Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks

1
Detecting Malicious Beacon Nodes for Secure
Location Discovery in Wireless Sensor Networks

• Presented by
• Akshay Lal

2
Roadmap

• Official terminology.
• THE sensor network.
• Whats the problem ?
• A practical solution.
• Detection of malicious beacon nodes.
• Special considerations.
• Revocation of malicious beacon nodes.
• Performance review.
• Conclusion.

3
Official Terminology

• Beacon node Convey information about location.
• Non-beacon nodes The rest of the network.
• Beacon signals Signal sent out by beacon nodes.
• Detecting beacon node Node performing detection
  on a received signal.
• Target beacon node Node being detected.
• Detecting Id Id used by a detecting beacon node
  to make a target beacon node believe that a
  non-beacon node wants to communicate.

4
THE Sensor Network

• Network constituting spatially distributed
  devices using sensors to monitor conditions
  (temperature, sounds, vibrations, etc.) at
  different locations.
• These sensors are low-cost, low-power,
  multi-functional and communicate within a short
  range.
• Location of the sensor is the critical part of
  the network located using geographical routing
  (GPSR), or some form of location discovery.

5
THE Sensor Network (contd.)

• Naïve methodology for location discovery
• Step I
• Receive beacon signal from beacon nodes.
• Calculate multiple location reference (distance,
  signal strength, time of arrival, etc.) from
  various beacon nodes.
• Step II
• Determine ones own location using the locations
  of the beacon nodes, with minimum error.
• Very straight forward approach but what if a
  malicious node sends an incorrect beacon signal ?

6
And Now The Problem

• A malicious beacon node can provide incorrect
  location reference.
• Non-beacon nodes determine location incorrectly

7
The Problem (contd.)

• Location verification techniques have been
  proposed which can verify relative distances
  between beacon nodes and non-beacon nodes.
• None can ensure correct location discovery in a
  hostile environment (with malicious beacon
  nodes).
• None can remove the impact of a compromised
  beacon node.

8
A Practical Solution

• Detect malicious beacon nodes
• Location of a beacon nodes are known - (x,y).
• Location derived from the beacon signal received
  (using any measurement scheme such as distance)
  (x,y).
• If (x, y) ? (x, y) malicious node caught.
• Using this data filter out replayed beacon
  signals
• Worm hole attacks - tunnel signal packets from
  one part of the network to another, and replay
  the signal packet.
• Locally replayed beacon signal beacon signal
  received from a neighbor node is replayed by the
  malicious node.
• Revoke the malicious beacon nodes.

9
Detection of Malicious Beacon Nodes

• Assumptions
• Communicating nodes share a unique pair-wise key.
• A beacon node cannot distinguish between
  communications with a non-beacon node or another
  beacon node.
• Communication is always bi-directional.
• Beacon signals are unicasted to non-beacon nodes
  and all packets are authenticated using the pair
  wise shared key.

10
Detection of Malicious Beacon Nodes (contd.)

• Beacon nodes use detecting IDs to perform
  detection on a signals it hears from another
  beacon node.

• Detecting Node

• Target Node

• Detecting node
• - estimates distance between itself and target
  node.
• - calculates distance between itself (x, y) and
  (x, y).

• If difference between the two values gt maximum
  distance error
• received signal is malicious hence, target node
  is malicious

11
Special Considerations Thwarting Worm Hole
Attack

• Assumptions
• Worm hole detector installed on every node in the
  network.
• Able to state whether two communicating nodes are
  neighbors or not with certain accuracy.
• Methodology followed
• If signal detected to be malicious a check is
  made for whether it is because of a worm hole
  attack.
• Detecting node calculates distance between itself
  and the location received from the target.
• If calculate distance larger than radio
  communication range the worm hole detector
  determines that a worm hole exists beacon
  signal is a replayed signal and is ignored.
• Drawback is that the worm hole detectors cannot
  ALWAYS guarantee that it can detect a worm hole.

12
Special Considerations Thwarting Locally
Replayed Beacon Signals

• Methodology followed
• The replay of a beacon signal always induce extra
  delay.
• This can be detected by using the Round Trip Time
  between two nodes.

• Detecting Node

• Target Node

• Detecting node calculates RTT (t4 - t1) (t3 -
  t2)

13
Special Considerations Thwarting Locally
Replayed Beacon Signals (contd.)

• RTT is not affected by the MAC protocol or any
  processing delay hence, the distribution of RTT
  is within a narrow range

• Xmin maximum value for X such that F(x) 0

• Xmax minimum value for X such that F(x) 1

• Xmax

Transmission time per clock pulse 384 clock
cycles Xmin 1,951 Xmax 7,506

• Xmin

• Detection is possible for any replayed signal if
  delay introduced
• is longer than transmission time for 14.5 bits

14
The Algorithm Thus Far

• Detecting Node

• Target Node

• - if difference between distances gt maximum
  distance error
• Then signal is malicious Check for worm
  hole attack.
• - if Target node passes worm hole detector
• Check for locally replayed beacon signal.
• Calculate RTT based on response time from Target

• if RTT Xmax Then
• Beacon signal is considered not locally replayed.
• elseif RTT gt Xmax Then
• Beacon signal is considered locally replayed.

15
Revocation of Malicious Beacon Nodes

• Assumption
• The base station has a method to revoke malicious
  beacon nodes.
• Each node shares a unique key with the beacon
  node.
• Methodology followed
• All alerts constitute the IDs of both the
  detecting and target node.
• Base stations constitutes a table with an entry
  for each beacon node.
• Associated with them is an alert counter and a
  report counter.
• Alert Counter records suspiciousness of a
  beacon node.
• Report Counter records number of alerts
  reported by a node and accepted by the base
  station.
• For every received alert the Report Counter for
  the detecting node is increased.
• Beacon nodes with a high Alert Degree are
  considered malicious.
• A threshold is set for the maximum allowable
  alerts against a node after which the beacon node
  is revoked.

