vulnerability analysis wireless sensor networks ... · sensor networks using sequential...
TRANSCRIPT
Vulnerability Analysis Wireless Sensor
Networks: Challenges and Solutions
Sajal K. Das
National Science Foundation, CISE/CNS
Center for Research in Wireless Mobility and Networking (CReWMaN)
E-mail: [email protected] http://crewman.uta.edu
S. K. Das
Acknowledgements: NSF, AFOSR
Wi l S N k (WSN )
OutlineOutline
Wireless Sensor Networks (WSNs)
Security Challenges: Need for Multi-level Approachy g pp
Modeling Node Compromises: Epidemic Theory
Secure Data Aggregation: Reputation and Trust Model
N d R li ti S ti l H th i T tiNode Replication: Sequential Hypothesis Testing
Revoking Compromised Nodes: Key Managementg p y g
Self-Correction: Digital Watermarking
S. K. DasConclusions
Wireless Sensor Network (WSN)Wireless Sensor Network (WSN)We live in a cyber-physical world that weWe live in a cyber physical world that we need to understand, serve, and control
Communication(Wireless)
Broadcast sensory data
ComputationSensory Data: A/D conversion, Broadcast sensory data,
Dissemination, RoutingCompression, Filtering, Aggregation, Analysis
Control(Sensing / Actuation)Sensing the physical world:
temperature, humidity, pressure, light, velocity, sound, image
S. K. Das
g t, e oc ty, sou d, age
WSN ApplicationsWSN ApplicationsMonitoring and Control- Habitat- Environment
Ecos stem- Ecosystem- Agricultural- Structural- Traffic- Manufacturing
H l h- Health
Security and Surveillance- Infrastructure Security- Border and Perimeter Control
Target Tracking
S. K. Das
- Target Tracking- Intrusion Detection
WSN ApplicationsWSN Applications
Sensor networks are deployed in unmonitored t i i hi h d it d l lterrain in high density and large scale
Post-deployment access and control is an issue
Micaz Tmote SunSPOT
Multi-modal functioning which require reprogramming/data dissemination
Change applicationsTroubleshootTroubleshoot
Security is critical in many applications
Wireless Sensing Devices embedded in our environment gathering data on physicalphenomena !
S. K. Das
p
Acknowledgment : http://www.eecs.harvard.edu/~mdw/proj/volcano/
Security Challenges in WSNsSecurity Challenges in WSNs
Limited resources Limited defense capability
– Energy (battery power), wireless bandwidth, computational power, storage, radio communication range (connectivity), sensing range (coverage)
– Public key too costly to authenticate packets with digital signatures and to disclose key with each packet
– Storing one-way chain of keys requires more memory d t ti f t dand computation for message en-route nodes
S. K. Das
Security Challenges in WSNsSecurity Challenges in WSNs
Uncertain, unattended / hostile environment– Uncertainty in sensing accuracy, wireless links,
mobility, topology control, deployment (density), . . .
– Faulty prone nature vs. compromises (insider attacks)Faulty prone nature vs. compromises (insider attacks)
Distributed control No global knowledge
In-network processing: data fusion to exploit spatio-temporal redundancy Loss of integrity, confidentiality
Multiple-attacking anglesSingle level defense mechanism highly vulnerable
S. K. Das
– Cryptographic technique is not the panacea
Node Compromises / Replications and Intrusions
Threats to WSNsThreats to WSNsNode Compromises / Replications and Intrusions– Physical capture– Sophisticated analysis: differential timing / energy analysis
Revealed Secrets– Cryptographic keys, codes, commands, etc.
