Detecting Malicious Activity in Wireless Sensor Networks Adrian Perrig perrigcmu'edu

1
Detecting Malicious Activity in Wireless Sensor
NetworksAdrian Perrigperrig_at_cmu.edu
2
Self-Evident Truths

• If you disagree with any of these, speak up now
  or remain silent until after this talk ?
• Sensor networks are in wide-spread use today
• Sensor networks will soon be commonly used
• Sensor nodes continue to be severely
  resource-constrained
• Wireless communication is easy to attack
  (eavesdropping or packet injection)
• Security is needed for most applications
• User privacy is an important issue in many
  applications

3
Wired Sensor Network

• Many critical infrastructures rely on wired
  sensors for everyday operation
• Burglar alarm in museum
• Semiconductor fabrication plant
• Chemical manufacturing plant, oil refinery
• Fire alarm in hotels

4
Drawbacks of Wired Network

• Expensive to deploy
• Expensive to maintain
• Upgrade
• Replace
• Wires can introduce failures
• Wires are costly

• Wireless networks are more cost effective!

5
Wireless Sensor Network

• Autonomous
• Self-configuring
• Self-calibrating
• Self-identifying
• Self-reorganizing
• Low maintenance
• Easy upgrade

• Small, inexpensive
• Limited
• CPU 1 8 MHz
• Radio 40 250 kbs
• Memory 48 124 KB
• Battery life
• Radio more expensive
• Respond to dynamic conditions
• Operate in harsh conditions

6
Example Hotel Sensor Network

• Every room is equipped with a sensor node
  measuring light intensity, temperature, and
  humidity
• Applications
• Determine occupancy to direct fire fighters
• Detect energy drainage caused by open windows
• Detect water leaks
• Detect break-ins
• Detect fire

7
Need for Security?

• Hotel sensor network simply sends all sensed
  information over wireless network to base
  station, without using encryption
• Security not necessary, right?
• Wrong!

8
Private Information Disclosure

• Much private information is leaked by
  temperature, humidity, and light measurements
• Light intensity readings
• Shadows can reveal information about motion of
  people
• Coarse-grained light intensity values can reveal
  TV channel
• Humidity readings may reveal
• Presence of people
• People talking

9
Example Terrorist Attacks

• Example attack on oil refinery
• Attacker forges pressure/temperature readings
• Control center processes fake data
• Control center performs incorrect operation
  (continually increase temperature, pressure)
• Other critical infrastructures may also be
  targets (e.g., power plant, water supply)

10
Industrial Espionage

• Foreign competitor monitors inventory
• Detect production volume
• Determine potential manufacturing problems
• Threat to corporations whose livelihood depends
  on information

11
Security is Important!

• Even for seemingly benign hotel application,
  security is crucial
• Some may argue that same issues exist without
  sensor network
• Can easily listen on door, try to spy through
  window
• However, sensors make large-scale attacks
  trivial!
• Easily obtain instant information about entire
  hotel
• Also allows attacker to launch remote attacks
• Listening by the door requires attacker to be
  physically present

12
Importance of Security in Sensor Applications

• Manufacturing applications prevent competitor
  from detecting production volumes or potential
  manufacturing problems
• Pollution monitoring prevent data tampering
• Healthcare applications privacy!
• Power grid surveillance prevent malicious data
  injection

13
Attacker Model Gligor

• Standard Dolev-Yao adversary controls network
• Man-in-the-middle read, replay, block, modify
• Send/receive any message to/from any principal
• New sensor network adversary
• Principals may be malicious
• Attacker may selectively compromise fraction of
  nodes
• Insert replicas of nodes

14
Generic Attacks

• Also need to defend against generic attacks
• Denial-of-service attacks
• Battery-drainage attacks
• Sybil attacks
• Node replication attacks

15
Standard Security Protocols

• Why not simply leverage standard security
  protocols? SSL/TLS, SSH, IPsec work just fine.
• Challenge severe resource constraints!
• Limited battery lifetime
• Limited processing
• Limited memory capacity
• Asymmetric cryptographicoperations are orders of
  magnitudeslower than symmetric operations
• Sensor deployed in unprotectedareas without
  tamperproof hardware

16
Sensor Nets vs. Ad Hoc Nets

• Limited computation(slow 8- or 16-bit µC)
• Limited bandwidth
• Large size (thousands of nodes)
• Usually immobile
• One administrative domain
• Unattended, nodes may be physically compromised

