1 Introduction

As the global environment deteriorates, the smart grid has developed at a high speed. AMI is an important part of the smart grid, it needs to realize the functions of measurement, acquisition, storage, analysis and control of power consumption information[1]. Due to the wide distribution and complex structure of AMI system equipment, WSNs are widely used to realize data transmission[2, 3]. The AMI system communication system is huge and data sensitive, making the data transmission of WSNs more vulnerable[4]. Attacks can be classified into external node attacks and internal node attacks based on the source of the attack. At present, a large number of scholars conduct in-depth, meticulous and comprehensive research on internal node attacks[5, 6], but external node attacks often adopt passive authentication such as identity authentication and encryption. They did not detect external node attacks. Due to the structure and function of the AMI system, there are often problems such as stealing electricity, malicious interference, and falsifying data. If only passive defense is used, the security state of the node cannot be known[7].

This paper proposes an external node intrusion detection scheme based on trust management mechanism for the cluster-tree wireless sensor network applied in AMI system. In this scheme, the digital signature and message authentication have been used to identify the abnormal message in the communication process. According to the number of communication messages normal-abnormal statistics, the Beta distribution theory is used for calculating the node trust value[8]. In order to make the trust value accurately express the security status of the node, this paper improve the node trust value calculation method to make node trust value changes steady, conform the change trend of the trust value and consider regular abnormal communication in the communication process. In this paper, the over-limit detection method and fast update of trust value is used to judge whether the node has been invaded by the size of the trust value[9, 10].

2 Abnormal Message Recognition Method 2.1 Abnormal Message Recognition Method Based on Digital Signature and Authentication Technology

In order to detect the attack from the external node effectively, this paper adopts Elliptic Curve Cryptography (ECC) combined with digital signature technology and message authentication technology. Through the combination and reasonable application of technologies above-mentioned, it realizes the effective recognition function of abnormal messages and ensures the security of the communication system. The specific algorithm implementation process is as follows:

(1) After the communication parties exchange the public keys with each other, the data sender encrypts the random key sequence K using the ECC algorithm, so that the random key K can be sent to the message receiver via the public channel in the form of ciphertext K′. Both sides of the communication have got a the key;

(2) Using the random key sequence K as the key for calculating the message digest, a message digest is calculated by using a Hash-based Message Authentication Code (HMAC);

(3) Sign the message digest based on the improved Elliptic Curve Digital Signature Algorithm (ECDSA) and construct an abnormal message identification code C′ which is appended to the message and sent to the receiver of the message along with the message;

(4) After receiving the message, the receiver reconstructs the abnormal message identification code C″ according to the content of the message and the random key sequence K. It is detected whether the message is an abnormal message by judging whether C′ and C″ are equal. If C′ is the same as C″, it is a normal message; if C′ and C″ are different, it is an illegal message. The entire process flow is shown in Fig. 1.

2.2 Key Generation and Distribution

E is an elliptic curve defined on Fq, G is a basic point on the elliptic curve, n is the step of G, h is the cofactor of #E(Fq)/n, a, b ∈ Fq. Select a random number d, d ∈ [1, n-1], calculate Q = dG. (d, Q) is a key pair, where d is the private key and Q is the public key. To ensure the security of the ECC, the initial key applied in this paper is calculated on other machine and stored in the device in advance.

When the key is updated, apply the above method to calculate private key d' and public key Q'. The device itself retains the private key d', and uses the public key of the receiver to perform ECC encryption on its public key Q' and send a receiver.

The ECC algorithm in this paper is mainly responsible for the transmission of random key sequences K and digital signature technology. The random key K uses a generation principle of a stream cipher key and a software method to generate a pseudo random number sequence. It is used as the key of the HMAC algorithm to obtain the abnormal message identification code, which is used to determine the normal or abnormal situation of the message.

3 Node Trust Value Calculation

In trust management, the Beta distribution has simple, flexible and excellent statistical capabilities, which is suitable for the calculation of node trust values in the WSNs system.

The expected value of the Beta distribution function can be expressed by (1).

$ E\left( p \right) = \frac{\alpha }{{\alpha + \beta }} $

(1)

In the middle, the parameters α and β can be calculated by α = s+ 1, β = l+ 1, where s and l respectively represent statistical records of cooperation and non-cooperation for an event. The expected value can represent the trust value of the evaluated entity for the event[11].