Enemy’s Puppeteers– Trojans in the network with full trust
Discredit normal nodes
Compromised NodeReport false data
Infect other nodesForge command
Selective packet dump
S. K. Das
False routing infoForge command
Att k t lti l ibl l l t b d f d d
Need for MultiNeed for Multi--level Solutionlevel Solution
Attacks at multiple possible levels to be defended
– Model the propagation of node compromisesE t j i di M d liE.g., trojan virus spreading
– Detect compromised nodes & forged data
Modeling
DetectionE.g., abnormal reports
– Revoke revealed secrets Revocation
E.g., broadcast confidentiality
– Self-correct and purge false dataSelf-correction
E.g., average temperature calculation Purge
S. K. Das
MultiMulti--Level, Integrative FrameworkLevel, Integrative Framework
Highly AssuredNetwork Operation
Compromise ProcessModeling Contain Outbreak
Epidemic Theory Architectural Components
Theoretical Foundations
Topology Control
Revoke Revealed Secrets
Detect CompromiseInformation Theory
Cryptography
Trust / Belief ModelKey Management
Topology Control
Self-Correct Tampered Data
P
Digital Watermarking
Secure Aggregation
Secure Routing
Node Compromise Purge Tampered Data
Uncertainty CharacterizedResource Limited Environment
pDoS Defense
Intrusion Detection
Game Theory
S. K. Das
Resource Limited Environment
• W Zhang S K Das and Y Liu “A Trust Based Framework for Secure Data Aggregation in
Relevant PublicationsRelevant Publications• W. Zhang, S. K. Das, and Y. Liu, A Trust Based Framework for Secure Data Aggregation in
Wireless Sensor Networks,” IEEE SECON 2006.
• J.-W. Ho, M. Wright, and S. K. Das, “ZoneTrust: Fast Zone-Based Node Compromise Detection and Revocation in Sensor Networks Using Sequential Analysis," IEEE SRDS 2009.
• J.-W. Ho, M. Wright and S. K. Das, “Fast Detection of Replica Node Attacks in Mobile Sensor Networks Using Sequential Analysis,” IEEE INFOCOM 2009.
• P. De, Y. Liu, and S. K. Das, “An Epidemic Theoretic Framework for Vulnerability Analysis of Broadcast Protocols in Wireless Sensor Networks ” IEEE Transactions on MobileBroadcast Protocols in Wireless Sensor Networks, IEEE Transactions on Mobile Computing, Vol. 8, No. 3, pp. 413-425, Mar 2009.
• P. De, Y. Liu and S. K. Das, “Deployment Aware Modeling of Compromise Spread in Wireless Sensor Networks,” ACM Transactions on Sensor Networks, 2009.
• J.-W. Ho, M. Wright, D. Liu, and S. K. Das, “Distributed Detection of Replicas with Deployment Knowledge in Wireless Sensor Networks,” Ad Hoc Networks, Aug 2009.
• P. De, Y. Liu and S. K. Das, “Energy Efficient Reprogramming of a Swarm of Mobile Sensors,” IEEE Transactions on Mobile Computing, 2009.p g,
• W. Zhang, S. K. Das, Y. Liu, “Secure Aggregation in Wireless Sensor Networks: A Digital Watermarking Approach,” Pervasive and Mobile Computing, 2008.
S. K. Das
Modeling Compromises: Epidemic DefenseModeling Compromises: Epidemic Defense
Premise: Node compromises in WSN broadcast protocols– Capture node deployment, key distribution, topology
Research Objectives:
M d l d l di f d i– Model and analyze spreading process of node compromises
– Characterize network-wide propagation rate and outbreak transition point of compromise processtransition point of compromise process
– Study impact of infectivity duration of compromised nodes
– Capture time dynamics of the spread
