocol exist in name only

Conti et al [66] have proposed two solutions namelySDD and CDD for the detection of node capture Theirapproach is based on a simple observation which completelyassumes that there is no membership change in the networkfor example at least no nodes die out (meaning run out ofpower) which is not the case in reality Also it is assumedimplicitly that any senor node is able to flood the entiremobileWSN with a broadcast message which is also not pos-sible in reality

An asymptotic comparison of all the detection schemesfor mobile WSNs is shown in Table 3 where their communi-cation and memory costs are compared As all the proposedsolutions use different motivations and assumptions and thushave their respective strengths and weaknesses we cannotmake any general or definite remarks that which solution isthe best one

6 Discussion

Node replication attack or clone attack is one of the mostharmful and dangerous threat to an unattended wirelesssensor network because in this attack an adversary not onlycompromises the sensor nodes but can also carry out a largeclass of internal attacks for instance DoS attack Sybil attackand Black hole and wormhole attack by surreptitiouslyinserting arbitrary number of replicas at strategic positionsof the network Furthermore this is more niggling and trou-blesome because these replicated nodes under the controlof an adversary having all the keying materials pretendas authorized users in the network and thus deceiving thenetwork into accepting them as legitimate nodes It is difficultto identify replicas because of two major reasons First sincea clone or replica is considered to be completely honest byits neighbors the legitimate nodes cannot be aware of thefact that they have a clone among them Voting mechanisms[33 69] remain unsuccessful to detect clone nodes that arenot within the same neighborhood as a voting mechanismis used to detect misbehaving nodes and clones within theneighborhood to agree on the legitimacy of a given nodeThus there is a need for global countermeasure that candetect clones on the global level Second the general purposesecurity protocols for secure sensor network communicationwould allow replica nodes to create pair-wise shared keyswithother nodes and the base station and thus in doing so thereplica nodes are able to encrypt decrypt and authenticate allof their communications as if they were the original capturednodes

The process or stages of node replication attack canbe described in the form of a flow chart as shown inFigure 5 The flow chart concisely describes the instigationof node replication attack and its detection from physicalnode capture extraction of secret credentials cloning andredeployment and finally the detection and prevention ofnode replication attack At Stage 1 an adversary physicallycaptures a sensor node After physical capture the sensornode remains absent from the network for a specific periodof time If this absence of a sensor node is detected or atamper-proof hardware is used the attack will be preventedOtherwise an attacker or an adversary starts extracting allthe secret materials of the captured node at Stage 2 At Stage3 an adversary reprograms the captured node If an adversaryis unable to use a new hardware it can compromise thenode and then exploits the compromised node to disrupt thenetwork operations by its misbehaving activities At Stage 4an adversary makes clones or replicas of the captured nodesby using new hardware and these replicas have the same IDand all other keying materials as that of the captured nodeAfter making clones or replicas an adversary redeploys them


Table 3 Asymptotic performance of schemes against clone node attack in mobile sensor networks

Nature of scheme Type of scheme Techniquescheme Communication cost Memory cost

Centralized Node speed based Ho et al scheme [58 59] 119874(119899radic119899) 119874(119899)

Key usage based Deng and Xiong scheme [60] 119874(119899 log 119899) mdash

Distributed

Information exchange based XED [61] 119874(1) 119874(4 sdot 119889 sdot 119864[119883])

Node meeting based EDD [62] 119874(1) 119874(119899)

SEDD [62] 119874(119899) 119874(120585)

Mobility assisted based

Wang and Shi scheme with Base Station [63] 119874(119899) mdashWang and Shi scheme with out Base Station [63] 119874(119899 lowast radic119896) mdash

UTLSE [67] 119874(119899) 119874(radic119899)

MTLSD [67] 119874(119899) 119874(radic119899)

119899 no of nodes in the network 120585 distinct IDs from set of nodes as monitor 119889 degree of neighboring nodes and 119896 total number of zones

at strategic positions of the network for further insider attacksat Stage 5 Finally these replicas or clones can be detected byusing various detection schemes

Since clone nodes carry all the cryptographic and keyingmaterials all the traditional authentication and intrusiondetection techniques are ineffective to discover and detectthese clones or replicas in the network Keeping this in mindmany techniques have been proposed for the detection ofnode replication attack and recall that these are broadly cat-egorized into centralized and distributed techniques Somefairly serious limitations of centralized technique like the basestation introduces a single point of failure and any compro-mise of the base station will make the solution useless thusmaking distributed solutions a necessity One important classof distributed techniques is witness node-based techniqueswhich are considered to themost favorable techniques yet fordetecting clone nodes But according to Zeng et al [4] replicadetection protocols must be non-deterministic and fullydistributed in order to circumvent the existing drawbacks ofwitness-based strategies The witness node-based strategiesought to fulfill three requirements to have a high probabilityof detecting clones or replicas Firstly the selection ofwitness-nodes should be nondeterministic as it is more difficult foran adversary to launch clone attacks in nondeterministicprotocols successfully because the witnesses of node are notknown and are different in each execution of the protocolSecondly for any given node all the nodes should have anequal probability to be the witnesses of that node during thelifetime of the network Thirdly the witness-nodes should beselected from all over the network randomly and not fromparticular area of the network every time meaning that thewitness distribution should be uniform throughout the entirenetwork

