Detecting Malicious Activity in Wireless Sensor Networks
Adrian Perrig, perrig@cmu.edu
PowerPoint presentation, 37 slides

Transcript and Presenter's Notes

Detecting Malicious Activity in Wireless Sensor Networks

Self-Evident Truths
  • If you disagree with any of these, speak up now
    or remain silent until after this talk ?
  • Sensor networks are in wide-spread use today
  • Sensor networks will soon be commonly used
  • Sensor nodes continue to be severely resource-constrained
  • Wireless communication is easy to attack
    (eavesdropping or packet injection)
  • Security is needed for most applications
  • User privacy is an important issue in many applications

Wired Sensor Network
  • Many critical infrastructures rely on wired
    sensors for everyday operation
  • Burglar alarm in museum
  • Semiconductor fabrication plant
  • Chemical manufacturing plant, oil refinery
  • Fire alarm in hotels

Drawbacks of Wired Network
  • Expensive to deploy
  • Expensive to maintain
  • Upgrade
  • Replace
  • Wires can introduce failures
  • Wires are costly
  • Wireless networks are more cost effective!

Wireless Sensor Network
  • Autonomous
  • Self-configuring
  • Self-calibrating
  • Self-identifying
  • Self-reorganizing
  • Low maintenance
  • Easy upgrade
  • Small, inexpensive
  • Limited:
  • CPU 1–8 MHz
  • Radio 40–250 kb/s
  • Memory 48–124 KB
  • Battery life
  • Radio more expensive
  • Respond to dynamic conditions
  • Operate in harsh conditions

Example Hotel Sensor Network
  • Every room is equipped with a sensor node
    measuring light intensity, temperature, and humidity
  • Applications
  • Determine occupancy to direct fire fighters
  • Detect energy drainage caused by open windows
  • Detect water leaks
  • Detect break-ins
  • Detect fire

Need for Security?
  • Hotel sensor network simply sends all sensed
    information over wireless network to base
    station, without using encryption
  • Security not necessary, right?
  • Wrong!

Private Information Disclosure
  • Much private information is leaked by
    temperature, humidity, and light measurements
  • Light intensity readings
  • Shadows can reveal information about motion of people
  • Coarse-grained light intensity values can reveal
    TV channel
  • Humidity readings may reveal:
  • Presence of people
  • People talking

Example Terrorist Attacks
  • Example attack on oil refinery
  • Attacker forges pressure/temperature readings
  • Control center processes fake data
  • Control center performs incorrect operation
    (continually increase temperature, pressure)
  • Other critical infrastructures may also be
    targets (e.g., power plant, water supply)

Industrial Espionage
  • Foreign competitor monitors inventory
  • Detect production volume
  • Determine potential manufacturing problems
  • Threat to corporations whose livelihood depends
    on information

Security is Important!
  • Even for seemingly benign hotel application,
    security is crucial
  • Some may argue that same issues exist without
    sensor network
  • Can easily listen on door, try to spy through
  • However, sensors make large-scale attacks
  • Easily obtain instant information about entire hotel
  • Also allows attacker to launch remote attacks
  • Listening by the door requires attacker to be
    physically present

Importance of Security in Sensor Applications
  • Manufacturing applications: prevent competitor
    from detecting production volumes or potential
    manufacturing problems
  • Pollution monitoring: prevent data tampering
  • Healthcare applications: privacy!
  • Power grid surveillance: prevent malicious data

Attacker Model [Gligor]
  • Standard Dolev-Yao adversary controls network
  • Man-in-the-middle: read, replay, block, modify
  • Send/receive any message to/from any principal
  • New sensor network adversary
  • Principals may be malicious
  • Attacker may selectively compromise fraction of nodes
  • Insert replicas of nodes

Generic Attacks
  • Also need to defend against generic attacks
  • Denial-of-service attacks
  • Battery-drainage attacks
  • Sybil attacks
  • Node replication attacks

Standard Security Protocols
  • Why not simply leverage standard security
    protocols? SSL/TLS, SSH, IPsec work just fine.
  • Challenge: severe resource constraints!
  • Limited battery lifetime
  • Limited processing
  • Limited memory capacity
  • Asymmetric cryptographic operations are orders of
    magnitude slower than symmetric operations
  • Sensors deployed in unprotected areas without
    tamperproof hardware

Sensor Nets vs. Ad Hoc Nets
  Sensor networks:
  • Limited computation (slow 8- or 16-bit µC)
  • Limited bandwidth
  • Large size (thousands of nodes)
  • Usually immobile
  • One administrative domain
  • Unattended, nodes may be physically compromised
  Ad hoc networks:
  • Abundant computation (notebook/PDA nodes)
  • High bandwidth
  • Medium-sized (hundreds of nodes)
  • Usually mobile
  • Various administrative domains
  • Each node equipped with human protecting it
    (tampering not an issue)

Sensor Network Advantages
  • Is sensor network security much harder than ad
    hoc network security?
  • Fortunately, sensor networks have features that
    support security
  • Single deploying entity, single trust domain
  • Large scale: time-consuming to physically
    compromise large fraction of nodes
  • High redundancy: tolerate small fraction of
    compromised nodes
  • Approximate results ok

Goal: Secure Sensor Network
  • Assume commodity low-cost sensors
  • Provide simple configuration and maintenance
  • Tolerate installation errors by non-expert
  • Provide availability of application, integrity
    and secrecy of information, even against a highly
    capable attacker
  • This talk: study approaches to detect and
    tolerate compromised sensor nodes

Outline
  • Brief introduction
  • ZigBee: current industry standard
  • Detecting malicious nodes
  • Detecting node replication attacks
  • Secure data aggregation
  • Software-based attestation

Secure Communication
  • Basic security primitive secret and authentic
    node-to-node communication
  • Encrypt/authenticate every data packet

Secure Node-to-Node Communication
  • Goal: Provide secure communication while
    minimizing energy cost
  • Assumptions
  • Trusted base station
  • Communicating nodes share secret key
  • Approaches
  • TinySec
  • ZigBee

SPINS
  • SPINS: Secure Protocols for Inter-Networked
    Sensors (with Szewczyk, Wen, Culler, Tygar;
    MobiCom 2001)
  • Goal: basic secure communication feasible on
    resource-constrained sensor network
  • SNEP: Sensor Network Encryption Protocol
  • Base-station-centric security model
  • Each node shares secret key with base station
  • Node-to-node keys are set up through base station
  • Provides secrecy, authenticity, replay protection
  • Based on RC5 block cipher
  • Relies on synchronized counters (IVs)

SNEP Protocol Details
  • A and B share:
  • Encryption keys K_AB, K_BA
  • MAC keys K'_AB, K'_BA
  • Counters C_A, C_B
  • To send data D, A sends to B:
    A → B: {D}<K_AB, C_A>, MAC(K'_AB, C_A || {D}<K_AB, C_A>)
  • {D}<K_AB, C_A> is D encrypted under K_AB with the
    counter C_A as IV; the MAC covers the counter and the
    ciphertext, so the counter itself is never transmitted

TinySec
  • By Karlof, Sastry, Wagner (SenSys 2004)
  • Provides secrecy and authenticity, but no replay
    protection
  • Design decision: send 2-byte initialization
    vector (IV) in each packet
  • In contrast, SNEP assumes synchronized IV
  • Per-packet IV has advantage in environments with
    very high packet loss
  • Uses Skipjack block cipher
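The counter-synchronisation difference between SNEP and TinySec is easiest to see with both receivers side by side. The following Python is an added example written for this page, not code from SPINS, TinySec or their authors. It keeps SNEP's structure (shared counter as IV, MAC over counter || ciphertext, counter never transmitted, MAC truncated to 8 bytes) but substitutes an HMAC-SHA256 keystream for RC5 in counter mode and HMAC for CBC-MAC so that it runs on the standard library alone; the keys, packets and class names are constructed for illustration, and the optional highest-counter-seen check in the explicit-IV receiver is the example's own addition, not part of TinySec.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8  # SPINS truncates its MAC to 8 bytes; mirrored here


def keystream(key: bytes, counter: int, length: int) -> bytes:
    """Counter-mode keystream. SNEP runs RC5 in CTR mode with the shared
    counter as IV; this stand-in (an assumption of the example) derives each
    block as HMAC-SHA256(key, counter || block_index) so no third-party
    cipher is needed. The requirement is the same: a counter must never
    repeat under one key."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tag(k_mac: bytes, counter: int, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC over counter || ciphertext (HMAC in place of CBC-MAC).
    Binding the counter into the MAC is what gives SNEP its replay protection."""
    return hmac.new(k_mac, struct.pack(">Q", counter) + ciphertext, hashlib.sha256).digest()[:MAC_LEN]


class SnepSender:
    """A's side: shares K_AB (encryption), K'_AB (MAC) and counter C_A with B."""

    def __init__(self, k_enc: bytes, k_mac: bytes):
        self.k_enc, self.k_mac, self.counter = k_enc, k_mac, 0

    def send(self, data: bytes) -> bytes:
        c = xor(data, keystream(self.k_enc, self.counter, len(data)))
        packet = c + tag(self.k_mac, self.counter, c)  # counter is NOT transmitted
        self.counter += 1
        return packet


class SnepReceiver:
    """B's side: recomputes the MAC with its own copy of C_A."""

    def __init__(self, k_enc: bytes, k_mac: bytes):
        self.k_enc, self.k_mac, self.counter = k_enc, k_mac, 0

    def receive(self, packet: bytes):
        c, t = packet[:-MAC_LEN], packet[-MAC_LEN:]
        if not hmac.compare_digest(t, tag(self.k_mac, self.counter, c)):
            return None  # replay, forgery, or a lost packet has desynchronised C_A
        plaintext = xor(c, keystream(self.k_enc, self.counter, len(c)))
        self.counter += 1
        return plaintext


class ExplicitIvSender(SnepSender):
    """TinySec-style: the 2-byte counter travels in clear in the packet."""

    def send(self, data: bytes) -> bytes:
        c = xor(data, keystream(self.k_enc, self.counter, len(data)))
        packet = struct.pack(">H", self.counter) + c + tag(self.k_mac, self.counter, c)
        self.counter += 1  # a 2-byte counter wraps after 65536 packets: rekey before then
        return packet


class ExplicitIvReceiver:
    """Accepts any packet whose MAC verifies under the transmitted counter, so
    packet loss does not break the channel. With reject_replays=False it
    behaves like TinySec (no replay protection); the optional
    highest-counter-seen check is the example's cheap remedy."""

    def __init__(self, k_enc: bytes, k_mac: bytes, reject_replays: bool = False):
        self.k_enc, self.k_mac = k_enc, k_mac
        self.reject_replays, self.highest = reject_replays, -1

    def receive(self, packet: bytes):
        (counter,) = struct.unpack(">H", packet[:2])
        c, t = packet[2:-MAC_LEN], packet[-MAC_LEN:]
        if not hmac.compare_digest(t, tag(self.k_mac, counter, c)):
            return None
        if self.reject_replays and counter <= self.highest:
            return None
        self.highest = max(self.highest, counter)
        return xor(c, keystream(self.k_enc, counter, len(c)))


if __name__ == "__main__":
    k_enc, k_mac = b"\x01" * 16, b"\x02" * 16  # constructed sample keys
    s, r = SnepSender(k_enc, k_mac), SnepReceiver(k_enc, k_mac)
    p1, p2, p3 = s.send(b"temp=21"), s.send(b"temp=22"), s.send(b"temp=23")
    print("SNEP p1:", r.receive(p1), "| replay of p1:", r.receive(p1))
    print("SNEP p3 after p2 lost:", r.receive(p3), "| p2 then p3:", r.receive(p2), r.receive(p3))
```

Drop one packet in front of each receiver: the SNEP receiver rejects everything after the gap until the counters are resynchronised, while the explicit-IV receiver keeps decrypting, which is the trade-off behind TinySec's per-packet IV. The flip side is that, without the counter check, the explicit-IV receiver also accepts a replayed packet, exactly the gap the slide above notes.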

ZigBee Security
  • ZigBee security based on trust center
  • Network key is secret shared by all nodes, used
    for broadcast messages or when no link key is set
  • Link key is pairwise shared secret key, used for
    node-to-node secure communication

  • Uses AES as the underlying block cipher
  • Set up node-to-node shared secret keys through
    trust center
  • Provides secrecy, authenticity, replay protection
  • Does not define:
  • Secure initial key setup mechanism
  • Secure routing protocol
  • Not secure against compromised nodes!
  • No attempt to detect compromised nodes

Detecting Node Replication Attacks
  • Goal: detect cloned nodes in a distributed manner
  • Distributed Detection of Node Replication
    Attacks in Sensor Networks, with Bryan Parno and
    Virgil Gligor, published at the IEEE Symposium on
    Security and Privacy 2005

Problem Definition
  • Replication attacks
  • Capturing many nodes is hard
  • Instead, capture one node and copy it
  • Other attacks not in scope of this work:
  • Sybil attacks: introducing nodes with new IDs is
    readily prevented, e.g., admin provides each node
    with a certificate, ID based on keys, or other
    Sybil defenses
  • Partitioning attacks: we assume legitimate nodes
    form a connected component

Replication Attacks are Easy
  • Only need to capture one node
  • Offline attack to extract the node's secrets
  • Transfer secrets to generic nodes
  • Deploy clones

  • Clones know everything the compromised node knew
  • Adversary can:
  • Inject false data or suppress legitimate data
  • Spread blame for abnormal behavior
  • Revoke legitimate nodes using aggregated voting
  • Monitor communication

Our Contributions
  • Thwart replication attacks using entirely
    distributed mechanisms
  • First use of emergent algorithms to provide
    robust security properties in sensor networks
  • Resilient even against an adaptive adversary
  • (i.e., adversary knows the protocol and can
    selectively compromise additional sensors)
  • Relies on Birthday Paradox and network topology
  • No central points of failure
  • Efficient solutions: comparable to centralized
    detection

Assumptions
  • Public key infrastructure
  • Occasional elliptic curve cryptography is
    reasonable [Sizzle, Malan04]
  • Can be replaced with symmetric mechanisms
  • Network employs geographic routing
  • Does not require GPS! [Doherty01]
  • Works with synthetic coordinates [Rao03]
  • Nodes are primarily stationary

Goals
  • Detect replication with high probability
  • After protocol concludes, legitimate nodes have
    revoked replicas
  • Secure against adaptive adversary
  • Unpredictable to adversary
  • No central points of failure
  • Minimize communication overhead

Previous Approaches Insufficient
  • Central Detection [EscGli02]
  • Each node sends neighbor list to a central base
    station
  • Base station searches lists for duplicates
  • Disadvantages
  • Some applications may not use base stations
  • Single point of failure
  • Exhausts nodes near base station (and makes them
    attack targets)

Previous Approaches Insufficient
  • Localized Detection [ChPeSo03]
  • Neighborhoods use local voting protocols to
    detect replicas
  • Disadvantage
  • Replication is a global event that cannot be
    detected in a purely local fashion

Emergent Properties
  • Properties that only emerge through collective
    action of multiple nodes
  • Highly robust
  • No central point of failure
  • Difficult for adversary to attack
  • Emergent behavior is an attractive approach for
    thwarting an unpredictable and adaptive adversary

Approach Overview
  • Step 1: Announce locations
  • Each node signs and broadcasts its location to
    its neighbors
  • Location: (x,y), virtual coordinates, or
    neighbor list
  • Nodes must participate or neighbors will
    blacklist them
  • Step 2: Detect replicas
  • Uses emergent protocol
  • Ensures at least one witness node receives two
    conflicting location claims
  • Step 3: Revoke replicas
  • Witness floods network with conflicting location
    claims
  • Signatures prevent spoofing or framing

Randomized Multicast Protocol
  • Each node signs and broadcasts its location to
    its neighbors
  • Each neighbor forwards location to witness nodes
  • Witness chosen at random by selecting random
    geographic point and forwarding message to node
    closest to the point
  • Each neighbor selects witnesses for a
    total of
  • Birthday Paradox implies location claims from a
    cloned node and its clone will collide with high
    probability
  • Conflicting location claims are evidence for
    revoking clones
  • Signatures prevent forgery of location claims

Randomized Multicast Detection (figure slide: Conflict Detected!)

Randomized Multicast Analysis
  • P_Detect > 1 − e^(−R)
  • High probability of detection
  • 2 replicas (R = 2), w = √n, P_Detect ≈ 95%
  • Decentralized and randomized
  • Moderate communication overhead
  • Each node's location sent to √n witnesses
  • Path between two random points in the network is
    O(√n) hops on average
  • Results in O(n) message hops per node

Line-Selected Multicast Protocol
  • In a sensor network, nodes route data as well as
    collect it
  • Again, neighbors forward location claim to
    witness nodes
  • Each intermediate node checks for a conflict and
    forwards location claim
  • If any two lines intersect, the conflicting
    location claims provide evidence for revoking
    the clones

Line-Selected Multicast Detection (figure slide: Conflict Detected!)

Line-Selected Multicast Analysis
  • High probability of intersection for two randomly
    drawn lines in square area
  • Only need a constant number of lines
  • (e.g., for 5 lines/node, P_Detect ≈ 95%)
  • Decentralized and randomized
  • Minimal communication
  • Line segments O(√n) on average
  • Only requires O(√n) message hops per node
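To make the birthday argument behind randomized multicast and the line-intersection argument behind line-selected multicast concrete, here is a small simulation in Python, added for this page and not code from the paper or its authors. It abstracts the protocol: witnesses are drawn uniformly from the n node IDs instead of by the random-geographic-point rule, and a claim path is a straight segment from the replica's position to a random point in the unit square, so any crossing stands for a node that saw both claims. It also shows the witness-side rule from the Approach Overview above: a witness stores one location per ID and flags any second, different location as a conflict. The Witness class, the node ID and the coordinates are constructed for the example.

```python
import math
import random


def birthday_bound(w: int, n: int) -> float:
    """Birthday-paradox estimate that two claims, each forwarded to w of the
    n nodes chosen at random, share at least one witness: 1 - exp(-w^2 / n).
    With w = sqrt(n) this is 1 - 1/e; doubling w pushes it above 98%."""
    return 1.0 - math.exp(-(w * w) / n)


class Witness:
    """A witness keeps the first location claimed for each node ID (claims are
    signed by that ID in the protocol, so a stored claim is evidence). A second
    claim for the same ID at a different location is the conflict that
    triggers revocation."""

    def __init__(self):
        self.claims = {}

    def record(self, node_id: str, location) -> bool:
        """Store the claim; return True if it conflicts with an earlier one."""
        first = self.claims.setdefault(node_id, location)
        return first != location


def randomized_multicast_rate(n: int, w: int, trials: int, seed: int = 0) -> float:
    """Fraction of trials in which a node and its clone (same ID, two
    locations) are detected when each claim goes to w witnesses drawn
    uniformly from n node IDs. Uniform choice stands in for the paper's
    'random geographic point, nearest node' rule (example simplification)."""
    rng = random.Random(seed)
    detected = 0
    for _ in range(trials):
        witnesses = {}  # created lazily: only the IDs that receive a claim matter
        conflict = False
        for location in ("(10, 20)", "(70, 35)"):  # original and clone (constructed)
            for idx in rng.sample(range(n), w):
                wit = witnesses.get(idx)
                if wit is None:
                    wit = witnesses[idx] = Witness()
                if wit.record("node-17", location):
                    conflict = True
        detected += conflict
    return detected / trials


def _orient(p, q, r) -> float:
    """Sign of the cross product (q - p) x (r - p): which side of pq r lies on."""
    return (q[0] - p[0]) * (r[1] - p[1]) - (q[1] - p[1]) * (r[0] - p[0])


def segments_intersect(p1, p2, q1, q2) -> bool:
    """Proper crossing of segments p1p2 and q1q2. Collinear overlaps have
    probability zero for random endpoints and are treated as no crossing."""
    return (_orient(p1, p2, q1) * _orient(p1, p2, q2) < 0
            and _orient(q1, q2, p1) * _orient(q1, q2, p2) < 0)


def line_selected_rate(lines: int, trials: int, seed: int = 0) -> float:
    """Fraction of trials in which the claim paths of a node and its clone
    cross. Each replica sits at a uniform random point of the unit square and
    its neighbours forward the claim along `lines` straight paths to random
    destination points; every node on a path checks for conflicts, so a
    single crossing is a detection."""
    rng = random.Random(seed)

    def point():
        return (rng.random(), rng.random())

    detected = 0
    for _ in range(trials):
        a, b = point(), point()
        paths_a = [(a, point()) for _ in range(lines)]
        paths_b = [(b, point()) for _ in range(lines)]
        detected += any(segments_intersect(*pa, *pb) for pa in paths_a for pb in paths_b)
    return detected / trials


if __name__ == "__main__":
    n = 2500
    for w in (int(math.sqrt(n)), 2 * int(math.sqrt(n))):
        print(f"randomized multicast, w={w}: bound {birthday_bound(w, n):.2f}, "
              f"simulated {randomized_multicast_rate(n, w, 500):.2f}")
    for g in (1, 2, 5):
        print(f"line-selected, {g} lines/node: simulated {line_selected_rate(g, 2000):.2f}")
```

The two simulations reproduce the shape of the analysis above: randomized multicast needs on the order of √n witnesses per claim for the collision probability to be high, whereas line-selected multicast reaches a high detection rate with a handful of paths per node because two random segments in a square cross with constant probability.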

Theoretical Overhead (figure slide)

Evaluation Setup
  • Simulated network of sensor nodes deployed
    uniformly at random
  • Measured average communication per node and
    maximum communication of any node
  • Varied number of nodes from 1,000 to 10,000
  • Varied density of nodes so average number of
    neighbors varied from 10–70, with little impact

Communication Overhead (figure slide)
Detection in Irregular Topologies
  • Line-selected Multicast relies on topology to
    detect replicas, so we ran simulations on
    irregular topologies

Probability of Detection in Irregular Topologies (figure slides)
  • 2500 nodes, 1 duplicate, 5 witnesses/node
  • 2500 nodes, 1 duplicate, 10 witnesses/node
  • 2500 nodes, 2 duplicates, 5 witnesses/node