Intrusion detection system against SinkHole attack in wireless sensor networks with mobile sink

Mohamed Guerroumi
Department of Electronics and Computer Science, University of USTHB
Algiers, Algeria
guerroumi@gmail.com

Abdelouahid Derhab
Center of Excellence in Information Assurance (CoEIA), King Saud University
Riyadh, Kingdom of Saudi Arabia
abderhab@ksu.edu.sa

Kashif Saleem
Center of Excellence in Information Assurance (CoEIA), King Saud University
Riyadh, Kingdom of Saudi Arabia
ksaleem@ksu.edu.sa

Abstract: In this paper, we propose an Intrusion Detection System (IDS) against Sinkhole attack in wireless sensor networks with mobile sink. In the detection model, the network area is divided into a flat grid of cells, and we use the signature-based technique, which is represented by the detection rate of a cell, to distinguish between real and fake sink nodes. The proposed IDS considers two types of sink mobility: periodic and random. In addition, as the cell leaders do not activate their IDS agent simultaneously, the additional energy consumption incurred by the IDS is low. Simulation results show the efficiency of the proposed IDS in terms of detection rate, efficiency, and energy consumption.

Keywords: wireless sensor network; IDS; detection rate; sinkhole attack; energy; virtual grid; security

I. INTRODUCTION

Wireless sensor networks (WSNs) are a set of tiny and low-cost sensor nodes, which have scarce resources regarding energy, bandwidth, processing capacity and storage. Such networks are designed to gather environmental data from the sensor nodes and disseminate them to the base station (or sink) using hop-by-hop communication. In order to optimize network performance in terms of throughput, end-to-end delay, and power consumption, the sink has to be near the source of the event. As the events occur at different regions within the network area, such an optimization cannot be achieved using a static sink.
By moving the sink to a region with a high dissemination rate, it is possible to reduce the event delay and increase the network lifetime. The main disadvantage of this scheme is that the sink node has to continuously update its position and advertise it in the network whenever it moves around. This feature can easily be exploited by the Sinkhole attack. The Sinkhole attack works by injecting false topological or positional information in the network in order to make a compromised node look attractive to the neighboring nodes with respect to the routing algorithm. The traffic in this case will be transferred towards a fake sink node instead of the real one.

The issue in this paper is how to design an intrusion detection system that can distinguish between legitimate topological or positional advertisements originated by the mobile sink node and the fake ones originated by the malicious nodes. To the best of our knowledge, this is the first work that addresses this issue.

The rest of this paper is organized as follows: Section 2 provides system model and assumptions. In Section 3, we present related work. Description of the proposed detection system is given in Section 4. In Section 5, we present simulation results. Finally, Section 6 concludes the paper.

II. RELATED WORK

Security and intrusion detection systems are an active research area in WSNs. Based on data consistency and network traffic analysis, the authors in [4] proposed an IDS for detecting a sinkhole attack. Rasheed and Mahapatra [5] proposed a multi-tier framework using a pre-distribution pairwise key scheme. This framework can use any pre-distribution pairwise key scheme and needs two separate key pools, one for the mobile sink, and the other for pairwise key establishment between the sensors. Eschenauer and Gligor [6] proposed a robust probabilistic key pre-distribution scheme. In this scheme, each sensor node randomly chooses a set of keys from a key pool before deployment.
This idea is further extended in [7] and [8] using two key pre-distribution schemes. Using the polynomial pool-based key pre-distribution protocol [10], Liu and Ning [9] designed another enhanced framework for pairwise key establishment. To detect sinkhole attacks in WSNs, Krontiris et al. [11], [12] proposed a variety of specification-based IDSs based on watchdogs, which have pre-defined rules for raising intrusion alerts. This type of attack has also been addressed in [19], [23], [24].

III. SYSTEM MODEL AND ASSUMPTIONS

We make the following assumptions about the network:

- Sensor nodes are randomly deployed in the network area.
- The sensor nodes are stationary, except for the sink node.

2015 12th International Conference on Information Technology - New Generations
978-1-4799-8828-0/15 $31.00 © 2015 IEEE
DOI 10.1109/ITNG.2015.56
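
The exposure created by the Sinkhole attack described in the Introduction can be measured under the system model above. The following simulation is an added example, not code from the paper: it assumes unauthenticated sink advertisements flooded hop by hop and sensors that forward toward the advertisement with the lowest hop count; all function names, the radio range and the positions are hypothetical.

```python
import math
import random
from collections import deque

def deploy(n, side, seed):
    """Randomly place n stationary sensor nodes in a side x side area."""
    rng = random.Random(seed)
    return [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(n)]

def neighbors(nodes, radio_range):
    """Adjacency list linking nodes within radio range of each other."""
    adj = {i: [] for i in range(len(nodes))}
    for i, a in enumerate(nodes):
        for j in range(i + 1, len(nodes)):
            if math.dist(a, nodes[j]) <= radio_range:
                adj[i].append(j)
                adj[j].append(i)
    return adj

def nearest_node(nodes, pos):
    """Index of the node closest to pos (where the sink attaches)."""
    return min(range(len(nodes)), key=lambda i: math.dist(nodes[i], pos))

def flood(adj, origin):
    """Hop count each node records when origin floods a sink advertisement."""
    hops, queue = {origin: 0}, deque([origin])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in hops:
                hops[v] = hops[u] + 1
                queue.append(v)
    return hops

def diverted_fraction(adj, real_sink, fake_sink):
    """Share of sensors that see the fake advertisement as strictly closer."""
    real, fake = flood(adj, real_sink), flood(adj, fake_sink)
    sensors = [n for n in adj if n not in (real_sink, fake_sink)]
    lost = [n for n in sensors if fake.get(n, math.inf) < real.get(n, math.inf)]
    return len(lost) / len(sensors) if sensors else 0.0

if __name__ == "__main__":
    nodes = deploy(200, 100.0, seed=1)            # constructed deployment
    adj = neighbors(nodes, 15.0)                  # assumed radio range
    fake = nearest_node(nodes, (50.0, 50.0))      # compromised node, fixed
    for pos in [(5.0, 5.0), (50.0, 95.0), (95.0, 50.0)]:  # sink moves
        real = nearest_node(nodes, pos)
        print(pos, round(diverted_fraction(adj, real, fake), 2))
```

Ties are resolved in favour of the real sink, so the reported fraction is a lower bound for this routing model; it changes with every sink position, which is why a mobile sink's advertisements cannot be validated against a fixed location.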