Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures



1
Secure Routing in Wireless Sensor Networks
Attacks and Countermeasures
  • Chris Karlof and David Wagner

2
Key Contributions
  • Secure routing issues in WSNs
  • Show how they are different from ad hoc networks
  • Introduce two new classes of attacks
  • Sinkhole attack
  • Hello flood attack
  • Analyze security aspects of major routing
    protocols
  • Discuss countermeasures design considerations
    for secure routing in WSNs

3
WSNs vs. Ad Hoc Networks
  • Multi-hop wireless communications
  • Ad hoc nets: communication between two arbitrary
    nodes
  • WSNs
  • Specialized communication patterns
  • Many-to-one
  • One-to-many
  • Local communication
  • More resource constrained
  • More trust needed for in-network processing,
    aggregation, duplicate elimination

4
Assumptions
  • Insecure radio links
  • Malicious nodes can collude to attack the WSN
  • Sensors are not tamper-resistant
  • Adversary can access all key material, data,
    and code
  • Aggregation points may not be trustworthy
  • Base station is trustworthy

5
Threat Models
  • Device capability
  • Mote class attacker
  • Laptop class attacker: more energy, more powerful
    CPU, sensitive antenna, more radio power
  • Attacker type
  • Outside attacker: external to the network
  • Inside attacker: authorized node in the WSN is
    compromised or malicious

6
Security Goals
  • Secure routing
  • Support integrity, authenticity, availability of
    messages in presence of attack
  • Data confidentiality

7
Potential Attacks
  • Attacks on general WSN routing
  • Attacks on specific WSN protocols

8
Attacks on General WSN Routing Protocols
  • Spoof, alter, or replay routing info.
  • Create loops, attract or repel network traffic,
    partition the network, etc.
  • Message authentication can partly handle these
    issues
  • Selective forwarding
  • Malicious node selectively drops incoming packets

9
Sinkhole attack
  • Specific to WSNs
  • All packets are directed to base station
  • A malicious node advertises a high quality link
    to the base station to attract a lot of packets
  • Enable other attacks, e.g., selective forwarding
    or wormhole attack

10
Sybil attack
  • A single node presents multiple IDs to other
    nodes
  • Affect geographic routing, distributed storage,
    multi-path routing, topology maintenance

11
Wormhole attack
  • Two colluding nodes
  • A node at one end of the wormhole advertises high
    quality link to the base station
  • Another node at the other end receives the
    attracted packets

12
Hello flood attack
  • Specific to WSNs
  • In some protocols, nodes have to periodically
    broadcast hello to advertise themselves
  • Not authenticated!
  • Laptop-class attacker can convince distant nodes
    that it is their neighbor by sending high power
    hello messages

13
Acknowledge spoofing
  • Adversary spoofs ACKs to convince the sender that
    a weak/dead link has good link quality

14
Attacks on Specific Routing Protocols
  • TinyOS beaconing
  • Construct a BFS tree rooted at the base station
  • Beacons are not authenticated
  • Adversary can take over the whole WSN by
    broadcasting beacons

15
Directed diffusion
  • Replay interest
  • Selective forwarding, data tampering
  • Inject false data

16
Geographic routing
  • Adversary can provide false, possibly multiple,
    location info.
  • Create routing loop
  • GEAR considers energy in addition to location
  • Laptop-class attacker can exploit it

17
Countermeasures
  • Shared key link layer encryption
  • Prevent outsider attacks, e.g., Sybil attacks,
    selective forwarding, ACK spoofing
  • Cannot handle insider attacks
  • Wormhole, Hello flood, TinyOS beaconing
  • Sybil attack
  • Every node shares a unique secret key with the
    base station
  • Create pairwise shared key for msg authentication
  • Limit the number of neighbors for a node
  • Hello flood attack
  • Verify link bidirectionality
  • Doesn't work if adversary has very sensitive
    radio

18
Countermeasures
  • Wormhole, sinkhole attack
  • Cryptography may not help directly
  • Good routing protocol design
  • Geographic routing
  • Location verification
  • Use fixed topology, e.g., grid structure
  • Selective forwarding
  • Multi-path routing
  • Route messages over disjoint or braided paths
  • Dynamically pick next hop from a set of
    candidates
  • Measure the trustworthiness of neighbors

19
Countermeasures
  • Authenticated broadcast
  • uTESLA
  • Base station floods blacklist
  • Should be authenticated
  • Adversaries must not be able to spoof

20
Towards Resilient Geographic Routing in WSNs
  • Ke Liu, Nael Abu-Ghazaleh, KD Kang
  • Computer Science Dept.
  • State University of New York at Binghamton

21
Outline
  • Background: Geographic Forwarding
  • Security Threats and Threat Model
  • Localization and Location Verification
  • Secure Trust-based Multi-path Routing
  • Conclusions

22
Geographic Forwarding
  • Keep track of neighbors' locations
  • Forwarding set is set of neighbors closer to
    destination than self
  • Pick next hop as a member of the forwarding set
  • Greedy forwarding: pick closest to destination

23
Geographical Forwarding (2)
  • Local interactions only; no local state
    maintained
  • Can get stuck in voids; void traversal algorithm
    needed (e.g., perimeter routing)
  • We don't consider this aspect of operation

24
Threat Model/Assumptions
  • Two types of nodes
  • Anchors
  • Know their location (e.g., using GPS)
  • Act as reference points for localization
  • Sufficient density to enable localization
  • First assume they are trusted; later relax the
    assumption
  • Sensor Nodes
  • Can be compromised
  • Key pre-distribution to provide cryptographic
    keys
  • Confidentiality, authentication, message
    integrity, can be supported if needed

25
Threat Models/Assumptions (2)
  • GF is different from traditional topology based
    routing protocols
  • We do not consider MAC/physical level attacks
  • Orthogonal techniques apply there
  • Sybil attacks (node claiming multiple locations)
    are possible
  • Blackhole, wormhole and selective forwarding
    attacks are possible

26
Location Verification
  • First contribution of this paper
  • Each node is responsible for reporting its
    location information
  • Trusted to provide the correct information; no
    mechanism to verify using traditional
    localization approaches
  • If nodes can falsify their location, GF breaks
    down
  • Sybil attacks, blackholes, and other attacks
    easily possible
  • Location verification: prevent nodes from lying
    about their location

27
Existing Solution (Sastry et al 2004)
  • Echo Protocol: location challenged by verifier
  • Node responds instantly with ultrasonic pulse
  • Speed of sound allows estimate of distance
  • Includes a nonce sent by the verifier
  • Prevents early response to appear closer
  • Argue that delaying response not possible because
    it moves node into another verifier's region
  • Coarse-grained verification (within region)
  • Requires ultrasound channel

28
Localization via Triangulation
  • Lateration is the calculation of position
    information based on distance measurements from
    three known points (anchors)
  • 2D position requires three distance measurements.
  • Signal Strength, Time of Arrival, Time Difference
    of Arrival, etc. used to estimate distance
  • Triangulation measures angle of arrival

29
Proposed Solution: Anchors Localize
  • Protocol
  • Node transmits localization packet
  • Anchors receive it concurrently; each anchor
    estimates distance to node
  • Anchors exchange estimates to calculate location
  • Localization responsibility moved to trusted
    anchors
  • Location passed to node with certificate or
    supplied by anchors
  • Limitation: range-based localization; range-free
    localization requires extension

30
Possible Attacks (1)
  • Nodes cheat by manipulating the localization
    transmission
  • E.g., in signal power based ranging
  • transmit at higher power to appear closer
  • or lower power to appear farther
  • In TDOA
  • Send ultrasonic pulse before RF pulse to appear
    closer
  • Send RF pulse before ultrasonic to appear further

31
Defense
[Figure: ranges d1, d2, d3, each shown with d+dx and d-dx]
  • Key observation: node will appear closer to, or
    farther from, all anchors concurrently
  • Detectable when anchors exchange ranges
  • Leads to non-feasible location in all non-trivial
    anchor placements
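
The consistency check on this slide, as an added example that is not from the original presentation: three anchors pool their range estimates, solve for a position, and reject the node if the solved position does not match every range. The anchor coordinates, node position, shift of 2.0 and tolerance of 0.5 are constructed values.

```python
import math

def laterate(anchors, ranges):
    """Solve a 2D position from three anchor positions and their ranges."""
    (x1, y1), (x2, y2), (x3, y3) = anchors
    r1, r2, r3 = ranges
    # Subtracting circle 1 from circles 2 and 3 leaves two linear equations.
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = r1**2 - r2**2 + x2**2 + y2**2 - x1**2 - y1**2
    b2 = r1**2 - r3**2 + x3**2 + y3**2 - x1**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        # Trivial placement: collinear anchors cannot fix a 2D position.
        raise ValueError("collinear anchors cannot localize a node")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a21 * b1) / det)

def verify_ranges(anchors, ranges, tolerance=0.5):
    """Return (position, worst residual, accepted).

    The residual is how far the solved position is from satisfying each
    anchor's own range. Honest ranges agree up to ranging noise; ranges
    shifted by the same dx at every anchor do not meet in one point.
    """
    pos = laterate(anchors, ranges)
    worst = max(abs(math.dist(pos, a) - r) for a, r in zip(anchors, ranges))
    return pos, worst, worst <= tolerance

# Constructed scenario: node really at (3, 4), anchors at three corners.
ANCHORS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
HONEST = [math.dist((3.0, 4.0), a) for a in ANCHORS]
CLOSER = [r - 2.0 for r in HONEST]   # node transmits at higher power
FARTHER = [r + 2.0 for r in HONEST]  # node transmits at lower power

if __name__ == "__main__":
    for name, ranges in (("honest", HONEST), ("closer", CLOSER), ("farther", FARTHER)):
        pos, worst, ok = verify_ranges(ANCHORS, ranges)
        print(f"{name}: pos=({pos[0]:.2f}, {pos[1]:.2f}) residual={worst:.2f} accepted={ok}")
```
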

32
Possible Attacks (2)
  • Directional antenna version of previous attack
  • Use directional antenna to send different
    localization beacons to each anchor
  • Other anchors cannot hear the directional packet
  • Falsifying distance to each anchor separately can
    allow undetectable (consistent) forgery
  • Two versions
  • Sequential: attacker sends the beacons
    sequentially to the different anchors
  • Concurrent: attacker has multiple radios and can
    concurrently forge distances

33
Defense
  • Sequential version can be defended by having
    anchors be loosely synchronized
  • Can detect the different time stamps on the
    packets received by the different anchors
  • Concurrent version: challenging
  • A sophisticated attacker with expensive H/W
  • MAC level authentication?
  • Moving anchors?
  • Other sensors detecting inconsistency?

34
Compromising Anchors
  • So far, assumed anchors are trusted
  • If they are compromised
  • they can assist nodes in falsifying their
    location
  • Cause errors in the localization of legitimate
    nodes
  • Correctly evaluating location under byzantine
    failure is a variant of byzantine quorum
  • However, unlike classical byzantine quorum,
    consensus is on an indirect value (location)
  • With n anchors in range, can localize correctly
    if
  • 3 + ceiling((n-3)/2) anchors are not compromised
  • Can use threshold cryptography or similar
    approaches to ensure that a rogue anchor doesn't
    bypass localization process

35
Possible Attacks
  • Mobility attack
  • Localize and obtain a valid localization
    certificate
  • Move to a new location and use the invalid (but
    certified) location to do mischief
  • Or send the certificate to a proxy node that can
    use it
  • Defense
  • Have anchors in an area responsible for supplying
    certified location
  • Place time bounds on location validity
    (energy-security tradeoff)

36
Secure Multi-path Routing

37
Forwarding Misbehavior
  • Misbehaving nodes can mis-route or selectively
    forward packets
  • Can have valid location estimates
  • Since GF is completely localized, problem is
    difficult to detect
  • A node has no idea where the packet should be
    sent beyond its current next hop

38
Proposed Solution
  • Multi-path routing
  • Select next hop probabilistically among
    forwarding set
  • Probability proportional to trust (aka
    reputation)
  • Trust estimate is adapted over time
  • Based on observed behavior of the nodes
  • How to detect misbehavior?

39
Detecting Misbehavior/Updating Trust
  • Trust updated up or down depending on observed
    behavior of neighbors
  • Rebroadcast check
  • A sending node hears if the next hop forwards it
    again
  • Drop reputation if not
  • Not fool proof
  • Can miss rebroadcast due to collision or fading
  • Next hop can pretend to forward the packet to a
    non-existing next hop neighbor
  • (securely building 2-hop neighbor cliques can
    help here)
  • Trust consensus
  • Exchange trust estimates with neighbors among
    neighbors that are trustworthy
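
The trust-weighted next-hop selection and rebroadcast check from the last two slides, as an added example that is not from the original presentation. The topology, the initial trust of 0.5 and the exponential smoothing update with ALPHA are assumptions; the slides do not specify an update rule.

```python
import math
import random

ALPHA = 0.2  # assumed smoothing factor; one missed rebroadcast only dents trust

def forwarding_set(self_pos, dest, neighbors):
    """Neighbors strictly closer to the destination than this node."""
    own = math.dist(self_pos, dest)
    return [n for n, pos in neighbors.items() if math.dist(pos, dest) < own]

def pick_next_hop(candidates, trust, rng):
    """Choose a next hop with probability proportional to its trust."""
    weights = [trust[n] for n in candidates]
    return rng.choices(candidates, weights=weights, k=1)[0]

def update_trust(trust, node, rebroadcast_heard):
    """Move trust toward 1 if the rebroadcast was overheard, else toward 0."""
    observed = 1.0 if rebroadcast_heard else 0.0
    trust[node] = (1 - ALPHA) * trust[node] + ALPHA * observed

def simulate(rounds=500, seed=1):
    """Constructed scenario: sender at (0, 0), destination at (10, 0).

    Neighbor B silently drops every packet; D is farther from the
    destination than the sender, so it never enters the forwarding set.
    """
    neighbors = {"A": (3, 1), "B": (3, -1), "C": (2, 0), "D": (-2, 0)}
    droppers = {"B"}
    trust = {n: 0.5 for n in neighbors}
    rng = random.Random(seed)
    candidates = forwarding_set((0, 0), (10, 0), neighbors)
    sent = {n: 0 for n in candidates}
    for _ in range(rounds):
        hop = pick_next_hop(candidates, trust, rng)
        sent[hop] += 1
        update_trust(trust, hop, hop not in droppers)
    return candidates, trust, sent

if __name__ == "__main__":
    candidates, trust, sent = simulate()
    for n in candidates:
        print(f"{n}: trust={trust[n]:.3f} packets={sent[n]}")
```

The sender keeps probing B at a low rate because its trust never reaches zero, which lets a node that was penalized for collisions recover.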

40
Summary
  • Sybil, blackhole and wormhole attacks require
    location falsification in GF
  • Prevented using location verification mechanism
  • Forwarding misbehavior does not depend on
    location falsification
  • Multi-path routing helps avoid bad paths even
    when misbehaving nodes are not known
  • Building and tracking reputation helps ostracize
    misbehaving nodes

41
Conclusions
  • Presented a verified localization algorithm for
    use in GF in WSNs
  • Specific to range-based localization
  • Outlined a number of attacks and their defense
  • Derived limit for anchor byzantine quorum on
    location
  • Presented a preliminary secure routing protocol
  • Use probabilistic multi-path routing
  • Track trust estimate to discover and avoid bad
    paths

42
Future/Ongoing Work
  • Extend to range-free localization
  • Extend to the case with compromised anchors
  • Extend to void avoidance/face routing
  • Virtual Coordinate routing
  • Initialize node coordinates and use them as
    identifiers and for routing
  • Similar to GF, but some unique and more difficult
    attacks
  • Explore interaction with localization errors
  • Evaluate trust-based multi-path routing on motes

43
Conclusion
  • WSN security is challenging, relatively new area
    of research
  • Problems >> Solutions
  • Any ideas to address challenges?

44
Thank you. Any questions?