Pattern-based digital investigation of x-hole attacks

in wireless adhoc and sensor networks

Slim REKHIS and Noureddine BOUDRIGA
CN&S Research Lab., University of the 7th of November at Carthage, Tunisia
slim.rekhis@isetcom.rnu.tn, nab@supcom.rnu.tn
Abstract-We introduce in this paper the concept, generation,
and usage of security attack patterns as a valuable technique
for conducting digital investigation. A formal approach based on
the use of these patterns is introduced for the reconstruction of
potential attack scenarios and characterizing provable properties
and actions. To exemplify the proposal, a case study dealing with
investigation on wormhole attacks is provided.
I. INTRODUCTION

Digital investigation aims to conduct a post-incident analysis on compromised systems and make inquiries to past events.
The purpose is to collect digital evidences left on the system
further to the attack scenario occurrence, and analyze them in
order to answer questions about digital states and events and
reconstruct information about past events. Digital evidences
are ubiquitous and used to support or disprove a theory of how
the security incident occurred. They include any digitalized
information such as images, text, audio, and video. During
the process of analysis, an investigator requires to formulate
theories about the potential events and the behavior of the
compromised system in order to a) determine the vulnerabilities exploited to compromise the system; b) reconstruct the
conducted attack scenario; c) trace attackers to their source in
the network; d) study the attackers trends and motives; and e)
propose a set of countermeasures to mitigate the effect of the
incident.
Few research works were proposed by the literature in order
to make the digital investigation process based on formal
methods, theories and principles. Such feature allows generating irrefutable proofs regarding reconstructed attack scenarios,
reducing the complexity of their generation, and automating
the reasoning on incidents. Stephenson took interest in [9] to
the root cause analysis of digital incidents and used Colored
Petri Nets. Stallard and Levitt used in [8] an expert system with
a decision tree that exploits invariants relationship between
existing data redundancies within the investigated system.
Gladychev provided in [4] a Finite State Machine (FSM)
approach for the construction of potential attack scenarios
discarding scenarios that disagree with the available evidences.
Carrier and Spafford proposed in [2] a model that supports
existing investigation frameworks. It uses a computation model
based on a FSM and the history of a computer. A digital
investigation is considered as the process that formulates and
tests hypotheses about occurred events or states of digital data.
Willanssen takes interest, in [11], in enhancing the evidentiary
value of timestamp evidences. The aim is to alleviate problems
9781-4244-3941-6/09/$25.00 2009 IEEE

related to the use of evidences whose timestamps were modified or referred to an erroneous clock (i.e., which was subject
to manipulation or maladjustment). The proposed approach
consists in formulating hypotheses about clock adjustment and
verifying them by testing consistency with observed evidences.
Later in [12], the testing of hypotheses consistency is enhanced
by constructing a model of actions affecting timestamps in the
investigated system. An action may affect several timestamps
by setting new values and removing the previous ones. In [1], a
model checking-based approach for the analysis of log files is
proposed. The aim is to search for pattern of events expressed
in formal language using the model checking technique. Using
this approach logs are modeled as a tree whose edges represent
extracted events in the form of algebraic terms. In [7], we
provided a logic for digital investigation of security incidents
and its high level-specification language. The logic is used
to prove the existence or non-existence of potential attack
scenarios which, if executed on the investigated system, would
produce the different forms of specified evidences.
Generally speaking, the solutions provided by the above
described approaches are unsuitable to cope with wireless
attacks. In fact, the dynamic aspect of routing protocols and
topology in wireless multihop systems makes it necessary to
provide techniques and mechanisms for distributed collection
of evidences, correlation of scattered collected evidences,
handling of the of incompleteness evidences which occurs
due to the existence of network areas that are uncovered
by the deployed security solutions. Second, most of the
provided approaches require the use of libraries of attacks
which should be explored at every process of attack scenario
reconstruction to assemble the suitable sequence of executed
actions that vindicates the availability of evidences. Such
feature requires heavy resources and may increase the overload
on the mobile wireless nodes, which could be resourceimpoverished devices. Third, most of the attack scenarios
reconstruction techniques require the availability of evidences
showing the description of some actions, which happened on
the compromised system, and their attributes. In practice, the
identification of actions and their attributes is difficult and
may be subject to different false positives. In fact, most of
the security solutions do not directly monitor actions, but they
supervise the system behavior and identify malicious events
starting from the observed effect on the system. Providing
a technique of digital investigation which allows to identify
occurred attack scenarios starting from evidences describing

