session 3a - school of computing & mathematical sciences
TRANSCRIPT
SESSION 3A
NETWORK SECURITY I
CIA Security Management for Wireless Sensor Network Nodes
C. O. Iwendi Electronics and Optical Engineering Research Group
University of Aberdeen Scotland, UK
A. R. Allen Electronics and Optical Engineering Research Group
University of Aberdeen Scotland, UK
Abstract—Wireless sensor networks (WSN) have become a complete solution in making use of low power implementation and embedded systems. Nevertheless, the many constraints arising from low communication range, limited computing power, lack of availability of networking protocol, programming in the absence of certainty and security lapses in the areas of confidentiality, integrity and availability (CIA), have so far reduced the full implementations of WSN. A novel security technique and its functionality for WSN nodes have been proposed. A review of past and current research, the possibility of having a secured network and proposals meant to prevent denial of service (DOS) and complexity attacks. These schemes if properly implemented, can provide an energy-efficient mechanism using pre-allocation and a re-keying of key management models with a secured routine algorithm
Keywords-WSN; Clusterhead; Judy; Blom; IPSEC; DOS
I. INTRODUCTION Wireless sensor networks (WSN) consist of a large number
of scattered very small devices that arrange themselves into a multi-hop wireless network. These nodes are equipped with one or more sensors, embedded processors and a wireless transceiver. These nodes are then deployed into a particular area to perform a desired task of gathering and processing data [1]. WSN have gradually become a solution using microelectronics and embedded systems. One of the applications for WSN is the automotive industry; new products in the areas of advanced lighting and night vision, as well as technologies that help comply with stringent fuel economy, environmental and safety standards have been implemented. Devices such as airbags, passenger restraints, anti-lock brakes, traction and stability control, and other increasing essentials like lane departure warnings, adaptive cruise control, blind spot warnings and predictive radars are critical technologies which use WSN and microcontrollers [2]. Wireless sensor networks do not differ from all other network embedded systems in the areas of confidentiality, integrity and availability of data as shown in Fig. 1.0. In this paper, we shall try to address the CIA security management of WSN with some precise methods and compare it with previous work done in this area.
Fig. 1.0 CIA Question for Wireless Sensor Networks
Wireless sensor network therefore constitutes a decentralized system that enables each sensor to support a multi-hop routing algorithm. Large numbers of sensor nodes are deployed in a remote area and are connected via wireless links with the view to forward data packets to the base station (BS) or sink node as shown in Fig. 2a and Fig. 2b, thereby monitoring the physical and/or environmental data. The WSN communication structure as shown illustrates further the scenario under which nodes or clusters send signals to the base station in the presence of an intruder. Wireless sensor network facilitates many other numerous application areas for instance, tactical observation by military unattended sensor networks, elderly and patient monitoring by body area networks (BANs) and building automation by building automation and control networks (BACnets) [3]. Researchers are still concerned if WSN can actually be secured considering that messages can be intercepted based on what was sent, whom it was sent to, when the message was sent and where the message was sent from and to. They are also considering the level of integrity of the system in terms of the actions of the intruders to insert, delete and or change the message that was sent. How accurate the final information will be with consideration of denial of service attack is currently being investigated (Fig. 1.0). Therefore, this paper suggests the best possible way to achieve effectiveness in the area of Denial-of-service attacks and countermeasures, techniques for WSN nodes deployment, key management protocols, energy reduction, formal verification method, and performance evaluation and security enhancement.
ISBN: 978-1-902560-25-0 © 2011 PGNet 123
Fig. 2a Fig. 2b
Fig. 2a Integration of IP-enabled WSN nodes Fig. 2b Integration of Non-IP enabled WSN nodes
II. OVERVIEW OF WSN SECURITY Wireless sensor network (WSN) nodes have important
security issues and the main concern lies in the ability to achieve secured communication in either mobile or fixed networks. This has become a fundamental point of concern for achieving secured communication in the network. Preservation and distribution of authenticated data in an unfriendly environment, where the sensor nodes may be compromised, destroyed or replaced with malicious nodes, has become a strong engineering standpoint. In a compromised network, detecting a real event by an intruder can disrupt, destabilize or destroy the data [4]. The end product of such attack can lead to exhaustion of network energy and bandwidth resources, triggering false alarms and undesired reactions to the nodes in the network. This section gives understanding to the wireless sensor network basics and an argument for a thorough and well placed security intention.
A. Wireless Sensor Network Synopsis WSN nodes consist of four fundamental components as
illustrated. This includes a sensing unit, a processing unit, a radio transceiver and a power unit [5]. There are also additional components in the network that includes location finding systems, mobilizer and power generators. Sensing units comprises - sensors, analog-to-digital converters (ADCs) and sometimes a mobilizer is needed to move sensor nodes when required to carry out a specific task. The processing unit receives digitise signals that was measured by the sensors, and in turn uses its associated storage capacity to manage the rest of the tasks in the network. The connection between the node and the network is done by the radio transceiver which also serves as the communication medium of the clusterhead. The power unit remains the important part of the component since as we shall discover later in this report, it determines the longevity of the sensor node. This latter component is one of the essential resources constraints of WSN nodes.
B. Need for Lightweight Security Mechnanism The practical issues ranging from resource constraints to
implementation are vital issues that are problematic to WSN applications. Sensor nodes are equipped with little energy reserves due to their size, and the inability to recharge the nodes complicates its implementation due to low power supply. It is therefore paramount that an effective procedure is needed to keep the WSN nodes transmission and routing functioning for a long duration without disturbing the network and as a consequence avoiding the loss of the message either sent or stored. Moreover, key management offers a tactical scenario for WSN implementation; this is due to high level of fault tolerance when a node is compromised or attacked. Large scale sensor deployments of nodes that heavily impact the simulation performance and scalability, and the accuracy of the messages transmitted or received from the radio sensor nodes can affect the implementation complexity of WSN. It is almost impracticable to analyse WSN model and predict the actual performance of protocols and network operation [6]. Therefore, in order to have a better WSN performance with lightweight security features there is need to provide an accurate radio model that is scaled to a large number of nodes.
III. INVESTIGATION OF PREVIOUS SECURITY PERFORMED WSN deployments are security sensitive and attacks against
them may lead to damage to health and safety of people. Denial of service are conditions for hardware failures, resource exhaustion, bugs, malicious attacks and environmental conditions that could reduce the functionality or totally eliminating a networks ability to perform as expected [7]. In this section, we have specified in a tabular format (Table 1.0) the vulnerabilities to the networks as studied by many proposed authors in the physical layer, media access control (MAC) layer, network layer, transport layer and application layer. For instance, the transport layer manages the end-to-end connections and can be attacked through flooding or desyncronization while the network layer’s attack is mostly due to the fact of neglect, greed, homing and monitoring. Collisions, unfairness and exhaustion attacks could be lunched against the data link layer of a wireless sensor network through the MAC layer while the application layer may experience re-programming attacks and Path-based denial of service attack that are overwhelming in nature. More solutions on how best to safe-guard the different networks have also been stipulated below. However, most of the defence mechanisms cannot actually be fully implemented due to constraints exhibited by the lightweight computational nodes and various other factors ranging from low power, low communication range, low memory capacity and deployment issues. All this areas are currently been look into by researchers in the field.
124
Table 1.Different Protocol layers: Attacks and Defences
Protocol Layer Attacks Defences
Physical Jamming Detect and sleep Route around
jammed regions[4],[8]
Node destruction Hide or camouflage nodes.
Tamper-proof packaging[9]
MAC Layer Denial of sleep Authentication and anti-replay protection.
Detect and sleep method
Broadcast attack protection[7], [10]
Interrogation Authentication and antireplay
protection[9] Network Spoofing, replaying or
altering clustering messages
Authentication and replay protection.
Secure cluster formation
[7], [9] Hello Floods Pairwise
authentication Geographical routing[11]
Homing Header encryption Dummy packets[9]
Sybil Radio resource testing, key
validation, position authentication[12]
Wormhole Location based routing protocols[13]
Transport Synchronise flood Synchronised cookies[4]
Desynchronised attack Packet
authentication[9] Application Overwhelming Sensors Sensor tuning
Data aggregation[4] Path-based DoS Authentication and
antireplay protection[14]
Re-programming attack
Authentication and anti replay protection.
Authentication streams[15],[16]
IV. WSN SECURITY MODEL The method stipulated in this work is a careful and
intelligent approach that tends to eliminate the weakness of some of the reviewed security protocols and at the same time suggest effective method to achieve the goal of confidentiality, integrity and availability of the wireless sensor network nodes.
A Pre-keying Analysis The Bloom’s scheme has been proposed as a pre-keying mechanism that will actually solve the lightweight security issue because it is a linear cryptography system [17] and uses a linear equation manipulation to generate the same property of the public key without actually having an experimental computation [18]. The scheme initiator pictured an application in which messages are transmitted in a network and protected by symmetric cipher with each pair having a unique key which enables them to encipher messages that are exchanged and thus tend to protect against information disclosure to other users and intruders. Therefore, key generation authority known as master keys are used to generate the session keys.
B Rekeying Security Analysis A well reprogrammed Judy array has been proposed. Judy is a high-performance, low memory usage data structure that implements an associative array [19]. Judy arrays, due to their sparse dynamic array implementation provide a declaration with a simple null pointer. The key benefits include scalability, high performance, and memory efficiency [19]. The array can be extended and can also scale up to large number of elements that are bounded only by machine memory. The size of the array is not pre-allocated but tends to grow dynamically with the population of the array, hence designed as an unbounded array. Judy tends to combine scalability with no difficulty of usage and can be used whenever a developer needs a dynamic size array or simply as interface that requires no rework for expansion or contraction [19]. Some of the reasons why Judy will do better than other arrays are as follow: in a nutshell
• Judy seldom compromises speed/space performance for simplicity (In exception at the API, Judy will never be called simple).
• Judy’s’ main design criteria is to avoid cache-line fills wherever possible.
• Judy due to its variation never needs balancing as it grows.
• There is no resulting in key compression with Judy key. In this analysis, the nounce generated by unpredictable bit string in the Bloms Analysis used in the pre-keying has been replaced by a Judy generated array, thereby creating a dynamic change to the network and its routine. This scheme is illustrated with mathematical analysis in equation 1, 2 and 3. Where A, C is the sensor nodes, ID is the sensor identifier, J is the Judy array and K denotes secret pairwise key shared between the nodes. The message identification code (MAC) computes the message received with K.
.
A → *: IDA\JA, MAC (K, IDA\JA) (1) C → *: IDC\JC, MAC (K, IDC\JC) (2)
KAC = MAC (K, JA/JC) (3)
125
C Routing Cluster-Formation Mechanism This is the phase in ensuring the routing is shorter in transmission as to reduce the energy consumption and also the risk of attack from an intruder. In LEACH [20], clusterhead using the stochastic method was proposed. The method involves separate sensor nodes determining a random number and checking whether the number is lower than the threshold, if the number is lower, it automatically becomes the new clusterhead. The clause in the scheme is that the energy distribution and consumption cannot be assured because of the different location of the clusterhead. This proposal uses a maximum fixed range to communicate with other CHs and BS. The security concern has been channelled only to the multi hop routing manoeuvre. The strength of this energy reduced security proposal is that it should minimize hop count and thus minimize energy consumption as applicable to security protocol. It also makes the routine dynamic, thereby giving hope of a security protocol in mobile wireless sensor network nodes.
V. PERFORMANCE EVALUATIONS
A. EXPERIMENT OBJECTIVES In this proposal, there is an intention to implement the
schemes that have been stipulated earlier in this report in the real environment and to prove that it is realistic. A Crossbow software kit has been analysed that supports every stage of wireless sensor network development. It is important to note here that based on the above goals; some measures will be looked into. This includes
• Defence against denial of service (DOS) attacks • Reliable end-to-end services assuming the sensor is
planted in hostile environment • Can we have a secure routing without distortions • Measures to prevent the misuse of the limited
resources. Especially against unschooled users • Measures to reduce the cost that is, computational,
memory and power consumption of security schemes. • Applying known security schemes: merits and
demerits. • Proposing a better security scheme- BROSK, SKEW
or Enhanced. Trade-offs. • Implementing the communication medium block in
C++ and network simulator 2 (NS2) so that it can be modified to be reused in any existing channel and connectivity models using Faster code generation framework, and also using the ZigBee physical and medium access control standards.
