Protocol Exchange Meeting Feb 1-2, Naval Postgraduate School
SeRLoc: Secure Range-Independent
Localization for Wireless Sensor
Networks
Radha Poovendran
Network Security Lab
University of Washington
Graduate Student: Loukas Lazos
Outline
•
•
•
•
•
•
Motivation
Secure Localization Problem
SeRLoc
Threats and defenses
Performance Evaluation
Conclusions
Radha Poovendran Seattle, Washington
2
Why do we need location in WSN?
Location-dependent
services
Network
Access
functions
Control
Monitoring Apps
Radha Poovendran Seattle, Washington
3
Localization Problem
Localization: Sensor Location Estimation
• How do sensors become aware of their
position under non-deterministic
deployment?
• Choice of localization algorithm is based on:
• Resolution required
• Region of deployment
• Resource constraints of the devices
Radha Poovendran Seattle, Washington
7
Classification of Loc. Schemes
• Indoors vs. Outdoors:
• GPS, Centroid (outdoors).
• RADAR, Active Bat, AhLos (indoors).
• Infrastructureless (I-L) vs. Infrastructure based (IB):
• AhLos, Amorphous, DV-Hop (I-L).
• RADAR, Active Bat, AVL (I-B).
• Range-based (R-B) vs. Range-Independent (R-I):
• RADAR, Ahlos, GPS, Active Bat (R-B).
• APIT, DV-Hop, Amorphous, Centroid (R-I).
• Active vs. Passive
• Dv-hop, APIT (Active).
• RADAR (Passive).
Radha Poovendran Seattle, Washington
8
Localization in un-trusted environment
• WSN may be deployed in hostile
environments.
• Threats in sensor localization:
• External
• Replay attacks.
• Node Impersonation attacks.
• Internal
• Compromise of network entities.
• False location claims.
Radha Poovendran Seattle, Washington
9
Secure Location Services
• Secure Verification of Location Claims
[Sastry et al. WISE 2002].
• Location Privacy
Privacy-aware Location Sensor Networks
[Gruteser et al. USENIX 2003].
• Secure Localization: Ensure robust location
estimation even in the presence of
adversaries.
SeRLoc: [Lazos and Poovendran, WISE
2004].
S-GPS: [Kuhn 2004].
SPINE: [Capkun & Hubeaux, Infocom 2005].
Radha Poovendran Seattle, Washington
10
Outline
•
•
•
•
•
•
Motivation
Problem Description
SeRLoc
Threats and defense
Performance
Conclusions
Radha Poovendran Seattle, Washington
11
Our Approach: SeRLoc
• SeRLoc: SEcure Range-independent
LOCalization.
• SeRLoc features
• Passive Localization.
• No ranging hardware required.
• Decentralized Implementation,
Scalable.
• Robust against attacks - Lightweight
security.
Radha Poovendran Seattle, Washington
12
Network Model Assumptions (1)
Two-tier network architecture
Sensor range r
Directional
Locators:
Known
Location,
Randomly
deployed
Orientation
Antennas
(X2, Y2) r
Omnidirectional
Sensors:
Randomly
deployed, unknown
Antennas
location
(X4, Y4)
(X3, Y3)
(X1, Y1)
θ
R
(X5, Y5)
Beamwidth θ
N
Locator
Sensor
Locator range R
W
E
S
Radha Poovendran Seattle, Washington
13
Network Model Assumptions (2)
• Locator deployment: Homogeneous Poisson
point process of rate ρL (ρL: Locator density).
• Sensor deployment: Poisson point process
of rate ρs independent of locator
deployment (ρs: sensor density).
• Or can be seen as random sampling of the
deployment area with rate ρs (ρs >> ρL).
PLH s

