
Detection, Diagnosis, and Isolation of Control and Data Attacks in Sensor Networks

Detection, Diagnosis, and Isolation of Control and Data Attacks in Sensor Networks. Issa Khalil, Saurabh Bagchi, Cristina Nita-Rotaru, Ness B. Shroff. ppt. by Sanjiban Kundu, Tamal Biswas, Junfei Wang. Sensor Networks. Vulnerability of Sensor Networks.


Presentation Transcript


  1. Detection, Diagnosis, and Isolation of Control and Data Attacks in Sensor Networks Issa Khalil, Saurabh Bagchi, Cristina Nita-Rotaru, Ness B. Shroff ppt. by Sanjiban Kundu, Tamal Biswas, Junfei Wang

  2. Sensor Networks

  3. Vulnerability of Sensor Networks • Open nature of wireless communication • Lack of infrastructure • Fast deployment practices • Hostile deployment environment

  4. Attacks in Sensor Networks • Control Attack • Data Traffic Attack

  5. Wormhole Attack

  6. Sybil Attack

  7. Attacks in Sensor Networks • Control Attack • Data Traffic Attack

  8. Attacks targeting Data traffic • Black hole • Selective Forwarding • Artificial delaying of packets

  9. Black Hole Attack

  10. Selective Forwarding

  11. Artificial Delay Forwarding

  12. Opportunity for improvement • Few protocols discuss methods for removing malicious nodes • Few provide quantitative analysis of detection coverage • Authors extended their earlier work on local monitoring and detection mechanism to address these issues of control and data attacks in a unified framework

  13. DICAS - Description • Proposed to provide detection and isolation of control and data attacks • Provides two primitives: • Neighbor discovery • One-hop source authentication • Used as building blocks for two main modules • Local monitoring • Local response

  14. Attacker Model • Attacker can control an external node (no knowledge of cryptographic keys) or an internal node • Insider node may be created by compromising a node • Malicious node can perform all attacks by itself or by colluding with other nodes • Malicious node can establish out-of-band fast channels or have high-powered transmission capability

  15. System Assumptions • Communication links are bi-directional • Finite time required from a node’s deployment to be compromised and to perform neighbor discovery protocol • Network has sufficient redundancy, so any node has some good guards • Static topology • Key management protocol

  16. Neighbor discovery protocol • Used to build a data structure of the first-hop neighbors of each node and the neighbors of each neighbor • Used in local monitoring to detect malicious nodes and in local response to isolate these nodes • Each node also has a commitment key of each one of its direct neighbors • Process is performed only once in the lifetime of a node and is secure in static wireless networks considering the stated assumptions

  17. Commitment key generation and update • Protocol used to generate and update the commitment key used by the one-hop source authentication protocol • Values derived from a random seed • Subsequent values of commitment key disclosed to neighbors during subsequent transmissions

  18. One-hop source authentication • Allows a node to distinguish between its neighbors to prevent identity spoofing • Uses commitment key to authenticate transmitted packets to neighbors • May fail if attacker blocks transmission range of a certain source from the rest of the network • μTESLA authentication used to counter such attacks

  19. DICAS • Local Response Module • Local Monitoring Module

  20. Local monitoring: Detection & Diagnosis • Each packet forwarder must explicitly announce the immediate source of the packet it is forwarding • M must be a neighbor of both A and the previous hop from A, say X

  21. Local Response and Isolation • Detection and diagnosis is only the first step towards protecting the network. • The local response and isolation module is used to propagate the detection knowledge to the neighbors of the malicious node and to take appropriate response to isolate it from the network

  22. Steps in Local Response and Isolation • When MalC(X,A) crosses a threshold, C_t, X revokes A from its neighbor list and sends to each neighbor of A, say D, an authenticated alert message indicating A is a suspected malicious node. • The alert is authenticated using the shared key between X and D to prevent false accusations. • D verifies the alert's authenticity, that X is a guard to A, and that A is D’s neighbor. • D stores ID_X in an alert buffer associated with A. • When D receives enough alerts about A, it isolates A by marking A’s status as revoked in the neighbor list. • After isolation, D does not accept any packet from or forward any packet to a revoked node.

  23. LSR: Lightweight Secure Routing • LSR is an on-demand routing protocol, sharing many similarities with AODV • LSR is resilient to a large class of control attacks such as wormhole, Sybil, and rushing attacks, as well as authentication and ID spoofing attacks. • Combined with DICAS, LSR can deterministically detect and isolate nodes involved in launching these attacks.

  24. Feature of LSR • Node-disjoint routes • have completely disjoint routes where there are no nodes or links in common

  25. Attacks and Countermeasures • We will talk about 3 attacks and their countermeasures • ID Spoofing and Sybil Attacks • Wormhole Attack • Selective Forwarding

  26. ID Spoofing and Sybil Attacks • A node will not accept (forward) traffic from (to) a non-neighbor node. • The one-hop source authenticated broadcasting prevents a node from generating traffic using spoofed identity of a neighbor node • Reason: each node must authenticate its generated traffic to the neighbors. • Local monitoring detects a forwarding node when spoofing a neighbor’s identity.

  27. Wormhole Attack • Local monitoring detects the nodes involved in tunneling the route control packets • Local response disables the tunnel from being established in the future by isolating the malicious nodes

  28. Selective Forwarding • Information about the incoming data packet is stored in the watch buffer of the guard node. • If the incoming packet stays in the watch buffer unmatched beyond a threshold period of time, the guard node increments the MalC value for the node being monitored. • In the case of the selective forwarding attack, the packet that is dropped by the adversary node will remain unmatched in the guard node’s watch buffer. • The guard node monitors a fraction of the data traffic, with the packet to be monitored being chosen randomly. • The adversary node will thus be detected when the MalC value crosses the threshold.

  29. Performance Analysis • Probability of Wormhole detection

  30. Performance Analysis • Probability of False Alarm

  31. Performance Analysis • Isolation latency and Watch buffer size

  32. Conclusion • We have presented a distributed protocol, called DICAS, for detection, diagnosis, and isolation of nodes launching control attacks such as wormhole, Sybil, rushing, sinkhole, and replay attacks. • DICAS uses local monitoring to detect control and data traffic misbehavior, and local response to diagnose and isolate the suspect nodes. • We presented the probability of false alarm and missed detection
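
The guard-side watch buffer from slide 28 and the alert handling from slide 22, put together as an added Python example; it is not code from the slides or from the DICAS authors. Assumptions: the class and method names are hypothetical, alerts are authenticated with HMAC-SHA256, MalC grows by 1 per unmatched packet, the threshold counts as crossed when MalC reaches C_t, the guard watches every packet rather than a random fraction, and D counts alerts per distinct guard.

```python
import hashlib, hmac

def mac(key, *fields):  # HMAC-SHA256 is an assumed choice of authenticator
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).digest()

class Guard:
    """Guard X monitoring node A (hypothetical class, not DICAS code)."""
    def __init__(self, name, timeout, c_t):
        self.name, self.timeout, self.c_t = name, timeout, c_t
        self.watch = {}   # watch buffer: packet id -> deadline for A to forward
        self.malc = 0     # MalC(X, A)

    def saw_incoming(self, pkt_id, now):
        self.watch[pkt_id] = now + self.timeout

    def saw_forwarded(self, pkt_id):
        self.watch.pop(pkt_id, None)   # matched, so A forwarded the packet

    def tick(self, now):
        """Expire unmatched entries; True once MalC has reached C_t."""
        for pkt_id in [p for p, d in self.watch.items() if d < now]:
            del self.watch[pkt_id]
            self.malc += 1             # assumed increment of 1 per dropped packet
        return self.malc >= self.c_t

    def alert(self, suspect, key):     # key = shared key between X and D
        return (self.name, suspect, mac(key, self.name, suspect))

class Neighbor:
    """Node D, a neighbor of the suspect, collecting alerts."""
    def __init__(self, neighbors, guards_of, keys, alerts_needed):
        self.status = dict.fromkeys(neighbors, "ok")
        self.guards_of, self.keys = guards_of, keys
        self.alerts_needed = alerts_needed
        self.alert_buf = {}            # suspect -> set of accusing guard IDs

    def on_alert(self, msg):
        guard, suspect, tag = msg
        key = self.keys.get(guard)
        if key is None or not hmac.compare_digest(tag, mac(key, guard, suspect)):
            return False               # not authentic
        if suspect not in self.status or guard not in self.guards_of.get(suspect, ()):
            return False               # A is not D's neighbor, or X is not a guard of A
        self.alert_buf.setdefault(suspect, set()).add(guard)
        if len(self.alert_buf[suspect]) >= self.alerts_needed:
            self.status[suspect] = "revoked"
        return True

    def accepts(self, node):           # no traffic from or to a revoked node
        return self.status.get(node) == "ok"
```

Because the alert buffer stores guard IDs in a set, a single guard repeating its alert cannot push a neighbor over the isolation threshold on its own.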