detected patterns of attacks, would be of high interest. Such

solution would allow detecting a wide range of attacks and
does not require extensive resources for generating evidences.
In this paper, we introduce the concept, generation, and
usage of security attacks patterns as a valuable technique for
reconstructing identifying and reconstructing attack scenarios.
A network of observation, which can be integrated to a
wireless adhoc or sensor network, is defined for the purpose
of covering the whole sensor or adhoc network and collecting
pattern-based evidences. Since every observer is in charge of
monitoring a separate area in the network, not all information
may be available for the computation of the whole pattern.
To cope with such issue, patterns are partitioned into pattern
fragments, which will be distributively detected by observers
in the network. Our proposed technique allows to cover, not
only specific types of attacks, but a generic class of routingbased attacks, including wormhole, sinkhole, and blackhole
attacks, denoted in this paper by x-hole attacks.
The paper contribution is two-fold. First the proposed
formal investigation technique, is not limited to specific type
of incidents, it could be used to cover wide classes of
wireless attacks. The only requirement to achieve this, is to
accurately define the patterns and extend the algorithms used
to generate evidences in observer nodes and analyze them in
the investigation node. Second, to the best of our knowledge,
none investigation-based proposal has considered the use of
the concept of patterns for the purpose of digital investigation.
As in intrusion detection, the simplicity of implementing such
technique would facilitate the implementation of tools for
digital investigation.
The remaining part of the paper is organized as follows.
The next section shows the need for attack patterns-based
investigation. Section III defines a set of patterns for characterizing x-hole attacks in wireless adhoc and sensor networks.
In Section IVan architecture for an observed adhoc or sensor
network is described in order to monitor nodes communication
and generate pattern-based evidences. Section V provides a
formal model of attack scenarios and patterns. It also defines
temporal operators for generating advanced patterns starting
from simple ones. Section VI formally describes a model
of observed attack scenarios and provides a methodology
for pattern-based digital investigation. In Section VII, a case
study dealing with the investigation of wormhole attacks is
described. The last section concludes the work.
II. NEED FOR ATTACK PATTERNS INVESTIGATION
Providing a technique for investigation of security incidents
in wireless networks starting from evidences defined in the
form of attack patterns, is of high interest for a variety of
reasons.
First, determining the executed action starting from collected evidences is not always possible, especially if the
collected evidences do not provide sufficient information to
prove the occurrence of such action. Typically, most of the
security solutions determine the execution of an action starting
from the effect obtained on the system state further to its

execution. Therefore, such feature is subject to several false

positives and negatives.
Second, monitoring of actions requires not only the detection of their occurrence but also the determination of their
attributes. While not all actions attributes may be visible, the
latter are crucial for the correlation of actions and reconstruction of attack scenarios.
Third, the use of patterns has shown its efficiency in the
field of intrusion detection, and such technique was widely
implemented by many solutions, including misuse intrusion
detection. The coding and representation of patterns, if well
defined, would considerably keep the false positives rate very
low.
Fourth, by providing functions to combine patterns, the
digital investigation may allow to better characterize advanced
and complex attacks and cover a wide range of malicious
events. Moreover, since in wireless networks, not all nodes,
in charge of collecting evidences, are able to observer the
same events, detected patterns would be different from a node
to another. This makes the need for techniques of patterns
combination more and more important.
Fifth, by providing techniques for reasoning about provable
attacks based on patterns, evidences required to reconstruct
attack scenarios will be reduced so that only those that focus
on the detection of patterns will be collected.
Sixth, broadly speaking, techniques provided by the literature for investigation or detection, are highly tailored to
specific type and techniques attacks. Considering, for instance,
attacks on routing protocols in wireless multi-hop systems,
the recent approaches provided by the literature regarding the
detection of wormhole, sinkhole, and blackhole attacks, were
very different, although they belong to the same class of attack.
In this context, the use of patterns allows to provide a generic
technique of investigation which allows to cover a wide class
of attack scenarios.
III. TOWARD THE USE OF PATTERNS FOR THE
IDENTIFICATION OF X-HOLE ATTACKS
We identify in this section a set ofpatterns for characterizing
several types of attacks on wireless adhoc and sensor networks,
namely wormhole, blackhole, sinkhole and Sybil attacks.
a) Wormhole attack: In a wormhole attack, an adversary
node receives packets from one location, tunnels them to another location in the network, and re-send them. The wormhole
tunnel can be established using several methods including
packets encapsulation, datagrams sending via external wired
infrastructure or out-of-band channel, and use of high power
transmitters. Several propositions were made by the literature
to mitigate such attack, including MobiWorp [5] and WAP [3].
We describe in the following a list of patterns that can
be used to detect potential sign of wormhole attacks in the
network. The later can be used with an on-demand routing
protocol such as Dynamic Source Routing protocol (DSR).
The route request message, which is considered here in after,
corresponds to the message sent by the source node who wants
to discover a route to the destination. Every intermediate nodes

