Distributed Detection of Node Replication Attacks in Sensor Networks
Bryan Parno, Adrian Perrig, Virgil Gligor
IEEE Symposium on Security and Privacy 2005
Xia Wang
CS610, Fall 2005
Outline
• Introduction
• Preliminary protocols
• Randomized multicast
• Line-selected multicast
• Simulations
• Conclusions and Future work
Introduction
• Sensor nodes are small, low-cost and usually have no hardware protection.
• Unshielded sensor nodes are easily captured and replicated in hostile environments.
• Node replication attacks: a legitimate node is captured and compromised by an adversary, who can then replicate the node with the same ID and insert those replicas into the network.
• Using replicated nodes, the adversary could subvert the whole network.
Existing Approaches
• Centralized monitoring: all nodes transfer a list of their neighbors’ claimed locations to a central base station that examines location conflicts. Single point of failure.
• Localized voting systems: nodes can revoke their neighbors. Cannot detect distributed node replication.
Some assumptions and Goals
Assumptions:
• The adversary cannot create new IDs for nodes or simply guess a new ID.
• The percentage of nodes captured is limited.
• Any cloned node has at least one legitimate node as a neighbor. (can be removed)
• Each node knows its geographic position.
Goal:
• Provide schemes to detect node replication attacks without centralized monitoring and revoke the replicated nodes.
• Lower memory consumption and communication costs
Preliminary approaches
• Node-To-Network Broadcasting
• Deterministic Multicast
Node-To-Network Broadcasting(1)
• Each node uses an authenticated broadcast message to flood the network with its location information.
• Each node stores the location information for its neighbors.
• If a conflicting claim is detected, the offending node is revoked.
Node-To-Network Broadcasting(2)
• Simple, and achieves a 100% detection rate
• Each node stores location information for its d neighbors.
• Total communication cost is $O(n^2)$
Deterministic Multicast
• Each node broadcasts its location to its neighbors.
• Neighbors forward the location claim to a subset of the nodes, the “witnesses”: $F(\alpha) = \{W_1, W_2, \ldots, W_g\}$
• Once a witness detects a location conflict, it revokes α by flooding.
• If each node selects $(g \ln g)/d$ random destinations from the set of witnesses and the average path length is $O(\sqrt{n})$, then the communication cost is $O\!\left(\frac{g \ln g \sqrt{n}}{d}\right)$.
• F is a deterministic function, so an adversary can also determine all witness nodes.
Randomized Multicast(1)
• Each node α broadcasts its location to its neighbors $\beta_1, \beta_2, \ldots, \beta_d$ with the format $\langle ID_\alpha, l_\alpha, \{H(ID_\alpha, l_\alpha)\}_{K^{-1}} \rangle$
• Each neighbor verifies α’s signature and location $l_\alpha$
• With probability p, each neighbor selects g random locations as witnesses.
• Use geographic routing to forward α’s location.
• Upon receiving a location claim, each witness verifies the signature and checks for location conflicts.
• If a node replication attack is detected, the witness floods the network with the two conflicting locations.
What’s the probability of a collision?
Security Analysis of Randomized Multicast (1)
• Suppose malicious node α is replicated at locations $l_1, l_2, \ldots, l_L$.
• At each location $l_i$, $p \cdot d$ nodes randomly select $g$ witnesses.
  – p: probability that a neighbor will replicate location information
  – d: average degree of each node
  – g: number of witnesses selected by each neighbor
• The birthday paradox predicts at least one collision with high probability. (In a room with 23 persons, there is a chance of more than 50% that two persons have the same birthday.)
• Ideally, α’s location will be stored at $p \cdot d \cdot g$ locations.
• The probability that two conflicting location reports collide at some witness node:

$$P_{nc1} = \left(1 - \frac{p \cdot d \cdot g}{n}\right)^{p \cdot d \cdot g}$$

$$P_{nc2} = \left(1 - \frac{2 \cdot p \cdot d \cdot g}{n}\right)^{p \cdot d \cdot g}$$

$$P_{nc} = \prod_{i=1}^{L-1} \left(1 - \frac{i \cdot p \cdot d \cdot g}{n}\right)^{p \cdot d \cdot g}$$

Approximations used: $(1 + x)^y \approx 1 + xy$ and $(1 + x) \le e^x$

$$P_{nc} \le e^{-\frac{p^2 d^2 g^2}{n} \cdot \frac{L(L-1)}{2}}$$

$$P_c = 1 - P_{nc}$$

$P_{nc1}$ is the probability that the $p \cdot d \cdot g$ recipients of claim $l_1$ do not receive any of the $p \cdot d \cdot g$ copies of claim $l_2$.
$P_{nc}$ is the probability of no collision at all.
With n = 10,000, g = 100, d = 20, p = 0.05, the probability of detecting a single replication is greater than 63%, and the probability of detecting two replications is greater than 95%.
Not efficient: communication cost is $O(n^2)$
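An added example, not part of the original slides: it evaluates the no-collision product and its exponential bound for the slide's parameters, then checks them with a Monte Carlo run of the witness-side conflict check. As the formula does, the simulation assumes exactly p·d neighbors forward each claim; the function names and the trial count are choices made for this sketch.

```python
import math
import random

def p_nc_exact(n, d, g, p, L):
    """Product over i = 1..L-1 of (1 - i*p*d*g/n)^(p*d*g)."""
    w = p * d * g
    return math.prod((1 - i * w / n) ** w for i in range(1, L))

def p_nc_bound(n, d, g, p, L):
    """Upper bound exp(-(p*d*g)^2 * L*(L-1) / (2n)), from (1 + x) <= e^x."""
    w = p * d * g
    return math.exp(-(w * w) * L * (L - 1) / (2 * n))

def simulate_detection(n, d, g, p, L, trials=2000, seed=1):
    """Fraction of trials in which some witness stores two locations for one ID.

    Assumption (same as the formula): exactly round(p*d) neighbors of each
    replica forward the claim, each to g distinct random witnesses.
    """
    rng = random.Random(seed)
    forwarders = round(p * d)
    hits = 0
    for _ in range(trials):
        stored = {}        # witness node -> index of the location it stored
        conflict = False
        for loc in range(L):
            for _ in range(forwarders):
                for witness in rng.sample(range(n), g):
                    # A witness already holding a different location for
                    # the same ID has found a replica.
                    if stored.setdefault(witness, loc) != loc:
                        conflict = True
        hits += conflict
    return hits / trials

if __name__ == "__main__":
    n, d, g, p = 10_000, 20, 100, 0.05   # parameters quoted on the slide
    for L in (2, 3):
        print(L, 1 - p_nc_exact(n, d, g, p, L), 1 - p_nc_bound(n, d, g, p, L),
              simulate_detection(n, d, g, p, L))
```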
Line-Selected Multicast
• When a location claim travels from one node to another node, all the intermediate nodes store the location and virtually form a line across the network.
• If a conflicting location claim ever crosses the line, then the node at the intersection will detect the conflict.
Analysis of Line-Selected Multicast
• The probability that two line-segments intersect
• Use the solution to Sylvester’s Four-Point Problem.
• The probability that four randomly selected points in a convex domain will form a re-entrant quadrilateral is $\frac{35}{12\pi^2}$

$$P_{intersect} = \frac{1}{3}\left(1 - \frac{35}{12\pi^2}\right) \approx 0.235$$
Advanced Analysis of Line-Selected Multicast
• With only 2 random segments per point, the probability is >56%
• 5 segments per point, the probability is 95%
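An added example, not part of the original slides: a Monte Carlo estimate of the line-crossing probability, compared against the closed form (1/3)(1 − 35/(12π²)) for one segment per replica and then run for several segments per replica. The unit-disk deployment area, segments that start at the replica's own location, and the function names are assumptions of this sketch.

```python
import math
import random

def point_in_disk(rng):
    """Uniform random point in the unit disk (constructed deployment area)."""
    r, t = math.sqrt(rng.random()), 2 * math.pi * rng.random()
    return (r * math.cos(t), r * math.sin(t))

def orient(a, b, c):
    """Signed area of the turn a -> b -> c (2-D cross product)."""
    return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])

def crosses(a, b, c, d):
    """True when segment ab properly crosses segment cd."""
    return (orient(a, b, c) * orient(a, b, d) < 0
            and orient(c, d, a) * orient(c, d, b) < 0)

def p_intersect_closed_form():
    """Slide value: (1/3) * (1 - 35 / (12 * pi^2)), about 0.235."""
    return (1 - 35 / (12 * math.pi ** 2)) / 3

def detection_rate(r, trials=20000, seed=7):
    """Fraction of trials where a line from replica 1 crosses one from replica 2.

    Each replica location draws r segments to random witness points; the node
    at a crossing would hold both conflicting claims.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        l1, l2 = point_in_disk(rng), point_in_disk(rng)
        ends1 = [point_in_disk(rng) for _ in range(r)]
        ends2 = [point_in_disk(rng) for _ in range(r)]
        if any(crosses(l1, w1, l2, w2) for w1 in ends1 for w2 in ends2):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    print("closed form:", round(p_intersect_closed_form(), 4))
    for r in (1, 2, 5):   # 2 and 5 are the settings quoted on the slide
        print(r, "segments per replica:", detection_rate(r))
```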
Simulations
Communication Overhead
Simulation(2)
The average probability of detecting a single node replication using Line-Selected Multicast in a variety of topologies.
Conclusions and Future Work
• Conclusions
  – Proposed a randomized multicast scheme and a line-selected multicast scheme to detect distributed node replication attacks
  – Line-selected multicast provides excellent resiliency while achieving near optimal communication overhead.
  – Both primary protocols illustrate the power of emergent properties in sensor networks.
• Future work
  – Consider misbehaving malicious nodes
• Critique
  – Once a location conflict is detected, the revocation of the replicated nodes is flooded through the whole network. Because the node replication attack happens during a certain time slot, the malicious node may obtain other nodes’ ID information before detection starts. In that case, the malicious node can fabricate conflicting location information and flood it into the network. The malicious node can exhaust the energy of the network by flooding this conflicting information.