Secure Localization: Location
Verification and detection of
Malicious nodes in WSN
Advisor: Dr. Tricia Chigan
Presenter: Solomon Ayalew
3/16/2012
1
Outline








Introduction and Background
Location discovery in wireless sensor networks
Localization systems
Detection of malicious nodes
Types of attacks on WSN’s
Cryptography in secure localization
Revocation of malicious nodes
Comparison of Secure Localization Algorithms
3/16/2012
2
Introduction & background (I)
 Wireless Sensor Ntk’s







3/16/2012
Low cost,
Low power,
mobility of nodes  dynamic topology,
withstand harsh environment
unattended operation,
ability to cope with node failure
Autonomous systems randomly deployed in remote hostile
environments.
3
Introduction & background (II)
 Multi functional
 Applications




battlefield surveillance
enemy tracking
Environmental
medical and industrial fields
 Their location play’s a very important role in their application
 localization systems are target of attack
 Wrong location:- wrong military plan, wrong decision
3/16/2012
4
source of Pictures
http://www.decentlab.com/index.php?id=2
http://www.indefia.com/products/hardware/wsn/
http://www.sics.se/~luca/profile.html
3/16/2012
5
3/16/2012
6
Cont…
 Official terminologies
 GPS is expensive. So new protocols come:
 use special nodes called Beacon Nodes (landmarks, anchors, locators)
o They Know their own location through GPS receivers or Manual
configuration
 Regular (unknown/free/dumb) nodes will learn from the beacons.

How????
 Detecting beacon node:- node performing detection on received signal
 Target node:- node being detected
 Node ID: - Id used by a detecting beacon node to make a target
beacon node believe that a non-beacon node wants to communicate.
3/16/2012
7
cont
Deployment of sensor nodes. Ref [1]
3/16/2012
8
Location discovery in WSN nodes.
 Stage 1
 Non beacon nodes receive radio signal called Beacon
Signal/Beacon Packet form Beacon nodes.
 Beacon Packet = f (RSSI, ToA, TDoA, AoA, (x,y)) where
 RSSI is Received Signal Strength Indicator.
 ToA :- Time of Arrival.
 TDoA Time Difference of Arrival.
Location References
 AoA:- Angle of Arrival
 Stage 2
 Based on different References', nodes determine
their own location with minimum estimation error.
But if some beacon nodes r malicious???
3/16/2012
9
Localization systems
1. Distance/angle estimation: Estimate regarding distance &/or angle b/n 2
nodes.
 Based on RSSI, ToA, or hop count analysis.
• This values are affected by Δ signal power or introduce
noise obstacles or magnet to the sensor field.
2. Position computation: Compute the position of a node based on the
received signal.
•
3/16/2012
Some techniques use trilateration, multilateration or
triangulation.
10
Cont…
3. Localization algorithms: Main component of the localization system
 Distributed and multi-hop algorithms
 Info manipulated; WSN nodes know their
positions.

rref [6]
Fig xx the division of localization systems in to 3 distinct components
3/16/2012
11
Detection of malicious nodes
Example. [1]
ref [1]
 Detecting node N sends request message to the
target node NA.
 Target node reply a Beacon Packet (beacon signal)
that includes its own location (x’, y’).
 Then the detecting node will do calculations
Estimates the distance between them based on Beacon
signal.
3/16/2012
12
Cont..
Calculate the distance between them from (x’,y’)& (x,y)
If |
- measured distance| > maximum
measurement error,  the node is Malicious
 can’t be a node Malicious by satisfying the above condition
???? ....
Condition not satisfied mean this node is Malicious???
Consider an attacker reply a previously captured signal.
 DRBTS[7] (distributed reputation based beacon trust
system):- each beacon node monitors its
neighborhood for suspicious beacon nodes.
 Build a trustworthy table so that other nodes will chose
highly trustworthy nodes.
3/16/2012
13
Types of Attack’s









