Monte Carlo Techniques for Secure Localization David Evans
advertisement
Monte Carlo
Techniques
for Secure Localization
ARO Workshop on Localization in
Wireless Sensor Networks
14 June 2005
http://www.cs.virginia.edu/evans
David Evans
University of Virginia
Computer Science
MICA2 Mote
(UCB/Crossbow)
Sensor Nodes
MICA2
Typical 2005
Desktop
644 KB
400 x (just RAM)
(128 K program flash
memory /
4 K config EEPROM / 512 K
data)
130 000 x (hard drive)
Processor
Speed
7 MHz
500 x
Electrical
Power
~40mW
2 AA batteries
2000 x
~100W (CPU only)
Mass
18 grams
(+ batteries)
167 x
3kg
Memory
www.cs.virginia.edu/physicrypt
2
Apollo
Guidance
Computer
MICA2
MICA2
Typical 2005
Desktop
Typical 2004
644 KB
400 x (just RAM)
(128 K program flash
memory /
4 K config EEPROM / 512 K
data)
130 000 x (hard drive)
Processor 0.007 x
(add in 20s)
Speed
7 MHz
500 x
Electrical
Power
1500 x
~70W
~40mW
2 AA batteries
2000 x
~100W (CPU only)
Mass
1667 x
30kg
18 grams
(+ batteries)
167 x
3kg
Memory
0.01 x
(4K 14-bit words)
Photo: http://ed-thelen.org/comp-hist/
www.cs.virginia.edu/physicrypt
3
Desktop
Apollo
Guidance
Computer
MICA2
MICA2
Typical 2004
Desktop
Typical 2004
644 KB
400 x (just RAM)
(128 K program flash
memory /
4 K config EEPROM / 512 K
data)
130 000 x (hard drive)
Processor 0.007 x
(add in 20s)
Speed
7 MHz
500 x
Electrical
Power
1500 x
~70W
~40mW
2 AA batteries
2000 x
~100W (CPU only)
Mass
1667 x
30kg
18 grams
(+ batteries)
167 x
3kg
Memory
0.01 x
(4K 14-bit words)
Photo: http://ed-thelen.org/comp-hist/
www.cs.virginia.edu/physicrypt
4
Desktop
Sensor Network Applications
Volcano Monitoring
http://www.eecs.harvard.edu/~werner/projects/volcano/
Reindeer Tracking
(Sámi Network Connectivity Project)
Photo: http://news.bbc.co.uk/1/hi/technology/2491501.stm
Battlefield Event Tracking
www.cs.virginia.edu/physicrypt
5
This Talk
• Location Matters
– How do nodes know where they are?
L. Hu and D. Evans. Localization for Mobile
Sensor Networks. MobiCom 2004.
• Security (Sometimes) Matters
– How can we provide trust without
infrastructure? L. Hu and D. Evans. Using Directional Antennas
to Prevent Wormhole Attacks. NDSS 2004.
www.cs.virginia.edu/physicrypt
6
Determining Location
• Direct approaches
– Configured manually
• Expensive
• Not possible for ad hoc, mobile networks
– GPS
• Expensive (cost, size, energy)
• Only works outdoors, on Earth
• Indirect approaches
– Small number of seed nodes
• Seeds are configured or have GPS
– Other nodes determine location based on
messages received
www.cs.virginia.edu/physicrypt
7
Hop-Count Techniques
r
4
1
2
3
1
3
4
4
5
2
3
7
4
3
8
6
DV-HOP
[Niculescu & Nath,
2003]
Amorphous
[Nagpal et. al,
2003]
4
5
Works well with a few, well-located seeds and
regular, static node distribution. Works poorly if
nodes move or are unevenly distributed.
www.cs.virginia.edu/physicrypt
8
Local Techniques
Centroid [Bulusu,
Heidemann, Estrin,
2000]:
Calculate center of all
heard seed locations
Depend on a high density of seeds
(with long transmission ranges)
www.cs.virginia.edu/physicrypt
9
APIT [He, et. al,
Mobicom 2003]:
Use triangular
regions
Our Goal
• (Reasonably) Accurate Localization in
Mobile Networks
• Low Density, Arbitrarily Placed Seeds
• Range-free: no special hardware
• Low communication (limited addition to
normal neighbor discovery)
www.cs.virginia.edu/physicrypt
10
Scenarios
Nodes stationary, seeds moving
NASA Mars Tumbleweed
Image by Jeff Antol
Nodes moving, seeds stationary
Nodes and seeds moving
www.cs.virginia.edu/physicrypt
11
Our Approach:
Monte Carlo Localization
• Adapts an approach from robotics
localization Frank Dellaert, Dieter Fox, Wolfram
Burgard and Sebastian Thrun. Monte Carlo
Localization for Mobile Robots. ICRA 1999.