This paper applies the expected value of the Beta distribution theory to calculate the trust value. Statistics on the normal or abnormal of communication messages between nodes in the WSNs system in Δt time. S_ij is used to indicate the number of normal messages of communication nodes i and j, while L_ij is used to indicate the number of abnormal messages in the time period. Equation (1) is available as follow:

$ T{R_{ij}}\left( {\Delta t} \right) = \frac{{{S_{ij}}\left( {\Delta t} \right) + 1}}{{{S_{ij}}\left( {\Delta t} \right) + {L_{ij}}\left( {\Delta t} \right) + 2}} $

(2)

3.1 Improved of Trust Value Calculation Scheme

In the calculation method of the existing Beta distribution theory, there are many problems such as the rapid change fast of the trust value of the node, do not consider the change trend of the trust value and analyze the abnormal communication behavior during the communication process. This paper introduces historical trust value to weaken the dramatic change of trust value. Analyze the behavior of abnormal communication, this paper introduces a penalty factor, which makes it better to represent the node state[12]. In practice, the nearer the communication situation is, the better the current communication status of the node will be, and the influence of the previous communication situation will become smaller with time. In this paper, we use the method of weighted message sequence to calculate the trust value in Δt time. Assume that the total number of communication messages in time Δt is N. The sequence of messages is W_N(Δt) = {M₁(M'₁), M₂(M'₂), M₃(M'₃), ..., M_N(M'_N)}, where M_N is the normal communication message and M'_N is the abnormal communication message. Then the corresponding monotonically increasing sequence ρ is ρ = { ρ₁, ρ₂, ..., ρ_N}, and ρ₁ + ρ₂ + ··· + ρ_N = N.

To solve the above problems, the improved formula for calculating trust value is shown in formula (3).

$ TR_{ij}^{\rm{*}}\left( {\Delta t} \right) = \left( {1 - \delta } \right)T{R_{ij}}\left( {\Delta t} \right) + \delta TR_{ij}^{\rm{*}}\left( {\Delta t - 1} \right) $

(3)

In formula, TR_ij^* (Δt) is the trust value updated in the time Δt. δTR_ij^*(Δt - 1) is the trust value updated in the last time Δt. δ is a time attenuation factor, which indicates the influence of the updated trust value in the previous period on the updated trust value.

$ T{R_{ij}}\left( {\Delta t} \right) = \frac{{S{'_{ij}}\left( {\Delta t} \right) + 1}}{{S{'_{ij}}\left( {\Delta t} \right) + L{'_{ij}}\left( {\Delta t} \right) + 2}}f\left( {N, x} \right) $

(4)

In formula (4), S'_ij(Δt) is the number of normal messages and L'_ij(Δt) is the number of abnormal messages. The two methods of calculation are as follows:

$ \left\{ \begin{array}{l} S{'_{ij}}\left( {\Delta t} \right) = \sum\limits_{n = 1}^N {{M_n}{\rho _n}} \\ L{'_{ij}}\left( {\Delta t} \right) = \sum\limits_{n = 1}^N {M{'_n}{\rho _n}} \end{array} \right. $

(5)

In formula (4), f (N, x) is the regulating function of abnormal behavior in trust value calculation and the result is used as the adjustment coefficient of abnormal behavior which stands for the severity of abnormal behavior. The smaller the result is, the more serious the communication abnormal behavior is, and the smaller the updated trust value is. The method of calculation is:

$ f\left( {N, x} \right) = \omega {\log _N}\left( {N - x} \right) $

(6)

In formula (6), N—The total number of communications in time Δt.

x—The total number of continuous abnormal communication in time Δt.

ω—Repeat factor. It indicates that the number of the normal and abnormal communication messages are converted during the time Δt. 0 < ω < 1.

When the number of positive-abnormal alternations in Δt time is greater than the preset threshold, the magnitude of the value decreases as the number of positive-abnormal alternations increases.

