Abstract Since wireless sensor networks are emergingas innovative technologies for realizing a variety offunctions through a number of compact sensor nodes,security must be justified and ensured prior to theirdeployment. An adversary may compromise sensornodes, forcing them to generate undesired data, andpropagation of these data packets through the networkresults in wasteful energy consumption. We develop asecurity mechanism to detect energy-consuming uselesspackets, assuming that a sensor node is able to gen-erate multiple message authentication codes (MAC)using preshared secrets. The forwarding nodes alongthe path verify the validity of the packet by checkingthe authenticity of the attached MACs. This mechanismperforms well when a malicious node does not haveall the cryptographic keys. However, packets, gener-ated by the malicious node having all the keys, wouldbe considered as legitimate, and thus, the forwardingnodes become unable to detect and discard them. Todeal with this problem, we devise another mechanismin which each forwarding node is capable of checkingsuch suspicious nodes. We have quantified the securitystrength through analysis and simulations to show thatthe proposed mechanisms make the entire networkenergy conserving.
M. A. Hamid · C. S. Hong (B)Networking Lab, Department of Computer Engineering,School of Electronics and Information,Kyung Hee University, 1 Seocheon, Giheung,Yongin, Gyeonggi 446-701, South Koreae-mail: [email protected]
The expected achievement of a wireless sensor network(WSN) is to produce, over an extended period of time,global information from local data sensed by individualsensor nodes. The characteristics of sensor networksdiffer from traditional wireless networks in a way whereenergy conservation and self-configuration are the pri-mary goals, while pernode fairness and latency areless important. Sensor networks usually consist of alarge number of ultrasmall autonomous devices. Eachdevice, called a sensor node, is battery-powered andequipped with integrated sensors, data processing capa-bilities, and short-range radio communications. Sensornetworks are being deployed for a wide variety ofapplications [1], including military sensing and track-ing, environment monitoring, patient monitoring andtracking, smart environments, etc. When sensor net-works are deployed in a hostile environment, securitybecomes extremely important, as they are prone todifferent types of malicious attacks. For example, anadversary can easily listen to the traffic, impersonateone of the network nodes, or intentionally providemisleading information to other nodes.
The perceived usefulness of sensor network will bedangerously curtailed if misbehavior (by an adversaryor a compromised node) occurs that threats the work ofthe network by perturbing the information produced,stopping production, or proliferating information. Im-plementing security mechanisms to restrict mass flow
of illegitimate information can increase the lifetime ofthe entire network, thereby conserving the energy. Inthis paper, we present a security scheme to identifyand restrict the illegitimate data packets to flow inthe network. Intuitively, early detection and discard ofthose packets will allow the entire network to conserveenergy, which is one of the primary goals in the designof resource-constrained sensor networks.
Networks may suffer in many ways due to the inser-tion of junk or misleading packets. First, it may causecongestion in the network and, therefore, the data ac-quisition point (base station) may loose its perceivedgoal from extracting information in a timely fashion.Second, attackers may intentionally insert wrong infor-mation in the data packets and the base station willproceed with this information. So, the main defense isto ensure that a route may serve the legitimate packetsby detecting and preventing untrustworthy or replayedpackets in the route. Thus, the overall lifetime of thenetwork can be increased by reducing the transmis-sion/reception power consumed by the large number ofunexpected traffic.
We exploit the multiple complementary tree-basedkey predistribution protocol [2] to develop the de-tection technique in which each sensor is preassignedsecret keys from complementary trees. When a sensorsenses an event, it generates multiple message authen-tication codes (MAC) using distinct secret keys fromdistinct trees and appends these MACs to the senseddata. As the data packet traverses towards the basestation, intermediate nodes verify the legitimacy ofthe data packet by checking the authenticity of theappended MACs. If the packet is detected to be illegit-imate, the forwarding node discards the packet to savethe wasteful energy that would have been consumedif the packet were traversing all the way to the basestation. The security protocol performs well when anadversary does not have cryptographic keys from allthe complementary trees. However, if an attacker node(compromised by the adversary) has all the keys, it cangenerate packets that would be considered as legitimateto the forwarding nodes and, hence, cannot be dis-carded. Such a malicious node may disrupt the normaloperation of the network by continuously sending datato deplete the channel capacity in their vicinity and,hence, prevent other legitimate nodes from communi-cating. To deal with this problem, we devise a techniquethat runs in each node along with the aforementionedsecurity mechanism to identify malicious nodes. Totrace the suspicious node, each forwarding node mon-itors the traffic loads of its descendant nodes for aperiod of time and calculates the probability of a nodebeing suspicious. Through analysis and simulations, we
show the proposed scheme to be energy-conserving. Apreliminary version of this paper can be found in [3].
The rest of the paper is organized as follows: InSection 2, we briefly explain related works. Networkmodel and assumptions are outlined in Section 3. InSection 4, we present our security mechanisms in detail.The performance is evaluated analytically and throughsimulations to justify efficiency and practicability inSections 5 and 6, respectively. Discussion and furtherissues are presented in Section 7. Section 8 concludesthis paper.
2 Related works
Over the past few years, exhaustive research hasbeen conducted on energy-conserving routing proto-cols for WSNs. In [4], the authors proposed a power-saving protocol that included the quantification of thetrade-off between power conservation and quality ofsurveillance, the development of an efficient sleep–awake protocol, and the evaluation of soft deploymenttechniques. The sleep–awake protocol [4] providesbetter-quality surveillance while reducing power con-sumption. In [5], the authors proposed a geographicprobabilistic flow-based spreading (PFS) routing proto-col to extend the network lifetime. PFS spreads incom-ing traffic to eligible next-hop neighbors according to aprobability distribution. The values of this distributionare set so as to balance the traffic load reported from allpossible next-hop neighbors, and only next-hop neigh-bors with enough residual energy are eligible to receivepackets for forwarding. Wie et al. in [6] proposed anenergy-efficient, medium-access control protocol by pe-riodically keeping the sensor nodes in listen and sleepmodes. Their periodic listen and sleep scheme reducesenergy consumption by minimizing radio transceivers’idle time.