There are two types of attacks which are the variations ofnode replication attack and can be launched by an adversaryagainst witness node-based schemes These are named assmart attack and masked replication attack Smart attack isa special witness compromising attack and in this attack anadversary avariciously chooses which sensor to corrupt inorder to maximize its chance for its replicas to go undetectedThe adversary finds out the witness nodes which are used todetect replicas and only compromises these witness nodes

to avoid detection The witness node-based techniques usea framework called claimer-reporter-witness framework inwhich a node referred to as claimer locally broadcasts itlocation claim to its neighbors Each neighbor serves as areporter and employs a function to map the claimer ID toa witness The neighbor forwards the claim to the witnessand if it receives two different location claims for the samenode ID then it means that the adversary has replicated anode The adversary can also employ a function to knowabout the witness for the given claimer ID and may alsolocate and compromise the witness node before she insertsthe replicas into the wireless sensor network in order to evadethe detection Inmasked replication attack the adversarymayturn to compromise all the neighbors of a replica so as toprevent a location claim from propagating to any witnessthus eliminating the reporters at all This attack makes itpossible for such a replica whose neighbors have all beencompromised to lie about its physical position So far all thewitness node-based techniques have assumed a static WSNand are seemed to be the most promising schemes till yetto detect replicas or clones in static WSN but alas thesewitness node-based schemes and location-based replicationdetection schemes are unable to detect and counter thesetypes of replication attacks

Nowadays mobility has become an important area ofresearch for WSN community In mobile WSNs mobilityplays a key role in the execution of the application [68] asthe integration of mobility inWSN can improve the coverageand utility of the sensor network deployment and enablesmore versatile sensing applications as well However besidesthat the introduction of mobile entities (which freely roam inthe network and are autonomous as being able to repositionand organize themselves in the network) can resolve someproblems by offering many advantages over the static WSNsthe unique properties of mobile WSNs and the dynamicmobile network topology pose many new challenges in thesecurity of mobile WSNs The idea of detecting clone nodesin static WSNs is extensively based on the elitism of the nodelocation meaning that a sensor node should be allied to aunique deployment position and if one logical node id isfound to be associated with two or more physical locationsthe node replication is detected But noticeably this is not


Stage-1 Physically capture sensor node

Stage-2

Stage-3

Extract information

from captured node

Yes

Yes

Extract all the secretinformation (ID key etc)

Compromise capturednode

Stage-4Make replicas of the

captured node

Stage-5 Deploy the replicas

The adversary deploy these replica node into different parts ofnetwork to monitor or perform further insider attacks

Stage-6 Detect the replicas Use techniques to counterreplica nodes

The node will be absent for some time

Yes

No

No

No

New hardwareused

Hardware is tamperresistant

Reprogram the capturednode

Prevent clone attack

from the network

Misbehave and disturbthe network working

Other techniques usedto counter misbehaving

nodesLoad ID and cryptographic info into replica node

Detect the absence

Figure 5 Stages of node replication attack in wireless sensor networks

applicable to the emerging mobile WSNs where the sensornodes are moving freely all the time in the network Thusa little work (which includes significantly different scenariosand techniques) has been done so far to deal with replicas orclones in mobile WSNs

InmobileWSNs the adversary is alsomobile In the liter-ature the assumed scenario ofmobileWSN is that the sensorsare unable to transmit sensed data at their will becausethe sink is not always present Thus the data accumulatedin their memories become targets of many adversaries In


[30] a mobile adversary model is proposed in which mobileadversary visits and travels around the network trying tocompromise a subset of sensors within the time intervalwhen sinks are not present in the network The time takenby a mobile adversary to compromise a set of sensors ismuch shorter than the time between two successive datacollections of a sinkThus it ismuch difficult to snatchmobilecompromised nodes as well as mobile clones

Another challenge arises in mobile WSNs when a mobileadversary adopts amore sophisticated strategy named ldquogroupmobility strategyrdquo In this stratagem the replicas form aphysically close group which always moves together but onlya representative of them communicates with the genuinenodes whereas the rest of the replicas remain inactive asldquosilent learnersrdquo so that they can learn (from encounters withgenuine nodes) about any received token or correspondingmeeting instant Once the replicas have met all the ldquo119899rdquo gen-uine nodes (and thus acquired all the necessary knowledgeto pass later authentications) they can scatter in the sensingregion and each behaves actively and independently until thenext detection round starts

Also when themobile replicas communicate and collabo-rate with each other and share their keys or randomnumbersthey can make the detection technique fails to thwart themeasily Thus mobile WSNs offer much more challenges indetectingmobile replicas and it is highly needed to overcomethese challenges by developing some new different and moreefficient detection techniques for detectingmobile replicas orclones

7 Conclusion

This paper reviewed the state-of-the-art schemes for detec-tion of node replication attack also called clone attack Theexisting techniques are broadly categorized into two classesdistributed and centralized Both classes of schemes areproficient in detecting and preventing clone attacks but bothschemes also have some noteworthy drawbacks However tosum up the current study highlights the fact that there arestill a lot of challenges and issues in clone detection schemesthat need to be resolved to become more applicable to real-life situations and also to become accepted by the resourceconstrained sensor node

Acknowledgment

The authors wish to acknowledge the anonymous reviewersfor their valuable comments for the improvement of thispaper

