
Nov 21, 2013 (3 years and 4 months ago)


Computer Science

Detecting Malicious Beacon Nodes for Secure
Location Discovery in Wireless Sensor
Networks

Presented by

Akshay Lal

Computer Science

Roadmap


Official terminology.


THE sensor network.


What’s the problem?


A practical solution.


Detection of malicious beacon nodes.


Special considerations.


Revocation of malicious beacon nodes.


Performance review.


Conclusion.


Official Terminology


Beacon node:

Convey information about location.


Non-beacon nodes:

The rest of the network.


Beacon signals:

Signal sent out by beacon nodes.



Detecting beacon node:

Node performing detection on a received signal.


Target beacon node:

Node being detected.



Detecting Id:

ID used by a detecting beacon node to make a target beacon node believe that a non-beacon node wants to communicate.


THE Sensor Network


A network consisting of spatially distributed devices that use sensors to monitor conditions (temperature, sounds, vibrations, etc.) at different locations.

These sensors are low-cost, low-power, multi-functional and communicate within a short range.

Location of the sensor is the critical part of the network - located using geographical routing (GPSR), or some form of “location discovery”.



THE Sensor Network (contd.)


Naïve methodology for location discovery:

Step I:

Receive beacon signals from beacon nodes.

Calculate multiple location references (distance, signal strength, time of arrival, etc.) from various beacon nodes.

Step II:

Determine one's own location using the locations of the beacon nodes, with minimum error.

Very straightforward approach - but what if a malicious node sends an incorrect beacon signal?




And Now The Problem


A malicious beacon node can provide an incorrect location reference.

Non-beacon nodes determine location incorrectly.


The Problem (contd.)


Location verification techniques have been proposed which can verify relative distances between beacon nodes and non-beacon nodes.

None can ensure correct location discovery in a hostile environment (with malicious beacon nodes).

None can remove the impact of a compromised beacon node.


A Practical Solution


Detect malicious beacon nodes

Locations of beacon nodes are known - (x, y).

Location derived from the beacon signal received (using any measurement scheme such as distance) - (x’, y’).

If (x, y) ≠ (x’, y’) - malicious node caught.

Using this data filter out replayed beacon signals

Worm hole attacks - tunnel signal packets from one part of the network to another, and replay the signal packet.

Locally replayed beacon signal - beacon signal received from a neighbor node is replayed by the malicious node.

Revoke the malicious beacon nodes.


Detection of Malicious Beacon Nodes


Assumptions:

Communicating nodes share a unique pair-wise key.

A beacon node cannot distinguish between communications with a non-beacon node or another beacon node.

Communication is always bi-directional.

Beacon signals are unicast to non-beacon nodes and all packets are authenticated using the pair-wise shared key.


Detection of Malicious Beacon Nodes (contd.)


A beacon node uses detecting IDs to perform detection on the signals it hears from another beacon node.

Detecting Node -> Target Node: Request message

Target Node -> Detecting Node: Reply beacon signal containing its location - (x’, y’)

Detecting node:

- estimates distance between itself and target node.

- calculates distance between itself (x, y) and (x’, y’).

If difference between the two values > maximum distance error:

received signal is malicious, hence target node is malicious


Special Considerations


Thwarting Worm Hole Attack


Assumptions:

Worm hole detector installed on every node in the network.

Able to state whether two communicating nodes are neighbors or not with certain accuracy.

Methodology followed:

If a signal is detected to be malicious, a check is made for whether it is because of a worm hole attack.

Detecting node calculates distance between itself and the location received from the target.

If calculated distance is larger than radio communication range - the worm hole detector determines that a worm hole exists - beacon signal is a replayed signal and is ignored.

Drawback is that the worm hole detector cannot ALWAYS guarantee that it can detect a worm hole.



Special Considerations


Thwarting Locally Replayed Beacon Signals

Methodology followed:

The replay of a beacon signal always induces extra delay.

This can be detected by using the Round Trip Time between two nodes.

Detecting Node ($t_1$) -> Target Node ($t_2$): Request

Target Node ($t_3$) -> Detecting Node ($t_4$): Reply

Detecting node calculates $RTT = (t_4 - t_1) - (t_3 - t_2)$

$t_1$: time to finish sending first byte of request

$t_2$: time to finish receiving first byte of request

$t_3$: time to finish sending first byte of reply

$t_4$: time to finish receiving first byte of reply


Special Considerations


Thwarting Locally Replayed Beacon Signals (contd.)

RTT is not affected by the MAC protocol or any processing delay; hence, the distribution of RTT is within a narrow range.

$X_{min}$ = maximum value for X such that F(x) = 0

$X_{max}$ = minimum value for X such that F(x) = 1

[Figure: F(x), with $X_{max}$ and $X_{min}$ marked]

Transmission time per clock pulse = 384 clock cycles

$X_{min}$ = 1,951

$X_{max}$ = 7,506

Detection is possible for any replayed signal if the delay introduced is longer than the transmission time for 14.5 bits


The Algorithm Thus Far




Detecting Node -> Target Node: Request message

Target Node -> Detecting Node: Reply beacon signal containing its location - (x’, y’)

- if difference between distances > maximum distance error

    Then signal is malicious

    Check for worm hole attack.

- if Target node passes worm hole detector

    Check for locally replayed beacon signal.

    Calculate RTT based on response time from Target

    if RTT ≤ $X_{max}$ Then:

        Beacon signal is considered not locally replayed.

    elseif RTT > $X_{max}$ Then:

        Beacon signal is considered locally replayed.
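
The three checks above chained into one decision, as an added Python example (not code from the slides or the underlying paper). The positions, distance error, radio range and timestamps are constructed; X_max is the slide's value, taken here to be in clock cycles, and requiring both the out-of-range distance and the detector's flag for a worm hole verdict is this example's reading of the slide.

```python
import math
from dataclasses import dataclass

X_MAX = 7506  # X_max from the slides; taken here to be in clock cycles (assumption)

@dataclass
class Reply:
    claimed_xy: tuple      # (x', y') carried in the target's beacon signal
    measured_dist: float   # distance estimated from the signal itself
    t1: int                # request: first byte sent (detecting node)
    t2: int                # request: first byte received (target node)
    t3: int                # reply: first byte sent (target node)
    t4: int                # reply: first byte received (detecting node)

def rtt(r: Reply) -> int:
    """RTT = (t4 - t1) - (t3 - t2): time on the air, target's turnaround removed."""
    return (r.t4 - r.t1) - (r.t3 - r.t2)

def classify(own_xy, r, max_dist_error, radio_range, wormhole_flagged):
    """Return 'consistent', 'wormhole_replay', 'local_replay' or 'alert'."""
    calculated = math.dist(own_xy, r.claimed_xy)
    if abs(calculated - r.measured_dist) <= max_dist_error:
        return "consistent"
    # Signal is malicious; rule out replays first so the target is not blamed for them.
    if calculated > radio_range and wormhole_flagged:
        return "wormhole_replay"   # replayed through a worm hole: ignored
    if rtt(r) > X_MAX:
        return "local_replay"      # extra delay from a local replay: ignored
    return "alert"                 # target beacon node is reported as malicious

# Constructed sample replies (positions in metres, times in clock cycles).
OWN = (0.0, 0.0)
HONEST = Reply((30.0, 40.0), 51.0, 0, 1000, 5000, 8000)    # RTT 4000
LIAR = Reply((90.0, 0.0), 50.0, 0, 1000, 5000, 8000)       # RTT 4000
TUNNEL = Reply((300.0, 400.0), 60.0, 0, 1000, 5000, 8000)  # claims to be 500 m away
RELAYED = Reply((90.0, 0.0), 50.0, 0, 1000, 5000, 14000)   # RTT 10000

def demo():
    args = dict(max_dist_error=4.0, radio_range=150.0)
    return [classify(OWN, HONEST, wormhole_flagged=False, **args),
            classify(OWN, LIAR, wormhole_flagged=False, **args),
            classify(OWN, TUNNEL, wormhole_flagged=True, **args),
            classify(OWN, RELAYED, wormhole_flagged=False, **args)]
```

If the worm hole detector misses the tunnel (`wormhole_flagged=False` for `TUNNEL`), the same reply falls through to `alert`, which is the false-alert case the worm hole slide lists as a drawback.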


Revocation of Malicious Beacon Nodes


Assumption:

The base station has a method to revoke malicious beacon nodes.

Each node shares a unique key with the beacon node.

Methodology followed:

All alerts contain the IDs of both the detecting and target node.

The base station maintains a table with an entry for each beacon node.

Associated with each entry is an alert counter and a report counter.

Alert Counter - records suspiciousness of a beacon node.

Report Counter - records number of alerts reported by a node and accepted by the base station.

For every received alert the Report Counter for the detecting node is increased.

Beacon nodes with a high Alert Degree are considered malicious.

A threshold is set for the maximum allowable alerts against a node after which the beacon node is revoked.



Revocation of Malicious Beacon Nodes


A Subtle Issue to Consider

Two thresholds exist:

Γ - maximum limit for alerts against a beacon node.

Ѓ - maximum limit for reports sent by a beacon node.

Reason for two thresholds:

Malicious beacon node tries to revoke a non-malicious beacon node.

This will cause the value of Γ to increase up to threshold - Γ.

Beacon node will revoke the beacon node but will still accept alerts from that node until report count reaches threshold - Ѓ.

Also the number of reports sent by any beacon node cannot exceed Ѓ, hence a malicious node cannot revoke ALL the non-malicious beacon nodes before getting revoked itself.
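
The two-counter bookkeeping and the reason for the second threshold, as an added Python sketch (not the paper's or the presenter's code). The class and function names and the node IDs are hypothetical, and reading both limits as "the counter may not exceed the limit" is an assumption of this example.

```python
from collections import defaultdict

class BaseStation:
    """Alert/report counters kept per beacon node, as on the revocation slides."""

    def __init__(self, alert_limit, report_limit):
        self.alert_limit = alert_limit      # slide's first threshold: alerts against a node
        self.report_limit = report_limit    # slide's second threshold: reports sent by a node
        self.alert_counter = defaultdict(int)
        self.report_counter = defaultdict(int)
        self.revoked = set()

    def receive_alert(self, detecting_id, target_id):
        """Process one alert; return True if the base station accepted it."""
        # Assumption: a reporter is cut off once its counter exceeds the limit,
        # so it gets report_limit + 1 accepted alerts in total.
        if self.report_counter[detecting_id] > self.report_limit:
            return False
        self.report_counter[detecting_id] += 1
        self.alert_counter[target_id] += 1
        # Assumption: revocation happens when the alert counter exceeds the limit.
        if self.alert_counter[target_id] > self.alert_limit:
            self.revoked.add(target_id)
        return True

def collusion_damage(attackers, victims, alert_limit, report_limit):
    """Attackers pool false alerts on one victim at a time; return who gets revoked."""
    bs = BaseStation(alert_limit, report_limit)
    pending = list(victims)
    for attacker in attackers:
        # Each attacker keeps reporting until the base station stops listening to it.
        while pending and bs.receive_alert(attacker, pending[0]):
            if pending[0] in bs.revoked:
                pending.pop(0)
    return bs.revoked

def max_false_revocations(n_attackers, alert_limit, report_limit):
    """Counting bound: accepted false alerts divided by alerts needed per victim."""
    return n_attackers * (report_limit + 1) // (alert_limit + 1)
```

With two colluding nodes and both limits set to 2, `collusion_damage` revokes exactly two honest nodes out of five, matching `max_false_revocations`; raising the alert limit to 3 cuts that to one.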


Performance Review


Notations for Node Detection

$P_d$: Detection rate of the worm hole detector.

$P_r$: Detection rate of a malicious node by a detecting node.

$P_n$: Fraction of nodes that receive the malicious beacon signal.

$P_w$: Fraction of the nodes that are convinced of a worm hole.

$P_l$: Fraction of the nodes that are convinced the signal is locally replayed.

P: The probability that a node receives a signal from a malicious node which is not removed by the replay detector.

m: Number of IDs for a detecting node.




Performance Review


Node Detection


Detection Mechanism Analysis:

Computational and storage overhead is mainly due to key establishment protocols and cryptographic operations.

The probability of a beacon node reporting an alert for a non-malicious beacon node is $1 - P_d$ if a worm hole exists and 0 if no worm hole exists.

Probability that a non-malicious detecting node will send an alert for a malicious beacon node, considering the detecting node has m detecting IDs, is: $1 - (1 - (1 - P_n)(1 - P_w)(1 - P_l))^m$

Probability that a node receives a beacon from a malicious node which is not caught by the replay detector is: $P = (1 - P_n)(1 - P_w)(1 - P_l)$.

Relationship between $P_r$ and P: $P_r = 1 - (1 - P)^m$

Conclusion I:

Cannot increase P without simultaneously increasing $P_r$.


Performance Review


Notations for Node Revocation


N: Total number of sensor nodes.

$N_a$: Total number of malicious beacon nodes.

$N_b$: Total number of beacon nodes.

$N_c$: Total number of nodes that send requests to a malicious beacon node.

$N_w$: Number of pairs affected by a worm hole attack.

N`: Average number of affected nodes.

P`: Probability of accepting a signal from a revoked node.

$P_d$: Detection rate.

$P_r$: Probability of reporting an error.

$P_a$: Probability of the base station having an alert against a malicious node.

$P_1$, $P_2$: Probability that the report counter of a non-malicious node increases by 1 / 2 when reporting a malicious node.



Performance Review


Notations for Node Revocation


Node Revocation Analysis
:


A beacon node only reports about others within its communication range, hence the storage and communication overhead is very limited.

The detection rate, or probability that a malicious beacon node will be revoked, is:

$P_d = 1 - \sum_{i=0}^{\tau} P(i)$

Where

$P(i) = \frac{N_c!}{(N_c - i)! \, i!} P_a^{i} (1 - P_a)^{N_c - i}$

$P_a = P_r \cdot \frac{N_b - N_a}{N}$

Conclusion II:

Detection rate increases as a node continues to behave maliciously.

Conclusion III:

As Γ increases detection rate decreases.

Conclusion IV:

And as m increases detection rate increases.

m = 1

ґ = 4
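
The detection-rate formula evaluated numerically, as an added Python example (not from the slides). It reads the formula as $P_d = 1 - \sum_{i=0}^{\tau} P(i)$ with a binomial $P(i)$ over $N_c$ requests, $P_a = P_r (N_b - N_a) / N$ and $P_r = 1 - (1 - P)^m$; the network sizes and probabilities in `BASE` are constructed, and `min_detecting_ids` is a hypothetical helper.

```python
from math import comb

def report_prob(P, m):
    """P_r = 1 - (1 - P)^m: at least one of m detecting IDs catches the node."""
    return 1 - (1 - P) ** m

def alert_prob(P, m, N, N_a, N_b):
    """P_a = P_r * (N_b - N_a) / N: a request comes from an honest beacon and is reported."""
    return report_prob(P, m) * (N_b - N_a) / N

def detection_rate(P, m, N, N_a, N_b, N_c, tau):
    """P_d = 1 - sum_{i=0}^{tau} C(N_c, i) P_a^i (1 - P_a)^(N_c - i)."""
    p_a = alert_prob(P, m, N, N_a, N_b)
    # Probability that at most tau alerts arrive, i.e. the node is not revoked.
    not_revoked = sum(comb(N_c, i) * p_a ** i * (1 - p_a) ** (N_c - i)
                      for i in range(tau + 1))
    return 1 - not_revoked

def min_detecting_ids(target, max_m=64, **params):
    """Smallest m whose detection rate reaches `target`, or None up to max_m."""
    for m in range(1, max_m + 1):
        if detection_rate(m=m, **params) >= target:
            return m
    return None

# Constructed parameters: 1000 sensor nodes, 100 beacon nodes, 10 of them malicious,
# 100 requests to the malicious node, alert threshold 2.
BASE = dict(P=0.2, m=4, N=1000, N_a=10, N_b=100, N_c=100, tau=2)

def trends():
    """Detection rate for the base case and with one parameter raised at a time."""
    return {
        "base": detection_rate(**BASE),
        "higher_P": detection_rate(**{**BASE, "P": 0.4}),
        "higher_tau": detection_rate(**{**BASE, "tau": 4}),
        "higher_m": detection_rate(**{**BASE, "m": 8}),
        "higher_N_c": detection_rate(**{**BASE, "N_c": 200}),
    }
```

`trends()` reproduces the direction of Conclusions II to IV (a higher P or m raises the rate, a higher threshold lowers it) and the effect of more requesting nodes shown on the next slide.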


Performance Review


Notations for Node Revocation (contd.)

Effect of an increase in $N_c$ on the detection rate.

Relation between P` and N`.

Conclusion V:

As the number of requesting nodes to a malicious node increases, detection rate increases due to the increase in number of alerts sent.

Conclusion VI:

As Γ increases N` and P` increase.

As m increases N` and P` decrease.


Performance Review


Notations for Node Revocation (contd.)

Effect on N` when P is chosen so that P` is maximized

The average number of non-malicious nodes revoked by the base station is at most:

$N_f \le \frac{2(1 - P_d) N_w + N_a(\tau' + 1)}{\tau + 1}$

The reference used to define Γ and Ѓ:

$P'(i) = \sum_{j + k = i} \frac{N_a! \, N_w!}{(N_a - j)! \, j! \, (N_w - k)! \, k!} P_1^{j} (1 - P_1)^{N_a - j} P_2^{k} (1 - P_2)^{N_w - k}$

Conclusion VII:

Initially N` increases fast but after a point it decreases due to the increase in the number of requests serviced.

Conclusion VIII:

N` decreases when threshold Γ decreases.











Conclusion IX:

The thresholds Ѓ and Γ can be obtained by the above analysis, which should satisfy the condition on low $N_f$, or by choosing Ѓ and Γ that yield a minimum $N_f$, given $P_d$, $N_w$ and $N_a$.



Performance Review


Implementation on TinyOS

Simulation results obtained from Nido (TinyOS simulator) conform to the theoretical values; some have a small difference, but in general the results are close to what was expected.

Receiver Operating Characteristic curves (ROC-curves)

Conclusion X:

Most of the beacon nodes are detected with small false positives; however, as the network continues to get compromised, the performance degrades accordingly.

Γ and Ѓ were varied and P is configured such that N` is maximized.


And in Conclusion …


Many protocols exist today that help in location discovery, such as AHLos, coarse-grained localization schemes, etc. None work properly in hostile environments wherein malicious nodes jeopardize the location discovery.

SERLOC (SEcure Range-independent LOCalization for wireless sensor networks) is a secure range-free localization technique, but it cannot detect and remove malicious beacon nodes.



In this paper localization is protected by detecting compromised beacon
nodes. Methods adopted are very simple yet effective, and efficiency is
guaranteed within the constraints of a sensor’s battery life and limited
memory.



Future work can be aimed at more efficient ways of reducing the false alert
rate and methods to revoke malicious nodes without using the base station.