Distributed Wormhole Attack Detection in Wireless Sensor Networks

Distributed Wormhole Attack Detection in Wireless Sensor
Networks
Yurong Xu 1 Guanling Chen 2 James Ford 1,3 Fillia Makedon 1,3
1 Computer Science Department, Dartmouth College
{yurong, jford, makedon}@cs.dartmouth.edu
2 Computer Science Department, UMass Lowell
{glchen}@cs.uml.edu
3 Univ. of Texas at Arlington, Dept. of Computer Science and Eng.
{Makedon,jford}@cse.uta.edu
Abstract
This paper proposes a distributed wormhole
detection algorithm for wireless sensor networks,
a potential technology for infrastructures of many
applications. Currently, most sensor networks
assume they will be deployed in a benign environment;
however, when a sensor network is deployed
in some hostile environment, attacks (especially
those like wormhole attacks that don’t need
to capture the keys used in the network) may affect
current sensor networks and may even disable
their functions. This paper proposes a distributed
wormhole detection algorithm called Wormhole
Geographic Distributed Detection (WGDD), that

is based on detecting disorder of the networks
capabilities.
This technology has the potential
which is caused by the existence of a wormhole
inside the network. Since wormhole attacks are
passive, this algorithm uses a hop-counting technique
as a probe procedure to detect wormhole attacks,
then reconstructs local maps in each node,
and after that, uses a feature called “diameter” to
detect abnormalities caused by wormholes. The
main advantage of using a distributed wormhole
detection algorithm is that such an algorithm can
provide the approximate location of a wormhole,
which may be useful information for further defense
mechanisms. Simulations show that the proposed
detection method has both a low False Toleration
Rate (FTR) and a low False Detection
Rate (FDR) in detecting wormhole attacks.
1. Introduction
Wireless Sensor Networks (WSNs) [1, 15] are
an emerging technology consisting of small, lowpower,
and low-cost devices that integrate limited
computation, sensing, and radio communication
to provide infrastructures for numerous applications,
such as surveillance, healthcare, industry
automation, and military uses.
Currently, most applications in WSNs assume
that they are deployed in a trusted environment,
but it is possible that a WSN is to be deployed
in an untrusted environments, and so dealing with
security issues will become a central requirement.
In this situation, an adversary can disable the
functionality of a WSN by interfering with packet
transmissions inside the networks with different
attacks such as wormhole attacks, sybil attacks
[12], jamming, and packet injection attacks [17].
This paper focuses on wormhole attack detection
[2, 7, 13]. A wormhole attack doesn’t require
knowing the cryptographic infrastructure of
the sensor network, and thus it puts an attacker in
a very powerful position relative to other nodes
in the network, compared to other attacks such
as sybil and packet injection attacks, which usually
utilize vulnerabilities in the infrastructure of

wireless sensor networks. An attacker can perform
a wormhole attack on a sensor network even
if the network communication infrastructure provides
confidentiality and authenticity, and the attacker
does not have any cryptographic keys.
Currently, there are many methods that have
been proposed for detecting wormhole attacks inside
of ad hoc networks and wireless sensor networks,
and encouraging results have been obtained.
However, these methods usually require
that some nodes in the network be equipped with
special hardware. Solutions such as SECTOR [2]
and “Packet Leashes” [7] need time synchronization
or highly accurate clocks to detect wormholes;
the method of Hu and Evans [5] requires
that a directional antenna is deployed in each
node; and LAD [3], SerLoc [9], and the approach
in [6] concentrate on detecting/defending
against wormholes in localization in WSNs, but
these methods also need the help of anchor nodes
(which are special nodes that already know their
location exactly), which requires manual setup
when a network is deployed.
In comparison with the above methods, in
this paper we describe a distributed method
called Wormhole Geographic Distributed Detection
(WGDD) to detect a wormhole attack without
using anchor nodes or any additional hardware.
Since a wormhole attack is passive, this
algorithm uses a simple hop-counting technique
as a probe procedure to detect wormhole attack,
then reconstructs local maps by MDS (Multidimensional
Scaling) in each node, and after that
uses a feature introduced in this papce called “diameter”
to detect distortions caused by a wormhole.
The main advantage of using a distributed
wormhole detection algorithm is that such an algorithm
can provide the approximate location of a
wormhole, which can assist further defense mechanisms.
Simulation shows that the proposed detection
method has both a low False Toleration
Rate(FTR) and a low False Detection Rate(FDR)
in detecting wormhole attacks.
In this paper, we make the following contribu-

