Intrusion Detection Approach in WSN
A Resilient Packet-Forwarding Scheme against Maliciously Packet-Dropping Nodes in Sensor Networks
Suk-Bok Lee and Yoon-Hwa Choi, SASN 2006, ACM, 2006
Information Security Research Laboratory, http://seclab.inha.ac.kr/
Contents
• Introduction
• Security Threats in WSN
• Intrusion Detection System
• How does IDS work in WSN?
• Overview of insider attack
• Key-Establishment Scheme in LEAP
• A Resilient Packet-Forwarding Scheme
• Neighbor List Verification
• Simulation
• Conclusion
Introduction
• Definition of IDS: a system that discovers violations of the confidentiality, integrity, and availability of information and resources.
• The main differences between MANET and WSN are:
  • Simpler device characteristics (memory, processing, energy).
  • Lack of mobility.
  • Large network size (limited resources, large network).
  • Stable communication pattern (many-to-one).
Security Threats in WSN
1. Routing threats
  • Spoofed, altered, or replayed routing information
  • Selective forwarding (black hole)
  • Sinkhole attacks (bogus routing path)
  • Sybil attacks (multiple identities)
  • Wormholes (tunneled messages)
  • HELLO flood attacks
2. Denial of Service (DoS)
  • Can be classified by layer: physical layer, data link layer, MAC layer.
Intrusion Detection System
• Why do we need IDS in WSN? Is cryptography not enough?
• Suggested IDS architectures:
  • Stand-alone (per node).
  • Distributed and cooperative (across nodes).
  • Hierarchical (per cluster).
• Existing IDS models for WSN:
  • Self-Organized Criticality & Stochastic Learning Based IDS.
  • IDS for Clustering-based Sensor Networks.
  • Model based on authentication.
  • Model aimed at energy saving.
  • A non-cooperative game approach.
  • Decentralized IDS.
How does IDS work in WSN?
• These messages can be analyzed using behavioral rules.
Overview of insider attack
• Each sensor node has a constant transmission range.
• Aggregated data are sent from the sensors over a multi-hop route to the base station.
• The attacker first tries to replicate a legitimate ID.
• Localized key establishment is used to prevent insider attacks:
  • It does not allow a cloned node (created by an inside attacker) to establish pairwise keys with any legitimate node.
• A compromised node affects the network when it:
  • Injects false sensing reports.
  • Advertises wrong routing information (affecting routing paths).
  • Drops legitimate users' packets.
Compromised nodes' packet dropping
• Neighbor Watch System (NWS): a defense against maliciously packet-dropping nodes in sensor networks.
  • Single-path data forwarding.
  • It uses Neighbor List Verification (NLV).
  • Hop-by-hop reliable delivery.
• Other efforts for secure data routing use:
  • Multipath-based data forwarding schemes.
  • Diffusion-based data forwarding schemes (random paths).
  • Interleaving mesh forwarding schemes.
Notation:
• u, v are principals, such as communicating nodes.
• Ru is a random number generated by u.
• fK is a family of pseudo-random functions.
• MAC(K, M1|M2) is the message authentication code (MAC) of the concatenation of messages M1 and M2, computed with MAC key K.
• Test is the time for a newly deployed sensor to complete neighbor discovery.
• Tmin is the time necessary for an attacker to compromise a legitimate node, where Tmin > Test.
Key-Establishment Scheme in LEAP
• Four types of keys for each sensor node:
  • An individual key shared with the base station.
  • A pairwise key shared with each neighbor.
  • A cluster key shared with its surrounding neighbors.
  • A group key shared by all the nodes in the network.
• The protocol for adding a new node:
  1. Assume the node has the initial key KI; its master key is Ku = fKI(u).
  2. Broadcast (neighbor discovery).
  3. Pairwise key establishment: u computes a pairwise key with v.
  4. Key erasure (Tmin < Test): erase all the keys except K.
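The notation slide and the four LEAP steps above can be run end to end. The block below is an added example written for this page, not code from the slides or from the LEAP authors; it instantiates fK and MAC with HMAC-SHA256 (an assumption, the slides fix no primitive), uses the LEAP derivations Ku = fKI(u), MAC(Kv, Ru|v) and Kuv = fKv(u) for the handshake, and shows why a cloned node without KI, or a node arriving after u has erased KI, cannot obtain a pairwise key with u.

```python
import hashlib
import hmac
import os


def f(key: bytes, data: bytes) -> bytes:
    """f_K(data): the pseudo-random function family of the notation slide,
    instantiated with HMAC-SHA256 (an assumption of this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """MAC(K, M1|M2): authentication code over the concatenation of M1 and M2."""
    return hmac.new(key, m1 + m2, hashlib.sha256).digest()


class Node:
    def __init__(self, node_id: bytes, initial_key: bytes):
        self.id = node_id
        self.KI = initial_key               # step 1: preloaded initial key, erased at T_min
        self.Ku = f(initial_key, node_id)   # master key K_u = f_KI(u)
        self.Ru = None
        self.pairwise = {}

    def hello(self):
        """Step 2: broadcast (u, R_u) to discover neighbours."""
        self.Ru = os.urandom(16)
        return self.id, self.Ru

    def reply(self, peer_id: bytes, peer_nonce: bytes):
        """Neighbour v answers (v, MAC(K_v, R_u | v)) and derives K_uv = f_Kv(u) itself."""
        self.pairwise[peer_id] = f(self.Ku, peer_id)
        return self.id, mac(self.Ku, peer_nonce, self.id)

    def establish(self, peer_id: bytes, tag: bytes) -> bool:
        """Step 3: u recomputes K_v = f_KI(v), checks the MAC, then derives K_uv = f_Kv(u)."""
        if self.KI is None:
            return False                    # after key erasure no new pairwise key can be set up
        Kv = f(self.KI, peer_id)
        if not hmac.compare_digest(tag, mac(Kv, self.Ru, peer_id)):
            return False
        self.pairwise[peer_id] = f(Kv, self.id)
        return True

    def erase(self):
        """Step 4: at T_min, erase K_I; the remaining keys are kept."""
        self.KI = None


def leap_demo():
    """Constructed run: a legitimate handshake, a clone without K_I, and a late arrival."""
    KI = b"constructed network-wide initial key"
    u, v = Node(b"u", KI), Node(b"v", KI)
    uid, Ru = u.hello()
    vid, tag = v.reply(uid, Ru)
    agree = u.establish(vid, tag) and u.pairwise[vid] == v.pairwise[uid]

    # a node cloned by an attacker who never held K_I produces a MAC u cannot verify
    clone = Node(b"c", b"guessed key")
    cid, ctag = clone.reply(uid, Ru)
    clone_rejected = not u.establish(cid, ctag)

    # once T_min has passed and K_I is erased, even a correct handshake is refused
    u.erase()
    late = Node(b"z", KI)
    zid, ztag = late.reply(uid, Ru)
    window_closed = not u.establish(zid, ztag)
    return agree, clone_rejected, window_closed
```

The second and third cases are the property the insider-attack slide relies on: a pairwise key can only be formed while the legitimate node still holds KI, so an attacker who needs longer than that window to compromise a node cannot make its clone a trusted neighbor.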
A Resilient Packet-Forwarding Scheme Using Neighbor Watch System
• The scheme is assumed to provide reliable packet forwarding hop by hop.
• During the neighbor discovery phase, u gets to know not only its immediate neighbors but also the neighbors' neighbor lists.
• During packet forwarding:
  • The packet is encrypted with the cluster key.
  • When the packet is sent by u to v, the neighbors of v overhear the packet.
  • * They listen for v's forwarded packet and check its destination.
  • * If v does not forward within a specific time, y and w resend.
  • ** The main-watch node u listens to the traffic of v, y and w (if the packet is not sent on).
(Figure: overhear, sub-watch, overhear buffer)
The degree of multipath depends on the number of sub-watch nodes.
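The overhear-and-resend behaviour of the two slides above, as an added simulation written for this page (not the authors' simulator). It assumes a constructed topology with hop counts to the base station, models a dropping node as one that never transmits, lets every common neighbor of sender and next hop act as a sub-watch node, and adds a main-watch fallback in which the sender retries over another next hop; that fallback and the per-suspect drop counter are assumptions beyond the slides.

```python
from collections import defaultdict

BASE = "BS"   # the base station, destination of every report


class NeighborWatchNetwork:
    """Constructed toy model of NWS: an undirected link graph, a hop count to the
    base station per node, and a set of nodes that silently drop what they are
    asked to forward. Packets are cluster-key encrypted, so any neighbour in
    range can read the overheard copy (as the slides state)."""

    def __init__(self, links, hops, dropping=()):
        self.adj = defaultdict(set)
        for a, b in links:
            self.adj[a].add(b)
            self.adj[b].add(a)
        self.hops = hops                        # hops[node]: distance to BS, BS itself is 0
        self.dropping = set(dropping)
        self.delivered = defaultdict(int)       # seq -> copies that reached BS
        self.drop_reports = defaultdict(int)    # suspect -> drops observed by its watchers
        self.transmissions = []                 # (sender, next hop, seq), in order

    def forwarders(self, node, exclude):
        """Neighbours strictly closer to BS that have not already been ruled out."""
        return sorted(n for n in self.adj[node]
                      if self.hops[n] < self.hops[node] and n not in exclude)

    def send(self, node, seq, exclude=frozenset()):
        """node transmits packet seq to its best next hop. Returns True if at least one
        copy reaches BS, through that hop or through the watchers that step in for it."""
        candidates = self.forwarders(node, exclude)
        if not candidates:
            return False
        nxt = candidates[0]
        self.transmissions.append((node, nxt, seq))
        if nxt == BASE:
            self.delivered[seq] += 1
            return True
        if nxt not in self.dropping:
            # watchers overhear nxt forwarding the packet, so they stay quiet
            return self.send(nxt, seq)
        # Watch timer expires without nxt forwarding: every sub-watch node (a common
        # neighbour of node and nxt) records the drop and resends its buffered copy,
        # so the number of sub-watch nodes sets the degree of multipath.
        self.drop_reports[nxt] += 1
        subwatch = (self.adj[node] & self.adj[nxt]) - {node, BASE}
        rescued = False
        for s in sorted(subwatch):
            if s in self.dropping or self.hops[s] > self.hops[node]:
                continue
            rescued |= self.send(s, seq, exclude | {nxt})
        if rescued:
            return True
        # Main-watch: node heard nothing from nxt or the sub-watch nodes and retries
        # over another next hop (assumed fallback, not spelled out on the slides).
        return self.send(node, seq, exclude | {nxt})


def nws_demo():
    """Constructed topology: u is two hops from BS; v, w, y are one hop from BS and
    all three are neighbours of u, while v is also a neighbour of w and y."""
    links = [("u", "v"), ("u", "w"), ("u", "y"), ("v", "w"), ("v", "y"),
             ("v", BASE), ("w", BASE), ("y", BASE)]
    hops = {BASE: 0, "v": 1, "w": 1, "y": 1, "u": 2}

    honest = NeighborWatchNetwork(links, hops)
    honest.send("u", 1)

    v_drops = NeighborWatchNetwork(links, hops, dropping={"v"})
    v_drops.send("u", 1)

    all_drop = NeighborWatchNetwork(links, hops, dropping={"v", "w", "y"})
    lost = not all_drop.send("u", 1)

    return {
        "honest_copies": honest.delivered[1],            # 1: u -> v -> BS
        "copies_after_v_drops": v_drops.delivered[1],    # 2: w and y each resend
        "drops_seen_at_v": v_drops.drop_reports["v"],    # 1: evidence for the IDS
        "lost_when_all_forwarders_drop": lost,           # True
    }
```

With v dropping, the base station receives one copy per sub-watch node (two here), which is the multipath degree the slide describes; the drop counter per suspect is the kind of evidence a behavioral-rule IDS on the earlier slide would consume, and the third scenario shows the scheme's limit when every one-hop forwarder is compromised.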
Neighbor List Verification
• How does a node prove its claimed neighbors?
• A compromised node v tells its neighbor u that x is one of its neighbors.
• NLV is an extension of the pairwise key establishment in LEAP.
• NLV adopts three-way handshaking neighbor discovery.
• There are two types of discovery:
  1. Neighbor discovery between two nodes that are both still within their initial Tmin (pure nodes).
  2. Neighbor discovery between a new node (pure node) and an old one (adult node).
Neighbor Discovery between Pure Nodes
• u computes Tˇu = Tv + Tu
• v computes Tˇv = Tu + Tv
Neighbor Discovery between a Pure Node and an Adult Node
• How can u prove to x the existence of its neighbors v and w?
  * x can generate any certificate with KI; if all are correct,
  * x computes its pairwise key.
  * Node x also generates a certificate and stores it.
• The adult node u broadcasts one-time certificates to inform its neighbors about a new node x. KAu is a local broadcast authentication key in u's one-way key chain.
• Prior to x's Tmin, the pure node x broadcasts its neighbor list (u's neighbors verify x).
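The one-time certificate and the verification of x's broadcast neighbor list can be shown concretely. This is an added example written for this page, not the authors' NLV implementation: it assumes the key chain is built by repeated SHA-256 hashing with the last value K0 handed to neighbors as a commitment, that a certificate is MAC(KAu, u|x) released together with the chain key it used, and that u's neighbors accept x's list only when every adult node x names has itself certified x; the exact message format of the paper is not on the slides.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class KeyChain:
    """One-way key chain of an adult node: K_i = H(K_{i+1}). K_0 is the commitment
    assumed to be given to neighbours during pairwise key setup."""

    def __init__(self, n: int, seed: bytes):
        keys = [seed]
        for _ in range(n):
            keys.append(H(keys[-1]))
        self.keys = keys[::-1]      # keys[0] = K_0 (commitment) ... keys[n] = K_n
        self.used = 0

    def commitment(self) -> bytes:
        return self.keys[0]

    def certify(self, issuer: bytes, new_node: bytes):
        """One-time certificate 'new_node is a neighbour of issuer', authenticated with
        the next unused chain key KA_i, which is disclosed alongside it."""
        self.used += 1
        k = self.keys[self.used]
        return (issuer, new_node, self.used, mac(k, issuer, new_node), k)


class Verifier:
    """A neighbour of the adult node: holds its commitment and the last accepted key."""

    def __init__(self, issuer: bytes, commitment: bytes):
        self.issuer, self.last_key, self.last_idx = issuer, commitment, 0
        self.certified = set()      # (adult, new node) pairs vouched for so far

    def accept(self, cert) -> bool:
        issuer, new_node, idx, tag, k = cert
        if issuer != self.issuer or idx <= self.last_idx:
            return False            # wrong issuer, or a key that was already disclosed
        probe = k
        for _ in range(idx - self.last_idx):
            probe = H(probe)        # walk the chain back to the last trusted key
        if probe != self.last_key or not hmac.compare_digest(tag, mac(k, issuer, new_node)):
            return False
        self.last_key, self.last_idx = k, idx
        self.certified.add((issuer, new_node))
        return True


def neighbor_list_ok(new_node: bytes, claimed, verifiers) -> bool:
    """NLV check (assumed form): x's broadcast list is accepted only if every adult
    node it names has itself certified x to these verifiers."""
    certified = set().union(*(v.certified for v in verifiers))
    return all((adult, new_node) in certified for adult in claimed)


def nlv_demo():
    """Constructed scenario with adult nodes u and w and a new node x."""
    u_chain = KeyChain(4, b"constructed seed for u")
    w_chain = KeyChain(4, b"constructed seed for w")
    watcher_u = Verifier(b"u", u_chain.commitment())   # a neighbour of u
    watcher_w = Verifier(b"w", w_chain.commitment())   # a neighbour of w

    cert = u_chain.certify(b"u", b"x")
    genuine = watcher_u.accept(cert)

    # a compromised node replays u's disclosed key to vouch for a clone x2 as u's neighbour
    _, _, idx, _, k = cert
    forged = (b"u", b"x2", idx, mac(k, b"u", b"x2"), k)
    replay_rejected = not watcher_u.accept(forged)

    # x claims neighbours u and w, but only u has certified it so far
    premature = neighbor_list_ok(b"x", [b"u", b"w"], [watcher_u, watcher_w])
    watcher_w.accept(w_chain.certify(b"w", b"x"))
    complete = neighbor_list_ok(b"x", [b"u", b"w"], [watcher_u, watcher_w])
    return genuine, replay_rejected, premature, complete
```

The replay case is the point of calling the certificates one-time: once a chain key is disclosed, a verifier will never accept it again, so a compromised node that overheard it cannot reuse it to assert that some other node is a legitimate neighbor, and x's claimed list is only trusted once each adult node named in it has independently vouched for x.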
Storage Overhead
• Each node has to store:
  • 4 keys (LEAP)
  • Its direct neighbors' certificates
  • Their respective neighbor lists.
• For a network of expected degree d and node-ID byte size l, the additional storage requirement for each node is d · (8 + ld) bytes, i.e. O(d²).
Conclusion
• We presented an IDS approach in WSN.
• There are many attacks related to authenticated nodes.
• NWS is specifically designed for hop-by-hop reliable packet delivery.