A Novel Sybil Attack Detection Scheme Based on Edge Computing for Mobile IoT Environment

11/08/2019 ∙ by Zhengyu Wu, et al. ∙ 0

Internet of things (IoT) connects all items to the Internet through information-sensing devices to exchange information for intelligent identification and management. Sybil attack is a famous and crippling attack in IoT. Most of the previous methods of detecting Sybil attacks in IoT mainly focus on static IoT while there are very rare methods applicable to mobile IoT. In this paper, a novel, lightweight, and distributive detection scheme based on edge computing is proposed for detecting Sybil attacks in mobile IoT. In the proposed scheme, a detection consists of two rounds. In each round, member nodes are required to send packets to edge nodes. Edge nodes calculate a possible interval of the received signal strength indication (RSSI) from the first round and check whether the RSSI from the second round is in the interval to detect Sybil attack. Extensive experimental studies are included to show that the presented approach outperforms many existing approaches in terms of true detection and false detection rates. Moreover, experimental results show that the fault tolerance design in the proposed approach greatly enhances the detection scheme.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

A revolutionary idea, IoT, has changed all people’s routine life and plays an indispensable role in many commercial and scientific domains. IoT refers to a global network infrastructure composed of numerous connected devices that rely on sensory, communication, networking, and information processing technologies [tan2010future]. Applications of IoT include transportation, healthcare, industrial automation, and emergency response to natural and man-made disasters where human decision making is difficult [Whitmore2015]. IoT is so large-scale and costly that it needs distributed management. Edge computing provides an effective distributed management for IoT whose emergence further promises a bright future for IoT to build intelligent industrial systems and smart cities [da2014internet]

. In the early stage, IoT is composed of static sensor nodes. Wireless sensor nodes are statically distributed on a large-scale information gathering system, which provides significant data source for research and application of big data and artificial intelligence 

[chen2014big]. However, static nodes can no longer meet the increasing social demands of applications for mobility. The advancement of mobile communication technology significantly promotes the development of infrastructure and the applications of mobile devices.

Security issues are important and nonnegligible issues in IoT. A well-known malware called Mirai formed a botnet with IoT devices as an infection target, injecting about 500 thousand IoT devices. On October 21st, 2016, Mirai launched a Distributed Denial of Service (DDoS) attack on US DNS provider Dyn, destroying the popular streaming service Netflix, Twitter and Airbnb. Among cyber attacks in IoT, Sybil attack is one of the most famous and destructive attacks that affect network layers [douceur2002sybil]. Sybil attack is defined as a malicious device which takes on multiple fake identities. Since malicious nodes are able to gain legitimacy in a network, Sybil attack becomes an important auxiliary for other attacks. Sybil nodes may launch further denial of service attacks such as channel jamming attacks and message suppression attacks [parno2005challenges]. The routing of IoT may be damaged by a Sybil attack and many other problems may be caused such as data aggregation, voting and fair resource allocation [karlof2003secure].

Many researchers have realized the hazard of Sybil attacks in IoT and several countermeasures have been proposed to detect Sybil attacks including RSSI [demirbas2006rssi], neighboring information [ssu2009detecting], Time Difference Of Arrival (TDOA) [wen2008tdoa], Angle Of Arrival (AOA) [zhang2010aoa], random key pre-distribution and radio resource testing [newsome2004sybil]. However, most of these detection methods are designed based on node position or neighbour cooperation, which means these methods cannot directly be applied in mobile IoT due to the mobility of nodes. In the literature, a few methods have been proposed to detect Sybil attacks in mobile IoT. Piro et al. [piro2006detecting] introduced two methods called PASID and PASID-GD based on observer monitoring. These two methods occupy much memory overhead, which may affect the original functions of sensor nodes. Jamshidi et al. [jamshidi2017lightweight] presented a light-weight algorithm for detecting mobile Sybil nodes based on the movement behaviour of the nodes. This method is not stable and robust because of its heavy dependency on historical records.