2. Related Work
The wormhole attack detection in wireless adhoc
networks was introduced in [2, 6, 7]. Both
solutions are referred to as “Packet Leashes” [7],
and SECTOR [2]. They detect wormhole attacks
based upon the notion of geographical or temporal
leashes. Briefly, suppose every node in the network
already knows its exact location and each
node embeds its location and a timestamp into
each packet it sends. If the network is synchronized,
then other nodes receiving that packet can
detect a wormhole by detecting the mismatch between
the timestamp difference they calculate and
the location difference they observe. Such a solution
requires a synchronized clock and preknown
location for each node. The method we propose
here does not have these requirements.
tions. (i.) We propose a new feature which can be
used to detect wormholes in a distributed scheme.
(ii.) We propose a distributed wormhole detection
algorithm which needs only local connectivity information.
Since the detection of wormholes is
completed under a distributed scheme, it is possible
that our algorithm can provide the approximate
locations of the ends of wormholes, which
will be helpful in further defense against wormhole
attacks. (iii) We provide extensive simulation
for (i-ii) in NS-2, which shows that our methods
are effective at detecting wormhole attacks on
different network placements.
The remainder of the paper is organized as follows.
Section 2 discusses related work. Section
3 describes some basic concepts related to
wormhole attacks. Section 4 discusses the feature
which detects wormholes inside of a network
In [8], Kong et al.
study Denial of Service
and the details of the WGDD algorithm. Section
5 evaluates the algorithm in an NS-2 simulation
environment. And finally Section 6 gives our conclusions.
(DoS) attacks, including wormhole attacks, in
UWSN (Under Water Sensor Networking). Because
UWSN typically uses acoustical methods
to propagate messages under water, the methods

in UWSN can’t be directly applied into wireless
sensor networks.
In [5], Hu and Evans utilize directional antennas
to prevent wormhole links by assuming every
node of the network will be equipped with directional
antennas that all have the same orientation.
Lazos and Poovendran apply a similar idea in designing
a secure localization scheme called SeR-
Loc [9] that protects against wormhole attacks in
localization. In SeRLoc, there are about 400 anchor
nodes (designated as “beacon nodes” in the
paper) deployed in a 5000-node network. Each
anchor node has a directional antenna and already
knows its physical location. Other nodes in the
network use these anchor nodes to locate themselves.
When there is a wormhole attack in the
network, since a wormhole will shortcut the network,
directional antennas deployed in the anchor
nodes will help in detecting the attack, and
the nodes can then defend against it by discarding
incorrect localization messages. However, if
anchor nodes are compromised, especially those
anchor nodes that are close to a end of a wormhole,
SeRLoc will still have difficulty in detecting/defending
against wormhole attacks.
In more recent papers [3, 10], D. Liu et al. proposed
an anchor-based scheme which is resistant
to several attacks, including wormhole attacks.
By using a hop-counting technique, the scheme
estimates the distance between a node and an anchor
node (or “location reference” in the authors’
terminology). If there is a wormhole inside the
network, then it is possible that the distance from
a node to some anchor node will be changed, and
a simple threshold method is used to determine
whether such a distance difference is caused by
a wormhole attack or by localization error. The
main difference between our method and those of
[3] and [10] is that the latter methods rely on anchor
nodes, which need manual setup in advance,
while our method does not require any anchor
nodes to detect wormholes.
Additional work by [14] presents a useful graph
theoretic framework for modeling of wormhole

attacks, but this theoretic framework is based on
the assumption that there are “guard nodes” know
their locations exactly. Thus, these nodes actually
work as anchor nodes as described in this paper.
Since in this work we assume that none of the
nodes in the network knows its physical location,
which is identified in [14], is that such a visualization
cannot be applied to networks with irregular
shapes, such as a string topology (nodes connected
in one line).
3. The Wormhole Attack
our proposed solution is for a case not covered by
this framework.
MDS-VOW [16] allows visualization of a network
to allow detection of wormholes by finding
bending distortions caused by a wormhole in
Origin end
Wormhole tunnel
Destination
end
Figure 1. A Wormhole Attack in a WSN
computed maps.
The main difference between
our approach and MDS-VOW is that MDS-VOW
can only work in a centralized scheme, so MDS-
VOW needs to have a central computer to finish
In a typical wormhole attack, an attacker receives
packets at one point in the network, forwards
them through a wireless or wired link with
much less latency than the default links used by
the network and relays those packets at another
its computation. In our paper, we extract a new
position in the network.
feature which can efficiently indicate the ends of
a wormhole based only on local bending distortions
caused by the ends of the wormhole. The
algorithm described in this paper is computed by
a distributed scheme and requires no centralized
computation. A general limitation of MDS-VOW,
In this paper we assume
that a wormhole is bidirectional, and when
considering a wormhole attack, we refer to the
end of that wormhole receiving a message as the
“origin end” of the wormhole and the end that
transmits the message as the “destination end” of
that wormhole (thus which end is which is en-

