
Security of Sensor Networks

Security of Sensor Networks. Tanya Roosta, TRUST Seminar, UC Berkeley, November 9, 2006. Overview: Taxonomy of attacks on sensor networks; Convergence analysis of Reweighted-Tree sum-product algorithms; Time synchronization security; Reputation system for tracking; Game theory.


Presentation Transcript


  1. Security of Sensor Networks Tanya Roosta TRUST Seminar UC Berkeley, November 9, 2006

  2. Overview • Taxonomy of attacks on sensor networks • Convergence analysis of Reweighted-Tree sum-product algorithms • Time synchronization security • Reputation system for tracking • Game theory

  3. Overview • Taxonomy of attacks on sensor networks • Convergence analysis of Reweighted-Tree sum-product algorithms • Time synchronization security • Reputation system for tracking • Game theory

  4. Background on Sensor Network • Wireless networks consist of a large number of motes • self-organizing, highly integrated with changing environment and network • Highly Constrained resources • processing, storage, bandwidth, power • Facilitate large scale deployment • Health care • Surveillance • Critical infrastructure

  5. Motivation • Sometimes deployed in hostile environment, and have random topology • Vision is to integrate sensors into critical infrastructure, such as wireless Supervisory Control And Data Acquisition systems (SCADA) • Traditional security techniques cannot be applied because …

  6. Challenges Unique to Sensor Networks • Random Topology • Secure aggregation • Context privacy [PMRBSSW06] • Scalability of trust/key management schemes • Power and computation efficiency [PMRBSSW06] Sameer Pai, Marci Meingast, Tanya Roosta, Sergio Bermudez, Shankar Sastry, Stephen Wicker. “Privacy in Sensor Networks: A Focus On Transactional Information”. Under submission to IEEE Security and Privacy Magazine

  7. Security Attacks on Sensor Networks • Need to have a comprehensive taxonomy of security and confidentiality attacks on sensor networks to describe [RSS06]: • Attacker’s goal • Trust model • Security requirements • Various types of attacks [RSS06] Tanya Roosta, Shiuhpyng Shieh, Shankar Sastry. "Taxonomy of Security Attacks on Sensor Networks". IEEE International Conference on System Integration and Reliability Improvements 2006

  8. Attacker’s Goal • Eavesdropping (outsider attacker) • Disruption of applications (insider attacker) • Subverting a subset of sensor nodes (insider attacker)

  9. Trust Model • There is usually a central base station that gathers all the data reported by the sensor nodes • Only trust assumption: the base station is trustworthy • No other trust requirement is placed

  10. Security Requirements • Confidentiality • Authentication • Integrity • Freshness • Secure Group Management • Availability • Graceful degradation

  11. Cryptography • Cryptography is the first line of defense • Cryptography helps with message integrity, authentication, and confidentiality • TinySec: symmetric key cryptographic algorithm • TinyECC: Elliptic Curve Cryptography (ECC) • Cryptography cannot solve all the problems of security in sensor networks

  12. Security Attacks • Attacks can be categorized into [RSS06]: • Attacks on the sensor mote • Attacks on the protocols and applications

  13. Attacks on the Sensor Mote • Non-invasive: The embedded device is not physically tampered with • Side-channel attack • Invasive: Reverse engineering followed by probing techniques • Extract cryptographic keys • Exploit software vulnerabilities: • Memory access control

  14. Attacks on Protocols/Applications • Denial of service • Traffic analysis • Time synchronization • Key management protocols • Data aggregation protocols • Comprehensive list in [RSS06] DOS

  15. Overview • Taxonomy of attacks on sensor networks • Convergence analysis of Reweighted-Tree sum-product algorithms • Time synchronization security • Reputation system for tracking • Game theory

  16. Graphical Models • In probabilistic graphical models, the nodes are random variables, and arcs (or lack of them) encode the conditional independence of these random variables • Specify a joint probability distribution among random variables

  17. Graphical Models in Sensor Networks • Graphical models useful for distributed fusion in sensor networks [CCFIMWW06]: • Well-suited for sensor network structure • Scalable inference algorithm, new message-passing algorithms • Parallel message-passing [CCFIMWW06] M. Cetin, L. Chen, J. W. Fisher, A. T. Ihler, R. L. Moses, M. J. Wainwright, A. Willsky. “Distributed Fusion in Sensor Networks”. IEEE Signal Processing Magazine, July 2006.

  18. Inference on Graphical Models • Calculating posterior marginals is NP-hard • Junction Tree algorithm finds exact marginals, but is computationally expensive • Standard Belief Propagation (BP) is used as an approximate inference algorithm BP Equation

  19. Tree-Reweighted Sum-Product Algorithm • TRW is a broader class of approximate inference algorithms • Message adjusted by edge-based weights • The weights are ts ∈ [0,1] • Computational complexity identical to BP •  = 1: recovers the standard BP [WJW05] M. J. Wainwright and T. S. Jaakkola and A. S. Willsky. "A new class of upper bounds on the log partition function". IEEE Trans. Info. Theory, 2005.

  20. Advantages of TRW • For suitable choices of , TRW, in sharp contrast to BP, always has a unique fixed point for any graph and any dependency strength • Additional benefit: • Message-passing updates tend to be more stable • Faster convergence rate

  21. TRW in Sensor Networks • TRW can be used in sensor networks [CWCW03] • TRW and security: • Compromised nodes give faulty updates • Need to understand: • How much of an effect the faulty updates will have on the estimation • How the characteristics of the fixed points of TRW are changed [CWCW03] L. Chen, M. J. Wainwright, M. Cetin, A. S. Willsky. “Multitarget-Multisensor Data Association Using Tree-Reweighted Max-Product Algorithm”. SPIE AeroSense Conference, 2003.

  22. Convergence Analysis of TRW [RW06] • The objective is to analyze the convergence of the family of reweighted sum-product algorithms • We assume that the ‘true’ messages are fixed points of the algorithm • The messages are perturbed by some amount [RW06] Tanya Roosta, Martin J. Wainwright. "Convergence Analysis of Reweighted Sum-Product Algorithms". Submitted to IEEE International Conference on Acoustics, Speech, and Signal Processing (ICASSP)

  23. Convergence Analysis [RW06] • W.L.O.G restrict attention to the case of pair-wise cliques st • The distribution defined on this graph is: • Analyze homogeneous and non-homogeneous models

  24. Homogeneous Model • st = ,s= θ for all edges and all nodes • Let d=degree of the nodes • If d-1  1, then we are guaranteed uniqueness and convergence of the updates • If d-1 > 1 , the update equation may have more than one fixed point, depending on the choice of  and  Proof

  25. Plot of the appearance of multiple fixed points versus  and  d=4 critical θ 

  26. Non-Homogeneous Model • In the general model, convergence analysis is based on establishing that, under suitable conditions, the updates specify a contractive mapping in the $\ell_1$ norm, i.e.

  27. Simulation Results •  uniform from [0.05,0.5], edge potentials st, uniform from [0.01,1], and different values for  • Number of nodes between 49-169 • Plot of $\log \|z^m - z^*\|_1$ vs. the number of iterations ($m$)

  28. More figures

  29. Ongoing and Future Work • The convergence condition is somewhat conservative • Requires the message updates be contractive at every node of the graph • We would like to have an average-case analysis • Require that updates be attractive in an average sense

  30. Overview • Taxonomy of attacks on sensor networks • Convergence analysis of Reweighted-Tree sum-product algorithms • Time synchronization security • Reputation system for tracking • Game theory

  31. Why Need Time Sync.? • Sources of error in time are: • Clock skew: the difference in the frequencies of the clock and the perfect clock • Clock offset: the difference between the time reported by a clock and the real time Time sync.

  32. Effect of Time Sync. Attacks • Time sync. protocols are vulnerable to security attacks • Effect on applications/services [MRS05]: • Shooter Localization • TDMA-based Channel Sharing: • Flexible Power Scheduling • TDMA-based MAC protocol • Estimation • Authenticated Broadcast (Tesla) [MRS05] Mike Manzo, Tanya Roosta, Shankar Sastry. “Time Synchronization Attacks in Sensor Networks”. The Third ACM Workshop on Security of Ad Hoc and Sensor Networks 2005

  33. Time Sync. Protocols in Sensor Network • Three general categories: • Reference Broadcast Synchronization (RBS) • TPSN • Flooding Time Synchronization Protocol (FTSP) • In [MRS05], attacks and possible countermeasures for each time sync. protocol were explained Description

  34. FTSP • FTSP uses reference points for synchronization • Reference point = (globalTime, localTime) • globalTime: time of the transmitting node • localTime: time of the receiving node • The receiving node uses linear regression on 8 reference points to find offset and skew Detail

  35. Attacks on FTSP [RS06] • A compromised node can claim to be the root node • The compromised root sends false updates, which will get propagated in the network • Every node accepting the false updates calculates false offset and skew [RS06] Tanya Roosta, Shankar Sastry. “Securing Flooding Time Synchronization Protocol in Sensor Networks”. Workshop of 6th ACM & IEEE Conference on Embedded Software

  36. Proposed Countermeasures [RS06] • Secure leader election mechanism: • distributed coin-flipping algorithms (use cryptographic commitments) • Using redundancy: • Instead of LS on one neighbor, run LS on multiple neighbors and take the median • Run LS on multiple random subsets of data • Using robust estimators: Least Median of Squares (LMS)

  37. Future work • Experiments: • Implementing the attacks • Analyze the effect on the tracking application • Implement some of the countermeasures • Time line: 6 months

  38. Overview • Taxonomy of attacks on sensor networks • Convergence analysis of Reweighted-Tree sum-product algorithms • Time synchronization security • Reputation system for tracking • Game theory

  39. Reputation System • Reputation systems have been used in online ranking systems • They have proven useful as a self-policing mechanism • In [GS04] the authors propose extending this framework to sensor networks [GS04] Saurabh Ganeriwal, Mani Srivastava. “Reputation-based framework for high integrity sensor networks”. Proceedings of the 2nd ACM workshop on Security of ad hoc and sensor networks, 2004.

  40. Reputation System in Sensor Network • No unifying way to design the “watchdog” mechanism • Application dependent [GS04]

  41. Reputation System for Tracking [RMS06] • We designed a reputation system for the tracking application • Tracking is fundamental in sensor networks • Surveillance • Pursuit Evasion Games • Focused on Hierarchical Multi-Object Tracking Algorithm (MCMCDA) [RMS06] Tanya Roosta, Marci Meingast, Shankar Sastry. "Distributed Reputation System for Tracking Applications in Sensor Networks". In proc. of International Workshop on Advances in Sensor Networks 2006

  42. MCMCDA • The input: • a set of data indexed by time • The output: • the association of the observed data with object tracks • The tracking algorithm has two phases: • Data Fusion • Data Association [ORS04] S. Oh, S. Russell, and S. Sastry. “Markov Chain Monte Carlo Data Association for General Multiple-Target Tracking Problems”. IEEE International Conference on Decision and Control (CDC), 2004.

  43. Example • Figure (a) shows the observed data indexed by time, • Figure (b) shows the tracks that were formed based on the maximum likelihood function [ORS04]

  44. MCMCDA [ORS04] • Nodes equipped with motion detection sensors • Sensor model:

  45. Data Fusion • In each local neighborhood, the node with the highest signal strength declares itself to be the leader • All the other nodes in the neighborhood send their observations to this leader • The leader aggregates the data:

  46. Data Association • Each leader sends the fused observation to the closest super-node • Super-nodes send their gathered fused observations to the base station • Base station uses Markov Chain Monte Carlo (MCMC) to associate the fused data by maximizing the posterior of the track, given the observations Formula

  47. Possible Attacks [RMS06] • Adversary physically captures a subset of the sensor nodes • Compromised nodes send faulty observations to the leader • Results in wrong fused observations and formation of non-existent tracks for the moving objects

  48. Attacks Not Considered • We did not allow the compromised nodes to claim to be the leader • This problem could be solved using standard distributed coin-flipping algorithms using cryptographic commitments • At the central level, we need to use statistical methods that would filter out the faulty observations coming from the compromised leaders
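
A commit-then-reveal leader election of the kind slides 36 and 48 refer to as distributed coin-flipping with cryptographic commitments, as an added example that is not the scheme from [RS06] or [RMS06]. The message layout, SHA-256 commitment, node names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def commit(node_id, value, nonce):
    """Commitment broadcast in round 1: hash binds the node to its value."""
    data = node_id.encode() + b"|" + nonce + b"|" + value.to_bytes(4, "big")
    return hashlib.sha256(data).digest()

def elect_leader(commitments, reveals):
    """Round 2: check every reveal against its round-1 commitment.

    commitments: {node_id: digest}, reveals: {node_id: (value, nonce)}.
    Nodes that withhold or change their value are flagged and excluded;
    the leader index is the sum of the verified values modulo the number
    of verified nodes. Returns (leader, flagged_nodes).
    """
    flagged = sorted(
        n for n in commitments
        if n not in reveals
        or not hmac.compare_digest(commit(n, *reveals[n]), commitments[n])
    )
    verified = sorted(n for n in commitments if n not in flagged)
    total = sum(reveals[n][0] for n in verified)
    return verified[total % len(verified)], flagged

# Constructed neighborhood of four motes. Fixed nonces keep the example
# reproducible; a real node would draw a fresh random nonce per election.
VALUES = {"m1": 11, "m2": 4, "m3": 7, "m4": 9}
NONCES = {n: bytes([i]) * 16 for i, n in enumerate(sorted(VALUES), start=1)}
COMMITMENTS = {n: commit(n, VALUES[n], NONCES[n]) for n in VALUES}
HONEST_REVEALS = {n: (VALUES[n], NONCES[n]) for n in VALUES}
# m3 committed to 7 but reveals 5 after seeing the other nodes' values.
FORGED_REVEALS = dict(HONEST_REVEALS, m3=(5, NONCES["m3"]))

if __name__ == "__main__":
    print(elect_leader(COMMITMENTS, HONEST_REVEALS))  # all reveals verify
    print(elect_leader(COMMITMENTS, FORGED_REVEALS))  # m3 is flagged
```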

  49. Reputation System [RMS06] • The nodes do not share their reputation table • At this point, we only use first hand observations for updating the reputation • Each node updates the reputation of its neighbors only when it becomes the leader • The reputation is a value in [0,1]

  50. The Algorithm [RMS06] • Leader node gathers all the observations from its neighbors • It chooses m subsets of the observations • The members of each subset are chosen randomly from among all the neighbors • The leader computes the fused observation for each subset ( )