16
Revocation of Malicious Beacon Nodes A Subtle
Issue to Consider

• Two thresholds exist
• G maximum limit for alerts against a beacon
  node.
• ? maximum limit for reports sent by a beacon
  node.
• Reason for two thresholds
• Malicious beacon node tires to revoke a
  non-malicious beacon node.
• This will cause the value of G to increase upto
  threshold - G.
• Beacon node will revoke the beacon node but will
  still accept alerts from that node until report
  count reaches threshold - ? .
• Also the number of reports sent by any beacon
  node cannot exceed ?, hence a malicious node
  cannot revoke ALL the non-malicious beacon nodes
  before getting revoked itself.

17
Performance Review Notations for Node Detection

• Pd Detection rate of the worm hole detector.
• Pr Detection rate of a malicious node by a
  detecting node.
• Pn Fraction of nodes that receive the malicious
  beacon signal.
• Pw Fraction of the nodes that are convinced of a
  worm hole.
• Pl Fraction of the nodes that are convinced the
  signal is locally replayed.
• P The probability that a node receives a signal
  from a malicious node which is not removed by the
  replay detector.
• m Number of Ids for a detecting node.

18
Performance Review Node Detection

• Detection Mechanism Analysis
• Computational and storage overhead is mainly due
  to key establishment protocols and cryptographic
  operations.
• The probability of a beacon node reporting an
  alert for a non-malicious beacon node is 1-Pd, if
  a worm hole exits and 0 is no worm hole exists.
• Probability that a non-malicious detecting node
  will send an alert for a malicious beacon node,
  considering the detecting node has m detecting
  Ids is 1 ( 1- ( 1 Pn ) ( 1 Pw ) ( 1 Pl )
  )m
• Probability that a node receives a beacon from a
  malicious node which is not caught by the replay
  detector is P ( 1 Pn ) ( 1 Pw ) ( 1 Pl )
  .
• Relationship between Pr and P Pr 1 ( 1 P )m

• Conclusion I
• Cannot increase P without simultaneously
• increasing Pr.

19
Performance Review Notations for Node Revocation

• N Total number of sensor nodes.
• Na Total number of malicious beacon nodes.
• Nb Total number of beacon nodes.
• Nc Total number of nodes that send requests to a
  malicious beacon nodes.
• Nw Number of pairs affected by a worm hole
  attack.
• N Average number of affected nodes.
• P Probability of accepting a signal from a
  revoked node.
• Pd Detection rate.
• Pr Probability of reporting an error.
• Pa Probability of the base station having an
  alert against a malicious node.
• P1 P2 Probability that the report counter of a
  non-malicious node increases by 1 / 2 when
  reporting a malicious node.

20
Performance Review Notations for Node Revocation

• Node Revocation Analysis
• A beacon nodes only reports about other within
  its communication range hence the storage and
  communication overhead is very limited.
• The detection rate or probability that a
  malicious beacon node will be revoked is
• Where

• Conclusion II
• Detection rate increase as a node
• continues to behave maliciously.
• Conclusion III
• As G increases detection rate
• decreases.
• Conclusion IV
• And as m increases detection rate
• Increases.

21
Performance Review Notations for Node
Revocation (contd.)

• Effect of an increase in Nc on the detection
  rate.
• Relation between P and N.

• Conclusion V
• As the number of requesting nodes to a
• malicious node increase, detection rate
• increases due to the increase in number
• of alerts sent.

• Conclusion VI
• As G increases N and P increase.
• As m increases N and P decrease.

22
Performance Review Notations for Node
Revocation (contd.)

• Effect on N when P is chosen so that P is
  maximized
• The average number of non-malicious nodes revoked
  by the base station is at most
• The reference used to define G and ?

• Conclusion VII
• Initially N increases fast but after a point it
  decreases due to the increase in the number of
  request serviced.
• Conclusion VIII
• N decreases when threshold G decreases.

• Conclusion IX
• The threshold for ? and G can be obtained by the
  above analysis, which should satisfy the
  condition on low Nf or by chosing ? and G that
  yield a minimum Nf, given Pd, Nw and Na.

23
Performance Review Implementation on TinyOs

• Simulation results obtained from Nido (TinyOS
  simulator) conform to the theoretical values
  some having a small difference but in general the
  results are close to what was expected.
• Receiver Operating Characteristic curves
  (ROC-curves)

Conclusion X Most of the beacon nodes are
detected with small false positives however, as
the network continues to get compromised, the
performance degrades accordingly.
G and ? were varied and P is configured such that
N is maximized.
24
And in Conclusion

• Many protocols exist today, that help in location
  discovery such as AHLos, coarse-grained
  localization schemes etc. None work properly in
  hostile environments wherein malicious nodes
  jeopardize the location discovery.
• SERLOC (SEcure Range-independent LOCalization for
  wireless sensor networks) is a secure range free
  localization technique, but it cannot detect and
  remove malicious beacon nodes.
• In this paper localization is protected by
  detecting compromised beacon nodes. Methods
  adopted are very simple yet effective, and
  efficiency is guaranteed within the constraints
  of a sensors battery life and limited memory.
• Future work can be aimed at more efficient ways
  of reducing the false alert rate and methods to
  revoke malicious nodes without using the base
  station.