Energy Saving by Centralized Sleep in Early Detection of Captured Nodes

Wei Ding Department of Computer Science & IT

Austin Peay State University Clarksville, USA dingw@apsu.edu

Yingbing Yu Department of Computer Science & IT

Austin Peay State University Clarksville, USA yuy@apsu.edu

Sumanth Yenduri School of Computing

University of Southern Mississippi Long Beach, USA

Sumanth.Yenduri@usm.edu

Abstract— We have previously shown that the first stage scheme is effective in the detection of physical capture attacks in wireless sensor networks. Like most existing detection schemes, our scheme relies upon message passing. Regular message passing consumes considerable energy. In this paper the first stage scheme is integrated with a novel sleep/wakeup mechanism, which is completely pre-scheduled based upon a node’s internal clock. The scheduling tolerates minor clock alignment errors, so no frequent synchronization is needed. In addition, a sink-based dissemination technique is adopted, which replaces frequent and overlapped flooding of many regular nodes with sparse sink-triggered flooding. The adoption further saves energy expense. A LDCFSD protocol has been implemented in simulation. Simulation results have confirmed above conclusion.

Keywords- physical capture; first stage detection; sleep;

schedulig; sensor networks

I. INTRODUCTION Wireless sensor networks (WSNs) can be regarded as a

power restrained special case of wireless mesh networks. Typical sensor nodes in WSNs have very limited size, energy, memory, computational power, external storage, and communication capability. In many applications, sensor nodes operate in unattended, harsh, even hostile environments. In addition, they are usually inaccessible after deployment. Due to these targeted characteristics, many traditional security measures are not viable. Hence some unique threats are brought up against WSNs. [1]

The physical capture attack is one of these threats. In many other networks, the attack can be easily tackled with tamper-proof hardware. In WSNs, the tamper-proof hardware is not an option simply because of the low cost design objective. The capture attack consists of three stages: physical capture (including compromise), redeployment, and insider attacks.

Because of overestimation of threat [4], most previous detection techniques work at the second stage, when maliciously modified nodes are redeployed back to the WSN. [2, 3, 7, 8, 11, 13-18] Among them, majority use the location-based technique. [2, 3, 7, 11, 13, 15, 17] They detect by the location change as seen by monitor nodes. The distributed version only involves neighbor nodes. The centralized version includes the sink node. Others use the attestation technique, which uses challenge/response to verify the integrity of the code running on a target node. [8,

9, 14, 16, 18] Most attestation techniques are software-based. [8, 14, 16] Few need tamper-resistant hardware. [18]

The first stage scheme is based upon the fact that capturing of a node will interrupt the node’s normal operation, which has been carefully analyzed and proved with experiments using commercial WSN motes by Alexander Becher et al. [4] To the best of our knowledge, our FSD (First Stage Detection) protocol [6] is the first attempt in the first stage. The detection of FSD is based upon missing and malfunction of heartbeat messages. Besides being simple, reliable, easy to implement, and completely distributed, the first stage detection has following advantages over existing second stage approaches.

1. It detects captures at the earliest time and gains tremendously more time for the WSN to prepare and fight back. Like in all conflicts, early gives a defender advantage. According to [4], normal time gain from the first stage detection is at least 20 minutes more than the second stage approach.

2. It prevents all complications that results from consequences of the second stage attacks, such as spy nodes, worm hole attacks, Byzantine attacks, or imposter nodes, etc. This significantly simplifies complicated and unpredictable attack scenario.

3. It has the flexible placement in the protocol stack. It can be placed at the application layer or be merged with other cross-layer designs.

4. It can be used in most WSN applications, along with other detection schemes and other security paradigms.

Like most existing detection schemes, our scheme relies upon message passing in communication. Regular message passing consumes considerable energy. FSD’s use of flooding in alert dissemination further aggravates the problem. FSD’s key management is also not robust enough to completely prevent the redeployment of the compromised nodes. In addition, FSD fails to take the advantage of the sink.