tirely context dependent). Figure 1 shows a typical
wormhole attack.
In this work we assume
wormholes with two endpoints, although in theory
multi-end wormholes are possible.
We also assume that each wormhole in a network
is (1) passive, and thus does not send out
any message without any inbound message, (2)
static, which means that such wormhole will not
move around.
similar hop-counting technique as a probe procedure
(Section 4.2) to detect wormhole attack. After
the running of the probe procedure, each node
will collect the set of hop-count from its neighbor
nodes which are in one(k) hop(s) distance to
it, then that node will run Dijkstra’s algorithm to
get the shortest path for each pair of the nodes,
after that, it will reconstruct a local map by MDS
(Multidimensional Scaling) (Section 4.3). After
4 Detecting Wormhole Attacks
In this section, at first, we will describe our algorithm
in brief, then, by observing the network
with a wormhole inside it, we discuss a feature
which can be used to detect wormhole attacks in
distributed scheme, at last, based on the previous
feature we propose how to detect wormhole attacks.
we discuss a feature called as “diameter” to detect
distortions caused by a wormhole in local
maps in Section 4.4, we will introduce the detection
procedure in Section 4.5. The overview of
this Wormhole Geographic Distributed Detection
(WGDD) algorithm can be seen in Procedure 1.
Procedure 1 Wormhole Geographic Distributed
Detection (WGDD)
1: Probe Procedure
2: Local Map Computation Procedure
3: Detection Procedure
4.1 Overview of WGDD Algorithm
4.2 Probe Procedure
Our distributed algorithm called Wormhole Geographic
Distributed Detection (WGDD) uses a
Since a wormhole attack is passive, which
means that such an attack can only happen when

there is some message being transmitted near the
wormhole area. In order to detect whether there
procedure [18] for node a is shown in Procedure
2.
is a wormhole attack inside a network, we design
a probe procedure to flood an message from
some bootstrap node to the whole networks to let
all other nodes in the network to count the hop
distance from itself to that bootstrap node. Such
probe procedure is based on hop-coordinates [18]
technique to measure the hop distance from each
node to some bootstrap node, which shares the
same idea as hop-counting, but has more accurate
measurement.
Procedure 2 Probe Procedure in node a
1: INPUT: message (hop b ) from node b ∈ N a
2: for message (hop b ) from any B ∈ N a and not
TIMEOUT do
3: if hop b < hop a then
4: hop a = hop b + 1
5: forward (message(hop a ) ) to MAC
6: else
7: drop (message(hop b ) )
8: end if
9: end for
10: if |N a | == 0 then
11: offset a = 0
12: else ∑
13: offset a =
14: end if
15: return hop a
and offset a
b∈Na (hop b −(hop a −1))+1
2(|N a|+1)
(i)In bootstrap node: A bootstrap node x creates
a probe message with (i = id x ) to flood
the network. After that, the bootstrap node will
drop any probe message that was originated by itself.
The bootstrap node has the hop-coordinate:
hop x = 0 and offset x = 0.
(ii) In all other nodes in the WSN: Suppose that
a node a is calculating its hop distance, and node
b is one of the neighbors of node a. Then the basic
probe procedure 2 is as same as hop-coordinates
Here, a is a node, hop a
is the minimum number
of hops to reach node a counting from some
bootstrap node (x), the initial value of it will be
the largest positive value in practice. the combination
of hop a
and offset a is the hop coordinate for
node a, N a is a set of nodes which can be reached
by node a in one hop, and |N a | is the number of
nodes in N a .

