Secure Ired Protocol For Detecting Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Abstract- Nodes of Wireless Sensor Network (WSN) are often deployed in the antagonistic environment, and many nodes are unattended. Due to this nature, nodes are easily tracked by the adversary to initiate clone attack. The clone attack is taken through obtaining the credentials of a node in the WSN. They capture and compromise the node and make replicas of them to launch various attacks through the replicated nodes. The cloned nodes are referred as the clones. The clone attack acts as the basic method to mount a huge insider attack. Therefore, it becomes necessary to detect the cloned nodes that are introduced by the adversary in a sensor network. Many techniques and protocols have been proposed to identify the replicated nodes that are presented in the literature review section. Nevertheless, they do not meet the requirements in detecting the attack. To address this issue, authors of this article have proposed a protocol named Intensified Randomized Efficient Distributed (IRED). The proposed work is carried out in two folds. First, authors have analyzed the properties of the mechanism for detecting cloned nodes. Second, the authors have proposed the IRED protocol. The proposed protocol is the enhancement of RED protocol. Here, authors have focused on preventing the clone attack to pervade. Though the protocol prevents the attack, some attack penetrates into the network. In that scenario, the replicated nodes are detected by IRED. The Empirical results show that the proposed protocol IRED has higher resistance against the attack and also performs better in terms of computation, memory and communication.

Keywords: - WSN security, node replication, clone detection, efficiency, distributed protocol, secure IRED.


Advancements in technology lead a way to design and develop sensor nodes at very low cost along with off-the-shelf hardware. These types of sensor nodes are very convenient to deploy a WSN that is of self-organized and distributed network containing numerous numbers of nodes. These are deployed to carry out various monitoring tasks like pollution levels, structural integrity of buildings, freeway traffic, climatic sensing, home environmental sensing, control in office building, light, motion and moisture monitoring, and so on. There exits significant challenges in the security of WSN. Threat to the WSN can be of two types (1) Application independent and (2) Application dependent. The attacks in the application independent category has influence on broad variety of applications from tracking of objects to battlefield surveillance, whereas possible attacks found in the latter category is routing, node localization, data aggregation, time synchronization, etc.

As the WSN are often deployed in harsh and unattended environment there exist many ways for the adversary to capture and compromise the senor nodes. The compromised nodes are then used to interrupt network operations, insert counterfeit data into the WSN, and snoop on the network communication. In such a scenario, clone attacks are launched by the attacker into the network, in which the attack captures and obtains the keying materials that are secret from a compromised node and stimulate the generation of replicated nodes that share the keying material and other details of the compromised nodes. Through which the nodes of the WSN are replicated in huge quality and spread it throughout the sensor network. On compromising a single node, an adversary can replicate nodes in the network. This type of replication attacks are referred as clone attack. Clone attack is an application independent attack. This attack can be classified through two ways.

A replicated node is considered completely truthful by its neighbors. In fact, the nodes that are honest are not aware of the clone nodes among them without any global countermeasures.

In order to huge number of compromised node an adversaries are not required to compromise large number of nodes. It is more enough to capture and compromise a single node, the cost of compromising the attack has been persistent. Further generation of clones in the network requires and considered very cheap.

It is not trivial to detect the clone attack. The major problem in this type of attack is that the replicas possess all information about the security of the compromised original sensor node. Replicated nodes can pass all the identity check thereby escape from being distinguished from a genuine sensor. Moreover, a smart clone tries to hide itself from being identified by all ways. The replicated nodes cheat the administrator of the network into believing that they are authorized. It is evident that the attacker may distribute the replicated nodes anywhere in the WSN. Therefore, this made the localized and centralized detection scheme do not scale well. In addition to that centralized protocols have the disadvantage of high communication cost and single point failure. Essentially, detection of clone nodes in the sensor network is relatively unnoticed research area. The cost of detection is usually computed in terms of storage and communication overhead caused by the detection mechanism in the network.

