A three-tier scheme for sybil attack detection in heterogeneous IWSN

. Industrial wireless sensor network is a new application of wireless sensor network in the field of industry in recent years. However, IWSN may be subject to different attacks and security risks, among which the Sybil attack is the most harmful type of base attack. According to the characteristics of wireless sensor networks in industrial environment, a new three-tier detection scheme is proposed. In the first-level, all common nodes and Sybil nodes were detected by RSSI-based quadratic difference method. In the second layer, the residual energy-based method is used to continue the detection of the nodes that have been detected in the first-level. The detection of first and second-level high-energy nodes is finally completed by the base station. The simulation results show that our proposed scheme significantly improves network lifetime and effectively improve the detection rate of Sybil nodes.


Introduction
Wireless sensor network (WSN) is a self-organizing distributed network system, which composed of a large number of tiny sensor nodes with wireless communication and computing capabilities [1]. It collects and processes the information from the target area by cooperate with each node. Wireless sensor networks have broad application prospects in military reconnaissance, environmental monitoring, medical health monitoring, agricultural cultivation and industrial production control [2]. The WSN utilized in industrial (IWSN) is used for controlling and monitoring various industrial tasks [3]. Due to the nodes in industry wireless network are self-organizing and self-healing, they can adapt to environmental changes to perform efficiently. IWSN is generally one-time arrangement, and the possibility of later energy supplement is very small. Therefore, how to save energy and extend the survival time of the network has become the primary consideration. To solve this problem, a heterogeneous IWSN is proposed, especially IWSN based on energy heterogeneous. Although we have solved the network problems caused by the conditions of network nodes, in the actual use process, IWSN often suffers from different attacks and security threats, such as Wormhole attack, Hello flood, Sinkhole and Sybil attack. Sybil attack is one of the most harmful and easy attacks. In Sybil attack, malicious nodes are disguised as multiple nodes, for example, by imitating the target node or only by declaring false identity. Therefore, in IWSN, only relying on identity authentication and encryption and other defensive measures is not enough to resist malicious attacks. The effective Sybil attack monitoring scheme is urgently needed to maintain the normal operation of the factory.
At present, various protection mechanisms have been developed to protect sensor nodes from Sybil attack. The Sybil attack was first described by Douceur in the context of peer-to peer networks [4]. In [5], it proposed that wireless sensor networks could use voting for a number of tasks. The Sybil attack could be used to "stuff the ballot box" in any such vote. However, the Sybil node can use multiple identities to vouch for each other, and it would influence the outcome of voting. In [6], it proposed the notion of location-based keys (LBKs) by binding private keys of individual nodes to both compromised nodes IDs and geographic locations. The method is computationally complex and requires many resources per node. In [7], the author argued the node identities are verified simply by analyzing the neighboring node information of each node. In [8], a lightweight solution for Sybil attack problem based on received signal strength indicator (RSSI) readings of messages is proposed.
However, previous studies did not consider how to detect in the energy heterogeneous IWSN. On the contrary, they only considered how to detect Sybil nodes in the heterogeneous network. In order to improve the network life, it is generally deployed as energy heterogeneous network in IWSN deployment.
In this paper, we propose a three-tier detection scheme for heterogeneous IWSN monitoring. Unlike previous schemes, the mechanism does not utilize the neighbor's information or location information. In our scheme, we use three kinds of nodes with different energy levels to form a network, namely normal node, first energy node and second energy node. We use the quadratic difference based on RSSI for detection. In the second layer, the secondary high energy node layer, we use the principle of residual energy to further detect. Finally, the final detection is performed by the base station.

Three-tier detection scheme
In our proposed scheme, Sybil node detection rate, IWSN network life and energy consumption were considered comprehensively. In this scheme, heterogeneous IWSN is composed of three sensor nodes, namely normal node, primary energy node and secondary energy node. In order to ensure that every normal node can communicate with its adjacent second-level high-energy nodes, two first-level high-energy nodes are deployed in the communication range of each normal node, and one second-level high-energy nodes is deployed in the communication range of each first-level high-energy node. Each high-energy node can balance the network cost, help the base station detect Sybil attack node and pass important information, show in figure 1. In our scheme, the second high energy node only receives control packets from the first high energy node. However, only normal nodes are eligible to be selected as cluster heads to participate in other important activities in the network.