To overcome the shortcomings of the methods in mobile IoT, we propose a novel Sybil attack detection scheme based on edge computing. Sybil attack detection needs storing and analysing quantities of feature data, which is difficult for normal member nodes. With strong computation ability and large storage space, edge nodes are suitable for our problem, which can collect, compute and analyse the status information of member nodes. Since the distance between an edge node and a member node is short, it enables edge nodes to directly manage member nodes and consequently the communication latency is reduced. Compared with cloud-based IoT systems, the distributed management of member nodes through the edge nodes further improves the scalability of IoT networks. In our approach, most of the data stored in sensor nodes will be cleared each time a detection is completed in order to eliminate the dependency on historical records. As to the accuracy issue, we select the RSSI values that are related to the distances between edge nodes and member nodes as the identifier to distinguish normal member nodes and malicious nodes. Specifically, RSSI values keep changing when member nodes move in mobile IoT. Therefore, figuring out the theoretical range of numerical fluctuations of RSSI is a vital part in this paper.

The contributions of this paper are summarized as follows.

  • A novel Sybil attack detection scheme is designed for mobile IoT. The information of member nodes including RSSI is utilized to form a distinctive identifier of different member nodes, which can be further analyzed to detect malicious nodes. The feature of the fluctuation of RSSI value when member nodes move is studied in this paper, and the theoretical range of RSSI during a period of time is given. The proposed detection scheme performs well in detection accuracy, which is verified with experimental studies.

  • Edge computing is applied to reduce memory overhead and computation overhead of member nodes. Due to the limited storage space, memory and electricity power, it is not supposed to make member nodes take on too much responsibility in the detection as it may affect their original function. Edge nodes which have better property without other tasks bear the responsibility for computing in the detection process. Independence from historical data makes our method outperform other detection solutions in memory overhead.

  • A fault tolerance algorithm is proposed to enhance the robustness of Sybil attack detection. Edge nodes probably fail due to a harsh natural environment or human behavior. As a result, the ongoing detection is likely to make mistakes. The basic idea in our fault tolerance algorithm is that each edge node has a substitute with which it shares all the received information by applying heart beat technology. Experiments verify that proposed algorithm remarkably eliminates the consequence cased by the failure of edge nodes.

The rest of this paper is organized as follows. In Section 2, related work is reviewed. In Section 3, basic models are discussed. In Section 4, our proposed detection scheme is described in detail. Section 5 introduces our augmented design for fault tolerance. Section 6 presents simulation results. Finally, Section 7 concludes this paper.

2 Related Work

In this section, we introduce several typical approaches to detecting Sybil attacks in static IoT. We also present some detection methods in mobile IoT along with the drawbacks of these methods.

2.1 Methods in static IoT

The Sybil attack problem was first introduced by [douceur2002sybil] for peer-to-peer distributed systems. Work [karlof2003secure] proved that a Sybil attack is likely to affect the routing protocol in a wireless sensor network (WSN). Several methods were proposed in [newsome2004sybil] to defend against Sybil attacks, including Radio Resource Test (RRT), Code Attestation (CA), Random Key Pre-distribution (RKP), Identity Registration (IR), and Position Verification (PV). Some other methods focus on the information of nodes such as location, distance and angel. The TDOA-based mechanism [wen2008tdoa] associates the TDOA ratio with the sender’s identity. Once there are two different identities with the same TDOA ratio, a Sybil attack is detected. In [shao2014efficient], an AOA based algorithm is proposed by taking advantage of the fact that the multi-identities created by a malicious node have the same physical position. A beacon node identifies Sybil identities with signal phase difference below a trusted threshold for adjacent sensor nodes. An RSSI based algorithm is introduced in [zhong2004privacy]

to estimate the location of each node. As all Sybil nodes belong to a single malicious node, their values of RSSI are the same. Jakes channel model is used in the RSSI-based method. Work 

[demirbas2006rssi] also used this mechanism by employing four detector nodes to pinpoint sensor nodes in the environment. A new detection method is proposed in [wang2007sybil] based on both RSSI and the status messages of member nodes which are accumulated in head nodes synthetically. However, all the methods discussed above are designed for Sybil attack detection in static IoT rather than mobile IoT.