References

[1] T Bonaci P Lee L Bushnell and R Poovendran ldquoDistributedclone detection in wireless sensor networks an optimiza-tion approachrdquo in Proceedings of the 2nd IEEE InternationalWorkshop on Data Security and Privacy in Wireless Networks(WoWMoM rsquo11) Lucca Italy June 2011

[2] W T Zhu J Zhou R H Deng and F Bao ldquoDetecting nodereplication attacks in wireless sensor networks a surveyrdquo Jour-nal of Network and Computer Applications vol 35 no 3 pp1022ndash1034 2012

[3] M Zhang V Khanapure S Chen and X Xiao ldquoMemoryefficient protocols for detecting node replication attacks inwireless sensor networksrdquo in Proceedings of the 17th IEEE Inter-national Conference on Network Protocols (ICNP rsquo09) pp 284ndash293 Princeton NJ USA October 2009

[4] Y Zeng J Cao S Zhang S Guo and L Xie ldquoRandom walkbased approach to detect clone attacks in wireless sensor net-worksrdquo IEEE Journal on Selected Areas in Communications vol28 no 5 pp 677ndash691 2010

[5] R Di Pietro L V Mancini C Soriente A Spognardi and GTsudik ldquoData security in unattended wireless sensor networksrdquoIEEE Transactions on Computers vol 58 no 11 pp 1500ndash15112009

[6] C Karlof and D Wagner ldquoSecure routing in wireless sensornetworks attacks and countermeasuresrdquo inProceedings of the 1stIEEE International Workshop on Sensor Network Protocols andApplications May 2003

[7] B Parno M Luk E Gaustad and A Perrig ldquoSecure sensornetwork routing a cleanslate approachrdquo in Proceedings of theACM CoNEXT Conference (CoNEXT rsquo06) December 2006

[8] F Ye H Luo S Lu and L Zhang ldquoStatistical en-route filteringof injected false data in sensor networksrdquo in Proceedings of theIEEE INFOCOM 2004

[9] L Yu and J Li ldquoGrouping based resilient statistical en-routefiltering for sensor networksrdquo in Proceedings of the IEEEINFOCOM 2009

[10] S Zhu S Setia S Jajodia and P Ning ldquoAn interleaved hop-by-hop authentication scheme for filtering of injected false datain sensor networksrdquo in Proceedings of the IEEE Symposium onSecurity and Privacy pp 259ndash271 May 2004

[11] H Chan A Perrig and D Song ldquoSecure hierarchical in-network aggregation in sensor networksrdquo in Proceedings ofthe13th ACM Conference on Computer and CommunicationsSecurity (CCS rsquo06) pp 278ndash287 November 2006

[12] J Deng R Han and SMishra ldquoSecurity support for in networkprocessing in wireless sensor networksrdquo in Proceedings of theACM Workshop on Security in Ad Hoc and Sensor Networks(SASN rsquo03) pp 83ndash93 2003

[13] B Przydatek D Song and A Perrig ldquoSIA secure informationaggregation in sensor networksrdquo in Proceedings of the 1st Inter-national Conference on Embedded Networked Sensor Systems(SenSys rsquo03) pp 255ndash265 November 2003

[14] Y Yang X Wang S Zhu and G Cao ldquoSDAP a secure hop-by-hop data aggregation protocol for sensor networksrdquo in Proceed-ings of the 7th ACM International Symposium onMobile Ad HocNetworking and Computing (MOBIHOC rsquo06) pp 356ndash367 May2006

[15] S Capkun and J P Hubaux ldquoSecure positioning in wirelessnetworksrdquo IEEE Journal on Selected Areas in Communicationsvol 24 no 2 pp 221ndash232 2006

[16] S Ganeriwal S Capkun C C Han and M B SrivastavaldquoSecure time synchronization service for sensor networksrdquo inProceedings of the ACM Workshop on Wireless Security (WiSersquo05) pp 97ndash106 September 2005

[17] X Hu T Park and K G Shin ldquoAttack tolerant time synchro-nization in wireless sensor networksrdquo in Proceedings of the 27thIEEE Conference on Computer Communications (INFOCOMrsquo08) pp 41ndash45 Phoenix Ariz USA April 2008

[18] Z Li W Trappe Y Zhang and B Nath ldquoRobust statisticalmethods for securing wireless localization in sensor networksrdquo


in Proceedings of the 4th International Symposium on Informa-tion Processing in Sensor Networks (IPSN rsquo05) pp 91ndash98 April2005

[19] D Liu P Ning andWDu ldquoAttack-resistant location estimationin sensor networksrdquo in Proceedings of the 4th InternationalSymposium on Information Processing in Sensor Networks (IPSNrsquo05) pp 99ndash106 April 2005

[20] H Song S Zhu and G Cao ldquoAttack resilient time synchroniza-tion for wireless sensor networksrdquo Ad Hoc Networks vol 5 no1 pp 112ndash125 2007

[21] K Sun P Ning C Wang A Liu and Y Zhou ldquoTinySeRSyncsecure and resilient time synchronization inwireless sensor net-worksrdquo in Proceedings of the 13th ACMConference on Computerand Communications Security (CCS rsquo06) pp 264ndash277 2006