• Writing cryptographic algorithms on top of the ZigBee stack using the crossbow framework in order to modify the implemented security in the ZigBee stack.
B. TOOL SELECTION The choice of tools used to perform this experiment was
decided based on the experiment objectives and the generally
acceptable form used by researchers. Currently, research in wireless sensor network is lacking an effective simulation tool that comprises all network, MAC layer, transport and application layers of WSN. The tools exploited here with permission and license by the given bodies are Opnet Modeler and Crossbow professional development kit. Ns2 was also used for the routing implementation. Finally, VisualSense, a visual modeling tool for wireless sensor network was also used.
1 Opnet Modeler: OPNET Modeler allows development of sophisticated, adaptive, application-level models, as well as underlying communications protocols and links. Customized performance metrics can be computed and recorded, scripted and/or stochastic inputs can be used to drive the simulation model, and processes can dynamically monitor the state of objects in the system via formal interfaces provided by statistic wires [21]. The ZigBee model suite includes a discreet event simulation model that analyzes network performance in a ZigBee wireless personal area networks. Unfortunately the following features that is vital to this work has not been implemented in the ZigBee stack, they include security, multicast traffic indirect transmission that supports the sensor nodes, contention free operation mode. The tool was not too helpful and was discontinued. 2 Crossbow Professional Kit: Crossbow Professional kits contain a MoteView as client user interface. It enables end-users to optimize network layout and configuration, analyze sensor information interactively and then take corrective action [22]. The interface was used to remotely connect sensor nodes to the wireless network making it easier to modify the given parameters like the frequency of the sensor reading without any programming knowledge as displayed in Fig. 2c. Unfortunately the Tool is also limited because the security model uses TinyOS and is not fully supported for security improvement of the sensor nodes.
Fig. 2c MICA2 OEM edition configurations [22]
3. Network Simulator (NS): Ns2 is a discrete event simulator targeted at networking research. Ns provides substantial support for simulation of TCP, routing, and multicast protocols over wired and wireless (local and satellite)
126
networks. It was used to check the routine protocol and delay of the network. 4. VisualSense: This is a modelling and simulation framework for wireless and sensor networks that builds on and influence of Ptolemy II. The tool is designed to support a component-based construction of WSN models. It also supports actor-oriented definition of network nodes and wireless communication channel. The WSN nodes can be defined by sub-classing the base classes and defining the behaviour in Java. The modelling environment uses the director, the channel model and the sensor node model, and the graphical representation of sensor network models [23].
C. RESULT ANALYSIS 1. A preliminary experiment was first performed using Ns2
simulator on the methods for dynamic routing as a security proposal for WSN nodes. This method shows how routing strategy can be used to check denial of service (DOS) attacks. Three entities which include routing agent, route logic and classifier, controls the different routing mechanism of the network. In this initial experiment an Agent distant vector (DV) which is a function of routing agent without using route logic or classifier calls its function in network simulator (ns2) was used. This Agent routing table which is nextHopPeer for every other destination was created; at the end of the procedure nextHopPeer was updated by new nextHopPeer. In other to check for intruders, metric associated to each sink was set to be higher than infinity, therefore the network was unreachable or unpredictable.
2. The second experimentation that was performed using VisualSense simulator detailed the dynamic application of security detection in WSN nodes and the correlation between energy and responsiveness to attacks on the Network. The simulations involved the following entities: The Wireless Director, which is a discrete event (DE) director for the wireless model. It also includes two channel models (radio and sound which also represents intruders) and actors which are sensor nodes to send and receive signals via the channel. PowerLossChannel is a model of a wireless channel with a specified power propagation formula. The Transmitter and Receiver are regarded as composite actors in the wireless model. The composite actors define wireless input/output ports for communication. The transmitter triggers an event randomly every second, and the receiver detects and records the event only if it gets enough power. The power propagation is a function of the distance of the receiver from the transmitter as shown in Figure 4.0.The network is propagated with a time delay dependent on distance to the CH. When the nodes detect the intruders, they emit a radio signal via the radio channel model and turn their icons red to indicate virtually that they have done so {Fig. 3.0}. The radio signals include a time stamp for the detected intruder event. The base station (BS) receives these radio signals (if
CH is in range) and uses the time stamps to estimate the position of the intruder source. It then plots that position, resulting in the plot in Fig. 5.0.
Fig. 4.0 Energy correlation and responsiveness to attack detection
Fig. 5.0 Detected Intruder Position at range 100 meters
D. FUTURE WORKS AND CHALLENGES The challenges facing WSN are enormous as seen in this
experiment. Apart from the constraints stated earlier in this
127
paper ranging from low energy consumption to low memory capacity, the many confrontations of routing, software and hardware security compatibility, deployment challenges, tends to limit the total usefulness of wireless sensor network in a large scenario. In the near future, plans are already in motion to investigate the complete security techniques and appropriate implementation with tradeoff to energy consumption and other alternative security using Internet protocol security (IPSEC).
VI. CONCLUSION The research of an effective Wireless Sensor Networks node security idea is increasing. Without a clear perspective of the risk involved in WSN and options available to manage the risks by intruders, it is unfeasible to have a defensible network. Therefore, developing a security protocol can be quite challenging, and requires a wide range of skills manipulation as demonstrated in this research. The protocols and routings must be well-suited, flexible, energy reduced compliant, operationally appropriate and should be practicable in real sensor world. The successful implementation of security protocols demands serious attention compared to the neglects wireless sensor network nodes have had in the past in terms of deployment. It is therefore noted that irrespective of the resource constraints in WSN, it is still possible to have a WSN security scheme that maintain energy efficient data gathering and total security protection, considering the technicality of using confidentiality, integrity and availability technique to act in detecting the anomalies in the network and also to the future application of a WSN mobile nodes deployable in any environment. These schemes if properly managed and implemented can bring total significant change to the scope of WSN and increase its usefulness.
ACKNOWLEDGMENT Special thanks to Crossbow Technology Inc. for providing the professional kits as well as Opnet Technologies for granting us the Executing Program Membership which includes the electronic Master License Agreement, Software Usage Agreement, and Maintenance Agreement.
REFERENCES
[1] C. O. Iwendi, A. R. Allen, “Wireless sensor network nodes: Security and deployment in the Niger-Delta oil and gas sector,” International Journal of Network Security & Its Applications (IJNSA), vol. 3, no. 1, January 2011 pp 68–79
[2] J. Tavares, F. J. Velez, and J. M. Ferro, “Application of wireless sensor networks to the automobile,” Measurement science review, vol. 8, section 3, no 3, 2008 .
[3] E. Cayirci and C. Rong, “Security in wireless ad hoc and sensor networks,” 2009 John Wiley & Sons Ltd.
[4] D. R. Raymond and S. F. Midkiff, “Denial-of-Service in wireless sensor networks: Attacks and Defences,” IEEE Pervasive Computing Magazine, vol. 7, issue 1, Jan. – March 2008. pp. 74 – 81.
[5] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A survey on sensor networks” IEEE Communication Magazine, Aug. 2002.
[6] E. Egea-Lopez, J. Vales-Alonso, A. Martinez-Sala, P. Pavon-Mario, J. Garcia-Haro, “Simulation scalability issues in wireless sensor networks”, IEEE Communications Magazine. Volume 44, Issue 7, July 2006 pp. 64 – 73.
[7] S. Kaplantzis, “Security models for wireless sensor networks”. PhD Conversion Report March 2006 unpublished
[8] W.Xu, W. Trappe, Y. Zhang, and T. Wood, “The feasibility of launching and detecting jamming attacks in wireless networks,” Proc. 11th Annual Int’l Conf. Mobile Computing and Networking, ACM Press, 2005, pp. 46 – 57
[9] A. Wood, J. A. Stankovic, “Denial of service in sensor networks,” IEEE Computer, 35(10):54-62, October 2002.
[10] F. Stajano and R. Anderson, “The resurrecting duckling: Security issues for ad hoc wireless networks,” Proc. 7th Int’l Workshop Security Protocols, Springer, 1999, pp. 172 – 194.
[11] Y. Yu, R. Govindan, and D. Estrin, “Geographical and energy aware routing: A recursive data dissemination”, Protocol for wireless sensor networks, tech. report UCLA/CSD-tr-01-0023, Computer Science Dept., Univ. of California, Los Angeles, 2001.
[12] J. Newsome, E. Shi, D. Song, A. Perrig, “The sybil attack in sensor networks: Analysis & defenses, ”Third International Symposium on Information Processing in Sensor Networks, IPSN 26 – 27 April 2004 Page(s): 259 – 268
[13] C. Karlof and D. Wagner, “Secure routing in wireless sensor networks: Attacks and Countermeasures,” Proc. 1st IEEE Int’l Workshop Sensor Network Protocols and Applications, IEEE Press, 2003, pp. 113 – 127.
[14] J. Deng, R. Han, S. Mishra,” Defending against Path-Based DoS Attacks in Wireless Sensor Networks,” Proc. 3rd ACM Workshop Security of Ad Hoc and Sensor Networks, ACM Press, 2005, pp. 89 – 96.
[15] J. W. Hui and D. Culler, “The Dynamic Behaviour of a Data Dissemination Protocol for Network Programming at Scale,” Proc. 2nd ACM Conf. Embedded Networked Sensor Systems, ACM Press, 2004, pp. 81 – 94.
[16] P. K. Dutta, J. W. Hui, D. C. Chu, and D. E. Culler, ”Securing the Deluge Network programming System,” Proc. 5th Int’l Conf. Information Processing in Sensor Networks, ACM Press, 2006, pp. 326 – 333.
[17] R. Blom, “An optimal class of symmetric key generation systems.” Proceedings of EUROSRYPT’84 pp. 335-338 1984
[18] S. Wang, Y. Tsai, and J. Chan, “A countermeasure against Frequent Attacks Based on the Blom-scheme in Ad Hoc Sensor Networks,” 2nd International Symposium on Wireless Pervasive Computing ISWPC’07, 5-7 February 2007
[19] S. Barrett, “A Performance Comparison of Judy to Hash Tables,” August 2003 unpublished
[20] W. R. Heinzelman, A. Chandrakasan, and H. Balakrishnan, “Energy-efficient communication protocol for wireless microsensor networks,” Proceedings of the 33rd Annual Hawaii International Conference on Systems Sciences Jan 4-7, 2000 pp 10 vol 2
[21] OPNET Technologies, Inc., “OPNET Modeler”, http://www.opnet.com/products/modeler/home.html, 2011
[22] CrossBow Moteview Software. http://www.xbow.com [23] VisualSense: Visual editor and simulator for wireless sensor network
systems. http://ptolemy.eecs.berkeley.edu/visualsense
128
Identity-based Attacks Against Reputation-based
Systems in MANETs
Sohail Abbas§, Madjid Merabti, and David Llewellyn-Jones
School of Computing and Mathematical Sciences
Liverpool John Moores University
Byrom St. Liverpool, L3 3AF, UK
[email protected], [email protected], [email protected]
§ The Author would like to thank University of Malakand, Pakistan, for their
financial assistance.
Abstract___ In multihop networks such as mobile ad hoc networks
selfish or misbehaving nodes can disrupt the whole network and
severely degrade network performance. Reputation, credit and
trust based schemes have been developed to enforce cooperation
and discourage node misbehaviour. These models are vulnerable
to two types of attack. First, a node having poor reputation/trust
changes its identity to start afresh as many times as he wants,
called Whitewashing. Second, when a malicious node generates
and controls a large number of logical identities on a single
physical device, it is termed as a Sybil attack. These identity based
attacks significantly affect the performance of the above
mentioned schemes. In this paper, we will discuss these attacks
and their countermeasures in the context of the reputation-based
schemes. We will also discuss how our non-monetary, entry fee
based scheme that is incorporated in a reputation system can
deter these attacks.