In this work, we focus on both prevention and detection techniques name IRED for clone attacks. Before the construction of the IRED protocol, necessary requirement for and desirable properties of the distributed detection protocol is analyzed. The prevention work is carried in the network is as follows. The detection mechanism usually uses the location information of the nodes to detect a cloned node in a static WSN. But in this article, authors proposed a technique to detect the clone before it is introduced in to the sensor network. It is achieved through allowing communication among the node nodes continuously and thereby avoids blocking states among the nodes due to the replicated node attack thereby prevents the adversary to penetrate into the WSN. Due to unavoidable reasons the prevention method drop their power against the clone attack in such case authors used the detection mechanism, where the legitimate nodes autonomously detect the existence of replicated nodes and prohibit them from any further network activity. The proposed technique is designed in such a way that, its iterations are continuous without effectively affecting the performance of the network; also its detection rate is higher. Moreover, extensive simulations are carried out to prove the efficiency and performance measure of detection mechanism.

Remainder of this paper is structured as follows: Section 2 reviews the works that are related to the proposed protocol. Section 3, gives the threat model that the authors assumed in this paper is described. The requirements required to be satisfied by the IRED proposed protocol and their detection strategies are elaborately described in the section 4. Section 5 shows the experimental results of IRED in terms of storage, packet delivery ratio, and detection efficiency. The obtained results are then compared with the existing RED protocol. Finally, section 6 concludes the work along with an outlines of future research directions.


This section deals with the reviews related to the issues of clone detection. Initially, centralized solution was proposed by [2] in that the nodes of WSN collect the details of each node location and their neighbor and send it to the base station. If any two nodes in the list contain the same ID with different location then base station concludes that clone attack has been penetrated into the network. However, this technique has the following drawback.

Single point failure

As the number of messages required for communication with base station was high it implicitly increased the cost of communication

Operational life time of the nodes that where nearer to the base station was shorted. Since those nodes required forwarding enormous number of packets that were from various nodes to base station.

Authors of [3] [1] [2] and [4] have used location detection as a solution to the clone attack detection. Within the neighborhood nodes they have used the voting mechanism to concur the authenticity of a given node. This technique suffers and fails to detect the cloned nodes that were not within the same neighborhood. In article [5] authors have proposed a naïve distribution to detect the clone attack in the network. Here, clone attack was detected from the message packets that were flood into the network. Those packets contain the information about the location with that of its neighbor. If a node X’s neighbor named Y receives a claim that describes the location of the node Z that was found similar to X, but the position was not coherent with X. This scenario leads to the detection of clone attack. Though the technique proposed in [5] performed well in detecting the clone attack it consumed much energy for detection. Since WSN were energy constrained, this technique do not suited well for clone detection.

Similar to clone attack, sybil attack in [1] and [4] also based on the identity. However, both the attacks were independent. A mechanism depending on RSSI was proposed in [8] to address the Sybil attack. Other mechanism such as in [3] [6] [12] [9] and [10] have used authentication. They have used the fixed key knowledge for authentication. Node compromise problem was also focused in [7], [16], [18], and [19]. These node compromise detection technique was taken from intrusion detection system [24] seems to need more overhead when compared to done detection techniques. Some secure current solutions were proposed in [20], [21], [17], and [22] to recover the nodes that were secrecy after node compromising. However, these techniques were not coping with the clone attack.

As the centralized mechanism were also not up to the requirement level. Authors of [5] have introduced the distributed cloned node detection that was not based on naïve distribution. Though, this technique scales good, it does not meet the emerging requirements. To fulfill those requirements [11] have introduced two distributed detection protocol. The two protocols were named as follows.