• Take advantage of mobility:
– Moving makes things harder…but provides
more information
– Properties of time and space limit possible
locations; cooperation from neighbors
www.cs.virginia.edu/physicrypt
12
MCL: Initialization
Node’s actual position
Initialization: Node has no knowledge of its location.
L0 = { set of N random locations in the deployment area }
www.cs.virginia.edu/physicrypt
13
MCL Step: Filter
Predict
Node’s actual position
p(lt | lt-1) =
c if d(lt, lt-1)
< vmax
0 if d(lt, lt-1)
≥ vmax
r
Seed node:
knows
and transmits
location
Predict:Remove
Node guesses
locationswith
based on
Filter:
samplesnew
thatpossible
are inconsistent
previous
possible locations and maximum velocity, vmax
observations
www.cs.virginia.edu/physicrypt
14
Observations
S
S
Direct Seed
If node hears a seed,
the node must (likely) be
with distance r of
the seed’s location
www.cs.virginia.edu/physicrypt
Indirect Seed
If node doesn’t hear a seed,
but one of your neighbors
hears it, node must be within
distance (r, 2r] of that seed’s
location.
15
Resampling
N = 20 is
good,
N = 50
is plenty
Use prediction distribution to create enough sample
points that are consistent with the observations.
www.cs.virginia.edu/physicrypt
16
Recap: Algorithm
Initialization: Node has no knowledge of its location.
L0 = { set of N random locations in the deployment area }
Iteration Step:
Compute new possible location set Lt based on Lt-1, the
possible location set from the previous time step, and
the new observations.
Lt = { }
while (size (Lt) < N) do
R = { l | l is selected from the prediction distribution }
Rfiltered = { l | l where l R and filtering condition is met }
Lt = choose (Lt Rfiltered, N)
www.cs.virginia.edu/physicrypt
17
Convergence
Average Estimate Error (r)
2
Node density nd = 10, seed density sd = 1
1.8
1.6
1.4
1.2
v max =.2 r , s max =0
1
0.8
v max =r, s max =0
0.6
0.4
v max =r, s max =r
0.2
0
0
5
10
15
20
25
30
35
40
45
Time (steps)
Localization error converges in first 10-20 steps
www.cs.virginia.edu/physicrypt
18
50
Speed Helps and Hurts
1
Node density nd = 10
0.9
Estimate Error (r)
0.8
0.7
0.6
0.5
sd=1, smin =0, smax =vmax
sd=1, smax =smin =r
0.4
0.3
sd=2, smax =vmax
0.2
0.1
0
sd=2, smax =smin =r
0.1 0.2 0.4
0.6 0.8 1
1.2 1.4 1.6
vmax (r distances per time unit)
1.8
Increasing speed increases location uncertainty
̶ but provides more observations.
www.cs.virginia.edu/physicrypt
19
2
Estimate Error (r)
Seed Density
3
2.8
2.6
2.4
2.2
2
1.8
1.6
1.4
1.2
1
0.8
0.6
0.4
0.2
0
nd = 10, vmax = smax=.2r
Centroid: Bulusu,
Heidemann and
Estrin. IEEE
Centroid
Personal
Communications
Magazine. Oct 2000.
Amorphous
Amorphous: Nagpal,
Shrobe and
Bachrach. IPSN
2003.
MCL
0.1 0.5
1
1.5
2
2.5
Seed Density
3
3.5
4
Better accuracy than other localization algorithms over
range of seed densities
www.cs.virginia.edu/physicrypt
20
Questionable Assumption:
Radio Transmissions
r
r
Model: all nodes
with distance r hear
transmission, no nodes
further away do
www.cs.virginia.edu/physicrypt
Reality: radio
tranmissions
are irregular
21
Radio Irregularity
2
nd = 10, sd = 1, vmax = smax=.2r
1.8
Estimate Error (r)
1.6
Centroid
1.4
1.2
1
Amorphous
0.8
0.6
MCL
0.4
0.2
0
0
0.1
0.2
0.3
0.4
Degree of Irregularity (r varies ±dr)
Insensitive to irregular radio pattern
www.cs.virginia.edu/physicrypt
22
0.5
Questionable Assumption:
Motion is Random
Model: modified
random waypoint
www.cs.virginia.edu/physicrypt
Reality:
environment
creates motion
23
Motion
Stream and Currents
Random Waypoint vs. Area Scan
4
Estimate Error (r)
Estimate Error (r)
6
5.5
nd=10, vmax=smax=r
5
4.5
4
3.5
sd =.3
3
2.5
2
sd =1
1.5
1
sd =2
0.5
0
0 0.5 1
2
4
6
Maximum Group Motion Speed (r units per time step)
Adversely affected by
consistent group motion
www.cs.virginia.edu/physicrypt
Random,
vmax=0, smax=.2r
3
2
Random, vmax=smax=.2r
Area Scan
1
Scan
0
0
20
40
60
80 100 120 140 160 180 200
Time
Controlled motion of seeds
improves accuracy
24
What
about
security?