Keywords: Mobile ad hoc networks, Sybil attacks, whitewashing,
reputation-based scheme, cooperation enforcement schemes.
I. INTRODUCTION
A mobile ad hoc network is a collection of nodes forming a
network without relying on any centralized architecture or
control. Nodes can join or leave the network at any time and
they can freely roam across the network. As MANETs do not
rely on any centralized architecture, such as access points, base
stations or remote servers, all the essential network
functionalities are performed by the nodes forming the
network. Each node acts as a host as well as a router, relaying
data to extend the range by establishing connectivity between
the source and destination nodes that do not fall in the direct
range of each other. Distributing network functionalities, such
as packet forwarding, to all the nodes amplifies robustness and
avoids a single point of attack or failure. The exemption of a
centralized architecture also augments the MANETs’ ability to
support a wide variety of applications on low cost hardware
with less time required to setup an infrastructure. Due to these
flexibilities, it is tempting to use MANETs in situations where
there does not exist a pre-deployed infrastructure or where it is
expensive to deploy an infrastructure such as in disaster relief
scenario, search and rescue operations, vehicular networks,
casual meetings, robot networks and so on.
Advances in wireless technologies and the proliferation of low
cost devices based on 802.11 standards have enabled MANETs
to be deployed in civilian applications (such as vehicular
networks, casual meetings, networks at public places and
campus networks) in a fully self-organizing manner, meaning
that the whole network will solely be run by the operation of
the end users. For this type of MANET users do not belong to a
single authority; they are usually strangers without having any
pre-established security associations. They have different
interests and objectives and they are therefore sharing their
resources for the sake of global connectivity. Since data
transmission is the most expensive function in a wireless
environment as compared to other functions such as data
processing, nodes are naturally reluctant to spend their precious
resources to forward other nodes’ packets and can therefore
exhibit selfish or sometimes malicious behaviour in open
MANET environments. This could potentially lead to network
partitioning and network performance degradation.
Cooperation enforcement schemes (for example reputation and
credit based schemes) have been proposed to counteract the
issue of selfishness. Due to the distributed nature of reputation
based systems, they are deemed to be a promising solution to
enforce cooperation in MANETs. However, there are still more
work needs to be done in this area because there are potential
issues that need to be considered in the research community.
The main purpose of these schemes is to ensure that selfish
nodes bear the consequences of their misbehaviour. However,
after being quarantined, these discredited nodes apply certain
strategies in order to escape the consequences or increase their
benefits thereby promoting lack of accountability in the
network. These nodes can exploit certain weaknesses of the
MANETs, such as free identities available to them, or
weakness of the reputation system, such as they detect identity
but not distinct nodes, or take advantages of natural constraints,
such as mobility in order to escape the consequences. Due to
these issues, cooperation enforcement schemes are required to
be secured for their best results. The following are the major
issues or strategies of selfish nodes that they can maliciously
apply for their benefits.
ISBN: 978-1-902560-25-0 © 2011 PGNet 129
In every detection system, such as reputation based system,
identities are required to be distinct as well as persistent.
However, the lack of infrastructure in MANETs does not suite
any centralized identity management or any centralized Trusted
Third Party. As a result, a selfish node can easily escape the
consequences of whatever misbehaviour it has performed by
simply changing identity to clear all its bad history, known as
whitewashing. Hence, this makes it difficult to hold malicious
nodes accountable for their actions. Finally, a malicious node
can concurrently create and control more than one virtual
identity to launch an attack, called a Sybil attack. In the context
of reputation based schemes, a Sybil attacker can disrupt the
detection accuracy by defaming other good nodes, self-
promoting itself or exchanging bogus positive
recommendations about one of its quarantined identities with
the purpose to escape it from the punishment. In this paper, we
will discuss these issues and their countermeasures which have
been proposed in the literature. Finally, we will discuss our
scheme that uses the non-monetary, fee per identity. We
compare our results with the benchmark scheme, called
CONFIDANT and the simulation results show that our scheme
efficiently deters these attackers in mobile ad hoc network
thereby reducing their benefits- throughput and utility.
The rest of the document is organized as follows. In Section II
we will go through background and related work proposed for
the reputation-based schemes. In Section III we discuss the two
major identity-based attacks, whitewashing and Sybil attacks,
along with their countermeasures in Section IV. In Section V
we proposed our scheme that acts as deterrent for the above
attacks. We evaluate and compare our scheme in Section VI.
The document is concluded in Section VII along with our
future work.
II. RELATED WORK AND BACKGROUND
Reputation based models consider the past history of
interactions and based on that history they enable nodes to
recognize cooperative (trusted) or uncooperative (untrusted)
nodes. Nodes build up subjective reputations from their
interaction experiences. These histories are provided to the new
interacting nodes in the form of second hand reputation
information. However, nodes can use both direct and indirect
experience to better evaluate the interacting nodes. Visible past
histories are of significant importance in building reputation in
the network. According to Friedman et al. [1], history is very
helpful in many aspects. First, a history may illustrate the
information about the ability of an entity. Second, history
deters moral hazards in the present: each entity will perform to
the best of its ability because present actions will become
history in the future. Finally, since histories reveal information
about a node’s abilities, nodes with higher abilities are
distinguished from the nodes having lower abilities.
Reputations based systems usually gather, maintain, and
disseminate action histories or reputation information in the
network. In a MANET environment, reputation information is
locally evolved through monitoring packet forwarding
activities using passive acknowledgments (e.g. promiscuous
listening). Schemes such as CONFIDENT, Core and others [2-
4] further share this information with neighbours to
collaboratively detect and isolate these selfish nodes. On the
other hand, some schemes such as LARS [5], and OCEAN [6]
rely only on local information to detect and isolate selfish
nodes without considering second hand reputation information.
Due to the ambiguous collision and the receiver collision
problems in passive acknowledgment based monitoring, two-
hop (explicit) acknowledgment was proposed by Kejun et al.
[7] to overcome these problems at the cost of increased
communication overhead. In order to reduce overhead, Zhao
and Delgado-Frias [8] proposed a scheme that combines the
multipath routing and single path data transmission with an
end-to-end feedback mechanism; however it only detects
misbehaving paths with no punishment strategy for individual
misbehaving nodes.
III. WHITEWASHING AND SYBIL ATTACKS
Like every detection system, reputation based systems required
identities to be persistent as well as distinct. The persistence
characteristic of identity implies that identities will be for long
term use, in other words the lifetime of an identity should be
long enough and hence it would be hard for a selfish node to
use it for short-term benefits, i.e. discard identity to escape the
punishment of poor reputation.
The sole purpose of reputation based schemes is to let selfish
nodes bear the consequences of their bad actions. However, the
open nature of MANETs enables a malicious or selfish node to
change its identity and starts over again with a fresh (new)
identity; in this way a selfish node whitewashes its previous
misbehaving history. This is called a whitewashing or identity
changing attack. Non-persistent identities make it difficult to
hold malicious or selfish nodes accountable for their actions.
In whitewashing attack, an attacker abuses the system for
short-term benefits by allowing its reputation to degrade and
then escape the consequences of abusing the system by
exploiting some system vulnerability to repair its reputation
[9]. In MANET environments (like other online systems), the
easiest way for the attackers to repair their reputation is to re-
enter the system with a new identity with a fresh neutral
reputation. The whitewasher further takes advantage of the
availability of free pseudonyms to whitewash as many times as
he likes. These zero cost identities make it harder to maintain
reciprocity in the network [10]. In other words, any node must
face the consequences of its actions. However, this
accountability is based on identity (implying a network entity),
which can be easily obtained, changed or discarded in mobile
ad hoc networks given that there is no centralized identity
management.
In order to make whitewashing attacks more effective and
productive, an attacker can combine it with other types of
attacks. For example, in a reputation based system that takes
positive and negative feedbacks in to consideration, a
whitewasher can concurrently perform self-promotion attack to
130
lengthen its identity lifetime. Similarly along with other
misbehaviour, a whitewasher can increase its identity lifetime
by slandering about those nodes that produce negative
feedbacks about it, in order to make their negative feedback
less reputable; and hence their feedbacks will be considered
less trustworthy in the network.
The distinctness of identity implies that there will be only one
identity tied to a single physical device or conversely a node
may not be able to create more than one identity on a single
physical device. For example, communications in wireless
networks are usually based on a unique identity that represents
a network entity: a node. Identities are used as an address to
communicate with a network entity. This forms a one-to-one
mapping between an identity and an entity and that is usually
assumed implicitly or explicitly by many mechanisms; hence
two identities implies two distinct nodes [11]. Unfortunately
malicious nodes can illegitimately claim multiple identities and
violate this one-to-one mapping of identity and entity
philosophy. Douceur [12] termed this as a Sybil attack, in
which an attacker manages to create and control more than one
identity on a single physical device.
In the context of reputation based schemes, a Sybil attacker can
disrupt the detection accuracy by defaming other good nodes,
self-promoting itself or exchanging false positive
recommendations about one of its quarantined identities.
IV. COUNTERMEASURES
The following are some of the existing proposed solutions
developed for attackers having more than one identity. These
solutions can be applied for both whitewashers and Sybil
attackers. It is because; the only difference in between them is
that of simultaneity. Due to this reason, some of the authors,
for example Tangpong et al. [13] considers them both as Sybil
attacks with two flavours, i.e. create identities one-by-one or
simultaneously; regardless their applications, which are
different.
Levine et al. [14] surveyed countermeasures against these
attackers and categorized these techniques as follows:
Trusted Certification: Many authors suggest trusted
certification as a solution for preventing Sybil attacks. Trusted
certification uses a centralized authority which is responsible
for establishing a Sybil free domain of identities. Each entity in
the network is bound to a single (identity) certificate. Douceur
[12] has shown that trusted certification is the only approach
which is fully capable of preventing Sybil attacks. However,
there are problems in this approach for instance costly initial
setup, limited scalability, and single point of failure or attack.
Resource Testing: In this approach, various tasks are
distributed to all network nodes or identities to test the
resources of each node to determine whether each independent
node has sufficient resources to accomplish these tasks. These
tests are carried out in order to check the computational ability,
storage ability, and network bandwidth of a node. In case of a
Sybil attack, attackers will not posses sufficient resources to
perform the additional tests imposed on each Sybil node. This
approach is not effective for two reasons. First, in many
applications very few Sybil identities are required to launch an
effective Sybil attack. Second, an attacker can acquire enough
hardware resources, such as storage, memory, and network
cards to accomplish these tasks.
Recurring Costs and Fees: In this approach identities are
regularly re-validated using resource tests. Each participating
identity is further periodically charged with a fee. For example,
Margolin et al. [15] proposed the use of a recurring fee per
participating identity to deter Sybil attackers and they suggest
that such a recurring fee is more of a deterrent than a one-time
fee. They also established that recurring fees can incur a cost to
the Sybil attacker that increases linearly with the total number
of participating identities, whereas a one-time fee incurs only a
constant cost. However, fee management is generally too
costly to implement and manage in MANETs.
Trusted Devices: It is a one-to-one mapping of a hardware
device and a network entity. In other words, one hardware
device, such as a network card, is bound to one network entity.
However, there is no way of preventing an entity from
obtaining multiple hardware devices, such as an attacker can
install two network cards.
Domain Specific: Some of the schemes, the author surveyed,
are countermeasures that are application-domain specific. For
example, Cheng et al. [16] classify reputation as symmetric or
asymmetric. In symmetric reputation systems an identity’s
reputation depends solely on the topology of the trust graph
and the author has proved formally that such reputation
systems are vulnerable to Sybil attacks. Whereas in asymmetric
reputation systems, a trusted node discovers the reputation of
all other nodes and the author shows the restricted conditions
under which Sybil’s can be prevented.
The above schemes were basically developed for P2P and web
based applications, which incur a fee or micropayment on a per
identity basis. However, these are not suitable for MANETs for
two main reasons: first, monetary payments are not suitable for
MANETs; one of a reason might be that MANETs are mostly
deployed in emergency or disaster scenarios where these
payment schemes are not practical. Second, in the case of a one
time entry fee or recurring (monetary) fee per identity, the
management of these payments is too costly to implement in
MANET environments. We summarized the following
schemes that are specifically developed for ad hoc networks.