which receives such message should append its identity before

forwarding it for the first time. The route reply is the message
sent from the destination to the source to inform it about the
selected route.
A node, say X, which receives a datagram from a
neighbor node, say Y, does not forward that request to
any neighbor node within a time out period.
A node, say X, has two neighbors, say Y and Z. It
receives a datagram from Y and replays it to Z using
the identity of Y as a physical source address. Also, it
does not append its identity in the route record.
A node, say X, which receives a datagram from a
neighbor node, say Y, forwards that request to a non
neighbor node.
A node, say X, generates a datagram containing a route
request. The identity of the source node who initiated the
request does not correspond to the identity of X, and the
route record is equal to, or different from (X).
A node, say X, receives a packet containing a route
request/reply from a non-neighbor node.
A node receives a route request, say RREQ later after
forwarding another packet request, say RREQ'. REQ
and RREQ' share the same source and destination addresses, and request identifier.
A node, say X, generates a route reply where in the route
record X is succeeded by the identity of a non neighbor
node.
The number and identities of nodes contained in the route
record, is not proportional to the sum of processing delay
averages of those nodes
A node, say X, sends a datagram to a node say Y
informing it about a new route to a destination D through
itself. The node X has not previously received a RREQ
message sent by Y to establish a route to D.

b) Blackhole attack: Blackhole attacks [10] represent a

simple and an effective Denial of Service attack in Wireless
Sensors and Adhoc networks. Using a blackhole attack, an
adversary or a compromised node attempts to advertise itself
as having a valid route to the destination and attracts all the
traffic from a particular area. Later, it selectively or totally
drops all the received datagrams. We describe in the following
a list of patterns that can be used to detect potential signs of
blackhole attacks in the network.
An adversary node advertises itself as being the neighbor
of a distant node, say Y. Node X may not necessarily
be unable to exchange traffic with node Y.
Two nodes with the same identity exist in the network at
different places within the same time period.
An adversary node, say X, advertises itself as having a
route to the destination, say Y over a node Z. Node X
has not previously discovered a routed data to Y over Z.
An adversary node, say X, advertises itself as having a
route to the destination, say Y over a node Z. Node Y
has not previously routed data to Z.

The sinkhole attack [6] provides a slight variation ofblackhole.

An attacker attracts surrounding nodes with unfaithful routing
information, and then performs selective forwarding or alters
the data passing through it. To detect such attack the following
pattern can be checked: "All the traffic within a monitored area
converges to the same destination which is compromised by
the attacker".
c) Sybil attack pattern: Typically a Sybil attack [13]
occurs in a distributed environment, where an adversary node
exploits the absence of a central authority useful to the
verification of nodes identities. An adversary node pretends to
be multiple distinct nodes called Sybil nodes. A list of patterns
that can be used to reveal the existence of Sybil attack in the
network is given here in after
A group of nodes, which typically corresponds to adversary and Sybil identities, move simultaneously, and not
at will.
A node X, which moves out of communication range of
an adversary node, say Y, at the same time all the Sybil
nodes created by Y become out of communication range
of X.
The adversary and Sybil nodes do not transmit data in
parallel (since they share the same radio resources).
The resources available at the adversary and the Sybil
identities appear to be the same. All of these nodes
have the same performance including processing time of
packets, and detection sensitivity
IV. ARCHITECTURE OF AN OBSERVED MOBILE ADHOC
AND SENSOR NETWORK

We consider a flat and multi-hop Mobile Adhoc or Sensor

Network (MASNet), which is composed of set of mobile
nodes which can be legitimate or malicious. All links are
bidirectional and two neighbor nodes can always generate or
forward datagrams to each other. All nodes are assumed to
be equipped with the same transmission system, and send
datagrams using the same transmission power to communicate
with neighbors. They can also connect and disconnect to the
network at any time.
To support digital investigation, some nodes in the network,
called observers, are endowed with enhanced computational
resources and powerful antenna reception gain. Every observer
allows to monitor a separate area in the network called clusters,
and is able to detect the transmission of any datagram sent or
received by a regular node within the cluster it monitors. Every
observer in the network is in charge of: a) maintaining a library
of attack patterns; b) detecting the existence of patterns or
fragment of patterns within the monitored traffic and network
mobility scheme; c) generating digital evidences containing
information regarding the detected pattern, the time-stamp of
detection, and values of some parameters extracted from the
datagrams sent by users to differential between datagrams
related to the same attack scenario; and c) sending and
forwarding evidences to the investigator node. An investigator
node, is an observer node which is dynamically chosen based,
for instance, on the degree of its connectivity with other

