Security Issues in Distributed Sensor Networks

1
Security Issues in Distributed
Sensor Networks

• Yi Sun
• Department of Computer Science and Electrical
  Engineering
• University of Maryland, Baltimore County
• 2007. 12

2
Outline

1. Introduction
2. Security Criteria
3. Vulnerabilities
4. Attack Types
5. Security Schemes
6. Intrusion Detection Techniques
7. Secure Routing Techniques
8. Key Management Schemes

3
1. Introduction

• Explosive growth of mobile computing devices
• laptops
• personal digital assistants (PDAs)
• handheld digital devices
• Ubiquitous computing
• Individual users utilize, at the same time,
  several electronic platforms through which they
  can access all the required information whenever
  and wherever they may be

4
2. Security Criteria

• Availability
• Provide all the designed services
• Integrity
• Malicious altering, accidental altering
• Confidentiality
• Accessible to authorized nodes
• Authenticity
• Prove identities

5
2. Security Criteria

• Nonrepudiation
• Cannot disavow sent or received a message
• Authorization
• Specifies the privileges and permissions
• Anonymity
• Privacy preserving

6
3. Vulnerabilities

• Lack of secure boundaries
• No need to gain the physical access to visit the
  network
• Threats from compromised nodes inside the network
• Behavioral diversity of different nodes,
  mobility
• Lack of centralized management facility
• Benign failures, cooperative algorithm
• Restricted power supply
• Battery, DoS, selfish node
• Scalability
• Efficient routing protocol, key management
  service

7
4. Attack types

• Denial of Service (DoS)
• Radio jamming, battery exhaustion
• Impersonation
• Compromised nodes join the network as normal
  nodes
• Eavesdropping
• Obtain confidential information during
  communication
• Attacks against routing
• Attacks on routing protocols, attacks on packet
  forwarding/delivery

8
5. Security Schemes

• Intrusion Detection Techniques
• Distributed and cooperative to meet with the
  needs of sensor networks
• Secure Routing Techniques
• Defend specific attacks and general attacks
• Medium Access Control
• Guaranteed or controlled access, random access
• Key Management
• Cryptography

9
6. Intrusion Detection Techniques

• Intrusion Detection System (IDS)
• Detect unwanted manipulations to systems
• Difference with Wired Network
• No fixed infrastructure
• No traffic concentration points
• Limited radio range audit data
• Limited communication
• Local-dependent computing
• No Clear Separation of normal and abnormal
  behavior
• IDS in sensor networks should be distributed
  and
• cooperative to meet with these characteristics

10
6. Intrusion Detection Techniques

• Cooperative IDS Architecture for Sensor Networks

11
6. Intrusion Detection Techniques

• Cooperative IDS Architecture for Sensor Networks
• Every node participate in intrusion detection
  and response activities by detecting signs of
  intrusion behavior locally and independently.
• Neighboring nodes can share their investigation
  results with each other and cooperate in a
  broader range.
• Cooperation generally happens when a certain
  node detects an anomaly but does not have enough
  evidence to figure out what kind of intrusion it
  belongs to.

12
6. Intrusion Detection Techniques

• Corresponding Conceptual Model of IDS Agents

13
6. Intrusion Detection Techniques

• Local Data Collection Module
• Deal with the data gathering issue, in which the
  real-time audit data may come from various
  resources.
• Local Detection Engine
• Examine the local data collected by the local
  data
• collection module and inspect if there is any
  anomaly shown in the data.

14
6. Intrusion Detection Techniques

• Cooperative Detection Engine
• Work with other IDS agents when there are some
  needs to find more evidences for some suspicious
  anomalies detected in some certain nodes.
• Intrusion Response Module
• Deal with the response to the intrusion when it
  has been confirmed.

15
6. Intrusion Detection Techniques

• Cluster-based Intrusion Detection Technique
• All the nodes in cooperative intrusion detection
  architecture need to participate if cooperation
  needed.
• Limited power supply, selfish manner.
• Organize sensors into clusters, every node
  belongs to at least one cluster.
• In each cluster, only one node take care of
  monitoring issues during a period of time.