In [7], Wu et al. proposed a distributed schedul-ing mechanism called lightweight deployment-awarescheduling (LDAS). This work assumes that sensornodes are not equipped with GPS or other devicesto obtain location information. LDAS can achieve aspecific level of partial sensing coverage in a statisticalsense. In LDAS, nodes are assumed to be randomly anduniformly distributed over the coverage area, and theprotocol does not require accurate location informa-tion. Nodes have asynchronous sleeping schedules tobalance energy consumption. In [8], authors proposedASCENT, which uses sensors’ local measurements toautomatically configure network topology in a high-density sensor network. The goal is to maintain acertain data delivery ratio while allowing redundant
sensors to stay asleep in order to conserve energy.Achieving this goal requires configuring the networkto the right level of connectivity; it cannot be too lowto hamper data delivery, but it cannot be too high ei-ther since neighboring nodes might interfere with eachother, leading to a high collision rate. The approachadopted by ASCENT is to let sensors measure theirconnectivity as well as their data loss rate and activatetheir neighbors based on these local measurements.
Bandyopadhyay et al. [9, 10] considered a sim-ple strategy to select cluster heads—they are chosenrandomly with a probability p. There are two kindsof cluster heads: volunteer cluster heads and forcedcluster heads. Each sensor can become a volunteercluster head with probability p. A volunteer clusterhead advertises itself to the neighboring sensors, whichthen forward the advertisement within k hops. Anynoncluster-head sensor that receives such advertise-ments joins the cluster of the closest cluster head. Anysensor not associated with a cluster within t units oftime becomes a forced cluster head. In [11], an energy-efficient protocol, TEEN, was proposed for reactivenetworks. The authors made a formal classification ofsensor networks based on their modes of functioning asproactive and reactive networks.
In [12], Karlof et al. thoroughly discussed the prob-lem of secure data transmission for different routingprotocols, and they concluded that few of the manysensor network routing protocols have been designedwith security as a goal. They suggested the securitygoals required for routing in sensor networks. A securerouting was proposed in [13], called security-aware adhoc routing, that incorporates security attributes asparameters into ad hoc route discovery. Their goal isto characterize and explicitly represent the trust valuesand trust relationships associated with ad hoc nodes anduse these values to make routing decisions. A new secu-rity threat, defined as rushing attack, was introduced in[14], and the authors showed that it is possible to securesuch an attack, and a general design that uses thiscomponent may secure any on-demand route discoverymechanism against the rushing attack.
Random pairwise key distributions were discussed in[15] and [16] to make the sensor networks resilient tosecurity threats. Kulkarni et al. [2] analyzed the prob-lem of assigning initial secrets to users in ad-hoc sensornetworks to ensure authentication and privacy duringcommunications and pointed out possible ways of shar-ing the secrets. Particularly, they proposed two (treeand complementary tree) probabilistic protocols thatmaintain O(logN) secrets, where N is the number ofnodes in the network. They showed that the probabilityof a security compromise between two users (nodes)
is inversely proportional to the number of secrets theymaintain.
A security mechanism is developed in [3] to thwartunauthorized data flow in the WSN by applying thecomplementary tree-based distribution of the cryp-tographic keys to the sensor nodes. The illegitimatepacket is defended by checking the MACs attachedto the data packet. Each node generates MACs withdifferent cryptographic keys (from different comple-mentary trees) and appends them with the data packet.The security mechanism works well when an adversarydoes not have cryptographic keys from all the comple-mentary trees. However, if all the keys are compro-mised by the adversary, the security mechanism failsto detect the unauthorized data packets. To overcomethis limitation, along with the security mechanism [3],we develop another mechanism to identify the ma-licious node when the security checking fails due tothe compromise of all the cryptographic keys. In thismechanism, each forwarding node monitors the trafficloads of its descendant nodes for a period of time andcalculates the probability of a node being suspiciouswhen the traffic load exceeds the desired average value.The goal of both mechanisms is to detect and preventmalicious or misleading packet flow in the network and,thereby, to save wasteful energy consumption.
3 Network model and assumptions
We consider a uniformly distributed WSN that consistsof N sensor nodes with equal capabilities and one datacollection center called base station (BS) or sink. Weassume that every sensor has a unique identifier (ID)idSN such that 1 ≤ idSN ≤ N. Once deployed, each nodeis assumed to be static. The BS is typically equippedwith sufficient computation and storage capabilities,and it might have workstation- or laptop-class proces-sor, memory, and storage [12]. However, sensor nodesare usually battery-powered, and the limited capacity ofthese batteries substantially limits the network lifetime[4]. Therefore, relaying by intermediate nodes needsto be performed so that the data can ultimately reachthe BS.
We assume that the BS/sink is under the directcontrol of the network owner [12], and therefore, it isassumed that the adversary does not have the capabilityto attack the BS/sink because the powerful BS can pro-tect any kind of malicious effort well. Note that usingthe mobile sink may create security problems since anadversary may find significant interest in compromisingthe mobile sink to easily bring down, or even take over,the sensor network. In such cases, security mechanisms
that can tolerate mobile sink compromises are essential.We do not consider the use of a mobile sink in ourwork. However, our assumption on the network is thatthe attacker may know the basic approaches of thesecurity mechanism and be able to compromise throughradio communication channels. If the sensor node iscompromised, all the information it holds will also becompromised (and, thus, the attacker knows all thecryptographic keys). Once the secret keys are known,a node can be used to generate/propagate sensed datathat are illegitimate. Additionally, it may launch var-ious other attacks, such as simply generating packetsto congest the network (a selfish node may choose towait for a smaller backoff interval, thereby increasingits chances of accessing the channel and, hence, reduc-ing the throughput share received by other legitimatenodes) and recording and replaying older data packets,thereby consuming the network’s overall energy.
