Distributed Detection of Node Replication Attacks in Sensor Networks

1. Distributed Detection of Node Replication Attacks in Sensor Networks Bryan Parno, Adrian perrig, Virgil Gligor IEEE Symposium on Security and Privacy 2005 Xia Wang CS610, Fall 2005

2. Outline • Introduction • Preliminary protocols • Randomized multicast • Line-selected multicast • Simulations • Conclusions and Future work

3. Introduction • Sensor nodes are small, low-cost and usually hardware unprotected. • Unshielded sensor nodes are easily to be captured, replicated in hostile environments. • Node replication attacks: A legitimate node is captured and compromised by an adversary, then the adversary can replicate the node with the same ID and insert those nodes in the network. • Using replicated nodes the adversary could subvert the whole network.

4. Existing Approaches • Centralized monitoring: all nodes transfer a list of their neighbors’ claimed locations to a central base station that examines location conflicts. Single Point Failure • Localized voting systems: nodes can revoke their neighbors. Can not detect distributed node replication.

5. Some assumptions and Goals Assumptions: • The adversary cannot create new IDs for nodes or simply guess a new ID. • The percentage of nodes captured are limited. • Any cloned node has at least one legitimate node as a neighbor. (can be removed) • Each node knows its geographic position. Goal: • Provide schemes to detect node replication attack without centralized monitoring and revoke the replicated nodes. • Lower memory consumptions and communication costs

6. Preliminary approaches • Node-To-Network Broadcasting • Deterministic Multicast

7. Node-To-Network Broadcasting(1) • Each node uses an authenticated broadcast message to flood the network with its location information. • Each node stores the location information for its neighbors. • If conflicting claim is detected, the offending node is revoked.

8. Node-To-Network Broadcasting(2) • Simple and achieve 100% detection rate • Each node stores location information for its d neighbors. • Total communication cost is O(n2)

9. Deterministic Multicast • Each node broadcasts its location to its neighbors. • Neighbors forward location claim to a subset of the nodes “witnesses” F(α) = W1, W2, …, Wg • Once the witness detects a location conflict, it revokes αby flooding. • If each node selects (glng)/d random destination from the set of witnesses. • Average path length is O( ), then communication cost is • F is a deterministic function, an adversary can also determine all witness nodes.

10. Randomized Multicast(1) • Each nodeαbroadcasts its location to its neighbors β1 β2 ...βd with the format <IDα, lα, {H(IDα, lα)} > • Each neighbor verifies α’s signature and location lα • With probability p, each neighbor selects g random locations as witnesses. • Use geographic routing to forward α’s location. • Upon receiving a location claim, each witness verifies the signature, and check location conflicts. • If a node replication attack is detected, it floods through the network with the two conflicting locations. What’s the probability of a collision?

11. Security Analysis of Randomized Multicast (1) • Suppose malicious nodeαis replicated at location l1, l2, …, lL • At each location li, p.d nodes randomly select g witnesses. p – Probability a neighbor will replicate location information d - Average degree of each node g - Number of witnesses selected by each neighbor • The probability that two conflicting location reports collide at some witness node. • Birthday paradox predicts at least one collision with high probability. (In a room with 23 persons, there is a chance of more than 50% that two persons have the same birthday). • Perfectly, α‘s location will be saved at p.d.g locations.

12. Pnc1 is the probability that the p.d.g recipients of claim l1 do not receive any of the p.d.gcopies of claim l2 Pnc is the probability of no collision at all. N = 10,000, g =100, d=20, p = 0.05, Probability to detect single replication is greater than 63%, Probability to detect two replication is greater than 95% Not efficient, communication cost is O(n2)

13. Line-Selected Multicast • When a location claim travels from one node to another node, all the intermediate nodes store the location and virtually form a line across the network. • If a conflicting location claim ever crosses the line, then the node at the intersection will detect the conflict.

14. Analysis of Line-Selected Multicast • The probability that two line-segments intersect • Use the solution to Sylvester’s Four-Point Problem. • The probability that four randomly selected points in a convex domain will form a re-entrant quadrilateral is

15. Advanced Analysis of Line-Selected Multicast • With only 2 random segments per point, the probability is >56% • 5 segments per point, the probability is 95%

16. Simulations Communication Overhead

17. Simulation(2) The average probability of detecting a single node replication using Line-Selected Multicast in a variety of topologies.

19. Conclusions and Future Work • Conclusions • Proposed randomized multicast scheme and line-selected multicast scheme to detect distributed node replication attack • Line-selected multicast provides excellent resiliency while achieving near optimal communication overhead. • Both primary protocols illustrate the power of emergent properties in sensor networks. • Future work • Consider misbehavior malicious nodes • Critique • Once one location claim conflicting is detected, the revocation activity of the replicated nodes will be flooded through the whole network. As the node replication attack happens during certain time slot, the malicious node may get other nodes’ ID information before a detection starts. In that case, this malicious node can fabricate a location conflicting information and flood it into the network. The malicious node exhaust the energy of the network by flooding those conflicting information.