Normal node
First-level High-energy node Second-level High-energy node Fig. 1. The network model.

RSSI Detection based on Large-scale Fading Model
In the first layer, we use the large-scale fading model to calculate the RSSI value, thus using RSSI to detect the Sybil node.
One obvious feature of the Sybil attack is that malicious nodes forge multiple identities, which convincing the base station that the data is being transmitted from different nodes. But in fact, the forged identities are nodes in the same geographical location. A method based on RSSI is proposed to detect these malicious nodes.
In actual industrial network environment, the distance between transmitter and receiver is relatively long, so it usually includes path loss and shadow fading problems [9]. Generally, when the relative position between the receiver and the transmitter changes within the range 1~10m, the average power of the received signal basically remains unchanged, but when their relative position changes far beyond the above range, the average power of the received signal will change by several orders of magnitude. Large-scale fading is used to describe the change of the average power value of the received signal, when the distance between the receiver and the transmitter has a large-scale change. The relation between the received signal power Pr and distance d is usually expressed by Eq. 1.
Here,α ≥ 2, is the path loss, can be 3~4. It is generally believed that the actual loss obeys logarithmic normal distribution. In addition to path loss, large-scale fading also includes shadow fading. Shadow fading makes the actual loss to be a random variable. Considering the factors of path loss and shadow fading, the RSSI calculation method under large-scale fading model can be obtained as Eq. 2.
Here, R is the RSSI value calculated by the receiver, P0 is the transmitting power, α is the path loss, d represents the distance between the receiving node and the transmitting node, d0 is the reference distance, which is 1m indoors and 100m or 1km outdoors. represents path loss due to shadow fading, ~(0, 2 ). In the most empirical equations, the standard deviation σ 2 can be 4~12dB.
Assume that at time ti, node N1 transmits control packets to the two adjacent first-level high-energy nodes Fh1 and Fh2. The first-level high-energy nodes receive control packets from N1, and use equation 2 to calculate its RSSI value, and get Eq. 3.
Here, P0 is the transmitting power, α is the path loss, dFh1 represents the distance between the N1 and Fh1, d0 is the reference distance, 1~( 0, 2 ) is the shadow fading.
For Fh2, another first-level high-energy node, which receives the control packet from N1 node, we can also calculate its RSSI value, as shown in Eq. 4. Here, dFh2 represents the distance between the N1 and Fh2, 1~( 0, 2 ), the other parameters are the same as above.
Assume at time tj, node N2 transmits control packets to the two adjacent first-level high-energy nodes Fh1 and Fh2. Similarly, node N2 also can obtain the RSSI D-value from the first-level high-energy nodes Fh1 and Fh2, as shown in Eq. 6. ) + ∆ Here, ∆ = ∆ − ∆ , ∆X~(0,4 2 ). If node N1 is a malicious node, node N2 is its forged Sybil node, according to the Sybil attack principle, node N1 and node N2 are actually in the same physical location. Therefore, into Eq. 7,we can obtain Eq. 8.
As a general rule, the confidence level is usually 95%. When ∆R falls in this range, we think there is a Sybil attack.

Residual energy-based sybil attack detection
In industrial production, in order to ensure the quality and quantity of automated production threads, the detection rate of Sybil attack nodes in WSN is required to reach 100%. We propose a detection scheme based on residual energy, to further detect the Sybil attack node sneaked through the first-order high-energy nodes. This is occurs on the second-order high-energy nodes.
For each Sybil node, it has several different identities, and it transmits multiple control packets to the nearest first-level high-energy nodes to verify its forged identity. If they get away with the first-level high-energy detection, then first-order high-energy node transmits its control packet to the second-level high-energy node. Suppose IDi is represent the every forged identities of the one Sybil node, Ei is represent the residual energy of each identity, the whole structure is shown in Fig.2.
In every control packet, it contains the residual energy and the ID of the forged identity. The control packets of sneaked Sybil nodes and other normal nodes are stored in the first-level high-energy, and continues convey to the second-level high-energy nodes. Second-level high-energy receive these control packets begin to compare the Ei, showed in Fig.3.  From the Fig.3 We can find ID5 and ID7 have the similar energy, but they are different identities. So in the each second-level high-energy node, we set a subtracter in each secondary-level high-energy node. In each round, let the residual energy value of ID1 node be taken as the minuend, and subtract the residual energy value of other nodes respectively. To improve the accuracy, we set the accuracy of the remaining Ei to five decimal places. If the value after subtraction is 0, it indicates that these IDi are the forged identities from the same Sybil node and Sybil attack occurs. The second-level high-energy nodes will put them to the blacklist and prevent them from compete to the cluster heads.
The second-level detection can greatly improve the detection rate of Sybil node, and make up for the missing detection occurred in the first-level high-energy level. But if our first-level high-energy nodes and second-level high-energy nodes are attacked by Sybil node, the control packets that the second-level high-energy nodes eventually transmit to the base station must have been tampered. To prevent this kind of error operation, another scheme is proposed in the base station.

