Title: Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks
1Detecting Malicious Beacon Nodes for Secure
Location Discovery in Wireless Sensor Networks
2Roadmap
- Official terminology.
- THE sensor network.
- Whats the problem ?
- A practical solution.
- Detection of malicious beacon nodes.
- Special considerations.
- Revocation of malicious beacon nodes.
- Performance review.
- Conclusion.
3Official Terminology
- Beacon node Convey information about location.
- Non-beacon nodes The rest of the network.
- Beacon signals Signal sent out by beacon nodes.
- Detecting beacon node Node performing detection
on a received signal. - Target beacon node Node being detected.
- Detecting Id Id used by a detecting beacon node
to make a target beacon node believe that a
non-beacon node wants to communicate.
4THE Sensor Network
- Network constituting spatially distributed
devices using sensors to monitor conditions
(temperature, sounds, vibrations, etc.) at
different locations. - These sensors are low-cost, low-power,
multi-functional and communicate within a short
range. - Location of the sensor is the critical part of
the network located using geographical routing
(GPSR), or some form of location discovery.
5THE Sensor Network (contd.)
- Naïve methodology for location discovery
- Step I
- Receive beacon signal from beacon nodes.
- Calculate multiple location reference (distance,
signal strength, time of arrival, etc.) from
various beacon nodes. - Step II
- Determine ones own location using the locations
of the beacon nodes, with minimum error. - Very straight forward approach but what if a
malicious node sends an incorrect beacon signal ?
6And Now The Problem
- A malicious beacon node can provide incorrect
location reference. - Non-beacon nodes determine location incorrectly
7The Problem (contd.)
- Location verification techniques have been
proposed which can verify relative distances
between beacon nodes and non-beacon nodes. - None can ensure correct location discovery in a
hostile environment (with malicious beacon
nodes). - None can remove the impact of a compromised
beacon node.
8A Practical Solution
- Detect malicious beacon nodes
- Location of a beacon nodes are known - (x,y).
- Location derived from the beacon signal received
(using any measurement scheme such as distance)
(x,y). - If (x, y) ? (x, y) malicious node caught.
- Using this data filter out replayed beacon
signals - Worm hole attacks - tunnel signal packets from
one part of the network to another, and replay
the signal packet. - Locally replayed beacon signal beacon signal
received from a neighbor node is replayed by the
malicious node. - Revoke the malicious beacon nodes.
9Detection of Malicious Beacon Nodes
- Assumptions
- Communicating nodes share a unique pair-wise key.
- A beacon node cannot distinguish between
communications with a non-beacon node or another
beacon node. - Communication is always bi-directional.
- Beacon signals are unicasted to non-beacon nodes
and all packets are authenticated using the pair
wise shared key.
10Detection of Malicious Beacon Nodes (contd.)
- Beacon nodes use detecting IDs to perform
detection on a signals it hears from another
beacon node.
- Detecting node
- - estimates distance between itself and target
node. - - calculates distance between itself (x, y) and
(x, y). -
- If difference between the two values gt maximum
distance error - received signal is malicious hence, target node
is malicious
11Special Considerations Thwarting Worm Hole
Attack
- Assumptions
- Worm hole detector installed on every node in the
network. - Able to state whether two communicating nodes are
neighbors or not with certain accuracy. - Methodology followed
- If signal detected to be malicious a check is
made for whether it is because of a worm hole
attack. - Detecting node calculates distance between itself
and the location received from the target. - If calculate distance larger than radio
communication range the worm hole detector
determines that a worm hole exists beacon
signal is a replayed signal and is ignored. - Drawback is that the worm hole detectors cannot
ALWAYS guarantee that it can detect a worm hole.
12Special Considerations Thwarting Locally
Replayed Beacon Signals
- Methodology followed
- The replay of a beacon signal always induce extra
delay. - This can be detected by using the Round Trip Time
between two nodes.
- Detecting node calculates RTT (t4 - t1) (t3 -
t2)
13Special Considerations Thwarting Locally
Replayed Beacon Signals (contd.)
- RTT is not affected by the MAC protocol or any
processing delay hence, the distribution of RTT
is within a narrow range
- Xmin maximum value for X such that F(x) 0
- Xmax minimum value for X such that F(x) 1
Transmission time per clock pulse 384 clock
cycles Xmin 1,951 Xmax 7,506
- Detection is possible for any replayed signal if
delay introduced - is longer than transmission time for 14.5 bits
14The Algorithm Thus Far
- - if difference between distances gt maximum
distance error - Then signal is malicious Check for worm
hole attack. - - if Target node passes worm hole detector
- Check for locally replayed beacon signal.
- Calculate RTT based on response time from Target
- if RTT Xmax Then
- Beacon signal is considered not locally replayed.
- elseif RTT gt Xmax Then
- Beacon signal is considered locally replayed.
15Revocation of Malicious Beacon Nodes
- Assumption
- The base station has a method to revoke malicious
beacon nodes. - Each node shares a unique key with the beacon
node. - Methodology followed
- All alerts constitute the IDs of both the
detecting and target node. - Base stations constitutes a table with an entry
for each beacon node. - Associated with them is an alert counter and a
report counter. - Alert Counter records suspiciousness of a
beacon node. - Report Counter records number of alerts
reported by a node and accepted by the base
station. - For every received alert the Report Counter for
the detecting node is increased. - Beacon nodes with a high Alert Degree are
considered malicious. - A threshold is set for the maximum allowable
alerts against a node after which the beacon node
is revoked.