– Identify critical parameters to prevent outbreaks
S. K. Das
System ModelSystem Model
Random Pair-wise Key Pre-distribution–A set of keys randomly chosen from a key pool
Physical Topology Virtual Key-Sharing Topology
S. K. Das
Sensor Network ModelModeled as undirected geometric random graphModeled as undirected geometric random graph
– N nodes uniformly randomly distributed
– Unit Disk Model with transmission radius
– is the probability of existence of an edge between nodes d t di t)( uvdα
d
cR
u and v at distance
Node density
uvd
N=σ cR– Node density
A = area of the terrain
A=σ c
u vA = area of the terrain
uvd
S. K. Das
Sensor Topology ModelSensor Topology ModelN
denotes the node density of the network
N = total number of nodes R = sensing radius
2RN
=ρ
N = total number of nodes, R = sensing radius
p = probability of existence of a physical link
Nrp ρ2
=
r = average communication range between nodes
Probabilit for l nodes ithin comm nication range
N
Probability for l nodes within communication range
( ) lNlNl −)1()(S. K. Das
( ) lNlNl pplp −−= )1()(
Sensor Topology ModelSensor Topology Modelq = prob of sharing pair wise key between neighboring nodesq = prob. of sharing pair-wise key between neighboring nodes
Probability of sharing at least one key with exactly kneighbors given l nodes within its range:
( ) klklk qqlkp −−= )1()(
Probability of having k neighbors sharing at least one key:
( )k qqp )()(
∑∞
=kl
lkplpkp )()()(=kl
( ) ( )∑∞
−− −−= klklk
lNlNl qqppkp )1()1()(
S. K. Das
( ) ( )∑=kl
kl qqppkp )1()1()(
Infection Spread Model
cR
Source Node
S. K. Das
Inoperative R(t) Infective I(t) Susceptible S(t)
Epidemic Theoretic FrameworkEpidemic Theoretic Framework
Model infection spread in a population of susceptibles
- Random graph based spatial modelDiff i l i b d l d l- Differential equation based temporal model
Design spread model using network characteristicsg p g
- Local interactions based on transmission range- Number of contacts determined by degree distribution of the
key sharing network
Estimate the rate of infection (β) based on cR(β)
- Rate of communication paradigm of the broadcast protocol- Infectivity potential (ρ) of the data
c
S. K. Das
Epidemic AnalysisEpidemic Analysis
When nodes do not recover, transmissibility (T) is expressed only in terms of the infection probability, \beta
N d i t d b i t i ibilitNode recovery is captured by expressing transmissibility as a function of average duration of infectivity, τ
tδ
Average cluster size as epidemic attains outbreak proportions
βτeT −= 1t
ttT δτ
δβδ )1(lim1
0−=−
→
Average cluster size as epidemic attains outbreak proportions
)1(1)1(1 '
1
'0
TGTGs−
+=
Average Epidemic size after outbreak results
)(1
)(1 0 uGS −=
S. K. Das)(
)(1
1
0
uGuuGS
=
Epidemic Size with infection probabilityEpidemic Size with infection probabilityq = prob. of sharing pair-wise key between neighboring nodes
1
q p g p y g g
p = probability of existence of physical link
0.8
0.9
1
ed
0.6
0.7
rk C
ompr
omis
ed
0.3
0.4
0.5
tion
of N
etw
ork
N = 1000
0.1
0.2
0.3
Frac
tio
q=0.01q=0.02q=0.04
N = 1000p = 0.25
S. K. Das0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8
0
0.1
Transmissibility (T)
q=0.04q=0.1
Epidemic Size with infectivity durationEpidemic Size with infectivity durationq = prob. of sharing pair-wise key between neighboring nodes
1
q p g p y g g
