Unit-IV-Ad Hoc & WSN


UNIT IV
SENSOR NETWORK SECURITY

• Network Security Requirements
• Issues and Challenges in Security Provisioning
• Network Security Attacks
• Layer-wise attacks in wireless sensor networks
• Possible solutions for jamming, tampering, black hole attack, flooding attack
• Key Distribution and Management
• Secure Routing – SPINS
• Reliability requirements in sensor networks
Security
• Network security is one of the most pressing concerns in all wireless
networks, including wireless sensor networks.
Fundamentals
Network designers have to be aware of and decide about suitable
mechanisms to implement one or more of the following general security
goals:
Confidentiality:
• Security mechanisms must ensure that only the intended receiver can
correctly interpret a message and that unauthorized access and usage are
prevented.
• For example, confidentiality ensures that sensitive information such as a
person’s social security number or credit card information is not
obtained by an unauthorized individual.
Integrity:
• Security mechanisms must ensure that a message cannot be modified as
it propagates from the sender to the receiver, that is, unauthorized
individuals should not be able to destroy or alter the contents of
sensitive information.

Availability:
• Security mechanisms must ensure that a system or network and its
applications are able to perform their tasks at any time without
interruption.
• Availability is often measured as a percentage of uptime or downtime.
Accountability:
• The entity requesting a service, triggering an action, or sending a packet
must be uniquely identifiable.
Controlled access:
• A service or information access should only be granted to authorized
entities.

• Any security analysis must start with stating the desired security goals,
followed by an assessment of the possible risks or security threats posed
by an attacker.
• Some common threats are eavesdropping, masquerading (i.e. pretending
to have another entity’s identity), authorization violation (using services
without being allowed to use them), provoking loss or modification of
information, forgery (i.e. creating new information), repudiation, and
sabotage.
• When considering networking, some of the common attacks are
– eavesdropping as a purely passive attack, and
– insertion, deletion, or replaying of packets as an active attack.
• Attacks can be placed on all the layers of a given protocol stack.
• Many countermeasures have been developed against these threats.
• These mechanisms frequently depend on symmetric or asymmetric
cryptographic algorithms.
• Cryptography is the process of hiding and protecting information using
encoding and decoding mechanisms.
• In symmetric key cryptography, a single key between two
communicating parties is used for the encryption and decryption of a
message.
• These algorithms can be used to encrypt data packets, to sign these with
almost unique hash/cryptographic check values, or to create certificates.
• Cryptographic algorithms essentially work by applying certain operations on
combinations of the user data and specific key values, which optimally are only
known to the sender and the receiver of a packet.
• For example, a simplistic encoding strategy could be to replace each
plaintext letter with another letter that is a certain number of positions
down the alphabet.
• For example, using a shift of 2 would replace the letter A with the letter
C.
• In this shift cipher, the fixed shift value is the symmetric key.
• Distributing these keys to the users and taking care of their lifecycle are
essential parts of key management protocols.
• In practice, key management turns out to be the most complex part of
security protocols; the raw encryption and decryption procedures are
small but important building blocks.
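The shift cipher sketched above, worked through as an added Python example (this is not code from the lecture notes): the shift value is the symmetric key shared by sender and receiver, decryption is encryption with the negated key, and trying all 26 keys against a known word shows why a key space this small gives no confidentiality in practice. The sample text and the crib word are constructed for the example.

```python
# Added example (not from the lecture notes): the shift cipher with the
# fixed shift as the symmetric key, plus a trial of the whole key space.
import string
from typing import List

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter with the one `key` positions down the alphabet.
    Non-letters pass through unchanged. The same key is used for encryption
    and decryption, which is what makes the cipher symmetric."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is encryption with the negated shift."""
    return shift_encrypt(ciphertext, -key)


def key_space_size() -> int:
    """Only 26 distinct keys exist (a shift of 0 is the identity)."""
    return len(ALPHABET)


def exhaustive_search(ciphertext: str, crib: str) -> List[int]:
    """Try every key and return those whose decryption contains a word the
    analyst expects to see (a crib). The weakness is the size of the key
    space, not any flaw in a particular key."""
    crib = crib.upper()
    return [k for k in range(key_space_size())
            if crib in shift_decrypt(ciphertext, k)]


if __name__ == "__main__":
    ct = shift_encrypt("SENSOR NODE 7", 2)          # constructed sample text
    print(ct, exhaustive_search(ct, "SENSOR"))
```

The search succeeds with one key because the whole text is shifted uniformly; a modern symmetric cipher avoids this not by hiding the algorithm but by using a key space far too large to enumerate.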
Security considerations in wireless sensor networks
• Can security measures and cryptographic protocols in wireless sensor
networks be considered in the same way as for other types of networks?
There is some consensus that the answer seems to be “no”, for the
following reasons:
• The network infrastructure of a WSN is made up of small, cheap nodes
spread over a possibly hostile area.
• Unlike other types of networks, it is often impossible to prevent the
sensor nodes from being physically accessed by attackers. This is also
referred to as node capture.
• It is reasonable to assume that an attacker can achieve full control over a
captured node, that is, the attacker can read its memory or influence the
operation of the node software.
• Special secure memory devices would be needed to prevent the attacker
from reading the memory; however, these will only rarely be present in
cheap sensor nodes.
• The constraints regarding memory and computational capabilities are a
serious obstacle for implementing cryptographic algorithms.
• Asymmetric key cryptography in particular is considered too heavyweight
for small processors, let alone the key management involved.
• When in-network processing is to be performed, intermediate nodes
need to access and modify the information contained in packets; hence, a
larger number of parties is involved in end-to-end information transfers.

• The finite energy budget of sensor nodes opens up a particularly
attractive line of attacks: to force victim sensor nodes to exhaust their
energy budget quickly and to die.
• Figure 11.1 illustrates examples of attacks on a transmission
between a sender and its intended receiver.
• Eavesdropping refers to the reception of a message by an
unauthorized individual, which can be prevented using
confidentiality measures.
• A man-in-the-middle attack refers to a situation where an unauthorized
individual or system positions itself between the sender and receiver
such that the sender’s messages are intercepted, modified, and
retransmitted to the receiver (where the receiver believes the received
message came directly from the original sender). This illustrates the
need for integrity mechanisms.

• Finally, a denial-of-service attack refers to an adversary’s attempt to
disrupt the transmission or service provided by the sender.
• For example, the adversary can overload the sender with requests and
tasks such that the sender is not able to transmit its message (in a timely
fashion) to the receiver.
• This type of attack necessitates security mechanisms that ensure
availability.
• In addition to the three components of the CIA triad, authentication
refers to the process of establishing or confirming the identity of a
user or a device, ensuring that a message came from whom it claims to
have come from.
• Also, nonrepudiation refers to the process of proving that a person or
device has performed a transaction or transmission.
• Digital signatures are often used to support both authentication and
nonrepudiation, but are also used to provide confidence that a
message has not been altered (i.e., integrity).
Challenges of Security in Wireless Sensor Networks
• Security has been a challenge in computing systems and networks for
several decades, during which the types of attacks and the security
measures and mechanisms to counter them have advanced and
developed significantly, particularly because of the rapid growth of the
Internet.
• Compared to the traditional attacks and security mechanisms developed
for the Internet, WSNs exhibit a variety of unique challenges that must
be considered when addressing the security concerns that may arise in
sensor network applications:
Resource constraints:
• Traditional security mechanisms that have high overheads are not
suitable for resource-constrained WSNs.
• Many security mechanisms are computationally expensive or require
communication with other nodes or “remote” devices (e.g., for
authorization purposes), thereby leading to energy overheads.
• Small sensor devices are also constrained in their available memory and
storage capacities.
• Common sensor devices have very limited amounts of memory, for
example, TelosB devices only have 10 kbytes RAM and 48 kbytes flash
memory available.
• Traditional security algorithms that require a significant amount of
memory and storage space are therefore infeasible for such sensors.
Lack of central control:
• It is often infeasible to have a central point of control in sensor
networks, for example, because of their large scale, resource constraints,
and network dynamics (topology changes, network partitioning).
• Therefore, security solutions should be decentralized and nodes must
collaborate to achieve security.
Remote location:
• The first line of defense against security attacks is to provide only
controlled physical access to a sensor node.
• Many WSNs are left unattended, because they are operated in remote
and hard-to-reach locations, deployed in environments open to public
access, or so large that it would be infeasible to continuously monitor
and protect sensor nodes from attacks.
• These challenges make it difficult to prevent unauthorized physical
access and to detect tampering with the sensor devices, particularly since
the low cost of many sensor nodes may prohibit advanced (and
expensive) protective measures.
Error-prone communication:
• Packets in WSNs may be lost or corrupted due to a variety of reasons,
including channel errors, routing failures, and collisions.
• This may interfere with some security mechanisms or their ability to
obtain critical event reports.
• Furthermore, this may make it difficult to distinguish “benign”
erroneous communications or node and link failures from malicious
attacks.
• Certain characteristics of sensor networks, on the other hand, facilitate
the provision of security.
• For example, the self-managing and self-repairing nature of a WSN
may allow it to continue to operate even if a sensor or entire regions of
the sensor network have been compromised.
• Redundancy in a sensor network allows it to gather information about
events in the environment even when some sensors are unavailable due
to an attack.
• Furthermore, this redundancy can be used to detect, isolate, and mask
potentially compromised nodes.
• Data collected by sensors may contain sensitive information and should
not be leaked to unauthorized devices.
• Further, encryption keys and information about the sensors themselves
(e.g., identity, location, etc.) must be protected to prevent eavesdropping
and attacks based on traffic analysis.
• These challenges require measures that provide data confidentiality for
sensor networks.
• Integrity is required to prevent adversaries from modifying sensor data,
for example, with the purpose of injecting false readings and therefore
affecting the response to the sensor readings.
• Authentication is necessary to ensure that any data disseminated in a
sensor network originates from the correct source, particularly when a
single node controls the entire network (e.g., a base station establishing
routes or distributing multicast tree information).
• Further, many security attacks in sensor networks have the goal to
disrupt the correct functioning of the network altogether, necessitating
measures that ensure network availability.
• An additional requirement in sensor networks is the need for data
freshness, which ensures that sensor data are recent and no old
recordings of such data are being replayed.
• This is particularly important for key distribution schemes, for example,
an attacker could record shared keys that are being exchanged in a
network and replay these key distribution messages at a later time.
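Data freshness and authentication, as described in the bullets above, can be enforced together with a symmetric key. The following Python example is added here and is not code from the lecture notes. It assumes a key already shared between node and sink (key distribution is outside the example), a per-node message counter carried in the header, and a truncated HMAC-SHA256 tag over header and payload; it shows the sink accepting two fresh reports and rejecting a replayed one and a modified one. The key value and the readings are constructed sample data.

```python
# Added example (not from the lecture notes): authenticated, fresh sensor
# reports using a pre-shared key, a per-node counter and a truncated
# HMAC-SHA256 tag. Key distribution is assumed to have happened already.
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

HEADER = ">HI"                        # 16-bit node id, 32-bit message counter
HEADER_LEN = struct.calcsize(HEADER)  # 6 bytes
TAG_LEN = 8                           # truncated tag, typical on constrained nodes


class SensorSender:
    """A sensor node that stamps each report with an increasing counter."""

    def __init__(self, key: bytes, node_id: int) -> None:
        self.key = key
        self.node_id = node_id
        self.counter = 0

    def send(self, payload: bytes) -> bytes:
        self.counter += 1
        header = struct.pack(HEADER, self.node_id, self.counter)
        # The tag covers the header too, so node id and counter cannot be altered.
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        return header + payload + tag


class SinkReceiver:
    """The sink verifies the tag first, then checks freshness."""

    def __init__(self, keys: Dict[int, bytes]) -> None:
        self.keys = keys
        self.last_counter: Dict[int, int] = {}

    def receive(self, msg: bytes) -> Tuple[str, Optional[bytes]]:
        if len(msg) < HEADER_LEN + TAG_LEN:
            return "malformed", None
        node_id, counter = struct.unpack(HEADER, msg[:HEADER_LEN])
        payload, tag = msg[HEADER_LEN:-TAG_LEN], msg[-TAG_LEN:]
        key = self.keys.get(node_id)
        if key is None:
            return "unknown_node", None
        expected = hmac.new(key, msg[:-TAG_LEN], hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison, done before the counter check so that a
        # forged message cannot advance the stored counter and block genuine reports.
        if not hmac.compare_digest(tag, expected):
            return "bad_mac", None
        if counter <= self.last_counter.get(node_id, 0):
            return "replay", None          # old recording played back
        self.last_counter[node_id] = counter
        return "ok", payload


def demo() -> List[str]:
    """Constructed exchange: two genuine reports, one replay, one modification."""
    key = b"constructed-demo-key-for-node-7"   # sample value, not a real key
    sender = SensorSender(key, node_id=7)
    sink = SinkReceiver({7: key})
    m1 = sender.send(b"temp=21.5")
    m2 = sender.send(b"temp=21.7")
    tampered = m2[:HEADER_LEN] + b"temp=99.9" + m2[-TAG_LEN:]
    return [sink.receive(m)[0] for m in (m1, m2, m1, tampered)]


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'replay', 'bad_mac']
```

The counter gives freshness only while the sink remembers the last value per node; after a sink reboot the stored counters must be recovered or the first report after the reboot re-synchronised, otherwise every earlier recording becomes replayable.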
• Finally, many node and network management responsibilities found in
WSNs provide adversaries with opportunities for attacks. For example,
sensor node localization is important for correctly interpreting sensor
data, for geographic routing protocols, and for redundancy elimination.
• However, many localization techniques require the exchange of
information among sensors (e.g., beacons carrying positions, time
stamps, and identity information) that may necessitate encryption.
• Similarly, time synchronization in sensor networks is based on
message exchange among sensor nodes, where an adversary could
inject false time stamps to increase synchronization errors among
sensors.
Denial-of-Service
• A Denial-of-Service (DoS) attack can be characterized as an attempt of
an adversary to stop a network from functioning or to disrupt the
services a network provides.
• Denial-of-service attacks in general can try to
– disable services, or
– deplete service providers, for example, by overusing the service.
• To disable a sensor network’s service, an attacker might simply destroy
nodes.
• Although sensor networks have some resilience to node failures, the
attacker can distort the network by destroying a large number of nodes
or by focusing on especially important nodes, for example, sensor nodes
in the neighborhood of sinks that are needed for forwarding.
• In wireless sensor networks, DoS attacks can occur at various layers of
the protocol stack.
Physical Layer DoS
• The wireless medium used in a WSN facilitates a variety of attacks.
• A jamming attack occurs when an adversary interferes with the radio
frequencies of a WSN.
• If well positioned, a few attacking nodes can disable an entire network,
even if the number of attacking nodes is much smaller than the number
of nodes in the network.
• Even a single attacking node could disable an entire network if it is
positioned close to a “critical” node (e.g., a gateway, therefore
preventing any sensor data from leaving the sensor network) or its
transmission power is large such that all nodes in a network may be
prevented from correctly receiving any meaningful data.
• A common technique against jamming is to use spread-spectrum
communication, as found in well-known standards such as IEEE 802.11
and Bluetooth.
• For example, in frequency-hopping spread spectrum (FHSS),
communicating devices frequently hop between frequencies according
to a certain hopping sequence.
• A jammer either must know this sequence to be able to jam the correct
frequency for continuous disruption, or must jam a large frequency
band.
• In addition, sensor networks should be able to detect and respond to
jamming attacks in the network, for example, by switching nodes into
low-power sleep modes (in order to preserve energy), while awakening
them periodically to check if the jamming attack is still active.
• Nodes may also want to alert a gateway or base station to report the
attack.
• Toward this end, nodes detecting a jamming attack could issue brief
alerts to their neighbors and if at least one of these neighbors is outside
the region of the attack (i.e., it is able to receive the alert message
without interference), the message can be propagated to other nodes
including the base station.
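Jamming detection and alert propagation, as an added Python example that is not part of the lecture notes: a node declares jamming when its packet delivery ratio over a window of recent transmissions falls below a threshold (the PDR-based detector and its threshold are assumptions of the example), and an alert is flooded from the detecting node; receivers inside the jammed region decode only noise, but a jammed node's own transmission can still reach a neighbour outside the region. The topology and the jammed region are constructed.

```python
# Added example (not from the lecture notes): PDR-based jamming detection and
# alert flooding out of a jammed region. Threshold and topology are assumptions.
from collections import deque
from typing import Dict, List, Set, Tuple

JAM_PDR_THRESHOLD = 0.3   # assumed: below this delivery ratio a node suspects jamming


def packet_delivery_ratio(outcomes: List[bool]) -> float:
    """Fraction of recent transmissions that were acknowledged."""
    return sum(1 for ok in outcomes if ok) / len(outcomes) if outcomes else 1.0


def detect_jamming(outcomes: List[bool]) -> bool:
    """Declare jamming when the PDR over the window drops below the threshold.
    A fielded detector would also consult RSSI and carrier-sense busy time,
    because a low PDR alone can also stem from ordinary channel errors."""
    return packet_delivery_ratio(outcomes) < JAM_PDR_THRESHOLD


def propagate_alert(neighbors: Dict[str, List[str]], jammed: Set[str],
                    origin: str, base_station: str) -> Tuple[bool, List[str]]:
    """Flood a jamming alert from `origin`. Nodes inside the jammed region
    cannot decode any reception, but a jammed node's own transmission can be
    heard by neighbours outside the region. Returns whether the base station
    was reached and the order in which nodes received the alert."""
    reached: List[str] = []
    seen = {origin}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for nb in neighbors[node]:
            if nb in seen or nb in jammed:
                continue          # jammed receivers hear only noise
            seen.add(nb)
            reached.append(nb)
            queue.append(nb)
    return base_station in seen, reached


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed topology: A, B and C lie inside the jammer's range; D and E
    lead to the base station BS."""
    neighbors = {
        "A": ["B", "D"], "B": ["A", "C"], "C": ["B"],
        "D": ["A", "E"], "E": ["D", "BS"], "BS": ["E"],
    }
    jammed = {"A", "B", "C"}
    return {
        "alert_from_A": propagate_alert(neighbors, jammed, "A", "BS"),
        "alert_from_C": propagate_alert(neighbors, jammed, "C", "BS"),
    }


if __name__ == "__main__":
    print(detect_jamming([True, True] + [False] * 8))   # True
    print(demo())
```

Node C has no neighbour outside the region, so its alert is lost; this is why the notes suggest that jammed nodes sleep and wake periodically rather than keep transmitting, since repeated alerts that nobody can decode only spend the energy the attacker wants them to lose.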
• A tampering attack in a sensor network occurs when an adversary
obtains physical access to a sensor node, allowing the attacker to destroy
or modify the device, gain access to sensitive information (e.g.,
cryptographic keys), or use the device as an entry point for further
attacks into the network.
• Possible strategies to protect a device from tampering and the
consequences thereof include using tamper-proof materials and
enclosures and to disable a device or delete its information when an
attack is detected.
• For example, a technique often used in systems handling sensitive
information (e.g., credit card payment terminals) is to erase all such data
whenever a light sensor activates (e.g., due to the terminal’s enclosure
being opened).
Link Layer DoS
• A collision attack at the link layer attempts to interfere with packet
transmissions, thereby causing costly exponential backoff procedures
and retransmissions in some MAC protocols.
• While error-correcting codes can be used to recover from corrupted bits
in a packet, they may not be able to recover from all types of
interferences (e.g., if too many bits have been corrupted) and they incur
additional resource and energy overheads.
• An attacker could also attempt to cause collisions near the end of a
frame, causing a node to repeatedly retransmit the entire packet.
• The goal of an attacker could be to cause the premature depletion of the
node’s energy resources (exhaustion attack).
• Similarly, a malicious node could exploit certain handshake techniques
often found in MAC protocols.
• For example, an attacker could continuously issue an RTS message
(IEEE 802.11 protocol) to prompt a CTS response from another node,
eventually exhausting the energy resources of both nodes.
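One defence against the RTS/CTS exhaustion attack above is the rate limitation listed later in these notes for link-layer exhaustion. The following Python example is added here (it is not from the notes) and assumes a fixed-window, per-neighbour limit on CTS responses: a neighbour that floods RTS messages gets at most a fixed number of CTS replies per window, while a well-behaved neighbour is unaffected. The window size, limit and event timings are constructed.

```python
# Added example (not from the lecture notes): per-neighbour rate limiting of
# CTS responses to bound the energy an RTS flood can drain. Policy is assumed.
from typing import Dict, List, Tuple


class CtsRateLimiter:
    """Allow at most `max_per_window` CTS replies to each neighbour per window."""

    def __init__(self, max_per_window: int, window_ms: int) -> None:
        self.max_per_window = max_per_window
        self.window_ms = window_ms
        self.counts: Dict[str, List[int]] = {}   # neighbour -> [window index, count]

    def allow(self, neighbor: str, now_ms: int) -> bool:
        window = now_ms // self.window_ms
        state = self.counts.get(neighbor)
        if state is None or state[0] != window:
            state = [window, 0]                  # new window: reset the counter
            self.counts[neighbor] = state
        if state[1] >= self.max_per_window:
            return False                         # budget spent: ignore the RTS
        state[1] += 1
        return True


def run_mac(limiter: CtsRateLimiter,
            rts_events: List[Tuple[int, str]]) -> Dict[str, Dict[str, int]]:
    """Replay (time_ms, neighbour) RTS arrivals and count CTS sent vs RTS ignored."""
    stats: Dict[str, Dict[str, int]] = {}
    for t, nb in sorted(rts_events):
        s = stats.setdefault(nb, {"cts_sent": 0, "rts_ignored": 0})
        if limiter.allow(nb, t):
            s["cts_sent"] += 1
        else:
            s["rts_ignored"] += 1
    return stats


def demo() -> Dict[str, Dict[str, int]]:
    """Constructed trace: N1 sends 100 RTS in one second (every 10 ms),
    N2 sends three RTS at normal spacing."""
    flood = [(t, "N1") for t in range(0, 1000, 10)]
    normal = [(0, "N2"), (500, "N2"), (990, "N2")]
    return run_mac(CtsRateLimiter(max_per_window=3, window_ms=100), flood + normal)


if __name__ == "__main__":
    print(demo())   # N1: 30 CTS sent, 70 RTS ignored; N2: 3 CTS sent
```

The limiter caps the victim's cost at a known number of CTS frames per window regardless of how fast the attacker sends; the sender identity it keys on must itself be authenticated, otherwise the attacker simply spreads the flood over spoofed addresses.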
Gossiping:
• A variation of flooding is gossiping, in which nodes do not broadcast
but send the incoming packets to a randomly selected neighbor.
• A sensor node randomly selects one of its neighbors to send the data to.
Once the neighbor node receives the data, it randomly selects another
sensor node.
• Although this approach avoids the implosion problem by having only one
copy of a message at any node, it takes a long time to propagate the
message to all sensor nodes.
Sensor protocols for information via negotiation (SPIN):
• A family of adaptive protocols called SPIN is designed to address the
deficiencies of classic flooding by negotiation and resource adaptation.
• The SPIN family of protocols is designed based on two basic ideas:
sensor nodes operate more efficiently and conserve energy by sending
data that describe the sensor data instead of sending the whole data, e.g.,
an image, and sensor nodes must monitor the changes in their energy
resources.
• SPIN has three types of messages, i.e., ADV, REQ, and DATA. Before
sending a DATA message, the sensor broadcasts an ADV message
containing a descriptor, i.e., meta-data, of the DATA as shown in Step 1
of Fig. 6.
• If a neighbour is interested in the data, it sends a REQ message for the
DATA and DATA is sent to this neighbor sensor node as shown in Steps
2 and 3 of Fig. 6, respectively.
• The neighbor sensor node then repeats this process as illustrated in Steps
4, 5, and 6 of Fig. 6.
• As a result, the sensor nodes in the entire sensor network, which are
interested in the data, will get a copy.
• Note that SPIN is based on data-centric routing where the sensor nodes
broadcast an advertisement for the available data and wait for a request
from interested sinks.
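The ADV/REQ/DATA negotiation described in the steps above, simulated as an added Python example (not code from the notes or from the SPIN authors) and compared with classic flooding on the same topology. Interest is modelled as a fixed set of nodes, the topology is constructed, and the counts show where the savings come from: the full DATA message is sent only to nodes that asked for it, whereas flooding delivers redundant copies to every neighbour (the implosion problem).

```python
# Added example (not from the lecture notes): SPIN-style ADV/REQ/DATA
# negotiation versus classic flooding on a constructed topology.
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed six-node topology (adjacency lists) and interest set.
NEIGHBORS: Dict[str, List[str]] = {
    "S": ["A", "B"], "A": ["S", "B", "C"], "B": ["S", "A", "C"],
    "C": ["A", "B", "D"], "D": ["C", "E"], "E": ["D"],
}
INTERESTED: Set[str] = {"S", "A", "C", "D", "E"}   # B does not want this data


def spin_disseminate(neighbors: Dict[str, List[str]], source: str,
                     interested: Set[str]) -> Tuple[Dict[str, int], Set[str]]:
    """Return message counts per type and the set of nodes holding the DATA."""
    counts = {"ADV": 0, "REQ": 0, "DATA": 0}
    have_data = {source}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        counts["ADV"] += 1                 # step 1: one broadcast ADV with meta-data
        for nb in neighbors[node]:
            if nb in have_data or nb not in interested:
                continue                   # no REQ: already has it, or not interested
            counts["REQ"] += 1             # step 2: neighbour requests the data
            counts["DATA"] += 1            # step 3: DATA sent to that neighbour only
            have_data.add(nb)
            queue.append(nb)               # steps 4-6: the neighbour repeats the process
    return counts, have_data


def classic_flood(neighbors: Dict[str, List[str]], source: str) -> Dict[str, int]:
    """Every node rebroadcasts the full DATA once; count broadcasts and the
    number of receptions, which exceeds the node count (implosion)."""
    broadcasts = receptions = 0
    seen = {source}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        broadcasts += 1
        for nb in neighbors[node]:
            receptions += 1                # every neighbour receives the copy
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return {"DATA_broadcasts": broadcasts, "DATA_receptions": receptions}


if __name__ == "__main__":
    print(spin_disseminate(NEIGHBORS, "S", INTERESTED))
    print(classic_flood(NEIGHBORS, "S"))
```

On this topology SPIN sends the large DATA message four times and the small ADV/REQ messages nine times, while flooding delivers fourteen full copies to reach six nodes; the saving grows with the size of DATA relative to its descriptor. From a security standpoint, note that the ADV message is also the point at which a forged advertisement could solicit REQ traffic, so it is a natural candidate for the authentication discussed earlier in this unit.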

Sequential assignment routing (SAR):
• A set of algorithms, which perform organization, management and
mobility management operations in sensor networks, are proposed.
• Self-organizing MAC for sensor networks (SMACS) is a distributed
protocol that enables a collection of sensor nodes to discover their
neighbors and establish transmission/reception schedules without the
need for a central management system.
• The eavesdrop and register (EAR) algorithm is designed to support
seamless interconnection of the mobile nodes.
• The EAR algorithm is based on the invitation messages and on the
registration of stationary nodes by the mobile nodes.
• The SAR algorithm creates multiple trees where the root of each tree is
a one-hop neighbor of the sink.
• Each tree grows outward from the sink while avoiding nodes with very
low QoS (i.e., low throughput/high delay) and energy reserves.
• At the end of this procedure, most nodes belong to multiple trees.
• This allows a sensor node to choose a tree to transmit its information
back to the sink.
• There are two parameters associated with each path, i.e., a tree, back to
the sink:
Energy resources:
• The energy resources are estimated by the number of packets the
sensor node can send if it has exclusive use of the path.

Additive QoS metric:
• A high additive QoS metric means low QoS.

• The SAR algorithm selects the path based on the energy resources and
additive QoS metric of each path, and the packet’s priority level.
• As a result, each sensor node selects its path to route the data back to the
sink.
• Also, two more algorithms called single winner election and
multiwinner election handle the necessary signaling and data transfer
tasks in local cooperative information processing.
Reliability requirements in sensor networks
• What are the requirements for reliable data transport in wireless sensor
networks? A first glance toward this question can be gained by
comparing sensor networks with other networks.
• In traditional networks like the Internet, the transport protocols (TCP,
UDP) and the underlying network layer protocols have essentially no
clue which kind of data they transport.
• In fact, a key design requirement for these protocols is data
transparency. Such a protocol must strive to deliver every single bit to
the receiver(s), since nothing is known about the relative importance of
the different data bits.
• On the other hand, sensor networks are not designed with the goal of
transporting multiple independent data streams.
• Sensor networks are data-centric and rely on in-network processing. The
reliability requirements are pretty much application specific and the
protocols can take advantage of this; they know the data they carry.
• These can be roughly classified along the following orthogonal axes:
Single packet versus block versus stream delivery:
• The cases of delivering only a single packet on the one hand and of
delivering a number or even an infinite stream of packets on the other
hand differ substantially in the protocol mechanisms usable in either
case.
• In the single packet delivery problem, a single packet must be reliably
transported between two nodes.
• It may be argued that such a requirement will not occur in dense
wireless sensor networks where many nodes observe the same
phenomenon and report highly correlated data.
• However, there are arguments against this claim.
• The first one is that not all sensor networks will be dense.
• Secondly, data aggregation is an important strategy in wireless sensor
networks to condense many redundant or correlated measurements into a
small piece of data.
• Aggregation drastically reduces the amount of data that must be
transmitted to distant sink nodes, but on the other hand, the reliability
requirements for the summary packet are much higher than for any of
the individual sensor readings.
• In the block delivery problem, a finite data block comprising multiple
packets must be delivered to a sensor or a set of sensors.
• Some application examples for this are the retasking of a sensor network
(i.e. the distribution of new application code to a set of sensor nodes) or
the injection of user queries.
• Finally, in the stream delivery problem, a theoretically unbounded
number of packets has to be transported between two nodes. An example
for this is periodic measurement reports.
Sink-to-sensors versus sensors-to-sink versus local sensor-to-sensor:
• It can be assumed that most communications in sensor networks are not
between arbitrary peer nodes, but information flows either from sensor
nodes toward a single or a few sink/gateway nodes or in the opposite
direction, from sinks to sensors.
• In the latter case, the groups of sensors can be geographically specified
(“all sensors in the conference room”) or by other attributes (“all
temperature sensors with less than 50% battery capacity”).
• Other applications, for example target tracking, require the exchange of
local information (e.g., estimated position, speed) between neighboring
nodes close to the target’s trajectory.
Guaranteed versus stochastic delivery:
• In the case of guaranteed delivery, it is expected that all transmitted
packets reach the destination; anything else is considered a failure.
• For example, when a block of application code is distributed to a set of
sensors, losing any packet renders the code block useless.
• In general, guaranteed delivery is challenging and costly in terms of
energy and bandwidth expenditure, specifically over links with
sometimes high error rates like wireless ones.
• Furthermore, many applications can live with some losses, provided that
there are not too many of them.
• The concept of stochastic delivery guarantees allows a limited amount
of losses.
• There are several ways to specify stochastic guarantees.
• For example, one might specify that for periodic data delivery within
every k subsequent packets at least m packets must reach the destination;
any number below m is considered a failure.
• Such a specification has similarities to the concept of (m, k)-firm
deadlines.
• It is applicable when subsequent sensor readings are highly correlated,
for example, because a slowly varying physical process is monitored.
• A similar specification requires that at least m out of k sensors detecting
an event must deliver a packet to the sink or to a local clusterhead for
proper detection/aggregation.
• A third approach to deal with stochastic guarantees is to specify a
delivery probability simply as the long-term fraction of arriving
packets.
• In general, the higher the desired delivery probability, the higher are the
energy costs needed to achieve this.
• As the reliability requirements are application dependent, several works
have focused on developing transport protocols for “single points” or
“small point sets” in the “space” spanned by the previous three axes.
• Generally applicable transport protocols that are lightweight enough to
run on constrained sensor nodes seem not to have appeared yet.
• Even in the Internet world, there is no single protocol:
• TCP is used for unicast applications, whereas for reliable multicast,
other protocols like, for example, Scalable Reliable Multicast (SRM)
have been developed.
• However, even for more specialized protocols, it is a design challenge to
achieve a small footprint in terms of code size, size of runtime data, and
computational complexity.
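The three ways of specifying stochastic delivery guarantees described above, (m, k)-firm windows over periodic data, m-out-of-k reporting sensors, and the long-term delivery probability, implemented as checks over a constructed delivery trace. This is an added Python example and not code from the lecture notes; the trace values and sensor reports are constructed.

```python
# Added example (not from the lecture notes): checking a delivery trace
# against the three stochastic guarantee specifications described in the text.
from typing import Dict, List, Optional

# Constructed trace: True = packet arrived at the sink, False = lost.
TRACE: List[bool] = [True, True, False, True, True, True, False, False, True, True]


def first_mk_violation(outcomes: List[bool], m: int, k: int) -> Optional[int]:
    """(m, k)-firm check for periodic delivery: every window of k consecutive
    packets must contain at least m delivered ones. Returns the start index of
    the first window that violates the requirement, or None if all windows pass."""
    if not 0 < m <= k:
        raise ValueError("need 0 < m <= k")
    for start in range(len(outcomes) - k + 1):
        if sum(outcomes[start:start + k]) < m:
            return start
    return None


def mk_firm_satisfied(outcomes: List[bool], m: int, k: int) -> bool:
    return first_mk_violation(outcomes, m, k) is None


def enough_sensors_reported(reports: Dict[str, bool], m: int) -> bool:
    """m-out-of-k sensors: at least m of the k sensors that detected an event
    delivered their packet to the sink or local clusterhead."""
    return sum(1 for delivered in reports.values() if delivered) >= m


def delivery_probability(outcomes: List[bool]) -> float:
    """Long-term fraction of arriving packets."""
    return sum(outcomes) / len(outcomes) if outcomes else 0.0


if __name__ == "__main__":
    print(first_mk_violation(TRACE, 3, 4))   # 4: window [True, True, False, False]
    print(mk_firm_satisfied(TRACE, 2, 4))    # True
    print(delivery_probability(TRACE))       # 0.7
```

The same trace passes a (2, 4) requirement and fails a (3, 4) one, which is the point of the classification: the transport protocol needs to know which guarantee the application actually needs before it can decide how much energy to spend on retransmissions.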
Network Layer Attacks
• Spoofed Routing Information
• Selective Forwarding
• Sinkhole
• Sybil Attack
• Wormhole
• Black hole and Gray Hole
• HELLO Flood
• Byzantine Attack
• Information Disclosure
• Resource Depletion Attack
• Acknowledgement Spoofing
Network Layer Attacks - Solutions
• Egress filtering
• Authentication, monitoring, redundancy
• Probing
• Packet leashes using geographic and temporal information
• Verifying bidirectional links
Transport Layer Attacks
• Responsible for End to End Delivery
• TCP and UDP
• Flooding Attack
• Desynchronization Attack

Solutions:
Client Puzzles and Authentication schemes
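Client puzzles, listed above as a defence against transport-layer flooding, as an added Python example that is not from the lecture notes: the server issues a random nonce and a difficulty, the client must find a value whose SHA-256 hash together with the nonce has that many leading zero bits, and the server verifies with a single hash and discards the puzzle so that a solution cannot be presented twice. The hash-based construction, the difficulty values and the client names are assumptions of the example.

```python
# Added example (not from the lecture notes): hash-based client puzzles.
# Solving costs the client about 2**difficulty hashes; verifying costs the
# server one hash and a dictionary lookup.
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    zeros = 0
    for byte in digest:
        if byte == 0:
            zeros += 8
            continue
        zeros += 8 - byte.bit_length()
        break
    return zeros


def puzzle_digest(nonce: bytes, solution: int) -> bytes:
    return hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()


class PuzzleServer:
    """Issues one-time puzzles bound to a client and verifies cheaply."""

    def __init__(self, difficulty: int) -> None:
        self.difficulty = difficulty
        self.outstanding: Dict[bytes, str] = {}   # nonce -> client it was issued to

    def issue(self, client: str, nonce: Optional[bytes] = None) -> Tuple[bytes, int]:
        # A caller may pass a nonce for reproducible tests; otherwise it is random.
        nonce = nonce if nonce is not None else secrets.token_bytes(8)
        self.outstanding[nonce] = client
        return nonce, self.difficulty

    def verify(self, client: str, nonce: bytes, solution: int) -> bool:
        if self.outstanding.get(nonce) != client:
            return False          # never issued, already used, or another client's
        if leading_zero_bits(puzzle_digest(nonce, solution)) < self.difficulty:
            return False
        del self.outstanding[nonce]   # one-time: a replayed solution is rejected
        return True


def solve_puzzle(nonce: bytes, difficulty: int) -> Tuple[int, int]:
    """Client side: brute-force search. Returns (solution, hashes_tried)."""
    solution = 0
    while leading_zero_bits(puzzle_digest(nonce, solution)) < difficulty:
        solution += 1
    return solution, solution + 1


if __name__ == "__main__":
    server = PuzzleServer(difficulty=10)
    nonce, diff = server.issue("client-1")
    answer, tried = solve_puzzle(nonce, diff)
    print(tried, server.verify("client-1", nonce, answer))
```

The asymmetry is the whole defence: a flooder must pay roughly 2^difficulty hashes per accepted connection while the server pays one, and the difficulty can be raised as load grows. A fielded version would also expire unsolved puzzles after a timeout so that the `outstanding` table itself cannot be filled up by requests that are never answered.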
Application Layer Attacks
• Attacks by sending a large amount of stimuli
• Network programming attack
• Path-based DoS

Solutions:
Periodic monitoring of sensor nodes
Layer-wise attacks and defenses (solutions)

Layer       | Attack                        | Defense (Solutions)
------------|-------------------------------|---------------------------------------------------------------------------------
Physical    | Jamming                       | Spread-spectrum, priority messages, lower duty cycle, region mapping, mode change
Link        | Collision                     | Error-correcting code
Link        | Exhaustion                    | Rate limitation
Link        | Unfairness                    | Small frames
Network     | Spoofed routing information   | Egress filtering, authentication, monitoring
Network     | Selective forwarding          | Redundancy, probing
Network     | Sinkhole                      | Authentication, monitoring, redundancy
Network     | Sybil                         | Authentication, probing
Network     | Wormhole                      | Authentication, packet leashes using geographic and temporal information
Network     | HELLO flood                   | Authentication, verify the bidirectional link
Network     | Acknowledgment flooding       | Authentication
Transport   | Flooding                      | Client puzzles
Transport   | De-synchronization            | Authentication
Application | Sending large amount of data  | Authentication and periodic monitoring of sensor nodes
Application | Network programming attack    | Authentication and periodic monitoring of sensor nodes
Application | Path-based DoS                | Authentication and periodic monitoring of sensor nodes