• Abundant computation (notebook/PDA nodes)
• High bandwidth
• Medium-sized (hundreds of nodes)
• Usually mobile
• Various administrative domains
• Each node equipped with human protecting it
  (tampering not an issue)

17
Sensor Network Advantages

• Is sensor network security much harder than ad
  hoc network security?
• Fortunately, sensor networks have features that
  support security
• Single deploying entity, single trust domain
• Large-scale time-consuming to physically
  compromise large fraction of nodes
• High redundancy tolerate small fraction of
  compromised nodes
• Approximate results ok

18
Goal Secure Sensor Network

• Assume commodity low-cost sensors
• Provide simple configuration and maintenance
• Tolerate installation errors by non-expert
  installer
• Provide availability of application, integrity
  and secrecy of information, even against a highly
  capable attacker
• This talk study approaches to detect and
  tolerate compromised sensor nodes

19
Roadmap

• Brief introduction
• ZigBee current industry standard
• Detecting malicious nodes
• Detecting node replication attacks
• Secure data aggregation
• Software-based attestation

20
Secure Communication

• Basic security primitive secret and authentic
  node-to-node communication
• Encrypt/authenticate every data packet

21
Secure Node-to-Node Communication

• Goal Provide secure communication while
  minimizing energy cost
• Assumptions
• Trusted base station
• Communicating nodes share secret key
• Approaches
• SPINS SNEP
• TinySec
• ZigBee

22
SPINS - SNEP

• SPINS Secure Protocols for Inter-Networked
  Sensors, with Szewczyk, Wen, Culler, Tygar
  Mobicom 2001
• Goal basic secure communication feasible on
  resource-constrained sensor network
• SNEP Sensor Network Encryption Protocol
• Base-station-centric security model
• Each node shares secret key with base station
• Node-to-node keys are set up through base station
• Provides secrecy, authenticity, replay
  protection
• Based on RC5 block cipher
• Relies on synchronized counters (IVs)

23
SNEP Protocol Details

• A and B share
• Encryption keys KAB KBA
• MAC keys K'AB K'BA
• Counters CA CB
• To send data D, A sends to BA ? B DltKAB ,
  CAgt MAC( K'AB , CA DltKAB, CAgt )

24
TinySec

• By Karlof, Sastry, Wagner Sensys 2004
• Provides secrecy and authenticity, but no replay
  protection
• Design decision send 2-byte initialization
  vector (IV) in each packet
• In contrast, SNEP assumes synchronized IV
• Per-packet IV has advantage in environments with
  very high packet loss
• Uses Skipjack block cipher

25
ZigBee

• ZigBee security based on trust center
• Network key is secret shared by all nodes, used
  for broadcast messages or when no link key is set
  up
• Link key is pairwise shared secret key, used for
  node-to-node secure communication

26
ZigBee

• Uses AES as the underlying block cipher
• Set up node-to-node shared secret keys through
  trust center
• Provides secrecy, authenticity, replay
  protection
• Does not define
• Secure initial key setup mechanism
• Secure routing protocol
• Not secure against compromised nodes!
• No attempt to detect compromised nodes

27
Roadmap

• Brief introduction
• ZigBee current industry standard
• Detecting malicious nodes
• Detecting node replication attacks
• Secure data aggregation
• Software-based attestation

28
Detecting Node Replication Attacks

• Goal detect cloned nodes in a distributed
  fashion
• Distributed Detection of Node Replication
  Attacks in Sensor Networks with Bryan Parno and
  Virgil Gligor, published at IEEE Security and
  Privacy Symposium 2005.

29
Problem Definition

• Replication Attacks
• Capturing many nodes is hard
• Instead, capture one node and copy it
• Other attacks not in scope of this work
• Introducing nodes with new IDs is readily
  preventable
• Admin provides each node with a certificate
• ID based on keys
• Other Sybil defenses
• Partitioning attacks
• We assume legitimate nodes
• form a connected component

30
Replication Attacks are Easy

• Only need to capture one node
• Offline attack to extract nodes secrets
• Transfer secrets to generic nodes
• Deploy clones

31
Repercussions

• Clones know everything compromised node knew
• Adversary can
• Inject false data or suppress legitimate data
• Spread blame for abnormal behavior
• Revoke legitimate nodes using aggregated voting
• Monitor communication