[22] C Hartung J Balasalle and R Han ldquoNode compromise insensor networks the need for secure systemsrdquo Tech Rep CU-CS-988-04 Department of Computer Science University ofColorado at Boulder 2004

[23] H Choi S Zhu and T F L Porta ldquoSET detecting node clonesin sensor networksrdquo in Proceedings of the 3rd InternationalConference on Security and Privacy in Communication Networks(SecureComm rsquo07) pp 341ndash350 September 2007

[24] S GautamThakur ldquoCINORA cell based identification of nodereplication attack in wireless sensor networksrdquo in Proceedings ofthe IEEE International Conference on Communications Systems(ICCS rsquo08) 2008

[25] S Hussain and M S Rahman ldquoUsing received signal strengthindicator to detect node replacement and replication attacks inwireless sensor networksrdquo in Data Mining Intrusion DetectionInformation Security andAssurance andDataNetworks Security2009 vol 7344 of Proceedings of SPIE April 2009

[26] J Yick B Mukherjee and D Ghosal ldquoWireless sensor networksurveyrdquoComputerNetworks vol 52 no 12 pp 2292ndash2330 2008

[27] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo International Journal ofComputer and Telecommunications Networking vol 38 no 4pp 393ndash422 2002

[28] B Parno A Perrig and V Gligor ldquoDistributed detection ofnode replication attacks in sensor networksrdquo in Proceedings ofthe IEEE Symposium on Security and Privacy (IEEE S and P rsquo05)pp 49ndash63 May 2005

[29] A Seshadri A Perrig L van Doorn and P Khosla ldquoSWATTsoftWare-based attestation for embedded devicesrdquo in Proceed-ings of the IEEE Symposium on Security and Privacy (IEEE S andP rsquo04) pp 272ndash282 May 2004

[30] R D Pietro L V Mancini C Soriente A Spognardi and GTsudik ldquoCatch me (If you can) data survival in unattendedsensor networksrdquo inProceedings of the 6thAnnual IEEE Interna-tional Conference on Pervasive Computing and Communications(PerCom rsquo08) pp 185ndash194 March 2008

[31] F Hu and N K Sharma ldquoSecurity considerations in ad hocsensor networksrdquoAdHocNetworks vol 3 no 1 pp 69ndash89 2005

[32] R Brooks P Y Govindaraju M Pirretti N Vijaykrishnan andM T Kandemir ldquoOn the detection of clones in sensor networksusing random key predistributionrdquo IEEE Transactions on Sys-tems Man and Cybernetics C vol 37 no 6 pp 1246ndash1258 2007

[33] L Eschenauer and V D Gligor ldquoA key-management schemefor distributed sensor networksrdquo in Proceedings of the 9th ACMConference on Computer and Communications Security pp 41ndash47 Washington DC USA November 2002

[34] K Xing X Cheng F Liu andDH C Du ldquoReal-time detectionof clone attacks in wireless sensor networksrdquo in Proceedingsof the 28th International Conference on Distributed ComputingSystems (ICDCS rsquo08) pp 3ndash10 Beijing China July 2008

[35] K Xing X Cheng L Ma and Q Liang ldquoSuperimposedcode based channel assignment in multi-radio multi-channelwirelessmesh networksrdquo in Proceedings of the 13th Annual ACMInternational Conference on Mobile Computing and Networking(MobiCom rsquo07) pp 15ndash26 September 2007

[36] W Znaidi M Minier and S Ubeda ldquoHierarchical node repli-cation attacks detection in wireless sensors networksrdquo in Pro-ceedings of the 20th IEEE Personal Indoor and Mobile RadioCommunications Symposium (PIMRC rsquo09) pp 82ndash86 TokyoJapan September 2009

[37] D Xia and N Vlajic ldquoNear-optimal node clustering in wirelesssensor networks for environmentmonitoringrdquo in Proceedings ofthe 21st International Conference on Advanced Networking andApplications (AINA rsquo07) pp 632ndash641 IEEE Computer SocietyWashington DC USA 2007

[38] C M Yu C S Lu and S Y Kuo ldquoCSI compressed sensing-based clone identification in sensor networksrdquo in Proceedings ofthe IEEE International Conference on Pervasive Computing andCommunications Workshops (PERCOM Workshops rsquo12) pp290ndash295 Lugano Switzerland March 2012

[39] A J Menezes S A Vanstone and P C V Orschot Handbookof Applied Cryptography CRC Press New York NY USA 1996

[40] C Bekara and M Laurent-Maknavicius ldquoA new protocol forsecuring wireless sensor networks against nodes replicationattacksrdquo in Proceedings of the 3rd IEEE International Conferenceon Wireless and Mobile Computing Networking and Communi-cations (WiMob rsquo07) White Plains NY USA October 2007

[41] C Bekara and M Laurent-Maknavicius ldquoDefending againstnodes replication attacks on wireless sensor networksrdquo 2012httpwww-publicit-sudpariseu lauren marticlesbekara-SARSSI07pdf

[42] M Conti R Di Pietro L V Mancini and A Mei ldquoA ran-domized efficient and distributed protocol for the detectionof node replication attacks in wireless sensor networksrdquo inProceedings of the 8th ACM International Symposium on MobileAd Hoc Networking and Computing (MobiHoc rsquo07) pp 80ndash89September 2007

