
Journal of Network and Computer Applications 35 (2012) 1022–1034


Review

Detecting node replication attacks in wireless sensor networks: A survey


Wen Tao Zhu a,*, Jianying Zhou b, Robert H. Deng c, Feng Bao b

a State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences, 19A Yuquan Road, Beijing 100049, China
b Cryptography & Security Department, Institute for Infocomm Research, 1 Fusionopolis Way, Singapore 138632, Singapore
c School of Information Systems, Singapore Management University, 80 Stamford Road, Singapore 178902, Singapore

Article info

Article history:
Received 5 September 2011
Received in revised form 14 December 2011
Accepted 12 January 2012
Available online 4 February 2012

Abstract

A wireless sensor network (WSN) consists of a number of tiny, low-cost, and resource-constrained
sensor nodes, but is often deployed in unattended and harsh environments to perform various
monitoring tasks. As a result, WSNs are susceptible to many application-dependent and application-independent attacks. In this paper we consider a typical threat in the latter category known as the node
replication attack, where an adversary prepares her own low-cost sensor nodes and deceives the
network into accepting them as legitimate ones. To do so, the adversary only needs to physically
capture one node, extract its secret credentials, reproduce the node in large quantity, and then deploy
the replicas under her control into the network, possibly at strategic positions, to cripple various WSN
applications with little effort. Defending against such node replication attacks has recently become an
imperative research topic in sensor network security, and the design issues may involve different and
more threatening challenges than detecting typical application-dependent attacks. In this survey, we
classify existent detections in the literature, and explore the various proposals in each category. We
look into necessary technical details and make certain comparisons, so as to demonstrate their
respective contributions as well as limitations. We also present the technical challenges and indicate
some possible directions for future research.
© 2012 Elsevier Ltd. All rights reserved.

Keywords:
Wireless sensor network
Security
Node replication attack
Detection

Contents

1. Introduction
2. Preliminaries
   2.1. Sensor Node Identity
   2.2. Network-related discussions
   2.3. Intrusion detection
   2.4. A quick overview
3. Centralized detection
   3.1. Straightforward scheme
   3.2. Set operations
   3.3. Detecting cloned keys
   3.4. Fingerprint verification
   3.5. Speed test
4. Distributed detection
   4.1. Node-to-network broadcasting (N2NB)
   4.2. Deterministic multicast (DM)
   4.3. Randomized multicast (RM) and line-selected multicast (LSM)
      4.3.1. RM
      4.3.2. LSM
      4.3.3. Countering counterattacks
   4.4. Single deterministic cell (SDC) and parallel multiple probabilistic cells (P-MPC)
   4.5. Randomized, efficient, and distributed (RED) detection
   4.6. Memory efficient multicast: B-MEM, BC-MEM, C-MEM, and CC-MEM
   4.7. Randomly directed exploration (RDE)
   4.8. Rethinking the claimer–reporter–witness framework
      4.8.1. A brief sum-up
      4.8.2. Potential deficiencies
      4.8.3. Formalized design goals
   4.9. Other related work
5. Concluding remarks
Acknowledgments
References

* Corresponding author. Tel.: 86 10 88256432x411; fax: 86 10 88255549.
E-mail addresses: wtzhu@ieee.org, wtzhu@computer.org (W.T. Zhu), jyzhou@i2r.a-star.edu.sg (J. Zhou), robertdeng@smu.edu.sg (R.H. Deng),
baofeng@i2r.a-star.edu.sg (F. Bao).
1084-8045/$ - see front matter © 2012 Elsevier Ltd. All rights reserved.
doi:10.1016/j.jnca.2012.01.002

1. Introduction
Technological advances have made it possible to develop tiny
commodity sensor nodes with off-the-shelf hardware at very low
cost. It is convenient to deploy a wireless sensor network (WSN)
which is a distributed and self-organized network consisting of a
number of such sensor nodes, to inaccessible and even hazardous
areas to perform various monitoring tasks. For example, current
implementations monitor factory instrumentation, pollution levels,
freeway traffic, and the structural integrity of buildings. Other
applications include climate sensing, control in office buildings,
and home environmental sensing systems for temperature, light,
moisture, and motion (Chan and Perrig, 2003). WSNs are quickly
gaining popularity owing to the fact that they are economically
viable solutions to a variety of real-world challenges. However,
because of inherent constraints (e.g., sensor nodes are not made
tamper-resistant due to cost considerations), security in WSN also
poses significant challenges. The proliferation of WSNs will inevitably extend to criminals who can use them for illegal purposes, and
the security issues posed by WSNs represent a rich field of research
problems (Chan and Perrig, 2003).
Threats to sensor networks can be either application-dependent or application-independent. Attacks in the former category
target specific network functionalities such as routing (Karlof and
Wagner, 2003), node localization (Poovendran et al., 2007; Sun
et al., 2007), time synchronization (Poovendran et al., 2007), data
aggregation (Sun et al., 2007; He et al., 2007), and so on, while
attacks in the latter category affect a wide variety of applications
from object tracking and fire alarming to battlefield surveillance.
Until recently, research on intrusion detection in WSNs has
focused on the former category (see a recent survey (Sun et al.,
2007) for an example, where application-independent detection is
completely absent).
In this work, we consider a typical application-independent
threat known as the node replication (a.k.a. clone) attack (Parno
et al., 2005), where an adversary prepares her own commodity
sensor nodes out of off-the-shelf sensor hardware and induces the
network to accept them as legitimate ones. Such a vexing
problem arises from the fact that sensor nodes are typically
unshielded. According to Deng et al. (2005), only a few readily
available tools are needed for complete compromise of a typical
sensor node, and an attacker could obtain copies of all the node's
memory and data (including cryptographic keys) within 1 min of
discovering it, given the proper level of experience. On one
hand, the fact that sensor nodes are not made tamper-resistant
contributes to WSNs' economical feature and thus their wide
adoption. On the other hand, such a low-cost design principle
is highly exploitable by an adversary; she only needs to capture
one genuine sensor node from the network, replicate it with
the exposed secret credentials like codes and cryptographic
materials, and then insert the duplicated nodes at chosen network
locations to undermine the upper-layer applications with little
effort.

The above intrusion scenario is unique to sensor networks.
Since a WSN is geographically dispersed and usually large-scale,
sensor nodes in nature are susceptible to physical capture. Due to
the lack of tamper-resistant protection, once a sensor node is
compromised, all the information inside can be easily revealed,
and thus the adversary can crank out as many replicas as she
desires, all of which are seemingly legitimate (actually, identical
to the original captured one). The adversary then surreptitiously
deploys the replicas, all of which have been maliciously reprogrammed, back into the network, possibly at strategic positions,
to stage a variety of insider attacks (Chan and Perrig, 2003), for
example, to easily bias data aggregation result to manipulate the
decision making. Note that herein the considered threat model is
quite different from the traditional Dolev–Yao one (Dolev and Yao,
1983), where the adversary can overhear, intercept, and synthesize
any message but is limited by certain computational constraints
upon which the security of cryptographic methods is based. In the
threat model introduced for node replication attacks, the adversary
is allowed to compromise nodes, reveal any cryptographic secret,
and insert clones. Further discussion on modeling the intrusion
scenario can be found in Bonaci et al. (2010), which provides a
control theoretic framework to model physical node capture, cloned
node detection, and revocation of compromised nodes.
The corresponding detection (referred to as node replication
detection, clone detection, or replica detection) schemes, which
have only been proposed recently, are then to discern whether
there are such replicas in a WSN, and as will be demonstrated
later, the detection price is usually evaluated in terms of network
communication and node storage overheads. Note that application-dependent intrusion detections (e.g., Karlof and Wagner, 2003;
Poovendran et al., 2007; Sun et al., 2007) are irrelevant to this
problem because replication attacks can jeopardize any WSN
application. On the other hand, general-purpose security protocols like Perrig et al. (2002) have also turned out to be ineffective for
counteracting the attack; it is difficult to identify the
replicas because just like genuine sensor nodes they bear legitimate cryptographic materials for authenticated and confidential
communications.
This article surveys the literature since year 2005 on the
detection of node replication attacks in WSNs. Although it might
be possible to prevent such attacks from the very beginning
(Zhang et al., 2006; Duan and Xu, 2011), prevention in itself is
orthogonal to detection, and thus is not our emphasis. In this
survey, we classify, review, and compare existent research efforts
on replication detection, as well as making necessary clarifications. We also present the technical challenges and indicate some
possible directions for future research. We hope this survey will
better highlight the urgency for defending against node replication attacks (and other application-independent attacks in WSNs)
and spawn further research in this area.
The rest of the article is organized as follows. Section 2
sketches some technical but fundamental backgrounds, which
help us understand the essence of the attack and also simplify the
article presentation. Specifically, two indispensable building
blocks are introduced. We then generally categorize mainstream
detection methodologies into centralized and distributed ones, and
review the two categories in Sections 3 and 4 respectively. Such a
rudimentary classification is not very balanced since research
efforts have focused on the latter so as to conform to the
distributed nature of WSNs. Finally, Section 5 concludes this
article with certain comparisons, where we also indicate some
possible directions for future research.

2. Preliminaries
Before one can dive into the nuts and bolts of a concrete
replication detection protocol (particularly a distributed one),
there are certain building blocks that we need to make clear.
This also gives us a chance to conduct certain clarification and
classification.
2.1. Sensor Node Identity
Since sensor nodes are produced in large quantity out of the
same hardware, each node in a WSN is assigned and then identified
by its software identity, id for short. The replicated sensor nodes are
the same as the original node captured from the network;
everything including the id has to be cloned (though sometimes
based on their roles they may be strategically reprogrammed
slightly differently). If the secret credentials are cloned but the id
is not, the attack is very likely to fail. Herein the point lies in that a
key management scheme for WSNs can bind the keys preloaded to a
node to its id, so that all the cryptographic behaviors of a node are
tied to its id.
Take symmetric pairwise key assignment for example. If a
replicated node claims an id different from that of the originally
captured node, it will be immediately revealed when it is unable
to employ certain pairwise keys that it is supposed to possess (i.e.,
keys bound to the claimed id). Alternatively but more importantly, the id-based public key cryptosystem binds one's public
key (and thus the corresponding private key for signing a
message) to one's id. With an id-based signature scheme, it is
very convenient for a sensor node to authenticate itself to others,
and id-based signature has been necessarily adopted in replication detections since Parno et al. (2005). Extensive discussions of
the id-based signature technique can be found in Parno et al.
(2005). Recent advances in id-based signature schemes for sensor
nodes (along with real implementation) can be found in Liu et al.
(2010).
An attack superficially similar to the node replication attack is
the Sybil attack (Newsome et al., 2004), where one physical sensor
node gains an unfair advantage by claiming multiple ids. The Sybil
attack is also application-independent and enables one malicious
node to multiply its inputs to subvert many protocols like
distributed storage, routing, data aggregation, voting/agreement,
resource allocation, and so on (Newsome et al., 2004); it is just
like the opposite of replication attack, where one logical node id is
reused by multiple physical sensor nodes. The Sybil attack is
outside the scope of this survey article, but is often mentioned in
research efforts against replication attacks (e.g., Parno et al., 2005;
Conti et al., 2007; Brooks et al., 2007; Zhu et al., 2007) as a related
note. Some (Conti et al., 2007) regard Sybil attack as orthogonal to
replication attack. Indeed, if an id-based signature scheme is
adopted, then the adversary cannot associate a compromised
node with extra ids due to not being able to generate the
corresponding private keys. Nevertheless, the id-based signature
only binds a node's public/private key pair to its node id, but by
itself does not counteract the replication attack.

2.2. Network-related discussions
On a high level, the detection of sensor node replication
attacks can be either network-based or not. A typical (but perhaps
the only) instance in the latter case is found in Hussain and
Rahman (2009), where radio signal strength is utilized at a
receiver node to detect node replication (and other attacks like
the Sybil one (Newsome et al., 2004)). The main idea is to harness a
physical characteristic (the radio fingerprint) (Zeng et al., 2010;
Mathur et al., 2010), which is outside the realm of autonomous
network intrusion detection. As a result, the proposal is impractical for unattended and geographically widespread WSNs. Hereinafter, we only consider network-based detections.
A WSN can be either stationary (which is the prevalent case) or
mobile, and replication detection scenarios in stationary and
mobile WSNs can be substantially different. The detection philosophy for stationary WSNs, on a coarse level, is based on the
exclusiveness of node location (Boukerche et al., 2007). That is, a
sensor node should be related to a unique deployment position; if
one logical node id is found to be associated with two or more
physical locations, node replication is detected. Clearly, this
principle is inapplicable to the emerging mobile WSNs, where
sensor nodes may roam in the deployment field all the time. So
far little (Yu et al., 2008; Ho et al., 2009b; Yu et al., 2009; Xing and
Cheng, 2010) has been done to address node replication detection
for mobile WSNs, but we have just made an effort in a separate
work (Zhu et al., 2011). Replication detection in a mobile WSN
involves significantly different scenarios and techniques, and we
will only show a very brief example in Section 3.5. To make the
current survey more focused, herein we are mainly concerned
with detecting replication attacks in stationary WSNs, where all
sensor nodes are fixed and immobile.
Besides the aforementioned id-based signature technique,
another important building block for node replication detection
is a geographic routing scheme (Rührup, 2009) like Karp and Kung
(2000), which is especially pertinent to distributed detections for
stationary WSNs. In a geographic routing protocol, a message
recipient is identified by a physical position (instead of a node id
or an IP address), and a message is typically relayed hop-by-hop from one
node to its neighbor that is closest to the destination, until there
is no node closer to the position than the current node (which
then eventually becomes the receiver). It is supposed that each
node is aware of its own location (hence node localization
(Boukerche et al., 2007) is an implicit assumption), and that a
message sender can somehow (e.g., randomly) determine the
location of the delivery destination. With this information a
message can be routed to the destination without the knowledge
of the network topology or a prior route discovery.
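Greedy geographic forwarding as the paragraph above describes it, written out as an added example (not code from the survey or from any routing protocol it cites). The node positions, the radio range, and all function names are constructed for illustration.

```python
import math
import random

RADIO_RANGE = 1.5  # assumed radio range, in the same units as the coordinates

# Constructed deployment of a stationary WSN: node id -> (x, y) position.
NODES = {
    1: (0.0, 0.0), 2: (1.0, 0.5), 3: (2.0, 1.0),
    4: (3.0, 1.2), 5: (4.0, 2.0),
}


def dist(a, b):
    """Euclidean distance between two positions."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def neighbors(nodes, node_id, radio_range=RADIO_RANGE):
    """Ids of the one-hop neighbors of node_id (nodes within radio range)."""
    here = nodes[node_id]
    return [n for n, pos in nodes.items()
            if n != node_id and dist(here, pos) <= radio_range]


def greedy_route(nodes, source, dest_pos, radio_range=RADIO_RANGE):
    """Relay a message toward dest_pos using only local knowledge.

    Each hop hands the message to the neighbor closest to dest_pos and stops
    when no neighbor is closer than the current node, which then becomes the
    receiver. Returns the list of node ids visited; the last one is the
    receiver. No topology map or route discovery is used.
    """
    path = [source]
    current = source
    while True:
        best, best_d = current, dist(nodes[current], dest_pos)
        for n in neighbors(nodes, current, radio_range):
            d = dist(nodes[n], dest_pos)
            if d < best_d:  # strict decrease guarantees termination
                best, best_d = n, d
        if best == current:
            return path
        current = best
        path.append(current)


def random_destination(rng, width=4.0, height=2.0):
    """A sender picks a destination position at random inside the field."""
    return (rng.uniform(0.0, width), rng.uniform(0.0, height))


if __name__ == "__main__":
    print(greedy_route(NODES, 1, (4.2, 2.3)))   # destination near node 5
    print(greedy_route(NODES, 5, (0.9, 0.2)))   # destination near node 2
    rng = random.Random(1)
    print(greedy_route(NODES, 1, random_destination(rng)))
```

The sender never names the receiver's id: whichever node ends up closest to the chosen position receives the message.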
Distributed replication detections prefer geographic routing to
traditional addressing (e.g., by node ids) because the latter
method does not scale well in a dynamic environment (such as
a WSN): messages destined for a node id will get lost if the
intended node has perished, and newly added nodes will not have
the chance of being message recipients if their ids are not
foreseeable for the senders. Moreover, geographic routing protocols (Karp and Kung, 2000) such as Choi et al. (2007) are
intrinsically self-protective in that they are resistant to sinkhole
and wormhole attacks (Karlof and Wagner, 2003).
2.3. Intrusion detection
In this subsection we talk about node replication detection in
terms of intrusion detection system (IDS). In the traditional
context of computer security, a typical case could be a host-based
IDS auditing the log files generated by the operating system and
various applications and looking for suspicious user actions, or a
network-based IDS eavesdropping the traffic exchanged over a
wired network and performing string matches to identify ongoing attacks. In the context of intrusion detection in a wireless
sensor network (Sun et al., 2007), however, a typical case is that
sensor nodes monitor each other's behaviors, and sometimes a
consensus is needed (e.g., by means of majority voting) to
diagnose the presence of an attack. As will be shown later, node
replication detection is usually based on the collaborative efforts
of a large number of sensor nodes.
The design and implementation of any security service for
WSNs must keep in mind that compared with conventional
computers, the low-cost sensor nodes have limited energy supply
and stringent capabilities. For node replication detection, it has
been identied that communication and storage are the major
overheads for performing the intrusion detection, and there can
be various tradeoffs. The higher the communication cost is, the
faster a sensor node will deplete its battery-powered energy
supply. The larger the storage consumption is, the less room a
sensor node can make for other applications like data collection
and processing. As a result, to make the overall WSN solution
applicable, one may have to trade certain detection metrics (e.g.,
detection rate) for communication efficiency and/or memory
efficiency.
Traditionally, there are two types of intrusion detection techniques (Sun et al., 2007), misuse detection and anomaly detection (Xie
et al., 2011):

• Misuse detection encodes known attack patterns; if a deployed
  IDS finds a match between current activities and pre-defined
  patterns, an alarm is generated. For example, to detect application-based attacks, it is necessary to integrate the detection
  patterns with corresponding applications (Sun et al., 2007). A
  general drawback is that misuse detection is ineffective at
  discovering unknown attacks.
• Anomaly detection creates normal profiles of system states or
  user behaviors and compares them with current activities; if a
  significant deviation is observed, the IDS raises an alarm.
  Anomaly detection can detect unknown attacks but may suffer
  high false positives.

For node replication detection, since it is to identify a known and
dedicated attack, most solutions follow misuse detection (Section
3.3 will review one exception (Brooks et al., 2007), which follows
anomaly detection (Xie et al., 2011)). The attack pattern for misuse
detection is derived from the aforementioned exclusiveness.
Recall that id-based signature binds a node's cryptographic keys
to its logical node id, and that a physical node is supposed to have
a distinctive location. Therefore, the pattern for detecting replicas
(particularly for distributed detection) is that two or more nodes
at different locations possess the same node id. Basically, no false
positives will be incurred when following such a misuse detection.
Nevertheless, there may be false negatives; in other words, the
detection rate may not be 100%. The detection rate may by design
be traded for benefits like communication efficiency, and may
also be subject to runtime factors like the actual number of
replicas existent in the network and the topology of the deployment field (and thus be difficult to predict).
2.4. A quick overview
This section can be summarized with Fig. 1, which establishes
a rudimentary classification, and provides a first step in better
understanding node replication detections. Now we are ready to
explore the various detection schemes recently proposed in the
literature. We first look into centralized solutions in Section 3 and
then turn to distributed ones in Section 4, where representative
proposals in the literature are reviewed basically following the
chronological order. Centralized solutions heavily rely on a
powerful base station for information convergence and decision
making, and are relatively simple to understand, while distributed solutions are typically accommodated by a special detection
mechanism pioneered in Parno et al. (2005) which we call the
claimer–reporter–witness framework. Generally, computing in a distributed
manner is a promising way for WSN applications,
particularly for intrusion detection (Zhu et al., 2004).

Fig. 1. The big picture for node replication detection in wireless sensor networks,
with an elementary taxonomy. The state of the art is represented by the distributed
detections, which typically employ id-based signature and geographic routing as
two building blocks.

3. Centralized detection
In this section we briefly investigate five representative but
distinct centralized replication detection schemes. Besides their
contributions, their respective limitations are also pinpointed,
many of which are found to be fairly serious. In general,
centralized detections barely have an advantage over distributed
detections, which are the topic of the next section and the
emphasis of this survey. Consequently, we do not further compare
the proposals in the centralized category against each other.
3.1. Straightforward scheme
The most straightforward detection scheme is outlined in
Parno et al. (2005) (and similar to the centralized node registration method in Newsome et al., 2004). It requires each node to
send a list of its neighbors (more specically, a list of their ids)
and the positions claimed by these neighbors (and signed by
them, e.g., with an id-based signature scheme) to the base station,
which then examines every neighbor list to look for replicated
sensor nodes. In a stationary WSN, conflicting position claims for
one node id indicate a replication. Once the base station spots
one or more replicas, it can revoke the replicated nodes by
flooding the network with an authenticated revocation message,
e.g., employing μTESLA (Perrig et al., 2002) or id-based signature
(see Section 2.1) for broadcast authentication.
While conceptually simple, this approach suffers from several
drawbacks (Parno et al., 2005) inherent in a centralized system.
First, the base station introduces a single point of failure and can
become a significant bottleneck. Second, the nodes close to the
base station, referred to as hotspots hereinafter, will receive the
brunt of the routing load and thus will quickly deplete their
power supply (usually by irreplaceable batteries). Network connectivity may then be seriously affected. Moreover, besides the
base station, these hotspots will also become attractive targets for
attacks. Third, this approach may incur observable processing
delay, since the base station has to wait for telling reports (to
propagate hop-by-hop and eventually converge), analyze them to
confirm conflicts, and then flood revocations throughout the network. Fourth, some WSNs may not have the luxury of a powerful
base station.
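The base-station check of Section 3.1, as an added example that is not code from the survey or from Parno et al.: neighbor reports carry signed position claims, and an id whose verified claims name more than one position is flagged. An HMAC under a per-id key stands in for the id-based signature, and all keys, ids, and positions are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed secret. Stand-in only: a real deployment would use an id-based
# signature scheme, where the public key is derived from the node id.
MASTER_SECRET = b"constructed-demo-master-secret"


def node_key(node_id):
    """Key bound to a node id (assumed derivation, for this example only)."""
    return hmac.new(MASTER_SECRET, f"id:{node_id}".encode(),
                    hashlib.sha256).digest()


def sign_claim(node_id, pos, key):
    """Tag over the claim 'node_id is deployed at pos'."""
    msg = f"{node_id}|{pos[0]:.1f}|{pos[1]:.1f}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_claim(node_id, pos, key=None):
    """A position claim as a neighbor would collect it: (id, position, tag)."""
    key = node_key(node_id) if key is None else key
    return (node_id, pos, sign_claim(node_id, pos, key))


def verify_claim(node_id, pos, tag):
    """Base-station side: check that the tag matches the key bound to the id."""
    expected = sign_claim(node_id, pos, node_key(node_id))
    return hmac.compare_digest(expected, tag)


def detect_replicas(reports):
    """Examine every neighbor list for conflicting position claims.

    reports: list of (reporter_id, [claims]). Returns (replicated, rejected):
    replicated maps a node id to its sorted distinct verified positions when
    there is more than one; rejected counts claims whose tag did not verify.
    Assumes a stationary WSN, so one id must map to exactly one position.
    """
    positions = defaultdict(set)
    rejected = 0
    for _reporter, claims in reports:
        for node_id, pos, tag in claims:
            if verify_claim(node_id, pos, tag):
                positions[node_id].add(pos)
            else:
                rejected += 1  # unverifiable claims cannot frame a node
    replicated = {nid: sorted(p) for nid, p in positions.items() if len(p) > 1}
    return replicated, rejected


def sample_reports():
    """Constructed scenario: node 3 was captured and a replica placed far away."""
    c1 = make_claim(1, (0.0, 0.0))
    c2 = make_claim(2, (1.0, 0.0))
    c3 = make_claim(3, (2.0, 1.0))
    c4 = make_claim(4, (41.0, 35.0))
    c5 = make_claim(5, (42.0, 36.0))
    # The replica holds node 3's extracted key, so its claim verifies.
    clone3 = make_claim(3, (40.0, 35.0))
    # A claim made without node 5's key: the tag cannot be produced.
    forged5 = make_claim(5, (9.0, 9.0), key=b"\x00" * 32)
    return [
        (1, [c2, c3]),
        (2, [c1, c3]),
        (3, [c1, c2]),
        (4, [c5, clone3]),
        (5, [c4, clone3]),
        (3, [c4, forged5]),  # report sent by the replica itself
    ]


if __name__ == "__main__":
    print(detect_replicas(sample_reports()))
```

The replica's claim passes verification because it was produced with node 3's own key; only the second position for the same id exposes it.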
3.2. Set operations
Choi et al. (2007) proposed another centralized detection
known as SET, which attempts to reduce the detection overhead
by computing set operations (intersection and union) of
exclusive subsets in the network. We conjecture that the underlying idea is borrowed from secure WSN data aggregation employing network clustering (e.g., He et al., 2007): SET logically
partitions the network into non-overlapping regions (clusters)
respectively managed by leaders (cluster heads), and has these
leaders respectively report to the base station all the ids of the
nodes (including the leader herself) in the region, in the form of a
subset (which is a subset of all node ids network-wide). Intuitively, the intersection of any two subsets of reports should be
empty; otherwise, a replication is detected. Essentially, all node
ids in the network are pulled up by the base station and left to its
discretion.
Although SET declares a reduced number of message transmissions, its comparison with other schemes (e.g., with RM and LSM
(Parno et al., 2005), which are both distributed solutions; see the
next section) is not a fair one; the claimed reduction in the
number of message transmissions is just the result of increased
size per message (simply due to the union operation, i.e.,
combination). Therefore, one may have to question how a
centralized WSN solution like SET (Choi et al., 2007) can compare
with distributed ones like RM and LSM (Parno et al., 2005).
Interestingly, in Choi et al. (2007) it is exactly noted that reporting
every node's id to the base station may cause the size of the report
to become too large, and this problem can be addressed by
using randomized optimization, where a leader (cluster head)
only generates a report of randomly selected members instead of
all nodes in the managed region (cluster). However, such optimization necessitates multiple rounds of reports (actually, this is
also pointed out in Choi et al., 2007), in each of which a certain
part of the members in a region is reported. Taking additional
security mechanisms such as message authentication codes into
consideration, such multiple-round optimization inevitably
results in even higher detection cost in terms of computation
and communication.
Although the above review by us may not be difficult to understand, the actual SET protocol (Choi et al., 2007) is highly complex
due to its complicated components (like authenticated subset
covering and interleaved authentication following Zhu et al.,
2004), which also contribute to increased overload. The real communication cost of SET is left in Choi et al. (2007) as unclear and for
future work. Moreover, the SET protocol may have to be performed
for multiple rounds just to counter colluding replicas. Furthermore, an
unexpected design flaw of SET is reported in Conti et al. (2011): an
adversary can misuse the detection protocol to revoke honest nodes.
A detection scheme similar to SET (but less known) is found in
Znaidi et al. (2009). It passes the workload of the base station on
to the cluster heads themselves.

3.3. Detecting cloned keys
Brooks et al. (2007) proposed a clone detection protocol based
on random pairwise key pre-distribution schemes. Its assumptions and application scenarios are quite different from other
approaches; in fact, it addresses the detection of cloned cryptographic keys rather than cloned sensor nodes and falls into the
category of anomaly detection (Xie et al., 2011). The basic idea is
that in the context of random key pre-distribution, the keys
employed by genuine nodes should follow a certain pattern.
Therefore, it is possible to monitor the key usage (which refers
to the number of times a key is used to set up secure connections
between neighboring nodes, but not to the number of times a key
is used for encrypting or decrypting packets) as authentication
tokens and then detect statistical deviations that indicate clone
attacks. The approach detects the cloned keys by analyzing node
authentication statistics; those keys whose usage exceeds a
certain threshold (determined by the false positive rate) are
considered cloned and erased from the network. To this end,
each node is required to report its pre-loaded keys to the base
station, which then performs an anomaly detection to discover
cloned keys. A counting Bloom filter is utilized to collect the key
usage data.
Nevertheless, it seems that the detection only becomes effective when (i) the size of the keys pre-distributed to each node is
small, (ii) more clones exist in (i.e., are inserted into) the network,
and (iii) a high false positive rate is set. These conditions imply
possibly poor detection accuracy (high false negative and positive
rates) for actual scenarios. Moreover, the detection of cloned keys
assumes an ideal Erdős–Rényi topology where connections
between all nodes are equally likely (Brooks et al., 2007), while
in a practical WSN any sensor node can only communicate with a
limited number of neighbors within a finite wireless communication radius. This number is characterized by d, the average node
degree, also known as the network density, which can be adjusted
by selecting the appropriate transmission range (Zhang et al.,
2009) but still has to be very limited ($d \ll n$). In Brooks et al.
(2007) possible methods for the clones to subvert the detection
are also discussed; the best strategy for a cloned node appears to
be not participating in the protocol. However, related problems
may be overlooked, e.g., how to ensure that the participating
clones report their keys honestly (and exactly) to the base station.
3.4. Fingerprint verification
Xing et al. (2008) proposed detecting clone attacks with nodes'
encoded network community information called the social fingerprint. The scheme consists of two phases. In the first phase, each
node u computes for each neighbor $v \in N_u$ the fingerprint $FP_v$,
which is a reflection of v's fixed neighborhood characteristics; node
v itself is also capable of computing $FP_v$. In the second phase, the
legitimacy of the originator for each message is verified by checking
the enclosed fingerprint, and the detection is conducted both at the
sensor side (seemingly in a distributed manner by the notion) and
at the base station. However, even the detection at the sensor side
needs the base station to process the alarms for decision making,
and thus the scheme is throughout centralized.
Besides all the limitations commonly found in centralized
solutions, the employed coding system unusually asks for an
absolutely fixed WSN: the intended number of nodes is non-adjustable, and thus neither node addition nor disappearance can be
handled. Moreover, a sophisticated replica can intelligently compute by itself a fingerprint consistent with its neighborhood so as
to escape the detection at the sensor side, and it can also dodge
the detection at the base station simply by not communicating
with the base station.

3.5. Speed test
While all the above research efforts against replication attacks
adopt a stationary network model, Ho et al. (2009b) proposed a
fast and effective replica detection scheme for a mobile WSN. It
works as follows. A node a locally broadcasts its location claim to
its temporary neighbors from time to time, and essentially its
location vector $\vec{L}_i$ and the corresponding time information $T_i$
during its movement are collected by a's temporary neighbors
and then sent to the base station. The base station then computes
the measured speed for a as $v_i = |\vec{L}_i - \vec{L}_{i-1}| / (T_i - T_{i-1})$ and compares it with the system-configured maximum speed $v_{max}$. Intuitively, a genuine node should never move faster than $v_{max}$; if the
measured $v_i$ is found beyond the configured $v_{max}$, it is very likely
that at least two nodes bearing the same id are present in the
mobile WSN.
The idea behind the detection protocol is intuitive. However,
accurate measurement is a prerequisite for acceptable false
negative and positive rates. This requires not only a precise
dynamic localization system but also tight time synchronization,
both of which have to be secured against attacks (Poovendran
et al., 2007). Particularly, for accurately sampling the $\vec{L}_i$'s, each
moving node localizing itself has to deal with unstable beacon
signals (or otherwise employ the expensive GPS). Therefore, the
detection may not be affordable for the current generation of WSNs
due to cost concerns. The replicas can also employ a group mobility
strategy (Ho et al., 2009b) such that the perceived velocity is less
than $v_{max}$, and thus evade quarantine by the base station.
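The base-station check described in this subsection, as an added example in Python (not code from the surveyed scheme). The claim tuples are constructed, and the units (metres, seconds), the `loc_error` allowance for localization error and all function names are assumptions of this example; it also shows how imprecise localization turns into a false positive.

```python
import math
from collections import defaultdict

def consecutive_moves(claims):
    """Group (node_id, t, x, y) claims by id and return, per id, the
    (dt, distance) between time-ordered consecutive location samples."""
    by_id = defaultdict(set)
    for node_id, t, x, y in claims:
        # A set drops identical claims relayed by several temporary neighbors.
        by_id[node_id].add((t, x, y))
    moves = {}
    for node_id, samples in by_id.items():
        ordered = sorted(samples)  # reports reach the base station out of order
        moves[node_id] = [
            (t1 - t0, math.hypot(x1 - x0, y1 - y0))
            for (t0, x0, y0), (t1, x1, y1) in zip(ordered, ordered[1:])
        ]
    return moves

def suspected_replicas(claims, v_max, loc_error=0.0):
    """Return the sorted ids whose measured speed exceeds v_max.

    loc_error (assumed parameter) is the worst-case localization error of one
    sample; two samples can inflate a distance by up to 2 * loc_error, so that
    much is subtracted before the comparison."""
    flagged = []
    for node_id, steps in consecutive_moves(claims).items():
        for dt, dist in steps:
            travelled = max(dist - 2 * loc_error, 0.0)
            if travelled == 0.0:
                continue  # movement is within measurement noise
            # dt == 0: same id in two places at once, i.e. unbounded speed.
            if dt == 0 or travelled / dt > v_max:
                flagged.append(node_id)
                break
    return sorted(flagged)

# Constructed sample claims (node_id, time, x, y).
CLAIMS = [
    (7, 0, 0.0, 0.0), (7, 10, 10.0, 0.0), (7, 10, 10.0, 0.0), (7, 20, 20.0, 5.0),
    # id 9: the genuine node near the origin, a second copy 500 m away
    (9, 0, 0.0, 0.0), (9, 10, 8.0, 0.0), (9, 5, 400.0, 300.0),
    # id 3: a genuine node whose position fix jitters by a few metres
    (3, 0, 0.0, 0.0), (3, 1, 7.0, 0.0),
]

if __name__ == "__main__":
    print("no error allowance:", suspected_replicas(CLAIMS, v_max=5.0))
    print("2 m allowance:     ", suspected_replicas(CLAIMS, v_max=5.0, loc_error=2.0))
```

With no allowance the jittery genuine node 3 is flagged alongside the replicated id 9; with a 2 m allowance only id 9 remains.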

4. Distributed detection
All the centralized solutions bear similar deficiencies (Parno
et al., 2005). For example, any compromise of the base station (or
the communication channel around it) will render the solution
useless. For another example, even if there are no attacks, the
nodes surrounding the base station (i.e., the hotspots) will suffer
an undue communication burden that may shorten the life
expectancy of the WSN. All these make a distributed solution a
necessity. At first glance it seems easy to design a decentralized
detection protocol, for example, by localizing the straightforward
scheme in Section 3.1, in a way similar to the neighbor position
verification approach in Newsome et al. (2004). However, such a
local detection may not be able to handle the case where no two
replicas share a neighbor. In fact, the first set of nontrivial
distributed detections was proposed only recently (Parno et al.,
2005). Next, we focus on the relatively more mature schemes (i.e.,
distributed detections for stationary WSNs) and analyze their
respective pros and cons. We summarize in Table 1 the symbols
and parameters commonly employed by distributed detections.
Table 1
Notions for distributed replication detection.

| Symbol | Meaning |
|---|---|
| $ID_a$ | Identifier of node a |
| $l_a$ | Deployment location claimed by node a |
| $\langle ID_a, l_a \rangle$ | Location claim (with an id-based signature) |
| n | Network size (no. of nodes in the WSN) |
| d | Network density (average node degree) |
| p | The probability a neighbor becomes a reporter |
| g | No. of witnesses contacted by one reporter |
| s | Cell size (no. of nodes that a cell should contain) |
| $p_s$ | The probability a node in the destination cell becomes a witness |

4.1. Node-to-network broadcasting (N2NB)
A plausible approach to distributed detection of replicated
nodes is the decentralized (but network-wide) version of the
straightforward scheme in Section 3.1: Every node collects all its
neighbors' ids and their positions, and floods the entire network
with this information employing authenticated broadcast. When
a node receives a broadcast message, it compares those nodes
listed in the message with its own neighbors. Once nodes that
have conflicting positions are spotted, they can be revoked also
with authenticated broadcasts. The major concern with this
approach is its prohibitive communication cost.
A similar but slightly simplified approach is the node-to-network broadcasting (Parno et al., 2005), N2NB for short, where
each node floods the entire network with authenticated broadcast
to claim its own location (instead of its neighbors'). Each node
stores the location information for its neighbors, incurring a
storage cost of $O(d)$. Each node upon receiving a conflicting claim
invokes a revocation procedure against the offending nodes, and
eventually any replica will be cut off by all its neighbors (thus
isolated from the WSN). The N2NB protocol achieves 100%
detection rate as long as the broadcasts reach every node. Assume
the network size is n and certain duplicate suppression algorithm
is employed so that each node only broadcasts a given message
once. Then each location broadcast incurs $O(n)$ messages, as
generally every node in the WSN has to be involved for hop-by-hop propagation. For n broadcasts, the total communication cost
for N2NB is $O(n^2)$. Given the simplicity of the scheme and the
detection rate achieved, this $O(n^2)$ cost may be justifiable for
small WSNs.
The challenge for detecting replication attacks has roots in the
resource scarcity of sensor nodes. For stationary WSNs, such
detection essentially requires network-wide comparison of location-dependent authentication information, and the limited
memory capacity and energy supply place severe constraints on
how much authentication information can be stored per node and
exchanged in the network (Zhang et al., 2009). Hence it is
reasonable to trade the detection rate (e.g., 100% for N2NB) for
other major performance criteria like energy efficiency and
memory efficiency. Note that the wireless transceiver is the
biggest energy consumer for sensor nodes, while the communication cost for N2NB is $O(n^2)$.
4.2. Deterministic multicast (DM)
The DM protocol is actually a negative (or unappealing)
example given in Parno et al. (2005), and has thus received
relatively less attention. However, we find it a good example to
illustrate the claimer-reporter-witness framework; we even
believe it has directly inspired other solutions like SDC and
P-MPC (Zhu et al., 2007), though both schemes are proposed in
Zhu et al. (2007) under another brand, "localized multicast" (see
Section 4.4). The design goal for DM is reduced communication
cost, and the main idea is to only send a node's location claim to a
limited set of deterministically chosen nodes serving as witnesses.
Next, we outline DM as follows.
When a node, referred to as the claimer, locally broadcasts its
location claim to its neighbors, each neighbor, serving as a reporter,
employs a function to map the claimer id to a witness. Then the
neighbor forwards the claim to the witness, which will receive two
different location claims for the same node id if the adversary has
replicated a node. One immediate issue arises: the adversary can also
employ the function to know about the witness for a given claimer id,
and may locate and compromise the witness node before she inserts
the replicas into the WSN so as to evade the detection. To alleviate
this problem, DM employs g instances of a function so that one
claimer id is mapped to g different witnesses (hence the adversary
needs g times more effort to thwart the detection by DM). Nevertheless, each of the d neighbors does not necessarily need to forward
the location claim to each of all g witnesses. Assume they do not
collaborate, i.e., each reporter behaves independently. The well-studied coupon collector's problem (Cormen et al., 2001) tells us
that if the reporters randomly select in all $g \sum_{i=1}^{g} 1/i \approx g(\ln g + 0.58)$
repeatable destinations from all g witnesses for the claimer, then
each witness will probably receive at least one location claim. Hence,
each reporter only needs to select $g \ln g / d$ random witnesses as the
forwarding destinations.
Each sensor node in the network both is a claimer and plays
the role of a witness, if the 1-to-g mapping is well designed.
Therefore, each node in the network stores on average
$(1/n) \cdot g \sum_{i=1}^{g} (1/i) \cdot n \approx g \ln g$ location claims. Assume the WSN deployment approximates any regular polygon. Then the average network path length is $O(\sqrt{n})$, resulting in an overall communication
cost of $O(g \ln g \cdot n\sqrt{n})$ messages. (Table 1 in Parno et al. (2005)
summarizes the costs for the proposals, where DM's network-wide
communication cost is labeled as $O(g \ln g \sqrt{n} / d)$ and DM's
memory cost per node is labeled as $O(g)$; we believe both
inaccuracies there are due to analysis oversights, and similarly,
we summarize the performance analysis later in our Table 2.)

Table 2
Summary of protocol costs: network-wide communication and memory consumption per node.

| Detection protocol | Communication | Storage |
|---|---|---|
| N2NB (Parno et al., 2005) | $O(n^2)$ | $O(d)$ |
| DM (Parno et al., 2005) | $O(g \ln g \cdot n\sqrt{n})$ | $O(g \ln g)$ |
| RM (Parno et al., 2005) | $O(n^2)$ | $O(\sqrt{n})$ |
| LSM (Parno et al., 2005) | $O(n\sqrt{n})$ | $O(\sqrt{n})$ |
| SDC (Zhu et al., 2007) | $O(dp \cdot n\sqrt{n}) + O(s \cdot n)$ | $O(s p_s)$ |
| P-MPC (Zhu et al., 2007) | $O(dp \cdot n\sqrt{n}) + O(s \cdot n)$ | $O(s p_s)$ |
| RED (Conti et al., 2007) | $O(dpg \cdot n\sqrt{n})$ | $O(dpg)$ |
| B-MEM (Zhang et al., 2009) | $O(n\sqrt{n})$ | $O(\sqrt{n})$ |
| RDE (Li and Gong, 2009a) | $O(d \cdot n\sqrt{n})$ | $O(d)$ |
DM is treated as an unfavorable protocol in Parno et al. (2005)
because it does not provide much security. Since the 1-to-g
mapping is deterministic, an adversary only needs to compromise
all the g witnesses for a given claimer id to prevent the conflicting
reports from converging, so that she can deploy as many replicas
with that id as she desires but without triggering any alarm, as
long as no two replicas share a neighbor. The dilemma for DM is
that a large g (for improved resilience) is not affordable because
both the network communication and the node storage are
proportional to g ln g, and yet a small g may allow the adversary
almost unlimited replication ability.
4.3. Randomized multicast (RM) and line-selected multicast (LSM)
Since DM is unappealing for its deterministic property, Parno
et al. (2005) developed two probabilistic algorithms RM and LSM,
which are generally accepted as the pioneering full-fledged replica
detections. RM distributes node location claims to a randomly
selected set of witnesses, exploiting certain combinatorics theory
(the birthday paradox; Cormen et al., 2001) to detect replicas, while
LSM exploits the routing topology of the network to nominate
additional witnesses for a claimer and utilizes geometric probability
for the detection. RM and LSM still follow the claimer-reporter-witness
approach, but the witnesses become unpredictable for the
adversary. Therefore, both schemes can be regarded as improvements of the above DM. They trade efficiency for security, i.e.,
increased resistance is achieved at the price of also increased
communication and/or memory consumption. Both are based on
the emergent properties (Gligor, 2004), while further modifications
and tradeoffs are possible (as to be shown in subsequent subsections). One major difference between RM and LSM lies in that in the
former protocol the reporters randomly select several witnesses,
while in the latter protocol nodes forwarding a location claim (i.e.,
on the path from a reporter to the corresponding witness) also save
the claim for inspection, serving as additional witnesses. Next, we
review them respectively. For completeness/clearness and also a
better understanding of subsequent proposals in the literature, we
include a little more technical details for the pioneering RM and
LSM, though similar assumptions may have already been made in
DM implicitly.
4.3.1. RM
In RM, a claimer node a with id $ID_a$ and location $l_a$ locally
broadcasts to its neighbors its location claim $\langle ID_a, l_a \rangle$ signed with
an id-based signature scheme, where anyone's public key is
essentially her id. Recall from Section 2.1 that all replicas copying the
same public/private key pair have to reuse the same id with the
originally captured node, and that an adversary cannot create
new node ids due to not being able to generate the corresponding
private keys. The id-based signature also enables authenticated
broadcast, as anyone (herein any of the claimer's neighbors) can
authenticate a's location claim by verifying the signature with the
public key immediately derived from $ID_a$. Each neighbor node,
aware of its own position (Boukerche et al., 2007), also verifies the
plausibility of $l_a$ with certain geometric constraints, and with
probability p, becomes a reporter (recall that $p = 1$ in DM). Thus
there are on average dp reporters for node a. Each reporter selects
g random destinations in the network, and forwards the authenticated location claim to each witness node closest respectively
to each of the g selected destinations employing a geographic
routing protocol (recall Section 2.2).¹ Thus there are dpg witnesses for a; as to be shown later, the choice of the product dpg
exploits the birthday paradox (Cormen et al., 2001). Assume a has
a replica a', which involves another set of dpg witnesses. The
probability that the two sets have no intersection can be estimated with $P_1 = (1 - dpg/n)^{dpg}$, and thus the detection rate in the
case of only one replica is $P_d = 1 - P_1$. That is, with probability $P_d$,
two conflicting location claims $\langle ID_a, l_a \rangle$ and $\langle ID_{a'} = ID_a, l_{a'} \neq l_a \rangle$
will be received by at least one common witness, who can
immediately flood the network with the conflicting pair as the
evidence to discredit a and a'. Then each node receiving the pair can
independently verify (with the same public key) the two signatures
to confirm the revocation.
Generally, if there are L compromised nodes with the same id
in the network (that is, there are $L - 1$ replicas), we can employ the
Maclaurin series ($e^x \approx 1 + x$) and formulate the detection rate as
$P_d > 1 - e^{-\frac{(dpg)^2}{n} \cdot \frac{L(L-1)}{2}}$. RM chooses the parameters in a special
manner so that $dpg = \sqrt{n}$ and thus $P_d > 1 - e^{-L(L-1)/2}$. Therefore,
RM detects a single replication of node a ($L = 2$) with probability
above 63%; if a is replicated twice ($L = 3$), the detection rate
rises to over 95%. This is very desirable. However, RM
poses high costs. Each node is both a claimer (each of whose dp
reporters forwards the location claim to g random witnesses) and
a witness for storing the received claims, and thus on average
each node needs to store $(1/n) \cdot dpg \cdot n = \sqrt{n}$ claims. Again assume
the average network path length is $O(\sqrt{n})$. Each of the n nodes
incurs dpg deliveries of its location claim. Therefore, the network
communication cost is $O(\sqrt{n} \cdot n \cdot dpg)$, i.e., $O(n^2)$, which is as
expensive as N2NB (Section 4.1). Actually, one can roughly regard
N2NB as an ultimate edition of RM, where the witnesses for any
claimer are present everywhere in the network (i.e., ubiquitous).
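A Monte Carlo check of the RM detection rate derived above, as an added example in Python (not code from the surveyed papers). It assumes each copy's claim reaches dpg distinct, uniformly chosen witnesses; the function names, the seed and the sample parameters are constructed for this example.

```python
import math
import random

def rm_round_detects(n, witnesses_per_copy, copies, rng):
    """One RM round for a single id held by `copies` physical nodes.

    Each copy's reporters deliver its signed claim to `witnesses_per_copy`
    (the product d*p*g) distinct random witnesses out of n nodes. A witness
    that already stores a different location for the id raises the alarm."""
    stored = {}  # witness index -> location already stored for this id
    for copy in range(copies):
        location = copy  # copies sit at different places, so locations differ
        for witness in rng.sample(range(n), witnesses_per_copy):
            if stored.setdefault(witness, location) != location:
                return True  # two conflicting claims met at one witness
    return False

def simulated_detection_rate(n, witnesses_per_copy, copies, trials=4000, seed=1):
    """Fraction of simulated rounds in which the replication is detected."""
    rng = random.Random(seed)
    hits = sum(rm_round_detects(n, witnesses_per_copy, copies, rng)
               for _ in range(trials))
    return hits / trials

def single_replica_estimate(n, w):
    """P_d = 1 - P_1 with P_1 = (1 - dpg/n)^dpg, for w = dpg."""
    return 1.0 - (1.0 - w / n) ** w

def detection_lower_bound(n, w, copies):
    """P_d > 1 - exp(-(dpg)^2/n * L(L-1)/2), for w = dpg and L = copies."""
    return 1.0 - math.exp(-(w * w / n) * copies * (copies - 1) / 2)

if __name__ == "__main__":
    n = 10_000
    for w in (10, 50, 100):           # 100 = sqrt(n), the choice RM makes
        for copies in (2, 3):
            print(f"dpg={w:3d} L={copies} "
                  f"bound={detection_lower_bound(n, w, copies):.3f} "
                  f"simulated={simulated_detection_rate(n, w, copies):.3f}")
```

The rows with dpg well below $\sqrt{n}$ show why RM cannot shrink its witness sets to save communication: the detection rate collapses long before the cost becomes moderate.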
¹ It is implicitly assumed that each reporter appends (in an authentic manner)
a random destination to each of the location claims (otherwise, other nodes will
have no idea where to forward a location claim). Among several side effects is
increased communication cost. Nevertheless, such appending is not necessary for
detection schemes like DM (due to the mapping function, recall Section 4.2).

4.3.2. LSM
If we interpret RM as a randomized version of DM, LSM can
then be regarded as a less expensive version of RM to decrease the
communication cost. On a high level, when node a's location
claim propagates from a reporter to a witness, all the intermediate nodes on the forwarding path also learn about the information, and can serve as additional witnesses, as shown in Fig. 2.
Hence whenever a conflicting location claim by a replica a'
crosses the forwarding path for a, the intermediate node at the
intersection of the two paths can detect the conflict, i.e., an
intersection corresponds to a detection of the replication attack.
This idea can be compared to the following geometric theorem:
for x randomly drawn lines within a circle, the expected number
of intersections is about $0.339x(x-1)$, and thus we only need a few
such lines to ensure an intersection (e.g., with only $x = 3$ random
lines we expect 2 collisions).

Fig. 2. Randomized multicast (left) and line-selected multicast (right) following the claimer-reporter-witness framework, where the red hexagons stand for claimers with
the same node id, green/blue circles stand for reporters, and green/blue squares stand for witnesses. The squares with two colors (green and blue) stand for the common
witnesses that detect the conflict. (For interpretation of the references to color in this figure legend, the reader is referred to the web version of this article.)
In LSM, the product dpg (inherited from RM) is fixed and set to
a very small constant r ($\ll \sqrt{n}$). Each location claim from a node a
is forwarded to r random nodes following the claimer-reporter-witness
framework, but the intermediate nodes on the r forwarding paths also save a copy of the claim. Once another location
claim $\langle ID_{a'} = ID_a, l_{a'} \neq l_a \rangle$ is received by a witness (either
selected by a reporter, or more likely, an additional one), it floods
the network with the unforgeable evidence to exclude both a and
a'. One may notice that LSM actually draws r line segments
(paths) that originate from reporters around a central point (the
claimer node) and radiate out in random directions (to r random
witnesses), instead of random lines (as in the aforementioned
geometric theorem). However, even so, simulations indicate that
even if there is only one replica (i.e., r random paths radiate from
a, another r paths from a'), setting $r = 2$ assures that the probability for generating at least one intersection (i.e., the detection
rate $P_d$) is above 56%, and $r = 5$ leads to 95%. Similar reliability
holds for realistic WSN deployment fields with irregular topologies far different from a circular domain. Compared with RM, LSM
has the network communication cost scaling as $O(\sqrt{n} \cdot n \cdot r)$, i.e.,
$O(n\sqrt{n})$, and an average node storage cost of $(1/n) \cdot r\sqrt{n} \cdot n$
location claims scaling as $O(\sqrt{n})$.

4.3.3. Countering counterattacks


For an actual WSN, new nodes may be added over time while
old nodes may perish, and it is impossible to foresee when an
adversary would launch a replication attack. Hence it is necessary
to schedule regular detection rounds for RM and LSM (and other
schemes). If a node hears from a neighbor a that did not participate
in the previous round, it will refuse to communicate with a until a
successfully participates in one round. This precludes the adversary
from bypassing the detection, in terms of the time domain. Next we
look at the counterattacks in the space domain.
The adversary may tamper with the detection by disrupting
the routing of location claims from reporters to witnesses, but
this can be easily detected (Karlof and Wagner, 2003) and creates
tell-tale signs of the adversary's presence in the network.
Alternatively, since the witnesses for any claimer become unpredictable in RM and LSM, an adversary may turn to compromise all
the d neighbors of a replica so as to prevent a location claim from
propagating to any witness (actually, to eliminate the reporters at
all). Such a masked replication attack can be addressed with
pseudo-neighbors (Parno et al., 2005) (eventually, additional reporters). Nevertheless, as indicated in Conti et al. (2011), it is possible
for such a replica (whose neighbors have all been compromised) to
lie about its physical position (hence the location claim), which may
be a common drawback of all location-based replication detections.
4.4. Single deterministic cell (SDC) and parallel multiple probabilistic
cells (P-MPC)
Zhu et al. (2007) proposed two schemes SDC and P-MPC under
the brand "localized multicast". Essentially both are variants of
DM (Section 4.2), and can be parsed as network-wide deterministic multicast, followed by in-cell broadcast and probabilistic
storage. In both schemes, the WSN deployment field is considered
as a geographic grid of cells, and a location claim from node a is
sent by its reporters to $g = 1$ (SDC) or $g > 1$ (P-MPC) cells for in-cell
broadcast, the cell id(s) of which is/are deterministically mapped
from $ID_a$; each node in the destination cell(s) then probabilistically chooses to be a witness by saving the claim. If there is a
replica a', its location claim is sent to the same cell(s) for in-cell
broadcast, and thus the witnesses can spot the conflict.
One may remark that the concept "localized multicast" advocated in Zhu et al. (2007) is not very exact. Both schemes also bear
a similar dilemma with DM (Section 4.2) that if the cell size s is
too large, they incur expensive communication cost like N2NB
(Section 4.1); if s is too small, they degenerate back to DM, and an
adversary can defeat both schemes by compromising all nodes in
the g deterministic tiny cells. Note that in the latter case (a very
small s), all prospective witnesses in one cell are deployed close to
each other within a geographically limited region instead of
sparsely spreading throughout the deployment field, and thus it
is easy for an adversary to physically approach and compromise
them once and for all. Therefore, the practicality of SDC and P-MPC
relies on careful selection of s. Unfortunately, in Zhu et al. (2007)
the critical issue of choosing an appropriate cell size s is overlooked; for all provided examples, s is set to 100 nodes without
any explanation/discussion. In practice, one needs to choose s
carefully to find an appropriate tradeoff between efficiency and
security.
Another problem omitted in Zhu et al. (2007) is what we term
the indistinguishable dilemma. Take SDC for example. Once a
location claim by node a arrives at the destination cell, it should
be flooded within the cell so that each node in the cell independently stores the claim (i.e., becomes a witness) with probability
$p_s$. To reduce the in-cell broadcast overhead, SDC requires that the
flooding be executed only when the first copy of a's location claim
arrives at the cell, and the following copies are ignored (Zhu et al.,
2007). Now, let the location claim by a replica node a' arrive at
the same cell, since $ID_a = ID_{a'}$. The conundrum is that the node in
the cell that first receives the claim can be anywhere on the cell
perimeter; if it has not become a witness for a, it is unable to
distinguish between the following two scenarios: (i) the claim is
one of the following copies of node a's claim or (ii) the claim is not
from node a, but from another node a'. Although not specified in
Zhu et al. (2007), an effective solution is available as follows. A
node in the destination cell, upon the first (and only) in-cell
broadcast, needs to temporarily store the received location claim for
a very short period, which corresponds to the time difference
between the arrivals of the location claims forwarded by the dp
reporters of the same a. Note that all these reporters are a's
neighbors, and thus their forwarding paths may overlap significantly and eventually converge, resulting in approximately the
same routing delays (and thus only insignificant time difference).
During this short period, the node in the destination cell simply
ignores any identical copy arriving later, addressing scenario (i).
After that the node will discard the stored claim with probability
$1 - p_s$, but is still ready for addressing scenario (ii). Clearly, with
this solution, conflicting location claims can be spotted no matter
whether they arrive at the destination cell simultaneously or not.
SDC and P-MPC have the same level of costs. The network-wide
communication overhead comprises $O(dp \cdot n\sqrt{n})$ reporter-to-cell
routing and $O(s \cdot n)$ in-cell flooding. The memory consumption per
node scales as $O(s p_s)$. A more recent version of Zhu et al. (2007) is
found in Zhu et al. (2010), where the cell size s is additionally
evaluated with respect to the node communication range.
4.5. Randomized, efficient, and distributed (RED) detection
Conti et al. (2007) proposed a randomized, efficient, and
distributed (RED) protocol, which combines both merits of DM
(Section 4.2) and RM (Section 4.3.1). The major motivation stems
from the fairness or so-called quality of the detection protocol
(Conti et al., 2006): resilience to attacks can be improved by
designs that associate individual sensor nodes with equal risk
level. For example, a protocol where the likelihood for a genuine
node to serve as a witness node (known as the node appeal) is
independent of the node's geographical position is more favorable, because such an area-oblivious protocol actually associates sensor nodes with almost even responsibility.
In RED, each of the d neighbors of a claimer a becomes a
reporter with probability p, and each reporter sends a's location
claim to a set of g pseudo-randomly selected network locations
(hence to g witnesses, like RM). The point is that these pseudo-random locations are computed from $ID_a$ with a 1-to-g deterministic mapping (like DM), which is seeded with a nonce received
from centralized broadcasting (e.g., from a satellite). Once the
random seed is shared network-wide at the beginning of each
protocol iteration, the g witnesses are actually deterministic, and
the witness set selected by any reporter for a is actually the same.
Compared with RM and LSM (Section 4.3), RED's philosophy lies in
just enough witnesses, which is inherited from DM. The product
dpg can be merely a very small constant ($\ll \sqrt{n}$); it is even enough
to set $g = 1$. Clearly, the node storage is dpg location claims, and the
network communication is of $O(\sqrt{n} \cdot n \cdot dpg)$. Importantly, the
incurred overheads are almost evenly balanced among sensor nodes.
The probability that a claimer has no reporter is $(1-p)^d$, and thus the
detection rate is $P_d = (1 - (1-p)^d)^2$ assuming there are only two
nodes sharing the same id.
The pseudo-random choice of witnesses leads to a uniform
witness distribution (area-oblivious). On the contrary, in LSM
(Parno et al., 2005) a very small central area (for a convex
deployment field like a square) may accommodate a large portion
of all the witnesses that spot non-coherent location claims,
because two forwarding paths are more likely to intersect in the
central area; these nodes are just another type of hotspots (recall
Section 3.1), and may become appealing targets of attack and/or
exhausted quickly. This is termed the crowded center problem in
Zhang et al. (2009) to be reviewed in the next subsection. RED
(Conti et al., 2007) following Conti et al. (2006) solves this
problem justifiably, and an updated version is in Conti et al.
(2011). We consider RED as one of the most promising replication
detections in the state of the art. Nevertheless, in Zhang et al.
(2009) it is also noted that the infrastructure for distributing
RED's random seed may not always be available. Moreover, since
for each protocol iteration the witness set for any node is
deterministic, there might exist a dilemma in selecting an appropriate g so as to balance between efficiency and robustness
against node compromise (Zhu et al., 2010).
4.6. Memory efficient multicast: B-MEM, BC-MEM, C-MEM, and CC-MEM
Zhang et al. (2009) proposed four replication detection protocols
in the name of memory efficient multicast (MEM). The first,
B-MEM, is an extension of LSM (Parno et al., 2005), and is the
basis of all other three schemes. It reduces the number of stored
location claims per node by a factor of $\sqrt{n}$ through the use of two
compact Bloom filters, which are maintained by semi-witnesses
(known as watchers) and are reset right before each detection
round. However, additional memory consumption per node has to
be incurred for storing the two filters (essentially compressed
location claims), and the overall node storage still scales as $O(\sqrt{n})$
(i.e., at the same level as LSM). Moreover, simulations show
that B-MEM may lower the detection rate of LSM due to so-called
"false verifications" (Zhang et al., 2009) (essentially the intrinsic
false positives of Bloom filters). The second, BC-MEM, employs a
technique called "cell forwarding" to solve the "cross over" problem:
unlike geometric line segments, which intersect at a common
point, two forwarding paths in LSM may cross without
intersecting at a common node. One can indeed verify the
problem by reconsidering the geographic routing (Section 2.2).
The third, C-MEM, employs a technique called "cross forwarding" to
address the aforementioned "crowded center" problem (Section
4.5): in LSM, random forwarding paths tend to pass the central
area of the deployment field more frequently, where the nodes
suffer far worse overheads. For each claimer, C-MEM first selects a
random point called the cross point in the network, and forwards
the location claim to that point. From there, the claim is then
forwarded in four directions, along the horizontal and vertical
lines that pass the cross point. Last, CC-MEM integrates cell
forwarding and cross forwarding, and thus is a combination of
BC-MEM and C-MEM.
Simulation results show that the performance of C-MEM is
comparable to BC-MEM, because two sets of crossing lines have a
very high probability to intersect at one or two locations. That is,
C-MEM can also mitigate the "cross over" problem. However, cross
forwarding achieves a high probability for intersection only for a
convex deployment field, particularly a rectangle (the simulations
in Zhang et al., 2009 actually employed a square). For the various
irregular topologies considered by LSM such as "thin cross",
"large H", etc. (Parno et al., 2005), the cross forwarding technique
employed by both C-MEM and CC-MEM may work far worse than
in a rectangle; the detection rate may drop drastically.
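Why cross forwarding depends on the field shape can be seen by enumerating every pair of cross points on a grid. This is an added example, not code from Zhang et al. (2009); it assumes one node per grid cell, counts only the four cross lines as witnesses, stops forwarding at the field boundary, and uses a constructed H-shaped field.

```python
def rectangle(width, height):
    """Convex field: every cell of a width x height grid holds a node."""
    return {(x, y) for x in range(width) for y in range(height)}


def h_shape(size, leg, bar):
    """Constructed 'H' field: two vertical legs of width `leg`, joined by a
    horizontal bar of height `bar` centred in a size x size grid."""
    top = (size - bar) // 2
    return {
        (x, y)
        for x in range(size)
        for y in range(size)
        if x < leg or x >= size - leg or top <= y < top + bar
    }


def cross_cover(field, point):
    """Cells that receive a claim forwarded from `point` in four directions.

    Assumption: forwarding along a line stops at the first cell outside the
    field (no routing around voids).
    """
    x0, y0 = point
    covered = {point}
    for dx, dy in ((1, 0), (-1, 0), (0, 1), (0, -1)):
        x, y = x0 + dx, y0 + dy
        while (x, y) in field:
            covered.add((x, y))
            x, y = x + dx, y + dy
    return covered


def intersection_rate(field):
    """Fraction of cross-point pairs whose crosses share at least one node.

    Two claims carrying the same id are caught only if some node lies on
    both crosses, so this is the best-case detection rate for two replicas
    whose cross points are drawn uniformly from the field.
    """
    cells = sorted(field)
    covers = {c: cross_cover(field, c) for c in cells}
    hits = total = 0
    for i, a in enumerate(cells):
        for b in cells[i + 1:]:
            total += 1
            if covers[a] & covers[b]:
                hits += 1
    return hits / total


if __name__ == "__main__":
    print("9x9 rectangle:", intersection_rate(rectangle(9, 9)))
    print("H, thick bar :", round(intersection_rate(h_shape(9, 3, 3)), 4))
    print("H, thin bar  :", round(intersection_rate(h_shape(15, 2, 1)), 4))
```

In the rectangle the vertical line of one cross always meets the horizontal line of the other; in the H-shaped field two cross points in opposite legs, outside the bar's rows, never share a node.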
As to cell forwarding in BC-MEM, the basic idea is to divide the
deployment field into virtual cells (like SDC and P-MPC; Zhu et al.,
2007). By employing a pseudo-random mapping similar to RED
(Conti et al., 2007) but seeded with the detection round number
(an increasing index), in each cell an anchor node is assigned for
each claimer in the network; one anchor node as a representative
of the cell may serve different network-wide nodes. To solve the
"cross over" problem, BC-MEM only chooses witnesses from these
anchor nodes, which serve as definite intersections for forwarding
paths. The price is increased energy expenditure, as any location
claim is no longer forwarded along an approximately straight
path but a zigzag path. A major problem with BC-MEM is that,
similar to Ho et al. (2009b), the cell division and anchor node
selection ask for highly accurate localization, which may not be
affordable for the current generation of WSNs. A less serious
problem is that an adversary may circumvent BC-MEM by
compromising certain deterministic anchor nodes, assuming the
detection only runs for a few rounds. An unaddressed problem is
the policy for cell size selection (as also observed in SDC and
P-MPC; Zhu et al., 2007, recall Section 4.4), which makes fair
comparison with other schemes difficult. In all simulations the
deployment field is always divided into 100 cells without further
explanation/discussion.
4.7. Randomly directed exploration (RDE)
In Li and Gong (2009a), a simplified version of N2NB (Section
4.1) known as randomly directed exploration (RDE) is proposed,
where a location claim along with the claimer's neighbor list is
forwarded in such a manner that each forwarding path
is approximately a straight line segment. We notice such a
directed (i.e., oriented) forwarding approach is just a special
(yet simple) implementation of geographic routing (Section 2.2)
that only works for a convex deployment field (the more regular
the better). The really interesting part lies in its motivation: RDE
tries to mimic N2NB while suppressing broadcast flood. The
underlying idea can be interpreted as follows: if the WSN is
small-scale but very densely deployed, a thin forwarding path
can become a thick belt to cover sufficient overhearing nodes.
Hence it is plausible to substitute such an anycast (as suggested
in Li and Gong, 2009a) for broadcast.
RDE's node storage cost remains the same as that of N2NB (i.e., $O(d)$),
while the network communication overhead is reduced from $O(n^2)$
to $O(d \cdot n\sqrt{n})$, at the price of decreased detection rate. Note that we
add the coefficient $d$ to account for the cost of additionally forwarding
a claimer's neighbor list (which is not forwarded in N2NB), whereas
this cost is overlooked in the evaluation in Li and Gong (2009a).
Actually, the communication reduction from $O(n^2)$ to $O(d \cdot n\sqrt{n})$ is
not very beneficial. Moreover, RDE only seems feasible for an ideal
network model, and the detection rate may not be very significant
even for a convex deployment field.
4.8. Rethinking the claimer–reporter–witness framework
4.8.1. A brief sum-up
In this section we have investigated a dozen distributed
detection protocols, all of which can be accommodated by the
claimer–reporter–witness framework pioneered in Parno et al.
(2005). Following the taxonomy in Fig. 1, we depict the
relationship between these various solutions in Fig. 3, which enables us to
better understand how the research in this area has evolved. It is
also easy to produce another, quite similar illustration
(omitted here for space reasons) for a qualitative comparison
between the schemes. For example, one can replace the text
"additional witnesses" in Fig. 3 (between RM and LSM) with
"trading storage for communication efficiency", replace the text
"cell forwarding" (between B-MEM and BC-MEM) with "resolving
the cross over problem", and so on.
There are also some other proposals (possibly less well-known)
under the same framework. For example, in Li and
Gong (2009b), a detection scheme based on the distributed hash
table is proposed. The main idea is to replace the geographic
routing with the index-based routing in a special upper overlay
network built upon the WSN. This actually increases the network
communication by a factor of log n, and thus is unfavorable.
In Sei and Honiden (2009), instead of developing a new
detection scheme, the problem of efficient selection of reporters
is considered. In the claimer–reporter–witness framework, each
neighbor of a claimer becomes a reporter with probability $p$, and
thus the average number of reporters, $dp$, may be more than
enough; for RED (Conti et al., 2007), SDC (Zhu et al., 2007), and
P-MPC (Zhu et al., 2007), a witness only needs one reporter to
forward the location claim. The reporter determination is to
decrease the number of reporters, so that unnecessary message
forwarding can be restrained. The proposed algorithm cannot be
applied to other schemes like RM or LSM (Parno et al., 2005).

Fig. 3. Relationship between the most well-known distributed node replication detections in the state of the art accommodated by the claimer–reporter–witness framework.

4.8.2. Potential deficiencies
While the prospect of the claimer–reporter–witness framework
seems promising, so far little work has been done to inspect
possible defects of the location-based framework. One exception
is in Conti et al. (2011), where Conti et al. found that a replica can
circumvent detections by lying about its position. As previously
mentioned in Section 4.3.3, if all the neighbors of this cheating
node are corrupted, they will not identify it as a cheater. The
security breakage is posed as a common drawback of both LSM
and RED in Conti et al. (2011), where no countermeasure is given.
Another but more sophisticated circumvention is described in
Zhou et al. (2008), where Zhou et al. introduced a novel
asynchronous node replication attack as a variant of the classical one. The
inventive attack does not violate the assumption that all deployed
sensor nodes are physically fixed and immobile, but can avoid the
detection by major protocols like RM and LSM (Parno et al., 2005). A
competitive scenario is conceived, where two rival WSNs exist in the
same deployment field. Both are stationary. Assume the gray
network attacks the blue network employing $c$ captured nodes.
The main idea is to have the credentials of the $c$ captured nodes
utilized by different nodes of the gray network during each detection
round. Although the number of nodes actively mounting the attack
at any instant is limited by $c$, over a period of time the total number
of nodes actively participating in the asynchronous attack is far
greater than $c$. Note that this is indeed a dedicated replication attack,
though the terminology of "dual id nodes" in Zhou et al. (2008)
might remind one of the (actually irrelevant) Sybil attack (Newsome
et al., 2004) (recall Section 2.1). To confront such an asynchronous
attack, a hybrid approach consisting of both distributed detection
and centralized monitoring is proposed.
4.8.3. Formalized design goals
In Zhou et al. (2008) the challenge in detecting mobile replicas
was already implied, and in Zhu et al. (2011) we concentrate on
detecting node replication attacks in mobile WSNs. While the
solutions proposed there are purely for mobile WSNs, some
principles developed there are generally applicable to static WSNs, too. For
example, we contend that the design goals of a replication detection
scheme can be set according to different information requirement
levels (informally, "whether," "who," and "how many") (Zhu et al.,
2011). Assume the adversary has captured and compromised one
sensor node with id $ID_c$, from which she has created $r$ clones and
then places all these $1 + r$ malicious nodes back into the network. For
any detection protocol:
1. The basic goal is to tell whether there is a replication attack or
not (i.e., $r \geq 1$ or $r = 0$?).
2. If $r \geq 1$, it is often necessary for the scheme to identify the
compromised id (i.e., $ID_c = ?$).
3. Furthermore, it is preferable (though not always necessary) for
the scheme to infer the number of malicious nodes (equivalently, $r = ?$).
In the above, the goal of a higher level implies more
understanding of the security status of the WSN than the goal of a
lower level. For example, only achieving goal level 1 (but not level
2) means detection without identification. In this case, the
network owner is passively aware of the situation that an attack is
ongoing, but is unable to undertake active responses like
revocation and/or emergency recovery; all she could do might
be only to discard the data received from the sensor nodes.
4.9. Other related work
Ho et al. (2009a) assume nodes are organized in groups, each
of which is deployed towards a predetermined geographic
location called the "group deployment point". Since each group of
nodes exhibits similar geographic relations, replication detection
becomes almost a trivial task. The proposed schemes partially
follow (Parno et al., 2005), but "can be made arbitrarily efficient
by increasing the accuracy of deployment knowledge" (Ho et al.,
2009a). This reminds us that the predetermined node
placement sounds more like replication prevention than replication
detection.
Another work that goes further towards prevention (but is still
entitled "detection") is found in Bekara and Laurent-Maknavicius
(2007), which exploits the apparent fact that excluding new
nodes from joining the WSN can trivially prevent replication
attacks. The main idea is to enforce a strict generation- (or
batch-)based node deployment policy, and to tie every node to its
generation when establishing pairwise keys. Although it does not
involve asymmetric cryptosystem, the work (Bekara and
Laurent-Maknavicius, 2007) seems to be inspired by Zhang et al. (2006),
where the private keys of individual sensor nodes are bound to
both their ids and geographic locations.
For the completeness of this survey, we have also checked
some replication detections proposed recently (Kim et al.,
2009a,b; Ko et al., 2009; Meng et al., 2010); unfortunately, the
underlying ideas are all found to be flawed (Zhu, 2011a,b).

5. Concluding remarks
In this paper, we addressed a unique yet application-independent
problem in WSN security known as the node replication
attack. As depicted in Fig. 1, we classified mainstream detection
protocols as centralized and distributed, and reviewed the
literature with a focus on the latter category. For distributed solutions,
the detection overheads are summarized in Table 2 for a quick
comparison. Note that B-MEM (Zhang et al., 2009) is selected as a
representative of the MEM family (Section 4.6). In Table 2 we do
not compare the detection rates because different detections
assume quite different scenarios (regarding deployment field
topology, grid division, ability for network-wide spontaneous
change of a random seed, etc.). Moreover, the detection rates
sometimes may be analytically inferred (e.g., for RED; Conti et al.,
2007), but often may not (i.e., can only be obtained heuristically
with simulations, like for LSM; Parno et al., 2005 and the MEM
family; Zhang et al., 2009).
Due to quite different motivations and assumptions behind
these research efforts as well as their respective strengths and
weaknesses, it may be inappropriate to make general and definite
remarks on which is the most promising or which are better
than the others. For example, even the relatively naive N2NB
(which obviously incurs the highest communication overhead
among all schemes, recall Section 4.1) may be preferable for a
very small WSN due to its simplicity and intuitiveness, while
more sophisticated schemes are found in the three protocols
pioneered in Parno et al. (2005) (i.e., DM, RM, and LSM) and their
various derivatives (see Fig. 3). Nevertheless, we summarize in
Table 3 the different scenarios considered in all the solutions that
have been included in Fig. 3. This helps us better understand the
emphases and tradeoffs of respective proposals, though a
comparison like this has generally been overlooked in the literature.
Table 3
Comparison between the scenarios in replica detections under the claimer–reporter–witness framework.

| Protocol | Assumed deployment model |
| --- | --- |
| N2NB (Parno et al., 2005) | Arbitrary network very small in size |
| DM, RM, LSM (Parno et al., 2005) | Arbitrary network |
| SDC, P-MPC (Zhu et al., 2007) | A (preferably rectangle) grid of cells |
| RED (Conti et al., 2007) | Arbitrary network, preferably rectangle |
| B-MEM (Zhang et al., 2009) | Arbitrary network |
| BC-MEM (Zhang et al., 2009) | A (preferably rectangle) grid of cells |
| C-MEM (Zhang et al., 2009) | Rectangle network |
| CC-MEM (Zhang et al., 2009) | A Rectangle grid of cells |
| RDE (Li and Gong, 2009a) | Convex, small-scale, and dense network |

The recent research has so far been striving for solutions that
incur less communication and occupy less memory, and this trend
will continue towards more efficient detection schemes.
Moreover, we notice one factor that has received relatively less
attention in replication detection is the computational cost
involved. It is reasonable to count on this additional metric when
evaluating various detection schemes besides network
communication and node storage overheads. Adding more generic
evaluation dimensions also allows protocol designers to balance
between various expenditures in an in-depth and more
comprehensive manner.
For future development, one can first reflect on the
thought-provoking discoveries summarized in Section 4.8.2. One can also
borrow some ideas from closely related research topics in WSN
security, like detection of captured nodes (Conti et al., 2008, 2009)
or detection of general compromised nodes (Song et al., 2007;
Zhang et al., 2008). These explorations (Conti et al., 2008, 2009; Song
et al., 2007; Zhang et al., 2008) address application-independent
intrusion detection in sensor networks from different prospects, but
bear intriguing similarities with replica detection (for example, our
latest research efforts on detecting node replication attacks in
mobile WSNs (Zhu et al., 2011) are partially inspired by Conti et al.,
2008). We envision that these relevant security solutions (Conti
et al., 2008, 2009; Song et al., 2007; Zhang et al., 2008) will hopefully
serve as complementary mechanisms in detecting node replication
attacks, and application-independent intrusion detections will
significantly help defend the security for wireless sensor networks.

Acknowledgments
We would like to thank the anonymous reviewers for their
constructive comments. This work was supported by the National
Natural Science Foundation of China under Grant 60970138.
References
Bekara C, Laurent-Maknavicius M. A new protocol for securing wireless sensor
networks against nodes replication attacks. In: Proceedings of the 3rd IEEE
international conference on wireless and mobile computing, networking and
communications (WiMob'07); 2007. October.
Bonaci T, Bushnell L, Poovendran R. Node capture attacks in wireless sensor
networks: a system theoretic approach. In: Proceedings of the 49th IEEE
conference on decision and control (CDC'10); 2010. p. 6765–72. December.
Boukerche A, Oliveira HABF, Nakamura EF, Loureiro AAF. Localization systems for
wireless sensor networks. IEEE Wireless Communications 2007;14(December):
6–12.
Brooks R, Govindaraju PY, Pirretti M, Vijaykrishnan N, Kandemir MT. On the
detection of clones in sensor networks using random key predistribution. IEEE
Transactions on Systems, Man, and Cybernetics, Part C: Applications and
Reviews 2007;37(November):1246–58.
Chan H, Perrig A. Security and privacy in sensor networks. Computer
2003;36(October):103–5.
Choi H, Zhu S, La Porta TF. SET: detecting node clones in sensor networks. In:
Proceedings of the 3rd international conference on security and privacy in
communications networks and the workshops (SecureComm'07); 2007.
p. 341–50. December.
Conti M, Di Pietro R, Mancini LV, Mei A. Requirements and open issues in
distributed detection of node identity replicas in WSN. In: Proceedings of
the 2006 IEEE international conference on systems, man, and cybernetics
(SMC'06); 2006. p. 1468–73. October.
Conti M, Di Pietro R, Mancini LV, Mei A. A randomized, efficient, distributed
protocol for the detection of node replication attacks in wireless sensor
network. In: Proceedings of the 8th ACM international symposium on mobile
Ad Hoc networking and computing (MobiHoc'07); 2007. p. 80–9. September.
Conti M, Di Pietro R, Mancini LV, Mei A. Emergent properties: detection of the
node-capture attack in mobile wireless sensor networks. In: Proceedings of
the 1st ACM conference on wireless network security (WiSec'08); 2008.
p. 214–19. March.
Conti M, Di Pietro R, Mancini LV, Mei A. Mobility and cooperation to thwart node
capture attacks in MANETs. EURASIP Journal on Wireless Communications and
Networking 2009: 13 (Article ID 945943).
Conti M, Di Pietro R, Mancini LV, Mei A. Distributed detection of clone attacks in
wireless sensor networks. IEEE Transactions on Dependable and Secure
Computing 2011(September/October):685–98.
Cormen TH, Leiserson CE, Rivest RL, Stein C. Introduction to algorithms. MIT Press;
2001.
Deng J, Hartung C, Han R, Mishra S. A practical study of transitory master key
establishment for wireless sensor networks. In: Proceedings of the 1st
international conference on security and privacy for emerging areas in
communication networks (SecureComm'05); 2005. p. 289–99. September.
Dolev D, Yao AC. On the security of public key protocols. IEEE Transactions on
Information Theory 1983;29(March):198–208.
Duan M-J, Xu J. An efficient location-based compromise-tolerant key management
scheme for sensor networks. Information Processing Letters 2011;111(May):
503–7.
Gligor V. Security of emergent properties in ad-hoc networks. In: Proceedings of
the 12th international workshop on security protocols; 2004. p. 256–66. April.
He W, Liu X, Nguyen H, Nahrstedt K, Abdelzaher T. PDA: privacy-preserving data
aggregation in wireless sensor networks. In: Proceedings of the 26th IEEE
conference on computer communications (INFOCOM'07); 2007. p. 2045–53.
May.
Ho J-W, Liu D, Wright M, Das SK. Distributed detection of replica node attacks with
group deployment knowledge in wireless sensor networks. Ad Hoc Networks
2009;7(November):1476–88.
Ho J-W, Wright M, Das SK. Fast detection of replica node attacks in mobile sensor
networks using sequential analysis. In: Proceedings of the 28th IEEE conference
on computer communications (INFOCOM'09); 2009b. p. 1773–81. April.
Hussain S, Rahman MS. Using received signal strength indicator to detect node
replacement and replication attacks in wireless sensor networks. In: SPIE
Proceedings of the data mining, intrusion detection, information assurance,
and data networks security; 2009. April.
Karlof C, Wagner D. Secure routing in wireless sensor networks: attacks and
countermeasures. Ad Hoc Networks 2003;1(September):293–315.
Karp B, Kung HT. GPSR: greedy perimeter stateless routing for wireless networks.
In: Proceedings of the 6th international conference on mobile computing and
networking (MobiCom'00); 2000. p. 243–54. August.
Kim C, Park C, Hur J, Lee H, Yoon H. A distributed deterministic and resilient
replication attack detection protocol in wireless sensor networks.
Communications in Computer and Information Science 2009a;56(December):405–12.
Kim C, Shin S, Park C, Yoon H. A resilient and efficient replication attack detection
scheme for wireless sensor networks. IEICE Transactions on Information and
Systems 2009b;E92-D(July):1479–83.
Ko L-C, Chen H-Y, Lin G-R. A neighbor-based detection scheme for wireless sensor
networks against node replication attacks. In: Proceedings of the 2009
international conference on ultra modern telecommunications and workshops
(ICUMT'09); 2009. October.
Li Z, Gong G. Randomly directed exploration: an efficient node clone detection
protocol in wireless sensor networks. In: Proceedings of the 6th IEEE
international conference on mobile adhoc and sensor systems (MASS'09); 2009a.
p. 1030–5. October.
Li Z, Gong G. DHT-based detection of node clone in wireless sensor networks. In:
Proceedings of the 1st international conference on ad hoc networks
(ADHOCNETS'09); 2009b. p. 240–55. September.
Liu J, Baek J, Zhou J, Yang Y, Wong J-W. Efficient online/offline identity-based
signature for wireless sensor network. International Journal of Information
Security 2010;9(August):287–96.
Mathur S, Reznik A, Ye C, Mukherjee R, Rahman A, Shah Y, et al. Exploiting the
physical layer for enhanced security. IEEE Wireless Communications
2010;17(October):63–70.
Meng X, Lin K, Li K. A note-based randomized and distributed protocol for
detecting node replication attacks in wireless sensor networks. In: Proceedings
of the 10th international conference on algorithms and architectures for
parallel processing (ICA3PP'10); 2010. p. 559–70. May.
Newsome J, Shi E, Song D, Perrig A. The Sybil attack in sensor networks: analysis &
defenses. In: Proceedings of the 3rd international symposium on information
processing in sensor networks (IPSN'04); 2004. p. 259–68. April.
Parno B, Perrig A, Gligor V. Distributed detection of node replication attacks in
sensor networks. In: Proceedings of the 26th IEEE symposium on security and
privacy (S&P'05); 2005. p. 49–63. May.
Perrig A, Szewczyk R, Tygar JD, Wen V, Culler DE. SPINS: security protocols for
sensor networks. Wireless Networks 2002;8(September):521–34.
Poovendran R, Wang C, Roy S. Secure localization and time synchronization
for wireless sensor and ad hoc networks. New York Inc: Springer-Verlag; 2007.
Rührup S. Theory and practice of geographic routing. In: Liu H, Leung Y-W, Chu X,
editors. Ad hoc and sensor wireless networks: architectures, algorithms and
protocols. Bentham Science Publishers; 2009.
Sei Y, Honiden S. Reporter node determination of replicated node detection in
wireless sensor networks. In: Proceedings of the 3rd international conference
on ubiquitous information management and communication (ICUIMC'09);
2009. p. 566–73. January.

Song H, Xie L, Zhu S, Cao G. Sensor node compromise detection: the location
perspective. In: Proceedings of the 3rd international conference on wireless
communications and mobile computing (IWCMC'07); 2007. p. 242–7. August.
Sun B, Osborne L, Xiao Y, Guizani S. Intrusion detection techniques in mobile ad
hoc and wireless sensor networks. IEEE Wireless Communications
2007;14(October):56–63.
Xie M, Han S, Tian B, Parvin S. Anomaly detection in wireless sensor networks: a
survey. Journal of Network and Computer Applications 2011;34(July):
1302–25.
Xing K, Cheng X. From time domain to space domain: detecting replica attacks in
mobile ad hoc networks. In: Proceedings of the 29th IEEE conference on
computer communications (INFOCOM'10); 2010. March.
Xing K, Liu F, Cheng X, Du DHC. Real-time detection of clone attacks in wireless
sensor networks. In: Proceedings of the 28th international conference on
distributed computing systems (ICDCS'08); 2008. p. 3–10. June.
Yu C-M, Lu C-S, Kuo S-Y. Mobile sensor network resilient against node replication
attacks. In: Proceedings of the 5th IEEE communications society conference on
sensor, mesh and ad hoc communications and networks (SECON'08); 2008.
p. 597–9. June.
Yu C-M, Lu C-S, Kuo S-Y. Efficient and distributed detection of node replication
attacks in mobile sensor networks. In: Proceedings of the 70th IEEE vehicular
technology conference (VTC'09-Fall); 2009. September.
Zeng K, Govindan K, Mohapatra P. Non-cryptographic authentication and
identification in wireless networks. IEEE Wireless Communications 2010;17(October):
56–62.
Zhang Y, Liu W, Lou W, Fang Y. Location-based compromise-tolerant security
mechanisms for wireless sensor networks. IEEE Journal on Selected Areas in
Communications 2006;24(February):247–60.
Zhang Q, Yu T, Ning P. A framework for identifying compromised nodes in wireless
sensor networks. ACM Transactions on Information and Systems Security
2008;11(March):12:1–37.
Zhang M, Khanapure V, Chen S, Xiao X. Memory efficient protocols for detecting
node replication attacks in wireless sensor networks. In: Proceedings of the
17th IEEE international conference on network protocols (ICNP'09); 2009.
p. 284–93. October.
Zhou J, Das TK, Lopez J. An asynchronous node replication attack in wireless sensor
networks. In: Proceedings of the 23rd international information security
conference (SEC'08); 2008. p. 125–39. September.
Zhu WT. Analysis of a replication attack detection protocol for wireless sensor
networks. In: Proceedings of the 3rd international conference on networks
security, wireless communications and trusted computing (NSWCTC'11);
2011a. p. 593–6. April.
Zhu WT. Node replication attacks in wireless sensor networks: bypassing the
neighbor-based detection scheme. In: Proceedings of the international
conference on network computing and information security (NCIS); 2011b.
p. 156–60. May.
Zhu S, Setia S, Jajodia S, Ning P. An interleaved hop-by-hop authentication scheme
for filtering of injected false data in sensor networks. In: Proceedings of the
25th IEEE symposium on security and privacy (S&P'04); 2004. p. 259–71. May.
Zhu B, Addada VGK, Setia S, Jajodia S, Roy S. Efficient distributed detection of node
replication attacks in sensor networks. In: Proceedings of the 23rd annual
computer security applications conference (ACSAC'07); 2007. p. 257–66. December.
Zhu B, Setia S, Jajodia S, Roy S, Wang L. Localized multicast: efficient and
distributed replica detection in large-scale sensor networks. IEEE Transactions
on Mobile Computing 2010;9(July):913–26.
Zhu WT, Zhou J, Deng R, Bao F. Detecting node replication attacks in mobile sensor
networks: theory and approaches. Security and Communication Networks,
available online May 2011.
Znaidi W, Minier M, Ubeda S. Hierarchical node replication attacks detection in
wireless sensors networks. In: Proceedings of the 20th IEEE international
symposium on personal, indoor and mobile radio communications (PIMRC'09);
2009. p. 82–6. September.