To overcome above problems, we developed a low duty cycle FSD (LDCFSD) protocol that has following new features. (1) It adopts lower duty cycles, which is essentially a sleep/wakeup mechanism for energy saving. (2) It replaces neighbor-initiated flooding, which suffers from overlapped flooding among neighbors of a common monitored node, with unicast to sink plus integrated sink-

978-1-4244-7148-5/10/$26.00 ©2010 IEEE

initiated flooding with much lower frequency. (3) It provides more sophisticated key management.

II. FIRST STAGE DETECTION

A. Assumptions 1. WSNs are static. No node moves. 2. All nodes have a unique built-in node ID. 3. Every node has a universal clock synchronized at the

manufacture. The synchronization is performed in a long interval, for example, every 24 hours. This is a realistic substitute of the stringent requirement that all nodes should power up at exactly same time.

4. A strict cryptography is used, such that all messages, including Hello messages are coded and a decoding is

5. A WSN is connected. If a network is not actually connected, it could be decomposed into several disjoint connected components. Each then could be regarded as a complete WSN.

B. Hello Message-Based Detection Almost all detection techniques use message passing as

underlying premise. For implementations of our first stage scheme like FSD and LDCFSD, a very short message called Hello message [10], or heartbeat message in other literatures, is used. The scheme is very simple and easy to implement. Periodical Hello messages are exchanged among direct neighbors. [6] If a node does not receive three consecutive Hello messages from a monitored neighbor, it sends out two successive probing AYT (Are You There) messages with a fixed interval. If no response, which is a IMF (I aM Fine) message, is received, this node will be regarded as captured and a Captured message with the node ID of the suspected node will be disseminated to the network. Ways of dissemination are different on FSD and LDCFSD.

To save the battery, Hello messages should be transmitted at the least possible radio power. However, for simplicity, they are normally transmitted at the same radio power as regular data packets. The message should be very limited in size. It usually only contains the sender’s node ID. The message will be encrypted with the first key in a pre-installed key list. Every node should have the same key list installed by the manufacturer. The node ID is assigned prior to the deployment. After powering up, a node starts sending Hello messages with uniform intervals. A neighbor node will extract the node ID from the Hello message and store it in its neighbor table. Every node maintains a one hop neighbor table. In FSD, the Hello interval is the primary parameter and it is set to 3 seconds such that three successive intervals is still less than the half time of the minimum attack time, 20 seconds, as reported in [4].

Possible causes of falsely reported missed Hello messages could be problems in radio propagation, such as reflection, refraction, diffraction, absorption and scattering, or temporary software or hardware failure. In these cases, if a monitee receives an AYT message, an IMF message will be broadcasted to all one hop neighbors.

C. Message Types As shown in the following list, there are seven types of messages in LDCFSD protocol. First five types has been used in FSD, last two, i.e. Setup and MyPath, are only used in LDCFSD.

• Hello • AYT (Are you there?) • IMF (I am fine) • Captured • IMC (I am captured) • Setup: used to set up paths to and from the sink.

The sink node floods this message to entire network.

• MyPath: response message to the Setup message. It contains the path from sink to the current node.

Following data fields may be used in above messages. • type: Type of the message. • originator: Node ID of the first generator of the

message. • sender: Node ID of direct sender of this message. • receiver: Node ID of direct receiver of this

message. It is set to ALL if the message is broadcasted.

• captured: Node ID of the captured node, used only by IMC and Captured messages. It is set to -1 in all other messages.

• flooding: Boolean type, indicate if the receiver floods this message.

• path: The path from the sink to current node. It is the series of node IDs in the order of traversal.

• Sequence: The sequence number to

III. FSD PROTOCOL FSD protocol has all features described in Section II.

Here we recount its defects, particularly in the viewpoint of overhead. First, FSD protocol has considerable energy expense, in flooding of the Captured message, and in periodical broadcasting of Hello messages to immediate neighbors. Every node in the WSN has to forward a Captured message. With frequent suspicious activities, frequent flooding is unavoidable in FSD. This will considerably reduce the life time of nodes and eventually the life time of the WSN.

Another defect of FSD protocol is its failure in taking the advantage of the sink node. The sink node normally has abundant power supply, and much more capacity in computing and communication.

