IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 6, NO. 4, DECEMBER 2011 1185
Stochastic Modeling of Hello Flooding in Slotted
CSMA/CA Wireless Sensor Networks
Mohammad Sayad Haghighi, Kamal Mohamedpour, Vijay Varadharajan, and Barry G. Quinn
Abstract—Broadcasting a request or challenge is a classic
method of collecting local information in distributed wireless
networks. Neighbor discovery is known to be a fundamental
element in ad hoc and sensor networks topology formation, which
takes advantage of such methods. Most of the current neighbor
discovery protocols rely on a challenge or request broadcast by
the discovering node, called “Hello.” The Hello flooding attack was
specifically designed to exploit the broadcasting nature of these
protocols in order to convince a large group of nodes that the
sender is their neighbor by using very high transmission power.
Several studies have been done to mitigate the effectiveness of
the flooding threats but little effort has been made in modeling
and analyzing this problem. Arguing that random channel access
protocols must be inevitably employed in neighbor discovery, we
propose an analytical approach for stochastic modeling of the
challenge-broadcasting scenarios in networks using slotted carrier
sense multiple access with collision avoidance (CSMA/CA) protocols.
We model the nonstationary channel right after issuance
of the request by a recursive method and then put forward an
approach to find the broadcaster’s approximate payoff. The model
also supports the cases where the broadcaster is a malicious node
with an abnormally high transmission and reception range, which
is found in severe flooding attacks. We investigate the applications
of the model in finding the optimal attack range for the flooding
adversaries and deriving a flood-resilient medium access control
(MAC) protocol design framework to increase the security of
challenge-response protocols. The latter one is especially relevant
to mobile networks as it provides a low-cost solution. This paper
describes the detailed analysis of the proposed theoretical framework
as well as the comprehensive evaluations that have been
carried out via simulations.
Index Terms—Carrier sense multiple access (CSMA), Hello
flooding attack, sensor networks.
I. INTRODUCTION
Wireless sensor networks, as a subset of ad hoc networks,
are spontaneous systems that consist of several
similar nodes which are devoid of any coordinator and are usually
employed for monitoring purposes. These networks have a
variety of applications ranging from fire alarm systems in the
forests to enemy movement detection systems in the battlefield
[1].
Manuscript received October 29, 2010; revised June 30, 2011; accepted July
12, 2011. Date of publication July 29, 2011; date of current version November
18, 2011. The associate editor coordinating the review of this manuscript and
approving it for publication was Dr. Wade Trappe.
M. Sayad Haghighi and K. Mohamedpour are with the Department of Electrical
Engineering, K. N. Toosi University of Technology, Tehran 16314, Iran
(e-mail: sayad@ee.kntu.ac.ir; kmpour@kntu.ac.ir).
V. Varadharajan is with the Department of Computing, Faculty of Science,
Macquarie University, Sydney, NSW, 2109, Australia (e-mail:
vijay.varadharajan@mq.edu.au).
B. G. Quinn is with the Department of Statistics, Macquarie University,
Sydney, NSW, 2109, Australia (e-mail: bquinn@efs.mq.edu.au).
Digital Object Identifier 10.1109/TIFS.2011.2163306
Security in sensor networks has always been a challenging
issue since their conception. The infrastructure-less nature of
the architecture along with the wireless connectivity, multihop
transmission, and low energy and processing power give rise
to a range of security threats and vulnerabilities [2]. The special
characteristics of sensor networks have let new forms of
threats emerge which are specific to these networks. In addition
to the previously known sleep deprivation attack, Karlof
and Wagner [3] introduced a new effective attack for sensor networks
called Hello flooding which exploits the broadcasting nature
of neighbor discovery protocols.
Broadcasting a challenge or request is a very common way
of data collection or data dissemination. For example, in sensor
networks, a cluster head may issue a request through broadcasting
to collect all the sensed values in its vicinity [4]. In
neighbor discovery, as another example, every node broadcasts
a request or challenge (Hello) which includes its identity (and
potentially mutual cryptographic key constructing parts). In
one-way protocols, the receivers add the sender’s ID to their
neighbors list after processing the message. In two- or multiway
protocols, the sender is able to identify its neighbors through
processing the incoming responses.
In the Hello flooding attack, the Hello message is advertised with
a very high power. This may convince many surrounding nodes
that the malicious transmitter is one of their neighbors. Several
works have been done to counteract this threat [3], [5]–[19], but
little effort has been made in modeling it. Any protocol which
relies on broadcast information to fulfill its tasks may be vulnerable
to flooding attacks. If the modeling leads to the development
of a countermeasure for the Hello flooding attack, it can
also be useful in securing other broadcast-based protocols.
The necessity of using a two- or multiway protocol for
neighbor discovery has been addressed previously with respect
to the security constraints [3], [20], [21]. In a two-way protocol,
when a node broadcasts a request, each receiving node
tries to send an appropriate reply packet back. The replying
nodes’ medium access control (MAC) layers have to capture
the common channel one at a time in order to transmit their
data. In the absence of transmission-scheduling coordinators
in infrastructure-less networks like sensor networks, random
channel access protocols are the only candidates for the MAC
layer. Besides, in the neighbor discovery case, there exists no
prior information about the network graph while running the
protocol. Any scheduled type of transmission, including the
time-division multiple-access methods, implies the existence of
a table for transmission times and number of nodes sharing the
channel which cannot be provided prior to neighbor discovery.
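The contention among replies described above can be illustrated with a simplified slotted random-access sketch. This is an added example, not the paper's recursive CSMA/CA model: it assumes a single reply window of `window` slots, one uniformly chosen slot per responder, no carrier sensing or retransmission, and uniform node density; all names and parameter values are hypothetical.

```python
import math
import random

def expected_replies(n, window):
    """Expected number of slots picked by exactly one of n responders.

    A responder is alone in its slot with probability (1 - 1/W)^(n-1),
    so the mean count of collision-free replies is n * (1 - 1/W)^(n-1).
    """
    if n <= 0:
        return 0.0
    return n * (1.0 - 1.0 / window) ** (n - 1)

def simulate_replies(n, window, trials=2000, seed=1):
    """Monte Carlo check of expected_replies (seeded, so repeatable)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        slots = [0] * window
        for _ in range(n):
            slots[rng.randrange(window)] += 1
        # Only slots holding a single reply are received without collision.
        total += sum(1 for count in slots if count == 1)
    return total / trials

def replies_by_range(density, ranges, window):
    """Map a broadcast range to responders (density * pi * r^2) and to the
    expected number of replies that survive contention in one window."""
    rows = []
    for r in ranges:
        n = round(density * math.pi * r * r)
        rows.append((r, n, expected_replies(n, window)))
    return rows

if __name__ == "__main__":
    # Constructed parameters: 0.01 nodes per unit area, 32-slot reply window.
    for r, n, replies in replies_by_range(0.01, [10, 32, 80], 32):
        print(f"range={r:3d} responders={n:4d} expected replies={replies:6.2f}")
```

Under these assumptions the number of collision-free replies peaks when the number of responders is close to the window size and then falls toward zero, so the reply window bounds how many neighbors a broadcaster can confirm in one round however far its Hello reaches.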