50
80
144
140
144
140
90
100
120
120
60
70
100
100
30
40
80
80
0
10
20
0 10 20 30 40 50 60 70 80 90 100
60
60
40
40
20
20
0
0 20 40 60 80 100 120 140 144X
(a) The original location of a 2500node
WSN with one wormhole
0
0 20 40 60 80 100 120 140144
(b) the same 2500-node WSN with one
wormhole siting on the edges of the
WSN
Figure 2. a 2500-node WSN (r = 2m) with one wormhole
4.3 Local Map Computation
In this step, each node will compute a local map
for it’s neighbors based on the hop-coordinate
computed in the previous step. After the generation
of hop-coordinates with Procedure 2, each
node will send a request to its neighbor nodes that
are within one(k) hop(s) to send back their hop
coordinate from some bootstrap node (x).
After each node receives the hop coordinate
(|N a |+1)×(|N a |+1) shortest path matrix (here
|N a | is the number of nodes that can be reached by
node A in one (k) hop(s)) and retain the first two
(or three) largest eigenvalues and eigenvectors to
construct a 2-D (or 3-D) local map.
The total cost for this step is a computational
cost of O(|N a | 3 n) and a memory cost of O(|N a | 2 )
per node, with no communication cost in this step.
4.4 Detection Procedure
from its neighbors, that node will compute shortest
paths between all pairs of nodes one (k) hop(s)
to that node, using Dijkstra’s algorithm or other
similar algorithms.
Then, we apply MDS to the
Based on the local map from previous step,
here we will try to detect attacks. At first let us
have a look of the affection of wormhole attack
on computed map.

Fig. 2(a) and 2(b) shows the same sensor network;
each ‘x’ represents a node, and the red circles
indicate the two ends of a wormhole; in Fig.
2(a), the wormhole is siting in the center of the
network, while in Fig. 2(b), the wormhole is siting
on the edges of the network.
4.4.1 Observation of a Wormhole in a Reconstructed
Map
In order to observe a wormhole, we implemented
the probe procedure 2 and the local map computation
procedure as routing agents and the bootstrap
node for the probe procedure as a protocol
agent in NS-2 version 2.29 [11] with 802.15.4
MAC layer [19] and CMU wireless extensions
[4]. The configuration parameters used for NS-2
are RF range = 15 meters, propagation = TwoRay-
Ground, and antenna = Omni Antenna.
In our first experiment, we used 2500 nodes in a
uniform placement— total 2500 nodes are placed
on a grid with ±0.5r randomized placement error,
where r = 2 m is the width of a small square in
the grid. A wormhole is implemented as a wired
4.4.2 New Feature to Detect Wormhole Attacks
With the fact that each WSN node has limited resources
and has no possibility to store global information,
in order to detect wormholes in a distributed
scheme, each node can only use local information
to detect wormhole attacks.
Consider the two parts of the intruded network
with a wormhole with two ends in Figure 3, by selecting
two parts of the network which is close to
the ends of the wormhole in Figure 2(a). We use a
dotted circle to represent the neighbor area where
a particular node can directly reach in transmission
range R, since there are two ends, we shows
connection.
two parts of the network.
Then, after the circled
node finished local map computation for the
nodes in its local range, it will be getting a local
map as in Figure 4. From this figure, we can
see that because wormhole shortcuts the two parts
of the network, the circled node can reach more

ange than before (if we measure the longest distance
in this local map, it will equal 49m), though
that computed local map is bended by the effect
of the wormhole.
as distancde(a, b) = sqrt((x − x ′ ) 2 + (y − y ′ ) 2 )
in 2D case, here (x, y),(x ′ , y ′ ) are the coordiantes
for node a, b in the local map computed in the
previous step, respectively.
Theoretically, the diameter of the neighbor area
Figure 3. Two Parts of the Network near
Wormhole Ends.Here, parameters: r = 4,
R = 15, red circles represents the wormhole
ends.
for a node will roughly equal or less its transmission
range R, since one node only can hear
from its neighbors within the transmission range
R. But because of the shortcut of wormhole, the
computed map for that neighbor area of that node
2d =49m
Figure 4. Local Map in the Red Circled Node
in Figure 3.After probe procedure and local
map computation in that node which is red
circled.
will be distorted, and so the diameter of that computed
local map will be larger than the physical
one, as shown in 4, we can see 2d = 49m.
In order to verify whether such diameter feature
is working in detecting wormhole in the whole
From the above observation, we instead focus
on detecting wormholes by using a different
feature—the diameter of the computed local map.
We define diameter d for Node a here:
Diameter: d = max(distance(b, c))/2,
Where b, c ∈ N a , here N a is the set of neighbor
nodes of node a, distance(a, b) will be computed
network, we compute the diameter for each node
in the same 2500-node network with and without
wormhole. The results are shown in Figure 5(a),
if we examine nodes that are very near to a wormhole,
such as the area near the red circles in Figure
5(b), the diameters of the local maps for these
nodes will be noticeably increased by proximity