Third, FSD does not provide a mechanism to prevent the redeployment of the compromised nodes or cloned nodes. FSD can detect most captured nodes; however, no detection protocol could stop the capture attack. So the handling of second stage attack is inevitable, even for the first stage detection approach.

Last, the key management in FSD is not robust. If the compromised node cannot detect its own capture, it will not delete the key list. Even it could detect the danger of

physical capture; it may not have enough time to delete. Furthermore, for low end sensors, the low cost limitation will not allow fancy functions like rewriting flash memory, or NVRAM.

IV. LDCFSD PROTOCOL Besides more sophisticated key management, two

enhancements are added to LDCFSD to minimize the overhead: a sleep/wakeup mechanism, a sink-relayed dissemination. Both of them share a tree setup procedure.

A. Setup of Component Tree First is the network setup phase, in which neighbors,

children, parent are located and paths to parent, to children, and to sink are established. It lasts from the node power-up to NODE_SETUP_TIME. At the setup phase, all sensor nodes keep awake. Four messages are used in the setup phase.

First, Hello messages are used to find out neighbors. Only sensor nodes send Hello messages, but both sensor nodes and the sink receive them. After power-up of all nodes and a waiting time NEIGHBOR_SETUP_TIME, the sink floods a TreeSetup message to all its neighbors. This message goes down the tree to set up top-down paths through the parent pointer.

When the TreeSetup message reaches leaf nodes, leaf nodes send back MyPath messages to their parent nodes, and then parent nodes send these messages to their parents, and so on, all the way to the sink. Note that these MyPath messages cannot be merged. Besides path to the sink, each node’s children and depth are also set up. So the sink gets the depth of the tree. To ensure that all MyPath messages have adequate time to reach the sink, the sink waits till the SINK_SETUP_TIME before it floods the depth of the tree in a MaxLevel message.

B. Scheduling Sleep/Wakeup All nodes at the same level follow the identical duty

cycle. That is, they get into sleep and the exactly same time and wake up at the same time. The sleep durations for all levels are equal. Suppose the depth of the network is d. The network duty cycle C, which is the time period all levels get into one and only one sleep, is equally split into d shares. Each share is the duration in which all nodes in one level keep awake. Nodes at the lowest level get into sleep first. Then the level directly above, i.e. parent level, gets into sleep, then the grandparent level gets into sleep, and so on, till the level just below the sink. Note that the sink does not sleep. Suppose the sink is at level 0, and the lowest level is d. Every node shares the same duty cycle. The duration of each part is )4( dC . All nodes at level i get into sleep at time 2/)))(/(( iddC − .

After the tree is set up, all nodes start the scheduling of sleep. Timing or synchronization is illustrated in Figure 1. Here Rx means receiving, Tx means transmitting. For any node, the first half of the wake cycle is used for communication with children, while the second half is for

communication with the parent. In each half, time is evenly split. For children half, the first part is used for reception of messages, the second is for transmission. For parent half, the first part is used for transmission, the second is for reception.

Figure 1. Figure1 Timing of Sleep

No synchronization message is needed. All synchronization is implemented with the clock built in every sensor node.

C. Captured Messages Sent to Sink In LDCFSD, instead of being flooded to entire network,

Captured and IMC messages are unicasted to the sink in the multihop manner. The paths of the data aggregation tree are used to transfer these messages to the sink. This way, expensive flooding is eliminated. The resulted system is not exactly same as that we get by flooding in FSD. In LDCFSD, at beginning, only the sink gets the knowledge about which nodes have been suspected as captured. In FSD, all nodes have this information after one round of flooding. LDCFSD floods its set of suspected nodes to entire network at a rather longer interval. This slower and collective flooding saves the messages and energy dramatically. In addition, no new node is allowed to join the network after the bootstrapping to stop the redeployment of captured nodes. This will keep the network safe even when the set captured nodes have not been updated before next flooding from the sink.

Due to the limit of pages, detailed pseudocode algorithms are skipped in this paper. Interested reader may contact the corresponding author for the algorithms.

