Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks
Presented by Akshay Lal
Roadmap
• Official terminology.
• THE sensor network.
• What’s the problem?
• A practical solution.
• Detection of malicious beacon nodes.
• Special considerations.
• Revocation of malicious beacon nodes.
• Performance review.
• Conclusion.
Official Terminology
• Beacon node: Convey information about location.
• Non-beacon nodes: The rest of the network.
• Beacon signals: Signal sent out by beacon nodes.
• Detecting beacon node: Node performing detection on a received signal.
• Target beacon node: Node being detected.
• Detecting Id: Id used by a detecting beacon node to make a target beacon node believe that a non-beacon node wants to communicate.
THE Sensor Network
• Network constituting spatially distributed devices using sensors to monitor conditions (temperature, sounds, vibrations, etc.) at different locations.
• These sensors are: low-cost, low-power, multi-functional and communicate within a short range.
• Location of the sensor is the critical part of the network – located using geographical routing (GPSR), or some form of “location discovery”.
THE Sensor Network (contd.)
• Naïve methodology for location discovery:
  • Step I:
    • Receive beacon signal from beacon nodes.
    • Calculate multiple location references (distance, signal strength, time of arrival, etc.) from various beacon nodes.
  • Step II:
    • Determine one's own location using the locations of the beacon nodes, with minimum error.
• Very straightforward approach – but what if a malicious node sends an incorrect beacon signal?
And Now The Problem
• A malicious beacon node can provide incorrect location reference.
• Non-beacon nodes determine location incorrectly.
The Problem (contd.)
• Location verification techniques have been proposed which can verify relative distances between beacon nodes and non-beacon nodes.
• None can ensure correct location discovery in a hostile environment (with malicious beacon nodes).
• None can remove the impact of a compromised beacon node.
A Practical Solution
• Detect malicious beacon nodes
  • Locations of beacon nodes are known – (x, y).
  • Location derived from the beacon signal received (using any measurement scheme such as distance) – (x’, y’).
  • If (x, y) ≠ (x’, y’) – malicious node caught.
• Using this data, filter out replayed beacon signals
  • Worm hole attacks – tunnel signal packets from one part of the network to another, and replay the signal packet.
  • Locally replayed beacon signal – beacon signal received from a neighbor node is replayed by the malicious node.
• Revoke the malicious beacon nodes.
Detection of Malicious Beacon Nodes
• Assumptions:
  • Communicating nodes share a unique pair-wise key.
  • A beacon node cannot distinguish between communications with a non-beacon node or another beacon node.
  • Communication is always bi-directional.
  • Beacon signals are unicast to non-beacon nodes and all packets are authenticated using the pair-wise shared key.
Detection of Malicious Beacon Nodes (contd.)
• Beacon nodes use detecting IDs to perform detection on the signals they hear from other beacon nodes.
• Diagram: the Detecting Node sends a request message to the Target Node; the Target Node replies with a beacon signal containing its location – (x’, y’).
• Detecting node
  • - estimates distance between itself and target node.
  • - calculates distance between itself (x, y) and (x’, y’).
• If the difference between the two values > maximum distance error: the received signal is malicious, hence the target node is malicious.
Special Considerations – Thwarting Worm Hole Attack
• Assumptions:
  • Worm hole detector installed on every node in the network.
  • Able to state whether two communicating nodes are neighbors or not with certain accuracy.
• Methodology followed:
  • If a signal is detected to be malicious, a check is made for whether it is because of a worm hole attack.
  • Detecting node calculates distance between itself and the location received from the target.
  • If the calculated distance is larger than the radio communication range – the worm hole detector determines that a worm hole exists – the beacon signal is a replayed signal and is ignored.
• Drawback is that the worm hole detectors cannot ALWAYS guarantee that they can detect a worm hole.
Special Considerations – Thwarting Locally Replayed Beacon Signals
• Methodology followed:
  • The replay of a beacon signal always induces extra delay.
  • This can be detected by using the Round Trip Time between two nodes.
• Diagram: the Detecting Node sends a request to the Target Node and receives a reply; t1 and t4 are marked at the Detecting Node, t2 and t3 at the Target Node.
  • t1: time to finish sending first byte of request
  • t2: time to finish receiving first byte of request
  • t3: time to finish sending first byte of reply
  • t4: time to finish receiving first byte of reply
• Detecting node calculates RTT = (t4 - t1) – (t3 - t2)
Special Considerations – Thwarting Locally Replayed Beacon Signals (contd.)
• RTT is not affected by the MAC protocol or any processing delay; hence, the distribution of RTT is within a narrow range.
• Xmin = maximum value for X such that F(x) = 0
• Xmax = minimum value for X such that F(x) = 1
• Transmission time per clock pulse = 384 clock cycles
• Xmin = 1,951
• Xmax = 7,506
• Detection is possible for any replayed signal if the delay introduced is longer than the transmission time for 14.5 bits.
The Algorithm Thus Far
• Diagram: the Detecting Node sends a request message to the Target Node; the Target Node replies with a beacon signal containing its location – (x’, y’).
• If difference between distances > maximum distance error, then:
  • Signal is malicious – check for worm hole attack.
  • If Target node passes worm hole detector:
    • Check for locally replayed beacon signal.
    • Calculate RTT based on response time from Target.
    • If RTT ≤ Xmax, then: beacon signal is considered not locally replayed.
    • Else if RTT > Xmax, then: beacon signal is considered locally replayed.
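The decision sequence above, written out as an added example (not code from the slides or the paper). Only Xmax = 7,506 comes from the slides; the distance error bound, the radio range, the boolean worm hole verdict and all sample values are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

X_MAX = 7506            # RTT upper bound in clock cycles (value quoted on the slides)
MAX_DIST_ERROR = 10.0   # assumed maximum distance measurement error
RADIO_RANGE = 150.0     # assumed radio communication range

@dataclass
class Exchange:
    own_xy: tuple         # detecting node's own known location (x, y)
    claimed_xy: tuple     # location (x', y') declared in the beacon reply
    measured_dist: float  # distance estimated from the received signal
    times: tuple          # (t1, t2, t3, t4) first-byte timestamps, clock cycles
    wormhole: bool        # verdict of the worm hole detector (assumed input)

def classify(ex):
    """Return the detecting node's verdict for one request/reply exchange."""
    claimed_dist = math.dist(ex.own_xy, ex.claimed_xy)
    if abs(claimed_dist - ex.measured_dist) <= MAX_DIST_ERROR:
        return "consistent"
    # Inconsistent signal: rule out replays before blaming the target.
    if claimed_dist > RADIO_RANGE and ex.wormhole:
        return "worm hole replay, ignored"
    t1, t2, t3, t4 = ex.times
    rtt = (t4 - t1) - (t3 - t2)   # t2, t3 are reported by the target
    if rtt > X_MAX:
        return "local replay, ignored"
    return "alert"                # target beacon node reported as malicious

# Constructed sample exchanges, one per branch of the algorithm.
SAMPLES = {
    "honest": Exchange((0, 0), (30, 40), 52.0, (0, 1000, 1400, 5000), False),
    "lying": Exchange((0, 0), (90, 120), 50.0, (0, 1000, 1400, 5000), False),
    "tunnelled": Exchange((0, 0), (300, 400), 40.0, (0, 1000, 1400, 5000), True),
    "replayed": Exchange((0, 0), (60, 80), 30.0, (0, 1000, 1400, 9500), False),
}

if __name__ == "__main__":
    for name, ex in SAMPLES.items():
        print(f"{name:10s} -> {classify(ex)}")
```

Only the "alert" verdict is sent to the base station; both replay verdicts discard the signal without accusing the target.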
Revocation of Malicious Beacon Nodes
• Assumption:
  • The base station has a method to revoke malicious beacon nodes.
  • Each node shares a unique key with the beacon node.
• Methodology followed:
  • All alerts contain the IDs of both the detecting and target node.
  • The base station keeps a table with an entry for each beacon node.
  • Associated with each entry is an alert counter and a report counter.
    • Alert Counter – records suspiciousness of a beacon node.
    • Report Counter – records number of alerts reported by a node and accepted by the base station.
  • For every received alert the Report Counter for the detecting node is increased.
  • Beacon nodes with a high Alert Degree are considered malicious.
  • A threshold is set for the maximum allowable alerts against a node after which the beacon node is revoked.
Revocation of Malicious Beacon Nodes – A Subtle Issue to Consider
• Two thresholds exist:
  • Γ – maximum limit for alerts against a beacon node.
  • Ѓ – maximum limit for reports sent by a beacon node.
• Reason for two thresholds:
  • Malicious beacon node tries to revoke a non-malicious beacon node.
  • This will cause the value of Γ to increase up to threshold - Γ.
  • Beacon node will revoke the beacon node but will still accept alerts from that node until report count reaches threshold - Ѓ.
  • Also the number of reports sent by any beacon node cannot exceed Ѓ, hence a malicious node cannot revoke ALL the non-malicious beacon nodes before getting revoked itself.
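The two-counter table, as an added example (not code from the slides or the paper) showing why the report limit caps the damage one malicious beacon node can do. The threshold values, the node names and the exact comparisons (accept while the report counter is below its limit, revoke once the alert counter exceeds its limit) are assumptions.

```python
from collections import defaultdict

class BaseStation:
    """Alert/report table kept by the base station (hypothetical class)."""

    def __init__(self, alert_limit, report_limit):
        self.alert_limit = alert_limit    # limit for alerts against a node
        self.report_limit = report_limit  # limit for reports sent by a node
        self.alerts = defaultdict(int)    # alert counter per target
        self.reports = defaultdict(int)   # report counter per detecting node
        self.revoked = set()

    def receive_alert(self, detector, target):
        """Process one alert; return True if the base station accepts it."""
        if self.reports[detector] >= self.report_limit:
            return False                  # detector has used up its reports
        if target in self.revoked:
            return False                  # nothing left to decide
        self.reports[detector] += 1
        self.alerts[target] += 1
        if self.alerts[target] > self.alert_limit:
            self.revoked.add(target)
        return True

def flood(targets, alert_limit=2, report_limit=3):
    """Malicious node "M" sends false alerts against `targets` (constructed
    scenario), then three honest detectors each report M once."""
    bs = BaseStation(alert_limit, report_limit)
    accepted = sum(bs.receive_alert("M", t) for t in targets)
    for honest in ("B1", "B2", "B3"):
        # A revoked node's alerts still count until its report limit is hit.
        bs.receive_alert(honest, "M")
    return accepted, bs.revoked

if __name__ == "__main__":
    print(flood(["B1"] * 10))                          # all alerts on one victim
    print(flood(["B1", "B2", "B3", "B4", "B5"] * 2))   # alerts spread out
```

With these limits a single attacker gets at most three alerts accepted, enough to revoke one honest node if concentrated and none if spread, while three honest reports are enough to revoke the attacker.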
Performance Review – Notations for Node Detection
• Pd: Detection rate of the worm hole detector.
• Pr: Detection rate of a malicious node by a detecting node.
• Pn: Fraction of nodes that receive the malicious beacon signal.
• Pw: Fraction of the nodes that are convinced of a worm hole.
• Pl: Fraction of the nodes that are convinced the signal is locally replayed.
• P: The probability that a node receives a signal from a malicious node which is not removed by the replay detector.
• m: Number of Id’s for a detecting node.
Performance Review – Node Detection
• Detection Mechanism Analysis:
  • Computational and storage overhead is mainly due to key establishment protocols and cryptographic operations.
  • The probability of a beacon node reporting an alert for a non-malicious beacon node is $1 - P_d$ if a worm hole exists, and 0 if no worm hole exists.
  • Probability that a non-malicious detecting node will send an alert for a malicious beacon node, considering the detecting node has m detecting Ids, is: $1 - \left(1 - (1 - P_n)(1 - P_w)(1 - P_l)\right)^m$
  • Probability that a node receives a beacon from a malicious node which is not caught by the replay detector is: $P = (1 - P_n)(1 - P_w)(1 - P_l)$.
  • Relationship between Pr and P: $P_r = 1 - (1 - P)^m$
Conclusion I: Cannot increase P without simultaneously increasing Pr.
Performance Review – Notations for Node Revocation
• N: Total number of sensor nodes.
• Na: Total number of malicious beacon nodes.
• Nb: Total number of beacon nodes.
• Nc: Total number of nodes that send requests to a malicious beacon node.
• Nw: Number of pairs affected by a worm hole attack.
• N`: Average number of affected nodes.
• P`: Probability of accepting a signal from a revoked node.
• Pd: Detection rate.
• Pr: Probability of reporting an error.
• Pa: Probability of the base station having an alert against a malicious node.
• P1 P2: Probability that the report counter of a non-malicious node increases by 1 / 2 when reporting a malicious node.
Performance Review – Notations for Node Revocation
• Node Revocation Analysis:
  • A beacon node only reports about other nodes within its communication range, hence the storage and communication overhead is very limited.
  • The detection rate or probability that a malicious beacon node will be revoked is:
  • Where
(Figure parameters: m = 1, ґ = 4)
Conclusion II: Detection rate increases as a node continues to behave maliciously.
Conclusion III: As Γ increases, detection rate decreases.
Conclusion IV: And as m increases, detection rate increases.
Performance Review – Notations for Node Revocation (contd.)
• Effect of an increase in Nc on the detection rate.
• Relation between P` and N`.
Conclusion V: As the number of requesting nodes to a malicious node increases, detection rate increases due to the increase in number of alerts sent.
Conclusion VI: As Γ increases, N` and P` increase. As m increases, N` and P` decrease.
Performance Review – Notations for Node Revocation (contd.)
• Effect on N` when P is chosen so that P` is maximized
• The average number of non-malicious nodes revoked by the base station is at most:
• The reference used to define Γ and Ѓ:
• Conclusion VII: Initially N` increases fast but after a point it decreases due to the increase in the number of requests serviced.
• Conclusion VIII: N` decreases when threshold Γ decreases.
• Conclusion IX: The threshold for Ѓ and Γ can be obtained by the above analysis, which should satisfy the condition on low Nf or by choosing Ѓ and Γ that yield a minimum Nf, given Pd, Nw and Na.
Performance Review – Implementation on TinyOs
• Simulation results obtained from Nido (TinyOS simulator) conform to the theoretical values; some having a small difference but in general the results are close to what was expected.
• Receiver Operating Characteristic curves (ROC-curves)
Conclusion X: Most of the beacon nodes are detected with small false positives; however, as the network continues to get compromised, the performance degrades accordingly.
Γ and Ѓ were varied and P is configured such that N` is maximized.
And in Conclusion …
• Many protocols exist today that help in location discovery, such as AHLos, coarse-grained localization schemes etc. None work properly in hostile environments wherein malicious nodes jeopardize the location discovery.
• SERLOC (SEcure Range-independent LOCalization for wireless sensor networks) is a secure range free localization technique, but it cannot detect and remove malicious beacon nodes.
• In this paper localization is protected by detecting compromised beacon nodes. Methods adopted are very simple yet effective, and efficiency is guaranteed within the constraints of a sensor’s battery life and limited memory.
• Future work can be aimed at more efficient ways of reducing the false alert rate and methods to revoke malicious nodes without using the base station.