observers, or on the availability rate of its computational

resources. Since the process of evidences analysis may require
the centralization of some operations, the investigator node
will be the observer node which executes investigation-related
algorithms. It is in charge of: a) securely collecting observations from the remaining observer nodes and the compromised
node; b) combining patterns located in the collected evidences;
c) maintaining a library which associates for every attack
scenario the list of patterns that should be detected; and d)
identifying potential attack scenarios satisfying the combined
patterns; and c) hypothetically generating unobserved events.
Observer nodes are assumed to: a) have sufficient resources
to store and process evidences; b) be compromise independent,
well behaving, and able to securely exchange evidences and
decisions between them. In this context, a set of key credentials
are supposed to be securely distributed and stored in each
node before the system initialization; c) communicate using a
frequency range which is different from the one supported by
user nodes; d) have synchronized clocks. This property can be
stated using different possible time synchronization protocols;
and d) monitor the network topology within their cluster. In
this context, every regular node is supposed to periodically
perform a one-hop broadcast of a Hello message, so that each
neighbor node can append the sender identity to a list, called
list of one-hop neighbors. Moreover, every regular node is
assumed to periodically perform a one-hop broadcast of its
list of one-hop neighbors. The observer node, which is able
to listen to all forwarded Hello messages and lists of onehop neighbors sent with the monitored cluster, will be able to
determine the network topology in that cluster. Observer nodes
form together a separate virtual network, called observation
network.
Mobile nodes in the network are aware of the existence
of observers, but are unable to determine their identities. The
implementation of the observation network can be performed
using one of the two following approaches:
extending the role of some basic nodes in the network to
be in charge of doing observation-related activities. They
interact with the remaining regular nodes to maintain
the network connectivity and forward traffic. To monitor
transmission between regular nodes within their transmission range, observers set their network interface in
promiscuous reception mode. The double role they will
play should be undetectable by the remaining user nodes;
deploying a set of observer nodes, which are totally independent of other nodes and in charge of only performing
observation-related tasks.
We suppose that the probability of datagrams collision is
reduced to its lowest value, and the used routing protocol
is assumed to avoid loops in the process of routing. Figure
1 illustrates the architecture of the above discussed observed
mobile adhoc or sensor network.

,,

,--------------------------,
,

C-~_~ ---------_

""
,/

r------r~-------'1

J __

Integrated observation network

J
:

l __ J'

,/

""

:
j

Figure 1.

Observer node
Regular MASNet node

Architecture of an observed mobile adhoc or sensor network

V.

PREPARING FOR INVESTIGATION

The aim of this section is to formally represent attack

scenarios, and describe patterns of attacks.
A. Formalizing attack scenarios

We consider a system specification Spec that models the

investigated system by a set of variables V and a library
of elementary actions A. An action in A denotes the event
to be executed on the specified system. It could represent a
legitimate or malicious event on the system. A system state
8 E S, which is generated by the execution of actions, is a
valuation of all variables in V. Formally, a state 8 is given
by s = (vds], ..., vn[s]), where Vi E [l..n] : V i E V and
Vi [8] is the value of V i in state 8. This valuation allows the
provide a complete description of the investigated at any step
of the executed attack scenario. An action A describes for
every variable V in V the relation between its value in the
previous state state, say 8, and its value in the new state, say
t. A( 8) = true, iff action A is enabled in state 8 and the
execution of action A on state 8 would produce state t.
An attack scenario, say w, is generated by sequentially
executing a series of actions in A, starting from an initial state,
say 80, letting the system move to a state, say 8 n , along by
a series of intermediate states. Formally, we define a system
execution w in the following form w = (8 0' . . . , 8 n ) , where:
V(A E A 1\ i E [l..n]): A(8 i-l) = 8 i, state 80 and 8n
represent the initial and final system state state, respectively,
and 3j E [O ..n] such that ( 80 ' . .. ,8j) is composed of a secure
states and (8)+1, .. . , 8 n ) is composed of insecure system states
(i.e., the system looks compromised starting from state 8)+1)'
B. Modeling patterns

Several definitions and use of attack patterns were considered by the literature. In this paper, we consider an attack
pattern as a combination of predicates over the set of system
states through which the system progresses during the attack.
We distinguish two types of predicates: single-state based
predicate, and multi-state based predicate.
A single-state predicate, say 7T, is defined over a single
system state of an execution to specify possible values or

properties of some system variables in that state. It can be

used to verify whether some undesirable property, which is
computed over the values of system variables, is true or false
in some instantaneous step of an attack scenario. Contrarily
to a single-state predicate, a multiple-state predicate is defined
over a set of system states or the whole system execution.
Formally, given a predicate it, and an execution w.
1r( s., ..., S J) and 1r( s) represent a single-state and multiplestate based predicate, respectively. {s, s., ..., Sj} is a non
ordered set of system states that belong to the execution w.