Identity match-based scheme
In the base station, relevant information of each normal node and high-level node is stored. Information about Sybil nodes reported by secondary high-energy nodes to the base station is ultimately processed by the base station. Before the base station receives this information, it first checks the first and second high-energy nodes on the link one by one. Further, check whether the identities of these nodes are consistent with those stored on the base station. If not, an attack is considered to have occurred, and the control packet transmitted by this link is unreliable and cannot be received, the base station then blacklists the first and second-level high-energy nodes which attacked by the Sybil nodes. Then base station free the Sybil nodes which stored in those first and second high-energy nodes, let them re-select the link for detection.
Such a three-tier detection mechanism can ensure that every node is detected, and the base station ultimately needs to detect only the first and second-level high-energy nodes, which greatly reduces the pressure of the base station and prolongs the life of the whole network.

Experimental results and analysis
In this section, we provide a series of simulation results for our proposed scheme. We use a 200×200 square meter geographical area for our network deployment. Our network comprises of n (n=200) normal nodes and s (from 1 to 30) Sybil nodes, 20 first-level high energy nodes, 10 second-level high energy nodes. Normal nodes and Sybil nodes are isomorphic in terms of battery power, storage and processing capabilities.
We evaluate our scheme in terms of number of detected Sybil nodes, total number of candidates and optimal selection of cluster heads, energy consumption, network lifetime, packet loss rate and packet acceptance ratio. Fig. 4 illustrates the effect of s Sybil nodes and their forged identities on the detection rate for an IWSN. The number of Sybil identities from 5 to 25, n=200. The Sybil nodes and normal nodes have the same residual energy 2J. The first-level high-energy nodes have residual energy 5J, and the second-level high-energy nodes are 7J. In Fig.4, we compared the detection rate of Sybil node with that of [ 9] and [10]. Due to the three-tier detection of Sybil node in the proposed scheme, its detection rate is relatively high. With the increase of Sybil nodes, the detection rate is more and more ideal.

Lifetime of the network
Duo to the limited energy of each node in IWSN, once deployed, it is difficult to replenish energy in the later period. Therefore, the life of the network has become an important issue to consider. Inthe authors believes that when more than 97% of nodes die, the network can no longer carry out follow-up works. Therefore, in Fig.5, we compared the method proposed in this paper with the method by M.A.Jan and CAM method, mainly to see which scheme can carry more theoretical experiments before the death of 97% nodes. After about 1.7×10 4 rounds, the nodes in our proposed scheme are not available.

Analysis of energy consumption
The total energy consumption of IWSN is related to the number of Sybil nodes and the number of forged identities. In figure 6, we calculated the energy consumption with and without Sybil nodes. With Sybil nodes, the energy consumption was increased much; the main reason is the Sybil nodes transmitted the control packets. The other reason is the distance from the normal nodes and Sybil nodes to the high energy nodes and the base station. It can lead to the diverse of energy consumption.

Summary
In order to solve the Sybil attack problem in industrial wireless sensor networks, a three-layer detection scheme based on first-level high-energy nodes and second-level high-energy nodes and base station is proposed. Different detection methods are run depending on the size of each level of resources. The first-level high-energy node is detected by the method based on RSSI difference, and the second-level high-energy node is detected by the method based on residual energy. Finally, the base station forms the detection of the first-level high-energy node and the second-level high-energy node. The whole three-tier Sybil attack detection scheme improves the detection of the whole network, improves the detection accuracy, effectively reduces energy consumption and prolongs the network life.