26
24
17
22
Diameter
16
15
14
13
Diameter
20
18
16
0
20
80
100
14
40
60
80
(a) Diameter Measurement in the 2500-node
WSN in Figure 2.(a) without Wormhole
0100
20
40
60
12
100
80
60
X
40
20
(b) Diameter Measurement in the 2500-node
WSN in Figure 2.(a) with a Wormhole
100
80
60
40
Y
20
0
Figure 5. Diameter Measurement without and with Wormhole in a 2500-node WSN. In Figure 5(b),
the diameter of a local map will roughly be R (from 14 to 18, while R = 15 meters) unless there
is a wormhole attack, in which case the diameter of a local map will become longer as the position
draws closer and closer to the wormhole.
to the wormhole, comparing the diameters in the
same nodes in the network without wormhole in
Figure 5(a). But if the nodes are a little farther
away, or in a distant part of the network, such as
the middle area in Figure 5(b), the diameters of
the local maps for these nodes, will be almost as
normal as these in the same area in Figure 5(a),
which is without wormhole.
In Figure 5(b), the diameter of a local map will
roughly be R (from 14 to 18, while R = 15 meters)
unless there is a wormhole attack, in which
case the diameter of a local map will become
longer as the position draws closer and closer to
the wormhole. The diameter reaches the highest
(about 25 m) at the nodes at about 7 m to the ends
of wormhole, then the diameter is decreased, because
the nodes are approaching to the edges of
the network, but still above 22 m.
The ‘diameter’ feature is also good at detect
wormhole attack in networks with irregular
shapes, and in networks with multiple wormholes
inside them. We did some experiments of ‘diameter’
in a network with string topology, and a network
with two wormholes inside it.

diameter
16.8
16.6
16.4
16.2
16
15.8
15.6
15.4
15.2
0 20 40 60 80 100
X
(a) Diameter Measurement in the 50-
node WSN in String Placement without
a Wormhole
Diameter
26
24
22
20
18
16
14
12
0 20 40 60 80 100
X
(b) Diameter Measurement in the 50-
node WSN in String Placement with a
Wormhole
Figure 6. Diameter Measurement in the 50-node WSN in String Placement without/with a Wormhole
In a string topology experiment, we tested a
50-node network, inside of which, each node are
uniformally distributed in a 100 meter string in
one dimension. First we measure the diameter for
each node without any wormhole in the network,
the result is in Figure 6(a). The diameter is at most
16.8 m in Figure 6(a). Then, we add a wormhole
into the network with the two ends of that wormhole
at the two ends of the string. We can see that
right now, the diameters of nodes which are close
to the ends of the wormhole are larger than 22 m,
shown in Figure 6(b).
In order to test the feature of ‘diameter’ in detecting
multiple wormholes in a network, we deployed
two wormholes in the network of Figure
2.a. The measurement of diameter for all nodes
as shown in Figure 7. The locations of the ends
of these two wormholes are represented as red
circles in the same figure. From the figure, we
can see that even two wormholes are very close
to each other, the peaks of diameter are still appeared
in the nodes which are close to the ends of
the wormholes, from our measurement, four peak
values are 24.8, 25.2, 22.2, 22.6 m respectively.
So, by computing the diameter d for local map,
such detection algorithm can runs independently
in each node, in conjunction with the computation
of a local map for the neighboring area. Since
all nodes in this area are within one(k) hop(s) of
the calculating node, the detection algorithm can

