
Research on Forensic-Oriented Security Methods in Wireless Sensor Networks

Forensic-Oriented Security Methods in Wireless Sensor Networks

【Author】 史文明

【Supervisor】 黄传河

【Author information】 武汉大学 (Wuhan University), Computer Software and Theory, 2013, PhD

【Abstract (translated from the Chinese)】 The rise of wireless sensor network (WSN) technology and the Internet of Things has tightly coupled the logical world of information with the real physical world, realizing the "ubiquitous computing" paradigm. WSN technology is regarded as one of the most important technologies of the 21st century. With the development of wireless communication and computer technology, WSNs are moving from a high-tech concept towards large-scale application and will set off the third wave of the world information industry, after computers, the Internet and mobile communication networks. Their development and widespread use will have an enormous impact on social life and industrial change and will be a powerful driving force.

Security is one of the important components of WSN research. With the wide use of WSNs in military, security and other fields, their security problems are especially important. Because sensor nodes have limited power, computing capacity and storage space, and because many sensor networks are deployed in harsh environments or hostile areas, WSNs face greater threats and sensor nodes are easily captured by an adversary. Much research has already been done on WSN security: key management, identity authentication and other techniques have strengthened WSN defences. However, these measures lack adaptive capability against intrusion and cannot effectively detect the intrusion behaviour present in a WSN. Intrusion detection, as a proactive defence-in-depth technique, can discover malicious intrusions by examining network logs, network traffic or host running state, and can respond differently to different kinds of intrusion. However, the particular properties of WSNs make some existing intrusion detection mechanisms hard to apply to them, so studying intrusion detection methods suited to WSNs is especially important.

This thesis studies a WSN in different states, namely node localization, data transmission and overall operation, and proposes targeted, forensics-oriented security detection methods for each. First, for the localization process, the thesis proposes a method that uses handshake communication between connected nodes to quickly determine confidence node sets (nodes whose positions are already known and whose set is strongly connected) and computes the positions of unknown nodes from these sets. The localization process is vulnerable to intrusion, among which the node replication attack is the most common. Building on the proposed localization algorithm, the thesis further studies its security properties and proposes an intrusion detection algorithm for this localization method, which secures the localization process while keeping localization fast and accurate. Second, the thesis proposes an intrusion detection algorithm for hybrid WSN botnets built on tunnelling technology. Exploiting the spatio-temporal similarity of botnet traffic, the algorithm improves an existing botnet detection algorithm and transfers it from traditional networks to WSNs, so that WSN security can be checked during data transmission. Third, the thesis improves a cost-sensitive WSN detection method based on a genetic algorithm. A cost matrix is used to compute the fitness of rules, and the 5 most relevant attributes replace the original 9 detection attributes. Because fewer attributes are used in clustering, the running time of the algorithm improves markedly while its accuracy is unaffected.

The main work and contributions of the thesis are:

1. An indoor localization algorithm for WSNs is proposed, and node replication detection is studied on top of it. To address the large error that arises when a single beacon node is used for localization, the thesis proposes a WSN localization algorithm based on confidence node sets. The algorithm first uses handshake communication between beacon nodes to determine each beacon node's neighbours. After the node to be localized broadcasts a localization request, every nearby beacon node sends it its own position and its neighbour table. From the received information the node builds a confidence node set and uses the beacon nodes in the set to compute its own coordinates. By having several beacon nodes cooperate, the algorithm reduces the error of single-point localization and improves accuracy; it also improves the node position computation, lowering its complexity and raising localization efficiency. To guarantee the algorithm's security, the thesis studies security detection on top of the proposed localization algorithm. Replication attacks are a common attack on sensor networks, and many institutions have studied their detection. Existing methods generally need precise node position information or rely on system time information; they tend to be costly, since guaranteeing the detection rate requires sending and receiving many packets, which increases energy and transmission overhead. To address this shortcoming, the thesis proposes an improved node replication attack detection method that uses simple inter-node ranging to detect replicated nodes and mutual ranging among multiple nodes to detect forged nodes in the network. It does not need the exact position of each node; using only the relative positions of nodes and three generated decision rules, it can find the replicated nodes in the network under inspection. The algorithm is flexible and stable, meets the requirement of rapid detection for the WSN organization proposed in the thesis, and requires no additional hardware or software.

2. A security detection algorithm for IPv4/IPv6 hybrid WSN botnets based on tunnelling is proposed. With the rapid development of WSNs, the number of sensor networks is growing sharply and will consume a large number of IPv4 addresses. IPv4 addresses are already scarce, and one way to solve the shortage is to replace IPv4 with IPv6. Because IPv4 networks form the main part of today's Internet and are very large, IPv6 cannot replace IPv4 in a short time, and there will be a long period in which IPv4 and IPv6 networks are used together. Botnets are a major network security threat, and because IPv6 networks differ considerably from IPv4 networks, botnet detection methods for IPv4 networks cannot be applied directly to IPv4/IPv6 hybrid networks, which leaves such networks facing serious threats. The thesis proposes a hybrid botnet detection method based on tunnelling protocols, mainly applicable to IPv4/IPv6 hybrid networks that use tunnelling for data transmission. The method models each WSN as a node in the monitored network, which may be of IPv4 or IPv6 type, and assumes that these nodes exchange data with the control network via IPv4/IPv6 conversion implemented by tunnelling. Using protocol analysis and the highly regular structure of network protocols, the method parses four kinds of network-layer packets (pure IPv4, pure IPv6, IPv4-in-IPv6 and IPv6-in-IPv4) and extracts the five-tuple of source IP address, source port, destination IP address, destination port and protocol. A clustering algorithm is then applied to the extracted data, and bot hosts are identified from the flow information using the spatio-temporal similarity of botnet traffic. The algorithm does not need protocols from other layers: network-layer packets alone suffice to find botnets in the monitored network. It is fast and accurate, and lays a foundation for botnet intrusion detection in hybrid networks.

3. A cost-sensitive WSN security detection method based on a genetic algorithm is improved. To address the large number of alarm events and the high false-alarm rate of traditional sensor-network intrusion detection systems, the thesis proposes a forensics-oriented, cost-sensitive genetic algorithm for intrusion detection. Because WSNs differ greatly from traditional networks in computing power, storage space and battery capacity, the complexity of WSN intrusion detection algorithms must be minimized. Genetic algorithms are widely used for intrusion detection; one key issue is their tolerance of errors. This algorithm uses the Michigan approach to generate the rule set, which both addresses error tolerance and produces the result set efficiently. The thesis uses the KDD Cup 99 data set, which is widely used and is an effective, accurate data set. Its four intrusion-related categories are DoS (denial-of-service), Probe, U2R (user-to-root) and R2L (remote-to-local), and its attributes comprise 9 basic attributes and 32 derived attributes. Current detection methods mainly use the 9 basic attributes to classify attacks; the thesis improves this by using the 5 most relevant attributes for each attack type, which considerably raises detection efficiency. Because intrusion detection is sensitive to detection cost, the thesis proposes computing rule fitness with a cost matrix, so that the most suitable classification rules are found faster, greatly improving detection efficiency and lowering the false-alarm rate.

【Abstract】 The rise of wireless sensor network (WSN) technology has brought the logical world of information and the real physical world together and realized the "ubiquitous computing" paradigm. WSN technology is considered one of the most important technologies of the 21st century. As wireless communication and computer technology advance, WSNs are moving from a high-tech concept towards large-scale application and will set off the third wave of the world information industry, after computers, the Internet and mobile communication networks. Their development and widespread use will have a great impact on social life and industrial change and will provide a great impetus.

Security is one of the important parts of WSN research. With WSNs widely used in military, security and other fields, their security problems are very important. A sensor node's energy supply, computing power and storage space are limited, and many sensor networks are deployed in harsh or hostile areas, so WSN security faces greater threats and sensor nodes can easily be captured. Much research has been done on WSN security; key management, authentication and other technologies have enhanced WSN defences. However, these measures lack adaptive capacity against intrusion and cannot effectively detect intrusions present in a WSN. Intrusion detection, a proactive defence-in-depth technology, can discover malicious intrusions by inspecting network logs, network traffic or host running state, and can respond differently to different types of intrusion. However, the unique nature of WSNs makes some existing intrusion detection mechanisms difficult to apply, so research on intrusion detection methods suited to WSNs is particularly important.

This thesis studies the different states of a WSN, namely node localization, data transmission and overall operation, and proposes targeted forensics-oriented intrusion detection methods for each. First, for the localization process, the thesis presents a method that uses handshake communication between connected nodes to quickly determine confidence node sets (nodes whose locations are already known and whose set is strongly connected) and calculates an unknown node's location from them. The localization process is vulnerable to intrusion, of which the replication attack is the most common form. Building on the presented localization algorithm, its security features are studied further and an intrusion detection algorithm for this positioning method is proposed, which secures the localization process while keeping positioning fast and accurate. Second, we propose an intrusion detection algorithm for hybrid WSN botnets realized with tunnelling technology. The algorithm uses the spatio-temporal similarity of botnet traffic to improve an existing botnet detection algorithm and transfer it from traditional networks to WSNs, so that WSN security can be checked during data transmission. Third, the thesis improves a genetic-algorithm-based cost-sensitive detection method for WSNs. A cost matrix is used to calculate the suitability of rules, and the five most relevant attributes are used instead of the original nine detection attributes. Since clustering uses fewer attributes, the algorithm's running time improves while its accuracy is not affected.

The main work and contributions include:

1. An indoor positioning algorithm for WSNs is proposed. To address the large errors that arise when positioning with a single beacon node, the thesis proposes a confidence-set-based WSN node localization algorithm. The algorithm uses handshake communication between beacon nodes to determine each beacon node's neighbours. After the node to be positioned sends out a positioning request, each nearby beacon node sends it its own location and neighbour table. The node builds a confidence node set from the received information and uses the beacon nodes in the set to calculate its coordinates. Using several cooperating beacon nodes reduces the single-point positioning error and improves positioning accuracy; the improved position calculation also reduces complexity and improves the efficiency of node location. To ensure the security of the algorithm, the thesis studies intrusion detection on top of the proposed localization algorithm. Replication attacks are common attacks on sensor networks, and many organizations have researched detection methods for them. Existing methods generally require precise node location information or rely on system time information, and their overhead is larger: to ensure the detection rate, large numbers of packets must be sent and received, which increases energy and transmission overhead. In view of this deficiency, the thesis proposes an improved node replication attack detection method that uses simple ranging to detect replicated nodes and mutual ranging among multiple nodes to detect pseudo-nodes in the network. It does not need the specific location of each node; using only the relative positions of nodes and three generated decision rules, it finds the replicated nodes in the network under inspection. The algorithm is flexible and stable, meets the rapid-detection requirement of the proposed WSN organization, and needs no additional hardware or software.

2. A tunnel-based botnet security detection algorithm for WSNs is proposed. With the rapid development of WSNs, the number of sensor networks has increased dramatically and will take up many IPv4 addresses. IPv4 addresses are already very scarce, and one way to solve the shortage is to use IPv6 in place of IPv4. The IPv4 network is the main component of the Internet and is very large, so IPv6 cannot replace IPv4 in a short time, and for a long time IPv4 and IPv6 networks will be used in a mixed state. Botnets are a major network security threat, and because IPv6 networks differ greatly from IPv4 networks, the botnet detection methods of IPv4 networks cannot be applied directly to mixed IPv4/IPv6 networks, which leaves IPv4/IPv6 hybrid networks facing serious threats. This thesis presents a tunnelling-protocol-based botnet detection method, mainly applied to IPv4/IPv6 hybrid networks that use tunnelling for data transmission. The method models each WSN as a node in the monitored network; these nodes can be of IPv4 or IPv6 type, and the thesis assumes that they exchange data with the control network using tunnel-based IPv4/IPv6 conversion. Using protocol analysis and the highly regular structure of network protocols, the method parses four types of network-layer packets (pure IPv4, pure IPv6, IPv4-in-IPv6 and IPv6-in-IPv4) and extracts the five-tuple of source IP address, source port, destination IP address, destination port and protocol. A clustering algorithm is applied to the extracted data, and bots are identified from the flow information according to the spatio-temporal similarity of botnet traffic. The algorithm does not need the protocols of other layers; the network-layer packets alone suffice to identify botnets in the monitored network. It is fast and accurate, and lays the foundation for future botnet intrusion detection in hybrid networks.

3. A genetic-algorithm-based cost-sensitive security detection method for WSNs is improved. Compared with traditional sensor-network intrusion detection methods, this thesis presents a forensics-oriented cost-sensitive genetic algorithm for intrusion detection. Because WSNs differ significantly from traditional networks in computing power, storage space and battery power, the complexity of WSN intrusion detection algorithms must be reduced as much as possible. Genetic algorithms are widely used in intrusion detection; a key issue is their tolerance of errors. The algorithm uses the Michigan approach to generate rule sets, which resolves the error-tolerance issue and produces the result set efficiently. The thesis uses the KDD Cup 99 data set, which is widely used and is an effective and accurate data set. Its four intrusion-related categories are DoS (denial-of-service), Probe, U2R (user-to-root) and R2L (remote-to-local), and its attributes include nine basic attributes and 32 derived attributes. Current detection methods mainly use the nine basic attributes to classify attacks; this thesis improves that division by using the five most relevant attributes separately for each attack type, which greatly improves detection efficiency. Because intrusion detection is sensitive to detection cost, the thesis proposes computing rule fitness with a cost matrix, finding the most appropriate division rules faster, which greatly improves detection efficiency and reduces the false alarm rate.
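The five-tuple extraction step of the tunnel-based botnet detection method (contribution 2 in both abstracts) hinges on recognizing the four network-layer packet kinds, pure IPv4, pure IPv6, IPv4-in-IPv6 and IPv6-in-IPv4, and reading the source IP, source port, destination IP, destination port and protocol from the innermost header. The following parser is an added example, not code from the thesis. It assumes 6in4 encapsulation signalled by IPv4 protocol number 41 and 4in6 encapsulation signalled by IPv6 next-header 4, does not walk IPv6 extension headers, records ports as 0 for port-less protocols such as ICMP, and leaves checksums zero in the constructed sample packets; all addresses and ports below are constructed.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# IANA protocol numbers used by the parser.
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_IPV4 = 4     # IPv4 carried inside IPv6 (4in6)
PROTO_IPV6 = 41    # IPv6 carried inside IPv4 (6in4)


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int


def _parse_ipv4(buf: bytes, off: int) -> Tuple[str, str, int, int]:
    """Parse an IPv4 header at buf[off:]; return (src, dst, protocol, payload offset)."""
    if len(buf) < off + 20 or buf[off] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[off] & 0x0F) * 4
    if ihl < 20 or len(buf) < off + ihl:
        raise ValueError("truncated IPv4 header")
    proto = buf[off + 9]
    src = str(ipaddress.IPv4Address(buf[off + 12:off + 16]))
    dst = str(ipaddress.IPv4Address(buf[off + 16:off + 20]))
    return src, dst, proto, off + ihl


def _parse_ipv6(buf: bytes, off: int) -> Tuple[str, str, int, int]:
    """Parse a fixed 40-byte IPv6 header (extension headers not handled, an assumption)."""
    if len(buf) < off + 40 or buf[off] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    next_header = buf[off + 6]
    src = str(ipaddress.IPv6Address(buf[off + 8:off + 24]))
    dst = str(ipaddress.IPv6Address(buf[off + 24:off + 40]))
    return src, dst, next_header, off + 40


def _parse_ports(buf: bytes, off: int, proto: int) -> Tuple[int, int]:
    """TCP and UDP both put source and destination port in the first four bytes."""
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(buf) < off + 4:
            raise ValueError("truncated transport header")
        return struct.unpack_from("!HH", buf, off)
    return 0, 0  # port-less protocol (e.g. ICMP): ports recorded as 0


def extract_five_tuple(packet: bytes) -> Tuple[FiveTuple, str]:
    """Classify the packet as one of the four kinds and return the innermost five-tuple."""
    version = packet[0] >> 4
    if version == 4:
        src, dst, proto, off = _parse_ipv4(packet, 0)
        kind = "IPv4"
        if proto == PROTO_IPV6:            # 6in4: the real flow is the inner IPv6 packet
            src, dst, proto, off = _parse_ipv6(packet, off)
            kind = "IPv6-in-IPv4"
    elif version == 6:
        src, dst, proto, off = _parse_ipv6(packet, 0)
        kind = "IPv6"
        if proto == PROTO_IPV4:            # 4in6: the real flow is the inner IPv4 packet
            src, dst, proto, off = _parse_ipv4(packet, off)
            kind = "IPv4-in-IPv6"
    else:
        raise ValueError(f"unsupported IP version {version}")
    sport, dport = _parse_ports(packet, off, proto)
    return FiveTuple(src, sport, dst, dport, proto), kind


# --- constructed sample packets (checksums left at zero) ---------------------

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLE_PACKETS = {
    "pure_v4": build_ipv4("10.0.0.1", "10.0.0.2", PROTO_UDP, build_udp(5000, 53)),
    "pure_v6": build_ipv6("2001:db8::1", "2001:db8::2", PROTO_UDP, build_udp(6000, 8080)),
    "6in4": build_ipv4("192.0.2.1", "192.0.2.2", PROTO_IPV6,
                       build_ipv6("2001:db8::a", "2001:db8::b", PROTO_UDP, build_udp(4000, 4001))),
    "4in6": build_ipv6("2001:db8::1", "2001:db8::2", PROTO_IPV4,
                       build_ipv4("10.1.1.1", "10.1.1.2", PROTO_UDP, build_udp(7000, 7001))),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, *extract_five_tuple(pkt))
```

The tuples this returns are what the clustering stage would consume; because the tunnel header is stripped, a bot talking through a 6in4 or 4in6 tunnel ends up in the same key space as one on a native network, which is what lets one detector cover both address families.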
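Contribution 3 scores candidate detection rules with a cost matrix rather than with plain accuracy, so that a rule which misses a root compromise is penalized more than one that raises a false alarm. The block below is an added example of that idea, not the thesis's algorithm: a Michigan-style genetic algorithm where each individual is one rule over five numeric attributes, and fitness is derived from the total cost of the rule's predictions. The cost matrix, the five attribute names, the records and the GA parameters are all constructed assumptions; which five attributes the thesis selected and which costs it used are not stated on the page.

```python
import random
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# KDD Cup 99 attack categories plus normal traffic.
CLASSES = ["normal", "DoS", "Probe", "U2R", "R2L"]

# Constructed cost matrix COST[actual][predicted] (assumption; the thesis's own
# values are not on the page). A correct prediction costs 0, a false alarm on
# normal traffic costs little, and a missed U2R/R2L compromise costs most.
COST = {
    "normal": {"normal": 0, "DoS": 1, "Probe": 1, "U2R": 2, "R2L": 2},
    "DoS":    {"normal": 2, "DoS": 0, "Probe": 1, "U2R": 2, "R2L": 2},
    "Probe":  {"normal": 1, "DoS": 1, "Probe": 0, "U2R": 2, "R2L": 2},
    "U2R":    {"normal": 4, "DoS": 3, "Probe": 3, "U2R": 0, "R2L": 2},
    "R2L":    {"normal": 4, "DoS": 3, "Probe": 3, "U2R": 2, "R2L": 0},
}

# Five numeric attributes per record; names are assumed, KDD-style.
ATTRS = ["duration", "src_bytes", "dst_bytes", "count", "srv_count"]
Record = Tuple[float, ...]

# Constructed records: DoS floods show many connections with tiny payloads.
RECORDS: List[Record] = [
    (10, 200, 300, 5, 5), (0, 150, 50, 3, 2), (5, 300, 600, 8, 7), (20, 250, 400, 4, 4),
    (0, 0, 0, 500, 500), (0, 0, 0, 450, 430), (0, 0, 0, 600, 590), (0, 10, 0, 520, 515),
    (0, 20, 0, 200, 30), (0, 30, 0, 250, 20),
    (300, 800, 900, 1, 1),
    (100, 500, 200, 2, 1),
]
LABELS = ["normal"] * 4 + ["DoS"] * 4 + ["Probe"] * 2 + ["U2R"] + ["R2L"]


@dataclass
class Rule:
    """Michigan-style individual: one interval per attribute plus the class it predicts."""
    bounds: List[Tuple[float, float]]
    label: str

    def matches(self, rec: Record) -> bool:
        return all(lo <= v <= hi for (lo, hi), v in zip(self.bounds, rec))


def total_cost(rule: Rule, records: Sequence[Record], labels: Sequence[str]) -> float:
    """Cost of one rule: a covered record is predicted rule.label; an uncovered
    record of the rule's own class is a miss, charged as if predicted 'normal'
    (no alarm). Uncovered records of other classes belong to other rules."""
    cost = 0.0
    for rec, actual in zip(records, labels):
        if rule.matches(rec):
            cost += COST[actual][rule.label]
        elif actual == rule.label:
            cost += COST[actual]["normal"]
    return cost


def fitness(rule: Rule, records: Sequence[Record], labels: Sequence[str]) -> float:
    return 1.0 / (1.0 + total_cost(rule, records, labels))


def mutate(rule: Rule, rng: random.Random, scale: float = 50.0) -> Rule:
    bounds = []
    for lo, hi in rule.bounds:
        lo2, hi2 = lo + rng.uniform(-scale, scale), hi + rng.uniform(-scale, scale)
        bounds.append((min(lo2, hi2), max(lo2, hi2)))
    return Rule(bounds, rule.label)


def crossover(a: Rule, b: Rule, rng: random.Random) -> Rule:
    cut = rng.randrange(1, len(a.bounds))
    return Rule(a.bounds[:cut] + b.bounds[cut:], a.label)


def evolve(records, labels, label, generations=40, pop_size=20, seed=1):
    """Evolve a rule for `label`; returns (best rule, initial best cost, final best cost)."""
    rng = random.Random(seed)
    pop = [Rule([(rng.uniform(0, 500), rng.uniform(500, 1000)) for _ in ATTRS], label)
           for _ in range(pop_size)]
    best = min(pop, key=lambda r: total_cost(r, records, labels))
    initial_cost = total_cost(best, records, labels)
    for _ in range(generations):
        ranked = sorted(pop, key=lambda r: total_cost(r, records, labels))
        if total_cost(ranked[0], records, labels) < total_cost(best, records, labels):
            best = ranked[0]
        parents = ranked[: pop_size // 2]          # truncation selection
        children = [best]                          # elitism keeps the best-so-far
        while len(children) < pop_size:
            a, b = rng.sample(parents, 2)
            children.append(mutate(crossover(a, b, rng), rng))
        pop = children
    return best, initial_cost, total_cost(best, records, labels)


# A hand-written rule that covers exactly the four constructed DoS records.
PERFECT_DOS = Rule([(0, 5), (0, 50), (0, 50), (400, 1000), (400, 1000)], "DoS")

if __name__ == "__main__":
    print("perfect DoS rule fitness:", fitness(PERFECT_DOS, RECORDS, LABELS))
    rule, c0, c1 = evolve(RECORDS, LABELS, "DoS")
    print(f"GA: cost {c0} -> {c1}, rule {rule}")
```

Swapping the cost matrix for a plain 0/1 error count reduces this to accuracy-driven fitness; keeping the asymmetric costs is what makes a rule that quietly misses U2R traffic lose to one that occasionally alarms on normal traffic, which is the trade-off a forensics-oriented detector wants.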

  • 【Online publication contributor】 武汉大学 (Wuhan University)
  • 【Online publication year/issue】 2014, Issue 05