Determining sink location through Zeroing-In attackers in wireless sensor networks. Zhenhua Liu • Wenyuan Xu. Adviser: Frank, Yeong-Sung Lin. Presented by Chris Chang.
Agenda • Introduction • System model • Zeroing-In attack overview • Hop-count-based Zeroing-In attacks • Time-of-arrival based Zeroing-In attacks • Evaluate the effectiveness of Zeroing-In attacks • Cope with Zeroing-In attacks • Concluding remarks
Introduction • Wireless sensor networks (WSNs) have been deployed for a wide variety of applications: • Animal habitat monitoring • Critical infrastructure monitoring • Target tracking • Battlefield surveillance
Introduction • Typically, those wireless sensor networks consist of: • A large collection of low-power and resource-constrained sensor nodes that monitor the underlying physical phenomena. • A small set of base stations, a.k.a. sinks, that collect sensor measurements in a multi-hop fashion.
Introduction • The many-to-one communication pattern means that adversaries can easily leverage the sink location information to launch a series of attacks interrupting the network communication. • After obtaining the sink location information… • The adversary can destroy the sinks physically by human intervention, such as hammering them. • This pattern also makes sinks the ideal spots to sniff packets for off-line analysis or the initial points to launch attacks.
Introduction • In this paper, we focus on studying the sink location privacy issue. • Several attacks have been proposed to determine the locations of sinks: • trace-back attacks • traffic analysis attacks
Introduction • Most of them assume resource-intensive adversaries: • Some require the adversary to be equipped with special radio devices that can measure the angle of arrival • Some require the adversary to have a global view by deploying its own sensors throughout the network
Introduction • In this paper, we focus on studying the sink location privacy problem in the presence of budget adversaries. • We assume that budget adversaries do not have specialized radio devices, nor are they able to monitor the entire network simultaneously.
Introduction • Several network metrics are two-dimensional (2D) functions of locations in the network, and their values reach either a maximum or a minimum at the sink.
Introduction • From the attackers’ point of view: • A few resource-constrained attackers can launch Zeroing-In attacks, whereby each of them samples her local network metric and collectively they can derive the locations of the sinks by combining their measurements.
Introduction • From the defenders’ point of view: • The network should use a routing protocol that breaks the correlation between the network metric's extreme value and the sink location. • Due to highly constrained resources (wireless network), we design a lightweight routing protocol to cope with Zeroing-In attacks.
System model • Network model • Adversary model
System model (Network model) • Many-to-one data dissemination: • The sensor network uses the popular many-to-one data dissemination methods, whereby the sink is connected to a large portion of the sensor nodes. • Without loss of generality, we assume that there is only one sink in the network (our work can also be applied to networks with multiple sinks: local extrema).
System model (Network model) • Tree-based routing schemes: • We focus on tree-based routing schemes, a popular family of routing protocols whereby the network establishes and maintains a forwarding tree rooted at the sink. • This forwarding tree is often built with the assistance of hop counts, i.e., the number of hops from the sink.
System model (Network model) • Broadcast enabled: • We assume that the sink will flood the network with controlling commands or query requests from time to time. • Homogeneous networks: • Finally, each node uses the same type of hardware platform and sends messages at the same transmission power level. As a result, they have a similar radio range.
System model (Adversary model) • Eavesdrop-enabled: • Adversaries have the same radio devices as network nodes for eavesdropping. • Although the adversaries are unable to decipher packet contents, they are able to record the time that they witness a packet. • Resource-limited: • Adversaries are not equipped with specialized radio devices, such as spectrum analyzers or super sensitive antenna arrays. • Adversaries cannot afford to deploy their own sensor network to monitor the entire network
System model (Adversary model) • Able to collude: • Multiple adversaries are available. • They collude with each other to infer the location of the sink by sharing their local views • Location-aware: • Each adversary is able to determine its own location. • Protocol-aware: • Adversaries know the networking and privacy-related protocols used in the sensor networks.
Zeroing-In attack overview • In this section, we give an overview of the proposed ‘‘Zeroing-In’’ attacks. • Several metrics in a sensor network are functions of locations. Typically, moving towards the sink either increases the values of those network metrics or decreases them monotonically.
Zeroing-In attack overview • For instance: • Hop count: the smallest number of intermediate nodes a packet has to traverse in order to reach the sink. The hop count associated with a network node decreases as the node becomes closer to the sink, and it becomes zero at the sink. • Traffic rate: the number of packet transmissions in a unit time in a region. It increases as the distance to the sink decreases and reaches its maximum at the sink.
Zeroing-In attack overview • Thus, from the attackers’ point of view, the problem of determining sink location becomes a problem of finding the extremum (maximum or minimum) of those functions. • Without loss of generality, in this paper, we focus on network metrics that reach their minimum at the sink.
Zeroing-In attack overview • To identify the position of the sink leveraging 2D models of the network metrics, ‘‘Zeroing-In’’ attacks consist of two steps: • Sampling step. • Zeroing-In step.
Zeroing-In attack overview • Sampling step: • m adversaries place themselves in an area S within which the network is deployed. • We denote the coordinates of the i-th adversary as z_i = (x_i, y_i), and the i-th observation as a tuple (x_i, y_i, h_i), where h_i is a network metric. • The network metric h_i is either the hop count or the arrival time of a packet at (x_i, y_i).
Zeroing-In attack overview • Zeroing-In step: • Goal: Identify the position of the sink. • Adversaries first determine the 2D network metric function h = f(x, y) by analyzing m observations: • Find the sink location z_s = (x_s, y_s) as the point where f(x, y) reaches the minimum:
Hop-count-based Zeroing-In attacks • Assumption: • We consider adversaries that can acquire the hop count of any node in the network but are limited to acquiring the hop count at one location once. • We assume that adversaries can inject broadcast packets into the network to estimate the hop count between them.
Hop-count-based Zeroing-In attacks • To illustrate the attacks, we start by providing a brief description on the tree-based routing protocol that is implemented in TinyOS 1.x, an operating system for sensor networks.
Hop-count-based Zeroing-In attacks • Tree-based routing protocol: • Eventually a shortest-path-based routing tree is formed with the sink node serving as the root of the tree. • To build the routing tree, each node selects as its routing parent the neighbor with the smallest hop count, and then it announces its own hop count, which is one greater than its parent’s. • To make the underlying routing tree adaptive to topology changes, nodes periodically broadcast routing announcements, which include the ID of the origin and the hop count in plaintext.
Hop-count-based Zeroing-In attacks • Model hop counts and hop sizes • Distribution of α • Determine the sink location • Adversary placement • Least squares without flooding
Hop-count-based Zeroing-In attacks • Model hop counts and hop sizes • In this section, we analyze hop counts as a function of locations, i.e., h = f(x, y). • A node’s hop count h depends on many factors, including its own location, the sink location, the positions of other nodes located towards the sink, the irregular radio range of each node, etc.
Hop-count-based Zeroing-In attacks • Model hop counts and hop sizes • Grid-based coverage model for WSNs. • In particular, the network deployment region S is divided into equal-sized small grids, and each grid contains at least one randomly positioned network node.
Hop-count-based Zeroing-In attacks • Thus, we can model hop counts as: • α is the hop size, a coefficient describing the relationship between hop counts and distances. • If α is a known constant, then we can find (x_s, y_s) by searching for the root of the following equations:
Hop-count-based Zeroing-In attacks • Most contours are roughly concentric, but some small contours exist between two neighboring ones.
Hop-count-based Zeroing-In attacks • As a result, it takes an extra hop for the node within that fading dip region to reach the sink, and its hop size to the sink is smaller than its neighbors’. Therefore, hop sizes exhibit irregularity, as well.
Hop-count-based Zeroing-In attacks • Model hop counts and hop sizes • Because α is a variable, its distribution determines the accuracy of estimating hop counts using Eq. 1 and affects the feasibility of the Zeroing-In attacks. • If α has a small variance and can be estimated, then the sink location can be considered as the point that minimizes the estimation errors using the estimate α̂:
Hop-count-based Zeroing-In attacks • Distribution of α • We denote the hop size between nodes i and j as, • h_ij is the hop count between them. • α_is = α_i (omit the subindex s when one of the nodes is the sink)
Hop-count-based Zeroing-In attacks • Distribution of α • Let L_ij be the line segment that connects node i and node j. • Let p_k be the projection of the k-th link onto L_ij. • For a random pair of nodes i and j: • θ_k is the angle between the line L_{k,k+1} and L_ij, θ_k • I_k is the ID of the k-th node on the shortest path from node i to node j
Hop-count-based Zeroing-In attacks • Distribution of α • We can predict the distribution of α as a normal distribution according to the Central Limit Theorem (CLT). • We carried out experiments using Castalia. We studied the hop size distribution in two node densities, e.g., 400 and 900 nodes in a 200 × 200 m square, respectively. • For each node density, we created 25 network topologies, and chose several random pairs in each topology to calculate the hop sizes.
Hop-count-based Zeroing-In attacks • In total, we calculated hop sizes between more than 10,000 pairs and displayed the experiment results: • Bell-like shape • Approximate normal distributions • The variance of the estimated hop sizes decreases when the hop count between the random node pair increases.
Hop-count-based Zeroing-In attacks • Determine the sink location • The hop-count-based Zeroing-In attack is launched in two steps: • Sampling step. • Zeroing-In step.
Hop-count-based Zeroing-In attacks • Determine the sink location • 1. Sampling step – • obtain , where h_i is the hop count and α̂ is the estimated hop size between the i-th adversary and the sink. • To estimate α̂, each adversary floods a message to all other adversaries and gets the hop counts between them. α̂ is calculated as the average hop size between the i-th adversary and all other adversaries:
Hop-count-based Zeroing-In attacks • Determine the sink location • 2. Zeroing-In step – After obtaining m observations • We determine the position (x_s, y_s) of the sink by searching for the point that minimizes the estimation error:
Hop-count-based Zeroing-In attacks • Determine the sink location • We use least squares (LS) to solve Eq. 4. • We start with m equations:
Hop-count-based Zeroing-In attacks • Determine the sink location • Assume that , subtract equation from both sides of the first m - 1 equations, we can write the derived set of linear equations in the form of Az = b with:
Hop-count-based Zeroing-In attacks • Determine the sink location • The least squares solution of for Eq. 5 can be calculated by • b̂ is the estimate.
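To gauge how much sink-location information plaintext hop counts leak in a given deployment, the least-squares step can be reproduced on constructed data. This is an added example, not code from the paper or the slides: the slide equations did not survive extraction, so it assumes the standard multilateration model (x_i - x_s)^2 + (y_i - y_s)^2 = (α̂ h_i)^2, and the function names, coordinates and hop counts are constructed.

```python
import math

def estimate_sink(observations, alpha_hat):
    """Least-squares sink estimate from (x, y, hop_count) samples.

    Assumed model (standard multilateration, not copied from the slides):
    (x_i - x_s)^2 + (y_i - y_s)^2 = (alpha_hat * h_i)^2. Subtracting the last
    equation from the others gives a linear system A z = b, z = (x_s, y_s).
    """
    if len(observations) < 3:
        raise ValueError("need at least three observations")
    xm, ym, hm = observations[-1]
    dm2 = (alpha_hat * hm) ** 2
    sxx = sxy = syy = sxb = syb = 0.0        # entries of A^T A and A^T b
    for x, y, h in observations[:-1]:
        ax, ay = 2 * (x - xm), 2 * (y - ym)  # one row of A
        b = x * x - xm * xm + y * y - ym * ym + dm2 - (alpha_hat * h) ** 2
        sxx += ax * ax
        sxy += ax * ay
        syy += ay * ay
        sxb += ax * b
        syb += ay * b
    det = sxx * syy - sxy * sxy
    if abs(det) < 1e-9:
        # Collinear sample points make A rank deficient: no unique solution.
        raise ValueError("sample points are collinear")
    # Solve the 2x2 normal equations (A^T A) z = A^T b by Cramer's rule.
    return ((syy * sxb - sxy * syb) / det, (sxx * syb - sxy * sxb) / det)

def localization_error(observations, alpha_hat, true_sink):
    """Distance in metres between the estimate and the known sink position."""
    xs, ys = estimate_sink(observations, alpha_hat)
    return math.hypot(xs - true_sink[0], ys - true_sink[1])

# Constructed sample data: sink at (100, 100), true hop size 10 m,
# observation points chosen so that distance / 10 is a whole hop count.
TRUE_SINK = (100.0, 100.0)
OBSERVATIONS = [(130, 140, 5), (40, 180, 10), (20, 40, 10),
                (160, 20, 10), (100, 10, 9)]

if __name__ == "__main__":
    for alpha_hat in (10.0, 11.0, 12.0):
        err = localization_error(OBSERVATIONS, alpha_hat, TRUE_SINK)
        print(f"alpha_hat={alpha_hat:4.1f} m  error={err:5.2f} m")
```

The error grows as α̂ drifts from the true hop size, which is why the variance of α matters for how much the hop counts reveal.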
Hop-count-based Zeroing-In attacks • Adversary placement • (1) Whether their sample locations have an impact on the estimation errors of the sink location • (2) What the best strategy is to position the attackers so that the estimation errors can be reduced. • We assume that the attackers are aware of the deployment region without knowing the sink location.
Hop-count-based Zeroing-In attacks • Adversary placement • Based on Eq. 6, the sink location estimation error is bounded by • Matrix A⁺ is the Moore-Penrose pseudo-inverse of A • e_b = - b. (b is the true distance vector, and b̂ is the estimated distance vector.) • Thus, two factors affect the sink location estimation errors: A⁺ and e_b. We now examine each factor.