Malicious collusion attack resisting method based on correlation theory in wireless sensor network

Document No.: 927219. Publication date: 2021-03-02.

Reading note: this technology, "Malicious collusion attack resisting method based on correlation theory in wireless sensor network", was designed by 童丽媱, 赖英旭 and 刘静 on 2020-09-30. Main content: The invention discloses a malicious collusion attack resisting method based on correlation theory in a wireless sensor network. First, based on temporal correlation, second-order divided difference filtering is used to obtain a time series of the abnormal conditions of same-type sensor data. Then, malicious nodes are detected based on spatial correlation; this scheme comprises two main stages: D-S detection over the close-range attribute sensors, and closeness detection of behavior sequences among distant nodes within the cluster. Finally, the malicious nodes are verified based on event correlation. The invention exploits the weakness that a collusion FDI attack in a WSN has a limited attack range and takes advantage of comprehensively mining the correlations among nodes; it performs well in WSN malicious node detection.

1. A malicious collusion attack resisting method based on correlation theory in a wireless sensor network, characterized in that:

first, because the data of same-type sensors is temporally correlated, abnormal data of same-type sensor nodes can be detected; since the environmental information acquired by the sensing nodes is periodic in time, abnormal data in same-type sensors is detected by modeling the historical data acquired by the sensing nodes;

then, using the abnormal conditions of each attribute's data within the nodes, malicious nodes are detected through the spatial correlation among the nodes; if a collusion FDI attack exists in the event environment, the associated fusion value of an attacked node deviates from that of the other surrounding nodes, and the collusion FDI attack is thereby identified; the detection of malicious nodes is realized by analyzing the abnormal conditions of the nodes and their associated fusion values;

finally, based on event correlation, the advantages of temporal and spatial correlation are considered together, and the malicious nodes in the WSN are verified through the fault nodes.

2. The method for defeating collusion attack based on correlation theory in a wireless sensor network according to claim 1,

an iterative state estimation scheme is constructed on the prediction model using the DDF-2 algorithm; the node constructs the normal range of the next received data from the predicted data state and a preset threshold, and when the received data falls outside that range the node judges the data to be abnormal; through continuous cyclic updating, an iterative erroneous-data detection mechanism based on threshold judgment is formed at the sensing node, which corrects and evaluates the predicted state value of the model, the evolution direction of the system being corrected using the measured value and the posterior estimate;

the temporal-correlation-based abnormal data detection process for same-type sensors comprises the following steps:

a. acquiring time series dynamic data of the observed system by methods such as observation, investigation, statistics and sampling;

b. judging whether the time series is stationary and, if not, differencing it d times until the series is stationary;

c. plotting correlograms from the processed series data, performing correlation analysis, and obtaining the autocorrelation coefficient plot and the partial autocorrelation coefficient plot;

d. determining the coefficients p and q of the model according to the obtained correlograms and rules;

obtaining the model ARIMA(p, d, q), with the formula:

$$\phi_p(B)(1-B)^d Z_t = \theta_q(B)\,a_t$$

where d is the number of differences, B is the backshift operator, $a_t$ is a white noise sequence, and $Z_t$ is the observed sequence;

e. performing a white noise test on the built model to determine whether the model is usable.

DDF-2 is computed on the obtained model to predict the data: from the obtained state equation and measurement equation, the dispersion matrix, prior estimate and estimation error at time t-1 are calculated; the estimation error at time t is then calculated from these results and compared with a preset threshold; if it exceeds the threshold the data is judged abnormal, otherwise normal; a binary abnormal/normal sequence is thus obtained, and the step is repeated cyclically for updating; the specific steps are as follows:

a) for the posterior value at time t-1 and the estimation error, calculating a dispersion matrix;

b) computing the prior estimate at time t and its estimation error;

c) taking the difference between and the measured value $Z_t$ and comparing it with a threshold value; returning abnormal if the threshold is exceeded, otherwise returning normal;

d) updating and repeating the cycle, thereby detecting abnormal conditions of the sensor data in the WSN.

3. The method for defeating collusion attack based on correlation theory in a wireless sensor network according to claim 1,

for each node there is sample data X, namely the abnormal-condition sequence of the previous stage, which contains T groups of data; each group of data has N attributes, and the weights of the N attributes are $\rho_n$, $n = 1, 2, \ldots, N$; let the weight of each group of data be; the weights of the samples change after multiple iterations;

the sensor can generate T groups of behavior data, and each group of data has N attribute features;

each column of the matrix represents an attribute and each row represents the abnormal condition of each attribute at the current moment, so the values in the matrix indicate, along the time axis, whether the attribute data is abnormal: 0 for abnormal and 1 for normal;

wherein the i-th group of data is denoted $[x_{i1}, x_{i2}, \ldots, x_{iN}]$; using a weighted average, the attribute weight $\rho_n$ of each sample, the weight of the group of data at the current iteration and the sample data $x_{in}$ are multiplied together and divided by a normalization factor, which gives the component center of gravity of the sample, meaning the feature representation of a group of data for each attribute sample at the p-th iteration;

using the Euclidean distance, the center-of-gravity deviation $d_{p+1}$ of the sample between the two adjacent iterations p and p+1 is obtained.

4. The method for resisting malicious collusion attack based on correlation theory in wireless sensor network according to claim 1, wherein whether a node is malicious depends on its evaluation by the remaining nodes in the cluster, that is, the evaluation of node j comes from fusing the associated values that the other nodes in the cluster hold for it;

calculation methods for the correlation coefficient $G_{i,j}$ and the weight $\omega_k$ are designed; based on the number of normal/abnormal data of the nodes over a period of time, under the condition that the number of normal nodes is stable, the expression rapidly approaches 0 as the number of anomalies increases, which indicates that abnormal conditions of a node rapidly increase the likelihood that the node is malicious; when the ratio of $r_{ij}(\Delta t)$ to $u_{ij}(\Delta t)$ is high, the judgment of malicious nodes is not greatly affected, so the influence of node faults can be eliminated; at the gateway, the max-min closeness theory is used to measure the similarity of each evaluating node to the evaluated node j within the same monitoring period.

5. The method for resisting malicious collusion attack based on correlation theory in wireless sensor network according to claim 1, wherein in the WSN, if the Euclidean distance between two nodes is smaller than the sensing radius of the node, the two nodes are neighbor nodes; if there exists a node $s_m$ that is a neighbor node of $s_k$, where $s_m$ is a normal node and $s_k$ is a failed node, then node $s_k$ can be taken as a demarcation point between the fire area and the non-fire area; the area formed by a plurality of demarcation points is the area where the fire occurs;

(1) calculating the center coordinates of the coverage area from the coordinates of the boundary points;

(2) calculating the distance between the central node and each demarcation point, and taking the maximum distance value as the radius;

therefore, the area where the fire occurs is the circular area with center $(x_c, y_c)$ and radius r.

6. The method for resisting malicious collusion attack based on correlation theory in the wireless sensor network according to claim 5, wherein a temperature field is established by using a kriging interpolation method, and the temperature range of the fire scene can be determined from the temperature field information; for $s_k \in s_i$, $i = \{1, 2, \ldots, n\}$, if node $s_k$ detects a fire, then the temperatures of node $s_k$ and of its neighbor nodes are within the temperature range of the fire; if this correlation does not hold, node $s_k$ is judged to be a malicious node.

Technical Field

The invention belongs to the field of malicious node detection in a wireless sensor network, and particularly relates to a correlation theory-based malicious collusion attack resistance method and system.

Background

Wireless Sensor Networks (WSNs) integrate advanced technologies such as microelectronics, embedded systems, modern networking and wireless communications, and are therefore widely used in fields such as environmental monitoring, scientific observation and traffic monitoring. A WSN is composed of many low-cost, small nodes and can generally be divided into three parts: sensing nodes, cluster head nodes and a gateway. The sensing nodes acquire environmental information in their coverage area, the cluster head node processes it, and the cluster head finally sends the processed information wirelessly to the gateway, which responds. Through these steps the environment can be monitored.

Since the nodes are usually exposed to an uncontrolled external environment, and physical resources such as the energy, computing power, storage capacity and communication capacity of the sensor nodes are very limited, the sensor nodes are extremely susceptible to interference from environmental factors and to deliberate, malicious data corruption. For these two situations, abnormal nodes in a WSN can be divided into two categories. One is a node that is abnormal because it cannot work normally or because an event (for example, a fire) has occurred; such a node is called a fault node. The other is a malicious node which, unlike a fault node, can modify detection data at will and intentionally generate false reports, affecting the monitoring of the environment. Malicious node attacks include Challenge Collapsar (CC) attacks, distributed denial of service attacks, false data injection attacks, black hole attacks, Sybil attacks and the like.

Intrusion detection systems studied to date show good detection and defense against these attacks, but they do not perform well against highly coordinated collusion attacks. Because the overall performance and decisions of the system often depend on the data collected by the sensor nodes, False Data Injection (FDI) can influence the final decision by injecting false data, and combining FDI with a collusion attack makes the attack behavior highly concealed, increasing the difficulty of detecting malicious nodes.

The data collected by the sensor nodes is correlated, and the correlation can be summarized as temporal, spatial and event correlation. Temporal correlation means that successive samples of the same type of sensor data show a certain continuity, and the data values at adjacent moments are similar. Spatial correlation means that the data collected by sensor nodes that are physically adjacent in the monitoring area is highly similar. Spatial correlation can be divided into close-range spatial correlation (correlation between different attributes in the same sensing node) and long-range spatial correlation (correlation between different nodes in the same area). Event correlation means that the occurrence of an event (such as a fire) causes the data of the nodes around the event to change in a correlated way. Because these three correlations distinguish node behaviors and node identities well, the invention addresses the collusion FDI attack problem in WSNs according to correlation theory.

Disclosure of Invention

In order to detect malicious nodes in the WSN, the invention provides a collusion attack resisting method based on correlation theory. Malicious nodes in the WSN are detected in a distributed manner, as shown in FIG. 1. Distributed detection spreads the detection tasks over three parts (sensing nodes, cluster heads and the gateway), realizing hierarchical processing of the data. Because distributed detection spreads the data and consumes less energy, the invention uses this approach to build a model that resists collusion FDI attacks. The sensing nodes collect the environmental information and upload it to the cluster heads for the relevant calculations. Finally, the cluster head uploads the calculation result to the gateway, which responds.

To achieve this purpose, the technical scheme adopted by the invention is a correlation-theory-based malicious collusion attack resisting method. The model that implements the method consists of three parts, namely the sensing nodes, the cluster head and the gateway, and malicious nodes are detected through temporal, spatial and event correlation. As shown in FIG. 2, the detection principle can be described from these three points of view. The sensing nodes in the WSN are responsible for collecting the environmental information. Step 21 is based on temporal correlation: because the environmental information collected by the sensing nodes is periodic in time, the historical data collected by a node is modeled and a second-order divided difference filter (DDF-2) algorithm is used to construct an iterative state estimation scheme on the prediction model; this corrects and evaluates the predicted state value of the model, and using the measured value and the posterior estimate to correct the evolution direction of the system effectively reduces the estimation error. In step 22, based on spatial correlation, the cluster head fuses the abnormal conditions of the attribute data using D-S evidence reasoning to obtain the abnormal condition of each node. From the abnormal conditions of the nodes, closeness theory is introduced to obtain the associated fusion value of each node, thereby detecting malicious nodes. Step 23 is based on event correlation and considers the advantages of temporal and spatial correlation together. In a fire, the position of the fire is determined through the fault nodes, and the development of the event is observed using the nearby temperature field, so that the malicious nodes in the WSN are verified.

The method exploits the weakness that a collusion FDI attack in a WSN has a limited attack range and takes advantage of comprehensively mining the correlations among nodes; it performs well in WSN malicious node detection.

Drawings

FIG. 1 is a distributed detection model of the present invention.

FIG. 2 is a flow chart illustrating correlation calculation according to the present invention.

Fig. 3 is a schematic flow chart of detecting a malicious node according to the present invention.

FIG. 4 is a graph showing the results of the experiment of the present invention.

Detailed Description

The present invention will be described in detail below with reference to specific embodiments shown in the drawings.

FIG. 3 is a flowchart of the overall calculation, which includes:

Step 31: detecting abnormal conditions of the node data based on temporal correlation.

Because the data of the same sensor node is temporally correlated, the invention introduces DDF into LFDD to detect abnormal conditions of the node data. First, an Autoregressive Integrated Moving Average (ARIMA) model is established, and the predicted state value of the ARIMA model is corrected and evaluated through DDF-2; the node constructs the normal range of the next received data from the predicted data state and a preset threshold, and judges the data to be abnormal when the received data falls outside that range.

Establishing the ARIMA model comprises the following steps:

a. acquiring time series dynamic data of the observed system by methods such as observation, investigation, statistics and sampling;

b. judging whether the time series is stationary and, if not, differencing it d times (subtracting the previous time step from the next) until the series is stationary;

c. plotting correlograms from the processed series data, performing correlation analysis, and obtaining the autocorrelation coefficient plot and the partial autocorrelation coefficient plot;

d. determining the coefficients p and q of the model according to the obtained correlograms and rules.

This gives the model ARIMA(p, d, q), with the formula:

$$\phi_p(B)(1-B)^d Z_t = \theta_q(B)\,a_t$$

where d is the number of differences, B is the backshift operator, $a_t$ is a white noise sequence, $Z_t$ is the observed sequence, p and q are the model coefficients, and $\phi_p(B)$ and $\theta_q(B)$ are polynomials in the backshift operator.

e. performing a white noise test on the built model to determine whether the model is usable.

DDF-2 is then computed on the obtained model to predict the data. From the obtained state equation and measurement equation, the dispersion matrix, prior estimate and estimation error at time t-1 are calculated; the estimation error at time t is then calculated from these results and compared with a preset threshold. If it exceeds the threshold the data is judged abnormal, otherwise normal; this yields a binary abnormal/normal sequence, and the step is repeated cyclically for updating.

With this scheme, abnormal conditions of the sensor data in the WSN can be detected.
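The predict, compare and update loop of step 31 can be sketched as follows. This is an added example, not code from the patent: a scalar Kalman filter on a random-walk model stands in for the ARIMA/DDF-2 predictor, and the noise variances, threshold, sample readings and the choice to skip the update on abnormal samples are all assumptions.

```python
"""Prediction-residual thresholding on one sensor's readings (added example).

A scalar Kalman filter on a random-walk model stands in for the ARIMA/DDF-2
predictor (assumption). Q, R, THRESHOLD and SAMPLE are constructed values.
"""

Q = 0.01          # process-noise variance (assumed)
R = 0.10          # measurement-noise variance (assumed)
THRESHOLD = 3.0   # preset residual threshold, in sensor units (assumed)

# Constructed temperature readings; samples 4 to 6 carry injected values.
SAMPLE = [20.0, 20.1, 20.2, 20.1, 35.0, 35.2, 34.9, 20.3, 20.2]


def flag_series(measurements, q=Q, r=R, threshold=THRESHOLD):
    """Return (flags, residuals) with the page's encoding: 1 normal, 0 abnormal."""
    if not measurements:
        return [], []
    x_post = measurements[0]        # posterior estimate at time t-1
    p_post = 1.0                    # its error variance
    flags, residuals = [1], [0.0]   # the first sample only initialises the filter
    for z in measurements[1:]:
        # Prior estimate at time t and its error variance.
        x_prior = x_post
        p_prior = p_post + q
        # Difference between the measurement and the prediction.
        residual = z - x_prior
        residuals.append(residual)
        if abs(residual) > threshold:
            # Outside the normal range: flag it and keep it out of the state
            # (assumption), so a sustained injection keeps being flagged.
            flags.append(0)
            x_post, p_post = x_prior, p_prior
            continue
        # Inside the normal range: correct the state with the measurement.
        flags.append(1)
        gain = p_prior / (p_prior + r)
        x_post = x_prior + gain * residual
        p_post = (1.0 - gain) * p_prior
    return flags, residuals


if __name__ == "__main__":
    flags, residuals = flag_series(SAMPLE)
    for z, f, e in zip(SAMPLE, flags, residuals):
        print(f"{z:6.1f}  residual={e:7.2f}  {'normal' if f else 'ABNORMAL'}")
```

The returned list is the per-sensor binary sequence that the spatial-correlation stage consumes.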

Step 32: identifying the malicious nodes based on spatial correlation.

Using the detection results of the above scheme, malicious nodes are distinguished from fault nodes through the spatial correlation among the nodes. The detection is divided into two stages: D-S detection based on short-distance multi-source information, and closeness detection based on long-distance intra-cluster nodes. In the first stage, starting from the time-processed detection results of the previous part, Adaboost is used to classify the data of each attribute dimension and to adjust the weights used in fusion, and the abnormal condition of the node is detected according to the D-S fusion rule; in the second stage, malicious and fault nodes in the cluster are distinguished by calculating the similarity between the nodes in the cluster.

Step 321: improving D-S evidence theory based on the Adaboost algorithm.

The invention provides a method of adjusting the weight distribution to handle conflicting evidence, which solves Zadeh's paradox. Before evidence fusion, a weight influence coefficient is first calculated from the center of gravity of the sample, so that the fusion weights of different pieces of evidence are adjusted in advance according to the degree of conflict; then the evidence determined to be in conflict is treated as "hard-to-classify" evidence and reclassified with the Adaboost algorithm. This realizes the detection of abnormal conditions of the nodes in the cluster.

For each node there is sample data (the abnormal-condition sequence of the previous stage) comprising Z groups of data; each group has several attributes whose weights are equal initially, and the weights of the samples change after multiple iterations. Giving each feature value the same weight yields the center of gravity of the data component vector at the p-th iteration. Using the Euclidean distance, the center-of-gravity deviation $d_{p+1}$ of the sample between the two adjacent iterations p and p+1 is obtained, and $d_{p+1}$ is compared with the set Euclidean distance threshold d to judge whether conflicting evidence exists.

(1) When $d_{p+1} > d$, conflicting evidence exists:

let l be the correction factor, then:

As the distance d increases, l increases, indicating that the weight given to hard-to-distinguish data in the p-th iteration is too large; the weight of the p-th observed data is adjusted according to the size of l.

The weight calculation formula after adjustment is as follows:

where $g(x_i)$ is a weak classifier for $x_i$.

The adjustment factors are:

wherein

The strong classifier is:

The Adaboost algorithm must ensure that the accuracy of most classifiers is greater than 1/2, so that the final classification error rate of the combined classifier set tends to 0. Therefore, when e is 0 or e > 1/2, the iteration is stopped.

In this scheme the correction coefficient l reduces the weight of conflicting evidence, so the contradiction caused by some extremely conflicting evidence is blurred, the overall judgment of the Adaboost model is not affected, overfitting is reduced, and classification is more accurate.

(2) When $d_{p+1}$ does not exceed d, there is no conflicting evidence, and the Basic Probability Assignment (BPA) of each attribute is calculated directly.

Then, the weights and the abnormal conditions are fused to obtain the BPA of the multi-source information, namely:

Therefore, compared with a multi-attribute weight distribution algorithm based on the information benefit, the BPA of each attribute handles conflicting evidence better, and accuracy is higher because evidence conflict is considered in the two dimensions of time and attribute.

For event A, the abnormal condition of the node is obtained by fusing with the D-S combination rule and judging according to the D-S decision rule.

Step 322: improving the node association fusion value algorithm based on closeness theory.

The invention detects malicious nodes by designing a method for calculating the similarity between the nodes in a cluster and by introducing the concept of closeness, thereby detecting malicious nodes in the WSN according to long-distance spatial correlation.

First, a method for calculating the similarity between the nodes in a cluster is designed; it severely penalizes the occurrence of abnormal conditions at a node and effectively reduces the influence of fault nodes on detection.

Then, fuzzy closeness theory is introduced on the basis of the spatial correlation between the nodes in the cluster. The invention introduces the max-min closeness into the calculation of the spatial correlation of the nodes. The proportion each node takes in the fusion is determined by the degree of association of the nodes in the cluster: if malicious nodes are colluding, the similarity between the malicious nodes deviates obviously and can be identified, and a smaller weight is given to it, so the influence of the collusion attack is effectively weakened.

Whether a node is malicious depends on its evaluation by the remaining nodes in the cluster, that is, the evaluation of node j comes from fusing the associated values that the other nodes in the cluster hold for it.

where $G_{i,j}$ is the correlation coefficient and $\omega_k$ are the weights.

Calculation methods for the correlation coefficient $G_{i,j}$ and the weight $\omega_k$ are designed. First, the correlation coefficient is calculated as follows:

where $r_{ij}(\Delta t)$ is the number of normal data of the node over a period of time, and $u_{ij}(\Delta t)$ is the number of abnormal data of the node over a period of time.

Based on the number of normal/abnormal data of the nodes over a period of time, under the condition that the number of normal nodes is stable, the expression rapidly approaches 0 as the number of anomalies increases, which indicates that abnormal conditions of a node rapidly increase the likelihood that the node is malicious; when the ratio of $r_{ij}(\Delta t)$ to $u_{ij}(\Delta t)$ is high, the judgment of malicious nodes is not greatly affected, so the influence of node faults can be eliminated.

The invention introduces closeness theory in order to optimize the weight that each inter-node correlation coefficient carries in the overall judgment. At the gateway, the max-min closeness theory is used to measure the similarity of each evaluating node to the evaluated node j within the same monitoring period. The weight thus obtained should contain all the information about how closely node j is associated with the other nodes, as follows:

where $\sigma_{k,l} = \min\{G_{k,j}, G_{l,j}\} / \max\{G_{k,j}, G_{l,j}\}$, and $\omega_j$ satisfies
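How the max-min closeness $\sigma_{k,l}$ pulls weight away from a deviating minority of evaluators can be seen in the following added example, which is not code from the patent. The page's weight and fusion formulas did not survive on this page, so the normalised row-sum weights and the weighted-sum fusion used here are assumptions, as are the sample $G_{k,j}$ values.

```python
"""Max-min closeness weighting of the evaluations of node j (added example).

Only sigma_{k,l} = min/max is taken from the page. The weight form (row sums
of sigma, normalised to 1) and the fusion (weighted sum) are assumptions.
"""

# Constructed G_{k,j} values: n1..n3 agree, n4 and n5 deviate together.
G_SAMPLE = {"n1": 0.90, "n2": 0.88, "n3": 0.92, "n4": 0.15, "n5": 0.20}


def closeness(g_k, g_l):
    """sigma_{k,l} = min{G_kj, G_lj} / max{G_kj, G_lj}; 1.0 if both are 0."""
    hi = max(g_k, g_l)
    return 1.0 if hi == 0 else min(g_k, g_l) / hi


def closeness_weights(g):
    """Map evaluator id -> weight, from its closeness to all other evaluators."""
    for value in g.values():
        if not 0.0 <= value <= 1.0:
            raise ValueError("correlation coefficients are assumed to lie in [0, 1]")
    ids = sorted(g)
    if len(ids) == 1:
        return {ids[0]: 1.0}
    support = {
        k: sum(closeness(g[k], g[l]) for l in ids if l != k)
        for k in ids
    }
    total = sum(support.values())
    if total == 0:
        # No evaluator agrees with any other: fall back to equal weights.
        return {k: 1.0 / len(ids) for k in ids}
    return {k: support[k] / total for k in ids}


def fused_value(g):
    """Closeness-weighted fusion of the evaluators' coefficients for node j."""
    weights = closeness_weights(g)
    return sum(weights[k] * g[k] for k in g)


def plain_mean(g):
    """Unweighted baseline for comparison."""
    return sum(g.values()) / len(g)


if __name__ == "__main__":
    for k, w in closeness_weights(G_SAMPLE).items():
        print(f"{k}: G={G_SAMPLE[k]:.2f}  weight={w:.3f}")
    print(f"plain mean  = {plain_mean(G_SAMPLE):.3f}")
    print(f"fused value = {fused_value(G_SAMPLE):.3f}")
```

With the constructed values, the two deviating evaluators together carry about 0.28 of the weight instead of the 0.40 they would have under equal weighting.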

Step 33: verifying the malicious nodes based on event correlation.

In order to improve the accuracy of the detection scheme, the malicious nodes are verified according to the event correlation among the nodes.

Step 331: determining neighbor nodes.

In the WSN, if the Euclidean distance between two nodes is smaller than the sensing radius of the node, the two nodes are neighbor nodes of each other. If there exists a node $s_m$ that is a neighbor node of $s_k$, where $s_m$ is a normal node and $s_k$ is a failed node, then node $s_k$ can be taken as a demarcation point between the fire area and the non-fire area. The area formed by the plurality of demarcation points is the area where the fire occurs.

Step 332: verifying the detection result based on the temperature field.

A temperature field is established using kriging interpolation, and the temperature range of the fire scene is determined from the temperature field information. For $s_k \in s_i$, $i = \{1, 2, \ldots, n\}$, if node $s_k$ detects a fire, then the temperatures of node $s_k$ and of its neighbor nodes are within the temperature range of the fire; if this correlation does not hold, node $s_k$ is judged to be a malicious node.
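Steps 331 and 332 are sketched below as an added example that is not code from the patent. The node layout, sensing radius and fire temperature range are constructed; the range is given directly rather than derived by kriging, the circle center is taken as the centroid of the demarcation points, and the neighbor check uses a majority fraction, all of which are assumptions.

```python
"""Event-correlation check of fire reports (added example, constructed data)."""
import math

SENSING_RADIUS = 15.0       # metres (assumed)
FIRE_RANGE = (60.0, 400.0)  # deg C; stands in for the kriging-derived range


def _n(x, y, status, temp, fire):
    return {"x": x, "y": y, "status": status, "temp": temp, "fire": fire}


# Constructed cluster: a fire around (20, 20) and one suspect far from it.
NODES = {
    "f_c": _n(20, 20, "failed", 180.0, True),
    "f_w": _n(10, 20, "failed", 150.0, True),
    "f_e": _n(30, 20, "failed", 160.0, True),
    "f_s": _n(20, 10, "failed", 150.0, True),
    "f_n": _n(20, 30, "failed", 155.0, True),
    "n_w": _n(0, 20, "normal", 30.0, False),
    "n_e": _n(40, 20, "normal", 31.0, False),
    "n_s": _n(20, 0, "normal", 29.0, False),
    "n_n": _n(20, 40, "normal", 30.0, False),
    "n5": _n(60, 60, "normal", 28.0, False),
    "n6": _n(70, 60, "normal", 27.0, False),
    "s1": _n(65, 68, "suspect", 200.0, True),  # flagged by the spatial stage
}


def distance(a, b):
    return math.hypot(a["x"] - b["x"], a["y"] - b["y"])


def neighbors(nodes, k, radius=SENSING_RADIUS):
    """Nodes whose Euclidean distance to k is smaller than the sensing radius."""
    return [m for m in nodes if m != k and distance(nodes[m], nodes[k]) < radius]


def demarcation_points(nodes, radius=SENSING_RADIUS):
    """Failed nodes that have at least one normal neighbor."""
    return sorted(
        k for k, n in nodes.items()
        if n["status"] == "failed"
        and any(nodes[m]["status"] == "normal" for m in neighbors(nodes, k, radius))
    )


def fire_region(nodes, radius=SENSING_RADIUS):
    """Return (xc, yc, r) of the fire circle, or None if there is no boundary."""
    pts = [nodes[k] for k in demarcation_points(nodes, radius)]
    if not pts:
        return None
    center = {"x": sum(p["x"] for p in pts) / len(pts),   # centroid (assumed)
              "y": sum(p["y"] for p in pts) / len(pts)}
    r = max(distance(center, p) for p in pts)             # largest distance
    return center["x"], center["y"], r


def verify(nodes, k, radius=SENSING_RADIUS, fire_range=FIRE_RANGE, min_fraction=0.5):
    """Check a fire report against the node's own and its neighbors' temperatures."""
    node = nodes[k]
    if not node["fire"]:
        return "no-fire-report"
    nbrs = neighbors(nodes, k, radius)
    if not nbrs:
        return "unverifiable"   # nothing to correlate with
    lo, hi = fire_range
    hot = [m for m in nbrs if lo <= nodes[m]["temp"] <= hi]
    own_ok = lo <= node["temp"] <= hi
    if own_ok and len(hot) / len(nbrs) >= min_fraction:
        return "consistent"
    return "malicious"


if __name__ == "__main__":
    print("demarcation points:", demarcation_points(NODES))
    print("fire region (xc, yc, r):", fire_region(NODES))
    for k in ("f_w", "s1"):
        print(k, "->", verify(NODES, k))
```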

According to the scheme of the invention, the time series of the abnormal conditions of the node data is obtained based on temporal correlation, malicious nodes and fault nodes are distinguished through spatial correlation, and finally the malicious nodes are verified through event correlation.

In the verification experiment, the correlation-based malicious node detection scheme was tested under different proportions of malicious nodes, and its detection rate and false alarm rate were compared with those of different malicious node detection algorithms. We first define the following two evaluation indices:

Detection rate: the number of detected malicious nodes as a percentage of the total number of malicious nodes.

False alarm rate: includes the percentage of correct nodes that were misdetected as malicious nodes and the percentage of malicious nodes that were undetected.

Missed detection rate: the number of malicious nodes taken to be correct nodes, as a percentage of the total number of malicious nodes.

To show the influence of each improved part on the experimental results, the invention observes the change in the detection results when only part of the algorithm is improved, and compares these variants with the scheme of the invention in terms of detection rate and false alarm rate; the comparison results are shown in FIG. 4(a, b and c). The comparison shows that the prediction model and the associated fusion value have a large influence on the experimental results, while the improvement to D-S evidence reasoning has a smaller influence than the other two.

As can be seen from the comparison in FIG. 4(d), the detection rates of the three schemes all show a downward trend as the proportion of malicious nodes increases, and the scheme before improvement declines fastest. Under the same proportion of malicious nodes the scheme of the invention is superior to the other three methods, and compared with the scheme before improvement the detection rate is improved by nearly 20%. The comparison also shows that the correlation-based malicious node detection scheme is superior to the detection schemes based on fuzzy reputation value and on reputation degree, which fully reflects the advantage of detecting malicious nodes based on correlation.

As can be seen from FIG. 4(e, f), the false alarm rate and the missed detection rate for malicious nodes are proportional to the proportion of malicious nodes. Under the same proportion of malicious nodes, the false alarm rate and missed detection rate of the scheme before improvement are higher than those of the other three schemes because its rules are insufficient; because the detection schemes based on fuzzy reputation value and on reputation depend on too many factors, some of which are assumed by their authors, the false alarm rate and missed detection rate of those two schemes are higher than those of the present scheme.

The scheme of the invention fully considers the correlation of the nodes; its false alarm rate is lower than that of the other two schemes and is less than 10 percent, so the scheme of the invention performs better.

It should be understood that although this description is organized by embodiment, not every embodiment contains only a single independent technical solution; the description is written this way for clarity only, and those skilled in the art should treat the description as a whole, as the technical solutions in the embodiments may be combined as appropriate to form other embodiments that those skilled in the art can understand.

The above-listed series of detailed descriptions are merely specific illustrations of possible embodiments of the present invention, and they are not intended to limit the scope of the present invention, and all equivalent embodiments or modifications that do not depart from the technical spirit of the present invention should be included within the scope of the present invention.