4 Security scheme
In this section, we present our proposed securityscheme in detail.
4.1 Complementary tree-based key predistribution
In this section, we describe the probabilistic protocol,the complementary tree protocol, for assigning the ini-tial secret keys to the sensor nodes. We first describethe single complementary tree-based key distributionprotocol and then describe the multiple complementarytree-based protocol. We organize the cryptographickeys in the tree of degree d, as shown in Fig. 1. In thispaper, we use d = 3.
All nodes in the tree, except the root, are associatedwith a secret key. Each leaf of the tree is associatedwith a sensor node. Note that a leaf is associated witha sensor as well as a key, as shown in Fig. 1. Thekey distribution protocol is as follows: For each level(except level 1), the node gets keys associated with the
Fig. 1 Single complementary tree-based cryptographic key dis-tribution to the sensor nodes
siblings of its ancestors (including itself). Therefore,node s1 gets keys k2, k3 (level 2), k5, k6 (level 3), k14, andk15 (level 4). A node does not get the keys associatedwith its ancestors.
When two nodes, say j and k, want to communicate,they first identify their least common ancestor. Let zbe the least common ancestor of j and k. Let x denotethe child of z that is an ancestor of j. Likewise, let ydenote the child of z that is an ancestor of k. Now, tocommunicate, j and k use the keys associated with allchildren of z except x and y. For example, if s1 and s2
want to communicate, they use the key k15. If nodes s1
and s9 want to communicate, they will use the key k5. Ifs1 and s15 want to communicate, they will use the secretkey k3.
For a single complementary tree protocol, each nodegets (d − 1)logd(N) keys, and the probability to com-promise a node is 2
d+1 , where N is the number ofsensors. From Fig. 1, there are 27 sensor nodes, eachnode gets six keys, and the probability of compromiseis 1/2 [2]. There are a total of
∑levelj=2 d j−1 = 39 keys in a
single complementary tree, where d = 3.It is possible to reduce the probability of compromise
in the complementary tree protocol even further, if wemaintain multiple trees, where each tree includes all thesensor nodes and secret keys. More specifically, if wemaintain t trees, where there is no correlation betweennodes’ locations in different trees and t � N, thenthe probability of security compromise, pcompromise, is(
2(d+1)
)tand each node gets t(d − 1)logd(N) keys [2]. As
an example, for eight trees with degree d = 3, the prob-ability of compromise is ( 1
2 )8 = 0.0039. The authorsrefer readers to [2] for more details; however, for thecompleteness of the paper, we provide the derivationof the probability of compromise in the Appendix. Withthe initial secret keys assigned, the sensors are deployedin the desired area, and it is assumed that the sensornetwork is deployed by a single party and all the sensorsare static after they are deployed in the area of interest.
4.2 Source data generation and forwarding
When an event occurs, the node that senses the signalwill prepare the sensed data as a message to be sentto the BS through intermediate forwarding nodes. Themessage format is in the form of (idSN, nonce, msg)
where, msg is the sensed data, idSN is the ID of thesensor node, and nonce is a special marker (e.g., atime stamp or a counter) intended to limit or preventthe unauthorized replay or reproduction of a message.Prior to forwarding the message to its upstream neigh-bor (i.e., next hop node towards the BS), the source
node randomly selects f number of keys from f differ-ent complementary trees from its key-chain and gener-ates f MACs and attaches them with the message msg.Source node computes f MACs, using those selected fkeys, msg, idSN and nonce according to Eq. 1:
MACi = (ki, idSN||nonce||msg), (1)
where i = 1, 2, . . . , f and || represents stream concate-nation. The MAC (which is of fixed length) is attachedto the input and serves to prove integrity and authen-ticity of the input [17]. A MAC is also known as acryptographic checksum [18]. Then, the source nodecombines the message, nonce, and MACs along withthe key indices as a packet and sends to the forwardingnode according to Eq. 2:
packet = (idSN, nonce, msg, kID1, . . . , kID f ,
MAC1, . . . , MAC f ).(2)
The packet is said to be legitimate and allowed to beforwarded if it contains idSN, nonce, msg, f MACs, andf key indices. Furthermore, keys selected by the sourcenode must be different (from different trees) so that thesame cryptographic key is not used more than once togenerate the MACs.
4.3 Illegitimate packet detection
To check the legitimacy of a data packet, each forward-ing node verifies the correctness of the MACs attachedto the packet. If a malicious (compromised) node hasonly one key, it can generate one correct MAC. Sincethere are f distinct MACs (and f distinct key indices)that must be present in a legitimate packet, the attackerneeds to forge f − 1 key indices (i.e., needs to knowvalid keys) and corresponding MACs. This is a difficulttask for a compromised node (attacker) as the predistri-bution of keys is in such a way where finding the exactkey that is shared between any pair of sensor nodes isdifficult, as described in Section 4.1. However, if all thekeys are correctly chosen from the total key pool, anyattacker node can use f of its keys to generate multipleMACs, which would have been indistinguishable fromthose generated by f keys in the source (sending) node.In this case, an intermediate forwarding node cannotdetect the illegitimate packet.
At the time when the forwarding node receives thepacket, it looks at the key indices and the number ofMACs. If this value is less than f or one key index isused more than once, the packet is considered to be il-legitimate and, thus, is discarded. If the node has any ofthe key indices in common, it calculates the MAC usingits own key and compares the result with the receivedMAC attached in the packet. The packet is discarded in
case the attached one differs from the reproduced one.If it matches exactly or this forwarding node does nothave any of the f keys in common (since key sharingis probabilistic), the node passes the packet to the nexthop towards the BS/sink. This process continues at eachforwarding node until the BS receives the packet.