16Revocation of Malicious Beacon Nodes A Subtle
Issue to Consider
- Two thresholds exist
- G maximum limit for alerts against a beacon
node. - ? maximum limit for reports sent by a beacon
node. - Reason for two thresholds
- Malicious beacon node tires to revoke a
non-malicious beacon node. - This will cause the value of G to increase upto
threshold - G. - Beacon node will revoke the beacon node but will
still accept alerts from that node until report
count reaches threshold - ? . - Also the number of reports sent by any beacon
node cannot exceed ?, hence a malicious node
cannot revoke ALL the non-malicious beacon nodes
before getting revoked itself.
17Performance Review Notations for Node Detection
- Pd Detection rate of the worm hole detector.
- Pr Detection rate of a malicious node by a
detecting node. - Pn Fraction of nodes that receive the malicious
beacon signal. - Pw Fraction of the nodes that are convinced of a
worm hole. - Pl Fraction of the nodes that are convinced the
signal is locally replayed. - P The probability that a node receives a signal
from a malicious node which is not removed by the
replay detector. - m Number of Ids for a detecting node.
18Performance Review Node Detection
- Detection Mechanism Analysis
- Computational and storage overhead is mainly due
to key establishment protocols and cryptographic
operations. - The probability of a beacon node reporting an
alert for a non-malicious beacon node is 1-Pd, if
a worm hole exits and 0 is no worm hole exists. - Probability that a non-malicious detecting node
will send an alert for a malicious beacon node,
considering the detecting node has m detecting
Ids is 1 ( 1- ( 1 Pn ) ( 1 Pw ) ( 1 Pl )
)m - Probability that a node receives a beacon from a
malicious node which is not caught by the replay
detector is P ( 1 Pn ) ( 1 Pw ) ( 1 Pl )
. - Relationship between Pr and P Pr 1 ( 1 P )m
- Conclusion I
- Cannot increase P without simultaneously
- increasing Pr.
19Performance Review Notations for Node Revocation
- N Total number of sensor nodes.
- Na Total number of malicious beacon nodes.
- Nb Total number of beacon nodes.
- Nc Total number of nodes that send requests to a
malicious beacon nodes. - Nw Number of pairs affected by a worm hole
attack. - N Average number of affected nodes.
- P Probability of accepting a signal from a
revoked node. - Pd Detection rate.
- Pr Probability of reporting an error.
- Pa Probability of the base station having an
alert against a malicious node. - P1 P2 Probability that the report counter of a
non-malicious node increases by 1 / 2 when
reporting a malicious node.
20Performance Review Notations for Node Revocation
- Node Revocation Analysis
- A beacon nodes only reports about other within
its communication range hence the storage and
communication overhead is very limited. - The detection rate or probability that a
malicious beacon node will be revoked is - Where
- Conclusion II
- Detection rate increase as a node
- continues to behave maliciously.
- Conclusion III
- As G increases detection rate
- decreases.
- Conclusion IV
- And as m increases detection rate
- Increases.
21Performance Review Notations for Node
Revocation (contd.)
- Effect of an increase in Nc on the detection
rate. - Relation between P and N.
- Conclusion V
- As the number of requesting nodes to a
- malicious node increase, detection rate
- increases due to the increase in number
- of alerts sent.
- Conclusion VI
- As G increases N and P increase.
- As m increases N and P decrease.
22Performance Review Notations for Node
Revocation (contd.)
- Effect on N when P is chosen so that P is
maximized - The average number of non-malicious nodes revoked
by the base station is at most - The reference used to define G and ?
- Conclusion VII
- Initially N increases fast but after a point it
decreases due to the increase in the number of
request serviced. - Conclusion VIII
- N decreases when threshold G decreases.
- Conclusion IX
- The threshold for ? and G can be obtained by the
above analysis, which should satisfy the
condition on low Nf or by chosing ? and G that
yield a minimum Nf, given Pd, Nw and Na.
23Performance Review Implementation on TinyOs
- Simulation results obtained from Nido (TinyOS
simulator) conform to the theoretical values
some having a small difference but in general the
results are close to what was expected. - Receiver Operating Characteristic curves
(ROC-curves)
Conclusion X Most of the beacon nodes are
detected with small false positives however, as
the network continues to get compromised, the
performance degrades accordingly.
G and ? were varied and P is configured such that
N is maximized.
24And in Conclusion
- Many protocols exist today, that help in location
discovery such as AHLos, coarse-grained
localization schemes etc. None work properly in
hostile environments wherein malicious nodes
jeopardize the location discovery. - SERLOC (SEcure Range-independent LOCalization for
wireless sensor networks) is a secure range free
localization technique, but it cannot detect and
remove malicious beacon nodes. - In this paper localization is protected by
detecting compromised beacon nodes. Methods
adopted are very simple yet effective, and
efficiency is guaranteed within the constraints
of a sensors battery life and limited memory. - Future work can be aimed at more efficient ways
of reducing the false alert rate and methods to
revoke malicious nodes without using the base
station.