Friedman et al. [10] proposed work on discouraging new
participants from malicious behaviour by assigning them the
lowest possible reputation value. They argue that this promotes
identity persistence in circumstances where there exists the
ability to change identities easily. Unfortunately, the use of this
mechanism will discourage the new legitimate users; however,
by changing an identity this low reputation can still be
manipulated if there are no restrictions, we will discuss this
issue in Section V.
131
Hubaux et al. [17] use mobility to enhance security in
MANETs. Off-line certification authorities were used for the
authorization by each mobile node in order to join the network.
For fully self-organized security where there is no centralized
authority, nodes establish security associations purely by their
mutual agreement. Users can activate a point-to-point Secure
Side Channel (SSC) using infrared or wired media between
their personal devices to authenticate each other and set up
shared keys when they are in closed proximity. The author
attempted to solve the problems of impersonation and Sybil
attacks by binding face and identity using the SSCs. These
SSCs are based on the assumption that nodes are connected
through wired or infrared connections; however, infrared and
wired connections are not practical in a MANET environment.
Because of the short range and line-of-sight nature of the
infrared links and the static nature of wired media.
Signal Strength based Detection: Signal strength based
position verification seems most promising among the three
because it is lightweight and even can be used without the use
of GPS. However, these schemes sometimes require additional
hardware, such as directional antennae, or extra overhead
incurred due to periodic localization of nodes, as shown by
[18].
In position verification, network nodes verify the position of
each node and further ensure that each physical location is
bounded by only one identity at any particular time. This
cannot only detect Sybil attacks, but also prevent other attacks
such as masquerading and man-in-the-middle attacks, as shown
by [19]. Most RSSI schemes are based on the radio model that
says: the power received approximately decays with the square
of distance, i.e.
�� � ��/�� . Where Pr is the received power at the receiver node, Pt is the
transmit power at the transmitter node, and d is the distance
between the transmitter and the receiver. If the transmitted
power is known, the receiver node can deduce the distance
between them and thereby use simple geometric triangulation
to locate the transmitter.
V. OUR APPROACH: NON-MONETARY FEE PER IDENTITY
The main reason which makes whitewashing beneficial for an
attacker is the neutral reputation that is an initial reputation
allocated to each newcomer, denoted by X in Figure 1. The
amount of this initial reputation, i.e. � or α, no matter big
or small it is, can always be manipulated by an identity changer
when there are no restrictions imposed on this region. In other
words, this neutral reputation gives the opportunity for
whitewashers to utilize network services without contributing
to the network; which will further encourage them to change
their identities after they have been detected by a misbehaviour
detection scheme, such as reputation-based scheme. Some
authors suggest assigning the smallest possible neutral
reputation for newcomers; however, the smallest neutral
reputation can still be manipulated because of the zero cost of
identities. Other researchers, in order to impose restrictions on
neutral reputation, suggest an entry fee per identity. A
monetary based, entry fee per identity have some problems
which make it unsuitable for open MANETs. First, it causes
complications in fee management. Second, it requires security
mechanisms to secure fee itself, such as tamper proof
hardware. Third, fee payments or fee structure itself is an extra
burden for users and system; for example, incorporating a
charged text message into the system is an extra activity for the
users and the system itself. Due to these problems we adopt the
entry fee concept in our scheme but we use fee as a form of
work imposed on every newcomer; for detail discussion, we
refer readers to [20]. Each new entrant will spend some of its
battery to pay an entry fee in the form of cooperation in the
network before expecting the network to provide services to
them. This is the social cost incurred by newcomers due to free
identities; however it still benefits the overall network
performance. It is easily manageable in MANETs; it does not
need any tamper-proof hardware; and it uses packet forwarding
as fee payments, hence no extra entity to be incorporated into
the system.
Figure 1: Reputation levels.
In our scheme, we set the smallest permissible reputation Z (as
it is in other schemes) to be greater than the node’s initial
reputation X by the amount β; we denote this modified smallest
permissible reputation by Y (instead of Z). In our scheme the
threshold Y, the amount of reputation β and the fee threshold
are referred to be the same thing. There will always be a loss to
change its identity after gaining Y:
� , � �� �loss�, � �.
Here there will always be an amount β of loss to reputation or
the fee that has been paid, after a node changes its identity. Fee
imposition makes whitewashing costly (in terms of battery
power) for an attacker, the same is the case with Sybil
attackers; hence an attacker can perform fewer whitewashes or
identities with its battery. Furthermore, the fee enforcement
will also improve the overall system performance (i.e. network
132
throughput and utility). It is due to the fact that fee payment
implies contributing to the network by forwarding other nodes’
packets.
VI. EVALUATION
We use Network Simulator (NS-2.30) to implement and
evaluate our scheme. In this simulation study our aim is to find
out how the fee enforcement per identity evil nodes in MANET
environments. Throughout our experimentation the percentage
of selfish nodes is 10%, and these selfish nodes can use up to
five identities in total. The value of reputation β, threshold Y,
or the fee threshold, as shown in Figure 1, is set to 50 units. All
results are the average of 20 simulation runs.
The following simulation parameters were used in the
experimentation. We use a random way point movement
model, 30 mobile nodes, 1km square area, 10m/s node speed,
CBR application with 64bytes packet size and uniform node
placement. We classify the attacker nodes into two categories;
however, the number of identities available to perform a
whitewash is fixed. One class of evil nodes will misbehave
(drop others’ packets) without paying the fee. In the results we
refer to this as Attack Model I or class-I attackers. The second
class of nodes are those evil nodes that commit misbehaviour
and they do pay the fee as well. In our results we refer to this
as Attack Model II or class-II attackers. We compare our
results with the popular reputation based scheme, called
CONFIDANT [3, 21].
We simulated our scheme using the following metrics.
Throughput. The ratio between the total number of data
packets successfully received and the total number of data
packets sent by source nodes at the application layer. Evil
throughput is the throughput available to malicious or evil
nodes.
Utility. The benefit, a node can get from the network. We refer
to evil utility as the utility gained by evil nodes. Utility can be
calculated as follows:
�� � �� � �received # �$ � �sent '( � �forwarded
Where ui is the utility of a node i, br is the benefit gained when
i receives a packet (as a destination node), bs is the benefit
acquired by i when its packet successfully reaches its
destination and cf is the cost incurred by i in terms of memory,
bandwidth and CPU usage for forwarding a packet for others.
Analysis: If there is no restriction imposed on identities in a
network where users can acquire an unlimited number of new
identities at zero cost, nodes performing whitewashing can get
pretty good benefits from the network. As shown in Figure 2,
the evil throughput of nodes in CONFIDANT is significantly
higher than in our scheme because there are no restrictions
imposed on newcomers and hence evil nodes can have multi-
fold benefits (depending on the identities being used) in terms
of throughput and utility. The greater the number of identities
used, the greater the exploitation of network resources; hence
increasing the benefits for whitewashers and Sybil attackers.
Fee enforcement reduces the overall evil throughput (by about
half) in the network. The throughput of the class-II attackers is
comparatively higher than that of the class-I attackers. This is
because the class-II attackers pay the fee: they forward packets
for other evil nodes.
The average utility of evil nodes is considerably higher in
CONFIDANT as compared to our scheme, as shown in Figure
3. Because in CONFIDANT evil nodes drop 100% of others’
packets (no forwarding); however, they can still continuously
enjoy the initial/observation phase where they have not yet
been detected. Class-II nodes pay their fee and hence their
utility is lower than that of the class-I nodes.
Figure 2: Overall Average Evil Throughput vs. Mobility
Figure 3: Average Utility per Evil Node vs. Mobility.
133
VII. CONCLUSION AND FUTURE WORK
In this paper we have discussed identity-based attacks, such as
whitewashing and Sybil attacks, in the context of reputation
based schemes that, if not addressed, can make them
impractical. We discussed their various countermeasures
proposed in the research community. Finally, we discussed our
proposed scheme that use a non-monetary, entry fee per
identity to discourage whitewashers and Sybil attackers
without using any costly method, for example, PKI or a
centralized trusted third party. The drawback of our approach
is that newcomers are not welcomed due to the free identities
available in the network. Simulation results showed that our
scheme performed well in plummeting evil throughput and evil
nodes’ utility as compared to the CONFIDANT scheme in the
presence of whitewashing nodes. In our future work, we will
propose methods to ensure nodes do not lie about the fee
values.
REFERENCES
[1] E. Friedman, P. Resnick, and R. Sami, "Ch: 27- Manipulation-Resistant
Reputation Systems," in Algorithmic Game Theory, N. Nisan, et al., Eds.,
ed New York: Cambridge University Press, 2007, pp. 677-697. [2] S. Marti, T. J. Giuli, K. Lai, and M. Baker, "Mitigating routing
misbehaviour in mobile ad hoc networks," presented at the Proceedings
of the 6th annual international conference on Mobile computing and networking, Boston, Massachusetts, United States, 2000.
[3] S. Buchegger and J.-Y. L. Boudec, "Performance analysis of the
CONFIDANT protocol," presented at the Proceedings of the 3rd ACM international symposium on Mobile ad hoc networking & computing,
Lausanne, Switzerland, 2002.
[4] P. Michiardi and R. Molva, "Core: a collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks," presented at the
Proceedings of the IFIP TC6/TC11 Sixth Joint Working Conference on
Communications and Multimedia Security, 2002. [5] J. Hu and M. Burmester, "LARS: a locally aware reputation system for
mobile ad hoc networks," presented at the Proceedings of the 44th annual
Southeast regional conference, Melbourne, Florida, 2006. [6] S. Bansal and M. Baker. Observation-based Cooperation Enforcement in
Ad Hoc Networks, Stanford University Technical Report, July 2003.
Available at:http://arxiv.org/pdf/cs.NI/0307012. [7] L. Kejun, D. Jing, K. V. Pramod, and B. Kashyap, "An
Acknowledgment-Based Approach for the Detection of Routing
Misbehavior in MANETs," IEEE Transactions on Mobile Computing, vol. 6, pp. 488-502, 2007.
[8] L. Zhao and J. G. Delgado-Frias, "MARS: Misbehavior Detection in Ad
Hoc Networks," presented at the IEEE Global Telecommunications Conference (GLOBECOM) 2007.
[9] K. Hoffman, D. Zage, and C. Nita-Rotaru, "A Survey of Attack and
Defense Techniques for Reputation Systems," ACM Computing Surveys, vol. 42, pp. 1-31, 2009.
[10] E. Friedman and P. Resnick, "The Social Cost of Cheap Pseudonyms,"
Journal of Economics & Management Strategy, vol. 10, pp. 173-199, 2001.
[11] L. Shaohe, W. F. Xiaodong, Z. Xin, and Z. Xingming, "Detecting the
Sybil Attack Cooperatively in Wireless Sensor Networks," presented at the International Conference on Computational Intelligence and Security,
CIS '08, 2008.
[12] J. R. Douceur, "The Sybil Attack," presented at the Revised Papers from the First International Workshop on Peer-to-Peer Systems, 2002.
[13] A. Tangpong, G. Kesidis, H. Hung-yuan, and A. Hurson, "Robust Sybil Detection for MANETs," in Proceedings of 18th Internatonal Conference
on Computer Communications and Networks ICCCN 2009, pp. 1-6.
[14] B. N. Levine, C. Shields, and N. B. Margolin, "A Survey of Solutions to the Sybil Attack," Technical Report 2006-052, University of
Massachusetts Amherst, Amherst, MAOctober 2006.
[15] N. B. Margolin and B. N. Levine, "Quantifying Resistance to the Sybil Attack," presented at the Financial Cryptography and Data Security,
2008.