 R 
 k 
2 k
L
k!
e
  LR 2
LHs: Locators heard at
a sensor s.
Radha Poovendran Seattle, Washington
14
The Idea of SeRLoc
Locator
Sensor
ROI
L4
L1
L3
• Each locator Li transmits
information that defines
the sector Si, covered by
each transmission.
s
• Sensor defines the region
of intersection (ROI) from
all locators it hears.
L3
ROI 
(0, 0)
LH s
S
i
i 1
Radha Poovendran Seattle, Washington
15
Outline
•
•
•
•
•
•
•
Motivation
Problem
SeRLoc
Threats and defense
Performance
High resolution localization: HiRLoc
Conclusions
Radha Poovendran Seattle, Washington
21
Threats
• Attacker aims at displacing the sensors
(false info is worse than no info).
• We do not address DoS attacks.
• We do not address jamming of the
communication medium. [Lazos &
Poovendran, IPSN 2005]
s
L1
Jamming
f
Radha Poovendran Seattle, Washington
22
How can a sensor be displaced?
• In SeRLoc: Sensor gets false localization
information.
• A) Replay beacons from a far-away
region.
• B) Impersonate locators and fabricate
beacons.
How can we protect broadcasted
localization information?
Radha Poovendran Seattle, Washington
23
SeRLoc - Security mechanisms
• Message Encryption: Messages encrypted with a
symmetric key K0.
ID authentication
• Beacon Format:
Synchronization var
Li : { (Xi, Yi) || (θi,1, θi,2) || (Hn-j(PWi)), j }
Locator’s coordinates
PWi
H
H0(Pwi)
H
Slopes of the sector
H1(Pwi)
H
K0
Shared symmetric key
H
Hn(Pwi)
Hash chain
function
•one-way
Every hash
sensor
stores the values Hn(PWi) for all the locators.
•
A sensor can authenticate all locators that are within its range
(one-hop authentication).
Radha Poovendran Seattle, Washington
24
SeRLoc – Wormhole Attack
sensor
Locator
Attacker
THREAT MODEL
• The attacker records beacon information
at region A
L4
L3
L1
• Tunnels it via the wormhole link at
region B, and replays the beacons.
Region B
• Sensor is misled to believe it hears the
set of locators LHs: {L1 - L8}.
L2
Wormhole link
Region A
• No compromise of integrity,
L8
L7
L5
authenticity of the communication
or crypto protocols.
Record beacons
• Direct link allows replay of the beacons
L6
in a timely fashion.
Radha Poovendran Seattle, Washington
25
Wormhole attack detection (1)
Accept only single message per locator
sensor
Locator
Attacker
obstacle
R
R
Ac
Wormhole link
Multiple messages from
the same locator are
heard due to:
–Multi-path effects;
–Imperfect sectorization.
–Replay attack.
R: locator-to-sensor
communication range. PSM   P LH A  1  1  e  L Ac
c

Radha Poovendran Seattle, Washington

26
Wormhole attack detection (2)
Locators heard by a sensor cannot be
more than 2R apart
sensor
Locator
2R
Ai
Attacker
Aj
R
Li
R
Li  L j  2 R
Lj
Wormhole link
R: locator-to-sensor
communication range.

PCR   1  e
Radha Poovendran Seattle, Washington
  L Ai
1  e
 L Aj

27
Wormhole attack detection (3)
Probability of wormhole detection
sensor
Locator
Attacker
2R
Ai
Aj
Ac
The events of a locator
being within any region
Ai, Aj, Ac are independent (Regions do not
overlap).
Wormhole link


Pdet  P SM  CR  PSM   PCR   P( SM ) P(CR)

 1 e
  L Ac
 e
  L Ac
1  e

  L Ai 2
Radha Poovendran Seattle, Washington
28
Wormhole attack detection (4)
Probability of wormhole detection
99.48%
L
Radha Poovendran Seattle, Washington
29
Resolution of location ambiguity
A sensor needs to distinguish the valid set of locators from the
replayed ones.
Attach to Closest Locator Algorithm (ACLA)
Closest Locator
L4
L1
Region B
L2
L3
1.
2.
Sensor s  : Broadcasts a nonce η.
Locator Li : Reply with a beacon +
the nonce η, encrypted with the pair-
wise key Ks,Li.
3. Sensor s  : Identify the locator
Lc with the first authentic reply.
4. Sensor s  : A locator Li belongs to the
valid set, only if it overlaps with the
sector defined by the beacon of Lc.
L8
L5
Wormhole link
Region A
L7
L6
Radha Poovendran Seattle, Washington
30
SeRLoc – Sybil Attack
THREAT MODEL
• The attacker impersonates multiple locators
(compromise of the globally shared key K0).
L2
L3
L1
L4
Collect hash values
Impersonator
• Attacker can fabricate arbitrary beacons.
• Hence, compromise the majority-based scheme, if
more than |LHs| locators impersonated.
Radha Poovendran Seattle, Washington
31
Sybil Attack detection (1)
• In a Sybil attack, the sensor hears at least twice the number of
locators it would normally hear.
• Define a threshold Lmax as the maximum allowable number of
locators heard, such that:
P(| LH s | Lmax )   ,
Lmax
P(| LH s |
)  1 
2
Probability of false alarm
Probability of Sybil
attack detection
• Design goal: Given security requirement δ, minimize false
alarm probability ε.
Radha Poovendran Seattle, Washington
32
Sybil Attack detection (2)
• Random locator deployment we can derive the Lmax value:
P LH s  k   1  
k
i 1
 R  e
2 i
L
  LR 2
i!
99%
Detection
probability
1 
52 locators
26 locators
5%
False alarm
Probability