Randomized Multicast (RM)

Line-Selected Multicast (LSM)

The first protocol selects a group of random nodes to distribute the location of all the nodes in the network. Whereas, LSM used the routing topology of the sensor network in order to find the replicated node. When a node broadcast locally its location, every node that were neighbor to that node signs a copy of its claim containing information about location to a set of selected node. This technique always used random selection. This mechanism requires high communication cost. To overcome this problem LSM was proposed. It used the routing topology of a sensor network to find the replicated nodes. LSM was enhanced by the authors of [15] to increase the probability of detection given by LSM. In [14] an interesting distributed detection protocol termed SET was proposed for node replication attack. Random values generated by BS was influenced by SET to carry out the detection, these values were used to produce cluster heads and cluster. This protocol used generates the cluster iteratively. If an ID of a node present in two different independent clusters, then it was decided that the node having the corresponding ID was cloned. The major problem with this protocol was that, an adversary can exploit the protocol with the aim to revoke the nodes that were not cloned. Due to this reason most of the research scholars have not used SET as their bench mark technique.

Requirements for the detection protocol have been discussed in the article [7]. According to it, LSM fails to satisfy the mentioned requirements. It suffers from some problems that were as listed below.

There exists a higher probability for some nodes in the WSN to act as witness

Also, there exist highest possibilities for an attacker to compromise the witness nodes.

Communication overhead was not evenly distributed among the nodes of the sensor network.

To overcome these disadvantages authors of [13] have proposed a new protocol named randomized, efficient, and distributed (RED) protocol, which also satisfies the requirements of [7]. RED was a self healing mechanism and also it denotes that their performance was better than LSM mechanism in terms of communication, detection, memory and computation.

Research scholars of the article [24] have studied the communication and storage cost the existing replicated node detection algorithms and protocols. In addition to their study they have proposed an optimized approach for distributed detection of cloned nodes. They have investigated on the witness-based detection mechanism. In [25] authors have developed an optimized framework for electing the parameters of the detection mechanism, which reduced the clone attack. They have also showed that the detection method can be described in terms of the following cost.

Influence of leaving the undetected replicated nodes in the sensor network.

The cost in detecting a non-compromised node as compromised node.

Storage and communication cost.

All the techniques that were proposed earlier has an assumption that the nodes deployed in WSN has very less or no mobility (i.e. static nodes). To address the clone attack issue in mobile sensor network, authors of [23] have used Sequential Probability Ratio Test (SPRT). This technique simulates the neighbor of a node that has moved to new location to ask for the claim to measure the probability and decide whether to forward or to drop the claim to base station. SPRT focused the basic idea of mobility of a node that a node do not exceeds the speed of the system configured speed.


Certain amount of nodes is deployed in the network and they pass their information to the sink node that gathers and then forward it to the access point. These access points are responsible to have further communication with the base station and the destination node correspondingly. Authors defined simple yet powerful adversary threat model. The defined attackers are possible to compromise a certain fixed amount of nodes and replicate one or multiple clones into the network. In order to handle with the threat, it would be probable to assume that nodes are tamper-proof. Authors have also assumed that the nodes are stationary, and the adversary would be in and around the network environment such that they can gain the access of access point nearer to BS and launch clone attack. Then, the adversary can compromise single or few nodes through obtaining the cryptographic information of the compromised node by which it produce the clone and insert it into the network. The compromised as well as cloned nodes are fully controlled by the adversary and can communicate with each other at any time. By this way, the attacker changes the data that are required and send it to the access point. Therefore, access-points are made more intelligent to avoid the penetration of an adversary.

In case if the adversaries are more powerful, then the preventing method of IRED drops its power, from where the detecting mechanism starts. The detection mechanism has the assumption that the goal of the adversary is to weaken the detection protocol that is distributed by compromising a minimal subset X of the nodes. The adversary has compromised Y nodes (a set of nodes) already, while TN is the total number of nodes in the sensor network. For every node z, the node request returns the probability that is a witness for next run of the protocol.


This section deals with the requirement and the design of proposed method. Corresponding subsections elaborates the requirement, prevention of clone attack and detection techniques requirement.

Requirement for IRED protocol

The following are the major requirements that should be meet out by the distributed detection mechanism.


