
Distributed Detection of Node Replication Attacks in Sensor Networks

Distributed Detection of Node Replication Attacks in Sensor Networks. Bryan Parno, Adrian Perrig, Virgil Gligor. Carnegie Mellon University, University of Maryland.


Presentation Transcript


  1. Distributed Detection of Node Replication Attacks in Sensor Networks • Bryan Parno, Adrian Perrig, Virgil Gligor • Carnegie Mellon University, University of Maryland

  2. Sensor Networks • Thousands of nodes, each with a CPU, ~4 KB of RAM, a radio and one or more sensors (e.g., temperature, motion, sound) • Applications: burglar alarms, emergency response, military uses • Node Characteristics: • Low cost • No tamper resistance • Limited battery life • Easy to deploy

  3. Attacks on Sensor Networks • Replication Attacks • Capturing many nodes is hard • Instead, capture one node and copy it • Other attacks not in scope of this work • Introducing nodes with new IDs - this is readily preventable: • Admin provides each node with a certificate • ID based on keys • Other Sybil defenses [Newsome04] • Jamming attacks • Partitioning attacks • We assume legitimate nodes form a connected component

  4. Replication is Easy • Only need to capture one node • Offline attack to extract node’s secrets • Transfer secrets to generic nodes • Deploy clones

  5. Repercussions • Clones know everything compromised node knew • Adversary can … • Inject false data or suppress legitimate data • Spread blame for abnormal behavior • Revoke legitimate nodes using aggregated voting • Monitor communication

  6. Our Contributions • Thwart replication attacks using entirely distributed mechanisms • First use of emergent algorithms to provide robust security properties in sensor networks • Resilient even against an adaptive adversary (i.e. adversary knows the protocol and can selectively compromise additional sensors) • Relies on the Birthday Paradox and the network topology • No central points of failure • Efficient Solutions • Comparable to centralized detection

  7. Outline • Introduction • Problem Statement & Previous Work • Our Solution • Evaluation • Discussion

  8. Assumptions • Public key infrastructure • Occasional elliptic curve cryptography is reasonable [Malan04] • Can be replaced with symmetric mechanisms • Network employs geographic routing • Does not require GPS! [Doherty01] • Works with synthetic coordinates [Rao03, Newsome03] • Nodes are primarily stationary

  9. Goals • Detect replication with high probability • After protocol concludes, legitimate nodes have revoked replicas • Secure against adaptive adversary • Unpredictable to adversary • No central points of failure • Minimize communication overhead

  10. Previous Approaches Insufficient • Central Detection [EscGli02] • Each node sends neighbor list to a central base station • Base station searches lists for duplicates • Disadvantages • Some applications may not use base stations • Single point of failure • Exhausts nodes near base station (and makes them attack targets)

  11. Previous Approaches Insufficient • Localized Detection [ChPeSo03] • Neighborhoods use local voting protocols to detect replicas • Disadvantage • Replication is a global event that cannot be detected in a purely local fashion

  12. Outline • Introduction • Problem Statement & Previous Work • Our Solution • Overview • Randomized Multicast Protocol • Line-Selected Multicast Protocol • Evaluation • Discussion

  13. Emergent Properties • Properties that only emerge through collective action of multiple nodes • Highly robust • No central point of failure • Difficult for adversary to attack • Emergent behavior is an attractive approach for thwarting an unpredictable and adaptive adversary

  14. Approach Overview • Step 1: Announce locations • Each node signs and broadcasts its location to neighbors • Location = (x,y), virtual coordinates, or neighbor list • Nodes must participate or neighbors will blacklist them • Step 2: Detect replicas • Uses emergent protocol • Ensures at least one “witness” node receives two conflicting location claims • Step 3: Revoke replicas • Witness floods network with conflicting location claims • Signatures prevent spoofing or framing

  15. Randomized Multicast Protocol • Each node signs and broadcasts its location to neighbors • Each neighbor forwards location to “witness” nodes • Witness chosen at random by selecting random geographic point and forwarding message to node closest to the point • Each neighbor selects ~ witnesses for a total of • Birthday Paradox implies location claims from a cloned node and its clone will collide with high probability • Conflicting location claims are evidence for revoking clones • Signatures prevent forgery of location claims

  16. Randomized Multicast Detection Conflict Detected!

  17. Randomized Multicast Analysis • PDetect > 1 – e^{-R} • High probability of detection • 2 replicas (R=2), w = n, PDetect ≥ 95% • Decentralized and randomized • Moderate communication overhead • Each node’s location sent to n witnesses • Path between two random points in the network is O( n ) hops on average • Results in O(n) message hops per node

  18. Line-Selected Multicast Protocol • In a sensor network, nodes route data as well as collect it • Again, neighbors forward location claim to “witness” nodes • Each intermediate node checks for a conflict and forwards the location claim • If any two “lines” intersect, the conflicting location claims provide evidence for revoking clones

  19. Line-Selected Multicast Detection Conflict Detected!

  20. Line-Selected Multicast Analysis • High probability of intersection for two randomly drawn lines in the plane • Only need a constant number of lines (e.g. for 5 lines/node, PDetect ≥ 95%) • Decentralized and randomized • Minimal communication • Line segments O( n) on average • Only requires O( n) message hops per node
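
An added simulation, not part of the original slides, comparing the two protocols above (slides 15 and 18): it counts how often some node ends up storing two conflicting location claims for one cloned ID. The 50×50 grid, the 4-neighbour greedy routing, and the witness counts are assumptions chosen for the demonstration; signatures and revocation flooding are not modelled.

```python
import random

def route(src, dst):
    """Greedy geographic routing on a 4-connected grid (simplified model):
    each hop shrinks the larger coordinate gap, i.e. moves to the neighbour
    closest to dst. Returns the nodes after src, ending at dst."""
    (x, y), path = src, []
    while (x, y) != dst:
        dx, dy = dst[0] - x, dst[1] - y
        if abs(dx) >= abs(dy):
            x += 1 if dx > 0 else -1
        else:
            y += 1 if dy > 0 else -1
        path.append((x, y))
    return path

def rand_node(rng, side):
    return (rng.randrange(side), rng.randrange(side))

def conflict_detected(rng, side, k, store_on_path):
    """One protocol run for a single cloned ID claimed at two positions.
    store_on_path=False: randomized multicast, only the k final witnesses
    of each claim store it. store_on_path=True: line-selected multicast,
    every node on the route to each witness stores and checks the claim."""
    original = clone = rand_node(rng, side)
    while clone == original:              # constructed scenario: two distinct positions
        clone = rand_node(rng, side)
    stored = {}                           # node -> location it has seen for this ID
    for claimed_loc in (original, clone):
        for _ in range(k):
            witness = rand_node(rng, side)
            holders = route(claimed_loc, witness) if store_on_path else [witness]
            for node in holders:
                if stored.setdefault(node, claimed_loc) != claimed_loc:
                    return True           # this node now holds conflicting claims
    return False

def detection_rate(store_on_path, k, side=50, trials=400, seed=1):
    """Fraction of simulated runs in which at least one node sees a conflict."""
    rng = random.Random(seed)
    hits = sum(conflict_detected(rng, side, k, store_on_path) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    print("randomized multicast, 5 witnesses/claim: ", detection_rate(False, 5))
    print("randomized multicast, 50 witnesses/claim:", detection_rate(False, 50))
    print("line-selected multicast, 5 lines/claim:  ", detection_rate(True, 5))
```

With the same five forwarded copies per claim, storing the claim at every hop turns a rare witness collision into a likely path intersection, which is the saving the line-selected analysis describes.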

  21. Theoretical Communication Overhead

  22. Outline • Introduction • Problem Statement & Previous Work • Our Solution • Evaluation • Discussion

  23. Evaluation Setup • Simulated network of sensor nodes deployed uniformly at random • Measured average communication per node and maximum communication of any node • Varied # of nodes from 1,000 to 10,000 • Varied density of nodes so average # neighbors varied from 10-70, with little effect

  24. Communication Overhead

  25. Detection in Irregular Topologies • Line-selected Multicast relies on topology to detect replicas, so we ran simulations on irregular topologies

  26. Probability of Detection in Irregular Topologies • 2500 nodes, 1 duplicate, 5 witnesses/node

  27. Probability of Detection in Irregular Topologies • 2500 nodes, 1 duplicate, 10 witnesses/node

  28. Probability of Detection in Irregular Topologies • 2500 nodes, 2 duplicates, 5 witnesses/node

  29. Outline • Introduction • Problem Statement & Previous Work • Our Solution • Evaluation • Discussion

  30. Timing Issues • Admin can select frequency of protocol activation • Between runs, nodes only remember results • Time Slots • Divide protocol run into slots and assign each a range of IDs • During each slot, nodes with IDs in the specified range announce their location • [Figure: time axis from 0 to T with marks at t, 2t, 3t; successive slots labelled with ID ranges 0-9, 10-19, 20-29, 30-39]

  31. Conclusion • Node replication attacks pose a serious threat • We address inherent limitations of centralized and localized solutions • Our algorithms use emergent properties to detect global events in a distributed fashion • High probability of detection and revocation • Resilient to adaptive adversary • Minimal communication overhead • Emergent solutions well adapted to provide security in sensor networks • Algorithms generally applicable to other settings

  32. Thank you! parno@cmu.edu