Distance fraud attack
Mafia fraud attack
Terrorist fraud attack
Wormhole attack
Sybil attack
Spoofing attack
Jamming
Overshadowing
Manipulation and Replay
3/16/2012
14
ref [8]
Attacks against Location discovery
beacon node NB
attacking node NA
Malicious node NB
(x’, y’)
(x,y)
(x, y)
I am NB location
(x, y)
I am NB & my location is
(x’, y’)
N
N
a) Masquerade beacon
Beacon node NB
I am NB my location
(x, y)
is (x, y)
b) compromised beacon node
attacking node NA
(x’,y’)
Malicious/ attacking node is a node that have access to a
compromised cryptographic keys
.
I am NB @ (x,y)
N
c) Replay attack
3/16/2012
15
ref [1]
Cont…
a) Sybil attack
b) reply attack
Ref [6]
3/16/2012
16
c) wormhole attack
Cont…
a) Sybil attack: Malicious node appears in different poistions.
b) Reply attacks: Store a received packet(from a beacon node) &
respond it later.
 Estimated distance & calculated distance are
different. Cant be the some????
3/16/2012
17
Cont…
C ) Wormhole attack: Received signal by malicious node in 1 side of the
ntk is sent and replicated by other side of the ntk.
 Developed algorithms: Geographical Leashes, Directional
antenna  works if two nodes are neighbors. Temporal Leashes
needs synchronization and large mem space to save auth. Keys.
 Round trip time:- doesn’t need synchronization.
 Assumption, all nodes are equipped with Wormhole detectors.
RTT = [(R4-R1)-(R3-R2)] where t1: time to finish sending first byte of request
t2: time to finish receiving first byte of request
t3: time to finish sending first byte of reply
t4: time to finish receiving first byte of reply
3/16/2012
18
Cryptography in secure localization
 Cryptograph is against externally deployed hostile nodes.
 But here we are talking about compromised nodes. Attackers
have access to secret keys and passwords
 So most secure localization algorithms use non-cryptographic
security techniques.
 Cryptography is 2nd Line of defense.
E.g HiRLoc, ROUPE, SeRLoc
 Communication between beacon nodes &BS and some
algorithms use cryptography.
 E.g SPINe19
3/16/2012
Revocation of Malicious Nodes
• A Beacon node will report its detection to the
base station securely. ==>they use shared key.
• Alert [detecting node ID, target node ID].
• Base station maintains alert counter & report
counter.
 Alert counter :- suspiciousness of this node.
 Report counter:- # of alerts this node reported.
 Why?? If malicious node repots against Benign B. nodes
3/16/2012
20
Comparison of different algorithms ref[6]
3/16/2012
21
Cont…
3/16/2012
22
Cont…
 HiRloc/SeRloc
 Rope
 Liu et al
 Based on Distance estimation
 RTT (round trip time)
 WRBTS
 Keeps neighbor- reputation table
 Trustworthiness by voting
3/16/2012
23
Cont…
 HiRloc (High resolution range independent localization)
 Extended version of SerLoc (secure range independent localization)
 doesn’t perform range measurment
 Sensors don’t interact to determine their location
 Beacon nodes called locaters
 Locators know their location and orientation (antenna)
 Sensors determine their position Passively.
3/16/2012
24
Location determination
 Each locator transmits
1. Locators coordinate
2. Angel of sector boundary
3. Locators communication range
 Sensors don’t perform
 Signal strength measurement
 angle of arrival measurement or time of flight
 HirLoc and SeRloc are range independent
3/16/2012
25
Cont…
3/16/2012
26
Cont…
 Region of intersection (ROI)
 Is the region formed by intersection of the locators signal
 Location determination perfection
 Varying the antenna orientation or rotation
 Varying the communication range.
 SeRloc do this by
 Increasing the locator density
 Narrower antenna sectors
  hardware complexity, expensive
 Weakness of HiRloc and SeRloc, assumption no
Jamming
3/16/2012
27
ROPE
 ROPE (RObust Position Estimation)






Resistant to jamming
Accept the existence of malicious nodes
Assuming Benign nodes outnumber malicious nodes
Statistical and outlier filtering techniques
Sensors request update of their position
Assumption: Sensors share a pair wise key.
 DBIR (Distance Bounding Intersection Region)
3/16/2012
28
Cont…
3/16/2012
29
Location estimation in ROUPE
1. Sensor broadcasts it ID and nonce Ns
2. Locator that is in range performs distance bounding

Sensor defines its LDB
3. If LDB>=3 perform Verifiable Multilateration (VM)



Computes it location
Notify this to locators
Terminate the algorithm
4. If locator didn’t receive notification==> sensor don’t know
his position. Do more specific steps looks like the above.
 Weakness of ROPE, needs at least 3 locators unlike 2 for
HiRloc/SeRloc
3/16/2012
30
.
?
3/16/2012
31
References
1.
2.
3.
4.
5.
6.
7.
8.
D.Liu, P.Ning, and W.Du “”Detecting Malicious beacon Nodes fir Secure Location Discovery in
Wireless Sensor Networks” 25th ICDCS, 2005,pp.609-19.
L.lazos, R. Poovendran, and S.Capkun “Rope: Robust Position Estimation in Wireless sensor
Networks” Proc IPSN, Apr. 2005 pp. 324-31
L.lazos, and R. Poovendran, “Hirloc: High-Resolution Robust Localization for Wireless Sensor
Networks ” IEEE JSAC Vol. 24, Feb 2006, pp. 233-46
L.lazos, and R. Poovendran, “Serloc: Secure Range-independent Localization for Wireless
Sensor Networks” IPSN, Apr. 2005, pp.324-31.
S.Capkun and J. Hubaux “Secure Positioning in Sensor Networks” …
A.Boukerche, H. Oleiveira, E. Nakamura and A. Loureio “Secure Localization Algorithms for
Wireless Sensor Networks” …
Z. Li et al., “Robust Statistical Methods for Securing Wireless Localization in Sensor Networks”
IPSN ’05, p. 12
W. Ammar, A. ELDawy, M. Youssef “ Sensor Localization in a Wireless Sensor Networks” June
2007
3/16/2012
32