Figure 7. Diameter Measurement in the 2500-
node WSN in Figure 2.(a) with Two Wormholes.Here,
red cycles are the ends of wormholes,
the dashed lines are the tunnels of the
wormholes. A ’X’ is represented as a node.
The 50X50 mesh is only for visualization
purpose. Color bar represents the value of
diameter.
compute the diameter of each local map after determining
each neighbor node’s location.
4.4.3 Detection Procedure
Thus, we propose to use the diameter to determine
whether there is a wormhole attack present
or not. From the experiment in Figure 5(a) and
5(b), we can see that usually the diameters for local
maps will be around R, but if there is a wormhole
in the network, then the diameters of the local
maps which are computed by the nodes close
to the ends of the wormhole will be higher to over
22m. So, we can define a threshold for the diameter
to detect wormholes in the network. Since, the
lower the value we assign to such threshold, the
higher possibility it is that nodes send the error
alarms of wormhole. So, based on the above experiments,
we define a threshold as 1.4R (in our
configuration 1.4R = 1.4 ∗ 15 = 21 m) to determine
whether there is a wormhole attack present
or not. In order to adjust the sensitivity of detection
procedure we introduce a constant parameter
λ:
Suppose the diameter of a local relative map is
d; if d > (1+λ)1.4R (here λ is a constant parameter
which is less than 1 and larger than 0), then we
can say there is a wormhole in the network, and
if not, we can say that the error probably comes
from localization error. The details of the detection
algorithm follow.
Suppose node a is an arbitrary node in the
WSN. At first, we propose a distributed detection
Procedure 3, which is used to compute the

diameter after running the probe procedure 2 and
local map computation in Section 4.3, and detect
whether there is a wormhole in the network.
Procedure 3 Wormhole Detection Procedure in
node a
1: INPUT: local map G in node a for N a ∪ {a}
2: diameter d = 0
3: for each b ∈ N a ∪ {a} do
4: for each node c ∈ N a ∪ {a} − {b} do
5: if 2d < distance(b, c) in local map G
then
6: 2d = distance(a, b) in local map G
7: end if
8: end for
9: end for
10: if d > (1 + λ) × 1.4R then
11: return “FOUND WORMHOLE” to sink
node.
12: end if
[11] with 802.15.4 MAC layer [19] and CMU
wireless [4] extensions. The configuration used
for NS-2 is RF range = 15 meters, propagation =
TwoRayGround, antenna = Omni Antenna. We
implemented a wormhole as a wired connection
with smaller latency that forwards packets from
one node to another node.
120
100
80
60
40
20
0
0 20 40 60 80 100 120
The total cost for this step is a computational
cost of O(|N a | 2 n) and a memory cost of O(|N a |)
per node, with no communication cost in this
Figure 8. A typical placement for simulation
(Constructed with n = 400, r = 4. green
dashed ovals are holes and small blue circles
are islands.)
step.
In our all experiments,
we used uniform
5. Simulations Results
5.1 Simulation Environment Setup
Same as to the experiment setup in the previous
section, we implemented our whole detection algorithm
as a routing agent in NS-2 version 2.29
placement—n nodes are placed on a grid with
±0.5r randomized placement error. Here r is the
width of a small square in the grid. We constructed
a total of 60 placements with n = 400,
900, 1600 and 2500, and with r = 2, 4,6, 8, 10
and 12 meters, respectively. The reason we use

uniform placement with ±0.5r error is that usually
such placement produces both node holes and
islands in one placement, as demonstrated in Figure
8. The place of the wormhole is totally randomized
inside of the network.
5.2 Detection Simulation Result
5.2.1 Metrics
As we decrease the value of λ, we can increase
the accuracy of detecting wormhole attack, but
the possibility of fault alarm will be increased. In
order to evaluate the accuracy of our wormhole
attack detection under different λ values, we introduce
the following concepts:
False Detection Rate (FDR): the frequency
with which the detection system falsely recognizes
identical characteristics as being different,
thus failing to tolerate, for example, a normal localization
error.
FDR = (number of normal localization errors
flagged as detected wormholes) / (total number of
trials).
In practice, we count the number of the nodes,
which send out “FOUND WORMHOLE” messages
but are far away from the ends of a wormhole
(We define that if a node is R = 15m away
from all ends of a wormhole, then this node obviously
has few impact of wormhole, and so we
say that such node is far away from the wormhole.),
into the “number of normal localization errors
flagged as detected wormholes”. When FDR
= 0, it means that there is no wrong alarm in detecting
wormholes.
False Toleration Rate (FTR): the frequency
with which the detection system falsely recognizes
different characteristics as identical, thus
failing to detect a wormhole attack.
FTR = (number of wormhole attacks not detected)
/ (total number of trials).
If there is a wormhole in a experiment, but there
is no node to send out “FOUND WORMHOLE”
messages, we will count this as “wormhole attacks
not detects”. So, if FTR = 0, it means that
our detection algorithm is successful in detecting