4.4 Illegitimate sensor node detection
As stated in Section 4.3, if all the keys are correctlychosen from the total key pool, any attacker node canuse f of its keys to generate multiple MACs (and,thus, legitimate packets) that are indistinguishable fromthose generated by f keys in the source (sending) node.Therefore, an intermediate forwarding node cannotdetect the illegitimate packet. In this case, the sensornode itself is illegitimate but can continuously generatevalid packets. This becomes a serious problem as thenetwork energy may deplete, resulting in reduced net-work lifetime. To mitigate this problem, we present asimple and distributed detection algorithm to identifythis kind of node (i.e., the illegitimate nodes). To iden-tify a node, each forwarding node runs the algorithmto calculate the probability of a node to be illegitimatebased on the number of packets it receives from itsdescendant nodes. The load at a forwarding node isthe total number of data packets that arrive per unittime from its descendants. For any descendant node,the total number of packets sent to the forwardingnode includes the packets from its descendants (if any)and the number of data packets generated by itself.We consider that each forwarding node considers onlythe generated packets from its descendants to identifywhether the node is malicious or not. In what follows,we describe our proposed illegitimate sensor node de-tection algorithm.
Let piF(T) be the probability that node i is illegiti-
mate calculated by the forwarding node F in a samplinginterval T. This probability is a local signal calculatedby the forwarding node and, thus, the protocol is fullylocalized and is run in a distributed manner. Let usconsider a forwarding node F and n neighbor nodes(descendants) that forward their packets to F, as shownin Fig. 2. Let xi(T) be the number of packets receivedby F from a descendant i at sampling interval T. Then,the average number of packets, Favg(T), received by Fcan be given by Eq. 3:
Favg(T) =∑n
i=1 xi(T)
n. (3)
Let D be the number of descendant nodes for whichFi(T) < Favg(T), where Fi(T) is the number of packetsreceived from node i at forwarding node F at sampling
728 Ann. Telecommun. (2009) 64:723–734
Forwarding node
SN1
SN2
SN3
SNn
…
…
Descendant nodes
F
Fig. 2 Analytical model: n descendant nodes send data packetto the forwarding node F, which receives all the packets andredirects each packet towards the destination
interval T. So, (n − D) is the number of descendantnodes for which Fi(T) > Favg(T). The forwarding nodeF calculates pi
F(T) according to Eqs. 4 and 5 as follows:
piF(T) = 0 ∀i, if Fi(T) ≤ Favg(T) and i ∈ D, (4)
piF(T) = Fi(T) − Favg(T)
Fi(T), if Fi(T) > Favg(T)
and i ∈ n − D.
(5)
Equation 4 specifies that the probability of a nodebeing suspicious remains zero when the expected num-ber of packets received from individual nodes is lessthan or equal to the average calculated in Eq. 3.Equation 5 specifies the probability of a node beingsuspicious when the number of packets exceeds thedesired average value. Based on this value, calculatedin Eq. 5, each forwarding node F discards the packetsfrom this particular suspicious node. Based on the out-
p = 0.066, g = 0 p = 0.055, g = 1 p = 0.044, g = 2 p = 0.033, g = 3
Fig. 3 Performance analysis. Fraction of illegitimate packetsdiscarded by the intermediate forwarding nodes on the routetowards the sink
put of the detection, the network operator may decidehow to react to the attacker nodes. For example, theoperator may revoke the attacker nodes and refresh thecryptographic material (i.e., rekeying).
To trace the suspicious node, the number of packetsof the sending nodes is collected at the forwarding nodefor a period of time termed as the sampling interval.At the end of each interval, the detection mechanism isrun at each forwarding node. It has been shown in [19]that the binary exponential backoff algorithm of IEEE802.11 DCF is unfair in the short term. This wouldresult in false positives if the sampling interval is short,even in the absence of malicious nodes. Therefore, theinterval needs to be large enough to achieve long-termbackoff fairness (we will specify the exact value of T inSection 6). In fact, taking into account the typical datarates, sampling interval may be short enough to preventthe illegitimate node from gaining large benefits beforebeing detected. Detection efficiency depends on thetypical network topology at hand and the number ofmalicious nodes and their behavior in the network.Through simulation, we will evaluate the performanceof the proposed technique in terms of detection accu-racy and energy conservation.
5 Performance analysis
In this section, we analyze two performance issues toevaluate the strength of our proposed security checkingmechanism. First, we analyze the illegitimate packetdetection efficiency, and secondly, we analyze the en-ergy consumption with and without incorporating thesecurity mechanism.