C. Operations on patterns
In order to investigate complicated and advanced attack scenarios and reduce false positives, we defined in the following
examples of temporal-like operators over the attack scenarios.
These operators allow to construct advanced patterns starting
from simple ones.
Global t: : The predicate 1r should always hold at every
state of the execution.
1r BeforeT,T' : the predicate 1r holds, at least, T time instants before the predicate becomes true. After it holds,
the predicate 1r remains true during T' time instants.
1r AfterT, T' : the predicate 1r should become true after,
at least, T time instants the predicate became true.
After it holds, the predicate 1r remains true during T'
time instants.
AtT 1r: the predicate 1r holds at some time instant, say T,
of an execution.
EverYT 1r: the predicate 1r should hold, at least one time,
in each T time instants.
Exist x 1r: the predicate 1r should be true at least x times
in the execution.
1r Until : the predicate 1r should hold until holds.
1r Next : the predicate 1r becomes true at the time instant
that succeeds the time instant at which the predicate
holds.
Note that, if the specification is timeliness, a time instant
can refer to a separate state in the execution. The expression
EverYT1r will mean that the predicate 1r should be true, at
least, one time after the transition of each T states. Despite
temporal-like operators, logic operators including 1\, V, -, can
be used to build compound patterns.
VI. ATTACK INVESTIGATION
This section provides a formal model of observed scenarios
and describes a methodology for pattern-based digital investigation.
A. Observing attack scenarios

Collecting evidences regarding the execution of wireless

attack scenarios, is subject to two main issues. First, in the
context of wireless adhoc and sensor networks, the attacker,
the security solutions (Le., the observer nodes), and the intermediate nodes used to route the malicious traffic, may be
mobile. Therefore, for an attack scenario w = (so, ..., sn),
not all the states of the execution will be noticeable for

the security solution in charge of monitoring patterns and

generating evidences. In fact, an observer node may go out of
the transmission range of the attacker node, the victim node,
and/or the intermediate nodes used to route the traffic. We
denote by wQ the system execution noticed by the observer
o after deleting unobserved states from w.
Second, a security solution is deployed to monitor specific
components of the system, so that it cannot determine the
description of the whole system state through the execution of
the attack scenario. Formally, only some of the specification
variables will be observable by the security solution. We
consider an observation function obs() over states, and attack
scenarios. It allows to characterize security solutions used to
monitor the investigated system. The output of obs( ) function
allows to represent the evidence generated by the related
security solution. Such evidence will only show incomplete
information regarding the executed actions and the description
of the system states generated consequently.
We define the observable part of a state s, as obs( s) =
[l(Vl[S]), l(V2[S]), ..., l(vn[s])] where l() represents a labeling
function, which is used to affect to Vi[S], a value from the
following three:

Vi[s]: The variable Vi is visible and its value can be

captured by the observer. The variable value is thus kept
unchanged.
A fictive value E. The variable is visible by the observer
but the variation of its value does not bring it any supplementary information (e.g., the observer is monitoring
a variable value which is encrypted). The variable value
is transformed to a fictive value E.
An empty value 0: The variable is invisible, such that none
information regarding its value could be determined by
the observer.
Note that l(Vi[s]) can be defined in a conditional form letting it
depend on the value of an additional predicate. In the dynamic
form, the label of a variable V in a state s depends on a
predicate p. It is defined in the following form l(v[s]) =
IF p(s ) THEN x ELSE Y where each of x and yare equal to
anyone of the labels defined above (Le., variable value, fictive
value, or empty value).
Given an attack scenario w = (so, ..., sn), we define the
observable part of w, by obs(w). The observation obs(w) is
computed in two stages. First, by transforming w to W. Second,
by letting obsA(w) be the sequence of states observations
obtained from w after replacing each state s in w by obs(s).
Formally, obs(w) = (obs(so), ..., obs(sm)) where m < n. The
final observation obs(w) is obtained from obsA(w) by replacing
any maximal sub-sequence (ObS(Si), ..., obs(sj)) such that
ObS(Si) = ... = obs(sj) by a single state observation, namely
ObS(Si).
The second and third steps followed to compute obs(w)
is based on that fact that: a) the great majority of installed
security solutions are able to monitor the system behavior
further to the execution of an action and not the executed
action itself; and b) if a set of successive states has the

same observation, an observer of the execution is not able

to distinguish whether the system has progressed from a state
to another or not.
B. Methodology for pattern-based investigation