0.1
0.1
0.1
0.1
0.09
0.08
0.07
FDR
FTR
0.09
0.08
0.07
0.09
0.08
0.07
0.09
0.08
0.07
FDR(%)
0.06
0.05
0.04
0.06
0.05
0.04
FTR(%)
FDR(%)
0.06
0.05
0.04
0.06
0.05
0.04
FTR(%)
0.03
0.03
0.03
0.03
0.02
0.01
0.02
0.01
0.02
0.01
FDR
FTR
0.02
0.01
0
0 2 4 6 8 10 12 15
r (m)
0
0
0 2 4 6 8 10 12 15
r (m)
0
(a) when λ = 0 (b) when λ = 0.1
Figure 9. False Detection Rate (FDR) and False Toleration Rate (FTR) for various node spacings.
wormholes in all experiments.
1
0.9
0.8
0.7
FDR
FTR
1
0.9
0.8
0.7
5.2.2 Simulation Result
FDR(%)
0.6
0.5
0.4
0.6
0.5
0.4
FTR(%)
0.3
0.3
0.2
0.2
We use the same experimental setup as in section
5.1, with one wormhole in each placement, again
0.1
0
2 7 12 17 22 27 32 37
Hop Distance Between Two Ends of a
Wormhole
0.1
0
implemented in NS-2 as a wired connection with
a latency far less than the latency of the wireless
Figure 10. FTR/FDR vs Hop Distance Between
Two Ends of a Wormhole (λ = 0)
connections. Results in terms of FTR and FDR
are shown in Figure 9. Our detection algorithm
has a low FTR with FDR=0 when λ = 0.0as in
Figure 9.a; when λ = 0.1as in Figure 9.b, our
detection algorithm can achieve a low FDR with
FTR=0.
In order to consider about the performance of
our algorithm to detect smaller wormholes (such
as two to three hops long), we plot the all FTR and
FDR experiment data( when λ = 0) on Figure 10
based on the number of hops between two ends of
a wormhole in one experiment. We can see that
if it is a long wormhole such as ≥ 3 hops long,

our detection algorithm archives almost 100% detection
rate (shown as FTR = 0). Even when facing
shorter wormhols which are less than 3 hops
long, our algorithm can still make more than 80%
detection rate (shown as FTR < 20%).
6. Summary and Discussion
In this paper, we discuss how to detect wormhole
attacks in distributed scheme. By assuming
that wormhole attacks are passive, we provide a
probe procedure to let some bootstrap node flood
a probe message to detect some possible wormholes
in the network, the probe procedure produces
a hop-coordinates to each node which represents
the hop distance from that node to the
bootstrap node. Then each node will compute a
local map for its neighbors and itself with the hopcoordinates
collected in the previous step. Since
if there is a wormhole in the network, it causes
some distortions in some local maps of the nodes
which are close to the ends of the wormhole, so
we find a feature called “diameter” to detect such
distortion in distributed scheme, with the help of
that feature– “diameter”, we propose a wormhole
detection procedure.
We test our Wormhole Geographic Distributed
Detection (WGDD) algorithm in simulation environment
under different placements of networks.
The extensive simulation result shows that our detection
algorithm can archive almost 100% overall
detection rate (shown as FTR is around zero,
when λ = 0 in Figure 10.a). Even considering
about the cases of shorter wormholes which
are less than 3 hops long, our algorithm can still
make more than 80% detection rate (shown as
FTR < 20% in Figure 10). We can run our detection
algorithm in stricter model by setuping
λ = 0.1, it this case, we can archive almost zero
wrong alarm rate (shown as FDR = 0 in Figure
10.b).
Since our algorithm is running under distributed
scheme, it means that if there is a wormhole,
then some nodes close to the wormhole will
detect the wormhole attacks, so such advantage