[43] M Conti R Di Pietro L Mancini and A Mei ldquoDistributeddetection of clone attacks in wireless sensor networksrdquo IEEETransactions on Dependable and Secure Computing vol 8 no5 pp 685ndash698 2011

[44] B Zhu V G K Addada S Setia S Jajodia and S Roy ldquoEfficientdistributed detection of node replication attacks in sensornetworksrdquo in Proceedings of the 23rd Annual Computer SecurityApplications Conference (ACSAC rsquo07) pp 257ndash266 MiamiBeach Fla USA December 2007

[45] B Zhu S Setia S Jajodia S Roy and LWang ldquoLocalized mul-ticast efficient and distributed replica detection in large-scalesensor networksrdquo IEEE Transactions on Mobile Computing vol9 no 7 pp 913ndash926 2010

[46] S Ratnasamy B Karp L Yin et al ldquoGHT a geographichash table for data-centric storagerdquo in Proceedings of the 1stACM International Workshop on Wireless Sensor Networks andApplications (WSNA rsquo02) pp 78ndash87 September 2002

[47] F Fei L Jing and Y Xianglan ldquoSpace-time related pairwisekey predistribution scheme for wireless seneor networksrdquo in


Proceedings of the International Conference onWireless Commu-nications Networking and Mobile Computing (WiCOM rsquo07) pp2692ndash2696 Shanghai China September 2007

[48] L C KoH Y Chen andG R Lin ldquoA neighbor-based detectionscheme for wireless sensor networks against node replicationattacksrdquo in Proceedings of the International Conference on UltraModern Telecommunications and Workshops (ICUMT rsquo09) pp1ndash6 St Petersburg Russia October 2009

[49] J W Ho ldquoDistributed detection of node capture attacks inwireless sensor networksrdquo in Smart Wireless Sensor NetworksH D Chunch and Y K Tan Eds pp 345ndash360 InTech RijekaCroatia 2010

[50] AWald Sequential Analysis Dover New York NY USA 2004[51] C A Melchor B Ait-Salem P Gaborit and k Tamine ldquoActive

detection of node replication attacksrdquo International Journal ofComputer Science and Network Security vol 9 no 2 pp 13ndash212009

[52] Z Li and G Gong ldquoRandomly directed exploration an efficientnode clone detection protocol in wireless sensor networksrdquo inProceedings of the 6th IEEE International Conference on MobileAdhoc and Sensor Systems (MASS rsquo09) pp 1030ndash1035 MacauChina October 2009

[53] X Meng K Lin and K Li ldquoNote based randomized anddistributed protocol for detecting node replication attackrdquo inAlgorithms and Architectures for Parallel Processing vol 6081 ofLecture Notes in Computer Science pp 559ndash570 2010

[54] J W Ho D Liu M Wright and S K Das ldquoDistributed detec-tion of replica node attacks with group deployment knowledgein wireless sensor networksrdquo Ad Hoc Networks vol 7 no 8 pp1476ndash1488 2009

[55] Y Sei and S Honiden ldquoDistributed detection of node replica-tion attacks resilient to many compromised nodes in wirelesssensor networksrdquo in Proceedings of the 4th Annual InternationalConference on Wireless Internet (WICON rsquo08) 2008

[56] C Kim S Shin C Park and H Yoon ldquoA resilient and effi-cient replication attack detection scheme for wireless sensornetworksrdquo IEICE Transactions on Information and Systems vol92 no 7 pp 1479ndash1483 2009

[57] B Dutertre S Cheung and J Levy ldquoLightweight key manage-ment in wireless sensor networks by leveraging initial trustrdquoSDL Technical Report SRI-SDL-04-02 2004

[58] J W Ho M Wright and S K Das ldquoFast detection of mobilereplica node attacks in wireless sensor networks using sequen-tial hypothesis testingrdquo IEEE Transactions on Mobile Comput-ing vol 10 no 6 pp 767ndash782 2011

[59] J W Ho M Wright and S K Das ldquoFast detection of replicanode attacks in mobile sensor networks using sequential anal-ysisrdquo in Proceedings of the IEEE INFOCOM pp 1773ndash1781 Riode Janeiro Brazil April 2009

[60] X M Deng and Y Xiong ldquoA new protocol for the detectionof node replication attacks in mobile wireless sensor networksrdquoJournal of Computer Science and Technology vol 26 no 4 pp732ndash743 2011

[61] C M Yu C S Lu and S Y Kuo ldquoMobile sensor networkresilient against node replication attacksrdquo in Proceedings of the5th Annual IEEE Communications Society Conference on SensorMesh and Ad Hoc Communications and Networks (SECON rsquo08)pp 597ndash599 June 2008

[62] C M Yu C S Lu and S Y Kuo ldquoEfficient and DistributedDetection of Node Replication Attacks in Mobile Sensor Net-worksrdquo in Proceedings of the 70th IEEE Vehicular Technology

Conference (VTC Fall rsquo09) pp 20ndash23 Anchorage Alaska USASeptember 2009

[63] L M Wang and Y Shi ldquoPatrol detection for replica attacks onwireless sensor networksrdquo Sensors vol 11 no 3 pp 2496ndash25042011

[64] Y Lou Y Zhang and S Liu ldquoSingle hop detection of nodeclone attacks inmobilewireless sensor networksrdquo inProceedingsof the International Workshop on Information and ElectronicsEngineering (IWIEE) 2012