www.cs.virginia.edu/physicrypt
25
Localization Security Issues
• Denial-of-Service: prevent node from
localizing
– Global: jam GPS or radio transmissions
– Local: disrupt a particular nodes localization
• Confidentiality: keep location secret
• Verifiability: prove your location to others
• Integrity
– Attacker makes node think it is somewhere
different from actual location
www.cs.virginia.edu/physicrypt
26
MCL Advantages
• Filtering
– Bogus seeds filter out possible locations
– As long as one legitimate observation is received,
worst attacker can do is denial-of-service
• Direct
– Does not require long range seed-node
communication
• Historical
– Current possible location set reflects history of
previous observations
www.cs.virginia.edu/physicrypt
27
Authenticating Announcements
(Simple, Insecure Version)
2. IDN
1. IDS
S
N
3. EKNS(LS)
1. S region IDS
2. N S
IDN
3. S N
EKNS(LS )
KNS is a
pre-loaded
pairwise
shared key
Broadcast identity
Send identity
Respond with location encrypted
with shared key
Vulnerable to simple replay attacks
www.cs.virginia.edu/physicrypt
28
Authenticating Announcements
2. RN | IDN
1. IDS
S
N
3. EKNS(RN | LS)
1. S region IDS
2. N S
RN | IDN
3. S N
EKNS(RN | LS )
Broadcast identity
Send nonce challenge
Respond with location
Prevents simple replay attacks (but not wormhole attacks)
www.cs.virginia.edu/physicrypt
29
Broadcast Authentication
• Requires asymmetry:
– Every node can verify message
– Only legitimate seed can create it
• Traditional approach: asymmetry of
information (public/private keys)
– Requires long messages: too expensive for
sensor nodes
• Instead use time asymmetry
www.cs.virginia.edu/physicrypt
30
Using Time Asymmetry
Based on Tesla:
Perrig, et. al. 2002
KSn-1 | Sign (IDS | LS , KSn)
KSn | Sign (IDS | LS , KSn + 1)
Time n
Time n + 1
f is a one-way function (easy to compute f(x), hard to invert)
Initially:
nodes know KS0 = f max(x) for each seed
seed knows x, calculates KSn = f max-n (x)
Nodes verifies each key as it is received f (KS0) = KS1
Requires loose time synchronization
Saves node transmissions, multiple seed transmissions
www.cs.virginia.edu/physicrypt
31
Wormhole Attack
Y
X
Attacker uses transceivers at two locations in the network
to replay (selectively) packets at different location
www.cs.virginia.edu/physicrypt
32
Protocol Idea
• Wormhole attack depends on a node
that is not nearby convincing another
node it is
• Periodically verify neighbors are really
neighbors
• Only accept messages from verified
neighbors
www.cs.virginia.edu/physicrypt
33
Previous Solutions:
Light Speed is Slow
• Distance Bounding
Brands and Chaum, EUROCRYPT 1993
– Light travels 1 ft per nanosecond (~4 cycles
on modern PC!)
Yih-Chun Hu, Perrig and
Johnson. INFOCOM 2003
• Packet “Leashes”
• Use distance bounding to perform secure
Capkun and Hubaux, 2004
multilateration
• Need special hardware to instantly
respond to received bits
www.cs.virginia.edu/physicrypt
34
Our Approach: Use Direction
3
2
4
1
5
Directional
Transmission
from Zone 4
www.cs.virginia.edu/physicrypt
North
6
Aligned to
magnetic North,
so zone 1 always
faces East
Omnidirectional Transmission
Model based on [Choudhury and Vaidya, 2002]
General benefits: power saving, less collisions
Improve localization accuracy
35
Directional
Neighbor
Discovery
3
4
2
1
A
5
6
B
zone (B, A) = 4
is the antenna
zone in which
B hears A
1. A Region
HELLO | IDA
Sent by all antenna elements (sweeping)
2. B A
IDB | EKBA (IDA | R | zone (B, A))
Sent by zone (B, A) element, R is nonce
3. A B
R
Checks zone is opposite, sent by zone (A, B)
www.cs.virginia.edu/physicrypt
36
Detecting
False
Neighbors
A
X
3
4
1
5
zone (B, A[Y]) = 1
zone (A, B [X]) = 1
False Neighbor:
zone (A, B) should be opposite zone (B, A)
www.cs.virginia.edu/physicrypt
2
37
6
B
Y
3
Not Detecting
False Neighbors
A
4
1
5
Y
X
6
B
zone (B, A[Y]) = 4
zone (A, B [X]) = 1
Undetected False Neighbor:
zone (A, B) = opposite of zone (B, A)
Directional neighbor discovery prevents 1/6 of
false direct links…but doesn’t prevent disruption
www.cs.virginia.edu/physicrypt
2
38
Observation: Cooperate!