5.1 Illegitimate packet detection efficiency
Since the proposed security protocol deals with fMACs to send the packet to the upstream node (to-wards the destination), an adversary, that has compro-mised keys from f or all the complementary trees,can successfully generate legitimate packets. In thiscase, our proposed method cannot detect or discardsuch packets. Thus, the protocol is confined with itsefficiency when an adversary has g number of com-promised keys such that 0 ≤ g < f . So, if the attacker(node) wants to forward an illegitimate packet, he/she(it) has to compromise f − g cryptographic keys andgenerate f − g MACs. Now, if the attacker randomlychooses f − g keys from distinct complementary trees,we compute the probability that a forwarding node hasone of the f − g keys and, thus, is able to detect anincorrect MAC and discard the packet. In this case, the
Ann. Telecommun. (2009) 64:723–734 729
probability that a forwarding sensor node has one of thef − g keys, denoted by p, is given by Eq. 6
p = ( f − g)
t× t(d − 1)logd(N)
∑levelj=2 d j−1
. (6)
The per-hop packet detection probability, denotedby pper-hop, is given by Eq. 7:
pper-hop = p × (1 − pcompromise) ≈ p. (7)
As the probability of compromise, pcompromise, inEq. 7 is very small (as described in Section 4.1), weconsider this value to be negligible. Therefore, we takep = pper-hop. Now, we can compute the expected frac-tion, pH , of illegitimate packets being identified anddiscarded within H hops as (Eq. 8):
pH = 1 − (1 − p)H. (8)
As a natural corollary, we can compute the averagenumber of hops, Havg, an illegitimate packet passes theintermediate forwarding nodes according to Eq. 9
Havg =∞∑
i=0
i × (1 − p)i−1 × p = 1
p. (9)
The efficiency is shown in Fig. 3. The fraction ofdiscarded packets increases as the number of hopsgrows. Here, we consider N = 729 sensor nodes, a totalof 1,092 cryptographic keys, the number of complemen-tary trees, t = 8, and each packet carries f = 6 MACs.We have quantified the efficiency when an adversary(node) has keys from g = 0, 1, 2, and 3 trees. Figure 3shows that more than 64% of packets are discardedwithin 15 hops when an adversary has no compromisedkeys. Approximately 59% of illegitimate packets arediscarded within 15 hops if the adversary has compro-mised keys from one complementary tree, and thosepackets pass only 18 hops on average. About 81% ofpackets are discarded within 50 hops when three MACsare incorrect (i.e., g = 3), and they pass 30 hops onaverage. Clearly, the protocol performs well when thenumber of hops is large. This is because, the more anillegitimate packet travels, the greater the probabilitythat this packet will be detected (and discarded) by oneof the intermediate forwarding nodes is. For example,within 50 hops, almost 100% of packets are discarded ifan attacker has only one valid MAC.
5.2 Energy conservation
In this section, we present the analysis to quantify thetotal energy consumption when the network operateswithout any security protocol and when the network
incorporates the proposed security protocol. Total en-ergy consumption in the sensor network results mainlyfrom the energy consumed in transmission, reception,and computation. We ignore the energy consumptionwhen a sensor keeps itself in active, sleep, or idle mode,since these will not make any difference in our analysiswith and without the security protocol.
The proposed security protocol includes additionalparameters of f key indices and f MACs. Let thebyte length of the MAC and the key index be lMAC
and lkey-index, respectively. Let lmsg denote the length ofthe original message,(idSN, nonce, msg). Then, the totallength of the packet (with security parameters as inEq. 2) becomes f × lkey-index + lMAC + lmsg.
Let H be the number of hops a packet flows fromthe source towards the destination, let Qillegitimate be thenumber of illegitimate packets, and let the number oflegitimate packet be 1. All the packets traverse all theH hops when the security mechanism is not incorpo-rated in the network. However, with the security mech-anism enabled, an illegitimate packet will flow exactlyH hops with the probability (1 − p)H−1 p. Therefore,the amount of energy consumed for forwarding all thetraffic without security, denoted by Eno-sec, and withsecurity, denoted by Esec, can be computed accordingto Eqs. 10 and 11
where, ETX and ERX denote the amounts of energyconsumed in transmitting and receiving one byte, re-spectively. Additionally, the amount of energy con-sumption for the computation of security parameters,denoted by Ecomp, can be approximated according toEq. 12
Ecomp = f × EMAC(1 + H + Qillegitimate
× (1 − (1 − p)H)
/p), (12)
where, EMAC is the amount of energy required forthe MAC computation. So, the total amount of energyconsumption with the security mechanism is Esec-total =Esec + Ecomp.
Figure 4 shows the comparison of energy consump-tion with and without the security mechanism for differ-ent numbers of illegitimate packets, Qillegitimate, whenH = 80, lmsg = 32 bytes, lkey-index = 2 bytes, lMAC = 4bytes, and an attacker node has cryptographic keysfrom 1, 2, and 3 complementary trees. We take ETX =17 and ERX = 13 μJ required [20] to transmit and
730 Ann. Telecommun. (2009) 64:723–734
0 4 5 6 7 8 9321 10 11 12 13 14 15
0.0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1.0
1.1
1.2
1.3
1.4E
nerg
y co
nsum
ptio
n (J
oule
)
Number of illegitimate packets
Eno-sec
Esec-total
, g = 0
Esec-total
, g = 1
Esec-total
, g = 2
Esec-total
, g = 3
Fig. 4 Performance analysis. Comparison of energy consumptionwith and without the security mechanism as a function of thenumber of illegitimate packets
receive one byte of data, respectively, and EMAC =16 μJ for MAC computation [18]. We observe (fromFig. 4) that Eno-sec increases much faster than Esec-total,and thus, the proposed security mechanism conservesthe overall network energy. If Qillegitimate increases, theamount of energy that is saved gets higher and higher.For example, more than 35% of the energy is savedwhen 10 illegitimate packets are present in the network,and 40% energy can be saved with 15 illegitimate pack-ets, where an attacker node has keys from only onetree. About 47% of the energy can be saved for 15illegitimate packets when a node has no compromisedkey(s), as depicted in Fig. 4.
6 Performance evaluation
The effectiveness of the proposed security scheme isevaluated through simulations in NS-2 [21]. The sim-ulation parameters are shown in Table 1. We have
Table 1 Simulation parameters
Parameter Value
Deployment area 1,500 × 300 mNo. of sensor nodes, N 243TX range of a sensor node 40 mChannel capacity 19.2 kbpsPacket size 68 bytesSink location [1,500, 150]No. of complementary trees, t 8No. of MAC, f 6No. of forged MAC, g(0 ≤ g < f ) 1, 2, 3Sampling period, T 13.5 sSimulation time 135 s
constructed a sink-rooted, tree-based routing, whereidentical sensors are uniformly distributed over theterrain. Sensor nodes and the sink are static after thedeployment. The routing tree is constructed usingWarshall’s algorithm so that the sensed data couldreach the sink with the shortest number of hops. It maybe mentioned here that the choice of the downstreamnode(s) does not depend on any traditional parametersof sensor network routing (e.g., energy or delay).