2.2 Methods in mobile IoT

In [piro2006detecting, jamshidi2017lightweight, jamshidi2018sybil, gandino2017key, 10.1007/978-3-642-31513-8_36, muraleedharan2008prediction, sharmila2012detection, Reddy2017SybilAD, yao2018multi, garip2017interloc], algorithms are proposed to detect Sybil attacks in mobile IoT. Work [piro2006detecting] proposed two Sybil attack detection methods called PASID and PASID-GD based on observer monitoring. In PASID and PASID-GD, individual nodes monitor all transmissions that they receive over many time intervals. They analyze the data to find the suspicious nodes which often appear together and rarely apart. These two methods are short of memory overhead because a large quantity of data needs to be stored. If the detection process used too much memory overhead of a node, it might influence the normal function of the node. In [jamshidi2017lightweight] and [jamshidi2018sybil], two algorithms are proposed proposed two algorithms for detecting mobile Sybil nodes. Work [jamshidi2017lightweight] uses Watchdog Nodes first to label nodes based on their movement behaviors, and then detects Sybil nodes according to these labels. In [jamshidi2018sybil]

, observer nodes store the occurrences of other nodes in a vector called history. The two algorithms rely on historical records, thus they are unreliable over long time. In 

[10.1007/978-3-642-31513-8_36], a centralized method based on geographic location is proposed for detecting Sybil attack in mobile sensor networks including three phases of clustering, selecting nodes nearby Sybil nodes, and routing procedures. Obviously, the method is not proper. In [muraleedharan2008prediction], another centralized algorithm is proposed based on nodes’ registration in a base station, which has scalability issue. Work [sharmila2012detection] proposed an algorithm using watchdog nodes, which suffers from high communication overhead and high power consumption. In [Reddy2017SybilAD, yao2018multi, garip2017interloc], three Sybil attack detection techniques in vehicular ad hoc networks (VANET) are proposed. These three methods apply to VANET cooperating with Road Side Units (RSU) and VANET server, which are not applicable to a more general context.

3 Problem Statement and System Model

In this section, the problem considered in this paper is presented. Necessary notations and models are given for later discussion of our Sybil attack detection algorithm.

a normal member node or a malicious node
the -th edge node
the set of all nodes
normal nodes set
malicious nodes set
edge nodes set
distance between node and edge node
RSSI value from to in the -th round, =1, 2
the ratio got in the -th round, =1, 2
the speed of
Table 1: Notations for problem statement

3.1 Problem Statement

As shown in Figure 1, there are several normal nodes and malicious nodes distributed in an area, which form a one-hop wireless network111In this paper, a packet transfer between an edge node and a member node finishes within one hop.. These nodes gather information and compute to accomplish some specific assignments such as monitoring the environment. All these nodes are mobile within this area. Besides, there are several high-energy nodes served as edge nodes. All the edge nodes are less mobile. It is assumed that each node knows its own position exactly by using GPS or the algorithm in [savvides2001dynamic]. Each node has the ability to adjust its transmission power to reach a far distant node [akkaya2005survey].

Figure 1: Schematic diagram of Sybil attack

Edge nodes are linked with each other and sensor nodes may communicate with edge nodes. The topology of the linked nodes is determined by the communication pattern of the nodes. For the convenience of problem statement, we view and treat all nodes as a graph. A set of linked nodes is denoted by a graph , , , , . Here, represents the set of all nodes, and , , represent the normal node set, the malicious node set and the edge node set, respectively. is the number of nodes in . The notations adopted in this paper are summarized in Table 1.

An adversary captures a number of normal nodes and reprograms them as malicious ones, such that each malicious node forges many Sybil nodes. A Sybil node can influence not only its neighbours but also the other nodes, and it could even perish the whole network. Sybil attack detection aims to kick out those malicious nodes without disturbing the normal operation of the networks. True positive rate (TPR) and false negative rate (FNR) are significant indices of evaluating a detection method. TPR is the percentage of normal nodes classified as normal nodes, while FNR is the percentage of normal nodes mistaken as Sybil nodes. It is a typical trade-off problem. Due to the limitation of energy and computing capacity, approaches to this problem are supposed to be concerned about energy consumption, memory overhead and computation overhead of sensor nodes.

3.2 Network space channel model

In this paper, we adopt the Jakes model as network space channel model. Communications between nodes are related with network space channel model. Jakes model is mostly used in wireless communication [jakes1994microwave, lo1991adaptive]. William Jakes found that Rayleigh fading process could be described by the sum of a series of complex sinusoid signals [li2002simulation]. This finding turned out to be a technology of simulating fading mobile wireless channel. In Jakes model, RSSI between and is defined as


Here, is the transmitted power, is a constant, and is the Euclidean distance between and , which is determined by


is distance-power descending ramp which depends on the deployed environment. According to [burbank2011introduction], the principle of choosing is as follows: = 2 for free space; [1.6, 1.8] for buildings with line of sight connection; and [2.7, 3.5] for urban area. In Jakes channel space, the signal strength is the function of the distance between two nodes which communicate with each other. RSSI plays a significant role in our scheme because RSSI is only related to the sending-receiving distance between two nodes. Our scheme is based on this characteristic of RSSI.