p = probability of existence of physical link
0.8
0.9
ised
0.5
0.6
0.7
ork
Com
prom
is
0.3
0.4
0.5
actio
n of
Net
wor
β = 0.01
N = 1000q = 0.04p = 0.25
0.1
0.2
0.3
Frac β = 0.02
β = 0.04β = 0.08β = 0.2
S. K. Das0 50 100 150 200 250 300 3500
Infectivity Duration τ
Deluge : Data Propagation RateDeluge : Data Propagation Rate
Analytical Simulation
S. K. Das
Model captures rate of data propagation over dissemination protocols
Simulation StudySimulation Study
Capture the time dynamics of the spread of compromise
Observe duration and nature of gradual recovery processObserve duration and nature of gradual recovery process
Observe effects of various network parameters
– Average node degree of key sharing network– Average infection rate– Average duration of infectivity
S. K. Das
Simulation ResultsSimulation ResultsUnder both scenarios – no node recovery and node recovery
1
1.2Dynamics of the Infected, Susceptible and Revoked nodes
1
1.2Dynamics of the Infected, Susceptible and Revoked nodes
10=τ30=τ
0.2
0.4
0.6
0.8
Frac
tion
of N
etw
ork
S(t)I(t)R(t)
z = 3β = 0.6
0.2
0.4
0.6
0.8
Frac
tion
of N
etw
ork
S(t)I(t)
z = 3β = 0.9
0 100 200 300 400 500 600 700−0.2
0
0.2
Time(t)
R(t)
0 100 200 300 400 500 600 700−0.2
0
0.2
Time(t)
I(t)R(t)
Dynamics of the Infected, Susceptible and Revoked nodes1.2
Dynamics of the Infected, Susceptible and Revoked nodes
0.8
1
1.2
wor
k
Dynamics of the Infected, Susceptible and Revoked nodes
S(t)I(t)R(t)
0.8
1
1.2
twor
k
0.2
0.4
0.6
Frac
tion
of N
etw
o R(t)
z = 5β = 0.35
0.2
0.4
0.6Fr
actio
n of
Net
w
S(t)I(t)R(t)
β = 0.5z = 5
S. K. Das0 100 200 300 400 500 600 700
−0.2
0
Time(t)
0 100 200 300 400 500 600 700−0.2
0
Time(t)
10=τ 10=τ
Developing Belief / Trust ModelDeveloping Belief / Trust ModelPremise: False data injection from compromised nodesPremise: False data injection from compromised nodes–Cryptographic techniques ineffective
Objectives: Trust model to identify and purge false dataObjectives: Trust model to identify and purge false data. Reduce uncertainty in data aggregation / fusion.
Solution:Solution:–Information theoretic (relative entropy) measure to quantify
reputation / opinion of data, leading to higher confidenceBelief, disbelief, uncertainty, relative atomicity
–Josang’s belief model to define and manage trust propagation through intermediate nodes along the routepropagation through intermediate nodes along the route
–Identify malicious nodes by learning and outlier classification– purge false data to achieve secure aggregation
S. K. Das
p g gg g
W. Zhang, S. K. Das and Y. Liu, “A Trust Based Framework for Secure Data Aggregation in Wireless Sensor Networks, IEEE SECON, Oct 2006.
Sensor Network ModelSensor Network Model
Base Station (Sink)
cluster headaggregatorsensor nods(cluster member)
S. K. Das
Josang’s Belief ModelJosang’s Belief ModelOpinion: ω = (b, d, u, a), b + d + u = 1Opinion: ω (b, d, u, a), b d u 1
b: beliefd: disbelief u: uncertainu: uncertain a: relative atomicityb, d, u, a ∈ [0,1]
Expected Opinion: O = E(ω) = b + au
Cluster head’s opinion about aggregator:HAωA
)5.0,02.0,03.0,95.0(1=H
Aω
96.002.0*5.095.01
=+=HAO
Aggregator’s opinion about its report X:AXω
)9.0,312.0,0,688.0(1 =AXω
S. K. Das
969.0312.0*9.0688.01 =+=AXO
Belief Propagation: Subjective LogicBelief Propagation: Subjective LogicBelief discounting (recommendation)Belief discounting (recommendation)Cluster head’s opinion about X as a result of aggregator’s opinion:
),,,( ::::: AHX
AHX
AHX
AHX
AX
HA
AHX audb=⊗= ωωω ),,,( XXXXXAX audb⊗ωωω
AX
HA
AHX
AX
HA
AHX
dddbbb
∗=
∗=:
:
AX
AHX
AX
HA
HA
HA
AHX
aaubudu
=
++=:
:
65406880*950:AHb
)9.0,312.0,0,688.0();5.0,02.0,03.0,95.0( 11
== AX
HA ωω
364.0312.0*95.002.003.0
0
654.0688.0*95.0
1
1
1
:
:
:
=++=
=
==
AHX
AHX
AHX
u
d
b
)9.0,364.0,0,654.0(
9.01
1
:
:
=
=AH
X
AHXa
ω
S. K. Das
Belief decreases, uncertainty increases
Belief ConsensusBelief ConsensusCluster head’s opinion about X via A1: ),,,( 1:1:1:1:1: AH
XAH
XAH
XAH
XAH
X audb=ωC us e ead s op o abou a 1
Cluster head’s opinion about X via A2:Cluster head’s consensus opinion about X:
),,,( XXXXX audbω
),,,( 2:2:2:2:2: AHX
AHX
AHX
AHX
AHX audb=ω
),,,( 2:,1:2:,1:2:,1:2:,1:2:1:2:,1: AHAHX
AHAHX
AHAHX
AHAHX
AHX
AHX
AHAHX audb=⊕= ωωω
)7.0,632.0,0,368.0();9.0,346.0,0,654.0( 21 :: == AHX
AHX ωω )7.0,632.0,0,368.0();9.0,346.0,0,654.0( XX ωω
0
712.021
21
:,:632.0*346.0632.0346.0346.0*368.0632.0*654.0:,: == −+
+
AHAH
AHAHX
d
b
850
288.0
0
21
21
21
63.0*35.0)*9.07.0(63.0*9.0346.0*7.0:,:
632.0*346.0632.0346.0632.0*346.0:,:
:,:
==
==
=
+−+
−+
AHAH
AHAHX
AHAHX
a
u
d
)85.0,288.0,0,712.0(
85.021 :,:
63.0*35.0*263.035.0
=
== −+
AHAHX
Xa
ω
S. K. Das
More evidences, belief in the result increases
Aggregator: Compute Sensor ReputationOutlier exclusion: Too far from median outlierOutlier exclusion: Too far from median outlierHigh density Normal distribution N(µ, σ)
Red: 68% of data within [ σ +σ]Red: 68% of data within [µ- σ, µ+σ]Green: 95% of data within [µ- 2σ, µ+2σ]Yellow: 99.7% of data within [µ- 3σ, µ+3σ]
Each sampling independent
Id l d f i l 680])[|P (
N(µ, σ)
– Ideal node frequency: in long run,– Actual node frequency: learn from observation
– Measure difference in ideal and actual frequencies: Kullback Leibler distance
68.0]),[|Pr( =+−∈ σσ xxxp ii
]),,[|Pr( σσ +−∈ xxxq ii
Reputation:
;)()(log)()||( ∑=
xqxpxpqpD p(x), q(x) prob. mass function for ideal/actual node freq.
D(.) also called relative entropy measure
r = 1
S. K. Das
pD
r+
=1The shorter the distance, more trustworthy, higher reputation
Sensor Node’s Reputation: Example
Two sensors s and sTwo sensors, s1 and s2
– Time t1: 63.0,65.0 12
11
== ts
ts ff
0029.068.065.0log*65.0
)68.01()65.01(log*)65.01()||( 11
1=+
−−
−=tideal
ts ffD
949.0002901
1)( 11 =
+=tsr
– Time t2:0029.01 +
30.0,68.0 22
21
== ts
ts ff
Time Sensor node
Actual freq.
Ideal freq. KL-distance
Reputation
t1 s1 0.65 0.68 0.0029 0.9490 63 0 68 0 0081 0 918s2 0.63 0.68 0.0081 0.918
t2 s1 0.68 0.68 0 1s2 0.30 0.68 0.436 0.602
S. K. DasReputation changes with time based on behavior
Aggregator: Reputation Classification
Classify reputation to identify malicious nodes– Traditional system: threshold based classification– Online unsupervised learning, K-mean algorithm– No prior K available, how to dynamically decide K?
K=1 K=2 K=3 K=4
Determining K
Time Sensor node ReputationEx:1 groupTime Sensor node Reputation
t1 s1 0.949s2 0.918
t s 1
1 group
2
S. K. Das
t2 s1 1s2 0.602
2 groups
Aggregator: Opinion Formulation
Degree of trust in aggregation resultTrustworthy
),,,( AX
AX
AX
AX
AX audb=ω
TrustworthyNodes whose data close to mean
UncertainN d h d t t l tNodes whose data not close to meanUncertain nodes’ reputation- how much contribution to expected opinion?
How much to trust?