[65] WT Zhu J Zhou RDeng and F Bao ldquoDetecting node replica-tion attacks inmobile sensor networks theory and approachesrdquoSecurity and Communication Networks vol 5 no 5 pp 496ndash507 2012

[66] M Conti R Di Pietro L V MAncini and A Mei ldquoEmergentproperties detection of the node-capture attack in mobilewireless sensor networksrdquo in Proceedings of the 1st ACM Con-ference on Wireless Network Security (WiSec rsquo08) pp 214ndash219Alexandria Va USA 2008

[67] X Deng Y Xiong and D Chen ldquoMobility-assisted detectionof the replication attacks in mobile wireless sensor networksrdquoin Proceedings of the 6th Annual IEEE International Conferenceon Wireless and Mobile Computing Networking and Communi-cations (WiMob rsquo2010) pp 225ndash232 October 2010

[68] I Amundson and X D Koutsoukos ldquoA survey on localizationfor mobile wireless sensor networksrdquo in Proceedings of the2nd International Conference on Mobile Entity Localization andTracking in GPS-Less Environments (MELT rsquo09) vol 5801 ofLecture Notes in Computer Science pp 235ndash254 2009

[69] H Chan A Perrig and D Song ldquoRandom key predistributionschemes for sensor networksrdquo in Proceedings of the IEEESymposium on Security And Privacy (IEEE S and P rsquo03) pp 197ndash213 May 2003

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of



RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal ofEngineeringVolume 2014

Submit your manuscripts athttpwwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



in hostile environments which imply the existence of anadversary For example WSN can be used to monitor firearmdischarge illicit crop cultivation drugweapons smugglinghuman trafficking nuclear emissions in a rogue region andother illegal activities [5] Thus it is very important to ensurethe security of sensor networks in such scenarios

The unattended nature of wireless sensor networks can beexploited by adversaries which are able to launch an array ofdifferent physical attacks including node replication attacksignal or radio jamming denial of service (DoS) attack nodeoutage eavesdropping and Sybil attack and other attackslike sinkhole wormhole and selective forwarding attackThreats to sensor networks can be either layer dependentor layer independent Attacks in the former category can beapplication dependant and are specific to different OSI layerstargeting specific network functionalities such as routingnode localization time synchronization and data aggrega-tion while the attacks in the latter category are applicationindependent affecting a wide variety of applications fromobject tracking and fire alarming to battlefield surveillanceand these attacks are not launched on any OSI layer Theattacks of the latter category are also application independent[2] This attack taxonomy is also shown in Figure 1 In orderto protect wireless sensor networks from layer dependentattacks many schemes have been proposed To alleviate theeffects of routing disruption attacks secure routing schemeshave been proposed [6 7] Authentication schemes [8ndash10] areused to mitigate false data injection attacks Data aggregationcan be secured by using secure data aggregation protocolsproposed in [11ndash14] To defend localization and time synchro-nization protocols from different attacks and threats manyprotocols have been proposed in [15ndash21] Nevertheless mostof these schemes are attack resilient rather than they candetect and remove the source of attack Thus there is a needto detect and revoke the sources of attacks as soon as possibleto substantially reduce the costs and damages incurred byemploying attack resilient approaches

In this comprehensive survey we consider a very severeand important physical attack on WSN which is called nodereplication attack or clone attack It is also known as identityattack In this attack an adversary first physically capturesonly one or few of legitimate nodes then clones or replicatesthem fabricating those replicas having the same identity (ID)with the captured node and finally deploys a capricious num-ber of clones throughout the network This whole processof node replication attack and the various stages are shownin Figure 2 This vexing problem arises from the actualitythat sensor nodes are unshielded It is stated in [22] that anexperienced attacker can completely compromise a typicalsensor node by using only a few readily available tools andit can then obtain copies of that node memory and datawithin 1min of discovering it The clones or replicas mayeven be selectively reprogrammed to subvert the network bylaunching further insider attacks like falsifying sensor data orsuppressing legitimate data extracting data from the networkand disconnect the network by triggering correct executionof node revocation protocols that rely on threshold votingschemes and staging denial of service (DoS) attacks Clonenodes may create a black hole initiate a wormhole attack

Attacks on wireless sensor networks

Layer-independentattacks

Routing attacks Node replicationattacks

Data aggregationattacks

attacks

Sybil attacks

Localization

Time synchronizationattacks

Layer-dependentattacks

Figure 1 Classification of attacks on wireless sensor networks

with a collaborating adversary or may also leak data in anenvironment in which sensed data must be kept private [23]If these replicated nodes or clones remain undetected orunattended for a long time they can further commence thechanges in protocol behavior and intrusion into the systemssecurity [24] It is easy for an adversary to launch such attacksdue to the fact that the clones created by an adversary havelegitimate information (codes key materials and creden-tials) and they may be considered as legitimate nodes andtotally honest by its neighbors which are participating in thenetwork operation in the same way as the noncompromisednodes

The above mentioned traditional security schemes forWSNs are inept to detect and prevent node replication attackThus in the last few years a number of detection and pre-vention techniquesschemes have been proposed in the liter-ature According to [2] the detection schemes are classifiedon a high level as network-based or radio-based detectionOnly one instance of radio-based detection is found in [25]The former category is further categorized into two types asfor mobile WSNs and for stationary WSNs Both techniquesfor mobile and stationary WSNs are further divided into twobroad categories namely centralized and distributed Thiscan be summarizedwith Figure 3which shows a detailed clas-sification of all replica detection schemesThis categorizationprovides a first step to better understand the node replicationdetection schemes

