Monte Carlo Techniques for Secure Localization David Evans

Monte Carlo Techniques for Secure Localization
ARO Workshop on Localization in Wireless Sensor Networks, 14 June 2005
David Evans, University of Virginia, Computer Science
http://www.cs.virginia.edu/evans
Sensor Nodes: MICA2 Mote (UCB/Crossbow) compared with the Apollo Guidance Computer and a typical 2005 desktop (multipliers are relative to the MICA2)

                   Apollo Guidance Computer    MICA2                                   Typical 2005 Desktop
Memory             0.01 x (4K 14-bit words)    644 KB (128 K program flash memory /    400 x (just RAM)
                                               4 K config EEPROM / 512 K data)         130 000 x (hard drive)
Processor Speed    0.007 x (add in 20s)        7 MHz                                   500 x
Electrical Power   1500 x (~70W)               ~40mW (2 AA batteries)                  2000 x (~100W, CPU only)
Mass               1667 x (30kg)               18 grams (+ batteries)                  167 x (3kg)

Apollo Guidance Computer photo: http://ed-thelen.org/comp-hist/
www.cs.virginia.edu/physicrypt
Sensor Network Applications
• Volcano Monitoring: http://www.eecs.harvard.edu/~werner/projects/volcano/
• Reindeer Tracking (Sámi Network Connectivity Project); photo: http://news.bbc.co.uk/1/hi/technology/2491501.stm
• Battlefield Event Tracking
This Talk
• Location Matters
– How do nodes know where they are? [L. Hu and D. Evans. Localization for Mobile Sensor Networks. MobiCom 2004.]
• Security (Sometimes) Matters
– How can we provide trust without infrastructure? [L. Hu and D. Evans. Using Directional Antennas to Prevent Wormhole Attacks. NDSS 2004.]
Determining Location
• Direct approaches
– Configured manually
• Expensive
• Not possible for ad hoc, mobile networks
– GPS
• Expensive (cost, size, energy)
• Only works outdoors, on Earth
• Indirect approaches
– Small number of seed nodes
• Seeds are configured or have GPS
– Other nodes determine location based on messages received
Hop-Count Techniques
[Figure: nodes labelled with their hop counts from the seeds, radio range r; DV-HOP (Niculescu & Nath, 2003) and Amorphous (Nagpal et al., 2003)]
Works well with a few, well-located seeds and regular, static node distribution. Works poorly if nodes move or are unevenly distributed.
Local Techniques
Centroid [Bulusu, Heidemann, Estrin, 2000]: calculate the center of all heard seed locations
APIT [He et al., MobiCom 2003]: use triangular regions
Both depend on a high density of seeds (with long transmission ranges)
Our Goal
• (Reasonably) Accurate Localization in Mobile Networks
• Low Density, Arbitrarily Placed Seeds
• Range-free: no special hardware
• Low communication (limited addition to normal neighbor discovery)
Scenarios
• Nodes stationary, seeds moving (e.g., NASA Mars Tumbleweed; image by Jeff Antol)
• Nodes moving, seeds stationary
• Nodes and seeds moving
Our Approach: Monte Carlo Localization
• Adapts an approach from robotics localization [Frank Dellaert, Dieter Fox, Wolfram Burgard and Sebastian Thrun. Monte Carlo Localization for Mobile Robots. ICRA 1999.]
• Take advantage of mobility:
– Moving makes things harder…but provides more information
– Properties of time and space limit possible locations; cooperation from neighbors
MCL: Initialization
[Figure: the node's actual position among its N random sample locations]
Initialization: Node has no knowledge of its location.
L0 = { set of N random locations in the deployment area }
MCL Step: Predict, Filter
[Figure: the node's actual position, its sample set, and a seed node within radio range r. Seed node: knows and transmits its location.]
Predict: Node guesses new possible locations based on the previous possible locations and the maximum velocity, vmax:
p(lt | lt-1) = c if d(lt, lt-1) < vmax
             = 0 if d(lt, lt-1) ≥ vmax
Filter: Remove samples that are inconsistent with the observations.
Observations
Direct Seed: If the node hears a seed, the node must (likely) be within distance r of the seed's location.
Indirect Seed: If the node doesn't hear a seed, but one of its neighbors hears it, the node must be within distance (r, 2r] of that seed's location.
Resampling
Use the prediction distribution to create enough sample points that are consistent with the observations. N = 20 is good, N = 50 is plenty.
Recap: Algorithm
Initialization: Node has no knowledge of its location.
L0 = { set of N random locations in the deployment area }
Iteration Step: Compute the new possible location set Lt based on Lt-1, the possible location set from the previous time step, and the new observations.
Lt = { }
while (size (Lt) < N) do
  R = { l | l is selected from the prediction distribution }
  Rfiltered = { l | l ∈ R and the filtering condition is met }
  Lt = choose (Lt ∪ Rfiltered, N)
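The recap algorithm in Python, as an added example that is not code from the talk or its paper: the filtering condition is the one from the Observations slide (within r of a directly heard seed, within (r, 2r] of an indirectly heard one), the deployment area, seed positions and node position are constructed, and the prior L0 is drawn as fresh uniform samples rather than a fixed set of N points (an assumption).

```python
import math
import random

R = 1.0       # radio range r; all distances below are in units of r
V_MAX = 0.2   # maximum node speed per time step (the slides' vmax = .2r case)
N = 20        # sample-set size (the slides: N = 20 is good, N = 50 is plenty)
AREA = 10.0   # deployment area is AREA x AREA (constructed for this example)

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def consistent(sample, direct, indirect):
    """Filtering condition from the Observations slide: within r of every seed
    heard directly and within (r, 2r] of every seed heard only via a neighbor."""
    return (all(dist(sample, s) <= R for s in direct)
            and all(R < dist(sample, s) <= 2 * R for s in indirect))

def predict(prev, rng):
    """One draw from p(lt | lt-1): a previous sample moved uniformly within
    radius vmax. With no previous set (t = 1) the prior L0 is uniform over the area."""
    if prev is None:
        return (rng.uniform(0, AREA), rng.uniform(0, AREA))
    lx, ly = rng.choice(prev)
    ang, d = rng.uniform(0, 2 * math.pi), V_MAX * math.sqrt(rng.random())
    return (lx + d * math.cos(ang), ly + d * math.sin(ang))

def mcl_step(prev, direct, indirect, rng, max_tries=20000):
    """Lt = choose(Lt ∪ Rfiltered, N): predict, filter, repeat until N samples."""
    new = []
    for _ in range(max_tries):
        if len(new) >= N:
            break
        cand = predict(prev, rng)
        if consistent(cand, direct, indirect):   # filter out inconsistent samples
            new.append(cand)
    return new if new else prev   # nothing consistent found: keep the old set

def estimate(samples):
    return (sum(p[0] for p in samples) / len(samples),
            sum(p[1] for p in samples) / len(samples))

def demo(seed=1, steps=5):
    """Constructed scenario: a node at (5, 5) hears two seeds directly and a
    third only through a neighbor. Returns (estimate error in r, final Lt)."""
    rng = random.Random(seed)
    actual, direct, indirect = (5.0, 5.0), [(4.5, 5.2), (5.6, 4.9)], [(6.5, 5.0)]
    samples = None
    for _ in range(steps):
        samples = mcl_step(samples, direct, indirect, rng)
    return dist(estimate(samples), actual), samples
```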
Convergence
[Figure: Average Estimate Error (r) vs. Time (steps), 0 to 50; node density nd = 10, seed density sd = 1; curves for vmax = .2r, smax = 0; vmax = r, smax = 0; vmax = r, smax = r]
Localization error converges in the first 10-20 steps
Speed Helps and Hurts
[Figure: Estimate Error (r) vs. vmax (r distances per time unit), 0.1 to 2; node density nd = 10; curves for sd = 1, smin = 0, smax = vmax; sd = 1, smax = smin = r; sd = 2, smax = vmax; sd = 2, smax = smin = r]
Increasing speed increases location uncertainty, but provides more observations.
Seed Density
[Figure: Estimate Error (r) vs. Seed Density, 0.1 to 4; nd = 10, vmax = smax = .2r; curves for Centroid, Amorphous and MCL]
Centroid: Bulusu, Heidemann and Estrin. IEEE Personal Communications Magazine. Oct 2000.
Amorphous: Nagpal, Shrobe and Bachrach. IPSN 2003.
Better accuracy than other localization algorithms over a range of seed densities
Questionable Assumption: Radio Transmissions
Model: all nodes within distance r hear a transmission, no nodes further away do.
Reality: radio transmissions are irregular.
Radio Irregularity
[Figure: Estimate Error (r) vs. Degree of Irregularity (r varies ±dr), 0 to 0.5; nd = 10, sd = 1, vmax = smax = .2r; curves for Centroid, Amorphous and MCL]
Insensitive to irregular radio pattern
Questionable Assumption: Motion is Random
Model: modified random waypoint.
Reality: the environment creates motion.
Motion
Stream and Currents
[Figure: Estimate Error (r) vs. Maximum Group Motion Speed (r units per time step), 0 to 6; nd = 10, vmax = smax = r; curves for sd = .3, sd = 1, sd = 2]
Adversely affected by consistent group motion
Random Waypoint vs. Area Scan
[Figure: Estimate Error (r) vs. Time, 0 to 200; curves for Random, vmax = 0, smax = .2r; Random, vmax = smax = .2r; Area Scan]
Controlled motion of seeds improves accuracy
What about security?
Localization Security Issues
• Denial-of-Service: prevent a node from localizing
– Global: jam GPS or radio transmissions
– Local: disrupt a particular node's localization
• Confidentiality: keep location secret
• Verifiability: prove your location to others
• Integrity
– Attacker makes a node think it is somewhere different from its actual location
MCL Advantages
• Filtering
– Bogus seeds filter out possible locations
– As long as one legitimate observation is received, the worst an attacker can do is denial-of-service
• Direct
– Does not require long range seed-node communication
• Historical
– Current possible location set reflects the history of previous observations
Authenticating Announcements (Simple, Insecure Version)
1. S → region: IDS (broadcast identity)
2. N → S: IDN (send identity)
3. S → N: E_KNS(LS) (respond with location encrypted with the shared key; KNS is a pre-loaded pairwise shared key)
Vulnerable to simple replay attacks
Authenticating Announcements
1. S → region: IDS (broadcast identity)
2. N → S: RN | IDN (send nonce challenge)
3. S → N: E_KNS(RN | LS) (respond with location)
Prevents simple replay attacks (but not wormhole attacks)
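The two versions side by side, as an added example rather than code from the talk: the reply under the pairwise key KNS is represented by an HMAC instead of encryption (an assumption; the replay defence is the nonce, not the primitive), and the key, identities and location are constructed values.

```python
import hashlib
import hmac
import os

def mac(key, msg):
    # Stands in for E_KNS(...) from the slides: the reply is authenticated
    # under the pairwise key rather than encrypted (assumption for this example)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Seed:
    def __init__(self, loc, pairwise_keys):
        self.loc, self.keys = loc, pairwise_keys       # KNS pre-loaded per node
    def respond_v1(self, id_n):                        # 3. S -> N: E_KNS(LS)
        return (self.loc, mac(self.keys[id_n], self.loc))
    def respond_v2(self, id_n, r_n):                   # 3. S -> N: E_KNS(RN | LS)
        return (r_n, self.loc, mac(self.keys[id_n], r_n + b"|" + self.loc))

class Node:
    def __init__(self, id_n, k_ns):
        self.id_n, self.k_ns, self.outstanding = id_n, k_ns, None

    def accept_v1(self, reply):
        # Insecure version: any reply under KNS is accepted, so a reply recorded
        # earlier (before the seed moved, say) passes again when replayed
        loc, tag = reply
        return loc if hmac.compare_digest(mac(self.k_ns, loc), tag) else None

    def challenge(self):                               # 2. N -> S: RN | IDN
        self.outstanding = os.urandom(16)
        return self.outstanding, self.id_n

    def accept_v2(self, reply):
        # Nonce version: the reply must carry the nonce of the challenge that is
        # still outstanding; a replayed reply carries a stale nonce and is dropped
        r_n, loc, tag = reply
        if self.outstanding is None or r_n != self.outstanding:
            return None
        self.outstanding = None                        # one reply per challenge
        return loc if hmac.compare_digest(mac(self.k_ns, r_n + b"|" + loc), tag) else None

def demo():
    k = b"constructed-pairwise-key-KNS"
    seed, node = Seed(b"(3.0,4.0)", {b"N": k}), Node(b"N", k)
    recorded = seed.respond_v1(b"N")                   # a reply captured earlier...
    replay_v1 = node.accept_v1(recorded)               # ...is accepted again as-is
    r_n, id_n = node.challenge()
    fresh = node.accept_v2(seed.respond_v2(id_n, r_n))
    node.challenge()                                   # a new round, new nonce
    replay_v2 = node.accept_v2(seed.respond_v2(id_n, r_n))   # old reply: rejected
    return replay_v1, fresh, replay_v2
```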
Broadcast Authentication
• Requires asymmetry:
– Every node can verify the message
– Only the legitimate seed can create it
• Traditional approach: asymmetry of information (public/private keys)
– Requires long messages: too expensive for sensor nodes
• Instead use time asymmetry
Using Time Asymmetry
Based on TESLA: Perrig et al. 2002
Time n:     KS(n-1) | Sign(IDS | LS, KSn)
Time n + 1: KSn | Sign(IDS | LS, KS(n+1))
f is a one-way function (easy to compute f(x), hard to invert)
Initially: nodes know KS0 = f^max(x) for each seed; the seed knows x and calculates KSn = f^(max-n)(x)
Nodes verify each key as it is received against the previous one: f(KS1) = KS0
Requires loose time synchronization
Saves node transmissions, multiple seed transmissions
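The key-chain check above in Python, as an added example that is not from the talk: SHA-256 plays the one-way function f, an HMAC keyed with KSn plays Sign, and the seed secret x, chain length max, identities and location are constructed.

```python
import hashlib
import hmac
MAX = 8   # chain length "max" from the slide; constructed for this example

def f(key):                      # the slide's one-way function; SHA-256 here (assumption)
    return hashlib.sha256(key).digest()

def f_pow(x, n):                 # f^n(x)
    for _ in range(n):
        x = f(x)
    return x

def sign(msg, key):              # Sign(IDS | LS, KSn); an HMAC keyed with KSn (assumption)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Seed:
    """Knows x, KSn = f^(max-n)(x); at time n discloses KS(n-1), signs with KSn."""
    def __init__(self, x, id_s, loc):
        self.x, self.msg = x, id_s + b"|" + loc       # IDS | LS
    def key(self, n):
        return f_pow(self.x, MAX - n)
    def announce(self, n):                            # KS(n-1) | Sign(IDS | LS, KSn)
        return self.key(n - 1), self.msg, sign(self.msg, self.key(n))

class Node:
    """Pre-loaded with KS0 = f^max(x); accepts a key only if it hashes to the last one."""
    def __init__(self, ks0):
        self.last_key, self.pending, self.verified = ks0, None, []
    def receive(self, disclosed_key, msg, sig):
        if disclosed_key != self.last_key:            # a newly disclosed key...
            if f(disclosed_key) != self.last_key:     # ...must satisfy f(KSn) = KS(n-1)
                return False                          # forged, replayed or out of order
            self.last_key = disclosed_key
        if self.pending is not None:                  # announcement buffered last interval
            pmsg, psig = self.pending                 # is now checkable with the disclosed key
            if hmac.compare_digest(sign(pmsg, disclosed_key), psig):
                self.verified.append(pmsg)
        # Loose time synchronization: buffer only announcements whose key cannot
        # have been disclosed yet, else a late forgery passes. Not checked here.
        self.pending = (msg, sig)
        return True

def demo():
    seed = Seed(b"constructed-secret-x", b"S1", b"(3.0,4.0)")
    node = Node(seed.key(0))                          # nodes start with KS0 only
    accepted = [node.receive(*seed.announce(n)) for n in range(1, 4)]
    replayed = node.receive(*seed.announce(2))        # KS1 resent: no longer chains to KS2
    forged = node.receive(b"\x00" * 32, b"S1|(9.0,9.0)", b"\x00" * 32)
    return accepted, node.verified, replayed, forged
```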
Wormhole Attack
[Figure: attacker transceivers X and Y at two locations in the network]
The attacker uses transceivers at two locations in the network to replay (selectively) packets at a different location
Protocol Idea
• A wormhole attack depends on a node that is not nearby convincing another node that it is
• Periodically verify that neighbors are really neighbors
• Only accept messages from verified neighbors
Previous Solutions: Light Speed is Slow
• Distance Bounding [Brands and Chaum, EUROCRYPT 1993]
– Light travels 1 ft per nanosecond (~4 cycles on a modern PC!)
• Packet "Leashes" [Yih-Chun Hu, Perrig and Johnson. INFOCOM 2003]
• Use distance bounding to perform secure multilateration [Capkun and Hubaux, 2004]
• Need special hardware to instantly respond to received bits
Our Approach: Use Direction
[Figure: six antenna zones numbered 1 to 6 around a node; a directional transmission from zone 4 compared with an omnidirectional transmission. Zones are aligned to magnetic North, so zone 1 always faces East.]
Model based on [Choudhury and Vaidya, 2002]
General benefits: power saving, fewer collisions
Improves localization accuracy
Directional Neighbor Discovery
[Figure: nodes A and B, each with six antenna zones; zone(B, A) = 4 is the antenna zone in which B hears A]
1. A → Region: HELLO | IDA (sent by all antenna elements, sweeping)
2. B → A: IDB | E_KBA(IDA | R | zone(B, A)) (sent by the zone(B, A) element; R is a nonce)
3. A → B: R (A checks that the zone is opposite; sent by the zone(A, B) element)
Detecting False Neighbors
[Figure: wormhole endpoints X near A and Y near B; zone(B, A[Y]) = 1, zone(A, B[X]) = 1]
False Neighbor: zone(A, B) should be opposite zone(B, A)
Not Detecting False Neighbors
[Figure: wormhole endpoints X near A and Y near B; zone(B, A[Y]) = 4, zone(A, B[X]) = 1]
Undetected False Neighbor: zone(A, B) = opposite of zone(B, A)
Directional neighbor discovery prevents 1/6 of false direct links…but doesn't prevent disruption
Observation: Cooperate!
• A wormhole can only trick nodes in particular locations
• Verify neighbors using other nodes
• Based on the direction from which you hear the verifier node, and the direction in which it hears the announcer, a node can distinguish a legitimate neighbor
Verifier Region
[Figure: antenna zones around B; in the example zone(B, A) = 4, zone(V, A) = 3 and zone(B, V) = 5]
A verifier V must satisfy these two properties:
1. B and V hear A in different zones: zone(B, A) ≠ zone(V, A). This proves B and V don't hear A through a wormhole.
2. V is heard by B in a different zone from A: zone(B, A) ≠ zone(B, V). This proves B is not hearing V through a wormhole.
(one more constraint will be explained soon)
Worawannotai Attack
[Figure: nodes A, B and V, wormhole endpoint X, Region 1 and Region 2]
V hears A and B directly, and A and B hear V directly. But A and B hear each other only through the repeater X.
Preventing Attack
1. zone(B, A) ≠ zone(B, V)
2. zone(B, A) ≠ zone(V, A)
3. zone(B, V) cannot be both adjacent to zone(B, A) and adjacent to zone(V, A)
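The six-zone geometry behind the direct check of the Directional Neighbor Discovery and False Neighbors slides and the three verifier constraints above, as an added example (not code from the talk): the zone numbering and the opposite/adjacent relations are taken from the figures, and undetected_fraction counts how many zone pairs the direct check alone lets through.

```python
from fractions import Fraction
from itertools import product

ZONES = 6   # six antenna zones, numbered 1-6 around the node as on the slides

def opposite(zone):
    """Zone facing the other way: 1 <-> 4, 2 <-> 5, 3 <-> 6."""
    return (zone + 2) % ZONES + 1

def adjacent(z1, z2):
    """True when two zones share an edge (differ by one, wrapping 6 -> 1)."""
    return (z1 - z2) % ZONES in (1, ZONES - 1)

def direct_link_ok(zone_ba, zone_ab):
    """Step 3 of directional neighbor discovery: A accepts B only if
    zone(A, B) is opposite zone(B, A)."""
    return zone_ab == opposite(zone_ba)

def undetected_fraction():
    """Share of (zone(B, A), zone(A, B)) pairs that pass the direct check, i.e.
    the share of false direct links a relay in arbitrary directions gets through."""
    pairs = list(product(range(1, ZONES + 1), repeat=2))
    return Fraction(sum(direct_link_ok(ba, ab) for ba, ab in pairs), len(pairs))

def is_valid_verifier(zone_ba, zone_va, zone_bv, strict=True):
    """The verifier constraints from the slides. strict=True adds the third,
    which prevents the Worawannotai attack at the cost of more lost links."""
    if zone_ba == zone_bv:          # 1. B must hear A and V in different zones
        return False
    if zone_ba == zone_va:          # 2. B and V must hear A in different zones
        return False
    if strict and adjacent(zone_bv, zone_ba) and adjacent(zone_bv, zone_va):
        return False                # 3. zone(B, V) not adjacent to both
    return True

def verifier_zones(zone_ba, zone_va, strict=True):
    """Zones in which B may hear an acceptable verifier, given how B and V hear A."""
    return [z for z in range(1, ZONES + 1)
            if is_valid_verifier(zone_ba, zone_va, z, strict)]
```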
Verified Neighbor Discovery
1. A → Region: announcement, done through sequential sweeping (same as before)
2. B → A: include nonce and zone information in the message (same as before)
3. A → B: check zone information and send back the nonce (same as before)
4. B → Region: INQUIRY | IDB | IDA | zone(B, A) (request for a verifier to validate A)
5. V → B: IDV | E_KBV(IDA | zone(V, B)) (if V is a valid verifier, it sends confirmation)
6. B → A: accept A as its neighbor and notify A
Cost Analysis
• Communication Overhead
– Adds messages for inquiry, verification and acceptance
– Minimal for slow-changing networks
• Connectivity
– How many legitimate links are lost because they cannot be verified?
Lose Some Legitimate Links
[Figure: Link Discovery Probability vs. Node Distance (r), 0 to 1, for Network Density = 10 and Network Density = 3; curves for the Verified Protocol and the Strict Protocol (Preventing Worawannotai Attack)]
…but small effect on connectivity and routing
[Figure: Average Path Length vs. Omnidirectional Node Density, 4 to 20; network density = 10; curves for Strict Protocol, Verified Protocol and Trust All]
Verified protocol: 0.5% of links are lost, no nodes disconnected
Strict protocol: 40% of links are lost, 0.03% of nodes disconnected
Dealing with Error
[Figure: Ratio vs. Maximum Directional Error Degree, 0 to 60, for Network Density = 3 and Network Density = 10; curves for Lost Links, Strict Protocol and Disconnected Nodes, Strict Protocol]
Even with no control over antenna alignment, few nodes are disconnected
Vulnerabilities
• Attacker with multiple wormhole endpoints
– Can create packets coming from different directions to appear neighborly
• Antenna, orientation inaccuracies
– Real transmissions are not perfect wedges
• Magnet Attacks
– Protocol depends on compass alignment
Conclusion
• Computing is moving into the real world:
– Rich interfaces to the environment
– No perimeters
• Simple properties of the physical world are useful:
– Space and time can be used to achieve accurate localization cheaply
– Space consistency requirements can prevent wormhole attacks
Thanks!
Students: Lingxuan Hu, Chalermpong Worawannotai, Nathanael Paul, Ana Nora Sovarel, Jinlin Yang, Joel Winstead
Funding: NSF ITR, NSF CAREER, DARPA SRS
For slides and paper links: http://www.cs.virginia.edu/evans/talks/aro/