Analytical Model for Sybil Attack Phases in Internet of Things

The sybil attack in Internet of Things (IoT) commonly aims the sensing domain that may impose serious threat to the devices both in perception and communication layer. The singularity of the sybil attack is a sybil node that publish multiple identities of legitimate devices. It is highly essential to learn the behavior and predict possible actions of a sybil attacker while devising a defense mechanism for it. This paper provides a comprehensive characteristic analysis of sybil attack in IoT. Based on the nature of the task performed during this attack, it is classified into three phases as compromise, deployment, and launching phase. The compromise phase is modeled as an automaton with attacker state transition as a Markov chain model. A heuristic is also proposed for selection criteria of an attacker to compromise a node. In the deployment phase of the attack, an algorithm based on K-mean clustering is proposed to group compromised identities and deploy the sybil node for corresponding identities without violating the set of adjacent nodes. In the launching phase, the process of replacing sybil identities either over time or on detection is modeled using age replacement policy. The results depict that the proposed model effectively visualize the behavior of a sybil attacker in challenging environments of IoT.