16
6. Intrusion Detection Techniques

• Finite State Machine of the Cluster Formation
  Protocol

17
6. Intrusion Detection Techniques

• Cluster-based Intrusion Detection Technique
• All the nodes in the network will be in the
  initial state at first, they will monitor their
  own traffic and detect intrusion behaviors
  independently.
• Use clique computation and clusterhead
  computation to get the clusterhead of the
  network.
• Use Cluster Valid Assertion Protocol to check if
  the connection between the clusterhead and itself
  is maintained or not.
• After timeout for the clusterhead, all the nodes
  begin a new round of clusterhead election.
• Cluster Recovery Protocol is used when a node
  loses its connection with previous clusterhead.

18
6. Intrusion Detection Techniques

• Clusterhead Computation Protocol
• 1. Generate a random integer Ri.
• 2. Broadcast a message ELECTION_START(IDi,
  HASH(IDi,Ri)) to CL'i. HASH is a common hash
  function. A corresponding timer T1 is setup.
• 3. On Receiving all ELECTION_START from CL'i,
  broadcast the message ELECTION(IDi,Ri) to clique
  CL'i.
• 4. If T1 is timeout, every node for whom
  ELECTION_START has not be received is excluded
  from CLi.
• 5. On Receiving ELECTION from node j, verify its
  hash value matches the value in the
  ELECTION_START message from j. Store Rj locally.

19
6. Intrusion Detection Techniques

• 6. If all Rj from CL'i have arrived, compute
  HSEL(R0,R1,R2,,Rsc-1) where SEL is the
  selection function. Determine the cluster head H
  as the h-th node in the clique since all IDs are
  ordered.
• 7. If H ? i (i.e., as a citizen), do the
  following.
• (a) Send ELECTION_DONE to H.
• (b) Wait for ELECTION_REPLY from H, then enter
  DONE state.
• 8. Otherwise, as a cluster head, H performs
  following.
• (a) Setup a timer T2.
• (b) On Receiving ELECTION_DONE, verify it is
  from CL'i.
• (c) If T2 is timeout, citizens from whom
  ELECTION_DONE has not be received are excluded
  from CLi. Broadcast ELECTION_REPLY to CL'i and
  enter DONE state.

20
6. Intrusion Detection Techniques

• Cluster Valid Assertion Protocol
• 1. Since the network topology tends to change in
  sensor networks, connections between the elected
  cluster head and some citizens nodes may be
  broken from time to time. If a link between a
  citizen Z and a cluster head H has been broken, Z
  will check if it is in another cluster. If not,
  it enters LOST state and activates the Cluster
  Recovery Protocol. Also, Z is removed from H's
  citizen list CTC. If there is no more citizens in
  cluster C, H becomes a citizen if it belongs to
  another cluster. Otherwise, H enters LOST state
  and activates the Cluster Recovery Protocol.

21
6. Intrusion Detection Techniques

• 2. Even if no membership change has occurred,
  the cluster head cannot function forever because
  it is neither fair in terms of service and unsafe
  in terms of the long time single-point control
  and monitoring. So enforce a mandatory
  re-election timeout, Tr. Once the Tr expires, all
  nodes in the cluster enters the INITIAL state and
  start a new cluster head setup round. If the
  clique property still holds, the Clique
  Computation step can be skipped.

22
6. Intrusion Detection Techniques

• Cluster Recovery Protocol
• 1. A request message ADD REQUEST(IDi) is
  broadcast with a timer T3.
• 2. A clusterhead H receives the request and
  replies ADD REPLY(IDH) only after a short delay
  Td. The delay is introduced in hope that a
  connection has been stable for Td can remain to
  be stable for a fairly long time.
• 3. Node i replies the rst ADD REPLY it received.
  And enters DONE state. Additional ADD REPLYs are
  ignored.
• 4. On Receiving ADD ACK, H adds i into its CTC.
• 5. If T3 is timeout and no ADD REPLY is
  received, there is no active clusterhead nearby.
  Node i enters INITIAL state to wait for other
  lost citizens to form new cliques and elect their
  new clusterheads.

23
6. Intrusion Detection Techniques

• Cross-Layer Integrated Intrusion Detection
• Simultaneously exploit several vulnerabilities
  at multiple layers.
• Keep the attack to each of the vulnerabilities
  stay below the detection threshold so as to
  escape from capture by the single-layer
  misbehavior detector.
• Easily skipped by the single-layer misbehavior
  detector. Cross-layer misbehavior detector,
  inputs from all layers of the network stack are
  combined and analyzed.