We describe in this subsection a methodology for the

investigation of attack scenarios using patterns.
In the first step, observer should monitor communication
between nodes and network topology within their related
cluster. They generate observations regarding the executed
attack scenarios, in accordance to their available observation
functions.
In the second step of this methodology, every observer
should inspect the generated evidences and verify which of
the patterns, which are available in its library of patterns,
hold in the generated evidences. Several issues complicate
the verification of patterns. First, a pattern may be compound
(Le., composed of several pattern fragments). Some pattern
fragments hold only at some specific part (Le., time instant)
of an attack scenario. However, due to mobility aspect, a
single observer may not be able to compute all the pattern
fragments. In fact, the execution part, over which the pattern
is computable, may not be detectable by the observer or may
be incomplete (does not cover the whole number of states).
Second, every pattern is computable over a different set of
system variables. Since an observer is not able to observe
the whole description of system states, it will compute the
predicates in the pattern over the observable part of the
detectable execution and states. Unfortunately, depending on
the available observations, the pattern component mayor not
be computable. To cope with these issues, observers should
communicate their detected pattern or pattern fragments to the
investigation node together with the time instant at which it
was detected, so that pattern fragments collected from different
observers can be correlated together. To differentiate between
a single pattern fragment which holds one time but is detected
by several observers, from a pattern fragments which occurs
several times in the attack scenario, every observers should
append to the sent message the hash(s) of the packet digest(s)
over which the predicate was computed. If an observer is
unable to compute a pattern fragment because the execution
part is incomplete, it should also append, to the forwarded
evidence, the generated observation and indicate the pattern
fragment that was unable to determine due to some missing
information in the generated observation..
At the third step, the investigator node computes the whole
patterns starting from the pattern fragments received from
observer nodes. The pattern fragment needs first to be correlated based on the appended timestamps. A set of correlation
rules are expected to be defined. Considering for instance the
pattern 1r BeforeT,T' . The observer should :a) receive a
message from at least an observer stating that pattern fragment
1r held true at some observed attack scenario; b) receive at
least T' message from other observers in the network stating
that pattern fragment held true at different subsequent time
instants in the same attack scenario; and c) the timestamps

related to the detection of the first occurrence 1r and the

last occurrence of should be separated by T time instants.
Due to mobility and multiplicity of observers, a single pattern
fragment may be detected by several observers. For the case of
pattern fragments that cannot be computed by observer nodes
due to missing information, the investigator node assembles
and correlates the received observations with observations
collected from other observer nodes. It verifies again whether
the pattern fragment becomes computable.
In the last step of this methodology, once patterns become
computable, the investigator node identifies the potential attack
scenarios related to that pattern. In the case where some pattern
fragments remain non computable, hypotheses may be generated to complete the missing values of unobserved variables or
attack scenarios fragments. Since, several hypotheses may be
generated to complete unobserved values of some variables,
rules for guaranteeing the consistency of hypotheses based
on knowledge of the investigated system may be defined and
used for that purpose. Examples of consistency checking rules
include the following:
Two variables may not be allowed to get some specific
values together in the same state of an execution. For
instance, a user cannot get response for its request while
the requested service is down.
The value related to some variable, in some state, say s,
of an execution, should be consistent with the history of
other variables in the previous state ofthe same execution.
For instance, a user account cannot become locked unless
several authentication errors were observed previously in
the attack scenario.
VII. CASE STUDY: WORMHOLE ATTACK INVESTIGATION
The aim of this section is to demonstrate the use of
patterns for the investigation of wormhole attacks in Mobile
Adhoc and Sensor Networks. An attacker could use such
technique to attract traffic through it and potentially generate
a denial of service. We consider in this example the case
of reactive routing protocols. To model the routing establishment phase of such protocol, we use four variables, namely
src, cid, nid, nl, pid, rreq. The first variable stands for the
source address of the node who initiates the route request.
The second variable stands for the identity of the node which
is forwarding the datagram in the current step of the attack
scenario. The third variable represents the identity of the node
to which the node cid has forwarded the datagram. The fourth
variable stands for the list of identities of nodes that are
neighbors to the node cid in the network. The fifth variable
represents the value of the packet digest computed over
the immutable fields of the packet header. The last variable
represents the route record field to which an intermediate node
appends its identity when it forwards the route request.
Figure 2 shows a network topology containing twelve nodes,
where ri; represents the i t h node. Node nl has generated and
broadcasted a route request datagram to establish a route to
the destination node n12. An encapsulation-based wormhole
attack is created between nodes n2 and nIl so that the path

Figure 2.

