Detecting Malicious Activity in Wireless Sensor Networks, Adrian Perrig (perrig@cmu.edu) - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Detecting Malicious Activity in Wireless Sensor Networks
Adrian Perrig, perrig@cmu.edu
2
Self-Evident Truths
  • If you disagree with any of these, speak up now
    or remain silent until after this talk
  • Sensor networks are in wide-spread use today
  • Sensor networks will soon be commonly used
  • Sensor nodes continue to be severely
    resource-constrained
  • Wireless communication is easy to attack
    (eavesdropping or packet injection)
  • Security is needed for most applications
  • User privacy is an important issue in many
    applications

3
Wired Sensor Network
  • Many critical infrastructures rely on wired
    sensors for everyday operation
  • Burglar alarm in museum
  • Semiconductor fabrication plant
  • Chemical manufacturing plant, oil refinery
  • Fire alarm in hotels

4
Drawbacks of Wired Network
  • Expensive to deploy
  • Expensive to maintain
  • Upgrade
  • Replace
  • Wires can introduce failures
  • Wires are costly
  • Wireless networks are more cost effective!

5
Wireless Sensor Network
  • Autonomous
  • Self-configuring
  • Self-calibrating
  • Self-identifying
  • Self-reorganizing
  • Low maintenance
  • Easy upgrade
  • Small, inexpensive
  • Limited resources:
  • CPU 1 to 8 MHz
  • Radio 40 to 250 kb/s
  • Memory 48 to 124 KB
  • Battery life
  • Radio more expensive
  • Respond to dynamic conditions
  • Operate in harsh conditions

6
Example Hotel Sensor Network
  • Every room is equipped with a sensor node
    measuring light intensity, temperature, and
    humidity
  • Applications
  • Determine occupancy to direct fire fighters
  • Detect energy drainage caused by open windows
  • Detect water leaks
  • Detect break-ins
  • Detect fire

7
Need for Security?
  • Hotel sensor network simply sends all sensed
    information over wireless network to base
    station, without using encryption
  • Security not necessary, right?
  • Wrong!

8
Private Information Disclosure
  • Much private information is leaked by
    temperature, humidity, and light measurements
  • Light intensity readings:
  • Shadows can reveal information about motion of
    people
  • Coarse-grained light intensity values can reveal
    TV channel
  • Humidity readings may reveal:
  • Presence of people
  • People talking

9
Example Terrorist Attacks
  • Example attack on oil refinery:
  • Attacker forges pressure/temperature readings
  • Control center processes fake data
  • Control center performs incorrect operation
    (continually increase temperature, pressure)
  • Other critical infrastructures may also be
    targets (e.g., power plant, water supply)

10
Industrial Espionage
  • Foreign competitor monitors inventory
  • Detect production volume
  • Determine potential manufacturing problems
  • Threat to corporations whose livelihood depends
    on information

11
Security is Important!
  • Even for seemingly benign hotel application,
    security is crucial
  • Some may argue that same issues exist without
    sensor network
  • Can easily listen at door, try to spy through
    window
  • However, sensors make large-scale attacks
    trivial!
  • Easily obtain instant information about entire
    hotel
  • Also allows attacker to launch remote attacks
  • Listening by the door requires attacker to be
    physically present

12
Importance of Security in Sensor Applications
  • Manufacturing applications: prevent competitor
    from detecting production volumes or potential
    manufacturing problems
  • Pollution monitoring: prevent data tampering
  • Healthcare applications: privacy!
  • Power grid surveillance: prevent malicious data
    injection

13
Attacker Model [Gligor]
  • Standard Dolev-Yao adversary controls network:
  • Man-in-the-middle: read, replay, block, modify
  • Send/receive any message to/from any principal
  • New sensor network adversary:
  • Principals may be malicious
  • Attacker may selectively compromise fraction of
    nodes
  • Insert replicas of nodes

14
Generic Attacks
  • Also need to defend against generic attacks
  • Denial-of-service attacks
  • Battery-drainage attacks
  • Sybil attacks
  • Node replication attacks

15
Standard Security Protocols
  • Why not simply leverage standard security
    protocols? SSL/TLS, SSH, IPsec work just fine.
  • Challenge: severe resource constraints!
  • Limited battery lifetime
  • Limited processing
  • Limited memory capacity
  • Asymmetric cryptographic operations are orders of
    magnitude slower than symmetric operations
  • Sensors deployed in unprotected areas without
    tamperproof hardware

16
Sensor Nets vs. Ad Hoc Nets
  • Sensor networks:
  • Limited computation (slow 8- or 16-bit µC)
  • Limited bandwidth
  • Large size (thousands of nodes)
  • Usually immobile
  • One administrative domain
  • Unattended, nodes may be physically compromised
  • Ad hoc networks:
  • Abundant computation (notebook/PDA nodes)
  • High bandwidth
  • Medium-sized (hundreds of nodes)
  • Usually mobile
  • Various administrative domains
  • Each node equipped with human protecting it
    (tampering not an issue)

17
Sensor Network Advantages
  • Is sensor network security much harder than ad
    hoc network security?
  • Fortunately, sensor networks have features that
    support security
  • Single deploying entity, single trust domain
  • Large scale: time-consuming to physically
    compromise large fraction of nodes
  • High redundancy: tolerate small fraction of
    compromised nodes
  • Approximate results ok

18
Goal: Secure Sensor Network
  • Assume commodity low-cost sensors
  • Provide simple configuration and maintenance
  • Tolerate installation errors by non-expert
    installer
  • Provide availability of application, integrity
    and secrecy of information, even against a highly
    capable attacker
  • This talk: study approaches to detect and
    tolerate compromised sensor nodes

19
Roadmap
  • Brief introduction
  • ZigBee: current industry standard
  • Detecting malicious nodes
  • Detecting node replication attacks
  • Secure data aggregation
  • Software-based attestation

20
Secure Communication
  • Basic security primitive: secret and authentic
    node-to-node communication
  • Encrypt/authenticate every data packet

21
Secure Node-to-Node Communication
  • Goal: Provide secure communication while
    minimizing energy cost
  • Assumptions:
  • Trusted base station
  • Communicating nodes share secret key
  • Approaches:
  • SPINS / SNEP
  • TinySec
  • ZigBee

22
SPINS - SNEP
  • SPINS: Secure Protocols for Inter-Networked
    Sensors, with Szewczyk, Wen, Culler, Tygar
    [Mobicom 2001]
  • Goal: basic secure communication feasible on
    resource-constrained sensor network
  • SNEP: Sensor Network Encryption Protocol
  • Base-station-centric security model
  • Each node shares secret key with base station
  • Node-to-node keys are set up through base station
  • Provides secrecy, authenticity, replay
    protection
  • Based on RC5 block cipher
  • Relies on synchronized counters (IVs)

23
SNEP Protocol Details
  • A and B share:
  • Encryption keys K_AB, K_BA
  • MAC keys K'_AB, K'_BA
  • Counters C_A, C_B
  • To send data D, A sends to B:
    A -> B: D<K_AB, C_A>, MAC(K'_AB, C_A || D<K_AB, C_A>)
    (D<K_AB, C_A> is D encrypted under K_AB with
    counter C_A as IV)

24
TinySec
  • By Karlof, Sastry, Wagner [Sensys 2004]
  • Provides secrecy and authenticity, but no replay
    protection
  • Design decision: send 2-byte initialization
    vector (IV) in each packet
  • In contrast, SNEP assumes synchronized IV
  • Per-packet IV has advantage in environments with
    very high packet loss
  • Uses Skipjack block cipher
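As an added example (not code from the slides or from the SPINS or TinySec implementations), the SNEP exchange of slide 23 in Python: counter-mode encryption keyed by K_AB and C_A, a MAC over C_A and the ciphertext, and a receiver that keeps C_A implicit. It assumes HMAC-SHA256 as a stand-in for the RC5 block cipher, a 4-byte counter and an 8-byte truncated MAC; the demo also shows the synchronized-IV cost that motivates TinySec's per-packet IV: one lost packet makes the receiver reject everything until the counters are resynchronized.

```python
import hmac, hashlib, struct

# Constructed demo keys; a deployment derives per-link keys via the base station.
K_AB = b"constructed-encryption-key-A-to-B"
K_AB_MAC = b"constructed-mac-key-A-to-B"
TAG_LEN = 8  # truncated MAC, as sensor protocols do to save radio bytes

def keystream(key, counter, length):
    """Counter-mode keystream. SNEP uses RC5 in CTR mode; HMAC-SHA256 over
    (counter, block index) stands in for the block cipher here (an assumption)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">II", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def snep_send(data, enc_key, mac_key, counter):
    """A -> B: D<K_AB, C_A>, MAC(K'_AB, C_A || D<K_AB, C_A>).
    The counter C_A is covered by the MAC but not transmitted: both ends keep it in sync."""
    ct = bytes(a ^ b for a, b in zip(data, keystream(enc_key, counter, len(data))))
    tag = hmac.new(mac_key, struct.pack(">I", counter) + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag

class SnepReceiver:
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key, self.counter = enc_key, mac_key, 0  # next expected C_A

    def receive(self, packet):
        """Returns the plaintext, or None when the MAC fails under the expected counter.
        A replayed packet fails because its MAC was computed under an older counter."""
        ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, struct.pack(">I", self.counter) + ct,
                            hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None
        data = bytes(a ^ b for a, b in zip(ct, keystream(self.enc_key, self.counter, len(ct))))
        self.counter += 1
        return data

def demo():
    """Delivery, a replay, then the failure mode of implicit counters: when the packet
    with counter 1 is lost, packet 2 is rejected until the counters are resynchronized."""
    rx = SnepReceiver(K_AB, K_AB_MAC)
    p0 = snep_send(b"temp=21.5", K_AB, K_AB_MAC, 0)
    p2 = snep_send(b"temp=21.9", K_AB, K_AB_MAC, 2)  # counter-1 packet never arrives
    return rx.receive(p0), rx.receive(p0), rx.receive(p2)
```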

25
ZigBee
  • ZigBee security based on trust center
  • Network key is secret shared by all nodes, used
    for broadcast messages or when no link key is set
    up
  • Link key is pairwise shared secret key, used for
    node-to-node secure communication

26
ZigBee
  • Uses AES as the underlying block cipher
  • Set up node-to-node shared secret keys through
    trust center
  • Provides secrecy, authenticity, replay
    protection
  • Does not define:
  • Secure initial key setup mechanism
  • Secure routing protocol
  • Not secure against compromised nodes!
  • No attempt to detect compromised nodes

27
Roadmap
  • Brief introduction
  • ZigBee: current industry standard
  • Detecting malicious nodes
  • Detecting node replication attacks
  • Secure data aggregation
  • Software-based attestation

28
Detecting Node Replication Attacks
  • Goal: detect cloned nodes in a distributed
    fashion
  • "Distributed Detection of Node Replication
    Attacks in Sensor Networks", with Bryan Parno and
    Virgil Gligor, published at IEEE Security and
    Privacy Symposium 2005

29
Problem Definition
  • Replication attacks:
  • Capturing many nodes is hard
  • Instead, capture one node and copy it
  • Other attacks not in scope of this work:
  • Introducing nodes with new IDs is readily
    preventable
  • Admin provides each node with a certificate
  • ID based on keys
  • Other Sybil defenses
  • Partitioning attacks
  • We assume legitimate nodes form a connected
    component

30
Replication Attacks are Easy
  • Only need to capture one node
  • Offline attack to extract node's secrets
  • Transfer secrets to generic nodes
  • Deploy clones

31
Repercussions
  • Clones know everything compromised node knew
  • Adversary can:
  • Inject false data or suppress legitimate data
  • Spread blame for abnormal behavior
  • Revoke legitimate nodes using aggregated voting
  • Monitor communication

32
Our Contributions
  • Thwart replication attacks using entirely
    distributed mechanisms
  • First use of emergent algorithms to provide
    robust security properties in sensor networks
  • Resilient even against an adaptive adversary
    (i.e., adversary knows the protocol and can
    selectively compromise additional sensors)
  • Relies on Birthday Paradox and network topology
  • No central points of failure
  • Efficient Solutions
  • Comparable to centralized detection

33
Assumptions
  • Public key infrastructure:
  • Occasional elliptic curve cryptography is
    reasonable [Sizzle, Malan04]
  • Can be replaced with symmetric mechanisms
  • Network employs geographic routing:
  • Does not require GPS! [Doherty01]
  • Works with synthetic coordinates [Rao03,
    Newsome03]
  • Nodes are primarily stationary

34
Goals
  • Detect replication with high probability
  • After protocol concludes, legitimate nodes have
    revoked replicas
  • Secure against adaptive adversary
  • Unpredictable to adversary
  • No central points of failure
  • Minimize communication overhead

35
Previous Approaches Insufficient
  • Central Detection [EscGli02]
  • Each node sends neighbor list to a central base
    station
  • Base station searches lists for duplicates
  • Disadvantages:
  • Some applications may not use base stations
  • Single point of failure
  • Exhausts nodes near base station (and makes them
    attack targets)

36
Previous Approaches Insufficient
  • Localized Detection [ChPeSo03]
  • Neighborhoods use local voting protocols to
    detect replicas
  • Disadvantage:
  • Replication is a global event that cannot be
    detected in a purely local fashion

37
Emergent Properties
  • Properties that only emerge through collective
    action of multiple nodes
  • Highly robust
  • No central point of failure
  • Difficult for adversary to attack
  • Emergent behavior is an attractive approach for
    thwarting an unpredictable and adaptive adversary

38
Approach Overview
  • Step 1: Announce locations
  • Each node signs and broadcasts its location to
    neighbors
  • Location: (x,y), virtual coordinates, or
    neighbor list
  • Nodes must participate or neighbors will
    blacklist them
  • Step 2: Detect replicas
  • Uses emergent protocol
  • Ensures at least one witness node receives two
    conflicting location claims
  • Step 3: Revoke replicas
  • Witness floods network with conflicting location
    claims
  • Signatures prevent spoofing or framing

39
Randomized Multicast Protocol
  • Each node signs and broadcasts its location to
    neighbors
  • Each neighbor forwards location to witness
    nodes
  • Witness chosen at random by selecting random
    geographic point and forwarding message to node
    closest to the point
  • Each neighbor selects witnesses for a
    total of
  • Birthday Paradox implies location claims from a
    cloned node and its clone will collide with high
    probability
  • Conflicting location claims are evidence for
    revoking clones
  • Signatures prevent forgery of location claims

40
Randomized Multicast Detection
Conflict Detected!
41
Randomized Multicast Analysis
P_Detect > 1 - e^(-R)
  • High probability of detection
  • 2 replicas (R = 2), w = √n, P_Detect ≈ 95%
  • Decentralized and randomized
  • Moderate communication overhead
  • Each node's location sent to √n witnesses
  • Path between two random points in the network is
    O(√n) hops on average
  • Results in O(n) message hops per node
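An added simulation of the randomized multicast protocol (example code written for this page, not the authors' simulator): nodes at constructed random positions in a unit square, every location claim for one node ID forwarded to w random witnesses chosen as the node nearest a random point, and a witness that reports a conflict when it holds two claims for the same ID at different locations. Running it with w = sqrt(n) and two replicas reproduces the birthday-paradox detection probability quoted above; signatures are assumed verified before a witness stores a claim.

```python
import random

def deploy(n, rng):
    """Constructed sample network: n stationary nodes at uniform random points in the unit square."""
    return [(rng.random(), rng.random()) for _ in range(n)]

def nearest_node(nodes, point):
    """Geographic-routing abstraction from the slides: the claim is forwarded to the
    node closest to a randomly chosen point, which becomes the witness."""
    px, py = point
    return min(range(len(nodes)), key=lambda i: (nodes[i][0] - px) ** 2 + (nodes[i][1] - py) ** 2)

def random_witnesses(nodes, w, rng):
    return {nearest_node(nodes, (rng.random(), rng.random())) for _ in range(w)}

def witness_check(store, witness, node_id, location):
    """A witness stores the (signed) claims it receives; two claims for the same ID at
    different locations are the conflict that triggers revocation. Signature checks,
    assumed done before this point, stop an attacker from framing an honest node."""
    seen = store.setdefault(witness, {})
    if node_id in seen and seen[node_id] != location:
        return True
    seen.setdefault(node_id, location)
    return False

def replica_detected(nodes, claims, w, rng):
    """One protocol run: each location claim carrying the same node ID reaches w
    witnesses chosen independently at random. Nobody coordinates the choice."""
    store = {}
    for location in claims:
        for wit in random_witnesses(nodes, w, rng):
            if witness_check(store, wit, "captured-node-id", location):
                return True
    return False

def detection_rate(n, replicas, w, trials, seed=1):
    """Fraction of runs with a detected conflict. The original node plus its replicas
    each announce a distinct location; with w = sqrt(n) the birthday paradox makes a
    shared witness likely, which is the slide's 'w = sqrt(n), P_Detect ~ 95%' point."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        nodes = deploy(n, rng)
        claims = [(rng.random(), rng.random()) for _ in range(replicas + 1)]
        hits += replica_detected(nodes, claims, w, rng)
    return hits / trials
```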

42
Line-Selected Multicast Protocol
  • In a sensor network, nodes route data as well as
    collect it
  • Again, neighbors forward location claim to
    witness nodes
  • Each intermediate node checks for a conflict and
    forwards location claim
  • If any two lines intersect, the conflicting
    location claims provide evidence for revoking
    clones

43
Line-Selected Multicast Detection
Conflict Detected!
44
Line-Selected Multicast Analysis
  • High probability of intersection for two randomly
    drawn lines in square area
  • Only need a constant number of lines
  • (e.g., for 5 lines/node, P_Detect ≈ 95%)
  • Decentralized and randomized
  • Minimal communication
  • Line segments O(√n) on average
  • Only requires O(√n) message hops per node
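The line-selected variant, as an added example (again not the authors' code): the route from the claiming node to each witness is approximated by a straight segment, and a conflict is found when a segment carrying one claim crosses a segment carrying a different claim for the same ID, which is why a constant number of lines per claim suffices. It uses the same constructed unit-square deployment as the randomized multicast example and assumes density high enough that crossing routes share a node.

```python
import random

def deploy(n, rng):
    """Constructed sample network: n stationary nodes at uniform random points in the unit square."""
    return [(rng.random(), rng.random()) for _ in range(n)]

def nearest_node(nodes, point):
    """Witness for a claim: the node closest to a random point (geographic routing)."""
    px, py = point
    return min(range(len(nodes)), key=lambda i: (nodes[i][0] - px) ** 2 + (nodes[i][1] - py) ** 2)

def segments_intersect(p1, p2, q1, q2):
    """True when segment p1-p2 properly crosses segment q1-q2 (orientation test)."""
    def orient(a, b, c):
        return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])
    return (orient(q1, q2, p1) * orient(q1, q2, p2) < 0 and
            orient(p1, p2, q1) * orient(p1, p2, q2) < 0)

def claim_lines(nodes, origin, lines, rng):
    """The route from the claiming node to each witness, approximated as a straight
    segment (geographic routing in a dense network). Every node on the route stores
    and checks the claim, not just the witness at the end."""
    return [(origin, nodes[nearest_node(nodes, (rng.random(), rng.random()))])
            for _ in range(lines)]

def line_detected(nodes, claims, lines, rng):
    """Conflict when a route carrying one location claim crosses a route carrying a
    different location claim for the same ID: a node near the crossing sees both.
    This is the continuous approximation behind 'if any two lines intersect'."""
    routes = [claim_lines(nodes, loc, lines, rng) for loc in claims]
    for i in range(len(routes)):
        for j in range(i + 1, len(routes)):
            for a, b in routes[i]:
                for c, d in routes[j]:
                    if segments_intersect(a, b, c, d):
                        return True
    return False

def detection_rate(n, replicas, lines, trials, seed=1):
    """Fraction of runs detecting the replica(s); a constant number of lines per claim
    suffices regardless of n, unlike the sqrt(n) witnesses of randomized multicast."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        nodes = deploy(n, rng)
        claims = [(rng.random(), rng.random()) for _ in range(replicas + 1)]
        hits += line_detected(nodes, claims, lines, rng)
    return hits / trials
```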

45
Theoretical Overhead
46
Evaluation Setup
  • Simulated network of sensor nodes deployed
    uniformly at random
  • Measured average communication per node and
    maximum communication of any node
  • Varied number of nodes from 1,000 to 10,000
  • Varied density of nodes so average number of
    neighbors varied from 10 to 70, with little impact

47
Communication Overhead
48
Detection in Irregular Topologies
  • Line-selected Multicast relies on topology to
    detect replicas, so we ran simulations on
    irregular topologies

49
Probability of Detection in Irregular Topologies
  • 2500 nodes, 1 duplicate
  • 5 witnesses/node

50
Probability of Detection in Irregular Topologies
  • 2500 nodes, 1 duplicate
  • 10 witnesses/node

51
Probability of Detection in Irregular Topologies
  • 2500 nodes, 2 duplicates
  • 5 witnesses/node