Introduction to Sensor Networks
Rabie A. Ramadan, PhD, Cairo University. http://rabieramadan.org
4. Security in WSN. Security Requirements: Availability, Data Confidentiality, Data Integrity, Non-repudiation, Authorization and Key Management.
Introduction to Sensor Networks
Rabie A. Ramadan, PhD, Cairo University
http://rabieramadan.org
4
Security in WSN
Security Requirements
• Availability
• Data Confidentiality
• Data Integrity
• Non-repudiation
• Authorization and Key Management
Security Solution Constraints
• Lightweight
• Decentralized
• Reactive
• Fault-tolerant
Challenges in WSNs
Constraints and their implications:
• Sensor node hardware, resource constraints: algorithms must be energy- and storage-efficient
• Nodes operate unattended: adversary can compromise any node
• Nodes not tamper-resistant: adversary can compromise any node's keys
• No fixed infrastructure: cannot assume any special-function node in vicinity
• No pre-configured topology: nodes don't know neighbours in advance
• Communicate in an open medium: communications are world-readable and world-writeable by default
Security design principles
• Favour computation over communication
  • Communication 1000 times more energy-consuming than computation
• Favour resilience (tolerance) over absolute security
WSN Security Research Fields
• Routing security
• Data forwarding security
• Link layer security
• Key management
• ...
Security issues in WSN
The discussed applications require communication in WSN to be highly secure.
Main security threats in WSN are:
• Radio links are insecure: eavesdropping / injecting faulty information is possible
• Sensor nodes are not tamper resistant: if a node is compromised, the attacker obtains all security information
Attacker types:
• Mote-class: attacker has access to some number of nodes with similar characteristics / laptop-class: attacker has access to more powerful devices
• Outside (discussed above) / inside: attacker compromised some number of nodes in the network
Attacks on WSN
Main types of attacks on WSN are:
• Spoofed, altered, or replayed routing information
• Selective forwarding
• Sinkhole attack
• Sybil attack
• Wormholes
• HELLO flood attacks
• Acknowledgment spoofing
False routing information
• Injecting fake routing control packets into the network; examples: attract / repel traffic, generate false error messages.
• Consequences: routing loops, increased latency, decreased lifetime of the network, low reliability
[Figure: nodes B, A1, A2, A3, A4.] Example: captured node attracts traffic by advertising shortest path to sink, high battery power, etc.
Selective forwarding
• Multi-hop paradigm is prevalent in WSN
• It is assumed that nodes faithfully forward received messages
• Compromised node might refuse to forward packets; however, neighbors might start using another route
• More dangerous: compromised node forwards selected packets
Sinkhole and Sybil attacks
Sinkhole attack:
• Idea: attacker creates a metaphorical sinkhole by advertising, for example, a high-quality route to a base station
• Laptop-class attacker can actually provide this kind of route, connecting all nodes to the real sink, and then selectively drop packets
• Almost all traffic is directed to the fake sinkhole
• WSN are highly susceptible to this kind of attack because of the communication pattern: most of the traffic is directed towards the sink, a single point of failure.
Sybil attack:
• Idea: a single node pretends to be present in different parts of the network.
• Mostly affects geographical routing protocols
Wormholes
• Idea: tunnel packets received on one part of the network to another
• Well-placed wormhole can completely disorder routing
• Wormholes may convince distant nodes that they are close to the sink. This may lead to a sinkhole if the node on the other end advertises a high-quality route to the sink
Wormholes (cont.)
• Wormholes can exploit routing race conditions, which happen when a node makes routing decisions based on the first route advertisement
• Even encryption cannot prevent this attack
• Wormholes may be used in conjunction with a Sybil attack
HELLO flood attack
• Many WSN routing protocols require nodes to broadcast HELLO packets after deployment, which is a sort of neighbor discovery based on the radio range of the node
• Laptop-class attacker can broadcast a HELLO message to nodes and then advertise a high-quality route to the sink
Acknowledgment spoofing
• Some routing protocols use link layer acknowledgments
• Attacker may spoof acks
• Goals: convince that a weak link is strong or that a dead node is alive.
• Consequently, a weak link may be selected for routing; packets sent through that link may be lost or corrupted
Overview of Countermeasures
• Link layer encryption prevents the majority of attacks: bogus routing information, Sybil attacks, acknowledgment spoofing, etc.
• This makes the development of an appropriate key management architecture a task of great importance
• Wormhole attacks, HELLO flood attacks and some others are still possible: attacker can tunnel legitimate packets to the other part of the network or broadcast a large number of HELLO packets
• Multi-path routing and bidirectional link verification can also be used to prevent particular types of attacks like selective forwarding and HELLO flood
Part One
Secure data aggregation
Phase 1: Query dissemination
Sample query:
SELECT AVERAGE(temperature) FROM sensors
WHERE floor = 6
EPOCH DURATION 30s
Phase 2: Data aggregation
[Figure: nodes labelled "aggregate".]
Types of aggregation: (1) basic aggregation, (2) data compression, (3) parameter estimation
Phase 3: Result verification (optional)
[Figure: the query “Did you really report this?” repeated at six nodes.]
Security goals of data aggregation
• Robustness: Byzantine corruption of data would not make the aggregation result totally meaningless
• Confidentiality: ensure that, other than the sink and the sources, no intermediate node has knowledge of the raw data or the aggregation result
[Figure: sources report 1, 2, 3 and 1000 to a node that performs averaging: “So the average is 251.5… Oh wait a minute”. Nodes between the sources and the sink: “What the hell am I aggregating?”, “What the hell am I forwarding?”]
Voting
Resource-intensive, only good for mission-critical, small-scale networks
[Figure: readings 1, 1, 2, 3 and 300, with nodes marked malicious. Asked “is mean = 61.4 reasonable?”, the nodes vote No, No, No, No, Yes. Conclusion: “Alright, 61.4 is not reasonable!”]
Interactive proof algo
• By [Przydatek et al. 2003], an algorithm for proving probabilistically that a given figure is indeed the median of the samples
• Example for the sake of intuition, with samples 1 2 3 4 5 6:
1. Prover must have the samples sorted first
2. Prover tells the verifier the median is 3.5 and the no. of samples is 6
3. Verifier asks for the 3rd sample, prover tells the 3rd sample is 3 < 3.5, verifier is happy but still suspicious
4. Verifier asks for the 4th sample, prover tells the 4th sample is 4 > 3.5, verifier is happy but still suspicious
5. Verifier asks for the 1st and 6th sample, prover tells 1st is 1 < 3.5 and 6th is 6 > 3.5, verifier says: “Alright, I’ve sampled enough, median should be 3.5 at high probability”.
• Relies on the trustworthiness of the samples, but how do we make sure?
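The spot-check walked through above, as an added Python sketch (not from the slides and not the algorithm of Przydatek et al.): it follows only the slide's intuition, and the Prover class, function names and the number of random checks are assumptions. It also runs the averaging figure's readings (1, 2, 3, 1000) through mean and median to show the robustness goal.

```python
import random
import statistics

class Prover:
    """Aggregator holding the samples; answers 1-based position queries."""
    def __init__(self, samples, claimed_median=None):
        self.samples = sorted(samples)               # step 1: sort first
        self.n = len(self.samples)
        self.claim = (statistics.median(self.samples)
                      if claimed_median is None else claimed_median)

    def sample_at(self, pos):
        return self.samples[pos - 1]

def position_ok(n, pos, value, median):
    """Is the value at sorted position pos consistent with the claimed median?"""
    if pos <= n // 2:
        return value <= median                       # lower half
    if pos > (n + 1) // 2:
        return value >= median                       # upper half
    return value == median                           # middle element when n is odd

def verify_median(prover, extra_checks=4, rng=None):
    """Spot-check the claim: both ends, the middle pair, then random positions."""
    rng = rng or random.Random()
    n, m = prover.n, prover.claim
    picks = {1, n, max(1, n // 2), min(n, n // 2 + 1)}
    picks.update(rng.randint(1, n) for _ in range(extra_checks))
    answers = {pos: prover.sample_at(pos) for pos in sorted(picks)}
    values = list(answers.values())
    if values != sorted(values):                     # answers must respect sort order
        return False
    return all(position_ok(n, p, v, m) for p, v in answers.items())

SLIDE_SAMPLES = [1, 2, 3, 4, 5, 6]   # the slide's example
READINGS = [1, 2, 3, 1000]           # readings from the averaging figure

def demo():
    honest = verify_median(Prover(SLIDE_SAMPLES))                    # claims 3.5
    wrong_claim = verify_median(Prover(SLIDE_SAMPLES, claimed_median=5))
    # Constructed samples the verifier cannot authenticate: the check passes
    # anyway, which is the open question the slide ends on.
    unauthenticated = verify_median(Prover([4, 5, 5, 5, 6, 6]))
    return (honest, wrong_claim, unauthenticated,
            statistics.mean(READINGS), statistics.median(READINGS))
```

The third result is the reason the verifier needs some way to bind the prover to the sensors' real readings before position queries mean anything.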
Key Management Techniques
Eng. Ahmed Ezz
Location verification – SerLoc (Secure Range-independent localization)
What is location verification?
Different assumptions from general localization
• What if some malicious nodes lie about their location?
• Sample attack scenario
  • Claim to be very close to the sink
  • Attract many packets
  • Drop some or all of them
  • Very easy DoS attack, especially for geographic routing protocols
Secure Location Services
• Secure Verification of Location Claims [Sastry et al. WISE 2002].
• Location Privacy: Privacy-aware Location Sensor Networks [Gruteser et al. USENIX 2003].
• Secure Localization: Ensure robust location estimation even in the presence of adversaries.
  • SeRLoc: [Lazos and Poovendran, WISE 2004].
  • S-GPS: [Kuhn 2004].
  • SPINE: [Capkun & Hubaux, Infocom 2005].
SeRLoc
• SeRLoc: SEcure Range-independent LOCalization.
• SeRLoc features
  • No ranging hardware required.
  • Decentralized implementation, scalable.
  • Robust against attacks - lightweight security.
Two-tier network architecture
• Sensors: randomly deployed, unknown location; omnidirectional antennas; sensor range r
• Locators: randomly deployed, known location and orientation; directional antennas; locator range R; beamwidth θ
[Figure: locators at (X1, Y1) to (X5, Y5) with compass directions N, S, E, W; legend: Locator, Sensor.]
The Idea of SeRLoc
• Each locator Li transmits information that defines the sector Si covered by each transmission.
• Sensor defines the region of intersection (ROI) from all locators it hears.
$ROI = \bigcap_{i=1}^{|LH_s|} S_i$
[Figure: locators L1, L3, L4 and sensor s at (0, 0); region labelled ROI; legend: Locator, Sensor.]
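The sector intersection described above, as an added Python sketch (not from the slides or from the SeRLoc authors): the sensor evaluates which grid points lie inside every sector it hears. The locator positions, boresight angles, θ = 60°, R = 50, the grid, and the use of the ROI centroid as a position estimate are all assumptions made for the illustration.

```python
import math

def in_sector(point, locator, boresight_deg, beamwidth_deg, R):
    """True if point lies within range R and half the beamwidth of the boresight."""
    dx, dy = point[0] - locator[0], point[1] - locator[1]
    if math.hypot(dx, dy) > R:
        return False
    if dx == 0 and dy == 0:
        return True
    bearing = math.degrees(math.atan2(dy, dx))
    # Signed angular offset from the antenna boresight, folded into [-180, 180).
    off_axis = (bearing - boresight_deg + 180.0) % 360.0 - 180.0
    return abs(off_axis) <= beamwidth_deg / 2.0

def region_of_intersection(heard, beamwidth_deg, R, extent=60, step=2):
    """Grid points that lie in every heard sector S_i, i.e. the ROI."""
    grid = range(-extent, extent + 1, step)
    return [(x, y) for x in grid for y in grid
            if all(in_sector((x, y), pos, bore, beamwidth_deg, R)
                   for pos, bore in heard)]

def centroid(points):
    """Assumed estimator: centre of the ROI grid points."""
    xs, ys = zip(*points)
    return sum(xs) / len(xs), sum(ys) / len(ys)

# Constructed beacons: (locator position, antenna boresight in degrees).
L1 = ((-30, 0), 0.0)
L3 = ((0, -30), 90.0)
L4 = ((25, 25), 225.0)
THETA, RANGE = 60.0, 50.0      # beamwidth θ and locator range R (assumed values)

def demo():
    roi_one = region_of_intersection([L1], THETA, RANGE)
    roi_all = region_of_intersection([L1, L3, L4], THETA, RANGE)
    return roi_one, roi_all, centroid(roi_all)
```

Each additional locator heard can only shrink the ROI, so the estimate tightens without any distance measurement.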
How SerLoc works
• Node i claims its location is (x, y)
• Node i needs to send (x, y) in a location verification request message to a nearby verifier
  • A verifier can be a normal sensor node
• The verifier sends a random nonce to node i and starts the clock
• Node i has to immediately return the challenge through both radio and ultrasonic channels
• The verifier measures the time node i takes to return the challenge and takes the difference between the radio and ultrasonic signal propagation. Based on this observation, it verifies the claimed location
Weakness of SerLoc
• Requires extra hardware, i.e., ultrasonic channel
• Innocent victims may respond late due to backlog
• Not location verification but range verification
[Figure: verifier, sink, M's real location and M's claimed location. “Oops... Verifier cannot tell the difference! Big trouble...”]
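The challenge-response check from the "How SerLoc works" slide and the weaknesses listed above, as an added Python sketch (not from the slides): the verifier derives a range from the gap between the radio and ultrasonic echoes and compares it with the claimed position. The coordinates, the 0.5 m tolerance, the 5 ms reply deadline and the speed of sound are assumptions.

```python
import math

C_RADIO = 299_792_458.0   # radio propagation speed, m/s
V_SOUND = 343.0           # ultrasound in air, m/s (assumed, about 20 °C)

def echo_times(verifier, node_pos, backlog_s=0.0):
    """Arrival times (s after the nonce is sent) of the radio and ultrasonic echoes."""
    d = math.dist(verifier, node_pos)
    leaves_node = d / C_RADIO + backlog_s       # nonce arrives, node replies
    return leaves_node + d / C_RADIO, leaves_node + d / V_SOUND

def verify_claim(verifier, claimed_pos, t_radio, t_sound,
                 tol_m=0.5, deadline_s=0.005):
    """Accept if the reply was prompt and the measured range matches the claim."""
    if t_radio > deadline_s:                    # "immediately return the challenge"
        return False
    # Both echoes leave together, so their gap is d/V_SOUND - d/C_RADIO.
    measured = (t_sound - t_radio) / (1.0 / V_SOUND - 1.0 / C_RADIO)
    return abs(measured - math.dist(verifier, claimed_pos)) <= tol_m

VERIFIER = (0.0, 0.0)     # constructed coordinates, metres

def run(real_pos, claimed_pos, backlog_s=0.0):
    t_radio, t_sound = echo_times(VERIFIER, real_pos, backlog_s)
    return verify_claim(VERIFIER, claimed_pos, t_radio, t_sound)

def demo():
    return {
        # 5 m away and says so: accepted.
        "honest": run((3.0, 4.0), (3.0, 4.0)),
        # 50 m away but claims a spot 5 m away: the range mismatch is caught.
        "claims_closer": run((30.0, 40.0), (3.0, 4.0)),
        # 5 m away on another bearing: same range, so the check cannot tell.
        "same_range_elsewhere": run((-4.0, 3.0), (3.0, 4.0)),
        # Honest node that replies 20 ms late because of backlog: rejected.
        "honest_backlogged": run((3.0, 4.0), (3.0, 4.0), backlog_s=0.02),
    }
```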
Possible Research Issues
• Most localization work is mathematical and evaluated via (high level) simulations
  • More realistic work is needed
• Indoor localization is harder
  • Look at CodeBlue project at Harvard
• Location verification
  • Can’t trust sensors
• Secure localization
  • Can’t trust anchors