[16] A. Cheng and E. Friedman, "Sybilproof reputation mechanisms," presented at the Proceedings of the 2005 ACM SIGCOMM workshop on
Economics of peer-to-peer systems, Philadelphia, Pennsylvania, USA,
2005. [17] S. Capkun, J. P. Hubaux, and L. Buttyan, "Mobility helps peer-to-peer
security," IEEE Transactions on Mobile Computing, vol. 5, pp. 43-51,
2006. [18] S. Abbas, M. Merabti, , and D. Llewellyn-Jones, "Signal Strength Based
Sybil Attack Detection in Wireless Ad Hoc Networks," in Second
International Conference on Developments in eSystems Engineering (DESE), 2009 2009, pp. 190-195.
[19] T. Suen and A. Yasinsac, "Ad hoc network security: peer identification
and authentication using signal properties," presented at the Proceedings of the Sixth Annual IEEE SMC Information Assurance Workshop (IAW
'05) New York, 2005.
[20] S. Abbas, M. Merabti, and D. Llewellyn-Jones, "Deterring Whitewashing Attacks in Reputation based Schemes for Mobile Ad hoc Networks," in
Wireless Days (WD), IFIP, 2010, pp. 1-6.
[21] S. Buchegger and J.-Y. L. Boudec, "A robust reputation system for P2P and mobile ad-hoc networks," in Proceedings of P2PEcon, Harvard
University, USA, 2004.
134
A Symmetric Key Generation and Pre-DistributionScheme for WSN Using MRD Codes
Eraj Khan1, Ernst M. Gabidulin2, Bahram Honary1 and Hassan Ahmed1
1School of Computing and CommunicationInfolab 21. Lancaster University, UK
Email: {e.khan, b.honary, h.ahmed}@lancaster.ac.uk
2Department of Radio EngineeringMoscow Institute of Physics and Technology,
141700 Dolgoprudny, RussiaEmail: [email protected]
Abstract—This paper addresses the problem of secure pathkey establishment in WSN using a key pre-distribution scheme.In this paper first we have proposed a symmetric key generationscheme using Maximum Rank Distance(MRD) codes and thenwe have proposed a path establishment algorithm. Our schemenot only substantially improves the memory usage requirementsbut also reduces the communication overhead to setup a commonlink key, it only requires 2 messages to setup a link key betweentwo nodes(One from each node). It is shown with example andsimulation results that our scheme provides high level of networkconnectivity and scalability.
I. INTRODUCTION
Secure communication is one of the important requirementsin some of the Wireless Sensor Network applications. Ascommunication among the sensor nodes and from nodes tobase stations uses wireless medium therefore it is very difficultto protect WSN from adversaries and interceptors. Anotherchallenge to secure communication in WSN is the insecurephysical environment of the nodes themselves. Adversariescan physically capture and alter the nodes. The use of au-thentication and encryption among the sensor nodes requiresa key distribution and establishment mechanism which mustsatisfy the need for low battery power and less processingcapabilities. In this paper, we have proposed a simple pairwisekey pre-distribution scheme based on the Maximum RankDistance (MRD) codes [1]. The motivation for using MRDcodes instead of MDS codes as used in [2] is that, In MRDcodes the (k×n) generator matrix G has n linearly independentcolumns whereas in MDS codes the (k× n) generator matrixG has k linearly independent columns where (k ≤ n) andthis affects the security of the system because using MDS,in order to compromise the whole network, an adversary hasto only compromise k nodes but if we use MRD codes thenan adversary has to capture n nodes to compromise wholenetwork. So the use of MRD codes instead of MDS codesraises the security parameter from k to n where k < n.Our scheme not only requires less memory consumption andlow processing power for key establishment but also provides100% node connectivity. The idea is to generate keys for every
node in the network by storing minimum secret informationon each node. Each node can generate a shared key for anynode in the network. As all keys in the system are generatedby a small amount of information, so dependencies among thekeys may exist. The paper is organized as follows: Section IIdiscusses related work. Introduction and background of Rankcodes is described in Section III. In Section IV we will proposeour key distribution scheme. Finally we will conclude ourpaper and propose our future work in Section V.
II. BACKGROUND AND RELATED WORK
Several researchers have proposed different techniques forkey pre-distribution. Our scheme is similar to the Blom scheme[2] which we will briefly explain separately in the next section.
A. Overview of Blom Scheme
In [2], Blom proposed a symmetric key generation systemthat allows any pair of nodes to derive a pairwise secret key.This scheme has a security threshold property which meansthat the communication among the uncompromised nodes issecured as long as less than k nodes are compromised but ifan adversary compromises k or more nodes then all pairwisekeys of the entire network are compromised. According tothis scheme we have a (k × N) matrix G of MDS codesover a finite field GF(q), where N is the size of the networkand q > N . This matrix G is the public matrix and it hask linearly independent columns. During the key generationphase, we randomly chose another (k × k) symmetric matrixD over GF(q) and compute an (N×k) matrix A such that A =(D.G)T . The matrix D must be kept secret. The key space canbe calculated as K = (A.G). Since D is a symmetric matrixit can be shown that K is symmetric as well. We can assigneach row of the matrix A to each node along with its rowid.Suppose we have two nodes Si and Sj that want to establish acommon key between them. First we assign ith row of matrixA to node Si and jth row to node Sj . These nodes will getpublic information, columni and columnj of matrix G. Thenode Si will generate key as Kij = rowi × columnj and
ISBN: 978-1-902560-25-0 © 2011 PGNet 135
node Sj will generate key as Kji = rowj × columni. SinceK is a symmetric matrix so it means Kij = Kji. This schemeprovides optimal resilience but for this, the security parametermust be kept higher which could have a high memory overheadfor a large network.
B. Other Schemes
The first key pre-distribution scheme was proposed byEschenauer and Gligor in [3]. In this scheme a large poolof keys called the key pool is generated offline before thedeployment of sensor nodes and then each node is randomlyassigned a set of keys called a key ring from this pool. Twosensor nodes that have one or more common keys in theirkey ring can establish a secure link between them using oneof those shared keys. Those who do not share a commonkey need to execute a path key discovery procedure and willtransfer the secret key to the destination node via links whichare not compromised. The capture of one node along thatpath may lead to compromising of the link between two non-compromised nodes. To strengthen the link keys in [3], amodification called the ”q-composite scheme” was proposed[4]. In this scheme two nodes can only establish a link betweenthem if they share at least q common keys in their key rings.The secret link key will be the hash of these q shared keys.To ensure connectivity, the key ring size is also increased.In [5], a multi-map matrix based random key pre-distributionscheme is proposed. In this scheme the nodes are assignedkeys on the basis of their positions. In [7], a modified formof [2] is proposed. The idea is to use multiple D matrices togenerate ω key spaces and then out of these ω key spaces, τkey spaces are assigned to each node. Those nodes that sharecommon key spaces can establish a direct link between them.Another scheme based on the idea proposed by Blom in [2]is proposed in [6]. In this scheme, In order to break the directrelation between the matrix D and matrix A, certain randomnoise is added using constrained random perturbation. Thisscheme requires high computation overhead.
III. RANK CODES
A. Rank of a Vector
Let Fq be a finite field of q elements and let FNq be an
extension field of degree N. Let x = (x1, x2, . . . , xn) bea vector with coordinates in FN
q . The Rank norm of x isdenoted as Rk(x|Fq) and is defined as the maximal numberof xi, which is linearly independent over the base field Fq .Similarly, for a matrix M with entries in FN
q the columnrank is defined as the maximal number of columns, whichare linearly independent over the base field Fq , and is denotedRk(M |Fq).The column rank of the matrix depends on thefield. As rank over the base field is greater than or equal torank over the extension field. i.e. Rk(M |Fq) ≥ Rk(M |FN
q
B. Maximum Rank Distance Codes
In MRD codes for n ≤ N , for a linear (n,k,d) code a (k×n)generator matrix G is defined as.
Gk =
g1 g2 · · · gn
g[1]1 g
[1]2 · · · g
[1]n
g[2]1 g
[2]2 · · · g
[2]n
......
. . ....
g[k−1]1 g
[k−1]2 · · · g
[k−1]n
(1)
where g1, g2, . . . , gn are any set of elements from extensionfield FN
q which are linearly independent over the base fieldFq . The notation g[i] := gq
i mod n
means the ith Frobeniuspower of g.The detail of rank codes is described in [1].
IV. SYMMETRIC KEY GENERATION SCHEME BASED ONMRD CODES
We divide our scheme into three phases. The first twophases are offline and while the third phase which is KeyEstablishment will commence after the node deployment.
A. Key Generation
In this phase we will generate the key spaces for each nodein the network. This phases is composed of the following foursteps.
Step 1 Nodes Division. We evenly divide all sensor nodesinto n × t groups where t is the total number of groups andn is total number of sensors in each group.
Step 2 Generate a Symmetric matrix D. In this step, wewill generate a (k × k) symmetric matrix D.
Step 3 Generating G matrices. In this step we will generatet number of times G matrices but first we will generate a(k×n), generator matrix G1 for first group. In this matrix theelements of the first row are from extension field FN
q and mustbe linearly independent over the base field Fq as mentionedin (1). After generating G1 matrix, we need to generate Gi
matrices for remaining (t − 1) groups where i = 2, 3, . . . t.The criteria for generating Gi is that
Gi = βi . g (2)
where i = 2, 3, . . . t. and β is any randomly chosen elementfrom the extension field and g is the generating vector forthe matrix G1 which is the first row of the matrix G1. So itmeans we are generating all the Gi matrices from the samegenerating vector. We will keep the all the generating vectorsgi and multiplying coeffients βi secret where i = 1, 2, . . . , t .
Step 4 Generating Key Spaces. In this step, we will gener-ate Ai matrices for each of the group as
Ai = (D.Gi)T (3)
where i = 1, 2 · · · t. Each of the Ai matrix will be an n × kmatrix. We assign a unique row id to each of the row generatedin this matrix.
136
B. Key Assignment
This is an offline phase as well. In this phase we randomlyassign each row of the matrix Ai to each of the sensor nodein the ith group where i = 1, 2, . . . t. We also store some ofthe information about the G matrix on each sensor node. It isshown in (1) that we can generate any column of generatormatrix G if we have the first element of that column. So wewill store the seed of each column of Gi matrix on each nodein the ith group where i = 1, 2, . . . t. It will be the samecolumn as the row ID of the Ai, For example, if we have anode Si in the ith group and we have assigned a pth row fromAi matrix then we will assign it the first element of the pth
column of the Gi as well. In order to generate the link key,each sensor from ith group will have one row from the matrixAi and one element of the matrix Gi which means we needk+1 memory spaces at each sensor node to generate key forany node in the network.
C. Key Establishment
Once the nodes are deployed in the field the first thing theyneed to do is to establish the link keys with each of theirneighbours or wherever it is required. Two nodes can find alink key using these steps.
Step 1 Information Exchange. Each node will broadcast itsnode id and its seed for the column from G matrix. Asexchange of this information before the establishment of thekey does not reveal any part of the secret matrix D, it is safeto transmit this information as a plain text.
Step 2 Generating Column from Seed. Once a node has re-ceived the broadcast packet, it will generate column of the Gmatrix from the seed it received by raising it to kth element.Each element is just the square of the previous element.
Step 3 Calculating Link Key. After generating the column,a node will multiply this column with its own row from matrixA. The result will be the link key between sender and receiver.Similarly the other node do the same thing to calculate thecommon link key.
Suppose we have two nodes Si and Sj that want to establisha common key between them. Node Si has rowi, an ith rowof matrix Ai and columni, a seed of the ith column fromthe matrix Gi stored on it and node Sj has rowj , jth row ofmatrix Aj and columnj , a seed of the jth column from thematrix Gj stored on it. These nodes will first exchange theirnodeID and their seed for the column from G matrix witheach other. The Node Si will first raise the columnj to kthelement and then will calculate the link key Kij = rowi ×columnj . Similarly the node Sj will raise the columni to kthelement and then will calculate the link key Kji = rowj ×columni. As D is a symmetric matrix so the K matrix will besymmetric as well, therefore Kij = Kji. In this way any twonodes in the network, irrespective of their group can generatethe common link key between them by just exchanging onemessage containing their NodeID and seed for column fromG matrix.