We have implemented our security mechanisms tocheck the legitimacy of the data packets and nodes inthe network. Our security module performs legitimacychecking on the data packets at each intermediate node(as described in Section 4.3), and each valid packet isforwarded along the shortest path towards the sink.Note that invalid packets are discarded if identified bythe forwarding nodes. To evaluate the node detectionefficiency, we simulate the proposed illegitimate nodedetection protocol described in Section 4.4. If a nodeis identified to be malicious by a forwarding node, allthe packets are discarded by the forwarding node. First,we take a sensor node as a source that is 50 hops awayfrom the sink. The source node randomly generateslegitimate and illegitimate packets. With this setting, wequantify the strength of the proposed security check-ing mechanism when an attacker node is capable ofgenerating g = f − 1 valid MACs. Second, we quantifythe strength of the proposed node detection techniqueconsidering different percentages of nodes (out of 243nodes) having all the cryptographic keys and being ableto generate legitimate packets (i.e., g = f ). The resultsare averaged over 10 simulation runs.
6.1 Simulation results
The analytical results of the proposed security mecha-nism are justified as can be observed from the simulatedresults depicted in Figs. 5 and 6. Figure 5 demonstratesthe efficiency of discarding the illegitimate packets gen-erated by the node as a function of the number of hopsthose packets traversed when g = 1, 2, and 3. Wheng = 1, more than 75% of the forged packets aredropped within 10 hops, and 68% and 57% of thepackets are discarded with g = 2 and 3, respectively.
Figure 6 presents the comparison of energy con-sumptions with and without the proposed securitymechanism as a function of the number of illegitimatepackets. More than 50% of the energy is saved whenan attacker has keys from one complementary treeand the number of forged packet is 10. When g = 2,about 44% of the energy is saved. Performance (i.e.,energy conservation) is even better when the number ofillegitimate packets is higher. For example, when g = 1,
Ann. Telecommun. (2009) 64:723–734 731
0 5 10 15 20 25 30 35 40 45 500.0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1.0F
ract
ion
of il
legi
timat
e pa
cket
s di
scar
ded
Number of hops illegitimate packets traversed
p = 0.137, g = 1 p = 0.110, g = 2 p = 0.083, g = 3
Fig. 5 Simulation results. Fraction of illegitimate packets dis-carded by the intermediate forwarding nodes on the route to-wards the sink
for 20 illegitimate packets, approximately 59% of theenergy is saved. Hence, the proposed protocol performsbetter with a large number of malicious packets.
To evaluate the node detection efficiency, we sim-ulate the proposed illegitimate node detection mech-anism described in Section 4.4. We consider differentpercentages of nodes (out of 243 nodes) that haveall the cryptographic keys and are able to generatelegitimate packets (i.e., g = f ). As stated earlier, sam-pling interval T is particularly important to increasethe efficiency of the detection mechanism. To get thereference record of the traffic loads (i.e., number ofpackets of the descendant nodes) at the forwarding
0 2 4 6 8 10 12 14 16 18 200.0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1.0
1.1
1.2
Ene
rgy
cons
umpt
ion
(Jou
le)
Number of illegitimate packets
Eno-sec
Esec-total
, (g = 1)
Esec-total
, (g = 2)
Esec-total
, (g = 3)
Fig. 6 Simulation results. Comparison of energy consumptionwith and without the security mechanism as a function of thenumber of illegitimate packets
node, the value of T should be chosen carefully so thatthe usual variation of the short-term unfairness of thebinary exponential backoff algorithm of IEEE 802.11is taken into account. We derive the value of T to be13.5 s from our simulation in NS-2 without the absenceof any attacker node(s). The forwarding node computespi
F(T) to identify the malicious node(s) when all thegenerated packets are indistinguishable by checking theattached MACs. Detection accuracy is expressed interms of detection efficiency and false positives, and it isplotted in Fig. 7 as a function of pi
F(T) and percentageof the attacker nodes, respectively. Detection efficiencyis calculated as the ratio of the number of attackernodes detected correctly and the total number of at-tacker nodes in the network. False positive is calculatedas the ratio of the number of legitimate nodes detected
0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1.00
10
20
30
40
50
60
70
80
90
100
Det
ectio
n ac
cura
cy (
%)
piF(T)
Detection efficiency False positive
(a)
5 10 15 20 250
10
20
30
40
50
60
70
80
90
100
Det
ectio
n ac
cura
cy (
%)
Attacker nodes (%)
Detection efficiency False positive
(b)
Fig. 7 Illegitimate node detection accuracy. a Detection effi-ciency and false positives with different pi
F(T). b Detectionefficiency as a function of the percentage of attacker nodes (total243 sensor nodes in the network)
732 Ann. Telecommun. (2009) 64:723–734
as attacker nodes and the total number of nodes in thenetwork.
Figure 7a shows that the detection efficiency getsbetter with low false positives when pi
F(T) ≥ 0.4.Figure 7b shows the efficiency and false positive ratewith pi
F(T) = 0.4, and the mechanism performs betterwhen the percentage of malicious nodes is smaller.Figure 7a shows that around 90% detection efficiencyis achieved with pi
F(T) = 0.4 and almost 100% of theattacker nodes are detected with pi
F(T) ≥ 0.5, keepingthe false positive rate bellow 4%. Figure 7b showsthat approximately 90% detection efficiency is achievedwith 9% false positive rate when 6.17% (15 out of 243sensors) attacker nodes are present in the network.