wormhole attack

[n1' n2, n3, n5, n6, nS, nU, n12] will appear shorter than the
path [nl, n4, ng, n lO, n13, n12] ' Node n3 encapsulates the
route request forwarded by n2, forcing the subsequent nodes
in the path to append their identities on the new packet header.
At encapsulation, the route record of the inner packet becomes
invisible and the new outer packet appears with an empty route
record. The node n3 appends its identity to the new empty
route record. Later, node n u decapsulates the received route
request, appends its identity and forwards it. Node n12 extracts
from the received route request the series of nodes identities
appended during the forwarding of that datagram. Only the
identities of nodes nl, n2, n u , and n 12 will be visible.
Figure 3 shows the description of the attack scenario, say
w, as a series of eight states, where every state is a valuation
of the six variables. Formally, w = (so, ..., ss).
Since, by definition, the observer node is able to detect the
transmission of any datagram within its cluster, we define
P( s) ~ cid(s ) E ListCov(o) and PI(s) ~ (nid(s ) E
Li stCov(o) as the predicate which allows to test whether the
packet is sent by, or sent to, a node within the coverage of
some observer node say 0 , respectively. Function Li stCov( -)
takes as input the identity of the observer node and returns the
list of nodes within its coverage.
Th observation function related to the observer nodes in the
network is defined using the following dynamic labels on the
system variables.
l(s, src ) = IF (P( s) V P( S')) THEN src ELSE 0.
l(s , cid) = IF (P( s) V P (S')) THEN cid ELSE 0.
l(s, ni d) = IF (P (s ) V P(s'))THEN nidELSE0.
l(s, nl) = IF P (s) THEN src E LSE 0.
l(s, pid) = IF (P (s ) V P( S')) THEN src E LSE 0.
l(s, rreq) = IF (P( s) V P( S')) THEN sr cELSE 0.
Since all the fields in the datagram can be read by an
observer node if it able to detect it transmission, all system
variable, except variable nl, are visible if one of the predicates
P or P' is true. Especially, variable nl is visible if the
predicate P is true. In fact, the observer is able to determine
the list of neighbors of some node, only if its within its
coverage. Note that this information can be deduced later if
the observer asks its neighbor in the observation network to

forward it the list of neighbor regarding some sensor node in

the network.
The observation obtained from the first observer, say 0 1,
regarding the executed attack scenario is given by:
obso ! (w) = ([nl, n l, n2, {n1' n4}, h, (n1)], [n1, n2, n4,
{n1, n3}, h , (nl, n2)], [n1, n3, n5, {n2, n5}, h', (n3)],
[n1, n5, n6, 0, h' , (n3, n5))], [0,0,0,0,0,0]).
The observation obtained from the fourth observer, say 0 4,
regarding the executed attack scenario is given by:
obss, (w)
= ([0, 0, 0,
0, 0, 0] ,
[nl, ns, n u, 0,
h' , (n3, n5, n6, ns) ]
[n1, n u, n12 ,
{ns , n12}, h, (n1, n2, n u) ],
[nl, n12, - , {nu , n13},
h, (n1, n2, n u, n 12)]).
The observation obtained from the second observer, say 05,
regarding the executed attack scenario is given by:

obs o5 (w)
= ([0,0,0,
0,0,0] ,
[n1, n6, ns , 0,
h' , (n3, n5, n6)],
[n1, ns, n u, {n6, n7, n u }
h' , (n3, n5, n6, ns) ], [nl, n u, n12, 0, h , (n1, n2, n u) ],

[0, 0, 0, 0, 0, 0]).
To detect the attack, the following pattern fragments should
be defined. The first, say n , is a multi-state based predicate
which states that the packet hash changes when the route
request is forwarded from node ni d to node cid, and the packet
is forwarded to a neighbor node which appends its identity to
the route request. The second pattern fragment is a single-state
predicate which indicates that the route request includes only
the identity of the processing node. This processing node does
not represent the node which initiates the route request. The
third predicate, say 'IjJ, is a multi-state based pattern which
states that the route record contained in the route request
forwarded by a node does not include any node identity from
the route request it received.

'Jr(Si, Si+1) ~

1\
1\
1\

(s )

.<.

pid(Si+1) i- pid(Si)
ni d(si ) = cid(si+1)
cid(Si-1 ) (j rre q(Si)

I\rreq(s ) = (Cid (S))

I\rreq(s ) i- src(s )
I\rreq(s ) E nl(si- 1)

src = nl
cid = nl
nid = n2
nl = {n2, n4}
pid = h
rreq = (nl)

src = nl
cid = n2
nid = n4
nl = {nl, n3}
pid = h
rreq = (nl, n2)

src = nl
cid = ns
nid = nIl
nl = {n6, n7,nll}
pid = h'
rreq = (n3, ns, n6, ns)

src = nl
cid = n3
nid = ns
nl = {n2,nS}
pid = h'
rreq = (n3)

src = nl
cid = nIl
nid = n12
nl = {ns, n12}
pid = h
rreq = (nl, n2, nIl)
Figure 3.