Fig. 1. Sample Network
AN EXAMPLE
Consider a sensor network of 9 nodes as shown in figure1. Let n=N=6 and k=4. Consider the field GF (26) generatedby an irreducible polynomial x6+x+1. Let α be a primitiveelement of GF (26).
α6 + α+ 1 = 0 (4)
Key Generation Phase
Step 1 Nodes Division. In this step we will divide all sensornodes into 2 groups. Suppose Group I contains Nodes A, B,C, D and E and Group II contains Nodes F, G, H and I.
Step 2 Generate a Symmetric matrix D. In this step, wewill generate a k × k symmetric matrix D. Let say it is
D =
α11 α45 α16 α21
α45 α17 α54 α
α16 α54 α37 α52
α21 α α52 α39
(5)
Step 3 Generating G matrices. In this step we will generate2, k×n, G matrices. Suppose the generating vector for G1 isg1 = [α12α13α14α9α16α11]. So our G1 will be
G1 =
α12 α13 α14 α9 α16 α11
α24 α26 α28 α18 α32 α22
α48 α52 α56 α36 α α44
α33 α41 α49 α9 α2 α25
(6)
Now we randomly choose one element from the extension fieldto generate G2. Let suppose we choose α48 which means thatg2 = α48× g1 where g1 is generating vector for G1 and g2 isgenerating vector for G2. So G2 is
G2 =
α60 α61 α62 α57 α α59
α57 α59 α61 α51 α2 α55
α51 α55 α59 α39 α4 α47
α39 α47 α55 α15 α8 α31
(7)
Step 4 Generating Key Spaces. In this step, we will gener-ate two A matrices for each of the group by multiplying Dwith Gi where i = 1, 2. and then taking their transpose.
137
A1 =
α58 α61 α50 α2
α28 α12 α53 α24
α8 α43 α12 α3
α38 α25 α21 α
α52 α48 α37 α32
α55 α31 α56 α10
(8)
A2 =
α16 α8 α60 α43
α23 α α27 α11
α3 α55 α α22
α13 α39 α4 α39
α17 α35 α41 α12
α57 α54 α10 α23
(9)
Key Assignment
In this phase we randomly assign one row of the matrixA1 and the first element of a column from G1 to each of thesensor nodes in the Group I and one row of the matrix A2 andthe seed for a column from G2 to each of the sensor nodes inthe Group II. Suppose we store following information at thenodes
Node A → [α28 α12 α53 α24] and [α13]Node B → [α52 α48 α37 α32] and [α16]Node C → [α8 α43 α12 α3 ] and [α14]Node D → [α58 α61 α50 α2 ] and [α12]Node E → [α55 α31 α56 α10] and [α11]Node F → [α17 α35 α41 α12] and [α]Node G → [α3 α55 α α22] and [α62]Node H → [α16 α8 α60 α43] and [α60]Node I → [α57 α54 α10 α23] and [α59]
Key Establishment
Case 1: Both Nodes belong to same group: Suppose NodeA and Node B want to establish a common link key.
Step 1 Information Exchange. Both the nodes will exchangetheir seed for the column from matrix G. In this case Node Awill transmit α13 and Node B will transmit α16.
Step 2 Generating Column from Seed. After receiving α16,Node A will generate a column by raising the seed to kth
element. In this example it will be [α16 α32 α α2]. SimilarlyNode B will generate [α13 α26 α52 α41].
Step 3 Calculating Link Key. After generating the column,node A will multiply this column with its own row. So
KAB =[α28 α12 α53 α24
]×
α16
α32
α
α2
= α4 (10)
Similarly Node B will multiply its row with the column it
generated from the seed it received from Node A.
KBA =[α52 α48 α37 α32
]×
α13
α26
α52
α41
= α4 (11)
it is shown in (10) and (11) that both the nodes A and B havecalculated α4 as their common key for the link between them.
Case 2: Both Nodes belong to different groups: SupposeNode E and Node G want to establish a common link key.
Step 1 Information Exchange. Both the nodes will exchangetheir seed for a column from matrix G. In this case Node Ewill transmit α11 and Node G will transmit α62.
Step 2 Generating Column from Seed. After receiving α62,Node E will generate a column by raising the seed to kth
element. In this example it will be [α62α61α59α55]. SimilarlyNode G will generate [α11 α22 α44 α25].
Step 3 Calculating Link Key. After generating the column,node E will multiply this column with its own row. So
KEG =[α55 α31 α56 α10
]×
α62
α61
α59
α55
= α57 (12)
Similarly Node G will multiply its row with column itgenerated from the seed it received from Node E.
KGE =[α3 α55 α α22
]×
α11
α22
α44
α25
= α57 (13)
it is shown in (12) and (13) that both the nodes E and Ghave calculated α57 for the shared link between them.
Hence it is proved that whenever two nodes want to es-tablish a common link key between them, they only need toexchange one packet containing their seed for the column frommatrix G irrespective of their groups.
V. ANALYSIS AND DISCUSSION
A. Memory AnalysisOne of the major issues with most of the matrix based pair-
wise key establishment schemes is the size of the informationneeded to be stored at each node to generate the link keys.Compared to a full pair-wise scheme, our scheme is efficientin terms of memory consumption. We are storing one row froma n× k matrix A at each node and one element of G matrixto generate a full pair-wise keys across the whole network. Soour scheme needs (k + 1) × τ bits on each node to generatea full pairwise key among all the nodes in the network whereτ is number of bits required to store one element of matrixA. We have compared our result with [5], [6] and [7]. Wehave compared our scheme with these scheme because [5] isa matrix based key pre-distribution scheme, [6] and [7] are alsobased on the idea of [2]. The results shows that out schemerequires less memory as compared to other schemes.
138
B. Security Analysis
One of the major problem with Blom scheme [2] is thatcommunication among the uncompromised nodes is onlysecure when less than k nodes are compromised. When atleastk nodes are compromised then whole network is compro-mised because each node carries a row from (n × k) matrixA = (D.G)T and matrix G is public as well. When k nodes arecompromised then an adversary may construct a new (k× k),Aadv matrix and then multiply it with (k × n) public matrixG to get a (k × n) matrix Kadv . Since K is a symmetricmatrix an adversary can easily get (n × n) K matrix fromthe (k × n),Kadv matrix. However in our scheme we arestoring the seed for the column of G matrix on the nodeto get two advantages. First, storing this information on thenode will reduce the communication overhead during the keyestablishment phase and second, we do not want to giveprior information about our G matrix to an adversary. Nowif an adversary compromised k nodes and he/she is fortunateenough to compromise all nodes from same group then stillhe will have only k columns of matrix G and he/she will beable to get only a (k×k) matrix K, so communication amongthe rest of the n − k nodes in that particular group is stilluncompromised. To compromise a whole group an adversarywould need to compromise all n nodes. Even if an adversaryhas compromised one whole group and recovered the gener-ating factor for matrix G, the first step he/she needs to do isto re-order the elements of generating vector because we haverandomly assigned the rows from matrix A and seeds from thematrix G to each node and there are N ! different ways withwhich we can choose n linearly independent columns fromthe FN
q . Furthermore in order to find other G matrices he/sheneeds to find the t multiplying coefficients from extensionfield FN
q consisting of 2N − 1 elements which is difficultfor a large N. Suppose an adversary knows g1, g2, · · · , gn.Let another unknown generator be x · (g1, g2, . . . , gn). He/Shechooses randomly x̃. The probability that x̃ = x is .
Pr(x̃ = x) = 1/(qN − 1) (14)
C. Network Scalability
Sensor nodes are often deployed in hostile environmentsso they may either run out of battery power or be destroyedby the severe weather conditions.At that stage adding newnodes to the network is a normal response and this could leadto network topological changes. A good key pre-distributionscheme has to be scalable and adaptive to these changes. Themost critical aspect here is that we can not change the keygeneration data on the previously deployed nodes but at thesame time we want these nodes to work flawlessly with newnodes, Thus a key pre-distribution scheme must perform wellas the network grows larger or as the workload increases.All the previously deployed nodes must be able to generatekeys for the new nodes and vice versa. Our scheme is capableof generating keys for the new nodes without changing any
Fig. 2. Memory Used at Each Node
information on the previously deployed nodes. whenever newnodes are added to the network, they need to be loaded withthe information generated with new G matrix. This new Gmatrix should be generated using the same generating vectormultiplied with the a new element β from FN
q .
VI. CONCLUSION AND FUTURE WORK
We have proposed a symmetric key generation and pre-distribution scheme based on MRD codes. The key advantageof our scheme is the less memory overhead without com-promising on the network connectivity. Our scheme provideshigh network resilience and permits network scalability; newnodes can be added at any point of time with out changingany key generating information on the previously deployednodes. Our scheme only requires two messages (one fromeach side) to setup a pairwise key but we have not comparedthis advantage with other schemes yet but in future we willdo some comparative study of this advantage with otherscheme and also some of the other aspects like computationaloverhead, complexity and energy consumption during the keyestablishment phase. In this paper we have only compared ourscheme with schemes which are matrix based or based on theBlom idea but in future we will do more detail comparisonswith other schemes as well.
REFERENCES
[1] E. M. Gabidulin, ”The theory of codes with maximum rank distance”,Problems Inform. Transmission 21 (1), pp. 1-12, 1985.
[2] R. Blom, ”An optimal class of symmetric key generation system”,Advances in cryptology: In the Proceedings of EUROCRYPT 84 (T. Beth,N. Cot and I. Ingemarsson, Eds), Lecture Notes in Computer Science,Springer-Verlog 209, pp. 335-338, 1985.
[3] L. Eschenauer and V. Gligor, ”A key management scheme for distributedsensor networks,” In proceedings of 9th ACM conference on Computerand Communication Security (CCS), New York, USA, 2002, pp 41-47,2002.
[4] H. Chan, A. Perrig, and D. Song, ”Random key pre-distribution schemesfor sensor networks,”In IEEE Symposium on Research in Security andPrivac, 2003.
[5] T. Yuan, S. Zhang,Y. Zhong, ”A Matrix-based Random Key Pre-distribution Scheme for Wireless Sensor Networks”,In the proceedingsof 7th IEEE International Conference on Computer and InformationTechnology, 16-19 October,991-996(2007).
139
[6] C.M. Yu, C.S. Lu,S. Kuo, ”A Simple Non-Iterative Pairwise Key Estab-lishment Scheme in Sensor Networks”,IEEE trasaction on InformationForensics and Security, September 2010, vol-5, issue-3,556-569(2010).
[7] W. Du, J. Deng, Y.S. Han, P.K Varshney, ”A pairwise key pre-distributionscheme for wireless sensor networks”,ACM Transactions on Informationand System Security (TISSEC) TISSEC,Volume 8 Issue 2, May 2005, pp228-258
140
A Framework for Providing a Secure System of
Systems Composition
Michael Kennedy
School of Computing and Mathematical Sciences
Liverpool John Moores University
Liverpool, UK
David Llewellyn-Jones, Qi Shi, Madjid Merabti
School of Computing and Mathematical Sciences
Liverpool John Moores University
Liverpool, UK
{D.Llewellyn-Jones, Q.Shi, M.Merabti}@ljmu.ac.uk
Abstract — the area of System of Systems research is focused on
using multiple complex and disparate systems to provide goal
orientated solution that provides functionality greater than its
component parts. The paper highlights some of our research into
the area of System of Systems (SoS) and their security and
composition approaches. We further examine some of the recent
research into security metrics, looking at attack graphs and
attack surfaces. The paper also describes our proposed
framework that we intend to implement to provide a method of
analysing a SoS composition and provide information about the
security available within the composition.
Keywords-System of Systems, Security, Security Metrics Web
Services
I. INTRODUCTION
Computer security is a hard undertaking; this is regularly highlighted in online news websites. Rarely a week goes by without some high profile attack or vulnerability being reported, for example the recent news that Morgan Stanley was attacked by the same hackers who attacked Google in 2009 [1]. Considering the difficulties encountered while attempting to provide security for today’s systems, there are many questions about the security for those systems that will be available in the future. One of the approaches to those future systems within research fields is a focus on System of Systems (SoS). The SoS concepts are focused on improving efficiency by utilising multiple systems and combining them to present a complex system that offers emergent behaviours that no single system could offer in isolation. This provides the means to address complicated issues that arise through the increased complexity in the Information Technology (IT) environment.