32
Our Contributions

• Thwart replication attacks using entirely
  distributed mechanisms
• First use of emergent algorithms to provide
  robust security properties in sensor networks
• Resilient even against an adaptive adversary
• (i.e., adversary knows the protocol and can
  selectively compromise additional sensors)
• Relies on Birthday Paradox and network topology
• No central points of failure
• Efficient Solutions
• Comparable to centralized detection

33
Assumptions

• Public key infrastructure
• Occasional elliptic curve cryptography is
  reasonable Sizzle, Malan04
• Can be replaced with symmetric mechanisms
• Network employs geographic routing
• Does not require GPS! Doherty01
• Works with synthetic coordinates Rao03,
  Newsome03
• Nodes are primarily stationary

34
Goals

• Detect replication with high probability
• After protocol concludes, legitimate nodes
  revoked replicas
• Secure against adaptive adversary
• Unpredictable to adversary
• No central points of failure
• Minimize communication overhead

35
Previous Approaches Insufficient

• Central Detection EscGli02
• Each node sends neighbor list to a central base
  station
• Base station searches lists for duplicates
• Disadvantages
• Some applications may not use base stations
• Single point of failure
• Exhausts nodes near base station (and makes them
  attack targets)

36
Previous Approaches Insufficient

• Localized Detection ChPeSo03
• Neighborhoods use local voting protocols to
  detect replicas
• Disadvantage
• Replication is a global event that cannot be
  detected in a purely local fashion

37
Emergent Properties

• Properties that only emerge through collective
  action of multiple nodes
• Highly robust
• No central point of failure
• Difficult for adversary to attack
• Emergent behavior is an attractive approach for
  thwarting an unpredictable and adaptive adversary

38
Approach Overview

• Step 1 Announce locations
• Each node signs and broadcasts its location to
  neighbors
• Location (x,y), virtual coordinates, or
  neighbor list
• Nodes must participate or neighbors will
  blacklist them
• Step 2 Detect replicas
• Uses emergent protocol
• Ensures at least one witness node receives two
  conflicting location claims
• Step 3 Revoke replicas
• Witness floods network with conflicting location
  claims
• Signatures prevent spoofing or framing

39
Randomized Multicast Protocol

• Each node signs and broadcasts its location to
  neighbors
• Each neighbor forwards location to witness
  nodes
• Witness chosen at random by selecting random
  geographic point and forwarding message to node
  closest to the point
• Each neighbor selects witnesses for a
  total of
• Birthday Paradox implies location claims from a
  cloned node and its clone will collide with high
  probability
• Conflicting location claims are evidence for
  revoking clones
• Signatures prevent forgery of location claims

40
Randomized Multicast Detection
Conflict Detected!
41
Randomized Multicast Analysis
PDetect gt 1 e -R

• High probability of detection
• 2 replicas (R2), w n, PDetect 95,
• Decentralized and randomized
• Moderate communication overhead
• Each nodes location sent to n witnesses
• Path between two random points in the network is
  O( n ) hops on average
• Results in O(n) message hops per node

42
Line-Selected Multicast Protocol

• In a sensor network, nodes route data as well as
  collect it
• Again, neighbors forward location claim to
  witness nodes
• Each intermediate node checks for a conflict and
  forwards location claim
• If any two lines intersect, the conflicting
  location claims provide evidence for revoking
  clones

43
Line-Selected Multicast Detection
Conflict Detected!
44
Line-Selected Multicast Analysis

• High probability of intersection for two randomly
  drawn lines in square area
• Only need a constant number of lines
• (e.g., for 5 lines/node, PDetect 95)
• Decentralized and randomized
• Minimal communication
• Line segments O( n) on average
• Only requires O( n) message hops per node

45
Theoretical Overhead
46
Evaluation Setup

• Simulated network of sensor nodes deployed
  uniformly at random
• Measured average communication per node and
  maximum communication of any node
• Varied of nodes from 1,000 to 10,000
• Varied density of nodes so average of neighbors
  varied from 10-70, with little impact

47
Communication Overhead
48
Detection in Irregular Topologies

• Line-selected Multicast relies on topology to
  detect replicas, so we ran simulations on
  irregular topologies

49
Probability of Detection in Irregular Topologies

• 2500 nodes, 1 duplicate
• 5 witnesses/node

50
Probability of Detection in Irregular Topologies

• 2500 nodes, 1 duplicate
• 10 witnesses/node

51
Probability of Detection in Irregular Topologies

• 2500 nodes, 2 duplicates
• 5 witnesses/node