3.3 Mobility model

Since edge nodes are less mobile compared with member nodes, we assume that edge nodes keep static in a quite short time interval. In reality, laptops can served as edge nodes and cellphones can served as member nodes. To verify the correctness of our algorithm, we adopt way-point model as the mobility model in our paper.

4 Detection scheme of Sybil attack in a mobile environment

In this section, we provide a detailed explanation of our proposed scheme. Our detection process consists of two rounds. In the first and the second round, edge nodes collect certain information from member nodes. In the judgment stage, edge nodes analyze the information and decide the classification of member nodes.

4.1 Description of the detection scheme

In the first round at time , each member node is required to send a control packet to two closest edge nodes, e.g., and . The control packet includes the identity of and the identity of another closest edge node. Upon receiving the control packet, and respectively calculate the values of and using Eq. (1). Simultaneously, the control packet to which is appended is sent from to . Define the ratio between and in the -th round as


Upon receiving the control packet from , calculates the ratio by Eq. (3). At the same time, figures out interval which shows the theoretical interval of feasible value.

In the second round at time , edge nodes launch the requirement again. Therefore, all member nodes, including normal nodes and malicious nodes, repeat the procedure again. calculates the real ratio by Eq. (3). Note that as moves, the value of does not equal to .

Figure 2: Flow chart of the proposed algorithm

In the judgement stage, compares identities claimed in the two batches of control packages from the above two rounds to check whether they have the same ids. We classify possible scenarios when judging the identities of several nodes. The possible scenarios are classified into three cases as follows. Let and represent the sets of the identities in the packets gathered in the first round and in the second round respectively. We give the following example to illustrate the three scenarios.

  • = {1, 2, 3, 4}   = {1, 2, 3, 4}
    The four nodes are all normal nodes. Each node has the same id in both and and each node is judged as a normal node.

  • = {1, 2, 3, 4}   = {1, 2, 3, 5}
    The first three nodes are normal nodes and the last one is a Sybil node. The first three nodes has the same id in both and while the fourth node changed its id from 4 to 5.

  • = {1, 2, 3, 4}   = {1, 2, 3, 5}
    The first two nodes are normal nodes and the last two nodes are Sybil nodes. Id 3 in and id 5 in are for the same node while id 4 in and id 3 in are for the same node.

There should be a large number of pairwise ids that are the same since the number of malicious nodes is relatively smaller than that of normal nodes. This means that nodes with several different ids from two batches are likely to be Sybil nodes. Figure 2 shows how a single node’s identity is judged as Sybil or normal in the detection. One possibility is that a Sybil node claims an id at time , and claims another different id at time . In this situation, which is calculated using Eq. (3) is supposed to belong to interval in theory because it is actually the same node. Therefore, this node is judged as a Sybil node when belongs to interval . Otherwise, it needs base station to further check whether it is a new member. In the case that an id in the first batch and another in the second batch are the same while does not belong to interval , it is classified as a Sybil node.

4.2 Discussion of Interval

Interval is a critical important parameter in our detection process. It refers to a precise range between which the value of should be in during the detection process on a normal occasion. The strict mathematical verification is shown as follows.

Our detection method can be extracted as a mathematical model as shown in Figure 3. In this two-dimension rectangular coordinate system, point represents a member node . Points and represent edge nodes and respectively. and are static while point moves. All their positions at time are marked in the figure. The circle with a radius centered on point represents a possible scope where may move between time and , labeled as .

Figure 3: Mathematical model for explaining the detection process

The circle centered in point in Figure 3 represents an apollonian circle, labeled as . According to Eq. (3), to figure out interval we just need to work out the range of . changes as point moves in the circle with a radius . We denote


We assume the position of point in motion as (x, y). Now we just need to figure out the range of . For every positive number , there exists an apollonian circle because points and are fixed while point moves. Apollonian circle refers to the trace of a point which has a specified ratio of distances to two fixed points known as foci. We have the orbit


Point has to move in the scope of circle . Meanwhile, point ’s trace is apollonian circle . For a fixed positive number , point only moves in the arc of apollonian circle in the scope of circle .