Current research attempts to address the many issues surrounding these multifaceted developments with the current focus on the creation of frameworks, methods and classifications. There are many challenges within the domain of SoS research and its related areas; one of these is that of the security available within the SoS. Due to the composition of these complex structures, in that they’re created from working independent systems, they are subject to the usual security concerns and threats that affect all systems. However their increased complexity, dynamic nature, unique configuration and operation lead to additional security considerations those systems in isolation rarely have to consider. For example there is the consideration of multiple security domains, emergent
behaviours, decentralisation of structure and control as well as a lack of trust.
We intend to examine the means to provide a secure SoS by performing security assessments of the complete SoS and those individual systems that make up the SoS, then using this information to generate a view of the security available within the SoS. This can then be used by the owners of systems who are either part of the SoS or wish to join to discern whether the system will adhere to any security policies they wish to enforce.
The goal of this paper is to examine and discuss some of the security mechanisms and approaches that have been proposed for SoS and describe our intended approach to attempt to provide the means to deploy a secure SoS. The following section will introduce the reader to the concept of a SoS and discuss some of their properties and characteristics. Section III highlights some of the relevant research for SoS security and composition, and also examines some approaches to security metrics. Section IV provides a summary of the research undertaken; this is followed by a description of our proposed framework to provide information on the security available from a SoS within section V. The paper is concluded in section VI.
II. SYSTEM OF SYSTEMS
To understand the distinction between systems and those compositions of systems that exhibit the characteristics to be classified as a SoS, it is first necessary to provide a brief introduction.
There are numerous definitions available that can be applied to the term SoS depending on the domain that the definition has been used in [1, 2, and 3]. Geddes et al. [4] use the phrase “A system of systems is a collection of interacting systems embedded in a dynamic environment”, which we feel is a neat encapsulation of the idea of the SoS using existing systems in a changing environment.
Jamshidi [5] uses a number of examples to describe a SoS, offering the practical definition that “a SoS is a “super system” comprised of other elements which themselves are independent complex operational systems and interact among themselves to achieve a common goal”. There are many definitions that vary in semantics based on the context they’ve been formulated from. Currently there is no one agreed upon definition within
ISBN: 978-1-902560-25-0 © 2011 PGNet 141
the research fields exploring this domain. Due to this a number of researchers have attempted to use characteristics to distinguish between a traditional system and a SoS. Some leading ideas are those of Maier [6], who was one of the first to attempt this approach. The original criteria have been updated more recently by Boardman and Sauser [7] who propose similar properties based on a review of the literature containing attempts to characterise a SoS. The criteria are as follows
• Autonomy: The reason a system exists is to be free to pursue its purpose; this applies to both the whole SoS and constituent systems.
• Belonging: The component systems can choose to belong to the SoS based on their needs and enhance the value of the system’s purpose.
• Connectivity: There has to be the means provided for the systems to communicate with each other for the exchange of information.
• Diversity: The SoS should be diverse and exhibit a variety of functions as a system compared to the limited functionality of the constituent systems.
• Emergence: The formation of new behaviours due to development or evolutionary processes.
Further to these criteria there are a number of examples presented within the literature to assist with understanding these systems. One example which appears in Boardman and Sauser, and Khosravi et al. [7, 8] is that of the aviation industry and the collaboration of all the different systems that are available within an airport such as check in desks, baggage handling, air traffic control, airplanes, and customs. Jamshidi [4] also presents a number of examples of systems that could be classified as SoS. Some of the examples listed include critical infrastructure systems that provide essential services such as energy, communications and transport. The example of a wireless sensor network is also provided as well as that of healthcare systems and Web Services.
These examples demonstrate the diversity and complexity of SoS, and highlight the many differences that can be available between those systems classified as SoS.
One of the main challenges faced by the SoS approach is the ability to construct a working efficient system from existing systems. This challenge is further increased when security is considered within this area. For example there are numerous approaches to creating a secure system; some common approaches are post release methods that involve putting policies and systems in place to protect the assets in the system, such as password and authorised access policies, virus scanning software, Intrusion Detection Systems and firewalls [10]. There are also approaches to ensure security is built in from the creation of the system involving numerous stages of risk assessment, threat modelling, code reviews and multiple rounds of security testing that occur through the Software Development Life Cycle [11]. However in the area of SoS where they’re constructed from working systems these approaches may not be sufficient to provide the required security during complex interactions with other systems.
III. RELATED WORK
Due to the previously highlighted heterogeneity and variety in a SoS, the current research efforts are focused on identifying the differences between typical systems and SoS, while examining the different aspects that will affect their creation, management and maintenance. Within the body of research, the majority of the work is largely theoretical and rarely offers practical solutions or means of deploying a secure SoS. However, a number of papers do consider their security and ensure that this area is considered within their approaches, but this work also remains largely theoretical in nature.
One example is a security engineering process as defined by Bodeau [12] that can be used to provide security for all aspects of SoS. This approach is planned to be integrated into the process of SoS engineering, referred to as S² engineering. The goal of S² engineering is to ensure that the SoS can function as a single integrated system to support its mission. This approach is primarily focused on military applications. The security issues highlighted within the paper are those of: how to identify and mitigate risks associated with connectivity, how to integrate security into the target architecture, how to approach constraints associated with legacy systems, and ensuring that there isn’t an increased vulnerability to threats caused by transition to the target architecture. The process is underpinned by some basic principles that suggest focus should be placed on the end-to-end flow of information and control, the boundaries between security policy domains and the system interfaces.
A framework for the management of SoS is presented by Gorod et al. [13], based on the characteristics presented by Boardman and Sauser [7]. The framework is built on the International Organisation for Standardisation (ISO) Network Management model [14]. They highlight the numerous comparisons within research papers of a SoS with a network, and postulate that a SoS can benefit from being represented as a network. Agrawal [15] examines security in the SoS domain and offers a new approach to providing a security schema. Moreover the paper hypothesises that the traditional security approach of forward static security is insufficient for the dynamic uncertain environment that is associated with SoS. They suggest the use of macroscopic schemata, meaning security schemas are created for collections of systems rather than the individual systems. This can result in security that will allow the system to monitor the environment and feed the results back into the system to allow it to adapt and alter its security position. The schemata must account for local risks within the systems and the aggregated global risks to the SoS as a whole. These two papers’ offerings are largely theoretical and offer no practical application of their ideas.
When approaching the composition of a SoS there have been few papers looking specifically at SoS composition, however there are numerous papers that examine composition in Service Orientated Architectures (SOA) and the approaches taken to ensure a secure composition.
By looking at the SOA equivalent areas Simanta et al. [16] examine some of the key issues surrounding the engineering of a SoS such as architecture, modelling and design, assurance and governance. The modelling looks at quality attributes
142
models; this includes the individual system’s capabilities that are members of the SoS. However according to the author the technologies for analysing the models in real time are not mature and their recommendation is to identify critical operational threads and provide mechanisms to protect them. They briefly look at the dynamic nature of SoS suggesting that failover mechanisms used within SOA can be transferred to SoS. One interesting aspect within their work is that of assurance which covers testing and service monitoring. For testing they highlight how its decentralised nature means that testing in SOA requires a joint effort on the part of the various system owners and while there is no real solution to this within SOA yet, the issues that need addressing have been understood. The same issues exist within the SoS and the same approaches will be transferable, requiring that the SoS is engineered for resilience and self-protection rather than correctness. Furthermore they highlight the importance of service monitoring for SoS as the functional testing of the SoS will be incomplete and monitoring provides a means to address those issues unaddressed prior to deployment. Their work is largely theoretical with regards to SoS however it highlights some key issues within SoS engineering and provides a starting point for how some of the SoS concerns could be addressed.
Tolk, Turnitsa and Diallo [17] examine the composition of SoS within the US department of Homeland Security. They highlight the fact that there are multiple organisations, services and nations within the domain that all have their own methodologies, technologies and processes. Their view is that the processes are organised and aligned from a top down approach, and the supporting IT is migrated into a homeland security SoS from a bottom up approach. The paper highlights how the loose coupling approach of web services allows the auto configuration of data mediation layers, with consistent data engineering techniques applied. This is performed by considering the solutions and their models (top-down approach) firstly and then the application of data engineering to align the models (bottom-up approach). The paper describes the challenges that face collaborative systems due to the differing mindsets and capabilities of the parties involved. They present a model based approach that will lead to a set of data engineering processes to facilitate composition of these disparate systems. The paper recommends the modelling of the system from a top down approach to derive the conceptual model of the operational goals and reveal the important data concepts. This will then generate a goal for the bottom up approach, which is concerned with the describing of the information exchange that needs to be supported between the systems.
To analyse the systems that compose a SoS and the SoS itself, it will require methods to capture data about them that can be used in a meaningful way. One possible way is to look at the field of security metrics. Within the examined body of research there is limited consideration given to where the data that will be used to model the systems and control are gathered from. A few papers [18-20] recommend the use of domain and system experts to perform the analysis of the systems, but this approach is likely to be a slow process in a SoS that consists of many systems with numerous experts spending time performing the analysis. There is a lot of work on metrics
within computer security and this is one area we feel could be leveraged to assist with the analysis of the systems and speed up the experts access to information of the systems.
Schneidewind [21] examines metrics for cyber security threats to networks. While not specifically targeted at SoS the paper uses a critical infrastructure case study, in this case the US power grid. Schneidewind suggests that while it would be ideal to have a single metric it isn’t practical as cyber security is a multivariable problem. His proposed vulnerability metrics are then divided into categories in line with the Common Vulnerability Scoring System (CVSS). The suggestion is that a metric approach will lead to creation of forecasting equations with an objective to predict each vulnerability’s future impact. He also suggests that metrics are expensive to implement and difficult to learn and manage.
Hecker [22] examines the area of information security metrics; he highlights how the term is being misused and can be viewed as a buzzword because everything can be called a metric. Upon examining the research into information security metrics he notes how the research often avoids the “what” question and instead discusses the properties of the metrics and how they can be used. He also highlights how the research is generally case specific and the proposals relate closely to the systems they’re constructed within. The author also looks into possible metrics approaches calling those measurements that are made directly on subsystems and systems components low level metrics and highlights how these are easy to define. Furthermore there are also high level metrics which are more complicated to define, being constructs of several low level metrics and more abstract system level measurement. Low level metrics can become complicated when numerous subsystem report differing values for the same metric; high level metrics on the other hand suffer from being abstract and their derived nature means that, to provide a meaningful representation, a system expert is often required to interpret them. Hecker also looks at some alternatives for metrics generation such as attack graphs and attack surface methodologies.
An attack graph is a representation of actions that end in a state where an intruder has achieved their goal [23]. It can be depicted as a formalised representation of the attack paths representing the exploits used to reach the target position. Ghosh and Ghosh [24] have used this method to mathematically assess a network configuration for security. They use a probabilistic security metric and an attack resistance metric to construct attack graphs for different network configurations and compare them to ascertain where one configuration offers more security. The probabilistic security metric measures the likelihood that a system may be compromised based on known vulnerabilities and an attack resistance metric is used to quantify the resistance to attack that a network configuration offers from multi-stage attacks.
An attack surface measurement [25] is the term used to describe a way of representing the security of a system’s software. The approach involves identifying the set of ways a system can be accessed by an attacker leading to possible damage, which is then used to highlight that a smaller attack surface leads to a more secure system. This approach is useful
143
for comparing two versions of the same system to discern whether one version could be more insecure than the other. This metric is a relative rather than absolute measure of the security offered.
IV. SUMMARY
Research into security within the SoS domain, as highlighted earlier, is approached in a largely theoretical manner and in a number of cases considered within the greater scope of the management frameworks. While this is an advantageous approach to ensure that the security concerns are addressed from the beginning of the SoS, the approaches are mainly manual in nature. These theoretical approaches could also encounter issues with scalability and maintenance. If the number of systems collaborating increases, the processes explored above could become prohibitive in terms of time and financial costs. Moreover any changes in the environment or systems could invalidate or reduce the effectiveness of any procedures that have been incorporated into the frameworks. As highlighted by Tervo and Wiander [26], some of the big IT issues come from changes to systems or operating environments. This is due to the rigidity in these methods and a need for them to be performed before the system is in use.