Formulationbelief: percentage in ( )disbelief: 0 (after excluding outlier)
σ±x
uncertain: percentage out of above rangerelative atomicity: reputation of nodes fall out the range
S. K. Das
Trust FrameworkTrust Framework
Josang’s trust model:Represent belief in result
Cryptography not enough Reputation-basedtrust model
atio
n
Trust propagation
Statistical analysis:Robust estimation
classification analysis
Intrusion detection:Compromised nodes
Information theoryre
puta
O li i d l i
High redundancy
Online unsupervised learning:Identify compromised nodes
Purge false dataRelative entropy: reputationShannon’s entropy: Kulback-Leibler distance
Result: Robustness and Reliability under Attack
S. K. Das
Simulation Results: ReputationSimulation Results: Reputation
Case No.
Misbehaving time (%)
False data type
1 0 N/A
2 100 Obvious0.8
1
2 100 Obvious
3 100 Tricky
4 66 Obvious
5 66 Tricky
0.4
0.6
Rep
utat
ion
0.2
0.4Re
Case 1Case 2Case 3Case 4
00 5 10 15 20 25 30
Node ID
Case 4Case 5
No malicious nodes, all nodes’ reputation close to 1
Reputation of malicious nodes significantly lower than legitimate ones
S. K. Das
Reputation of malicious nodes proportional to amount of true data they send
Test case1
Simulation Result: OpinionSimulation Result: Opinion
Case No.
Misbehaving time (%)
False data type
1 0 N/A
Test case
0.97
0.98
0.99
n 2 100 Obvious
3 100 Tricky
4 66 Obvious
5 66 Tricky0.95
0.96
0.97
Opi
nion
Case 1 5 66 Tricky
0.93
0.94
0 5 10 15 20 25 30 35 40
Case 1Case 2Case 3Case 4Case 5
False data sneaking into aggregation (Cases 2, 4) may affect result “pollute” legitimate node’s reputation
0 5 10 15 20 25 30 35 40
Time
pollute legitimate node s reputation
Low opinion or polluted reputation result from low reputation nodes
Detection/blocking malicious nodes opinion / confidence increases
S. K. Das
g p
Opinion correctly represents the belief in the result
Cooperative Malicious Nodes (10%)Cooperative Malicious Nodes (10%)Scenario: Malicious nodes behave “good” at first 1/3Scenario: Malicious nodes behave good at first 1/3 experiment, then they all send same data each time
Evolution of Reputation Aggregation Result
30
32all
goodcluster
0.9
0.95
1
24
26
28
Dat
a
0.7
0.75
0.8
0.85
0.9
Rep
utat
ion
20
22
24
0.5
0.55
0.6
0.65
0.7Re
malicious nodesgood nodes
0 10 20 30 40 50 60
Time
0.50 5 10 15 20 25 30 35 40
Time
Malicious nodes can be identified as long as they misbehave.
S. K. Das
Aggregation result robust to cooperative malicious nodes of different fractions
- Integrated multi-level security framework in wireless
ConclusionsConclusionsIntegrated multi level security framework in wireless
sensor networks.
- Epidemic theory modeling to control spread of infectedEpidemic theory modeling to control spread of infected nodes and outbreak.
- Information theory based reputation to detect intrusion- Information theory-based reputation to detect intrusion of malicious nodes.
- Belief / trust model to ensure secure information- Belief / trust model to ensure secure information aggregation by effectively filtering false data.
Distributed key sharing and collaboration to revoke- Distributed key sharing and collaboration to revoke reveals secrets.
Digital watermarking technique to self correct
S. K. Das
- Digital watermarking technique to self-correct compromised data.
“A t h t l t h l h i
EpilogueEpilogue
“A teacher can never truly teach unless he is still learning himself. A lamp can never light another lamp unless it continues to burn its own flame. The teacher who has come to the end of his subject, who has no living traffic with his knowledge but merely repeats hiswith his knowledge but merely repeats his lesson to his students, can only load their minds he cannot quicken them”minds, he cannot quicken them”.
Rabindranath Tagore (1861Rabindranath Tagore (1861--1941)1941)
S. K. Das
Rabindranath Tagore (1861Rabindranath Tagore (1861 1941)1941)
(Indian Poet, Nobel Laureate,1913)(Indian Poet, Nobel Laureate,1913)
S. K. Das
http://crewman.uta.edu