Finally, we evaluate the energy conservationachieved through detecting the attacker node. We con-sider four source nodes that generate the data pack-ets and send them to the forwarding node. One node(out of four) is considered to be the attacker havingall the cryptographic keys and, thus, generates legiti-mate packets and sends packets continuously. Thesource nodes are placed 50 hops away from the sink.Figure 8 presents the comparison of the energy con-sumptions with and without the proposed node detec-tion mechanism. We have normalized the number oflegitimate packets to be one, and accordingly, the num-ber of illegitimate packets is calculated, which we usedfor measuring the energy consumption, as shown inFig. 8. As the attacker node has all the (valid) cryp-tographic keys, all the packets are transmitted towardsthe destination without being detected by checkingthe attached MACs (i.e., all the packets traverse all
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 150.0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1.0
1.1
1.2
1.3
1.4
1.5
Ene
rgy
cons
umpt
ion
(Jou
le)
Number of illegitimate packets
Enot-detected
Edetected
Fig. 8 Simulation results. Comparison of energy consumptionwith and without the proposed malicious node detection mech-anism as a function of the number of illegitimate packets
the hops). However, when the attacker node is de-tected by the forwarding node, all the packets gen-erated by the attacker node will be discarded bythe forwarding node. In Fig. 8, Enot-detected denotesthe amount of energy consumption when the nodeis not detected and Edetected denotes the amount ofenergy consumption when the node is detected bythe forwarding node. Figure 8 shows that the energyconsumption is much less with the proposed detectionmechanism. Moreover, energy conservation gets higherwith higher numbers of illegitimate packets since allthe packets are discarded once the attacker node isdetected by the forwarding node.
7 Discussion and further issues
The security scheme is analyzed and simulated usingthe topology with a large number of hops (value of His 80 in analysis and 50 in simulations) that may notseem practical for WSN applications. However, withthe smaller value of H (e.g., 20 hops), it is evidentfrom the results that the security scheme has gooddetection efficiency and, thus, saves overall networkenergy by discarding the illegitimate packets. So, thesecurity mechanism can be applied for both small- andlarge-scale networks.
For the proposed security mechanism, each sensornode needs to store t(d − 1)logd(N) cryptographic keysto check the attached MACs to identify the illegiti-mate packets, where N is the number of sensors inthe network. The computation overhead for each nodeincludes the computation of f MACs. The communi-cation overhead includes the transmission of f MACs,f key indices, and a nonce. For the proposed mali-cious node detection mechanism, each node keeps therecords of the number of packets it receives from itsn descendant (child) nodes during the sampling pe-riod T. So, the storage overhead is confined by thenumber of descendant nodes and the duration ofthe sampling period. Computation overhead includesthe simple arithmetic calculation on the number ofpackets, average, and the probability pi
F(T). Thus, theimplementation overhead is lightweight for the con-strained sensor nodes.
The malicious node detection mechanism is pro-posed to deal with the situation when all the cryp-tographic keys of a node are compromised. Analternative technique may be developed with the as-sumption that each node is capable of using multipledistinct communication channels. In fact, with radiocapabilities of MicaZ motes as specified in the 802.15.4standard [22], nodes can communicate on multiple
Ann. Telecommun. (2009) 64:723–734 733
frequencies. Communication during the normal oper-ation of the network is done on a single common chan-nel, and the multichannel capability of the network isutilized only when a node suspects that its neighbornode is compromised. For example, when a node re-ceives a large number of packets from one or more ofits neighbor nodes and all the packets are legitimate(i.e., the receiving node cannot detect whether pack-ets are illegitimate since the neighbor node(s) is (are)compromised), the receiving node may suspect thatthis is unusual behavior. The receiving node switcheschannels to communicate with other nodes and sendsan alarm message to the BS so that the compromisednode can be revoked. Latin square matrices [23] maybe used to design such a switching schedule.
Finally, we believe that, in addition to the usualsecurity concerns, it is also necessary to address selfishbehavior (e.g., the protection of undesired data flow)that requires more attention and a more systematicapproach. Design of energy-efficient techniques shouldconsider sensors’ capabilities, network structure, anddeployment strategy. For example, the techniques de-veloped in this paper mainly focus on how to save theoverall network energy. A complementary mechanismcan be designed to balance the energy consumption tomaximize the network lifetime.
8 Conclusions
In this paper, we have developed two simple but effi-cient techniques to thwart unauthorized data flow inWSNs. A security protocol is devised to check thelegitimacy of the packets (by the intermediate forward-ing nodes), and a detection technique is devised toidentify the malicious node (by the forwarding node)when the security checking fails due to compromise ofall the cryptographic keys. The key features of bothtechniques are that they are: (1) simple and easy to inte-grate in the sensor node without interfering with its nor-mal functioning (this is achieved by means of passiveapproaches based on legitimacy check and traffic mon-itoring) and (2) fully distributed and compatible withexisting networks without requiring any modificationof the standard communication protocols. Our analysisand simulations show the efficiency of the proposedtechniques both in legitimacy check and energy con-servation. We believe that our simple and distributedapproaches that leverage on the sensor node character-istics can be effective in addressing security challengesfor WSNs. Finally, discussions are made with potentialresearch directions for further improvements.
Acknowledgements This research was supported by the MKEunder the ITRC support program supervised by the IITA(IITA-2008-(C1090-0801-0016)). Dr. Choong Seon Hong is the corre-sponding author.
Appendix
Theorem In the multiple complementary tree-basedkey distribution with t trees, where there is no correlationbetween nodes’ locations in different trees and t � N,the probability of security compromise, pcompromise, is(
2(d+1)
)t.