A WSN can be either stationary or mobile In staticwireless sensor networks (SWSNs) the sensor nodes arestationary or static that is the sensor nodes are deployed ran-domly and after deployment their positions do not changeOn the other hand in mobile wireless sensor networks(MWSNs) the sensor nodes canmove on their own and afterdeployment they can interact with the physical environmentby controlling their own movement Advances in roboticshave made it possible to develop such mobile sensors which













Keys usage based




Distributed



Neighborhood based




Node meetingbased




Not seen manytimes



basedToken exchange


Seen many times


techniques

SEToperations-based

techniques
























































2radic119899 log 119899




119894and119862

119895of total 1 le 119894





























2119872)















2) 119874(1)

Witness node

DM [28] 119874(119892 logradic119899119889) 119874(119892)

RM [28] 119874(1198992) 119874(radic119899)

LSM [28] 119874(119899radic119899) 119874(radic119899)


SDC [44 45] 119874(119903 sdot radic119899) + 119874(119904) 119874(120596)

P-MPC [44 45] 119874(119903 sdot radic119899) + 119874(119904) 119874(120596)



C-MEM [3] mdash 119874(119905 + 1199051015840radic119899)





2




Basic scheme [54] 119874(119898) 119874(119898)




mdash Ho [49] 119874(119899radic119899) 119874(119899)

























119895


119894can ascertain






119894meets another







119895


119894memory 119904






119904119895 119904119895

1199041198941199041198942

2

119905 = 1199051


119905 = 1199052

















119894isin 0 1





















6 Discussion








Distributed



SEDD [62] 119874(119899) 119874(120585)



UTLSE [67] 119874(119899) 119874(radic119899)

MTLSD [67] 119874(119899) 119874(radic119899)









Stage-2

Stage-3

Extract information

from captured node

Yes

Yes




captured node





Yes

No

No

No

New hardwareused




from the network




Detect the absence








7 Conclusion


Acknowledgment


References













































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation





















Keys usage based




Distributed



Neighborhood based




Node meetingbased




Not seen manytimes



basedToken exchange


Seen many times


techniques

SEToperations-based

techniques
























































2radic119899 log 119899




119894and119862

119895of total 1 le 119894





























2119872)















2) 119874(1)

Witness node

DM [28] 119874(119892 logradic119899119889) 119874(119892)

RM [28] 119874(1198992) 119874(radic119899)

LSM [28] 119874(119899radic119899) 119874(radic119899)


SDC [44 45] 119874(119903 sdot radic119899) + 119874(119904) 119874(120596)

P-MPC [44 45] 119874(119903 sdot radic119899) + 119874(119904) 119874(120596)



C-MEM [3] mdash 119874(119905 + 1199051015840radic119899)





2




Basic scheme [54] 119874(119898) 119874(119898)




mdash Ho [49] 119874(119899radic119899) 119874(119899)

























119895


119894can ascertain






119894meets another







119895


119894memory 119904






119904119895 119904119895

1199041198941199041198942

2

119905 = 1199051


119905 = 1199052

















119894isin 0 1





















6 Discussion








Distributed



SEDD [62] 119874(119899) 119874(120585)



UTLSE [67] 119874(119899) 119874(radic119899)

MTLSD [67] 119874(119899) 119874(radic119899)









Stage-2

Stage-3

Extract information

from captured node

Yes

Yes




captured node





Yes

No

No

No

New hardwareused




from the network




Detect the absence








7 Conclusion


Acknowledgment


References













































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation


























































2radic119899 log 119899




119894and119862

119895of total 1 le 119894





























2119872)















2) 119874(1)

Witness node

DM [28] 119874(119892 logradic119899119889) 119874(119892)

RM [28] 119874(1198992) 119874(radic119899)

LSM [28] 119874(119899radic119899) 119874(radic119899)


SDC [44 45] 119874(119903 sdot radic119899) + 119874(119904) 119874(120596)

P-MPC [44 45] 119874(119903 sdot radic119899) + 119874(119904) 119874(120596)



C-MEM [3] mdash 119874(119905 + 1199051015840radic119899)





2




Basic scheme [54] 119874(119898) 119874(119898)




mdash Ho [49] 119874(119899radic119899) 119874(119899)

























119895


119894can ascertain






119894meets another







119895


119894memory 119904






119904119895 119904119895

1199041198941199041198942

2

119905 = 1199051


119905 = 1199052

















119894isin 0 1





















6 Discussion








Distributed



SEDD [62] 119874(119899) 119874(120585)



UTLSE [67] 119874(119899) 119874(radic119899)

MTLSD [67] 119874(119899) 119874(radic119899)









Stage-2

Stage-3

Extract information

from captured node

Yes

Yes




captured node





Yes

No

No

No

New hardwareused




from the network




Detect the absence








7 Conclusion


Acknowledgment


References













































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation


































2119872)















2) 119874(1)

Witness node

DM [28] 119874(119892 logradic119899119889) 119874(119892)

RM [28] 119874(1198992) 119874(radic119899)

