Secure Routing in Wireless Sensor Networks : Attacks and Countermeasures

brainybootsMobile - Wireless

Nov 21, 2013 (3 years and 4 months ago)


Authors: Chris Karlof and David Wagner





Presenter: Ivanka Todorova

2

Outline


Introduction and Contributions


Background


Sensor vs. ad-hoc wireless networks


Problem Statement


Attacks on sensor network routing


Attacks on specific sensor network protocols


Countermeasures


Conclusions


3

Introduction and Contributions


Threat models and security goals for routing in WSNs

Two new attacks

Sinkhole attacks

HELLO floods

How to adapt attacks against ad-hoc wireless networks into powerful attacks against WSNs

Practical attacks against routing protocols and topology maintenance algorithms for WSNs

Countermeasures and design considerations for secure routing protocols in WSNs


4

Background


WSNs consist of hundreds or thousands of low-power, low-cost nodes having a CPU, power source, radio, and other sensing elements

Have one or more points of centralized control called base stations or sinks

Sensor readings from multiple nodes processed at aggregation points


Power is the scarcest resource

5

Background


A representative sensor network architecture

Picture from [7]

6

WSNs vs. Ad-hoc WNs

WSNs

Communication method - multihop networking

One or more points of centralized control such as base stations

Routing - specialized communication pattern

Resource-starved nature

Trust relationships between nodes assumed

Public key cryptography not feasible

Ad-hoc WNs

Communication method - multihop networking

There is no fixed infrastructure such as base stations

Routing - any pair of nodes

Limited resources

Trust relationships between nodes not assumed

Public key cryptography possible

7

Problem Statement


Network assumptions


Insecure radio links


Malicious nodes may collude to attack the network


Sensor nodes not tamper resistant

Physical and MAC layers vulnerable to direct attacks


Trust Requirements


Base stations are trustworthy


Aggregation points not necessarily trustworthy


8

Problem Statement cont’d


Two types of threat models


Based on type of attacking devices


Mote-class attackers

Laptop-class attackers



Based on attacker location


Outsider attacks


Insider attacks


Security goals


Confidentiality, integrity, authenticity, and availability of all messages



9

Attacks on sensor network routing


Spoofed, altered, or replayed routing information


Selective forwarding


Sinkhole attacks


Adversary’s goal is to lure traffic through a compromised node

Works by making the compromised node look attractive


Makes selective forwarding trivial


10

Attacks on sensor network routing cont’d

Sybil Attack

“One can have, some claim, as many electronic personas as one has time and energy to create.”

Judith S. Donath [1]





Picture from [2]

11

Attacks on sensor network routing cont’d

Wormhole


An adversary tunnels packets received in one part of the network over a low-latency link and replays them in a different part of the network

Picture from http://library/thinkquest.org/27930/wormhole.htm

12

Attacks on sensor network routing cont’d


HELLO flood attack


Many protocols require that nodes broadcast HELLO packets to announce themselves to their neighbors

Laptop-class attacker can convince all nodes that it is their neighbor by transmitting at high power


Acknowledgement spoofing

13

Attacks on specific sensor network protocols

TinyOS beaconing

Description

Attacks

Can authenticated routing updates solve the problem?

Picture from [7]

14

Attacks on specific sensor network protocols cont’d


Combined wormhole/sinkhole attack

Picture from [7]

15

Attacks on specific sensor network protocols cont’d

What if a laptop-class adversary uses a HELLO flood attack?

What about mote-class adversaries?


Routing loops


Picture from [7]

16

Attacks on specific sensor network protocols cont’d

Directed diffusion

Attacks

Suppression, Cloning, Path influence, Selective forwarding and data tampering

Interest propagation

Initial gradients set up

Data delivery along reinforced path

Pictures from [6]

17

Attacks on specific sensor network protocols cont’d

Geographic routing

Two protocols

GPSR (Greedy Perimeter Stateless Routing)

GEAR (Geographic and Energy Aware Routing)

Description

Greedy forwarding routes each packet to the neighbor closest to the destination

GEAR weighs the choice of the next hop by both remaining energy and distance from the target

18

Attacks on specific sensor network protocols cont’d

Geographic routing

Greedy forwarding example: y is x’s closest neighbor to D

Greedy forwarding failure: x is a local maximum in its geographic proximity to D; w and y are farther from D.


Pictures from [14]
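
Greedy forwarding, the local-maximum failure and an energy-weighted choice, as an added example that is not from the slides or from the GPSR and GEAR papers. The topology, node names other than x, w, y and D, the energy values and the cost formula in energy_aware_next_hop are constructed assumptions; the cost is a simplified stand-in, not GEAR's exact function.

```python
import math

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def greedy_next_hop(node, dest, pos, links):
    """Greedy mode: the neighbor closest to dest, or None at a local maximum."""
    if dest in links[node]:
        return dest
    best = min(links[node], key=lambda n: dist(pos[n], pos[dest]), default=None)
    if best is None or dist(pos[best], pos[dest]) >= dist(pos[node], pos[dest]):
        return None     # no neighbor is closer than node itself: a void
    return best

def greedy_route(src, dest, pos, links):
    """Follow greedy hops; returns (path, delivered)."""
    path = [src]
    while path[-1] != dest:
        nxt = greedy_next_hop(path[-1], dest, pos, links)
        if nxt is None:
            return path, False
        path.append(nxt)
    return path, True

def energy_aware_next_hop(node, dest, pos, links, energy, alpha=0.5):
    """Simplified energy-weighted choice (assumed cost, not GEAR's formula):
    alpha * normalised distance + (1 - alpha) * fraction of energy used."""
    d0 = dist(pos[node], pos[dest])
    def cost(n):
        return alpha * dist(pos[n], pos[dest]) / d0 + (1 - alpha) * (1 - energy[n])
    return min(links[node], key=cost)

# Constructed topology. Positions and remaining energy are whatever each
# neighbor advertises; nothing here verifies them.
POS = {"s": (2, 0), "x": (6, 0), "w": (5, 3), "y": (5, -3),
       "v": (8, 5), "D": (12, 0)}
LINKS = {"s": ["x"], "x": ["s", "w", "y"], "w": ["x", "v"],
         "y": ["x"], "v": ["w", "D"], "D": ["v"]}
ENERGY = {"s": 1.0, "x": 0.1, "w": 1.0, "y": 1.0, "v": 0.9, "D": 1.0}
```

Routing from s to D stalls at x, whose neighbors w and y are both farther from D, while the reverse route from D to s succeeds. Both selectors act on advertised position and energy, which is why the slides treat trusted location information as the remaining problem.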

19

Attacks on specific sensor network protocols cont’d

Geographic routing

Node x’s void with respect to destination D.


Picture from [14]

20

Attacks on specific sensor network protocols cont’d


Geographic routing


Attacks


Sybil attack

Picture from [7]

21

Attacks on specific sensor network protocols cont’d

Attacks cont’d

Creating routing loops in GPSR

Picture from [7]

22

Attacks on specific sensor network protocols cont’d


Minimum cost forwarding


Description



Attacks


Sinkhole attack


HELLO flood attack can disable the entire network


[Figure: nodes M and N, labeled with costs C_M, C_N and C_M + L_{N,M}]

23

Attacks on specific sensor network protocols cont’d

LEACH: low-energy adaptive clustering hierarchy

Description

Nodes organized into clusters with one node serving as a cluster-head

Cluster-heads aggregate data for transmission to a base station


Attacks


HELLO flood attack


Countermeasures defeated by a Sybil attack

24

Attacks on specific sensor network protocols cont’d

Energy conserving topology maintenance

Geographic Adaptive Fidelity (GAF)

State transitions


Node redundancy

Virtual grid

Pictures from [5]

25

Countermeasures


Shared key and link layer encryption

Prevent outsider attacks - Sybil attacks, selective forwarding, ACK spoofing

Cannot handle insider attacks - Wormhole, HELLO flood, TinyOS beaconing attacks

In case of a wormhole, encryption may make selective forwarding more difficult but cannot prevent blackholes

Sybil and HELLO flood attacks

A globally shared key allows an insider to masquerade as any node

A pair of nodes can use a Needham-Schroeder protocol to establish a shared key

Limit the number of neighbors for a node

Verify the bidirectionality of the link for a HELLO flood attack
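
The bidirectionality check from the last item, as an added simulation that is not from the slides or the paper. The grid layout, the 15 m mote range and the node names are constructed, and it assumes the attacker's receiver is no more sensitive than a mote's, so whether a frame arrives depends only on the sender's range.

```python
import math

MOTE_RANGE = 15.0   # assumed radio range of an ordinary mote (metres)

class Node:
    def __init__(self, name, x, y, tx_range=MOTE_RANGE):
        self.name, self.x, self.y, self.tx_range = name, x, y, tx_range
        self.neighbors = set()

def reaches(sender, receiver):
    """True if receiver lies inside sender's transmission range."""
    d = math.hypot(sender.x - receiver.x, sender.y - receiver.y)
    return d <= sender.tx_range

def discover(nodes, verify_bidirectional):
    """Every node broadcasts HELLO; each receiver decides whom to list."""
    for n in nodes:
        n.neighbors.clear()
    for sender in nodes:
        for rx in nodes:
            if rx is sender or not reaches(sender, rx):
                continue            # the HELLO never arrived
            # Check: rx answers at its own power and lists the sender only
            # if that answer can physically get back to it.
            if verify_bidirectional and not reaches(rx, sender):
                continue
            rx.neighbors.add(sender.name)

def build_network():
    """4x4 grid of motes, 10 m apart, plus a distant high-power sender."""
    motes = [Node(f"m{r}{c}", 10 * c, 10 * r)
             for r in range(4) for c in range(4)]
    laptop = Node("laptop", 200, 200, tx_range=1000.0)
    return motes, laptop

def fooled(motes):
    """Number of motes that list the distant sender as a neighbor."""
    return sum("laptop" in m.neighbors for m in motes)
```

Without the check all 16 motes list a node that none of them can reach; with it the neighbor tables contain only links that work in both directions.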

26

Countermeasures


Amended Needham Schroeder Symmetric Key


Author(s): Roger Needham and Michael Schroeder (1987)

Distribution of a shared symmetric key by a trusted server and mutual authentication. Symmetric key cryptography with server.



27

Countermeasures


Wormhole and sinkhole attacks


Protocols that construct a topology initiated by a base station are the most vulnerable

Good routing protocol design may be the solution

Geographic routing protocols

Geographic routing attacks

Use fixed topology to eliminate the need for location information

Selective forwarding

Multipath routing

Braided paths

Allowing nodes to dynamically choose a packet’s next hop probabilistically from a set of possible candidates
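
Why a probabilistic next hop blunts selective forwarding, as an added worked example that is not from the slides or the paper. The topology, the node names and the uniform choice among candidates are constructed assumptions; the computation is exact, using fractions rather than random trials.

```python
from fractions import Fraction

SINK = "BS"

# Constructed topology: for each node, the next-hop candidates that make
# progress toward the base station, best-ranked first.
CANDIDATES = {
    "S": ["b", "a", "c"],
    "a": ["d"],
    "b": ["e", "d"],
    "c": ["e", "f"],
    "d": [SINK], "e": [SINK], "f": [SINK],
}

def delivery_prob(node, drop, probabilistic):
    """Probability that a packet now held by `node` reaches the sink.

    drop[n] is the fraction of packets a compromised node n discards.
    probabilistic=False always uses the best-ranked candidate (one fixed
    path); probabilistic=True picks uniformly among all candidates at
    every hop.
    """
    if node == SINK:
        return Fraction(1)
    forwarded = 1 - drop.get(node, Fraction(0))
    hops = CANDIDATES[node] if probabilistic else CANDIDATES[node][:1]
    onward = sum(delivery_prob(h, drop, probabilistic) for h in hops) / len(hops)
    return forwarded * onward

def compare(drop):
    """Return (fixed-path delivery, probabilistic delivery) from source S."""
    return delivery_prob("S", drop, False), delivery_prob("S", drop, True)
```

With node e dropping everything, the fixed path S, b, e delivers nothing while the probabilistic choice still delivers two thirds of the packets.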


28

Countermeasures

Braided path

Picture from [10]


29

Countermeasures


Authenticated broadcast and flooding


μTESLA protocol to prevent replay of broadcast messages issued by the base station

Replay is prevented because messages authenticated with previously disclosed keys are ignored

Flood the information about the malicious nodes in the network
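
The replay rule above, as an added sketch of a μTESLA-style receiver; it is not code from the slides, the paper or the μTESLA authors. SHA-256, HMAC-SHA256, the disclosure delay of two intervals and the skip limit are assumptions chosen for the example.

```python
import hashlib
import hmac

DELAY = 2      # a key used in interval i is disclosed at interval i + DELAY
MAX_SKIP = 64  # refuse key indices that would force very long hash walks

def F(key, times=1):
    """One-way function of the key chain, applied `times` times."""
    for _ in range(times):
        key = hashlib.sha256(key).digest()
    return key

def make_chain(seed, n):
    """Return [K0..Kn] with K[i-1] = F(K[i]); K0 is preloaded on every node."""
    return [F(seed, n - i) for i in range(n + 1)]

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, commitment):
        self.key, self.idx = commitment, 0   # newest authenticated key
        self.pending, self.accepted = [], []

    def on_packet(self, now, interval, msg, tag):
        """Buffer a packet only if its key cannot have been disclosed yet."""
        if interval <= self.idx or now >= interval + DELAY:
            return False   # key already public: the tag proves nothing
        self.pending.append((interval, msg, tag))
        return True

    def on_key(self, idx, key):
        """Authenticate a disclosed key against the chain, release packets."""
        if not 0 < idx - self.idx <= MAX_SKIP:
            return False
        if not hmac.compare_digest(F(key, idx - self.idx), self.key):
            return False
        keep = []
        for interval, msg, tag in self.pending:
            if interval > idx:
                keep.append((interval, msg, tag))
            # A lost disclosure is recovered by hashing the newer key back.
            elif hmac.compare_digest(mac(F(key, idx - interval), msg), tag):
                self.accepted.append(msg)
        self.key, self.idx, self.pending = key, idx, keep
        return True
```

`now` is the receiver's own loosely synchronized interval counter; a packet that arrives after its key could have been disclosed is dropped even if its tag is valid.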

30

Conclusions


End-to-end security mechanisms between a sensor node and a base station unlikely to guarantee integrity, authenticity, and confidentiality of messages

Link layer security not enough to protect against insider attacks


The routing protocol itself must be secure

31

Conclusions


Protection against the replay of data packets should not be a security goal of a routing protocol

Sinkhole attacks and wormholes are a significant challenge

Wormholes are hard to detect because they use a private, out-of-band channel invisible to the underlying network

Sinkholes are difficult to defend against because they leverage hard-to-verify information such as remaining energy

Protocols that construct topology initiated by a base station are most vulnerable

Geographic routing protocols are resistant

Crucial to design routing protocols in which these attacks are meaningless


32

Conclusions


Geographic routing relatively secure against wormhole, sinkhole, and Sybil attacks

Traffic naturally routed toward the physical location of a base station

The main remaining problem is that location information must be trusted

Restricting the structure of the topology eliminates the need for nodes to advertise their locations

If nodes are arranged in a grid every node can easily derive its neighbors’ locations

33

Conclusions


Clustering protocols like LEACH may yield the most secure solutions against node compromise and insider attacks

Virtual base stations can be used to create an overlay network

34

Future Work


How the feature of autonomic computing can be applied to WSNs to improve security [11,12]

Self-healing in WSNs [13]

35

References

1. J. S. Donath, “Identity and Deception in the Virtual Community”, Communities in Cyberspace, Routledge, 1998.

2. J.R. Douceur, The Sybil attack, in: 1st International Workshop on Peer-to-Peer Systems (IPTPS 02), 2002.

3. L. Zhou, Z. Haas, Securing ad hoc networks, IEEE Network Magazine 13 (6) (1999) 24-30.

4. F. Stajano, R.J. Anderson, The resurrecting duckling: security issues for ad-hoc wireless networks, in: Seventh International Security Protocols Workshop, 1999, pp. 172-194.

5. Y. Xu, J. Heidemann, D. Estrin, Geography-informed energy conservation for ad hoc routing, in: Proceedings of the Seventh Annual ACM/IEEE International Conference on Mobile Computing and Networking, 2001.

6. C. Intanagonwiwat, R. Govindan, D. Estrin, Directed diffusion: a scalable and robust communication paradigm for sensor networks, in: Proceedings of the Sixth Annual International Conference on Mobile Computing and Networks (MobiCOM 00), 2000.

7. C. Karlof and D. Wagner, "Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures," in IEEE SPNA, 2002


36

References

8. F. Ye, A. Chen, S. Lu, L. Zhang, A scalable solution to minimum cost forwarding in large sensor networks, in: Tenth International Conference on Computer Communications and Networks, 2001, pp. 304-309.

9. W.R. Heinzelman, A. Chandrakasan, H. Balakrishnan, Energy-efficient communication protocol for wireless microsensor networks, in: 33rd Annual Hawaii International Conference on System Sciences, 2000, pp. 3005-3014.

10. Deepak Ganesan, Ramesh Govindan, Scott Shenker, Deborah Estrin, Highly-resilient, energy-efficient multipath routing in wireless sensor networks, in: Proceedings of the 2nd ACM International Symposium on Mobile Ad Hoc Networking & Computing, 2001, pp. 251-254.

11. http://s3lab.cs.okstate.edu/projects/CIP-WSN/

12. http://www.cse.msu.edu/~mckinley/920/Spring-2006/920-reading-final.html

13. Tatiana Bokareva, Nirupama Bulusu, Sanjay Jha, SASHA: Toward a Self-Healing Hybrid Sensor Network Architecture. Retrieved from http://web.cecs.pdx.edu/~nbulusu/papers/emnets.pdf on March 2, 2008.

14. Brad Karp, H.T. Kung, GPSR: Greedy Perimeter Stateless Routing for Wireless Networks, Retrieved March 4, 2008 from http://www.eecs.harvard.edu/~htk/publication/2000-mobi-karp-kung.pdf