Prevention Techniques Of False Data Injection Wsn Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

In wireless sensor networks (WSNs), many prevention techniques are used against false data injection, and provable security is also used in WSNs. First we define false data injection in wireless sensor networks. Then we describe a number of prevention techniques for data injection.

5.1.1 False Data Injection in wireless sensor Networks:-

Sensors are usually deployed in unattended or even hostile environments, and an adversary may capture or compromise sensor nodes. Node compromise occurs when an attacker gains control of a node in the network after deployment. Once in control of that node, the attacker can alter the node to listen to information in the network, input malicious data, cause Denial of Service, black hole, or any one of a number of attacks on the network. Once this happens, the compromised nodes can easily inject false data reports of nonexistent events. Even worse, when an adversary compromises more nodes and combines all the obtained secret keys, the adversary can freely forge event reports which not only "happen" at the locations where the nodes are compromised, but also at arbitrary locations in the field.

Table 5.1 shows the attacks caused by compromised nodes at different layers. These fabricated reports not only produce false alarms, but also waste valuable network resources, such as energy and bandwidth, when the falsified reports are delivered to the base station. Therefore, it is important to design an effective filtering scheme to defend against and minimize the impact of false data injection attacks.

The four main attacks caused by a compromised node are:

A compromised node purposely drops an aggregation message.

A compromised node alters a message being relayed to the sink.

A compromised node purposely falsifies its own sensed reading.

A compromised node purposely falsifies the aggregate value it is relaying to its parent in a hierarchical network structure.

| Layer | Attacks |
|---|---|
| Physical layer | Jamming attack |
| Data link layer | Jamming attack, collision attack |
| Network layer | False routing information, selective forwarding, disrupt routing protocol |
| Transport layer | False data injection, packet dropping, interrogation attack |

Table 5.1: Layer-wise node compromise attacks

5.1.2 Statistical En-Route Filtering (SEF) :

There are many ways to perform this technique. Some of them are: dynamic (active), statistical, commutative cipher-based, constrained function-based, priority-based, group rekeying-based, secure ticket-based, and a few more. The following part of this chapter covers some of these schemes.

Statistical en-route filtering (SEF) is the first en-route filtering scheme, proposed by F. Ye, H. Luo to address fabricated report injection attacks in the presence of compromised nodes and to introduce an en-route filtering framework. In SEF, there is a global key pool, which is divided into n non-overlapping partitions. Before deployment, each node stores a small number of authentication keys randomly selected from one partition of the global key pool. Nodes with keys from the same partition are considered to be in the same group. In this way, all nodes are divided into n groups via non-overlapping key partitions. The SEF scheme adopts T-authentication, that is, a legitimate report must carry T MACs generated by T nodes from different groups. Each of these T nodes generates a MAC with one of the authentication keys it stores. Each event-detecting sensor endorses the report by producing a keyed MAC using one of its stored keys. A report with an insufficient number of MACs will not be forwarded.

When the sink receives event reports, it can verify all the MACs carried in the report because it has complete knowledge of the global key pool. False reports with incorrect MACs that pass through en-route filtering will then be detected. The SEF mechanism detects and drops bogus reports from compromised nodes. The verification of MACs is done probabilistically. SEF cannot detect which nodes are compromised because reports are filtered en-route probabilistically, but it can prevent the false data injection attack with 80 - 90 percent probability within 10 hops. In SEF, if a node is compromised, the attacker can obtain the keys for a number of compromised nodes, since more than one node stores keys from the common key pool.


Figure 5.1: Statistical En-Route Filtering

This scheme takes advantage of the large-scale and dense deployment of sensor networks. Its detection and filtering power increases with the deployment density and the sensor field size. It can effectively detect false reports even when the attacker has obtained the security keys from a number of compromised nodes, as long as those keys belong to a small number of the key pool partitions. It can filter out 80-90% of the false data injected by a compromised node within 10 forwarding hops. It represents a first step towards building resilient sensor networks that can withstand compromised nodes. To prevent any single compromised node from breaking down the entire system, this scheme carefully limits the amount of security information assigned to any single node, and relies on the collective decisions of multiple sensors for false report detection. When an event occurs in the field, multiple surrounding sensors collectively generate a legitimate report that carries multiple message authentication codes.

A report with an inadequate number of MACs will not be delivered. As a sensing report is forwarded towards the sink over multiple hops, each forwarding node verifies the correctness of the MACs carried in the report with a certain probability. Once an incorrect MAC is detected, the report is dropped. The probability of detecting incorrect MACs increases with the number of hops the report travels. Depending on the path length, there is a non-zero probability that some reports with incorrect MACs may escape en-route filtering and be delivered to the sink. In any case, the sink will further verify the correctness of each MAC carried in each report and reject false ones. Collaborative filtering of false reports requires that nodes share a certain amount of security information. The more security information each forwarding node possesses, the more effective the en-route filtering can be, but the drawback is that, if more nodes are compromised, the attacker can obtain more secrets from a compromised node.
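The following simulation of the SEF filtering described above is an added example, not code from the essay or from the SEF authors. It assumes that each MAC travels with the index of the key that produced it, so a forwarding node can check exactly those MACs whose key it happens to hold; the parameter values, the truncated HMAC-SHA-256 and all function names are choices made for this example.

```python
import hashlib
import hmac
import random

# Demo parameters: assumed values for this example, not taken from the essay.
N_PARTITIONS = 10          # n non-overlapping partitions of the global key pool
KEYS_PER_PARTITION = 100
KEYS_PER_NODE = 50         # keys a node draws from its single partition
T = 5                      # MACs, from T different groups, that a report must carry

def build_key_pool(seed=b"constructed demo pool"):
    """Global key pool (key index -> key); only the sink knows all of it."""
    total = N_PARTITIONS * KEYS_PER_PARTITION
    return {i: hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(total)}

def partition_of(index):
    return index // KEYS_PER_PARTITION

def mac(key, event):
    return hmac.new(key, event, hashlib.sha256).digest()[:8]

def well_formed(macs):
    """Exactly T MACs whose keys come from T distinct partitions."""
    return len(macs) == T and len({partition_of(i) for i, _ in macs}) == T

class Node:
    def __init__(self, pool, partition, rng):
        first = partition * KEYS_PER_PARTITION
        held = rng.sample(range(first, first + KEYS_PER_PARTITION), KEYS_PER_NODE)
        self.partition = partition
        self.keys = {i: pool[i] for i in held}

    def endorse(self, event, rng):
        """Detecting node: MAC the event with one of its stored keys."""
        index = rng.choice(sorted(self.keys))
        return index, mac(self.keys[index], event)

    def forward(self, event, macs):
        """Forwarding node: drop if MACs are missing or one it can check is wrong."""
        if not well_formed(macs):
            return False
        for index, tag in macs:
            key = self.keys.get(index)
            if key is not None and not hmac.compare_digest(tag, mac(key, event)):
                return False
        return True

def sink_verify(pool, event, macs):
    """The sink holds the whole pool, so it checks every MAC."""
    return well_formed(macs) and all(
        index in pool and hmac.compare_digest(tag, mac(pool[index], event))
        for index, tag in macs)

def forged_report(compromised, event, rng):
    """What one compromised node can produce: one real MAC, T-1 made-up ones."""
    macs = [compromised.endorse(event, rng)]
    others = [p for p in range(N_PARTITIONS) if p != compromised.partition]
    for p in rng.sample(others, T - 1):
        index = p * KEYS_PER_PARTITION + rng.randrange(KEYS_PER_PARTITION)
        macs.append((index, rng.getrandbits(64).to_bytes(8, "big")))
    return macs

def filtered_within(hops, trials=1000, seed=1):
    """Fraction of forged reports dropped en route within `hops` forwarding hops."""
    rng = random.Random(seed)
    pool = build_key_pool()
    event = b"constructed report of a nonexistent event"
    dropped = 0
    for _ in range(trials):
        attacker = Node(pool, rng.randrange(N_PARTITIONS), rng)
        macs = forged_report(attacker, event, rng)
        for _ in range(hops):
            forwarder = Node(pool, rng.randrange(N_PARTITIONS), rng)
            if not forwarder.forward(event, macs):
                dropped += 1
                break
    return dropped / trials

if __name__ == "__main__":
    for hops in (1, 5, 10):
        print(f"{hops:2d} hops: {filtered_within(hops):.0%} of forged reports filtered")
```

With these values a forwarder has a 0.4 x 0.5 = 0.2 chance per hop of holding the key for one of the four made-up MACs, so about 1 - 0.8^10, roughly 89%, of forged reports are dropped within 10 hops, and the sink rejects the rest.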

Secure Ticket-Based En-Route Filtering

Secure Ticket-Based En-route Filtering (STEF), proposed by Krauss et al., uses a ticket concept, where tickets are issued by the sink and packets are only forwarded if they contain a valid ticket. If a packet does not contain a valid ticket, it is immediately filtered out. This scheme addresses false data injection and Denial of Service attacks in sensor networks. This is a lightweight ticket concept which is applicable in resource-constrained WSNs. Messages to the sink are only valid if they contain a valid ticket. Each en-route node which forwards a message is able to verify the validity of the ticket and drops the message if the ticket is invalid. Hence, a false message can be filtered out immediately. The ticket concept enables the separation of report generation with sink verification, and the en-route filtering, without the need for symmetric key sharing between sensor nodes. This results in a high resiliency against node compromise. Even if an adversary compromises several nodes, he is not able to inject as many messages as desired to perform a successful Denial of Service attack because he does not possess the necessary tickets. If a region is under suspicion of being compromised, it can easily be excluded by simply not sending query messages containing valid tickets there. Moreover, node compromises are limited to the immediate vicinity of the compromised nodes and do not affect the whole network. Taking performance into consideration, this scheme is able to significantly reduce the energy consumption by immediate filtering of false reports. Its energy savings increase with the number of injected false messages and with the distance to the sink where an adversary injects false messages. Furthermore, the storage requirements in the sensor nodes are very low, and thus, it is applicable in high density networks, and leaves room for further security mechanisms that can add to the concept of defense-in-depth for the sensor network.
STEF is similar in nature to SEF and DEF. The packets contain a MAC, and cluster heads share keys with the source sensor nodes in their immediate vicinity and with the sink. The drawback of STEF is its one-way communication in the downstream for the ticket traversal to the cluster head.

Secure Ticket-Based En-Route Filtering description:-

In this section, we present STEF. First, we describe the basic scheme for en-route filtering supporting authenticity and integrity of transmitted data. We then show how our scheme can be easily modified to support the confidentiality of queries and reports in response messages.

Fundamental Scheme:-

The main idea of STEF is that reports from sensor nodes are forwarded towards the sink only if they contain a valid ticket. The ticket concept is realized with a query-response communication which is a typical operational mode in sensor networks. The sink randomly selects a node in the area of interest and sends a query containing a ticket to this node. This node acts as the current cluster head for this query-response communication. The cluster head builds a dynamic cluster with its direct neighbors. The ticket is specific to the cluster head, i.e., it can be used by this cluster head only. Before sending a response to the query, the cluster head generates a report according to the query, which must be endorsed by multiple nodes, and attaches the ticket to the report. The report is sent back towards the sink, and the en-route nodes are able to verify the correctness of the ticket. Messages including no or invalid tickets are dropped immediately by intermediate nodes that apply STEF.

STEF consists of five phases: Bootstrapping, Queries from Sink, Report Generation, En-route Filtering, and Sink Verification. These five phases are presented below.

(1) Bootstrapping: The bootstrapping phase is performed only once to configure the sensor nodes before deployment, and to execute some initialization procedures directly after deployment. This phase is assumed to be secure as mentioned above.

Each sensor node $S_i$ for $i = 1, \ldots, n$ has a unique identifier $ID_{S_i}$ and is preloaded with a unique key $K_{S_i}$ shared with the sink, henceforth called personal key.


Figure 5.2: Query message sent from the sink to node S4 acting as CH

After the nodes are deployed, they obtain their location using a localization scheme and report it to the sink. To decrease the communication overhead, the location reports can be aggregated or piggybacked in other messages. Furthermore, a sensor node establishes pairwise keys with its one-hop neighbors using some existing schemes. After the bootstrapping phase, the network can be queried by the sink.


Figure 5.3: Response message sent back from node S4 to the sink

(2) Queries from Sink: At run time, the sink sends queries to the sensor nodes. A query might look like "What is the temperature at location X?". The ticket concept is realized as follows: The sink generates a random value $c \in_R \{0, 1\}^l$ of a certain length, e.g., $l = 64$ bits. Next, a collision-resistant one-way function $h: \{0, 1\}^l \to \{0, 1\}^l$, e.g., a hash function, is applied to the value $c$, so that $c' = h(c)$. By definition, a collision-resistant one-way function has the property that, for any given $x$, it is easy to compute $y = h(x)$ but given a value $y$, it is not feasible to compute a value $\tilde{x}$ such that $y = h(\tilde{x})$.

The sink knows the location of all nodes in the area of interest, randomly selects one node as CH (cluster head) and sends a query message to it. The message contains a unique query identifier $QID$, the value $c'$, the query $Q$ representing the interest of the user expressed in multiple attribute-value pairs, and the value $c$ encrypted with the personal key $K_{CH}$ shared between the sink and CH (cluster head), representing the ticket. Thus, the query message has the following form:

$$\text{Sink} \to CH:\ QID,\ c',\ Q,\ \{c\}_{K_{CH}} \qquad (1)$$

The en-route nodes can verify the ticket in the response message later in the en-route filtering phase using the value $c'$. For each query message, a new value for $c$ is randomly chosen and the appropriate $c'$ value is calculated. The message is authenticated by an authentication scheme which supports immediate authentication, e.g., RPT or LEA.

In the example shown in Figure 1, the sink sends out the query message, which is forwarded hop-by-hop to CH (node S4). All intermediate nodes (nodes S1, S2, and S3) store the tuple $(QID, c')$ for future verification purposes.

(3) Report Generation: When CH receives the query message, it generates a report $R$ according to the query, e.g., "The temperature at location X is 23 °C.", and sends this report to its neighbors. In the example shown in Figure 1, node S4 sends $R$ to nodes S5, S6, and S7. Each sensor node that agrees on the report within a certain error range uses its personal key to generate a MAC on $R$, and sends the MAC to CH. The authenticity and integrity of these messages is ensured using the pairwise keys shared between the nodes and CH. CH also generates a MAC, and additionally chooses $t$ different MACs randomly, where $t$ is a system parameter, and compresses them to one SMAC by bitwise XOR operation. SMAC can be verified by the sink. In the example shown in Figure 2, nodes S5, S6, and S7 agree on the report and send the generated MACs to node S4. Assume that $t = 3$, thus SMAC is generated by $t + 1 = 4$ different MACs. Node S4 calculates SMAC as follows:

$$SMAC = MAC(R, K_{S_4}) \oplus \cdots \oplus MAC(R, K_{S_7}) \qquad (2)$$

CH decrypts $c$ from the query message and generates the final report for the sink containing $QID$, $R$, $c$, SMAC, its own identifier $ID_{S_4}$ and the identifiers of the $t$ endorsing nodes $ID_{S_5}$, $ID_{S_6}$, and $ID_{S_7}$. In the example shown in Figure 5.2, node S4 sends the following message to the sink:

$$S_4 \to \text{Sink}:\ QID,\ R,\ c,\ SMAC,\ \{ID_{S_4}, ID_{S_5}, ID_{S_6}, ID_{S_7}\} \qquad (3)$$

(4) En-route Filtering: The response is forwarded along the reversed query message path. Each intermediate node checks if it has stored the appropriate $QID$ and the value $c'$. If not, the report is dropped. Otherwise, the node checks if $c' = h(c)$. If the equation holds, the ticket is valid, the message is forwarded to the next hop and the tuple $(QID, c')$ is deleted. In the example shown in Figure 2, nodes S3, S2, and S1 perform this verification.

If the response message to a query message does not arrive within a certain period of time, the en-route nodes delete the tuple as well, to save memory, since the query message might have been lost during the transmission.

(5) Sink Verification: The sink performs the final verification. First it checks if QID matches a recently sent query message and if the value c in the response message is valid. Next, the sink verifies if the SMAC is correct, and whether the t endorsing nodes are indeed in the local neighborhood of the CH (cluster head) and their location matches the location of the report. If one of these checks fails, the report is dropped, and the sink sends out a new query message to another node in this area. If all checks are valid, the sink finally accepts the report.
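The query, report generation, en-route filtering and sink verification phases above can be traced end to end in the following added example, which is not code from the essay or from the STEF authors. It assumes SHA-256 truncated to l = 64 bits for h, truncated HMAC-SHA-256 for the MACs and a toy XOR pad in place of the encryption of the ticket; query authentication (RPT or LEA), the pairwise-key protected exchange inside the cluster and the location check are left out, and all names are hypothetical.

```python
import hashlib
import hmac
import secrets
from functools import reduce

L_BYTES = 8   # l = 64 bits, the example length from the text
T = 3         # endorsing nodes required besides the cluster head

def h(c):
    """One-way function h (SHA-256 truncated to l bits is this example's choice)."""
    return hashlib.sha256(c).digest()[:L_BYTES]

def mac(report, key):
    return hmac.new(key, report, hashlib.sha256).digest()[:L_BYTES]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def smac(report, keys):
    """Compress the individual MACs into one SMAC by bitwise XOR."""
    return reduce(xor, (mac(report, k) for k in keys))

def seal(key, qid, c):
    """Stand-in for {c}K: XOR with an HMAC-derived pad; applying it twice decrypts."""
    return xor(c, hmac.new(key, b"ticket" + qid, hashlib.sha256).digest())

class EnRouteNode:
    def __init__(self):
        self.pending = {}                    # QID -> c'

    def on_query(self, qid, c_prime):
        self.pending[qid] = c_prime

    def on_response(self, qid, c):
        """Forward only if (QID, c') is stored and c' = h(c); then delete the tuple."""
        c_prime = self.pending.get(qid)
        if c_prime is None or not hmac.compare_digest(c_prime, h(c)):
            return False
        del self.pending[qid]
        return True

class Sink:
    def __init__(self, keys, neighbours):
        self.keys = keys                     # node ID -> personal key
        self.neighbours = neighbours         # cluster head ID -> one-hop neighbour IDs
        self.sent = {}                       # QID -> (c, cluster head ID)

    def query(self, ch_id, q):
        qid, c = secrets.token_bytes(8), secrets.token_bytes(L_BYTES)
        self.sent[qid] = (c, ch_id)
        return qid, h(c), q, seal(self.keys[ch_id], qid, c)

    def verify(self, qid, report, c, tag, ids):
        c_sent, ch_id = self.sent.pop(qid, (None, None))
        if c_sent is None or not hmac.compare_digest(c_sent, c):
            return False
        # Distinct IDs matter: a repeated ID would cancel itself out under XOR.
        if len(ids) != T + 1 or len(set(ids)) != len(ids) or ids[0] != ch_id:
            return False
        if not set(ids[1:]) <= self.neighbours.get(ch_id, set()):
            return False
        return hmac.compare_digest(tag, smac(report, [self.keys[i] for i in ids]))

def cluster_head_response(ch_id, endorsers, keys, query, report):
    """CH decrypts c, XORs its MAC with the endorsers' MACs, builds the response."""
    qid, _c_prime, _q, sealed = query
    ids = [ch_id, *endorsers]
    c = seal(keys[ch_id], qid, sealed)
    return qid, report, c, smac(report, [keys[i] for i in ids]), ids

def hops_passed(path, qid, c):
    """How many en-route nodes forward the response before one drops it."""
    passed = 0
    for node in path:
        if not node.on_response(qid, c):
            break
        passed += 1
    return passed

def demo_network():
    """Constructed topology from the text's example: sink - S1 - S2 - S3 - S4 (CH)."""
    keys = {f"S{i}": secrets.token_bytes(16) for i in range(1, 8)}
    sink = Sink(keys, {"S4": {"S3", "S5", "S6", "S7"}})
    return sink, keys, [EnRouteNode() for _ in range(3)]   # S3, S2, S1 on the way back

def send_query(sink, path, ch_id, q):
    query = sink.query(ch_id, q)
    for node in path:
        node.on_query(query[0], query[1])                  # each hop stores (QID, c')
    return query

if __name__ == "__main__":
    sink, keys, path = demo_network()
    query = send_query(sink, path, "S4", b"temperature at X?")
    print("forged ticket:", hops_passed(path, query[0], bytes(L_BYTES)), "hops")
    resp = cluster_head_response("S4", ["S5", "S6", "S7"], keys, query, b"23 C")
    print("valid ticket:", hops_passed(path, resp[0], resp[2]), "hops")
    print("sink accepts:", sink.verify(*resp))
    print("replayed ticket:", hops_passed(path, resp[0], resp[2]), "hops")
```

En-route nodes check only the ticket, so a response whose report was altered after endorsement still travels to the sink and is rejected there by the SMAC check.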

Confidentiality Enhancement:

Some sensor network applications may need confidentiality of the queries and responses. Since en-route nodes do not need to know the contents of $Q$ or $R$ to filter false messages, these values can be encrypted before transmission. In the query message, $Q$ is also encrypted with the shared key between the sink and the CH (cluster head). Thus, the query message has the following form:

$$\text{Sink} \to CH:\ QID,\ c',\ \{Q, c\}_{K_{CH}} \qquad (4)$$

Before CH sends the response to the sink, it encrypts the report $R$ using its pairwise key shared with the sink. For the example shown in Figure 2, sensor node S4 sends the following message to the sink:

$$S_4 \to \text{Sink}:\ QID,\ \{R\}_{K_{S_4}},\ c,\ SMAC,\ \{ID_{S_4}, ID_{S_5}, ID_{S_6}, ID_{S_7}\} \qquad (5)$$

This enhancement introduces only marginally increased overhead for the CH (cluster head) by performing one symmetric encryption operation. En-route nodes are not affected by this enhancement.

5.2 An Interleaved Hop-by-Hop Authentication Scheme (IHA)

The hop-by-hop authentication is designed to keep 'bogus' traffic out of the network by providing a mechanism to prevent un-authenticated sources from injecting it. The hop-by-hop security assumes that the appropriate keys and policy are in the network. You are right in that if a malicious node can forge a signature for a bundle and inject it into the network, then after the first hop there's nothing in the BAB machinery to restrict that bundle's movement (though other security policies that use non-single-hop mechanisms like the payload security block might be in place).

The notion was that some networks may have very constrained, expensive, or critical links and that it would be desirable to deter someone who could connect to the network from being able to inject traffic that would cross those links, consuming resources. End-to-end security like IPSec doesn't do this.

The interleaved hop-by-hop authentication scheme was proposed by Zhu. In this scheme, the base station periodically initiates an association process enabling each node to establish pairwise keys with other nodes that are n hops away, where n is a security threshold. All nodes are detecting nodes and forwarding nodes, generating reports about events, forwarding them and verifying report correctness. At least t+1 nodes must agree on a report for it to be considered valid. The drawback of IHA is that it requires the existence of a fixed path for transmitting control messages between the base station and every cluster-head. Another problem in interleaved hop-by-hop authentication is that every en-route node must exchange its associated key with its lower and upper associated nodes. The high communication overhead incurred by the association process makes interleaved hop-by-hop authentication unsuitable for networks whose topologies change frequently.

5.3 Commutative Cipher Based En-Route Filtering (CCEF)

Yang et al. presented a commutative cipher based en-route filtering scheme. In commutative cipher based en-route filtering, each node is preloaded with a distinct authentication key. When a report is needed, the base station sends a session key to the cluster-head and a witness key to every forwarding node along the path from itself to the cluster-head. The report is appended with multiple MACs generated by sensing nodes and the cluster-head. When the report is delivered to the base station along the same path, each forwarding node can verify the cluster-head's MAC using the witness key. The MACs generated by sensing nodes can be verified by the base station only. Commutative cipher based en-route filtering has several drawbacks. First, it relies on fixed paths as IHA does. Second, it needs expensive public-key operations to implement commutative ciphers. Third, it can only filter the false reports generated by a malicious node without the session key instead of those generated by a compromised cluster-head or other sensing nodes.

5.4 Location-Based Resilient Security (LBRS) Scheme

This eliminates the threshold breakdown problem by exploiting a location-based approach as the fundamental mechanism towards resilient security. The location-binding property constrains the scope for which individual keys can be misused, thus limiting the damage caused by a collection of compromised nodes; however, LBRS assumes that once deployed every node can obtain its geographic location via a location scheme. We comment that such an assumption may not always be practical, because the overhead incurred may be huge if every sensor needs to obtain its geographic location. As an alternative to the LBRS scheme, in this thesis, we propose a sink filtering scheme in clusters of heterogeneous sensor networks. In addition to basic sensors, some powerful data gathering sensors termed cluster heads (CHs) are added. Each aggregation report generated by a CH must carry multiple keyed message authentication codes (MACs); each MAC is generated by a basic sensor that senses the event. The sink node checks the validity of the carried MACs in an aggregation report and filters out the forged report. We analyze the resilience and overhead of the scheme. Both analytical and simulation results show that the scheme is resilient to an increasing number of compromised nodes, without the threshold breakdown problem. We also adopt Poisson Approximation to investigate the performance tradeoff between resilience and overall cost. Suggestions on how to choose the parameters are also given. In addition, the scheme is scalable and efficient in communication, computation and storage.

LBRS is a major improvement over SEF, and mitigates the T-threshold limitation problem in SEF by using location-aware authentication keys. In LBRS, a sensing field is divided into square cells, and each cell is associated with some cell keys that are determined based on the cell's location. Each node stores two types of cell keys. One type contains the keys bound to their sensing cells to authenticate the reports from those cells. The other type contains the keys of some randomly chosen remote cells, which are very likely to forward their reports through the node's residing cell. In LBRS, a forwarding node verifies the received reports and filters out false ones in the same way as SEF.

5.5 Dynamic En-Route Filtering (DEF) Scheme

In sensor networks, adversaries can inject false data reports containing bogus sensor readings or nonexistent events from some compromised nodes. Such attacks may not only cause false alarms, but also drain the limited energy of sensor nodes. Several existing schemes for filtering false reports either cannot deal with the dynamic topology of sensor networks or have limited filtering capacity. In our scheme, a legitimate report is endorsed by multiple sensing nodes using their distinct authentication keys from one-way hash chains.

In the Dynamic En-route Filtering (DEF) scheme, a legitimate report is endorsed by multiple sensing nodes using their own authentication keys. Before deployment, each node is preloaded with a seed authentication key and secret keys randomly chosen from a global key pool. Before sending reports, the cluster head disseminates the authentication keys that will be used for endorsing to forwarding nodes, encrypted with secret keys. The forwarding nodes store the keys if they can decrypt them successfully. Each forwarding node validates the authenticity of the reports and drops the false ones. Later, cluster heads send authentication keys to validate the reports. The DEF scheme involves the usage of authentication keys and of secret keys to disseminate the authentication keys; hence, it uses many keys and is complicated for resource-limited sensors.


5.6 Virtual Energy-Based Encryption and Keying for Wireless Sensor Network

This is a secure network protocol for wireless sensor networks. This protocol minimizes the overhead associated with refreshing keys and uses a one-time dynamic key for each message generated by the source sensor. Virtual Energy-Based Encryption and Keying uses the RC4 encryption mechanism to provide simple confidentiality of the packet. The key for the encryption is obtained from the Virtual Energy based keying module. The receiving node must keep track of the energy of the sending node to decode and authenticate a packet. When a forwarding node receives the packet, it checks its watch list to determine if the packet came from a node it is watching. If not, the packet is forwarded without modification. Virtual Energy-Based Encryption and Keying supports two operational modes, Virtual Energy-Based Encryption and Keying-I and Virtual Energy-Based Encryption and Keying-II. In Virtual Energy-Based Encryption and Keying-I mode all nodes watch their neighbors. When a packet is received from a neighbor sensor node, its authenticity and integrity are verified. Virtual Energy-Based Encryption and Keying-I reduces the transmission overhead as it can catch malicious packets in the next hop itself, but increases processing overhead because of the decoding or encoding that occurs at each hop. In Virtual Energy-Based Encryption and Keying-II operational mode, a node in the network is configured to watch only some of the nodes and it cannot catch malicious packets in the next hop. In Virtual Energy-Based Encryption and Keying-II more energy will be spent on node synchronization, and this occurs as overhead.

5.7 A Bandwidth-Efficient Cooperative Authentication (BECAN) Scheme

We propose a novel bandwidth-efficient cooperative authentication (BECAN) scheme for filtering injected false data. The proposed bandwidth-efficient cooperative authentication scheme can save energy by detecting and filtering the majority of injected false data early, with minor extra overheads at the en-route nodes. In addition, only a very small fraction of injected false data needs to be checked by the sink, which thus largely reduces the burden on the sink. The bandwidth-efficient cooperative authentication achieves high filtering and reliability when compared with other en-route filtering mechanisms. In bandwidth-efficient cooperative authentication each node requires a fixed number (k) of neighbors for cooperative neighbor router (CNR) based authentication. The bandwidth-efficient cooperative authentication filters injected false data through cooperative authentication of the event report by k neighboring nodes of the source node. The bandwidth-efficient cooperative authentication distributes the en-route authentication to all sensor nodes along the routing path to avoid complexity. This scheme adopts a bit-compressed authentication technique to save bandwidth. The proposed technique is suitable for handling node compromise and filtering injected false data in wireless sensor networks. It also prevents the gang injecting false data attack from mobile compromised sensor nodes using the Ad hoc on-demand distance vector (AODV) routing protocol. The bandwidth-efficient cooperative authentication is not able to address attacks such as selective dropping, false routing information injected by a compromised node, etc.

Analysis about En-Route Filtering Schemes:-

Many en-route filtering schemes have been proposed to reduce false data injection attacks in WSNs. The performance of the en-route filtering schemes can be analyzed based on false data filtering efficiency, false data filtering hops and energy consumption. The statistical en-route filtering (SEF) scheme is the first to address the false data injection attack. SEF has limited filtering capacity and cannot prevent impersonating attacks. In SEF a single shared key is used for generating and verifying MACs. Hence keys may be misused to generate reports. To avoid this problem, a secure ticket-based en-route filtering (STEF) scheme was introduced with the ticket concept. Here a MAC on the report uses a key shared between the en-route node and the BS. STEF produces some additional overhead due to the query-response communication for the ticket traversal. But the storage requirement is very low and STEF can be used in high density networks. The IHA defines a new concept of association among sensor nodes. IHA guarantees that the BS will detect any injected false data packages when no more than t nodes are compromised. In IHA there is only one path from the source cluster to the BS. This scheme requires pre-route interleaved associations maintained between sensor nodes to share the sensor secrets between upper associated nodes and lower associated nodes. Due to the unpredictable nature of the wireless medium it is not possible for a large sensor network to have determined routing paths regularly.

Association among en-route nodes requires global knowledge of the network, which is considered a tedious task. In CCEF the intermediate forwarding nodes are equipped with a witness key which is used to verify the authenticity of the reports. But CCEF has several drawbacks. It relies on fixed paths as IHA does and it needs expensive public-key operations to implement commutative ciphers.

| Filtering scheme | Amount of authentication message | False data filtering hops | Energy efficiency |
|---|---|---|---|
| Statistical En-Route Filtering | Event report contains MAC from all detecting nodes | 90% of false reports are dropped within 20 hops | Saves 80% of energy |
| Dynamic en-route filtering | Event report contains authentication message from all nodes in the cluster | 90% of false reports are dropped within 10 hops | Saves 50% of energy |
| Virtual Energy-Based Encryption and Keying | Energy value of a sending node and node ID | 90% of false reports are dropped within 15 hops | Saves 60-100% of energy |
| BECAN | Each report contains authentication message from all neighboring nodes, each represented with one bit | 90% of false reports are dropped within 15 hops | Saves 80% of energy |

Table 5.2: Analysis of the performance of en-route filtering schemes

DEF has higher filtering capacity. DEF and SEF are independent of topology changes. Also it can only filter the false reports generated by a malicious node without the session key instead of those generated by a compromised cluster-head or other sensing nodes. Dynamic en-route filtering techniques are more attack resilient than static ones; a significant disadvantage is that they increase the communication overhead due to keys being refreshed or redistributed from time to time in the network. There are a lot of reasons for key refreshing, which include updating keys after revocation, refreshing keys to keep them from becoming old, or dynamic changes in the network topology. LBRS suffers a severe drawback: it assumes that all the nodes can determine their locations and generate location-based keys in a short secure time slot. DEF is more complicated than SEF because it introduces an extra control message, and the use of this control message not only increases operation complexity, but also incurs extra overhead. DEF is complicated for resource-limited sensors. BECAN saves energy with reduced bandwidth. BECAN can filter false data injection attacks to some extent but does not detect other attacks caused by a compromised node.

Table 5.2 describes the performance of en-route filtering schemes. The efficiency of an en-route filtering scheme can be determined based on the size of the message used to authenticate the event report, the filtering capacity of each en-route node on the path of data transfer, and the amount of energy consumed for filtering the injected false data. Consumed less energy compared to other schemes. DEF filters the false data as early as possible but the size of the authentication message required for filtering is larger compared to other schemes. Table 3 specifies the case study on en-route filtering schemes.

Existing system for wireless security and attack

We study different existing systems. Once a node is compromised, it is difficult to identify the node, since most of the filtering mechanisms use the symmetric key technique. Usually, wireless sensor networks are deployed in unattended or hostile environments. Therefore, a wireless sensor network is vulnerable to various security attacks such as selective forwarding, Sybil attacks, or wormholes. In other words, the wireless sensor network may also suffer from false data injection attacks. In a false data injection attack, an adversary first compromises several sensor nodes, accesses all keying materials stored in the compromised nodes, and then controls these compromised nodes to inject bogus information and send the false data to the sink, causing upper-level decision errors as well as wasted energy in en-route nodes. For instance, an adversary could fabricate a wildfire event or report wrong wildfire location information to the sink, and expensive resources would then be wasted by sending rescue workers to a non-existing or wrong wildfire location. Therefore, it is crucial to filter the false data as accurately as possible in wireless sensor networks.

The simultaneous flooding of false data into the sink results not only in huge energy wastage in the en-route nodes but also in heavy verification burdens on the sink. It could paralyze the entire network quickly. Therefore, to mitigate the energy waste, the filtering of false data should be carried out as early as possible. It is difficult to find a node once it is compromised, because most of these filtering mechanisms use the symmetric key technique. The compromised node abuses its keys to generate false reports, and the reliability of the filtering mechanisms degrades.

Proposed system:-

In this work, a mechanism that uses a Bloom filter to filter injected false data in WSNs is proposed; it is called the bandwidth-efficient cooperative authentication (BECAN) scheme. This scheme achieves high filtering and reliability compared with the previously reported mechanisms.


Figure 5.4: WSN architecture with different sensor nodes

Architecture model:-

In this model, a typical wireless sensor network architecture is considered, which consists of a sink and a large number of sensor nodes N = {N0, N1, ...} randomly deployed in a certain interest region (CIR) with area S. The sink is a data collection device which has sufficient computation and storage capabilities. The sink is responsible for initializing the sensor nodes and collecting the data. Communication between two sensor nodes is bidirectional when they are within each other's wireless transmission range (R). A sensor node close to the sink can have direct contact with the sink. A sensor node outside the transmission range of the sink has to establish a route to communicate with the sink.


It is not possible for the attacker to generate correct MACs of the other T−Nc distinct categories. The T−Nc key indices in distinct partitions and the T−Nc MACs have to be forged to produce seemingly legitimate reports. To determine how likely it is that an incorrect MAC is detected and the report dropped, the probability that a forwarding node has one of the T−Nc keys has to be computed. In this work, the Bloom filter plays a major role in computing the probability. Forming the route using MAC is the primary task before checking the security of the routing. Once the security of the routing is confirmed, the forwarding of the data from node to node takes place.

Experiments: Security Analysis

The main objective of this work is to effectively filter the injected false data using the BECAN authentication scheme. The pairwise shared security scheme for BECAN is used here. The RSA algorithm is used for generating and establishing pairwise keys in this module.

Simulation Based Bloom Filtering Evaluation

The Bloom filtering probability is tested using a simulation model as

FPR = (Number of false data filtered by en-route nodes) / (Total number of false data)

The results of FPR from the simulation model are as follows.

Simulation Settings: A network simulator is used to study the FPR of the BECAN scheme. In the simulations, 1,000 sensor nodes with a transmission range R are randomly deployed in a CIR of 200 × 200 m². It is considered that each sensor node could be compromised with probability ρ. The list of simulation parameters is provided in Table 5.3. Then, the networks are tested when the number of en-routing nodes in the interest area is varied from 5 to 15 in increments of 1. For each case, 10,000 networks are randomly generated and the average of the Bloom filtering probabilities over all of these randomly sampled networks is reported. The nodes are randomly deployed into a terrain of dimension 200 m × 200 m. The detailed information of the simulation environment is shown in the table. The simulation consists of 100 sensor nodes.

The routing protocol adopted in our simulation is AODV. We preferred AODV as the routing protocol because it does not need any central administrative system to control the routing process. Generally, reactive routing protocols like AODV tend to reduce the control message overhead at the cost of increased latency in finding new routes [19]. AODV also reacts relatively fast to topology changes in the network and updates only the nodes affected by these changes. It also saves storage space and energy.

The destination node checks the integrity of the message m and the timestamp T. If the report is correct, the destination node forwards it to its upstream node. If the timestamp is out of date, the report (m, T, MAC) will be immediately discarded.



| Parameter | Value |
| --- | --- |
| Simulation area | 200 × 200 m |
| Number of sensor nodes | |
| Transmission range R | |
| Compromised probability | |
| Neighboring nodes k | |
| Routing nodes l | |
| Routing protocol | |
| Data rate | 8.6 Mbps |
| Packet size | 1026 bytes |
| Simulation time | 100 seconds |

Table 5.3: Parameter settings
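The FPR measurement defined above can be reproduced in miniature with a Monte Carlo model. This is an added example, not the essay's simulator: the bit-guessing model, the names simulate_fpr and sweep, and every parameter value are assumptions; k, l and ρ follow the symbols used in the parameter table.

```python
import random

def simulate_fpr(k, l, rho, alpha=1, trials=20000, seed=1):
    """Estimate FPR = false reports filtered en route / total false reports.

    Assumed model: a compromised source forges a report; each of its k
    neighbours is compromised with probability rho, and the attacker can
    compute correct MAC bits only for those. For every honest neighbour it
    must guess alpha bits per en-route node. Each of the l en-route nodes
    is itself compromised with probability rho and then checks nothing.
    """
    rng = random.Random(seed)
    filtered = 0
    for _ in range(trials):
        honest = sum(rng.random() >= rho for _ in range(k))
        for _hop in range(l):
            if rng.random() < rho:
                continue  # compromised en-route node forwards blindly
            # A guess of alpha bits is right with probability 2**-alpha.
            if any(rng.getrandbits(alpha) != 0 for _ in range(honest)):
                filtered += 1  # wrong bit detected: report dropped here
                break
    return filtered / trials

def sweep(k, rho, hops=range(5, 16)):
    """FPR for 5..15 en-route nodes, the range used in the essay."""
    return {l: simulate_fpr(k, l, rho, trials=5000) for l in hops}

if __name__ == "__main__":
    # Constructed parameter values; the essay's table leaves them blank.
    for l, fpr in sweep(k=4, rho=0.1).items():
        print(f"l={l:2d}  FPR={fpr:.3f}")
```

When every neighbour is compromised (ρ = 1) the attacker holds all the keys and nothing is filtered en route, which is the limit in which only the sink's own check remains.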

Sink Verification:-

The sink receives the report (m, T, MAC) and checks the integrity of the message m and the timestamp T. If the timestamp is out of date, the report (m, T, MAC) will be immediately discarded. Otherwise, the sink looks up all private keys k_is of N_i, 0 ≤ i ≤ k, and invokes the Algorithm. If the returned value of the algorithm is "accept", the sink accepts the report m; otherwise the sink rejects the report. The reliability of the BECAN scheme using MAC is shown in figure 2. This proposed scheme achieves a 16% increase in reliability compared to the previous one.
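The sink-side check described above, as an added example rather than the essay's own algorithm. The essay does not name the MAC algorithm or the layout of the MAC field, so HMAC-SHA256 truncated to TAG_BYTES, one tag per node N_0..N_k, the freshness window MAX_AGE and all function names are assumptions.

```python
import hashlib
import hmac
import struct

MAX_AGE = 30     # seconds a report stays fresh (assumed value)
TAG_BYTES = 4    # truncated tag length per node (assumed value)

def node_tag(key, m, t):
    """Tag contributed by one node N_i: truncated HMAC over T || m."""
    data = struct.pack(">Q", t) + m
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_BYTES]

def build_report(m, t, keys):
    """Source side: one tag per node N_0..N_k, concatenated as the MAC field."""
    return m, t, b"".join(node_tag(k, m, t) for k in keys)

def sink_verify(report, sink_keys, now):
    """Return 'accept' or the reason the sink rejects the report."""
    m, t, mac = report
    # Freshness first: stale and future-dated reports are dropped unverified.
    if not 0 <= now - t <= MAX_AGE:
        return "reject: timestamp out of date"
    if len(mac) != TAG_BYTES * len(sink_keys):
        return "reject: malformed MAC field"
    ok = True
    for i, key in enumerate(sink_keys):
        got = mac[i * TAG_BYTES:(i + 1) * TAG_BYTES]
        # Check every tag in constant time so timing does not show which failed.
        ok &= hmac.compare_digest(got, node_tag(key, m, t))
    return "accept" if ok else "reject: bad MAC"

# Constructed sample data: source N_0 plus k = 4 neighbours.
KEYS = [bytes([i]) * 16 for i in range(5)]
NOW = 1_700_000_000
GOOD = build_report(b"event:temp=71C;loc=(12,40)", NOW - 5, KEYS)

if __name__ == "__main__":
    print(sink_verify(GOOD, KEYS, NOW))
    print(sink_verify(GOOD, KEYS, NOW + 3600))
```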

Performance and Evaluation:-

The computational and communication overhead of the basic scheme is analyzed. Energy saving is always crucial for the lifetime of wireless sensor networks. In this module, the performance of the proposed BECAN scheme is evaluated in terms of energy efficiency. In this scheme, the security is checked first, and then the throughput and delay of the packet ratio are checked. The graph analysis report is given below. The energy consumption in non-interactive key pair establishment and the energy consumption in transmission are evaluated. It is observed that the BECAN scheme could be applied to other fast distributed authentication scenarios. We have evaluated our proposed scheme based on the Bloom filter mechanism in terms of Packet Delivery Ratio, Throughput, End-to-End Energy, and End-to-End Latency. We have found a remarkable improvement in their performance.

Packet Delivery Ratio

Packet Delivery Ratio (PDR) is the ratio of the data packets delivered to the destinations. The PDR shows how successfully a protocol delivers packets from source to destination. A higher value gives better results. This metric characterizes both the completeness and correctness of the routing protocol, and also its reliability, by showing its effectiveness. The scenario has been set up for 100 nodes. When the simulation is started, the route discovery process of AODV is carried out and the report forwarding nodes are chosen. The environment is then ready for the sensor nodes to sense events and report them to their respective upstream nodes. As the simulation time progresses with malicious node activity, it completely drops the false injected data.

Hence, the Packet Delivery Ratio is analyzed in different scenarios, such as with the BECAN scheme without the Bloom filter and with the BECAN scheme with the Bloom filter. A 17% increase in the Packet Delivery Ratio is observed after the en-route mechanism is employed using MAC based on the Bloom filter. This is because, when reports are verified by every destination node before it forwards them to its upstream nodes, it is difficult for an attacker to forge a false injected event that has not happened. Hence, through the en-route mechanism, false reports are identified and thereby eliminated before they are forwarded to their destination nodes.


Throughput

Throughput is the amount of data transferred from one place to another or processed in a specified amount of time. It is defined as the average rate of successful message delivery over a communication channel, or the sum of the data rates that are delivered to all nodes in a network. As there is heavy packet loss in the presence of malicious activity, the throughput of the network declines to 40 percent. The throughput of the network suffers greatly because of false report injection attacks. A false report injection attack degrades the throughput level because of the single illegitimate MAC offered to the node. There is a great vulnerability of reports being dropped by a legitimate node. En-route filtering mechanisms achieve a throughput increase of 20% in the proposed scheme.

Average End-to-End Delay

There are possible delays caused by buffering during route discovery latency, queuing at the interface queue, retransmission delays at the MAC, and propagation and transfer times. Average end-to-end delay is the average delay of data packets from end to end. Once the time difference between every CBR packet sent and received is recorded, dividing the total time difference by the total number of CBR packets received gives the average end-to-end delay for the received packets. This metric describes the packet delivery time: the lower the end-to-end delay, the better the application performance. The same scenario is maintained, and the average end-to-end delay is computed by varying the number of attackers. The delay in the en-route mechanism is found to be comparatively less than that of the normal scenario because, when the destination node finds a false report in the path, it breaks the path by discarding the report. Generally, reactive protocols like AODV tend to reduce the control traffic message overhead at the cost of increased latency in finding new routes. But with the proposed en-route mechanism, a decrease of 0.6 seconds is observed in the reception of sensed reports at the base station.

End-to-End Energy

Energy savings are assessed through the total energy consumption of the BECAN scheme using MAC. The total energy consumed for all the protocols is directly proportional to the number of transmissions, which is the sum of the number of data packets sent and the number of control packets sent per node. We propose to use a novel bandwidth-efficient cooperative authentication (BECAN) scheme that significantly reduces the energy consumption in wireless sensor networks without reducing the number of packets that meet end-to-end real-time deadlines. The proposed scheme maximizes energy savings by adaptively waiting for packets from upstream nodes to perform in-network processing without missing the real-time deadline for the data packets. We also use the AODV routing protocol so that nodes adapt to network traffic to maximize energy savings in the network. Simulation results show that the proposed scheme improves the energy savings in sensor networks where events are sensed by multiple nodes and spatial or temporal correlation exists among the data packets.

A different BECAN scheme, based on the Bloom filter, is proposed for filtering the injected false data. This proposed approach is efficient and can be used for making theoretical analysis of relevant works. It is observed from the experiments that the BECAN scheme can achieve better en-route filtering probability and improved reliability with multi-reports. The packet delivery ratio, end-to-end latency and throughput of the proposed system are obtained in the simulation experiments. The results show that the proposed system performs impressively on energy consumption, security of data and communication cost. BECAN can also be applied to other distributed authentication scenarios. It prevents unauthorized access through false data injection attacks from mobile compromised sensor nodes through routing protocols.