Witness distribution


Due to the resource constraints of the sensor network it is often very difficult to design protocol for detection of such attack. Therefore, it is mandatory to produce little overhead on the network. In addition to the above requirement it also required to distribute the overhead to the entire network. Since, during the execution there may be possible for a subset of entire node to experience much higher overhead. If such situation arises then the nodes present in the subset exhaust their energy quickly, as a result those nodes fails to carry out network operation. Further, this is more suitable when memory is considered. If memory overhead is higher for a subset of nodes in the network then it may be possible for these nodes to overflow. During overflow, it is not possible for the node to execute the protocol. These requirements implicitly express that the overhead produced by the detecting protocol should be small and distributed evenly among the nodes.

Witness distribution

Choosing witnesses for detecting the clone attack is the major issue in WSN. If an attacker is able to detect the future witnesses in prior to the detection protocol execution, then it is easier for the adversary to interrupt the network so that the attack is not identified. Here, authors mentioned two different kinds of witness predictions.

Location-based prediction: The probability for a witness of a node does not depend on the geographical location of the corresponding node.

ID-based Prediction: The protocol does not provide any information about the ID of a node in the network, which may be the witness for the protocol for next run.


Before pervading: Prevention

The attackers can be blocked if the access-point is more intelligent that it is capable to block the communication or accepting the data from original and cloned nodes. The assumptions made on access-point is that, it receives or accepts the data packets from original and malicious nodes at different time of interval. The details of those data packets are recorded in data base. The variation in the recorded details makes confusion to the readers. If the access-point is able to block the communication nodes with same ID then it can remove conflict ID and data from the node and also announces all the nodes about the occurrence of replication. In order to obtain access to access-point, an attacker usually tries to insert the cloned node through the intermediate nodes of the network through a multi-hop communication. In such a scenario, if there is no proper updates for the nodes in the network. Then they are not able to have clear idea of the new node entry. In this situation, authors distribute the IRED protocol of prevention method among nodes that validate and prevent the new entry of nodes based on few constrains. Therefore, the cloned node are removed at the access-point itself without affecting the communication among original legitimate nodes.

After Penetration: Detection

In case if the adversaries are more powerful, then the preventing method of IRED drops its power, from where the detecting mechanism starts. Two steps are involved in detection of clone attack. At the first step, among the nodes of the network, a random value is shared. This value is then broadcasted with a centralized mechanism. Once the random value is shared successfully among the nodes then the second step on detection of the clone node is determined.

In the second step, each node signs digitally and broadcast the geographic location and the claim ID. On receiving the broadcast message, they claim a subset of network locations that are selected pseudo randomly. If a claim is sent to a node’s ID that is no longer alive in the network then such claims are lost. First deployed nodes are alone considered for witness. The IRED can easily adapted to work when a particular node is used as the message destination. For the detection purpose the authors have assumed that the messages of a node are sent to another node that is very closer to the sender nodes location. In addition to that, it is also assumed that the protocol never fails and forwarding message is not affected by wormhole attack or by dropping. Moreover, adversaries are capable to manipulate the witness set. However, it consumes more time to compromise those nodes because reaching them the detection protocol efficiently determines and avoid it.


In this section, authors have compared the IRED with RED and showed that IRED performs much better than the RED algorithm in several ways. The experiment is carried out using the software NS2 version 2.35. The simulation is taken with 800 nodes in WSN and communication radius as 0.2. The nodes are uniformly distributed in the network at random manner. The performance of the IRED is computed for the storage, detection accuracy, packet delivery ratio, and true positive.

Storage overhead

The major issue that gains more attention for the detection mechanism is the storage. The detection protocol requires certain amount of memory of all the nodes in order to execute in the corresponding network. It is more important that the detection protocol should get utilize less memory to get executed in the nodes since sensor nodes are normally resource constraints. The Figure 1 explains the storage overhead caused by the IRED and RED detection protocol. It stands evident for the IRED that it needs very less memory and causes very low overhead on the sensor nodes. Therefore, IRED outperforms RED in terms of storage requirements.

