Computer Science

Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks

Presented by Akshay Lal

Roadmap
• Official terminology.
• THE sensor network.
• What’s the problem?
• A practical solution.
• Detection of malicious beacon nodes.
• Special considerations.
• Revocation of malicious beacon nodes.
• Performance review.
• Conclusion.

Official Terminology
• Beacon node: Conveys information about location.
• Non-beacon nodes: The rest of the network.
• Beacon signals: Signals sent out by beacon nodes.
• Detecting beacon node: Node performing detection on a received signal.
• Target beacon node: Node being detected.
• Detecting ID: ID used by a detecting beacon node to make a target beacon node believe that a non-beacon node wants to communicate.

THE Sensor Network
• Network constituting spatially distributed devices using sensors to monitor conditions (temperature, sounds, vibrations, etc.) at different locations.
• These sensors are low-cost, low-power and multi-functional, and communicate within a short range.
• Location of the sensor is the critical part of the network – located using geographical routing (GPSR), or some form of “location discovery”.

THE Sensor Network (contd.)
• Naïve methodology for location discovery:
  • Step I:
    • Receive beacon signals from beacon nodes.
    • Calculate multiple location references (distance, signal strength, time of arrival, etc.) from various beacon nodes.
  • Step II:
    • Determine one’s own location using the locations of the beacon nodes, with minimum error.
• Very straightforward approach – but what if a malicious node sends an incorrect beacon signal?

And Now The Problem
• A malicious beacon node can provide an incorrect location reference.
• Non-beacon nodes determine location incorrectly.

The Problem (contd.)
• Location verification techniques have been proposed which can verify relative distances between beacon nodes and non-beacon nodes.
• None can ensure correct location discovery in a hostile environment (with malicious beacon nodes).
• None can remove the impact of a compromised beacon node.

A Practical Solution
• Detect malicious beacon nodes.
  • Locations of beacon nodes are known – (x, y).
  • Location derived from the beacon signal received (using any measurement scheme such as distance) – (x’, y’).
  • If (x, y) ≠ (x’, y’) – malicious node caught.
• Using this data, filter out replayed beacon signals.
  • Worm hole attacks – tunnel signal packets from one part of the network to another, and replay the signal packet.
  • Locally replayed beacon signal – beacon signal received from a neighbor node is replayed by the malicious node.
• Revoke the malicious beacon nodes.

Detection of Malicious Beacon Nodes
• Assumptions:
  • Communicating nodes share a unique pair-wise key.
  • A beacon node cannot distinguish between communications with a non-beacon node or another beacon node.
  • Communication is always bi-directional.
  • Beacon signals are unicast to non-beacon nodes and all packets are authenticated using the pair-wise shared key.

Detection of Malicious Beacon Nodes (contd.)
• Beacon nodes use detecting IDs to perform detection on the signals they hear from other beacon nodes.
• Detecting node → target node: request message.
• Target node → detecting node: reply beacon signal containing its location – (x’, y’).
• Detecting node:
  - estimates distance between itself and target node.
  - calculates distance between itself (x, y) and (x’, y’).
• If difference between the two values > maximum distance error:
  • received signal is malicious; hence, target node is malicious.

Special Considerations – Thwarting Worm Hole Attack
• Assumptions:
  • Worm hole detector installed on every node in the network.
  • Able to state whether two communicating nodes are neighbors or not with certain accuracy.
• Methodology followed:
  • If a signal is detected to be malicious, a check is made for whether it is because of a worm hole attack.
  • Detecting node calculates distance between itself and the location received from the target.
  • If the calculated distance is larger than the radio communication range and the worm hole detector determines that a worm hole exists – beacon signal is a replayed signal and is ignored.
• Drawback is that the worm hole detector cannot ALWAYS guarantee that it can detect a worm hole.

Special Considerations – Thwarting Locally Replayed Beacon Signals
• Methodology followed:
  • The replay of a beacon signal always induces extra delay.
  • This can be detected by using the Round Trip Time between two nodes.
• (Timing diagram: the detecting node sends the Request to the target node between t1 and t2; the target node sends the Reply between t3 and t4.)
  • t1: time to finish sending first byte of request
  • t2: time to finish receiving first byte of request
  • t3: time to finish sending first byte of reply
  • t4: time to finish receiving first byte of reply
• Detecting node calculates RTT = (t4 - t1) – (t3 - t2)

Special Considerations – Thwarting Locally Replayed Beacon Signals (contd.)
• RTT is not affected by the MAC protocol or any processing delay; hence, the distribution of RTT is within a narrow range.
• (Figure: distribution F(x) of RTT, with Xmin and Xmax marked.)
  • Xmin = maximum value for X such that F(x) = 0
  • Xmax = minimum value for X such that F(x) = 1
  • Transmission time per clock pulse = 384 clock cycles
  • Xmin = 1,951
  • Xmax = 7,506
• Detection is possible for any replayed signal if the delay introduced is longer than the transmission time for 14.5 bits.

The Algorithm Thus Far
• Detecting node → target node: request message.
• Target node → detecting node: reply beacon signal containing its location – (x’, y’).
• if difference between distances > maximum distance error
  • then signal is malicious – check for worm hole attack.
• if target node passes worm hole detector
  • check for locally replayed beacon signal.
• Calculate RTT based on response time from target.
• if RTT ≤ Xmax then:
  • Beacon signal is considered not locally replayed.
• else if RTT > Xmax then:
  • Beacon signal is considered locally replayed.

Revocation of Malicious Beacon Nodes
• Assumption:
  • The base station has a method to revoke malicious beacon nodes.
  • Each node shares a unique key with the beacon node.
• Methodology followed:
  • All alerts contain the IDs of both the detecting and target node.
  • The base station keeps a table with an entry for each beacon node.
  • Associated with each entry are an alert counter and a report counter.
  • Alert Counter – records suspiciousness of a beacon node.
  • Report Counter – records number of alerts reported by a node and accepted by the base station.
  • For every received alert the Report Counter for the detecting node is increased.
  • Beacon nodes with a high Alert Degree are considered malicious.
  • A threshold is set for the maximum allowable alerts against a node, after which the beacon node is revoked.

Revocation of Malicious Beacon Nodes – A Subtle Issue to Consider
• Two thresholds exist:
  • Γ – maximum limit for alerts against a beacon node.
  • Ѓ – maximum limit for reports sent by a beacon node.
• Reason for two thresholds:
  • Malicious beacon node tries to revoke a non-malicious beacon node.
  • This will cause the value of Γ to increase up to threshold – Γ.
  • Beacon node will revoke the beacon node but will still accept alerts from that node until report count reaches threshold – Ѓ.
  • Also, the number of reports sent by any beacon node cannot exceed Ѓ; hence a malicious node cannot revoke ALL the non-malicious beacon nodes before getting revoked itself.

Performance Review – Notations for Node Detection
• Pd: Detection rate of the worm hole detector.
• Pr: Detection rate of a malicious node by a detecting node.
• Pn: Fraction of nodes that receive the malicious beacon signal.
• Pw: Fraction of the nodes that are convinced of a worm hole.
• Pl: Fraction of the nodes that are convinced the signal is locally replayed.
• P: The probability that a node receives a signal from a malicious node which is not removed by the replay detector.
• m: Number of IDs for a detecting node.

Performance Review – Node Detection
• Detection Mechanism Analysis:
  • Computational and storage overhead is mainly due to key establishment protocols and cryptographic operations.
  • The probability of a beacon node reporting an alert for a non-malicious beacon node is 1 – Pd if a worm hole exists and 0 if no worm hole exists.
  • Probability that a non-malicious detecting node will send an alert for a malicious beacon node, considering the detecting node has m detecting IDs, is: $1 - \bigl(1 - (1 - P_n)(1 - P_w)(1 - P_l)\bigr)^m$
  • Probability that a node receives a beacon from a malicious node which is not caught by the replay detector is: $P = (1 - P_n)(1 - P_w)(1 - P_l)$.
  • Relationship between Pr and P: $P_r = 1 - (1 - P)^m$
• Conclusion I: Cannot increase P without simultaneously increasing Pr.

Performance Review – Notations for Node Revocation
• N: Total number of sensor nodes.
• Na: Total number of malicious beacon nodes.
• Nb: Total number of beacon nodes.
• Nc: Total number of nodes that send requests to a malicious beacon node.
• Nw: Number of pairs affected by a worm hole attack.
• N`: Average number of affected nodes.
• P`: Probability of accepting a signal from a revoked node.
• Pd: Detection rate.
• Pr: Probability of reporting an error.
• Pa: Probability of the base station having an alert against a malicious node.
• P1, P2: Probability that the report counter of a non-malicious node increases by 1 / 2 when reporting a malicious node.
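
The decision procedure from the "The Algorithm Thus Far" slide, written out as an added example (not code from the paper or the presentation). Only Xmax = 7,506 is taken from the slides; the distance-error bound, the radio range, the `wormhole_detected` flag standing in for the worm hole detector, and all function names are assumptions, and the sample observations are constructed.

```python
import math
from enum import Enum

# Only X_MAX comes from the slides; the other two values are assumed.
MAX_DIST_ERROR = 10.0   # maximum distance error (assumed, coordinate units)
RADIO_RANGE = 150.0     # radio communication range (assumed, coordinate units)
X_MAX = 7506            # upper bound of a non-replayed RTT, in clock cycles

class Verdict(Enum):
    CONSISTENT = "signal accepted"
    WORMHOLE_REPLAY = "replayed through a worm hole, ignored"
    LOCAL_REPLAY = "locally replayed, ignored"
    MALICIOUS = "target beacon is malicious, alert reported"

def round_trip_time(t1, t2, t3, t4):
    """RTT = (t4 - t1) - (t3 - t2); the target's turnaround time cancels out."""
    return (t4 - t1) - (t3 - t2)

def check_beacon(own_xy, claimed_xy, measured_dist, wormhole_detected, times):
    """Classify one reply beacon signal as the detecting node would.

    wormhole_detected models the worm hole detector's answer (hypothetical
    interface); times is (t1, t2, t3, t4) in clock cycles.
    """
    calculated = math.dist(own_xy, claimed_xy)
    if abs(measured_dist - calculated) <= MAX_DIST_ERROR:
        return Verdict.CONSISTENT
    # The signal is malicious; rule out replays before blaming the target.
    if calculated > RADIO_RANGE and wormhole_detected:
        return Verdict.WORMHOLE_REPLAY
    if round_trip_time(*times) > X_MAX:
        return Verdict.LOCAL_REPLAY
    return Verdict.MALICIOUS

# Constructed observations: (claimed location, measured distance, detector, times)
SAMPLES = [
    ((30, 40), 52.0, False, (0, 1000, 3000, 7000)),
    ((300, 400), 60.0, True, (0, 1000, 3000, 7000)),
    ((30, 40), 90.0, False, (0, 1000, 3000, 12000)),
    ((30, 40), 90.0, False, (0, 1000, 3000, 7000)),
]

def classify_samples():
    """Run the detecting node at (0, 0) over the constructed samples."""
    return [check_beacon((0, 0), c, d, w, t) for c, d, w, t in SAMPLES]
```

Only the last sample ends in an alert to the base station: its distances disagree, the claimed location is within radio range, and its RTT of 5,000 cycles is below Xmax.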
Performance Review – Notations for Node Revocation
• Node Revocation Analysis:
  • A beacon node only reports about others within its communication range; hence the storage and communication overhead is very limited.
  • The detection rate, or probability that a malicious beacon node will be revoked, is:
    $P_d = 1 - \sum_{i=0}^{\tau} P(i)$
    where $P(i) = \frac{N_c!}{(N_c - i)!\, i!} P_a^{i} (1 - P_a)^{N_c - i}$ and $P_a = \frac{(N_b - N_a) \cdot P_r}{N}$
• (Plot parameters: m = 1, ґ = 4)
• Conclusion II: Detection rate increases as a node continues to behave maliciously.
• Conclusion III: As Γ increases, detection rate decreases.
• Conclusion IV: And as m increases, detection rate increases.

Performance Review – Notations for Node Revocation (contd.)
• Effect of an increase in Nc on the detection rate.
• Conclusion V: As the number of requesting nodes to a malicious node increases, detection rate increases due to the increase in number of alerts sent.
• Relation between P` and N`.
• Conclusion VI: As Γ increases, N` and P` increase. As m increases, N` and P` decrease.

Performance Review – Notations for Node Revocation (contd.)
• Effect on N` when P is chosen so that P` is maximized.
• Conclusion VII: Initially N` increases fast but after a point it decreases due to the increase in the number of requests serviced.
• Conclusion VIII: N` decreases when threshold Γ decreases.
• The average number of non-malicious nodes revoked by the base station is at most:
    $N_f = \frac{2(1 - P_d) N_w + N_a (\tau' + 1)}{\tau + 1}$
• The reference used to define Γ and Ѓ:
    $P'(i) = \sum_{j + k = i} \frac{N_a!\, N_w!\, P_1^{j} (1 - P_1)^{N_a - j} P_2^{k} (1 - P_2)^{N_w - k}}{(N_a - j)!\, j!\, (N_w - k)!\, k!}$
• Conclusion IX: The thresholds Ѓ and Γ can be obtained by the above analysis, which should satisfy the condition on low Nf, or by choosing Ѓ and Γ that yield a minimum Nf, given Pd, Nw and Na.
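
The detection-rate analysis above, evaluated numerically as an added example (not code from the paper or the presentation). It chains Pr = 1 – (1 – P)^m, Pa = (Nb – Na)·Pr / N and Pd = 1 – Σ P(i) as read from the slides; the function names and the default network sizes are constructed for illustration.

```python
from math import comb

def report_probability(p, m):
    """Pr = 1 - (1 - P)^m: at least one of m detecting IDs gets a bad signal."""
    return 1 - (1 - p) ** m

def alert_probability(n, n_b, n_a, p_r):
    """Pa = (Nb - Na) * Pr / N."""
    return (n_b - n_a) * p_r / n

def detection_rate(n_c, p_a, tau):
    """Pd = 1 - sum_{i=0..tau} C(Nc, i) * Pa^i * (1 - Pa)^(Nc - i)."""
    not_revoked = sum(comb(n_c, i) * p_a**i * (1 - p_a) ** (n_c - i)
                      for i in range(tau + 1))
    return 1 - not_revoked

def revocation_rate(n_c, tau, m, p=0.1, n=1000, n_b=100, n_a=10):
    """Chain the three formulas; the default network sizes are constructed."""
    p_a = alert_probability(n, n_b, n_a, report_probability(p, m))
    return detection_rate(n_c, p_a, tau)

if __name__ == "__main__":
    # Sweep the alert threshold, the number of detecting IDs and Nc.
    for tau in (1, 2, 4):
        for m in (1, 4, 8):
            rates = [round(revocation_rate(n_c, tau, m), 3)
                     for n_c in (100, 400, 800)]
            print(f"tau={tau} m={m} Pd for Nc=100/400/800: {rates}")
```

The sweep reproduces the trends of Conclusions III to V: the rate falls as the alert threshold grows and rises with m and with Nc.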
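
The base station's alert and report counters with the two thresholds Γ and Ѓ, as an added example (not code from the paper or the presentation). `BaseStation` and `framing_attack` are hypothetical names, the scenario is constructed, and two details are assumptions: a counter may reach its threshold and is only over the limit when it exceeds it, and alerts against an already revoked target are dropped.

```python
from collections import defaultdict

class BaseStation:
    """Alert/report bookkeeping for beacon revocation (illustrative sketch)."""

    def __init__(self, alert_threshold, report_threshold):
        self.alert_threshold = alert_threshold     # Γ: alerts tolerated against a node
        self.report_threshold = report_threshold   # Ѓ: reports accepted from a node
        self.alerts = defaultdict(int)     # alert counter per target node
        self.reports = defaultdict(int)    # report counter per detecting node
        self.revoked = set()

    def receive_alert(self, detecting_id, target_id):
        """Process one alert; return True if the base station accepts it."""
        if self.reports[detecting_id] > self.report_threshold:
            return False        # reporter has used up its quota
        if target_id in self.revoked:
            return False        # assumption: target is already revoked
        # A revoked detector is still heard until its quota runs out.
        self.reports[detecting_id] += 1
        self.alerts[target_id] += 1
        if self.alerts[target_id] > self.alert_threshold:
            self.revoked.add(target_id)
        return True

def framing_attack(n_malicious, n_benign, alert_threshold, report_threshold):
    """Colluding malicious beacons flood alerts against benign beacons.

    Returns how many benign beacons end up revoked (constructed scenario).
    """
    bs = BaseStation(alert_threshold, report_threshold)
    attackers = [f"m{i}" for i in range(n_malicious)]
    sent = 0
    for b in range(n_benign):
        for _ in range(alert_threshold + 1):    # alerts needed to revoke one node
            bs.receive_alert(attackers[sent % n_malicious], f"b{b}")
            sent += 1
    return len(bs.revoked)
```

With Γ = 2 and Ѓ = 5, two colluding beacons get 12 alerts accepted in total and can revoke only 4 of 10 benign beacons, which matches the Na(Ѓ + 1)/(Γ + 1) term of the bound on Nf.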
Performance Review – Implementation on TinyOS
• Simulation results obtained from Nido (TinyOS simulator) conform to the theoretical values; some show a small difference, but in general the results are close to what was expected.
• Receiver Operating Characteristic curves (ROC curves).
• Conclusion X: Most of the beacon nodes are detected with few false positives; however, as the network continues to get compromised, the performance degrades accordingly.
• Γ and Ѓ were varied and P is configured such that N` is maximized.

And in Conclusion …
• Many protocols exist today that help in location discovery, such as AHLos, coarse-grained localization schemes, etc. None work properly in hostile environments wherein malicious nodes jeopardize the location discovery.
• SERLOC (SEcure Range-independent LOCalization for wireless sensor networks) is a secure range-free localization technique, but it cannot detect and remove malicious beacon nodes.
• In this paper localization is protected by detecting compromised beacon nodes. Methods adopted are very simple yet effective, and efficiency is guaranteed within the constraints of a sensor’s battery life and limited memory.
• Future work can be aimed at more efficient ways of reducing the false alert rate and methods to revoke malicious nodes without using the base station.