Distributed Detection of Sensor Worms Using Sequential Analysis and Remote Software Attestations
Recent work has demonstrated that self-propagating worms are a real threat to sensor networks. Since worms can enable an adversary to quickly compromise an entire sensor network, they must be detected and stopped as quickly as possible. To meet this need, we propose a worm propagation detection scheme for sensor networks. The proposed scheme applies a sequential analysis to detect worm propagation by leveraging the intuition that a worm's communication pattern is different from benign traffic. In particular, a worm in a sensor network requires a long sequence of packets propagating hop-by-hop to each new infected node in turn. We thus have detectors that observe communication patterns in the network; a worm spreading hop-by-hop will quickly create chains of connections that would not be seen in normal traffic. Once detector nodes identify the worm propagation pattern, they initiate remote software attestations to detect infected nodes. Through analysis and simulation, we demonstrate that the proposed scheme effectively and efficiently detects worm propagation. In particular, it blocks worm propagation while restricting the fraction of infected nodes to at most 13.5 percent with an overhead of at most 0.63 remote attestations per node per time slot.
Wireless sensor networks, sequential analysis, worm detection.
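
The sequential-analysis step named in the abstract can be illustrated with Wald's sequential probability ratio test run over observed connections. This Python code is an added example, not the paper's algorithm or code: the Bernoulli "chain grew by a hop" model, the parameters `p0`, `p1`, `alpha`, `beta`, and all function names are assumptions, and the traces are constructed.

```python
import math

def chain_samples(connections):
    """Map time-ordered (slot, src, dst) records to Bernoulli samples:
    1 if src was itself contacted earlier (the chain grew by a hop), else 0.
    This feature is an assumed simplification, not the paper's definition."""
    contacted, samples = set(), []
    for _slot, src, dst in connections:
        samples.append(1 if src in contacted else 0)
        contacted.add(dst)
    return samples

def sprt(samples, p0=0.1, p1=0.6, alpha=0.01, beta=0.01):
    """Wald's SPRT. H0: P(sample=1)=p0 (benign); H1: P(sample=1)=p1 (worm).
    alpha/beta are the target false-positive/false-negative rates.
    Returns (decision, samples_used)."""
    upper = math.log((1 - beta) / alpha)   # accept H1 at or above this
    lower = math.log(beta / (1 - alpha))   # accept H0 at or below this
    llr = 0.0
    for n, x in enumerate(samples, 1):
        llr += math.log(p1 / p0) if x else math.log((1 - p1) / (1 - p0))
        if llr >= upper:
            return "worm", n
        if llr <= lower:
            return "benign", n
    return "undecided", len(samples)

def detect(connections):
    """Run the test; on a worm decision, list the chain nodes a detector
    would hand to remote software attestation (attestation itself not shown)."""
    samples = chain_samples(connections)
    decision, n = sprt(samples)
    targets = set()
    if decision == "worm":
        for (_slot, src, dst), x in zip(connections[:n], samples):
            if x:
                targets.update((src, dst))
    return decision, n, sorted(targets)

# Constructed traces (not from the paper): a hop-by-hop chain, and
# six sensors each reporting once to a base station "bs".
WORM = [(1, "a", "b"), (2, "b", "c"), (3, "c", "d"), (4, "d", "e"), (5, "e", "f")]
BENIGN = [(t, s, "bs") for t, s in enumerate("abcdef", 1)]

if __name__ == "__main__":
    print(detect(WORM))
    print(detect(BENIGN))
```

The test stops as soon as the accumulated log-likelihood ratio crosses either threshold, so the number of observations needed depends on how strongly the traffic favors one hypothesis.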