D:\1.KATHYAINI\2012\-.12.2012(December)\UMA (AU)\Data from GM\Graph\Rhat-Rendous-2012-12-11-10-52-48.png

Figure 1: Storage overhead

Detection Efficiency

Efficiency of a protocol in detecting the clone attack depends on the density of the traffic, and number of nodes in the sensor network. Figure 2, express efficiency of the proposed algorithm in determining the clone attack at various traffic density. It also expresses that the detection efficiency for the IRED protocol is higher than the RED protocol. Initially, while the traffic is lesser, i.e. lesser than 20% the detection rate of the RED and IRED are the same. Whereas, when the traffic increases more than 20% then the performance of the RED protocol decreases gradually. In case of IRED, the detection efficiency is constant up to the 40% and start decreases only after the traffic density increases more than 40%.

D:\1.KATHYAINI\2012\-.12.2012(December)\UMA (AU)\Data from GM\Graph\Rhat-Rendous-2012-12-11-10-34-50.png

Figure 2: Traffic density Vs. Detection Efficiency

Detection efficiency is also affected by the number of nodes in the network. Figure 3 represents the detection capacity of the protocols for different number of nodes in the network. It is evident that the RED protocol performs better only when there is large number of nodes, whereas it detection efficiency is normal when the number of nodes are lesser. For the IRED protocol the detection efficiency increases the number of node increases continuously.

D:\1.KATHYAINI\2012\-.12.2012(December)\UMA (AU)\Data from GM\Graph\Rhat-Rendous-2012-12-11-10-35-31.png

Figure 3: Number of nodes Vs. Detection efficiency

Packet delivery Ratio

Delivery ratio is the more important factor in WSN. As the sensor nodes are normally deployed with very less storage capacity it may drop the packets when they are overloaded. So the design of the detection protocol should not overload the nodes. If the nodes are overloaded, then the packet delivery ratio gets decreased. Figure 4 portrays the packet delivery ratio of the nodes in the network while executing the detection algorithm. It also shows that the number of packets delivered to the sink node is higher for the IRED protocol even when the traffic increases while comparing with the RED protocol. It explicitly denotes that the IRED protocol has less computation overhead than the RED protocol. Therefore, it can be implemented effectively in the sensor networks.

D:\1.KATHYAINI\2012\-.12.2012(December)\UMA (AU)\Data from GM\Graph\Rhat-Rendous-2012-12-11-10-35-04.png

Figure 4: Packet delivery ratio

True positive

It is essential to find the attack correctly, i.e. the normal operations should not be detected as the clone attack. This measure is computed in the figure 5. It represents that the IRED detect the clone attacks more correctly than the RED protocol.

D:\1.KATHYAINI\2012\-.12.2012(December)\UMA (AU)\Data from GM\Graph\Rhat-Rendous-2012-12-11-10-37-07.png

Figure 5: True Positive


The most daunting problem in sensor network is the clone attack. This attack acts as the basic step to launch a huge insider attack. Various methods are proposed to detect the existence of the clone attack in the network. But those techniques are not satisfying the desirable properties of the detection techniques. In order to detect the clone attack as well as satisfying the detection algorithm techniques authors proposed the IRED protocol. Before designing the protocol for detection, authors have studied the requirements of the detection etiquette. This protocol initially prevents the attack to exist into the network, this technique. Prevention technique present in the access-point of the network to monitor the penetration of attack. Though the detection algorithm effectively blocks the attack earlier, some effective adversary may break the prevention technique and pervade into the network. Such pervaded attacks are detected using the detection technique. They determine the existence of the attack from the witness. The efficiency of the proposed IRED protocol is experimented in terms of storage overhead and the detection capacity in the network. As the IRED protocol is capable of being implemented in a network having very less or no mobility areas out future work concentrates in enhancing the IRED protocol to detect the clone attack in the mobile network.