• Wormhole can only trick nodes in
particular locations
• Verify neighbors using other nodes
• Based on the direction from which you
hear the verifier node, and it hears the
announcer, can distinguish legitimate
neighbor
www.cs.virginia.edu/physicrypt
39
Verifier
Region
3
v
2
4
1
5
6
A verifier must satisfy these two properties:
zone (B, A) = 4
1. B and V hear A in different zones:
zone (V, A) = 3
zone (B, A) ≠ zone (V, A)
proves B and V don’t hear A through wormhole
2. Be heard by B in a different zone:
zone (B, A) = 4
zone (B, A) ≠ zone (B, V)
zone (B, V) = 5
proves B is not hearing V through wormhole
(one more constraint will be explained soon)
www.cs.virginia.edu/physicrypt
40
Worawannotai Attack
V hears
A and B directly
v
3
3
2
2
B
4
A
5
1
X
6
Region 1
www.cs.virginia.edu/physicrypt
5
6
Region 2
41
A and B hear
V directly
But, A and B
hear each other
only through
repeated X
Preventing Attack
1. zone (B, A) zone (B, V)
2. zone (B, A) zone (V, A)
3. zone (B, V) cannot be both adjacent to zone (B, A)
and adjacent to zone (V, A)
www.cs.virginia.edu/physicrypt
42
Verified Neighbor Discovery
V
A
1. A Region
2. B A
3. A B
5. IDV | EKBV (IDA | zone (V, B))
B 4. INQUIRY | IDB | IDA | zone (B, A)
Announcement, done through sequential sweeping
Include nonce and zone information in the message
Check zone information and send back the nonce
4. B Region
5. V B
6. B A
www.cs.virginia.edu/physicrypt
Same as
before
Request for verifier to validate A
If V is a valid verifier, sends confirmation
Accept A as its neighbor and notify A
43
Cost Analysis
• Communication Overhead
– Adds messages for inquiry, verification and
acceptance
– Minimal for slow-changing networks
• Connectivity
– How many legitimate links are lost because
they cannot be verified?
www.cs.virginia.edu/physicrypt
44
Lose Some Legitimate Links
Network Density = 10
Network Density = 3
1
Verified
Protocol
Link Discovery Probability
0.9
0.8
0.7
Verified
Protocol
0.6
0.5
0.4
0.3
Strict Protocol
(Preventing
Worawannotai Attack)
Strict Protocol
(Preventing
Worawannotai Attack)
0.2
0.1
0
0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9
Node Distance (r)
www.cs.virginia.edu/physicrypt
10
45
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
Node Distance (r)
…but small effect on connectivity
and routing
10
Network density = 10
9
Average Path Length
8
7
Strict Protocol
6
Verified Protocol
5
Trust All
4
3
2
1
0
4
6
8
10
12
14
16
18
20
Omnidirectional Node Density
www.cs.virginia.edu/physicrypt
46
Verified protocol:
0.5% links are lost
no nodes disconnected
Strict protocol:
40% links are lost
0.03% nodes
disconnected
Dealing with Error
Network Density = 3
1
1
0.9
0.9
0.8
0.8
0.7
Ratio
Network Density = 10
0.7
Lost Links, Strict Protocol
0.6
0.6
0.5
0.5
0.4
0.4
Disconnected
Nodes,
Strict Protocol
0.3
0.2
0.3
0.2
0.1
0
Lost Links, Strict Protocol
0.1
0
10
20
30
40
50
Maximum Directional Error Degree
60
0
Disconnected Nodes
0
10
20
30
40
50
Maximum Directional Error Degree
Even with no control over antenna
alignment, few nodes are disconnected
www.cs.virginia.edu/physicrypt
47
60
Vulnerabilities
• Attacker with multiple wormhole
endpoints
– Can create packets coming from different
directions to appear neighborly
• Antenna, orientation inaccuracies
– Real transmissions are not perfect wedges
• Magnet Attacks
– Protocol depends on compass alignment
www.cs.virginia.edu/physicrypt
48
Conclusion
• Computing is moving into the real world:
– Rich interfaces to environment
– No perimeters
• Simple properties of physical world are
useful:
– Space and time can be used to achieve
accurate localization cheaply
– Space consistency requirements can prevent
wormhole attacks
www.cs.virginia.edu/physicrypt
49
Thanks!
Students: Lingxuan Hu, Chalermpong Worawannotai
Nathaneal Paul, Ana Nora Sovarel,
Jinlin Yang, Joel Winstead
Funding: NSF ITR, NSF CAREER, DARPA SRS
For slides and paper links:
http://www.cs.virginia.edu/evans/talks/aro/
www.cs.virginia.edu/physicrypt
50