V. SIMULATION

A. Simulation Setup If density remains as a constant, the size of network is

not important. The simulated WSN covers a 100 feet by 100 feet square. As in [2, 6], two networks are tested. The one with 100 nodes and another with 25 nodes represent regular and sparse WSNs respectively. In both layouts, sensor nodes are randomly distributed in the square.

To make the comparison of LDCFSD and FSD realistic, same random seed is used such that an identical set of random coordinates of all sensor nodes was generated. Two protocols are running with identically deployed WSNs.

R

Rx

Rx Rx

Rx Rx

Rx Tx Tx

Tx Tx

Tx Tx

Level i+1

Level i

Level i-1

Time

Level

1) Bootstrapping of Nodes In both FSD and LDCFSD, the first step is a short

bootstrapping, in which every node broadcasts Hello messages to its one hop neighbors without flooding, such that every node could identify its one hop neighbors.

2) Node Capture Simulation Then certain percent nodes are randomly chosen as

captured. In both FSD [6] and LDCFSD, the simulation of node capture starts with marking a set of nodes as captured. The selection of captured nodes is completely random. Captured nodes are simulated by stopping sending any message. But they are still allowed to receive messages. In both FSD [6] and LDCFSD, number of nodes marked as captured is decided by a user entered percentage of all nodes. With these disabled nodes, both simulators run for a fixed time t as calculated by

)3(5 UTAYT_TIME_OALAYT_INTERVRVALHELLO_INTEt ++××=

Here, all three constants are set far greater than the average message duration. The average message duration is defined as the time needed to transmit an average size message from one node to one of its one hop neighbors. The message duration is also the discrete time interval of the major loop body in FSD and LDCFSD.

3) Tree Building in LDCFSD LDCFSD is adapted from FSD. A tree and path builder

is added to set up the component tree, as described in Section IV.A. It is after the bootstrapping, but before the simulation of detection. The builder floods a Setup messages to entire network and received corresponding MyPath messages. Normally this path building only needs round trip time for a message to traverse the longest path of the network and back. Usually for a WSN, or other regular ad-hoc network, the diameter of the network is normally far less than 15. If we replace all three constants in above equation with 1, then t becomes 25, which is much greater than 25 average inter-neighbor message durations. In present sensor networks, the network diameter is often less than 10. If we use constants values that are much greater than one average message duration, which is just the case in real world, than t is certainly long enough for LDCFSD to finish the path building.

This is essential since all paths to the sink are built this way. With these paths, sensor nodes do not need flood entire WSN to distribute a Captured message. They simply send the Captured message to sink.

4) Sleep/Wakeup Implementation There is actually very limited disturbance due to the

node sleep. Nodes in a same level are certainly not affected. For nodes in adjacent levels, a simple mechanism is employed and it minimizes the effect of sleep to a point that can be safely ignored. The mechanism uses special timer for counting absence of Hello messages and IMF messages. The counter is stopped when its host node

sleeps. Nothing else need to be changed in the original FSD detection algorithm.

5) Detection of Captured Nodes Next, the primary detection algorithm in LDCFSD or

FSD is executed. The detection is basically implemented through message passing.

Alternatively, the dissemination time of the Captured message may also be included as the second part of the detection time. In LDCFSD, the dissemination is sending the Captured message to the sink node. In FSD, the dissemination is done by flooding the Captured message to every node in the network. Certainly the time in LDCFSD is shorter than in FSD, since the path to the sink from the detecting node (actually the argument applies to any node) may not always be the longest path among all the paths from the detecting node to all other nodes.

B. Detection Performance Parameters Traditional performance parameters for node capture

simulation include false positive ratio and false negative ratio. [2, 9] The former is the error rate in marking nodes as captured. The simulation shows that comparing to FSD, false positive ratio and false negative ratio, have not suffered any loss in LDCFSD. Actually their performance is almost same. The simulation result of Song et al is also listed. [2]