Considering the symmetry of and , we assume that the length of is greater than that of , which means 1. Eq. (5) shows that the center of apollonian circle is on the axis. We find that the radius of apollonian circle decreases as increases and the length between the two intersections of apollonian circle and axis decreases as increases. It means that apollonian circle shrinks and it is wrapped by previous apollonian circles completely as increases. Therefore, reaches the maximum value when circles and are tangent, as shown by the red circle centered in point in Figure 3.

For simplification, we let


When circle and circle are tangent, reaches the minimum value and we get


Eq. (8) can be expressed as


From Eq. (9), we can derive the following properties


Then we get the minimum value of and the maximum value of as


Consider the case that 1, the length of is less than that of . has the minimum value when reaches the maximum value. The maximum value of equals to using Eq. (15). Therefore, the minimum value of is


Finally we have the interval as

1:  for <i in [1,n]> do
2:     for <j in [1,m]> do
3:        Calculate Euclidean distance d between and using Eq. (2)
4:        Find out two edge nodes which is nearest, i.e., and
5:     end for
6:     At time
7:      sends a control package to to respectively
8:      calculates R using Eq. (1)
9:      calculates R using Eq. (1)
10:      send a package including R to
11:      calculates using Eq. (3)
12:     At time , repeat line 7-10
13:      calculates using Eq. (3)
14:      calculates interval using Eq. (17)
15:     while not all packages have been handled do
16:        if  received two same ids then
17:           if  in  then
18:              Return normal node
19:           else
20:              Return Sybil node
21:           end if
22:        else
23:           if  in  then
24:              Return Sybil node
25:           else
26:              Return normal node
27:           end if
28:        end if
29:     end while
30:  end for
Algorithm 1 Sybil attack detection algorithm

5 Augmented design for fault tolerance

In addition to the accuracy, the stability of the scheme is a key issue. Our detection scheme is based on the premise that all edge nodes are safe and can work steadily all over the time. Some edge nodes may fail during the detection process due to power failure or unexpected interference. To enhance the robustness and stability of our scheme, we add an augmented design for fault tolerance.

To ensure all edge nodes are safe and legitimate, edge nodes that are responsible for detecting Sybil nodes are chosen and set ahead of the detection. Given a complex natural environment, it is possible for these edge nodes to fail and lose efficacy during the detection process. As a result, work that should have done by the invalid edge nodes is undertaken by the rest of the edge nodes. Furthermore, the efficiency and the TPR of the detection system will decrease. One or more Sybil nodes even may sneak through the detection process.

Our solution is to prepare a substitute for each edge node. Each original edge node is supposed to have a substitute edge node. The substitute is set at a fixed place nearby its original edge node. Each substitute uses heartbeat technique to check whether the original edge node is dead. Only when an original edge node fails, its substitute replaces it to work.

Figure 4: Diagram of fault tolerance algorithm

Figure 4 gives the diagram of fault tolerance algorithm for a wireless sensor network. Point denotes a node point while and denote edge nodes. has a substitute, denoted by , with which always shares all the received information timely. In the first round of a detection process, sends a packet to and respectively. According to the nature of the radio wave, can also calculate the distance away from and records the distance. After a time interval, moves to another place (, ) within a certain circle, denoted by

. At this moment,

loses effect for some reason such as charge failure before the beginning of the second round in this detection process. applies the heartbeat technique finding dead and replaces at the same time. informs and that the original edge node is replaced immediately. In the second round of the detection process, and communicate with instead of and finish this round of detection, as shown as the dotted lines in Figure 4.

Our fault tolerance algorithm is shown in Algorithm 2. If no edge nodes die in the detection process, we perform Algorithm 1 as normal. If there are edge nodes dead found by their substitutes, we immediately abort this round of detection. Then we clear the dead edge nodes and replace them with their substitutes. Finally we perform Algorithm 1 as usual. The fault tolerance algorithm is quite easy to understand and it indeed improves the performance in the experiments that we carry out in the next section.

1:  if no edge nodes die then
2:     Perform Algorithm 1
3:  else
4:     Return normal node
5:     Abort this round
6:     Clear dead edge nodes
7:     Perform Algorithm 1
8:  end if
Algorithm 2 Fault-tolerant algorithm

6 Performance evaluation and simulation results

In this section, we first evaluate the overhead of our proposed algorithm in terms of memory, communication and computation. Then we test our proposed algorithm and evaluate its performance through experiments.