24
7. Secure Routing Techniques

• Defense Method against Wormhole Attacks
• Attacker receives packets at one point in the
  network, tunnels them to another point in the
  network, and then replays them into the network
  from that point.
• For tunneled distances longer than the normal
  wireless transmission range of a single hop, it
  is simple for the attacker to make the tunneled
  packet arrive sooner than other packets
  transmitted over a normal multi-hop route.

25
7. Secure Routing Techniques

• Packet Leash
• Any information that is added to a packet
  designed to restrict the packets maximum allowed
  transmission distance. There are two main
  leashes.
• Geographical Leash
• Ensure the recipient of the packet is within a
  certain distance from the sender.
• Temporal Leash
• Ensure the packet has an upper bound on its
  lifetime, which restricts the maximum travel
  distance, since the packet can travel at most at
  the speed-of-light.

26
7. Secure Routing Techniques

• Mechanism Against Rushing Attacks
• Result in denial of service.
• Prevent routing protocols to find routes longer
  than two-hops.

27
7. Secure Routing Techniques

• Mechanism Against Rushing Attacks
• Initiator node initiates a Route Discovery for
  the target node. If the ROUTE REQUESTs for this
  Discovery forwarded by the attacker are the first
  to reach each neighbor of the target, then any
  route discovered by this Route Discovery will
  include a hop through the attacker.
• That is, when a neighbor of the target receives
  the rushed REQUEST from the attacker, it forwards
  that REQUEST, and will not forward any further
  REQUESTs from this Route Discovery.
• When non-attacking REQUESTs arrive later at
  these nodes, they will discard those legitimate
  REQUESTs.
• As a result, the initiator will be unable to
  discover any usable routes.

28
7. Secure Routing Techniques

• Combined Mechanisms against Rushing Attack
• Secure Neighbor Detection
• Secure route delegation
• Randomized ROUTE REQUEST forwarding

29
7. Secure Routing Techniques

• Secure Neighbor Detection
• Allow each neighbor to verify the other is
  within a given maximum transmission range.
• Once a node A forwarding a ROUTE REQUEST
  determines that node B is a neighbor, it signs a
  Route Delegation message, allowing node B to
  forward the ROUTE REQUEST.
• When node B determines that node A is within the
  allowable range, it signs an Accept Delegation
  message. In this way, the neighborhood
  relationships between nodes can be verified and
  guaranteed to be genuine.

30
7. Secure Routing Techniques

• Watchdog
• Watchdog method detects misbehaving nodes.
• Suppose there exists a path from node S to D
  through intermediate nodes A, B, and C.
• Node A cannot transmit all the way to node C,
  but it can listen in on node B's traffic.
• When A transmits a packet for B to forward to C,
  A can often tell if B transmits the packet.
• If encryption is not performed separately for
  each link, which can be expensive, then A can
  also tell if B has tampered with the payload or
  the header.

31
7. Secure Routing Techniques

• Pathrater
• Combine knowledge of misbehaving nodes with link
  reliability data to pick the route most likely to
  be reliable. Each node maintains a rating for
  every other node it knows about in the network.
• It calculates a path metric by averaging the
  node ratings in the path.

32
8. Key Management Schemes

• Features of Key Management Schemes
• Applicability
• Scalability
• Security
• Robustness
• Simple
• Classification of Key Management Schemes
• Public Key Schemes
• Identity Based, Certificate Based
• Symmetric Schemes
• MANET Schemes, WSN Schemes

33
8. Key Management Schemes

• Threshold Cryptography
• (k, n) threshold cryptography scheme
• Share secret scheme.
• n parties share the ability of performing a
  cryptographic
• operation or information and k threshold value.
• Any k-1 (or less) parties cannot handle.
• Any k of those n parties can handle jointly
  Classification of
• Key Management Schemes.

34
8. Key Management Schemes

• Ubiquitous Security Support
• It relies on a threshold signature system with a
  (k, n) secret sharing of the private
  certification authority (CA) key.
• All nodes get a share of the private CA key.
• The nodes earn trust in the entire network when
  they receive a valid certificate.
• A new secret share is calculated by adding
  partial shares received from a coalition of k
  neighbors.

