Secure Localization: Location Verification and detection of Malicious nodes in WSN Advisor: Dr. Tricia Chigan Presenter: Solomon Ayalew 3/16/2012 1 Outline Introduction and Background Location discovery in wireless sensor networks Localization systems Detection of malicious nodes Types of attacks on WSN’s Cryptography in secure localization Revocation of malicious nodes Comparison of Secure Localization Algorithms 3/16/2012 2 Introduction & background (I) Wireless Sensor Ntk’s 3/16/2012 Low cost, Low power, mobility of nodes dynamic topology, withstand harsh environment unattended operation, ability to cope with node failure Autonomous systems randomly deployed in remote hostile environments. 3 Introduction & background (II) Multi functional Applications battlefield surveillance enemy tracking Environmental medical and industrial fields Their location play’s a very important role in their application localization systems are target of attack Wrong location:- wrong military plan, wrong decision 3/16/2012 4 source of Pictures http://www.decentlab.com/index.php?id=2 http://www.indefia.com/products/hardware/wsn/ http://www.sics.se/~luca/profile.html 3/16/2012 5 3/16/2012 6 Cont… Official terminologies GPS is expensive. So new protocols come: use special nodes called Beacon Nodes (landmarks, anchors, locators) o They Know their own location through GPS receivers or Manual configuration Regular (unknown/free/dumb) nodes will learn from the beacons. How???? Detecting beacon node:- node performing detection on received signal Target node:- node being detected Node ID: - Id used by a detecting beacon node to make a target beacon node believe that a non-beacon node wants to communicate. 3/16/2012 7 cont Deployment of sensor nodes. Ref [1] 3/16/2012 8 Location discovery in WSN nodes. Stage 1 Non beacon nodes receive radio signal called Beacon Signal/Beacon Packet form Beacon nodes. Beacon Packet = f (RSSI, ToA, TDoA, AoA, (x,y)) where RSSI is Received Signal Strength Indicator. ToA :- Time of Arrival. TDoA Time Difference of Arrival. Location References AoA:- Angle of Arrival Stage 2 Based on different References', nodes determine their own location with minimum estimation error. But if some beacon nodes r malicious??? 3/16/2012 9 Localization systems 1. Distance/angle estimation: Estimate regarding distance &/or angle b/n 2 nodes. Based on RSSI, ToA, or hop count analysis. • This values are affected by Δ signal power or introduce noise obstacles or magnet to the sensor field. 2. Position computation: Compute the position of a node based on the received signal. • 3/16/2012 Some techniques use trilateration, multilateration or triangulation. 10 Cont… 3. Localization algorithms: Main component of the localization system Distributed and multi-hop algorithms Info manipulated; WSN nodes know their positions. rref [6] Fig xx the division of localization systems in to 3 distinct components 3/16/2012 11 Detection of malicious nodes Example. [1] ref [1] Detecting node N sends request message to the target node NA. Target node reply a Beacon Packet (beacon signal) that includes its own location (x’, y’). Then the detecting node will do calculations Estimates the distance between them based on Beacon signal. 3/16/2012 12 Cont.. Calculate the distance between them from (x’,y’)& (x,y) If | - measured distance| > maximum measurement error, the node is Malicious can’t be a node Malicious by satisfying the above condition ???? .... Condition not satisfied mean this node is Malicious??? Consider an attacker reply a previously captured signal. DRBTS[7] (distributed reputation based beacon trust system):- each beacon node monitors its neighborhood for suspicious beacon nodes. Build a trustworthy table so that other nodes will chose highly trustworthy nodes. 3/16/2012 13 Types of Attack’s Distance fraud attack Mafia fraud attack Terrorist fraud attack Wormhole attack Sybil attack Spoofing attack Jamming Overshadowing Manipulation and Replay 3/16/2012 14 ref [8] Attacks against Location discovery beacon node NB attacking node NA Malicious node NB (x’, y’) (x,y) (x, y) I am NB location (x, y) I am NB & my location is (x’, y’) N N a) Masquerade beacon Beacon node NB I am NB my location (x, y) is (x, y) b) compromised beacon node attacking node NA (x’,y’) Malicious/ attacking node is a node that have access to a compromised cryptographic keys . I am NB @ (x,y) N c) Replay attack 3/16/2012 15 ref [1] Cont… a) Sybil attack b) reply attack Ref [6] 3/16/2012 16 c) wormhole attack Cont… a) Sybil attack: Malicious node appears in different poistions. b) Reply attacks: Store a received packet(from a beacon node) & respond it