Monte Carlo Techniques for Secure Localization
ARO Workshop on Localization in Wireless Sensor Networks, 14 June 2005
David Evans, University of Virginia, Computer Science
http://www.cs.virginia.edu/evans
www.cs.virginia.edu/physicrypt

Sensor Nodes
MICA2 Mote (UCB/Crossbow)

                    MICA2                                                           Typical 2005 Desktop
Memory              644 KB (128 K program flash / 4 K config EEPROM / 512 K data)    400 x (just RAM); 130 000 x (hard drive)
Processor Speed     7 MHz                                                           500 x
Electrical Power    ~40 mW, 2 AA batteries                                          2000 x, ~100 W (CPU only)
Mass                18 grams (+ batteries)                                          167 x, 3 kg

Apollo Guidance Computer
(Photo: http://ed-thelen.org/comp-hist/)

                    Apollo Guidance Computer      MICA2                                                           Typical 2004 Desktop
Memory              0.01 x (4K 14-bit words)      644 KB (128 K program flash / 4 K config EEPROM / 512 K data)    400 x (just RAM); 130 000 x (hard drive)
Processor Speed     0.007 x (add in 20 µs)        7 MHz                                                           500 x
Electrical Power    1500 x, ~70 W                 ~40 mW, 2 AA batteries                                          2000 x, ~100 W (CPU only)
Mass                1667 x, 30 kg                 18 grams (+ batteries)                                          167 x, 3 kg

Sensor Network Applications
• Volcano Monitoring (http://www.eecs.harvard.edu/~werner/projects/volcano/)
• Reindeer Tracking (Sámi Network Connectivity Project; photo: http://news.bbc.co.uk/1/hi/technology/2491501.stm)
• Battlefield Event Tracking

This Talk
• Location Matters
  – How do nodes know where they are?
  L. Hu and D. Evans. Localization for Mobile Sensor Networks. MobiCom 2004.
• Security (Sometimes) Matters
  – How can we provide trust without infrastructure?
  L. Hu and D. Evans.
Using Directional Antennas to Prevent Wormhole Attacks. NDSS 2004.

Determining Location
• Direct approaches
  – Configured manually
    • Expensive
    • Not possible for ad hoc, mobile networks
  – GPS
    • Expensive (cost, size, energy)
    • Only works outdoors, on Earth
• Indirect approaches
  – Small number of seed nodes
    • Seeds are configured or have GPS
  – Other nodes determine location based on messages received

Hop-Count Techniques
(Figure: nodes labelled with their hop counts to the seeds; transmission range r)
DV-HOP [Niculescu & Nath, 2003]
Amorphous [Nagpal et al., 2003]
Works well with a few, well-located seeds and regular, static node distribution.
Works poorly if nodes move or are unevenly distributed.

Local Techniques
Centroid [Bulusu, Heidemann, Estrin, 2000]: Calculate center of all heard seed locations
APIT [He et al., MobiCom 2003]: Use triangular regions
Depend on a high density of seeds (with long transmission ranges)

Our Goal
• (Reasonably) Accurate Localization in Mobile Networks
• Low Density, Arbitrarily Placed Seeds
• Range-free: no special hardware
• Low communication (limited addition to normal neighbor discovery)

Scenarios
• Nodes stationary, seeds moving (NASA Mars Tumbleweed; image by Jeff Antol)
• Nodes moving, seeds stationary
• Nodes and seeds moving

Our Approach: Monte Carlo Localization
• Adapts an approach from robotics localization
  Frank Dellaert, Dieter Fox, Wolfram Burgard and Sebastian Thrun. Monte Carlo Localization for Mobile Robots. ICRA 1999.
• Take advantage of mobility:
  – Moving makes things harder…but provides more information
  – Properties of time and space limit possible locations; cooperation from neighbors

MCL: Initialization
(Figure: node's actual position among the initial random samples)
Initialization: Node has no knowledge of its location.
L0 = { set of N random locations in the deployment area }

MCL Step: Predict, Filter
(Figure: node's actual position; a seed node, which knows and transmits its location, with transmission range r)
p(lt | lt−1) = c  if d(lt, lt−1) < vmax
             = 0  if d(lt, lt−1) ≥ vmax
Predict: Node guesses new possible locations based on previous possible locations and maximum velocity, vmax.
Filter: Remove samples that are inconsistent with observations.

Observations
Direct Seed: If node hears a seed, the node must (likely) be within distance r of the seed's location.
Indirect Seed: If node doesn't hear a seed, but one of its neighbors hears it, node must be within distance (r, 2r] of that seed's location.

Resampling
Use prediction distribution to create enough sample points that are consistent with the observations.
N = 20 is good, N = 50 is plenty.

Recap: Algorithm
Initialization: Node has no knowledge of its location.
L0 = { set of N random locations in the deployment area }
Iteration Step: Compute new possible location set Lt based on Lt−1, the possible location set from the previous time step, and the new observations.
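The initialization, predict, filter and resampling steps just described, implemented as an added Python example; this is not code from the slides or from the MobiCom 2004 paper. It uses the slides' prediction model (uniform within vmax of the previous sample) and the direct and indirect seed filtering conditions. The deployment area, N, the `max_rounds` guard against contradictory observations, the centroid used as the final estimate, and all coordinates are assumptions of this example.

```python
import math
import random


def make_rng(seed):
    """Seeded generator so runs are reproducible."""
    return random.Random(seed)


def dist(a, b):
    """Euclidean distance d(a, b) between two (x, y) points."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def initialize(n, area, rng):
    """Initialization: L0 = N random locations in the w x h deployment area."""
    w, h = area
    return [(rng.uniform(0.0, w), rng.uniform(0.0, h)) for _ in range(n)]


def predict(prev, vmax, rng):
    """Draw l_t from p(l_t | l_{t-1}): constant inside the disc of radius vmax
    around l_{t-1}, zero outside, i.e. uniform on that disc."""
    rad = vmax * math.sqrt(rng.random())       # sqrt gives uniform area density
    ang = rng.uniform(0.0, 2.0 * math.pi)
    return (prev[0] + rad * math.cos(ang), prev[1] + rad * math.sin(ang))


def consistent(loc, direct, indirect, r):
    """Filtering condition from the Observations slide: within r of every seed
    heard directly, within (r, 2r] of every seed heard only via a neighbor."""
    return (all(dist(loc, s) <= r for s in direct) and
            all(r < dist(loc, s) <= 2.0 * r for s in indirect))


def mcl_step(prev_set, direct, indirect, r, vmax, n, rng, max_rounds=500):
    """One iteration of the recap algorithm:
        Lt = {}; while |Lt| < N: R = predictions from Lt-1,
        Rfiltered = consistent members of R, Lt = choose(Lt U Rfiltered, N).
    max_rounds is an added guard (not on the slides): if no prediction is ever
    consistent, e.g. because a bogus seed contradicts a legitimate one, the
    previous set is kept instead of looping forever."""
    lt = []
    for _ in range(max_rounds):
        if len(lt) >= n:
            break
        R = [predict(l, vmax, rng) for l in prev_set]
        R_filtered = [l for l in R if consistent(l, direct, indirect, r)]
        lt = (lt + R_filtered)[:n]             # choose(Lt U Rfiltered, N)
    return lt if lt else list(prev_set)


def estimate(samples):
    """Location estimate: centroid of the current sample set (assumed here)."""
    return (sum(p[0] for p in samples) / len(samples),
            sum(p[1] for p in samples) / len(samples))


def simulate(true_path, seeds, r, vmax, n, area, rng):
    """Static seeds and a node moving along true_path; returns the estimate
    error in units of r after each step. Observations use the slides' idealised
    radio model (every seed within r is heard directly); neighbor relays, and
    hence indirect observations, are not modelled in this driver."""
    samples = initialize(n, area, rng)
    errors = []
    for pos in true_path:
        direct = [s for s in seeds if dist(pos, s) <= r]
        samples = mcl_step(samples, direct, [], r, vmax, n, rng)
        errors.append(dist(estimate(samples), pos) / r)
    return errors


if __name__ == "__main__":
    rng = make_rng(1)
    path = [(20.0, 20.0)] * 15                   # constructed: stationary node
    seeds = [(24.0, 20.0), (13.0, 26.0)]         # constructed seed locations
    for t, err in enumerate(simulate(path, seeds, 10.0, 2.0, 50, (40.0, 40.0), rng)):
        print(f"step {t:2d}: error = {err:.2f} r")
```

`mcl_step` takes the observations already split into direct and indirect seeds; in a deployment that split comes from the node's own receptions and from the seed locations its one-hop neighbors forward. The fallback to the previous set when nothing is consistent is what keeps a bogus seed's effect at denial of accuracy rather than a crash or an infinite loop.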
  Lt = { }
  while (size(Lt) < N) do
    R = { l | l is selected from the prediction distribution }
    Rfiltered = { l | l ∈ R and filtering condition is met }
    Lt = choose(Lt ∪ Rfiltered, N)

Convergence
(Plot: Average Estimate Error (r) vs Time (steps), 0 to 50; node density nd = 10, seed density sd = 1; curves for vmax = .2r, smax = 0; vmax = r, smax = 0; vmax = r, smax = r)
Localization error converges in first 10-20 steps

Speed Helps and Hurts
(Plot: Estimate Error (r) vs vmax (r distances per time unit), 0.1 to 2; node density nd = 10; curves for sd = 1, smin = 0, smax = vmax; sd = 1, smax = smin = r; sd = 2, smax = vmax; sd = 2, smax = smin = r)
Increasing speed increases location uncertainty, but provides more observations.

Seed Density
(Plot: Estimate Error (r) vs Seed Density, 0.1 to 4; nd = 10, vmax = smax = .2r; curves for Centroid, Amorphous, MCL)
Centroid: Bulusu, Heidemann and Estrin. IEEE Personal Communications Magazine. Oct 2000.
Amorphous: Nagpal, Shrobe and Bachrach. IPSN 2003.
Better accuracy than other localization algorithms over range of seed densities

Questionable Assumption: Radio Transmissions
Model: all nodes within distance r hear transmission, no nodes further away do
Reality: radio transmissions are irregular

Radio Irregularity
(Plot: Estimate Error (r) vs Degree of Irregularity (r varies ±dr), 0 to 0.5; nd = 10, sd = 1, vmax = smax = .2r; curves for Centroid, Amorphous, MCL)
Insensitive to irregular radio pattern

Questionable Assumption: Motion is Random
Model: modified random waypoint
Reality: environment creates motion

Motion
Stream and Currents; Random Waypoint vs.
Area Scan
(Plot, Stream and Currents: Estimate Error (r) vs Maximum Group Motion Speed (r units per time step), 0 to 6; nd = 10, vmax = smax = r; curves for sd = .3, sd = 1, sd = 2)
Adversely affected by consistent group motion
(Plot, Random Waypoint vs. Area Scan: Estimate Error (r) vs Time, 0 to 200; curves for Random, vmax = 0, smax = .2r; Random, vmax = smax = .2r; Area Scan)
Controlled motion of seeds improves accuracy

What about security?

Localization Security Issues
• Denial-of-Service: prevent node from localizing
  – Global: jam GPS or radio transmissions
  – Local: disrupt a particular node's localization
• Confidentiality: keep location secret
• Verifiability: prove your location to others
• Integrity
  – Attacker makes node think it is somewhere different from actual location

MCL Advantages
• Filtering
  – Bogus seeds filter out possible locations
  – As long as one legitimate observation is received, worst attacker can do is denial-of-service
• Direct
  – Does not require long range seed-node communication
• Historical
  – Current possible location set reflects history of previous observations

Authenticating Announcements (Simple, Insecure Version)
1. S → region: IDS            Broadcast identity
2. N → S: IDN                 Send identity
3. S → N: EKNS(LS)            Respond with location encrypted with shared key
KNS is a pre-loaded pairwise shared key
Vulnerable to simple replay attacks

Authenticating Announcements
1. S → region: IDS
2. N → S: RN | IDN
3.
S → N: EKNS(RN | LS)
Broadcast identity; send nonce challenge; respond with location
Prevents simple replay attacks (but not wormhole attacks)

Broadcast Authentication
• Requires asymmetry:
  – Every node can verify message
  – Only legitimate seed can create it
• Traditional approach: asymmetry of information (public/private keys)
  – Requires long messages: too expensive for sensor nodes
• Instead use time asymmetry

Using Time Asymmetry
Based on TESLA: Perrig et al., 2002
Time n:      KSn−1 | Sign(IDS | LS, KSn)
Time n + 1:  KSn | Sign(IDS | LS, KSn+1)
f is a one-way function (easy to compute f(x), hard to invert)
Initially: nodes know KS0 = f^max(x) for each seed; seed knows x, calculates KSn = f^(max−n)(x)
Nodes verify each key as it is received: f(KS1) = KS0
Requires loose time synchronization
Saves node transmissions, multiple seed transmissions

Wormhole Attack
(Figure: wormhole endpoints X and Y)
Attacker uses transceivers at two locations in the network to replay (selectively) packets at a different location

Protocol Idea
• Wormhole attack depends on a node that is not nearby convincing another node it is
• Periodically verify neighbors are really neighbors
• Only accept messages from verified neighbors

Previous Solutions: Light Speed is Slow
• Distance Bounding (Brands and Chaum, EUROCRYPT 1993)
  – Light travels 1 ft per nanosecond (~4 cycles on modern PC!)
Yih-Chun Hu, Perrig and Johnson.
INFOCOM 2003
• Packet "Leashes"
• Use distance bounding to perform secure multilateration (Capkun and Hubaux, 2004)
• Need special hardware to instantly respond to received bits

Our Approach: Use Direction
(Figure: six antenna zones around a node: 1 faces East, 2 and 3 lie to the North, 4 faces West, 5 and 6 lie to the South; directional transmission from zone 4 vs. omnidirectional transmission)
Aligned to magnetic North, so zone 1 always faces East
Model based on [Choudhury and Vaidya, 2002]
General benefits: power saving, less collisions
Improve localization accuracy

Directional Neighbor Discovery
zone(B, A) = 4 is the antenna zone in which B hears A
1. A → Region: HELLO | IDA                        Sent by all antenna elements (sweeping)
2. B → A: IDB | EKBA(IDA | R | zone(B, A))         Sent by zone(B, A) element, R is nonce
3. A → B: R                                       Checks zone is opposite, sent by zone(A, B)

Detecting False Neighbors
(Figure: A and B linked only through wormhole endpoints X and Y)
zone(B, A[Y]) = 1
zone(A, B[X]) = 1
False Neighbor: zone(A, B) should be opposite zone(B, A)

Not Detecting False Neighbors
zone(B, A[Y]) = 4
zone(A, B[X]) = 1
Undetected False Neighbor: zone(A, B) = opposite of zone(B, A)
Directional neighbor discovery prevents 1/6 of false direct links…but doesn't prevent disruption

Observation: Cooperate!
• Wormhole can only trick nodes in particular locations
• Verify neighbors using other nodes
• Based on the direction from which you hear the verifier node, and it hears the announcer, can distinguish legitimate neighbor

Verifier Region
(Figure: zones around B; verifier V)
A verifier must satisfy these two properties:
1. B and V hear A in different zones: zone(B, A) ≠ zone(V, A)
   (e.g. zone(B, A) = 4, zone(V, A) = 3)
   proves B and V don't hear A through wormhole
2.
Be heard by B in a different zone: zone(B, A) ≠ zone(B, V)
   (e.g. zone(B, A) = 4, zone(B, V) = 5)
   proves B is not hearing V through wormhole
(one more constraint will be explained soon)

Worawannotai Attack
(Figure: Region 1 with A, Region 2 with B, verifier V, wormhole endpoint X)
V hears A and B directly
A and B hear V directly
But, A and B hear each other only through the repeater X

Preventing Attack
1. zone(B, A) ≠ zone(B, V)
2. zone(B, A) ≠ zone(V, A)
3. zone(B, V) cannot be both adjacent to zone(B, A) and adjacent to zone(V, A)

Verified Neighbor Discovery
1. A → Region                                          Announcement, done through sequential sweeping
2. B → A                                               Include nonce and zone information in the message
3. A → B                                               Check zone information and send back the nonce
   (steps 1–3 same as before)
4. B → Region: INQUIRY | IDB | IDA | zone(B, A)        Request for verifier to validate A
5. V → B: IDV | EKBV(IDA | zone(V, B))                 If V is a valid verifier, sends confirmation
6. B → A                                               Accept A as its neighbor and notify A

Cost Analysis
• Communication Overhead
  – Adds messages for inquiry, verification and acceptance
  – Minimal for slow-changing networks
• Connectivity
  – How many legitimate links are lost because they cannot be verified?
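The zone consistency checks from the directional slides (the opposite-zone test of step 3 of Directional Neighbor Discovery, and the three verifier constraints of the Preventing Attack slide), as an added Python example; this is not the project's code. It goes beyond the slides' numeric examples by deriving zone numbers from coordinates, which assumes six 60° wedges with zone 1 centred on East and zones numbered counterclockwise as in the slide figure. All positions are constructed; the `*_hears_from` arguments model where a received packet physically arrives from, so the two "Detecting" and "Not Detecting" slide cases can be reproduced.

```python
import math

N_ZONES = 6


def zone_of_bearing(dx, dy):
    """Antenna zone in which a node hears a signal arriving from direction
    (dx, dy) relative to itself. Assumed geometry for this example: six
    60-degree wedges aligned to magnetic North, zone 1 centred on East and
    numbered counterclockwise (1 E, 2 NE, 3 NW, 4 W, 5 SW, 6 SE)."""
    ang = math.degrees(math.atan2(dy, dx)) % 360.0
    return int(((ang + 30.0) % 360.0) // 60.0) + 1


def zone(hearer, heard_from):
    """zone(hearer, source): the zone in which `hearer` receives a packet that
    physically arrives from position `heard_from`."""
    return zone_of_bearing(heard_from[0] - hearer[0], heard_from[1] - hearer[1])


def opposite(z):
    """Zone facing z, e.g. opposite(1) == 4."""
    return (z + 2) % N_ZONES + 1


def adjacent(z1, z2):
    """True when the two wedges share an edge."""
    return (z1 - z2) % N_ZONES in (1, N_ZONES - 1)


def direct_check(zone_ab, zone_ba):
    """Step 3 of Directional Neighbor Discovery: A accepts B only if the zone
    in which A hears B is opposite the zone B reported hearing A in."""
    return zone_ab == opposite(zone_ba)


def valid_verifier(zone_ba, zone_va, zone_bv):
    """All three constraints of the strict protocol (Preventing Attack slide):
    1. zone(B, A) != zone(B, V)   2. zone(B, A) != zone(V, A)
    3. zone(B, V) is not adjacent to both zone(B, A) and zone(V, A)."""
    return (zone_ba != zone_bv and
            zone_ba != zone_va and
            not (adjacent(zone_bv, zone_ba) and adjacent(zone_bv, zone_va)))


def directional_discovery(a_pos, b_pos, a_hears_from=None, b_hears_from=None):
    """Messages 1-3 between announcer A and responder B. The *_hears_from
    arguments give the position each node's received packet actually comes
    from: the real peer on a genuine link, a relay endpoint when the packet
    was tunnelled. Returns (zone(A, B), zone(B, A), accepted)."""
    src_for_b = a_pos if b_hears_from is None else b_hears_from
    src_for_a = b_pos if a_hears_from is None else a_hears_from
    zone_ba = zone(b_pos, src_for_b)   # B measures this on HELLO, reports it in message 2
    zone_ab = zone(a_pos, src_for_a)   # A measures this on B's reply
    return zone_ab, zone_ba, direct_check(zone_ab, zone_ba)


if __name__ == "__main__":
    A, B = (0.0, 0.0), (100.0, 0.0)   # constructed: A and B far outside each other's range
    # Detecting False Neighbors slide: both relayed packets arrive from the east
    print(directional_discovery(A, B, a_hears_from=(5.0, 0.0), b_hears_from=(105.0, 0.0)))
    # Not Detecting False Neighbors slide: relay endpoints happen to face each other
    print(directional_discovery(A, B, a_hears_from=(5.0, 0.0), b_hears_from=(95.0, 0.0)))
    # Verifier Region slide values pass; a verifier wedged between the two bearings fails constraint 3
    print(valid_verifier(4, 3, 5), valid_verifier(4, 6, 5))
```

Only the zone numbers travel in the protocol messages, which is why the checks are written over zone numbers rather than coordinates; the geometry here only generates realistic inputs. The Dealing with Error slide is the reminder that real wedges are not exact 60° sectors, so a deployment would widen the adjacency test by the expected directional error.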
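The time-asymmetry key chain from the Using Time Asymmetry slide above (seed announcements authenticated TESLA-style with delayed key disclosure), as an added Python example; this is not code from the slides or the project. It instantiates the one-way function f with SHA-256 and Sign with HMAC-SHA256; the chain length, the seed identifier, the location string and the secret x are constructed values, and loose time synchronization is modelled as a node-side check that an announcement arrived before its key could have been disclosed.

```python
import hashlib
import hmac


def f(key):
    """One-way function f (instantiated with SHA-256 for this example)."""
    return hashlib.sha256(key).digest()


def sign(msg, key):
    """Sign(msg, K): a MAC under the interval key (HMAC-SHA256 here)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class Seed:
    """A seed holding the secret x and the chain KS_n = f^(max-n)(x)."""

    def __init__(self, seed_id, location, secret_x, chain_len):
        self.seed_id = seed_id
        self.location = location
        chain = [secret_x]                       # KS_max = x
        for _ in range(chain_len):
            chain.append(f(chain[-1]))           # ... down to KS_0 = f^max(x)
        chain.reverse()
        self.chain = chain                       # chain[n] == KS_n

    def commitment(self):
        """KS_0, pre-loaded on every node before deployment."""
        return self.chain[0]

    def announce(self, n):
        """Message sent at time n: KS_{n-1} | Sign(ID_S | L_S, KS_n).
        KS_n itself is only released one interval later."""
        payload = self.seed_id.encode() + b"|" + self.location.encode()
        return (n, self.chain[n - 1], payload, sign(payload, self.chain[n]))


class Node:
    """A node that knows only KS_0 and verifies announcements as keys are disclosed."""

    def __init__(self, ks0):
        self.verified_key = ks0
        self.verified_index = 0
        self.pending = {}        # interval n -> (payload, mac) awaiting KS_n
        self.accepted = []       # (interval, location) pairs that verified

    def receive(self, msg, local_time):
        n, disclosed_key, payload, mac = msg
        # Loose time synchronization: the MAC under KS_n is only meaningful if
        # the message arrived before KS_n could have been disclosed (time n+1).
        if local_time < n + 1:
            self.pending[n] = (payload, mac)
        if n - 1 <= self.verified_index:
            return                               # already-known or replayed key
        # Walk the chain from KS_{n-1} back to the last verified key; lost
        # packets are tolerated because every intermediate key is recomputed.
        keys = {n - 1: disclosed_key}
        k = disclosed_key
        for i in range(n - 2, self.verified_index, -1):
            k = f(k)
            keys[i] = k
        if f(k) != self.verified_key:
            return                               # does not chain back to KS_0: reject
        self.verified_key, self.verified_index = disclosed_key, n - 1
        # Every buffered announcement whose key is now known can be checked.
        for i, key in keys.items():
            entry = self.pending.pop(i, None)
            if entry and hmac.compare_digest(sign(entry[0], key), entry[1]):
                self.accepted.append((i, entry[0].split(b"|", 1)[1].decode()))


if __name__ == "__main__":
    seed = Seed("S1", "12.5,7.0", b"constructed-secret-x", chain_len=20)
    node = Node(seed.commitment())
    for t in range(1, 5):
        node.receive(seed.announce(t), local_time=t)
    print(node.accepted)      # intervals 1-3 verified; interval 4 waits for KS_4
```

A node that has only KS_0 cannot forge a MAC for interval n because KS_n is still secret when the announcement is received, and a key that does not hash back to the last verified key is discarded before any MAC is checked. Buffering a forged announcement for an interval does cost the node the genuine one for that interval, which is the denial-of-service ceiling the MCL Advantages slide describes.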
Lose Some Legitimate Links
(Plots: Link Discovery Probability vs Node Distance (r), 0 to 1, for Network Density = 10 and Network Density = 3; curves for Verified Protocol and Strict Protocol (Preventing Worawannotai Attack))

…but small effect on connectivity and routing
(Plot: Average Path Length vs Omnidirectional Node Density, 4 to 20; network density = 10; curves for Strict Protocol, Verified Protocol, Trust All)
Verified protocol: 0.5% links are lost, no nodes disconnected
Strict protocol: 40% links are lost, 0.03% nodes disconnected

Dealing with Error
(Plots: Ratio vs Maximum Directional Error Degree, 0 to 60, for Network Density = 3 and Network Density = 10; curves for Lost Links, Strict Protocol and Disconnected Nodes, Strict Protocol)
Even with no control over antenna alignment, few nodes are disconnected

Vulnerabilities
• Attacker with multiple wormhole endpoints
  – Can create packets coming from different directions to appear neighborly
• Antenna, orientation inaccuracies
  – Real transmissions are not perfect wedges
• Magnet Attacks
  – Protocol depends on compass alignment

Conclusion
• Computing is moving into the real world:
  – Rich interfaces to environment
  – No perimeters
• Simple properties of physical world are useful:
  – Space and time can be used to achieve accurate localization cheaply
  – Space consistency requirements can prevent wormhole attacks

Thanks!
Students: Lingxuan Hu, Chalermpong Worawannotai, Nathanael Paul, Ana Nora Sovarel, Jinlin Yang, Joel Winstead
Funding: NSF ITR, NSF CAREER, DARPA SRS
For slides and paper links: http://www.cs.virginia.edu/evans/talks/aro/