6.1 Performance evaluation

Memory overhead of our method is analyzed as follows. In the first round of our detection process, each node sends a control packet to two different edge nodes. The second round repeats this step. Each edge node needs to allocate part of its memory to store all information in all the received control packets from the two rounds. After these two rounds, each edge node clears all the information stored in this part of memory because the next rounds have nothing to do with this information. Thus, no matter how many rounds there are in total, each edge node only needs to allocate memory for two rounds. After p rounds, the memory overhead of all edge nodes is 4 bits, where is the number of all nodes including normal nodes and Sybil nodes, and is the size of each packet in terms of bit. Therefore, the imposed memory overhead for each edge node equals , where is the number of edge nodes. Accordingly, if increases, the imposed memory overhead for each edge node decreases. There is no memory overhead for each node including normal nodes and Sybil nodes. In general, little memory overhead is generated in our algorithm.

Communication overhead of our method is also evaluated. Energy consumption of a detection method in IoT is a big issue due to the limitation of sensor nodes’ energy. For a sensor node, sending and receiving packets consume much more energy than other operations such as computation. The number of transmitted packets imposed during the detection process is considered in our algorithm. In each detection process, all nodes send packets 4 times in total and edge nodes send 2 packets in total. After rounds, the number of transmitted packets is . From the perspective of reception, energy consumed when receiving a packet is proportional to the packet size. Communication overhead depends on the number of all nodes and the number of rounds performed.

Computation overhead has influence on the performance of our method. Since only edge nodes need to compute, there is no node which suffers from computation overhead. Computation is executed to process information in packets from two rounds and to judge whether the identity of a node is fake. Time complexity for performing our algorithm in a detection process is , where is the number of steps on judging the identity of a node, and it can be viewed as a constant value. After rounds, the computation overhead for each edge node equals . Accordingly, if increases, the computation overhead for each edge node decreases.

6.2 Experiment results

A series of experiments are carried out in this section to evaluate the performance of our algorithm. We simulate the detecting process with C++ language. Two metrics including TPR and FNR are considered in our experiments.

Several parameters effected our experiment results, such as the number of normal nodes and monitoring rounds. All the parameters are shown in Table 4. Therefore, we evaluated these effects independently in five experiments. In the five experiments, the network is comprised of normal nodes and Sybil nodes randomly distributed in a 100 x 100 area. edge nodes are set at some certain places in this sensing field. Each Sybil node can forge multiple identities as many as the number of normal nodes. Radio range covers the whole area where nodes and edge nodes can communicate with each other directly. Each experiment result was repeated 50 times to obtain an average value as the final value.

Parameters Values
Network size 100 100
Number of normal nodes = 100, 200, 300, 400, 500
Number of edge nodes = 2, 4, 8
Number of Sybil nodes = 5, 10, 15, 20
Number of monitoring rounds = 20, 40, 60, 80, 100
Speed of a member node [0, 0.5]
Communication range between member nodes [0, 50]
Table 2: Experimental parameters

In the first experiment, we study the effect of the number of normal nodes on both the TPR and the FNR. Here the parameters are = 20, = 4. The parameter varies from 100 to 500 by the increment step of 100. The influence of executive rounds is also studied. The parameter varies from 20 to 100 by the increment step of 20. The results of the first experiment is as shown in Figure 5. The first experiment demonstrates that as the number of normal nodes increases, the TPR still remains at a high level. After several rounds, the TPR still exceeds 92%. As it was discussed before, edge nodes will have recourse to the base station if there are id collisions found in the first round of a detection. Base station can truly check the identity of a node which is an effective item for the TPR. In our algorithm, belonging to interval I is an essential hypothesis for a node to be judged as a normal node. Therefore, the TPR is very high. Results also show that the number of normal nodes have a significant effect on the FNR. As the number of normal nodes increases, the FNR decreases a little. When normal nodes is few in the network, mistaking a node as a Sybil node increases the FNR dramatically.

Moreover, performance of the proposed algorithm is compared with other latest algorithms in terms of TPR. As demonstrated in Table 3, TPR in the algorithms proposed by Jamshidi et al. [jamshidi2018sybil] and Gandino et al. [gandino2017key] is approximately 99%. In the algorithms proposed by Jamshidi et al. [jamshidi2017lightweight], TPR is about 94%. TPR in the algorithms proposed by [yao2018multi] and [garip2017interloc] is 90% and 87% respectively. Some algorithms outperform the proposed algorithm, whereas the proposed algorithm has lower memory overhead, communication overhead, and computation overhead. Therefore, the results verify the desired performance of the proposed algorithm.