/\Vx E rreq (Si-l) : x

/\rreq(s) =1= (Cid ( S ) )

src = nl
cid = n6
nid= ns
nl = {nS, n7,nS}
pid = h'
rreq = (n3, ns, n6)

src = nl
cid = n12
nid= nl = {nIl, n13}
pid = h
rreq = (nl, tiz, nIl, n12)

Attack scenario description

tt rreq ( s, )

/\cid(s) E nl(si-l)

To detect encapsulation-based wormhole attack, the following pattern, defined as (( /\ 1r) Afterl, 1 -,( /\ 1r), (-,(1r /\
tt/J) After. 1 (1r /\ tt/J) ), can be used. It states that the predicate
/\ 1r should become true immediately after the predicate
-,( /\ 1r) became true. After it holds, the predicate /\ 1r
remains true during one step of the execution. Later in the
execution the predicate (1r /\ ) should become true, and
immediately after that the predicate -, (1r /\ ) holds for one
step of the execution.
Further to the attack scenario execution, the observer node
01 detects the holding of the predicate fragments 1r and . As
for the observer node 04, it detects the holding of the predicate
1r. However, since variable nl in the sixth state is unobservable,
the observer node 04 is unable to determine whether the
predicate tt/J is holding. It indicates in the message that it sends
to the investigator node that the predicate tt/J cannot be verified
unless the value of variable nl is visible. The observer node
Os is able to determine that the predicate fragment tt/J holds
after it is computed on the third and fourth elements of the
observations. By assembling all the messages received from
the observer nodes, which contain, additionally to the predicate
fragments that hold, the timestamps of their detection, the
investigator node will be able to compute the whole pattern
and prove therefore the execution of the encapsulation-based
wormhole attack scenario.
VIII.

src = nl
cid = ns
nid= n6
nl = {n3,n6}
pid = h'
rreq = (n3, ns)

CONCLUSION

We provided in this work a formal technique for patternbased digital investigation of attack scenarios in wireless adhoc
and sensor networks. The concept of evidences in the form
of patterns, their formal model, and techniques to generate
and verify them are defined. A network of observers in
charge of monitoring nodes communications and verifying
patterns in the forwarded traffic is defined. The use of patterns
for digital investigation allows to reduce the processing and

communication overhead and cover a wide class of attack

scenarios.
REFERENCES
[1] Ali Reza Arasteha, Mourad Debbabi, Assaad Sakhaa, and Mohamed
Saleh. Analyzing multiple logs for forensic evidence. Digital Investigation, 4(1):82-91, September 2007.
[2] Brian D. Carrier. A Hypothesis-Based Approach to Digital Forensic
Investigations. PhD thesis, Purdue University, 2006. CERIAS TR 200606.
[3] Sun Choi, Doo young Kim, Do hyeon Lee, and Jae il Jung. Wap:
Wormhole attack prevention algorithm in mobile ad hoc networks. In
Proceedings of IEEE International Conference on Sensor Networks,
Ubiquitous, and Trustworthy Computing (sutc 2008), pages 343-348,
Taichung, Taiwan, 11-13 June 2008.
[4] Pavel Gladyshev. Finite State Machine Analysis of a Blackmail Investigation. International Journal of Digital Evidence, 4( 1), May 2005.
[5] Issa Khalil, Saurabh Bagchi, and Ness B Shroff. Mobiworp: Mitigation
of the wormhole attack in mobile multihop wireless networks. Elsevier's
Journal of Ad Hoc Networks, 6(3):344-362, May 2007.
[6] Ioannis Krontiris, Tassos Dimitriou, Thanassis Giannetsos, and Marios
Mpasoukos. Intrusion detection of sinkhole attacks in wireless sensor
networks. In Proceedings ofthe 3rd International Workshop on Algorithmic Aspects of Wireless Sensor Networks (AlgoSensors 07), Wroclaw,
Poland, July 2007.
[7] Slim Rekhis and Noureddine Boudriga. A formal approach for the
reconstruction of potential attack scenarios. In Proceedings of the 3rd
International Conference on Information and Communication Technologies: From Theory to Applications (ICTTA '08), April 7-11 2008.
[8] Tye Stallard and Karl Levitt. Automated analysis for digital forensic
science: Semantic integrity checking. In Proceedings ofthe 19th Annual
Computer Security Applications Conference, Las Vegas, Nevada, USA,
December 2003.
[9] Peter Stephenson.
Modeling of post-incident root cause analysis.
International Journal of Digital Evidence, 2(2):1-16, 2003.
[10] Latha Tamilselvan. Prevention of co-operative black hole attack in
manet. JOURNAL OF NETWORKS, 3(5):13-20, May 2008.
[11] Svein Willassen. Hypothesis-based investigation of digital timestamps.
In Proceedings of Fourth Annual IFIP WG 11.9 International Conference on Digital Forensics, Kyoto, Japan, January 27-30 2008.
[12] Svein Yngvar Willassen. Timestamp evidence correlation by model
based clock hypothesis testing. In Proceedings of the 1st international
conference on Forensic applications and techniques in telecommunications, information, and multimedia, 2008.
[13] Jian Yin and Sanjay Kumar Madria.
Sybil attack detection in a
hierarchical sensor network. In Proceedings of the 3rd International
Conference on Security and Privacy in Communication Networks, pages
494-503, Nice, France, September 17-20 2007.