Proof Consider the single complementary tree-basedkey distribution in Fig. 1. Let l be the intruder thatcan observe the communication between sensor j andk. We want to identify the probability that l is aware ofthe secret(s) used by j and k. Now, consider differentcases based on the shared secrets that j and k use duringcommunication. Since no secrets are associated withthe root, first consider the case where j and k use thesecret(s) at level 2. Such a situation occurs if k is not adescendant of the level-2 ancestor of j. Thus, the prob-ability of this case is (d−1)
d . Additionally, the probabilitythat l is aware of all the secrets is d/2; l knows all thesecrets used by j and k if and only if l is a descendantof the level-2 ancestor of j or l is a descendant of thelevel-2 ancestor of k. Next, we consider the probabilitythat j and k use the secret at level 3 in the tree. Sucha situation arises if k is a descendent of the level-2ancestor of j and k is not a descendent of the level-3ancestor of j. Thus, the probability of this case is1d × (d−1)
2 . Moreover, l is aware of the shared secret(s)between j and k if and only if l is a descendant of thelevel-3 ancestor of j or l is a descendant of the level-3ancestor of k. Thus, the probability of this case is 2
d × 1d .
Continuing this way, the probability, pcompromise, thatl is aware of the secret(s) used by j and k in a singlecomplementary tree is
3. Hamid MA, Rahman M, Hong CS (2006) Energy conservingsecurity mechanism for wireless sensor network. In: ICCSA(2), Glasgow, 8–11 May 2006, pp 866–875
4. Gui C, Mohapatra P (2004) Power conservation and qual-ity of surveillance in target tracking sensor networks.In: MobiCom ’04: Proceedings of the 10th annual inter-national conference on mobile computing and networking.ACM, New York, pp 129–143. doi:http://doi.acm.org/10.1145/1023720.1023734
5. Wang N, Chang CH (2007) Performance evaluation of geo-graphic probabilistic flow-based spreading routing in wirelesssensor networks. In: PE-WASUN ’07: Proceedings of the4th ACM workshop on performance evaluation of wirelessad hoc, sensor,and ubiquitous networks. ACM, New York,pp 32–38. doi:http://doi.acm.org/10.1145/1298197.1298204
6. Ye W, Heidemann J, Estrin D (2002) An energy-efficientmac protocol for wireless sensor networks. INFOCOM 2002.In: Twenty-first annual joint conference of the IEEE com-puter and communications societies, vol 3. IEEE, Piscataway,pp 1567–1576. doi:10.1109/INFCOM.2002.1019408
7. Wu K, Gao Y, Li F, Xiao Y (2005) Lightweight deployment-aware scheduling for wireless sensor networks. Mob NetwAppl 10(6):837–852. doi:http://dx.doi.org/10.1007/s11036-005-4442-8
8. Cerpa A, Estrin D (2002) ASCENT: Adaptive self-configuring sensor networks topologies. In: INFOCOM 2002.Twenty-First annual joint conference of the IEEE com-puter and communications societies, vol 3. IEEE, Piscataway,pp 1278–1287. doi:10.1109/INFCOM.2002.1019378
9. Bandyopadhyay S, Coyle E (2003) An energy efficient hi-erarchical clustering algorithm for wireless sensor networks.INFOCOM 2003. Twenty-second annual joint conference ofthe IEEE computer and communications societies. IEEE3:1713–1723
10. Bandyopadhyay S, Coyle EJ (2004) Minimizing communi-cation costs in hierarchically-clustered networks of wirelesssensors. Comput Netw 44(1):1–16
11. Manjeshwar A, Agrawal D (2001) TEEN: a routing proto-col for enhanced efficiency in wireless sensor networks. In:Parallel and distributed processing symposium. Proceedings15th international, San Francisco, 23–27 April 2001, pp 2009–2015
12. Karlof C, Wagner D (2003) Secure routing in wireless sensornetworks: attacks and countermeasures. Ad Hoc Netw 1(2–3):293–315
13. Yi S, Naldurg P, Kravets R (2001) Security-aware ad hocrouting for wireless networks. In: ACM international sym-posium on mobile ad hoc networking and computing. ACM,New York, pp 299–302
14. Hu YC, Perrig A, Johnson DB (2003) Rushing attacks anddefense in wireless ad hoc network routing protocols. In:WiSe ’03: proceedings of the 2nd ACM workshop on wirelesssecurity. ACM, New York, pp 30–40. doi:http://doi.acm.org/10.1145/941311.941317
15. Chan H, Perrig A, Song D (2003) Random key predis-tribution schemes for sensor networks. In: IEEE sympo-sium on security and privacy, Berkeley, 11–14 May 2003,pp 197–213
16. Du W, Deng J, Han YS, Varshney PK, Katz J, Khalili A(2003) A pairwise key pre-distribution scheme for wirelesssensor networks. In: ACM conference on computer and com-munications security (CCS). ACM, New York, pp 42–51
18. Law YW, Doumen J, Hartel P (2006) Survey and bench-mark of block ciphers for wireless sensor networks. ACMTrans Sen Netw 2(1):65–93. doi:http://doi.acm.org/10.1145/1138127.1138130
19. Barrett CL, Marathe MV, Engelhart DC, SivasubramaniamA (2002) Analyzing the short-term fairness of ieee 802.11in wireless multi-hop radio networks. In: MASCOTS ’02:proceedings of the 10th IEEE international symposium onmodeling, analysis, and simulation of computer and telecom-munications systems (MASCOTS’02). IEEE Computer Soci-ety, Washington, DC, p 137
20. C. T. Inc. (2005) MPR400/410/420 mica2 mote. Datasheet2005
21. The Network Simulator - ns-2 (2003) http://www.isi.edu/nsnam/ns/index.html
22. The Zigbee Alliance (2008) http://www.zigbee.org/en23. Denes J, Keedwell AD (1974) Latin squares and their appli-
