Security of Sensor Networks

Slides: 91
Provided by: elitza
Learn more at: http://www.truststc.org

1
Security of Sensor Networks
  • Tanya Roosta
  • TRUST Seminar
  • UC Berkeley, November 9, 2006

2
Overview
  • Taxonomy of attacks on sensor networks
  • Convergence analysis of Reweighted-Tree
    sum-product algorithms
  • Time synchronization security
  • Reputation system for tracking
  • Game theory

3
Overview
  • Taxonomy of attacks on sensor networks
  • Convergence analysis of Reweighted-Tree
    sum-product algorithms
  • Time synchronization security
  • Reputation system for tracking
  • Game theory

4
Background on Sensor Network
  • Wireless networks consist of a large number of
    motes
  • self-organizing, highly integrated with changing
    environment and network
  • Highly Constrained resources
  • processing, storage, bandwidth, power
  • Facilitate large scale deployment
  • Health care
  • Surveillance
  • Critical infrastructure

5
Motivation
  • Sometimes deployed in hostile environment, and
    have random topology
  • Vision is to integrate sensors into critical
    infrastructure, such as wireless Supervisory
    Control And Data Acquisition systems (SCADA)
  • Traditional security techniques can not be
    applied because

6
Challenges Unique to Sensor Networks
  • Random Topology
  • Secure aggregation
  • Context privacy [PMRBSSW06]
  • Scalability of trust/key management schemes
  • Power and computation efficiency

[PMRBSSW06] Sameer Pai, Marci Meingast, Tanya
Roosta, Sergio Bermudez, Shankar Sastry, Stephen
Wicker. Privacy in Sensor Networks: A Focus On
Transactional Information. Under submission to
IEEE Security and Privacy Magazine
7
Security Attacks on Sensor Networks
  • Need to have a comprehensive taxonomy of security
    and confidentiality attacks on sensor networks to
    describe [RSS06]:
  • Attacker's goal
  • Trust model
  • Security requirements
  • Various types of attacks
  • [RSS06] Tanya Roosta, Shiuhpyng Shieh, Shankar
    Sastry. "Taxonomy of Security Attacks on Sensor
    Networks". IEEE International Conference on
    System Integration and Reliability Improvements,
    2006

8
Attacker's Goal
  • Eavesdropping (outsider attacker)
  • Disruption of applications (insider attacker)
  • Subverting a subset of sensor nodes (insider
    attacker)

9
Trust Model
  • There is usually a central base station that
    gathers all the data reported by the sensor nodes
  • Only trust assumption: the base station is
    trustworthy
  • No other trust requirement is placed

10
Security Requirements
  • Confidentiality
  • Authentication
  • Integrity
  • Freshness
  • Secure Group Management
  • Availability
  • Graceful degradation

11
Cryptography
  • Cryptography is the first line of defense
  • Cryptography helps with message integrity,
    authentication, and confidentiality
  • TinySec: symmetric key cryptographic algorithm
  • TinyECC: Elliptic Curve Cryptography (ECC)
  • Cryptography can not solve all the problems of
    security in sensor networks

12
Security Attacks
  • Attacks can be categorized into [RSS06]:
  • Attacks on the sensor mote
  • Attacks on the protocols and applications

13
Attacks on the Sensor Mote
  • Non-invasive: the embedded device is not
    physically tampered with
  • Side-channel attack
  • Invasive: reverse engineering followed by probing
    techniques
  • Extract cryptographic keys
  • Exploit software vulnerabilities
  • Memory access control

14
Attacks on Protocols/Applications
  • Denial of service
  • Traffic analysis
  • Time synchronization
  • Key management protocols
  • Data aggregation protocols
  • Comprehensive list in [RSS06]

15
Overview
  • Taxonomy of attacks on sensor networks
  • Convergence analysis of Reweighted-Tree
    sum-product algorithms
  • Time synchronization security
  • Reputation system for tracking
  • Game theory

16
Graphical Models
  • In probabilistic graphical models, the nodes are
    random variables, and arcs (or lack of them)
    encodes the conditional independence of these
    random variables
  • Specify a joint
    probability distribution among random variables

17
Graphical Models in Sensor Networks
  • Graphical models useful for distributed fusion in
    sensor networks [CCFIMWW06]
  • Well-suited for sensor network structure
  • Scalable inference algorithm, new message-passing
    algorithms
  • Parallel message-passing

[CCFIMWW06] M. Cetin, L. Chen, J. W. Fisher, A.
T. Ihler, R. L. Moses, M. J. Wainwright, A.
Willsky. Distributed Fusion in Sensor
Networks. IEEE Signal Processing Magazine, July
2006.
18
Inference on Graphical Models
  • Calculating posterior marginals is NP-hard
  • Junction Tree algorithm finds exact marginals,
    but is computationally expensive
  • Standard Belief Propagation (BP) is used as an
    approximate inference algorithm

19
Tree-Reweighted Sum-Product Algorithm
  • TRW is a broader class of approximate inference
    algorithms
  • Message adjusted by edge-based weights
  • The weights are ρ_ts ∈ [0,1]
  • Computational complexity identical to BP
  • ρ = 1 recovers the standard BP

[WJW05] M. J. Wainwright and T. S. Jaakkola and
A. S. Willsky. "A new class of upper bounds on
the log partition function". IEEE Trans. Info.
Theory, 2005.
20
Advantages of TRW
  • For suitable choices of ρ, TRW, in sharp contrast
    to BP, always has a unique fixed point for any
    graph and any dependency strength
  • Additional benefit
  • Message-passing updates tend to be more stable
  • Faster convergence rate

21
TRW in Sensor Networks
  • TRW can be used in sensor networks [CWCW03]
  • TRW and security
  • Compromised nodes give faulty updates
  • Need to understand
  • How much of an effect the faulty updates will
    have on the estimation
  • How the characteristics of the fixed points of
    TRW are changed

[CWCW03] L. Chen, M. J. Wainwright, M. Cetin, A.
S. Willsky. Multitarget-Multisensor Data
Association Using Tree-Reweighted Max-Product
Algorithm. SPIE AeroSense Conference, 2003.
22
Convergence Analysis of TRW [RW06]
  • The objective is to analyze the convergence of
    the family of reweighted sum-product algorithms
  • We assume that the true messages are fixed
    points of the algorithm
  • The messages are perturbed by some amount

[RW06] Tanya Roosta, Martin J. Wainwright.
"Convergence Analysis of Reweighted Sum-Product
Algorithms". Submitted to IEEE International
Conference on Acoustics, Speech, and Signal
Processing (ICASSP)
23
Convergence Analysis [RW06]
  • W.L.O.G restrict attention to the case of
    pair-wise cliques

?st
  • The distribution defined on this graph is
  • Analyze homogeneous and non-homogeneous models

24
Homogeneous Model
  • ?st ?, ?s ? for all edges and all nodes
  • Let d = degree of the nodes
  • If ?d-1 ? 1, then we are guaranteed uniqueness
    and convergence of the updates
  • If ?d-1 1 , the update equation may have more
    than one fixed point, depending on the choice of
    ? and ?
  • Proof

25
[Figure: d = 4, critical value marked]
  • Plot of the appearance of multiple fixed points
    versus ? and ?

26
Non-Homogeneous Model
  • In the general model, convergence analysis is
    based on establishing, under suitable conditions,
    the updates specify a contractive mapping in the
    l1 norm, i.e.

27
Simulation Results
  • ? uniform from [0.05, 0.5], edge potentials ?st
    uniform from [0.01, 1], and different values for ?
  • Number of nodes between 49-169
  • Plot of log zm-z1 vs. the number of iterations
    (m)

28
More figures
29
Ongoing and Future Work
  • The convergence condition is somewhat
    conservative
  • Requires the message updates be contractive at
    every node of the graph
  • We would like to have an average-case analysis
  • Require that updates be attractive in an average
    sense

30
Overview
  • Taxonomy of attacks on sensor networks
  • Convergence analysis of Reweighted-Tree
    sum-product algorithms
  • Time synchronization security
  • Reputation system for tracking
  • Game theory

31
Why Need Time Sync.?
  • Sources of error in time are
  • Clock skew: the difference in the frequencies of
    the clock and the perfect clock
  • Clock offset: the difference between the time
    reported by a clock and the real time

32
Effect of Time Sync. Attacks
  • Time sync. protocols are vulnerable to security
    attacks
  • Effect on applications/services [MRS05]
  • Shooter Localization
  • TDMA-based Channel Sharing
  • Flexible Power Scheduling
  • TDMA-based MAC protocol
  • Estimation
  • Authenticated Broadcast (μTESLA)

[MRS05] Mike Manzo, Tanya Roosta, Shankar Sastry.
Time Synchronization Attacks in Sensor
Networks. The Third ACM Workshop on Security of
Ad Hoc and Sensor Networks 2005
33
Time Sync. Protocols in Sensor Network
  • Three general categories
  • Reference Broadcast Synchronization (RBS)
  • TPSN
  • Flooding Time Synchronization Protocol (FTSP)
  • In [MRS05], attacks and possible countermeasures
    for each time sync. protocol were explained

34
FTSP
  • FTSP uses reference points for synchronization
  • Reference point: (globalTime, localTime)
  • globalTime: time of the transmitting node
  • localTime: time of the receiving node
  • The receiving node uses linear regression on 8
    reference points to find offset and skew

35
Attacks on FTSP [RS06]
  • A compromised node can claim to be the root node
  • The compromised root sends false updates, which
    will get propagated in the network
  • Every node accepting the false updates calculates
    false offset and skew

[RS06] Tanya Roosta, Shankar Sastry. "Securing
Flooding Time Synchronization Protocol in Sensor
Networks". Workshop of 6th ACM IEEE Conference
on Embedded Software
36
Proposed Countermeasures [RS06]
  • Secure leader election mechanism
  • distributed coin-flipping algorithms (use
    cryptographic commitments)
  • Using redundancy
  • Instead of LS on one neighbor, run LS on multiple
    neighbors and take the median
  • Run LS on multiple random subsets of data
  • Using robust estimators: Least Median of Squares
    (LMS)
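
Added example (not from the original slides): the LMS countermeasure above compared with the plain least-squares fit that FTSP runs on its 8 reference points, using a constructed table whose last three entries come from a forged root. The timestamps, noise values, the 5000-tick forged shift and all function names are assumptions made for illustration.

```python
from itertools import combinations
from statistics import median

# Constructed ground truth for the demo (assumed values, not from the slides).
TRUE_SKEW, TRUE_OFFSET = 1.0001, 500.0
NOISE = [0.3, -0.2, 0.1, -0.4, 0.2, -0.1, 0.4, -0.3]   # 8 reference points


def reference_table(forged_shift=0.0, forged_from=5):
    """Build 8 (globalTime, localTime) reference points.

    Points with index >= forged_from carry a globalTime shifted by
    forged_shift, modelling updates accepted from a node that falsely
    claims to be the root.
    """
    table = []
    for i, noise in enumerate(NOISE):
        local = 1000.0 * i
        glob = TRUE_SKEW * local + TRUE_OFFSET + noise
        if i >= forged_from:
            glob += forged_shift
        table.append((glob, local))
    return table


def ls_fit(points):
    """Ordinary least squares: globalTime ~ skew * localTime + offset."""
    n = len(points)
    mean_l = sum(l for _, l in points) / n
    mean_g = sum(g for g, _ in points) / n
    sxx = sum((l - mean_l) ** 2 for _, l in points)
    sxy = sum((l - mean_l) * (g - mean_g) for g, l in points)
    skew = sxy / sxx
    return skew, mean_g - skew * mean_l


def lms_fit(points):
    """Least Median of Squares: among all lines through two reference
    points, keep the one whose median squared residual is smallest.
    With 8 points there are only 28 candidate lines, so the search is
    exhaustive. Tolerates a minority of forged points."""
    best = None
    for (g1, l1), (g2, l2) in combinations(points, 2):
        if l1 == l2:
            continue
        skew = (g2 - g1) / (l2 - l1)
        offset = g1 - skew * l1
        score = median((g - (skew * l + offset)) ** 2 for g, l in points)
        if best is None or score < best[0]:
            best = (score, skew, offset)
    return best[1], best[2]


def prediction_error(fit, local=8000.0):
    """Absolute error of the predicted global time at a future local time."""
    skew, offset = fit
    return abs((skew * local + offset) - (TRUE_SKEW * local + TRUE_OFFSET))


if __name__ == "__main__":
    poisoned = reference_table(forged_shift=5000.0)
    for name, fit in (("LS", ls_fit(poisoned)), ("LMS", lms_fit(poisoned))):
        print(f"{name}: skew={fit[0]:.4f} offset={fit[1]:.1f} "
              f"error@8000={prediction_error(fit):.1f}")
```

LMS only helps while forged points are a minority of the table; once a false root has filled more than half of the 8 entries, the forged line becomes the best fit.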

37
Future work
  • Experiments
  • Implementing the attacks
  • Analyze the effect on the tracking application
  • Implement some of the countermeasures
  • Time line: 6 months

38
Overview
  • Taxonomy of attacks on sensor networks
  • Convergence analysis of Reweighted-Tree
    sum-product algorithms
  • Time synchronization security
  • Reputation system for tracking
  • Game theory

39
Reputation System
  • Reputation systems have been used in online
    ranking systems
  • They have proven useful as a self-policing
    mechanism
  • In [GS04], the authors propose extending this
    framework to sensor networks

[GS04] Saurabh Ganeriwal, Mani Srivastava.
Reputation-based framework for high integrity
sensor networks. Proceedings of the 2nd ACM
workshop on Security of ad hoc and sensor
networks, 2004.
40
Reputation System in Sensor Network
  • No unifying way to design the watchdog
    mechanism
  • Application dependent

[GS04]
41
Reputation System for Tracking [RMS06]
  • We designed a reputation system for the tracking
    application
  • Tracking is fundamental in sensor networks
  • Surveillance
  • Pursuit Evasion Games
  • Focused on Hierarchical Multi-Object Tracking
    Algorithm (MCMCDA)

[RMS06] Tanya Roosta, Marci Meingast, Shankar
Sastry. "Distributed Reputation System for
Tracking Applications in Sensor Networks". In
proc. of International Workshop on Advances in
Sensor Networks 2006
42
MCMCDA
  • The input
  • a set of data indexed by time
  • The output
  • the association of the observed data with object
    tracks
  • The tracking algorithm has two phases
  • Data Fusion
  • Data Association

[ORS04] S. Oh, S. Russell, and S. Sastry.
Markov Chain Monte Carlo Data Association for
General Multiple-Target Tracking Problems. IEEE
International Conference on Decision and Control
(CDC), 2004.
43
Example
[ORS04]
  • Figure (a) shows the observed data indexed by
    time,
  • Figure (b) shows the tracks that were formed
    based on the maximum likelihood function

44
MCMCDA [ORS04]
  • Nodes equipped with motion detection sensors
  • Sensor model

45
Data Fusion
  • In each local neighborhood, the node with the
    highest signal strength declares itself to be the
    leader
  • All the other nodes in the neighborhood send
    their observations to this leader
  • The leader aggregates the data

46
Data Association
  • Each leader sends the fused observation to the
    closest super-node
  • Super-nodes send their gathered fused observations
    to the base station
  • Base station uses Markov Chain Monte Carlo (MCMC)
    to associate the fused data by maximizing the
    posterior of the track, given the observations

47
Possible Attacks [RMS06]
  • Adversary physically captures a subset of the
    sensor nodes
  • Compromised nodes send faulty observations to the
    leader
  • Results in wrong fused observations and formation
    of non-existent tracks for the moving objects

48
Attacks Not Considered
  • We did not allow the compromised nodes to claim
    to be the leader
  • This problem could be solved using standard
    distributed coin-flipping algorithms using
    cryptographic commitments
  • At the central level, we need to use statistical
    methods that would filter out the faulty
    observations coming from the compromised leaders

49
Reputation System [RMS06]
  • The nodes do not share their reputation table
  • At this point, we only use first hand
    observations for updating the reputation
  • Each node updates the reputation of its neighbors
    only when it becomes the leader
  • The reputation is a value in [0,1]

50
The Algorithm [RMS06]
  • Leader node gathers all the observations from its
    neighbors
  • It chooses m subsets of the observations
  • The members of each subset are chosen randomly
    from among all the neighbors
  • The leader computes the fused observation for
    each subset ( )

51
The Algorithm (cont.)
  • is the accumulated reputation of the jth
    neighbor at node i up to time t-1
  • The leader finds the median of
    where i ∈ {1, …, m}

52
Reputation Assignment [RMS06]
  • The median value of the estimated location is the
    trusted value (mtrust) and the nodes in the
    corresponding subset are trusted nodes (Strust)
  • There are two counters (?ij , ?ij) for
    instantaneous reputation
  • ?ij positive reputation
  • ?ij negative reputation

53
Reputation Assignment (cont.)
  • Nodes in Strust receive an instantaneous
    reputation of (1,0)
  • For the rest of the neighbors, the leader picks
    one node, sij, at a time, adds it to the subset
    Strust, and recalculates the location estimation
  • Call the result of this calculation

54
Reputation Update [RMS06]
  • T is a threshold to determine how far can
    be pulled away from the median mtrue
  • T has to take the normal level of observation
    noise into account

55
Reputation Aggregation [RMS06]
  • Instantaneous reputations are aggregated to
    calculate the cumulative positive and negative
    reputation (rijt, sijt)
  • Discounting factor, ?, is used to guarantee that
    old reputations will be gradually forgotten
  • The reputation is aggregated using

56
Simulation
  • The surveillance region is a square grid of size
    50m x 50m
  • There is one node placed at each corner of each
    square
  • The number of objects we want to track is ni
  • The sensing range Rs is set to 1.5m

57
Simulation (cont.)
  • The noise is represented by a standard Gaussian
    distribution N(0,1)
  • Tested different scenarios
  • Example: the number of compromised nodes is fixed
    and the sensing radius is varied from 1.5m to 3m
  • T = 0.4, m = 4, and s = 3
  • Metric: the average error in the number of tracks
    estimated by the algorithm compared to the actual
    number of tracks

58
250 compromised nodes, varying sensing radius
59
Qualitative Comparison
60
Future Work
  • Extend the observation model to include
    probability of compromised nodes using mixture
    models [RMG06]

[RMG06] Tanya Roosta, Mubaraq Mishra, Ali
Ghazizadeh. Robust Detection and Estimation in
Ad-Hoc and Sensor Networks. IEEE International
Conference on Mobile Ad-hoc and Sensor Systems,
2006
61
Overview
  • Taxonomy of attacks on sensor networks
  • Convergence analysis of Reweighted-Tree
    sum-product algorithms
  • Time synchronization security
  • Reputation system for tracking
  • Game theory

62
Clustering Game
  • Setup
  • There are a number of clusters K
  • The adversary knows what is being observed
  • The adversary can not observe what the other
    adversaries are doing (no collusion)
  • The nodes are monitoring temperature (example)
  • What is the optimal compromised node placement
    within the clusters to cause the most amount of
    damage?

63
[Figure: clusters of good nodes and compromised nodes]
Which distribution of the compromised nodes has
the most effect on the final estimation at the
center?
64
Conclusion
  • Security in sensor networks is crucial to
    successful deployment
  • In this talk
  • Proposed a taxonomy of security attacks
  • Gave convergence results for TRW
  • Described attacks on time sync. protocols and the
    effect on different applications
  • Developed a decentralized reputation system for
    tracking
  • Use of game theory to formulate security attacks

65
Thank you!
66
Effect on Estimation (Example)
  • state of a discrete-time controlled process
  • Given the measurement

67
Reputation and Beta Function
  • The sequence of observations can be considered as
    a sample from a binomial distribution, i.e. a
    sequence of independent coin tosses, with a bias
    parameter P
  • To be clear, the head corresponds to an honest
    node and the tail corresponds to a compromised
    node, and the bias is the overall reputation of
    the node
  • We can estimate the rating of a node using
    Bayesian parameter estimation of the binomial
    distribution

68
Reputation and Beta Function (cont.)
  • The posterior probability of binary events is
    most accurately represented by the Beta
    distribution
  • Beta distribution is a two parameter distribution
    with parameters a and b
  • Parameter a measures the number of successes
    (rijt) and b measures the number of failures
    (sijt)
  • The overall reputation is modeled as the expected
    value of the Beta distribution
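
Added example (not from the original slides): one leader round of the reputation procedure described under "The Algorithm" through "Reputation Aggregation", with the Beta-mean reputation described above. The slides' formulas did not survive extraction, so the reputation-weighted fusion, the threshold rule, the Beta(r+1, s+1) prior, the discount value 0.9, the use of the lower median, and the 1-D sample observations are all assumptions; T = 0.4, m = 4 and s = 3 are the simulation values from the slides.

```python
from statistics import median_low


def expected_reputation(r, s):
    """Mean of Beta(r + 1, s + 1): r successes, s failures, uniform prior
    (assumed parameterisation)."""
    return (r + 1.0) / (r + s + 2.0)


def fuse(nodes, obs, counters):
    """Reputation-weighted mean of the observations of `nodes` (assumed
    fusion rule; weights are the reputations accumulated so far)."""
    weights = {j: expected_reputation(*counters[j]) for j in nodes}
    return sum(weights[j] * obs[j] for j in nodes) / sum(weights.values())


def leader_round(obs, counters, subsets, T, discount):
    """Run one round at the leader and update `counters` in place.

    obs      : {neighbor: observation}
    counters : {neighbor: (r, s)} cumulative positive/negative reputation
    subsets  : the m subsets of neighbors (drawn at random in practice)
    Returns (m_trust, instantaneous reputations).
    """
    fused = [(fuse(sub, obs, counters), tuple(sub)) for sub in subsets]
    # Lower median, so the trusted value belongs to an actual subset.
    m_trust, s_trust = median_low(fused)
    instant = {j: (1, 0) for j in s_trust}
    for j in obs:
        if j in instant:
            continue
        # Add one untested neighbor to S_trust and see how far it pulls
        # the estimate away from the trusted median.
        pulled = fuse(s_trust + (j,), obs, counters)
        instant[j] = (1, 0) if abs(pulled - m_trust) <= T else (0, 1)
    for j, (pos, neg) in instant.items():
        r, s = counters[j]
        counters[j] = (discount * r + pos, discount * s + neg)
    return m_trust, instant


# Constructed sample: object at position 10.0; E and F are compromised.
OBS = {"A": 10.1, "B": 9.9, "C": 10.2, "D": 9.8, "E": 14.0, "F": 15.0}
SUBSETS = [("A", "B", "C"), ("B", "D", "E"), ("A", "C", "D"), ("C", "E", "F")]


def run_rounds(n_rounds, T=0.4, discount=0.9):
    """Repeat the same constructed round n_rounds times; return reputations."""
    counters = {j: (0.0, 0.0) for j in OBS}
    for _ in range(n_rounds):
        leader_round(OBS, counters, SUBSETS, T, discount)
    return {j: expected_reputation(*c) for j, c in counters.items()}


if __name__ == "__main__":
    for node, rep in run_rounds(2).items():
        print(f"{node}: reputation {rep:.3f}")
```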

69
Proof
  • Message updates are characterized by
  • Taking the derivative of F(z,?, ?, ?) will give
    the rate of convergence

70
Proof (cont.)
?
71
Robust Detection
  • The goal is to detect compromised/faulty nodes
  • The lying behavior could be
  • Static unchanging behavior
  • Dynamic changing liars
  • Dynamic colluding liars
  • We can model each one of these cases using a
    Hidden Markov Model

72
Problem Formulation
  • The nodes make an observation according to
  • No notion of time in our problem setup, i.e. the
    nodes collect all their observations, and then
    the detection is performed

73
Problem Formulation
  • Expectation Maximization (EM) framework is used
    to find the parameters (probability of the node
    lying and the detection value)
  • We maximize the log likelihood based on the lying
    behavior we are considering (which affects the
    hidden parameters)

74
RBS
In RBS a reference message is broadcast to two
receivers and the receivers synchronize their
respective local clocks to each other
  • A transmitter broadcasts m reference messages
  • Each of the n receivers records its local
    received time
  • Receivers exchange their local times.
  • Each receiver calculates its phase offset as the
    LS linear regression of the phase offsets

75
TPSN
  • TPSN creates a spanning tree of the sensor
    network
  • Each node finds the clock drift and propagation
    delay, using

76
(No Transcript)
77
78
Denial of Service Attacks
  • Denial of service attack concerns any attack that
    diminishes the networks capacity to perform its
    function
  • Denial of service attacks can be carried out at
    any of the layers of the communication stack

79
Denial of Service Attacks
[WS02] A. Woods, J. Stankovic. Denial of Service
Attacks in Sensor Networks. IEEE Computer,
35(10):54-62, October 2002
80
Ordinary Belief Propagation
  • Message and belief updates

81
LMS
82
Time Synchronization
  • Time synchronization protocols provide a
    mechanism for synchronizing the local clocks of
    the nodes in a sensor network
  • Two ways to synchronize the clocks
  • Synchronization to accurate real time
  • Relative synchronization for ordering of the
    events
  • Clock model

83
FTSP (cont.)
  • Offset
  • Skew

84
Example
85
Data Association (cont.)
  • Maximizing the posterior of the track, given the
    observations, Y

z_t: number of objects terminated at time t; a_t:
number of new objects at time t; d_t: the number of
detections; f_t: the probability of false alarms;
λ_f: the false alarm rate; λ_b: the birth rate of a
new object; p_z: the probability of an object
disappearing; p_d: the probability of detection.
86
Attack Trees
  • Attack trees provide a formal, methodical way of
    describing the security of systems, based on
    varying attacks
  • The tree can also be used to determine where a
    system is vulnerable, and weigh the benefits of
    different countermeasures against one another
  • We want to develop an efficient attack tree for
    sensor networks
  • An example based on the taxonomy paper

87
(No Transcript)
88
Routing Game1
  • The power consumption in routing has been modeled
    as a dynamic Bayesian game among the N nodes of
    the network
  • Uses action history h_i(t_k) = (s_i(t_0), …,
    s_i(t_{k-1}))
  • This Bayesian game has a Nash equilibrium
    solution, but the solution strategy has not been
    explicitly found

1-Petteri Nurmi. Modelling Routing in Wireless
Ad Hoc Networks with Dynamic Bayesian Games.
IEEE SECON, 2004
89
Future Work
  • What are the actual solutions to this Bayesian
    game (if we can explicitly solve for the
    equilibrium)?
  • Effect of memory/action history length on the
    outcome of the Bayesian game
  • Learning the reputations of nodes dynamically
    using the solution to the Bayesian game
  • Time line: 1 year

90
TRW Message Update