35
8. Key Management Schemes

• Ubiquitous Security Support
• When network starts,
• Have dealer
• The first nodes receive their certificates from a
  dealer
• before joining the network.
• After k nodes have been initialized, the dealer
  is
• removed.
• No dealer
• Localized self initialization.

36
8. Key Management Schemes

• Identity-Based Signature
• To verify a signature, it is enough to know the
  ID of the sender with the public system
  parameters.
• The public system parameters defined by the
  private key generator (PKG) during system set up.
• The PKG also generates the private signature
  keys corresponding to the user IDs.

37
8. Key Management Schemes

• Identity-Based Public Key
• An identity-based public key (IBC-K) for sensor
  networks combining identity-based cryptography
  with threshold cryptography.
• The nodes that initialize the sensor networks
  form a threshold PKG, spreading the PKG private
  master key over the initial set of nodes by a (k,
  n) threshold scheme.

38
8. Key Management Schemes

• Symmetric schemes
• SKiMPy is designed for MANETs in emergency and
  rescue operations.
• SKiMPy seeks to establish a MANET-wide
  symmetric key for protection of network-layer
  routing information or application-layer user
  data.
• Steps
• 1. Generate a random symmetric key.
• 2. Transfer it to one-hop neighborhoods.
• 3. The best key is chosen as the local group
  key.
• 4. Transfer it to the nodes with worse keys
  through a secure channel, and until the best
  key has been shared with all nodes in the MANET.

39
8. Key Management Schemes

• Key Infection (INF)
• The scheme assumes static sensor nodes and mass
  deployment.
• INF sets up symmetric keys between the nodes and
  their one-hop neighbors.
• At bootstrap time, every node simply generates a
  symmetric key and sends it to its neighbors.
• A key whispering approach is used, that is, the
  key is initially transmitted at a low power level.

40

• Thanks!

41
References

• Y. Zhang and W. Lee, Intrusion Detection in
  Wireless Ad-hoc Networks, in Proceedings of the
  6th International Conference on Mobile Computing
  and Networking (MobiCom 2000), pages 275283,
  Boston, Massachusetts, August 2000.
• Jim Parker, Anand Patwardhan, and Anupam Joshi,
  Detecting Wireless Misbehavior through
  Cross-layer Analysis, in Proceedings of the IEEE
  Consumer Communications and Networking Conference
  Special Sessions (CCNC2006), Las Vegas, Nevada,
  2006.
• Y. Hu, A. Perrig and D. Johnson, Rushing Attacks
  and Defense in Wireless Ad Hoc Network Routing
  Protocols, in Proceedings of ACM MobiCom Workshop
  - WiSe03, 2003.
• Yi-an Huang and Wenke Lee, A Cooperative
  Intrusion Detection System for Ad Hoc Networks,
  in Proceedings of the 1st ACM Workshop on
  Security of Ad hoc and Sensor Networks, Fairfax,
  Virginia, 2003, pp. 135 147.
• Panagiotis Papadimitraos and Zygmunt J. Hass,
  Securing Mobile Ad Hoc Networks, in Book The
  Handbook of Ad Hoc Wireless Networks (Chapter
  31), CRC Press LLC, 2003.

42
References

• Y. Hu, A. Perrig and D. Johnson, Packet Leashes
  A Defense against Wormhole Attacks in Wireless Ad
  Hoc Networks, in Proceedings of IEEE INFOCOM03,
  2003.
• Wenjia Li and Anupam Joshi, Security Issues in
  Mobile Ad Hoc Networks A Survey, Technical
  report, 2006.
• Y. Hu, A. Perrig and D. Johnson, Wormhole Attacks
  in Wireless Networks, IEEE Journal on Selected
  Areas in Communications, Vol. 24, No. 2, February
  2006.
• A. Khalili, J. Katz, and W. A. Arbaugh, Towards
  Secure Key Distribution in Truly Ad-Hoc Networks,
  in IEEE Workshop on Security and Assurance in
  Ad-Hoc Networks, 2003.
• Sergio Marti, T. J. Giuli, Kevin Lai and Mary
  Baker, Mitigating routing misbehavior in mobile
  ad hoc networks, in Proceedings of the 6th annual
  international conference on Mobile computing and
  networking (MobiCom00), pages 255265, Boston,
  MA, 2000.