Algorithm TPR
Jamshidi et al. [jamshidi2017lightweight] 94%
Jamshidi et al. [jamshidi2018sybil] 99%
Yao et al. [yao2018multi] 90%
Garip et al. [garip2017interloc] 87%
Proposed algorithm 92%
Table 3: Comparison of performance of the proposed algorithm and other latest algorithms in terms of TPR
Figure 5: Effects of the number of normal nodes N on detection performance
Figure 6: Effects of the number of Sybil nodes S on detection performance

In the second experiment, we study the effect of the number of Sybil nodes on both the TPR and the FNR. Here the parameters are = 100, = 4. The parameter varies from 5 to 20 by the increment step of 5. The influence of executive rounds is also studied. The parameter varies from 20 to 100 by the increment step of 20. Results from the second experiment is similar to that of the first experiment. As the number of Sybil nodes increases, the TPR still remains a high level and the FNR decreases accordingly. The results of this experiment is visualized in Figure 6.

In the third experiment, we study the effect of the number of edge nodes on both the TPR and the FNR. Here the parameters are = 100, = 20. The parameter takes three values, which are 2, 4, 8. The influence of executive rounds is also studied. The parameter R varies from 20 to 100 by the increment step of 20. As illustrated in Figure 7, results are very similar when equals to 4 or 8. Performance is a little bit worse when equals to 2. One explanation is that all packets are processed only by the two edge nodes, which may cause errors.

Figure 7: Effects of the number of edge nodes C on detection performance

6.3 Fault-tolerant experiments

Figure 8: Fault tolerance experiment with 8 edge nodes

In the fourth and fifth experiments, we study the performance of our fault-tolerant design. In the fourth experiment, parameters are = 100, = 20. The parameter is set as 8. The influence of executive rounds is also studied. The parameter varies from 20 to 100 by the increment step of 20. During this experiment, some of the edge nodes died and their substitutes replaced them to continue the detection process. The performance of our algorithm is satisfying on both the TPR and the FNR. This experiment demonstrates that the whole system works well even if some of the edge nodes died. The polylines of this experiment as shown in Figure 8 are very similar to some polylines in Figure 7 in that parameter is proved to have little effect on the experiment results unless is less than 4.

Figure 9: Fault tolerance experiment with 4 edge nodes

In the fifth experiment, parameters are = 100, = 20. The parameter is set as 4. The influence of executive rounds is also studied. The parameter varies from 20 to 100 by the increment step of 20. During this experiment, some of the edge nodes died and their substitutes replaced them to continue the detection process. The result of the fifth experiment is a little different from that of the fourth experiment. The false negative rate as shown in Figure 9 decreases firstly and then increases. Reasonable explanation for this result is that the number of edge nodes is cut down to 2, which affects the FNR of the experiment. The third experiment has proved this conclusion.

6.4 Summary of the experiments

Our proposed algorithm achieves more than 90% TPR and less than 10% FNR. Some conclusions in terms of parameters in the experiments are summarized as follows.

Parameter True positive rate False negative rate
Table 4: Summary of experimental results
  • Decreasing the number of normal nodes decreases the FNR and has nearly no influence on the TPR.

  • Increasing the number of Sybil nodes decreases the FNR and has nearly no influence on the TPR.

  • Increasing the number of edge nodes has nearly no influence on the TPR when the number of edge nodes is greater than 2. But it affects the performance significantly when the number of the edge nodes equals to 2.

  • Fault tolerance design for edge nodes works well when the number of edge nodes is less than 4.

7 Conclusion

In this paper, we have proposed a novel light-weight approach based on edge computing for detecting Sybil nodes in mobile IoT. Edge nodes are utilized to collect, compute, analyze and store feature data of member nodes to detect possible Sybil attack. A significant contribution of this paper is that we have figured out the feasible fluctuation interval of member nodes’ feature data through strict mathematical verification. Moreover, we have designed a fault-tolerant algorithm to adapt a severe environment. In theory, our algorithm has little memory overhead, communication overhead, and computation overhead. Experimental results indicate that our algorithm performs well in mobile IoT. One drawback of our algorithm is that the FNR of our method is a little susceptible, which can be resolved in future work by improving the algorithm.