Figure 2. False positive comparison among LDCFSD, FSD, and Song’s

in WSN with 30 feet radio range and 100 nodes

Figure 3. False positive comparison among LDCFSD, FSD and Song’s

in WSN with 30 feet radio range and 25 nodes

0

1

2

3

4

5

6

7

1 2 3 4

Fals

e Po

siti

ve P

erce

ntag

e

Number of Captured Node

LDCFSD

FSD

Song

0

2

4

6

8

10

1 2 3 4

Fals

e Po

siti

ve P

erce

ntag

e

Number of Captured Node

LDCFSD

FSD

Figure 4. False negative comparison among LDCFSD, FSD and Song’s

in WSN with 30 feet radio range and 100 nodes

False positive is the ratio of the number of incorrectly marked as captured nodes to the number of captured nodes. Figures 1 and 2 show false positive ratios of two WSNs. One has 100 nodes; another has 25 nodes. Both use 30 feet radio range. False negative is the error rate the ratio of the number of undetected captured nodes to the total number of captured nodes. Figures 3 and 4 show the false negative ratios for these two WSNs.

Figure 5. False negative comparison among LDCFSD, FSD, and Song’s

in a WSN with 30 feet radio range and 25 nodes

C. Energy Saving Parameters Besides performance parameters, total messages sent

and total messages received, are used to compare the communication overhead between FSD and LDCFSD. In WSNs, communication is the primary consumption of battery energy.

Figure 6. Comparison of messages sent in LDCFSD and FSD upon a

WSN with 30 feet radio range and 100 nodes

Figure 7. Comparison of messages sent in LDCFSD and FSD upon a

WSN with 30 feet radio range and 25 nodes

Figure 8. Comparison of messages received in LDCFSD and FSD upon a

WSN with 30 feet radio range and 100 nodes

Figure 9. Comparison of messages received in LDCFSD and FSD upon a

WSN with 30 feet radio range and 25 nodes

Cutting down transferred messages considerably lowers node power consumption. Hence the life time the WSN as a whole are prolonged. The simulation shows that the message overhead has decreased remarkably. Figures 5 and 6 compare the messages sent in LDCFSD and FSD for above two WSNs. Figures 7 and 8 illustrate the messages received.

VI. CONCLUSION In this paper, we propose a new implementation of our

first stage scheme for detection of physical node capture attack. In a previous paper [6], an initial implementation FSD is presented. Though effective in detection, FSD

0

1

2

3

4

5

6

7

1 2 3 4

Fals

e N

egat

ive

Perc

enta

ge

Number of Captured Node

LDCFSD

FSD

Song

0

20

40

60

80

100

1 2 3 4

Fals

e N

egat

ive

Perc

enta

ge

Number of Captured Node

LDCFSD

FSD

Song

0

10000

20000

30000

40000

50000

60000

70000

80000

2 3 4 5 6 7 8

Mes

sage

s Se

nt

Captured Nodes

FSD

LDCFSD

0

2000

4000

6000

8000

10000

12000

2 3 4 5 6 7 8

Mes

sage

s Se

nt

Captured Nodes

FSD

LDCFSD

0

20000

40000

60000

80000

100000

120000

140000

160000

2 3 4 5 6 7 8

Mes

sage

s Re

ceiv

ed

Captured Nodes

FSD

LDCFSD

0

2000

4000

6000

8000

10000

12000

14000

2 3 4 5 6 7 8

Mes

sage

s Re

ceiv

ed

Captured Nodes

FSD

LDCFSD

suffers from the common problem of most existing detection techniques. Almost all of them use message passing as underlying technique, which leads to significant energy consumption. In LDCFSD the first stage scheme is implemented along with a timing-based sleep mechanism. In addition, a sink-based centralized dissemination technique is adopted. The old dissemination technique used in FSD, which requires frequent and overlapped flooding, is discontinued. The abstract simulation has shown that, without loss of performance in detection, for identical deployed WSNs, more than 70 percent reduction in number of messages is seen in LDCFSD. This can translated into proportional energy saving, That is, comparing in FSD, more than 70 percent energy is save in LDCFSD for doing exactly same detection.

REFERENCES 1 Adrian Perrig, John Stankovic, and David Wagner, Security in

Wireless Sensor Networks, Communications of the ACM, Volume 47, Issue 6, Pages: 53 - 57, June 2000.

2 Hui Song, Liang Xie, Sencun Zhu, and Guohong Cao, “Sensor Node Compromise Detection: The Location Perspective,” IWCMC 2007, Honolulu, Hawaii, USA, August 2007.