of our algorithm may help in defending against
nodes receive such message will clean the hopcoordinate
inside itself.
Such process will be
wormholes. We may propose the idea of freezing
nodes that have detected wormhole attacks in
their vicinity, along with their neighbor nodes, in
order to isolate and negate the effect of a wormhole.
Suppose that the wireless range for a wormhole
attack equals k times the transmission range R of
a normal node; if this is the case, then it is possi-
ended until there is no node detects any wormhole
attack.
Right now, we are basing experiment to decide
the threshold and λ in deciding whether a diameter
measurement triggers an alarm for wormhole.
One future work may need to improve our algorithm
is how to decide such threshold and λ automatically.
ble that we can stop the transmission of a wormhole
attack by freezing the nodes within k times
References
transmission range R of one detecting location.
Procedure 4 Defending against wormhole attacks
Require: triggered by DetectionProcedure
1: send message(freezing)to all neighbor nodes
in 1(k) hop(s)
2: Broadcast message(relocalization) to the
bootstrap node and other nodes.
[1] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and
E. Cayirci. A survey on sensor networks. Communications
Magazine, IEEE, 40(8):102–114,
2002.
[2] S. Čapkun, L. Buttyán, and J. Hubaux. SEC-
From a node (or nodes), which detects wormhole
attack, a special message will flood out
TOR: secure tracking of node encounters in
multi-hop wireless networks. Proceedings of the
to freeze neighboring nodes.
If the bootstrap
1st ACM workshop on Security of ad hoc and
node (x) receives this message, it will restart the
wormhole detection algorithm again, while other
sensor networks, pages 21–32, 2003.
[3] W. Du, L. Fang, and N. Peng. LAD: Localization
anomaly detection for wireless sensor networks.

Journal of Parallel and Distributed Computing,
66(7):874–886, 2006.
[9] L. Lazos and R. Poovendran. SeRLoc: secure
range-independent localization for wireless sensor
networks.
Proceedings of the 2004 ACM
[4] T. C. M. Group. Wireless and Mobility
Extensions to ns-2. obtain from
http://www.monarch.cs.cmu.edu/cmu-ns.html.
[5] L. Hu and D. Evans. Using Directional Antennas
to Prevent Wormhole Attacks. Proceedings
of the 11th Network and Distributed System Security
Symposium, pages 131–141, 2004.
[6] Y. Hu, A. Perrig, and D. Johnson. Wormhole detection
in wireless ad hoc networks. Department
of Computer Science, Rice University, Tech. Rep.
TR01-384, June, 2002.
[7] Y. Hu, A. Perrig, and D. Johnson. Packet
workshop on Wireless security, pages 21–30,
2004.
[10] D. Liu, P. Ning, and W. Du. Attack-resistant location
estimation in sensor networks. Information
Processing in Sensor Networks, 2005. IPSN
2005. Fourth International Symposium on, pages
99–106, 2005.
[11] S. McCanne and S. Floyd. ns-2 Network Simulator.
Obtain via: http://www. isi. edu/nsnam/ns.
[12] J. Newsome, E. Shi, D. Song, and A. Perrig. The
sybil attack in sensor networks: analysis & defenses.
Proceedings of the third international
Leashes: A Defense against Wormhole Attacks
in Wireless Ad Hoc Networks. Proceedings of
INFOCOM, 2003, 2003.
[8] J. Kong, Z. Ji, W. Wang, M. Gerla, R. Bagrodia,
and B. Bhargava. Low-cost attacks against
packet delivery, localization and time synchronization
services in under-water sensor networks.
Proceedings of the 4th ACM workshop
on Wireless security, pages 87–96, 2005.
symposium on Information processing in sensor
networks, pages 259–268, 2004.
[13] P. Papadimitratos and Z. Haas. Secure routing
for mobile ad hoc networks. SCS Communication
Networks and Distributed Systems Modeling
and Simulation Conference (CNDS 2002),
2002.
[14] R. Poovendran and L. Lazos. A Graph Theoretic
Framework for Preventing the Wormhole Attack

in Wireless Ad Hoc Networks. ACM Wireless
Networks (WINET).
[15] M. Vieira, C. Coelho Jr, D. da Silva Jr, and
J. da Mata. Survey on wireless sensor network
devices. IEEE Emerging Technologies and Factory
Automation, pages 537–544, 2003.
[16] W. Wang and B. Bhargava. Visualization of
wormholes in sensor networks. Proceedings of
the 2004 ACM workshop on Wireless security,
pages 51–60, 2004.
[17] A. Wood and J. Stankovic. Denial of service
in sensor networks. Computer, 35(10):54–62,
2002.
[18] Y. Xu, J. Ford, and F. S. Makedon. A Variation
on Hop-counting for Geographic Routing.
Embedded Networked Sensors, 2006. EmNetS-
III. The third IEEE Workshop on, 2006.
[19] J. Zheng and et.al. 802.15.4 extension
to NS-2. Obtain via: http://wwwee.ccny.cuny.edu/zheng/pub.