One thing to note about metrics is that they generally only provide a relative value or meaning, i.e. their importance or weight is relative to the user’s requirement for the particular metric to be of a certain value. For example if encryption was a requirement within a system then a system registering a high encryption measurement would be more appealing than one with a lower measurement. However if this was pitched with a requirement that the system performs within a certain time frame the encryption metric may be of a lesser importance as the overheads of this would slow the system down. Also they can be misleading and give a false view of the entity measured if they’re interpreted incorrectly or give an unrealistic value for comparison against another similar system. Capturing metrics is an issue with regard to overheads such as time, frequency, load etc. and the framework for the assessment has to ensure it can be aware of these issues and not negatively impact the system being assessed. However those areas that require the combination of several tests must be able to produce results that correctly evaluate the distance between equal measurements arrived at by different values from the same tests. Similar to an I.Q test that has different competencies, two people can achieve the same score overall while having different values for the measured competencies, such as better logical and mathematical skills versus better comprehension and language skills. To put it another way, equal combinational scores from different sources does not imply these scores can be necessarily compared.
V. SECURE SERVICE COMPOSITION AND VALIDATION
FRAMEWORK
Our goal is when given a system that is part of a SoS or a complete SoS we aim to provide the ability to decompose and perform a number of computational assessments that will provide a view of some of the related security aspects of the SoS. This will allow the participating system owners to have a
view of how their system’s security requirements are adhered to within the composition and assist with making informed decisions on risk assessments within the SoS. This will involve the following stages.
• Provide methods to measure the security within a SoS.
• Build up a security model of the composed SoS.
• Evaluation of the security within the SoS.
Given a composition it will provide information on adherence to security requirements based on the systems involved in the composition and the relationships identified between them. This will be performed using a combination of a bottom up approach, where the systems are examined individually, and a top down approach where the entire available composition is examined and relationships considered.
The initial work undertaken has involved an examination of the current research surrounding security within SoS and security metrics involving the approaches taken to gather them, and how they’re used to inform about security of systems. Some methods that could be used to perform the analysis stages have also been briefly examined and these could be used within our planned framework to gather data about the systems. This will be transformed into relevant information to gain insight into the current security performance of the system.
We created an initial design for our framework that is shown in Fig. 1; the intention is that, given a SoS composition or an individual service, the framework will examine the system.
The system will be examined by independent modules performing various tasks to gather data on the system(s); this data will be transformed into information about the system(s). This information will then be used to obtain a view of the security of the individual services and an aggregated view of the security for the composition. This information will be presented to the user - envisaged to be a domain or system expert - who will be able to use it to compare against any security policies that must be adhered to.
For example given the situation of a SoS being constructed, suppose a new system will join the SoS, however this joining system requires that all communications are encrypted between itself and any service it communicates with. The system owner could submit the composition to the S²CVF interface module, which will decompose the SoS to identify the involved systems and utilise the S²CVF module’s controller to invoke the required System Investigation Modules to examine if encryption is used across all the systems. The results of these tests will be returned to the S²CVF manager which presents the information to the user and allows them to examine the composite results and individual results. This will allow the user to make an informed decision on whether their policy would be adhered to during the system’s operation and ultimately provide information to the system owner to assist with the decision whether their system can participate in the SoS.
144
A. Framework components
Service – This is the service that is part of the composition and will be the target for data gathering and investigation.
S² internal profile – This is an optional item of information and will be a representation of the system security that can be presented by the system. This will enable the system to speed up tests or omit them altogether in the case where they may cause issues, such as load on processing or network availability.
System Interface Module – This is an optional component that can be used to interact with the system to obtain a view of the security from an internal viewpoint, if the system makes this information available.
S²CVF Interface Module – This is the interface to the system where the SoS security requirements can be input. These will take the form of policies that the systems within the SoS require to be met, e.g. every communication will require encryption of at least 128 bits. Also required is either the complete composition map if it is available or the location of an individual service to be examined. This is external to the framework to allow it to be extensible in an attempt to ensure the framework remains lightweight and transferable across domains.
S²CVF Manager Module – This receives the inputs from the interface module, and performs the task of sorting the input ready for the analysis stages. The inputs will affect the tasks required, in the case of a single service this will require examining the service using the information from the security policy and informing the S²CVF Modules controller of the required System Investigation Modules from an available set. In the case of a composition it will involve decomposing the composition, discovering the relationships, and then inform the S²CVF modules controller of the required checks. Once the checks of the services are complete, the resulting information is returned to be processed.
S²CVF Modules Controller – This will maintain a list of the set of system investigation modules that are available and can be invoked; it will be responsible for informing the S²CVF manager module of these. It will also perform the tasks of invoking the system investigation modules and gathering the results from them and relaying it to S²CVF manager module.
System Investigation Modules – These are the data gathering modules that perform the examination of the system from an external view. The current plan is to create them externally from the system so the modules can be scaled and only those checks that are required based on the security requirements or as a result of discovered information are invoked. This will also allow the utilisation of externally developed modules or extensions for when new methods are available for data collection. These interact with the service directly interfacing with the system boundary as a consumer of the service would access it.
S²CVF Internal Properties Handler – This module will be responsible for attaching to any system provided interfaces that allow the gathering of information on the security available from within the system. This internal view can be verified with
the external view to ensure that it is correct and be used within the SM module. For example this may be a list of installed programs and their versions which could be checked for known vulnerabilities, or the services running on the system so the framework is aware of what ports will be open.
Data store – This is a record of previous services encountered and the results from previous investigations. This will enable the system to speed up future investigations on known services by querying the data store and only performing a subset of tests and verifying that the results are comparable to the last set of results. Over time this data store will grow to allow the system to build knowledge of the known systems and be used to provide recommendations on services that offer similar functionality but maybe more suited to the provided security requirements.
This framework is designed to be outside of the composition and will provide only information to a user/owner of a system wishing to join a composition or invoke a service. The initial plan is to only provide information about the systems within the composition and rely on system experts to make the decisions regarding the steps to take based on the information presented.
Figure 1. Secure Service Composition and Validation Framework
During our initial investigation we located a number of publicly accessible Web Services and performed some early rounds of data gathering. The data returned and that can be extracted from a WSDL file proved to be useful and provides
145
information that can be used for further tests and investigations. We performed some manual analysis on the information gathered and encountered a number of systems exhibiting issues with their configuration and deployment. There were a large number that exposed default values and had information available that exposed system paths. Of greater concern was that a number of these systems had default username and password combinations. This effectively grants anyone access to the system and control of the configuration including the deployment of code on that system.
VI. CONCLUSION
In conclusion from the research conducted and our initial investigations there are no schemes that we’re aware of that can provide information automatically on the security provisions of the systems in use, and present this to a potential user of the system. Moreover there are currently no implemented systems that can provide security information for multiple connected and collaborating systems. We aim to develop a framework that can perform these tasks and present a view of the overall security of a composition. This will be achieved through the use of data gathering techniques and novel approaches to the data interpretation and analysis of the SoS.
REFERENCES
[1] M. Riley, “Morgan Stanley Leak Shows Attack by China-Based Hackers Who Took On Google,” [Online]. Available at: http://www.bloomberg.com/news/2011-02-28/morgan-stanley-network-hacked-in-same-china-based-attacks-that-hit-google.html.
[2] V. Kotov, “Systems of systems as communicating structures,” Hewlett Packard Computer Systems Laboratory Paper, 1997.
[3] A.P. Sage and C.D. Cuppan, “On the systems engineering and management of systems of systems and federations of systems,” Information, Knowledge, Systems Management, vol. 2, 2001, p. 325–345.
[4] N.D. Geddes, D.M. Smith, and C.S. Lizza, “Fostering collaboration in systems of systems,” SMC 98 Conference Proceedings. 1998 IEEE International Conference on Systems, Man, and Cybernetics (Cat. No.98CH36218), 1998, pp. 950-954.
[5] M. Jamshidi, “System of Systems-Innovations for 21st Century,” IEEE Region 10 and the Third international Conference on Industrial and Information Systems, 2008. ICIIS 2008, 2008, p. 6–7.
[6] M.W. Maier, “Architecting principles for systems-of-systems,” Systems Engineering, vol. 1, 1998, pp. 267-284.
[7] J. Boardman and B. Sauser, “System of Systems - the meaning of of,” 2006 IEEE/SMC International Conference on System of Systems Engineering, 2006, pp. 118-123.
[8] A. Khosravi, S. Nahavandi, and D. Creighton, “Interpreting and modeling baggage handling system as a System of Systems,” 2009 IEEE International Conference on Industrial Technology, Feb. 2009, pp. 1-6.
[9] M. Hosking and F. Sahin, “An XML based system of systems agent-in-the-loop simulation framework using discrete event simulation,” 2009 IEEE International Conference on Systems, Man and Cybernetics, Oct. 2009, pp. 3293-3298.
[10] C.P. Pfleeger and S.L. Pfleeger, Security in Computing, 4th Edition, Prentice Hall, 2006.
[11] G. McGraw, Software Security: Building Security In, Addison Wesley, 2006.
[12] D. Bodeau, “System-of-systems security engineering,” Computer Security Applications Conference, 1994. Proceedings., 10th Annual, 1994, p. 228–235.
[13] A. Gorod, R. Gove, B. Sauser, and J. Boardman, “System of Systems Management: A Network Management Approach,” 2007 IEEE International Conference on System of Systems Engineering, Apr. 2007, pp. 1-5.
[14] “Network management model - Wikipedia, the free encyclopedia,” [Online]. Available at: http://en.wikipedia.org/wiki/Network_management_model.
[15] D. Agrawal, “A new schema for security in dynamic uncertain environments,” 2009 IEEE Sarnoff Symposium, Mar. 2009, pp. 1-5.
[16] S. Simanta, E. Morris, G.A. Lewis, and D.B. Smith, Engineering lessons for systems of systems learned from service-oriented systems, IEEE, 2010.
[17] A. Tolk, C. Turnitsa, and S. Diallo, Model-based alignment and orchestration of heterogeneous homeland security applications enabling composition of system of systems, IEEE, 2007.
[18] G. Despotou, R. Alexander, and T. Kelly, Addressing challenges of hazard analysis in systems of systems, IEEE, 2009.
[19] A. Banks, N. Bowman, and P. Caseley, “A framework of requirements for the design and management of dependable network enabled capability system of systems,” System of Systems, 2010.
[20] P. Grace, G. Blair, C. Flores Cortes, and N. Bencomo, “Engineering Complex Adaptations in Highly Heterogeneous Distributed Systems,” Proceedings of the Second International ICST Conference on Autonomic Computing and Communication Systems, 2008.
[21] N. Schneidewind, “Metrics for mitigating cybersecurity threats to networks,” IEEE Internet Computing, vol. 14, Jan. 2010, pp. 64-71.
[22] A. Hecker, “On System Security Metrics and the Definition Approaches,” 2008 Second International Conference on Emerging Security Information, Systems and Technologies, Aug. 2008, pp. 412-419.
[23] J. Magott and M. Woda, “Evaluation of SOA Security Metrics Using Attack Graphs,” 2008 Third International Conference on Dependability of Computer Systems DepCoS-RELCOMEX, Jun. 2008, pp. 277-284.
[24] N. Ghosh and S.K. Ghosh, “An Approach for Security Assessment of Network Configurations Using Attack Graph,” 2009 First International Conference on Networks & Communications, Dec. 2009, pp. 283-288.
[25] P.K. Manadhata and J.M. Wing, “An Attack Surface Metric,” IEEE Transactions on Software Engineering, 2010, pp. 1-1.
[26] H. Tervo and T. Wiander, “Sweet Dreams and Rude Awakening - Critical Infrastructure’s Focal IT-Related Incidents,” 2010 43rd Hawaii International Conference on System Sciences, 2010, pp. 1-8.
146