3 Heesook Choi, Sencun Zhu, and Thomas F. La Porta, SET: Detecting node clones in Sensor Networks, Proceeding of SecureComm 2007, Pages: 341 - 350, September 2007.

4 Alexander Becher, Zinaida Benenson, and Maximillian Dornseif, Tampering with motes: real-world physical attacks on wireless sensor networks, Third International Conference on Security in Pervasive Computing, SPC 2006, York, UK, April 2006.

5 Chin-Tser Huang and Mohamed G. Gouda, Hop Integrity in the Internet, Springer US, 2006.

6 Wei Ding, Bireswar Laha, and Sumanth Yenduri, First Stage Detection of Compromised Nodes in Sensor Networks, Proceeding of 2010 IEEE Sensors Applications Symposium (SAS 2010), Limerick, Ireland, February 23-25, 2010.

7 Qing Zhang, Ting Yu, Peng Ning, “A Framework for Identifying Compromised Nodes in Wireless Sensor Networks”, ACM Transactions on Information and System Security, Volume 11 Issue 3, March 2008.

8 Taejoon Park, Kang G. Shin, Soft Tamper-Proofing via Program Integrity Verification in Wireless Sensor Networks, IEEE

Transactions on Mobile Computing, Volume 4, Issue 3, Pages: 297 – 309, May 2005.

9 Arvind Seshadri, Adrian Perrig, Leendert van Doorn, Pradeep Khosla, “SWATT: SoftWare-based ATTestation for Embedded Devices, In IEEE Symposium on Security and Privacy”, Vol.0, pages 272-282, May9-12, 2004.

10 Ian D. Chakeres and Elizabeth M. Belding-Royer, “The Utility of Hello Messages for Determining Link Connectivity,” Proceedings of the 5th International Symposium on Wireless Personal Multimedia Communications (WPMC) 2002, pp. 504-508, Honolulu, Hawaii, October 2002,.

11 Yong-Sik Choi, and Seoung Ho Shin, “A Study on Sensor Node Capture Defense Protocol for Ubiquitous Sensor Network”, Proceedings of the 2007 International Conference on Convergence Information Technology, Pages: 400-405, Gyeongui, Korea, November 21-23, 2007.

12 Carl Hartung, James Balasalle, and Richard Han, “Node Compromise in Sensor Networks: The Need for Secure Systems”, Technical Report CU-CS-990-05 (2005).

13 Mauro Conti, Roberto Di Pietro, Luigi Vincenzo Mancini, and Alessandro Mei, “Emergent properties: detection of the node-capture attack in mobile wireless sensor networks,” Proceedings of the first ACM conference on Wireless network security, Pages: 214-219, Alexandria, VA, USA, 2008.

14 Xiaojiang Du, Detection of Compromised Sensor Nodes in Heterogeneous Sensor Networks, IEEE International Conference on Communications 2008, Beijing, China, May 19-23, 2008.

15 Mauro Conti, Roberto Di Pietro, Luigi Vincenzo Mancini, and Alessandro Mei, “A randomized, efficient, and distributed protocol for the detection of node replication attacks in wireless sensor networks,” Proceedings of the 8th ACM international symposium on Mobile ad hoc networking and computing, Montreal, Quebec, Canada, September 9-14, 2007.

16 Yi Yang, Xinran Wang, Sencun Zhu, and Guohong Cao, “Distributed Software-based Attestation for Node Compromise Detection in Sensor Networks,” Proceedings of 26th IEEE International Symposium on Reliable Distributed Systems, Beijing, China, 2007.

17 Bryan Parno, Adrian Perrig and Virgil Gligor, “Distributed Detection of Node Replication Attacks in Sensor Networks,” Proceedings of the IEEE Symposium on Security and Privacy, May 8-11, 2005, Oakland, CA.

18 Christoph Krauß, Frederic Stumpf, and Claudia Eckert, “Detecting node compromise in hybrid wireless sensor networks using attestation techniques,” Proceedings of 4th European Workshop on Security and Privacy in Ad-hoc and Sensor Networks, Cambridge, UK, 200