LSM [28] 119874(119899radic119899) 119874(radic119899)


SDC [44 45] 119874(119903 sdot radic119899) + 119874(119904) 119874(120596)

P-MPC [44 45] 119874(119903 sdot radic119899) + 119874(119904) 119874(120596)



C-MEM [3] mdash 119874(119905 + 1199051015840radic119899)





2




Basic scheme [54] 119874(119898) 119874(119898)




mdash Ho [49] 119874(119899radic119899) 119874(119899)

























119895


119894can ascertain






119894meets another







119895


119894memory 119904






119904119895 119904119895

1199041198941199041198942

2

119905 = 1199051


119905 = 1199052

















119894isin 0 1





















6 Discussion








Distributed



SEDD [62] 119874(119899) 119874(120585)



UTLSE [67] 119874(119899) 119874(radic119899)

MTLSD [67] 119874(119899) 119874(radic119899)









Stage-2

Stage-3

Extract information

from captured node

Yes

Yes




captured node





Yes

No

No

No

New hardwareused




from the network




Detect the absence








7 Conclusion


Acknowledgment


References













































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












2) 119874(1)

Witness node

DM [28] 119874(119892 logradic119899119889) 119874(119892)

RM [28] 119874(1198992) 119874(radic119899)

LSM [28] 119874(119899radic119899) 119874(radic119899)


SDC [44 45] 119874(119903 sdot radic119899) + 119874(119904) 119874(120596)

P-MPC [44 45] 119874(119903 sdot radic119899) + 119874(119904) 119874(120596)



C-MEM [3] mdash 119874(119905 + 1199051015840radic119899)





2




Basic scheme [54] 119874(119898) 119874(119898)




mdash Ho [49] 119874(119899radic119899) 119874(119899)

























119895


119894can ascertain






119894meets another







119895


119894memory 119904






119904119895 119904119895

1199041198941199041198942

2

119905 = 1199051


119905 = 1199052

















119894isin 0 1





















6 Discussion








Distributed



SEDD [62] 119874(119899) 119874(120585)



UTLSE [67] 119874(119899) 119874(radic119899)

MTLSD [67] 119874(119899) 119874(radic119899)









Stage-2

Stage-3

Extract information

from captured node

Yes

Yes




captured node





Yes

No

No

No

New hardwareused




from the network




Detect the absence








7 Conclusion


Acknowledgment


References













































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

























119895


119894can ascertain






119894meets another







119895


119894memory 119904






119904119895 119904119895

1199041198941199041198942

2

119905 = 1199051


119905 = 1199052

















119894isin 0 1





















6 Discussion








Distributed



SEDD [62] 119874(119899) 119874(120585)



UTLSE [67] 119874(119899) 119874(radic119899)

MTLSD [67] 119874(119899) 119874(radic119899)









Stage-2

Stage-3

Extract information

from captured node

Yes

Yes




captured node





Yes

No

No

No

New hardwareused




from the network




Detect the absence








7 Conclusion


Acknowledgment


References













































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










119904119895 119904119895

1199041198941199041198942

2

119905 = 1199051


119905 = 1199052

















119894isin 0 1





















6 Discussion








Distributed



SEDD [62] 119874(119899) 119874(120585)



UTLSE [67] 119874(119899) 119874(radic119899)

MTLSD [67] 119874(119899) 119874(radic119899)









Stage-2

Stage-3

Extract information

from captured node

Yes

Yes




captured node





Yes

No

No

No

New hardwareused




from the network




Detect the absence








7 Conclusion


Acknowledgment


References













































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation













119894isin 0 1





















6 Discussion








Distributed



SEDD [62] 119874(119899) 119874(120585)



UTLSE [67] 119874(119899) 119874(radic119899)

MTLSD [67] 119874(119899) 119874(radic119899)









Stage-2

Stage-3

Extract information

from captured node

Yes

Yes




captured node





Yes

No

No

No

New hardwareused




from the network




Detect the absence








7 Conclusion


Acknowledgment


References













































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation
















6 Discussion








Distributed



SEDD [62] 119874(119899) 119874(120585)



UTLSE [67] 119874(119899) 119874(radic119899)

MTLSD [67] 119874(119899) 119874(radic119899)









Stage-2

Stage-3

Extract information

from captured node

Yes

Yes




captured node





Yes

No

No

No

New hardwareused




from the network




Detect the absence








7 Conclusion


Acknowledgment


References













































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation














Distributed



SEDD [62] 119874(119899) 119874(120585)



UTLSE [67] 119874(119899) 119874(radic119899)

MTLSD [67] 119874(119899) 119874(radic119899)









Stage-2

Stage-3

Extract information

from captured node

Yes

Yes




captured node





Yes

No

No

No

New hardwareused




from the network




Detect the absence








7 Conclusion


Acknowledgment


References













































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











Stage-2

Stage-3

Extract information

from captured node

Yes

Yes




captured node





Yes

No

No

No

New hardwareused




from the network




Detect the absence








7 Conclusion


Acknowledgment


References













































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation













7 Conclusion


Acknowledgment


References













































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation



































































RoboticsJournal of





Journal of



RotatingMachinery





VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









Review Article Detection and Mitigation of Node Replication...

Documents

Transcript of Review Article Detection and Mitigation of Node Replication...