4 Intrusion Judgment Based on Fast Update of Trust Value

In order to enable this method to be applied in resource-constrained embedded systems, this paper uses conventional cross-limit detection method and fast update method of trust value to carry out intrusion detection. The communication message sequence is constructed. Then a window is added to the communication message sequence of the nodes. The window slides after each communication. The trust value is calculated in the window after each communication. This process is shown in Fig. 2. Assuming that the current communication message of the node is m_N and the communication messages of the node in a window, which width is W_j(N). It can be expressed as:

$ {W_j}\left( N \right) = \left\{ {{m_1}, {m_2}, {m_3}, ..., {m_N}} \right\} $

(7)

5 Algorithm Performance Analysis and Simulation 5.1 Algorithm Performance Analysis

Abnormal message recognition is critical factors of this scheme. Whether this method can reliably identify abnormal message or not is the key to the whole detection scheme. In this paper, digital signature and message authentication are used to effectively distinguish between normal and abnormal messages.

Beta distribution algorithm is not only simple and easy to implement, but also mature and reliable technology. Therefore, it is suitable for the trust value calculation of resource-constrained WSNs. Based on the original Beta distribution theory, this paper improves the calculation of trust value, so that the trust value can express the security status of nodes and then make the method of using trust value to judge intrusion more accurately[13].

5.2 Simulation

In this paper, OPNET14.5 network simulation software is used as the simulation tool. The intelligent power community is taken as an example to build a tree network simulation model[14, 15]. There is two units and one data concentrator in a building which have 6 floors and 3 households on each floor in the community. Each floor has one sink node. Set the node to transmit data every 6 s and use the real-time update of the trust value to detect the intrusion. Bluetooth communication and Wifi communication are used as common environmental interferences. The simulation models and parameters are shown in Fig. 3 and Table 1.

5.2.1 Comparison of Communication Trust Values Between Normal Communication and Abnormal Communication

The change in the trust value of the normal communication and abnormal communication is shown in Fig. 4. It can be seen from the figure that the trust value of the normal node is greater than 0.9 and the trust value of the attacked node changes with the severity of the attack behavior. The more serious the behavior, the lower the trust value.

5.2.2 Performance Comparison of Detection Methods

This paper analyzes the detection rate and false detection rate of the intrusion detection method. The detection rate refers to the ratio of the external node attack to the total attack node when there are external node attacks. The false detection rate refers to the proportion of the detected nodes to the total attack nodes. The detection method in this paper shows that it is related to the detection threshold and the attack time interval of external nodes. As can be seen from Fig. 4, the trust value of normal nodes is greater than 0.9, and when there is an abnormal behavior, the trust value is about 0.79. The probability of anomalies caused by environmental impact is small, random and not appear continuously while the anomalies generated by external node attacks are more frequent. Therefore, in order to eliminate the influence of environmental factors, the trust threshold should be lower than 0.79 and higher than 0.7. In order to make the method more real-time and differentiable, this paper sets the threshold to 0.78. In simulation, this paper introduces Bluetooth communication device and Wifi device to interfere with detection. Then the detection rate and false detection rate of the improved method and the pre-improved method are shown in Figs. 5 and 6 with the change of attack time interval of external nodes.

As can be seen from Figs. 5 and 6, with the extension of the attack time interval, the detection rate decreases and the false detection rate increases before and after the improvement of the method, but the detection rate and false detection rate of the scheme in this paper are better than the results before the improvement. When the attack time interval is very large, the attack behavior is not obvious at this time. This method can not quickly and effectively judge whether the node is invaded or not.

6 Conclusion

This paper proposes an intrusion detection scheme for external nodes based on trust management mechanism for hierarchical cluster WSNs applied in AMI system. The scheme has the advantages of simple calculation and easy embedded implementation. Its characteristics are as follows. Firstly, it combines digital signature and message authentication technology to identify and count abnormal messages in the communication process, which makes the calculation of trust value more suitable for embedded devices. Secondly, it improves the existing problems in trust value calculation, so that the trust value can more accurately represent the security status of the node. Lastly, it uses fast update of trust value to calculate trust value and intrusion detection, which improves the real-time performance of detection. Follow-up work can identify the network traffic changes and the data content transmitted for the external nodes attack, and then improve the detection scheme, so that it has better detection effect and larger application space. This scheme can be combined with other detection methods to improve the performance of other detection methods.