Radha Poovendran Seattle, Washington
33
Sybil Attack defense
• Once a Sybil attack is detected, i.e. More
than Lmax locators are heard:
• Execute ACLA to attach sensor’s position
to the closest locator.
• Attacker needs to compromise the
pairwise key between a locator and the
sensor under attack to compromise ACLA.
What if a locator is compromised?
Radha Poovendran Seattle, Washington
34
SeRLoc – Compromised Locators
• Compromise of a locator Li reveals K0,
seed PWi to the hash chain of the locator.
• Attacker can
• Impersonate the Closest Locator.
• Compromise the ACLA algorithm.
• Displace any sensor that uses ACLA.
• Need an Enhanced version of ACLA
Radha Poovendran Seattle, Washington
35
Enhanced location determination algorithm
1. The sensor transmits a nonce with its ID
2. Locators within r from
and set LHs
the sensor relay the
nonce.
L1
L7
3. Locators within R
reply with a beacon +
the nonce.
L2
4. Sensor accepts
L9
first Lmax replies.
L6
L3
L5
• Attacker has to
compromise more than
Lmax/2 locators, AND
L4
L8
• Replay before authentic
replies arrive at s.
Radha Poovendran Seattle, Washington
36
Outline
•
•
•
•
•
•
Motivation
Secure Localization Problem
SeRLoc
Threats and defenses
Performance Evaluation
Conclusions
Radha Poovendran Seattle, Washington
37
Performance Evaluation
• Simulation setup:
― Random locator distribution with density ρL.
― Random sensor distribution with density 0.5.
• Performance evaluation metric:
1
LE 
S
S
siest  si
i 1
r

est
• s i : Sensor location estimation.
• si : Sensor actual location.
• r
: Sensor-to-sensor communication range.
• |S| : Number of sensors.
Radha Poovendran Seattle, Washington
38
Localization Error vs. Avg. LH
• M number of antenna
sectors.
• Each locator is
equivalent to M
reference points.
• In our simulation set
up, SeRLoc
outperforms most of
the schemes.
LH: Locators Heard
Radha Poovendran Seattle, Washington
39
Localization error vs. sector error
• Sector error: Fraction
of sectors falsely
estimated at each
sensor.
• Even when 50% of the
sectors are falsely
estimated, LE < r for LH
6
• SeRLoc is resilient
against sector error
due to the majority
vote scheme.
Radha Poovendran Seattle, Washington
41
Localization error vs. GPS error
• GPS Error (GPSE): Error
in the locators’
coordinates.
• For GPSE = 1.8r and
LH = 3, LE = 1.1r.
• DV-hop/Amorphous: LE
= 1.1r requires LH = 5
with no GPSE.
• APIT: LE = 1.1r
requires LH = 15 with
no GPSE.
Radha Poovendran Seattle, Washington
42
Summary and Conclusions
 SeRLoc is a two-tier network architecture:

Locators: Known coordinates, sectored antennas, fixed
transmission range.

Sensors: Passively determine their position, by
intersecting the antenna sectors heard.
 Resistance to attacks in WSN using:

Cryptographic primitives (encryption, hashing).

Geometric properties (Range of transmission).
 Analytically evaluated level of security via spatial
statistics.
 Current developments:

Characterize wormhole Problem [UW+NRL; WCNC 2005]

Resistance to jamming attacks, analytical evaluation
of error bounds [Lazos & Poovendran; ROPE 2005]
Radha Poovendran Seattle, Washington
45
Workshop Announcement
Workshop on Secure Localization of Wireless
Sensor Networks: June 2005, University of
Washington.
Radha Poovendran Seattle, Washington
47