later. Estimated distance & calculated distance are different. Cant be the some???? 3/16/2012 17 Cont… C ) Wormhole attack: Received signal by malicious node in 1 side of the ntk is sent and replicated by other side of the ntk. Developed algorithms: Geographical Leashes, Directional antenna works if two nodes are neighbors. Temporal Leashes needs synchronization and large mem space to save auth. Keys. Round trip time:- doesn’t need synchronization. Assumption, all nodes are equipped with Wormhole detectors. RTT = [(R4-R1)-(R3-R2)] where t1: time to finish sending first byte of request t2: time to finish receiving first byte of request t3: time to finish sending first byte of reply t4: time to finish receiving first byte of reply 3/16/2012 18 Cryptography in secure localization Cryptograph is against externally deployed hostile nodes. But here we are talking about compromised nodes. Attackers have access to secret keys and passwords So most secure localization algorithms use non-cryptographic security techniques. Cryptography is 2nd Line of defense. E.g HiRLoc, ROUPE, SeRLoc Communication between beacon nodes &BS and some algorithms use cryptography. E.g SPINe19 3/16/2012 Revocation of Malicious Nodes • A Beacon node will report its detection to the base station securely. ==>they use shared key. • Alert [detecting node ID, target node ID]. • Base station maintains alert counter & report counter. Alert counter :- suspiciousness of this node. Report counter:- # of alerts this node reported. Why?? If malicious node repots against Benign B. nodes 3/16/2012 20 Comparison of different algorithms ref[6] 3/16/2012 21 Cont… 3/16/2012 22 Cont… HiRloc/SeRloc Rope Liu et al Based on Distance estimation RTT (round trip time) WRBTS Keeps neighbor- reputation table Trustworthiness by voting 3/16/2012 23 Cont… HiRloc (High resolution range independent localization) Extended version of SerLoc (secure range independent localization) doesn’t perform range measurment Sensors don’t interact to determine their location Beacon nodes called locaters Locators know their location and orientation (antenna) Sensors determine their position Passively. 3/16/2012 24 Location determination Each locator transmits 1. Locators coordinate 2. Angel of sector boundary 3. Locators communication range Sensors don’t perform Signal strength measurement angle of arrival measurement or time of flight HirLoc and SeRloc are range independent 3/16/2012 25 Cont… 3/16/2012 26 Cont… Region of intersection (ROI) Is the region formed by intersection of the locators signal Location determination perfection Varying the antenna orientation or rotation Varying the communication range. SeRloc do this by Increasing the locator density Narrower antenna sectors hardware complexity, expensive Weakness of HiRloc and SeRloc, assumption no Jamming 3/16/2012 27 ROPE ROPE (RObust Position Estimation) Resistant to jamming Accept the existence of malicious nodes Assuming Benign nodes outnumber malicious nodes Statistical and outlier filtering techniques Sensors request update of their position Assumption: Sensors share a pair wise key. DBIR (Distance Bounding Intersection Region) 3/16/2012 28 Cont… 3/16/2012 29 Location estimation in ROUPE 1. Sensor broadcasts it ID and nonce Ns 2. Locator that is in range performs distance bounding Sensor defines its LDB 3. If LDB>=3 perform Verifiable Multilateration (VM) Computes it location Notify this to locators Terminate the algorithm 4. If locator didn’t receive notification==> sensor don’t know his position. Do more specific steps looks like the above. Weakness of ROPE, needs at least 3 locators unlike 2 for HiRloc/SeRloc 3/16/2012 30 . ? 3/16/2012 31 References 1. 2. 3. 4. 5. 6. 7. 8. D.Liu, P.Ning, and W.Du “”Detecting Malicious beacon Nodes fir Secure Location Discovery in Wireless Sensor Networks” 25th ICDCS, 2005,pp.609-19. L.lazos, R. Poovendran, and S.Capkun “Rope: Robust Position Estimation in Wireless sensor Networks” Proc IPSN, Apr. 2005 pp. 324-31 L.lazos, and R. Poovendran, “Hirloc: High-Resolution Robust Localization for Wireless Sensor Networks ” IEEE JSAC Vol. 24, Feb 2006, pp. 233-46 L.lazos, and R. Poovendran, “Serloc: Secure Range-independent Localization for Wireless Sensor Networks” IPSN, Apr. 2005, pp.324-31. S.Capkun and J. Hubaux “Secure Positioning in Sensor Networks” … A.Boukerche, H. Oleiveira, E. Nakamura and A. Loureio “Secure Localization Algorithms for Wireless Sensor Networks” … Z. Li et al., “Robust Statistical Methods for Securing Wireless Localization in Sensor Networks” IPSN ’05, p. 12 W. Ammar, A. ELDawy, M. Youssef “ Sensor Localization in a Wireless Sensor Networks” June 2007 3/16/2012 32