1 / 35

SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks

Protocol Exchange Meeting Feb 1-2, Naval Postgraduate School. SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks. Radha Poovendran Network Security Lab University of Washington. Graduate Student: Loukas Lazos. Outline. Motivation Secure Localization Problem

lacey
Télécharger la présentation

SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Protocol Exchange Meeting Feb 1-2, Naval Postgraduate School SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks Radha Poovendran Network Security Lab University of Washington Graduate Student: Loukas Lazos

  2. Outline • Motivation • Secure Localization Problem • SeRLoc • Threats and defenses • Performance Evaluation • Conclusions Radha Poovendran Seattle, Washington

  3. Why do we need location in WSN? Location-dependent services Network functions Access Control Monitoring Apps Radha Poovendran Seattle, Washington

  4. Localization Problem Localization: Sensor Location Estimation • How do sensors become aware of their position undernon-deterministic deployment? • Choice of localization algorithm is based on: • Resolution required • Region of deployment • Resource constraints of the devices Radha Poovendran Seattle, Washington

  5. Classification of Loc. Schemes • Indoors vs. Outdoors: • GPS, Centroid (outdoors). • RADAR, Active Bat, AhLos (indoors). • Infrastructureless (I-L) vs. Infrastructure based (I-B): • AhLos, Amorphous, DV-Hop (I-L). • RADAR, Active Bat, AVL (I-B). • Range-based (R-B) vs. Range-Independent (R-I): • RADAR, Ahlos, GPS, Active Bat (R-B). • APIT, DV-Hop, Amorphous, Centroid (R-I). • Active vs. Passive • Dv-hop, APIT (Active). • RADAR (Passive). Radha Poovendran Seattle, Washington

  6. Localization in un-trusted environment • WSN may be deployed in hostile environments. • Threats in sensor localization: • External • Replay attacks. • Node Impersonation attacks. • Internal • Compromise of network entities. • False location claims. Radha Poovendran Seattle, Washington

  7. Secure Location Services • Secure Verification of Location Claims • [Sastry et al. WISE 2002]. • Location Privacy • Privacy-aware Location Sensor Networks [Gruteser et al. USENIX 2003]. • Secure Localization: Ensurerobust location estimationevenin the presence ofadversaries. • SeRLoc: [Lazos and Poovendran, WISE 2004]. • S-GPS: [Kuhn 2004]. • SPINE: [Capkun & Hubeaux, Infocom 2005]. Radha Poovendran Seattle, Washington

  8. Outline • Motivation • Problem Description • SeRLoc • Threats and defense • Performance • Conclusions Radha Poovendran Seattle, Washington

  9. Our Approach: SeRLoc • SeRLoc:SEcure Range-independent LOCalization. • SeRLoc features • Passive Localization. • No ranging hardware required. • Decentralized Implementation, Scalable. • Robust against attacks - Lightweight security. Radha Poovendran Seattle, Washington

  10. Network Model Assumptions (1) Omnidirectional Antennas Sensors: Randomly deployed, unknown location Sensor range r Locators: Randomly deployed Directional Antennas r Known Location, Orientation R θ Beamwidth θ Locator range R Locator Sensor Two-tier network architecture (X2, Y2) (X4, Y4) (X3, Y3) (X1, Y1) (X5, Y5) Radha Poovendran Seattle, Washington

  11. Network Model Assumptions (2) • Locator deployment: Homogeneous Poisson point process of rate ρL (ρL: Locator density). • Sensor deployment: Poisson point process of rate ρsindependent of locator deployment (ρs:sensor density). • Or can be seen as random sampling of the deployment area with rate ρs (ρs >> ρL). LHs: Locators heard at a sensor s. Radha Poovendran Seattle, Washington

  12. The Idea of SeRLoc ROI Locator Sensor L4 • Each locator Li transmits information that defines the sector Si, covered by each transmission. • Sensor defines the region of intersection (ROI) from all locators it hears. L1 L3 s L3 (0, 0) Radha Poovendran Seattle, Washington

  13. Outline • Motivation • Problem • SeRLoc • Threats and defense • Performance • High resolution localization: HiRLoc • Conclusions Radha Poovendran Seattle, Washington

  14. Threats s L1 • Attacker aims at displacing the sensors (false info is worse than no info). • We do not address DoS attacks. • We do not address jamming of the communication medium. [Lazos & Poovendran, IPSN 2005] Radha Poovendran Seattle, Washington

  15. How can a sensor be displaced? • In SeRLoc: Sensor gets false localization information. • A) Replay beacons from a far-away region. • B) Impersonate locators and fabricate beacons. • How can we protect broadcasted localization information? Radha Poovendran Seattle, Washington

  16. SeRLoc - Security mechanisms H1(Pwi) Hn(Pwi) H H H H Hash chain one-way hash function • Message Encryption: Messages encrypted with a symmetric key K0. • Beacon Format: ID authentication Synchronization var Li : { (Xi, Yi) || (θi,1, θi,2) || (Hn-j(PWi)), j } K0 Locator’s coordinates Slopes of the sector Shared symmetric key H0(Pwi) PWi • Every sensor stores the values Hn(PWi) for all the locators. • A sensor can authenticate all locators that are within its range (one-hop authentication). Radha Poovendran Seattle, Washington

  17. SeRLoc – Wormhole Attack Record beacons sensor Locator Attacker • THREAT MODEL • The attacker records beacon information at region A L4 L3 • Tunnels it via the wormhole link at region B, and replays the beacons. L1 Region B • Sensor is misled to believe it hears the set of locators LHs: {L1 - L8}. L2 Wormhole link Region A L7 L8 • No compromise of integrity, authenticity of the communication • or crypto protocols. • Direct link allows replay of the beacons in a timely fashion. L5 L6 Radha Poovendran Seattle, Washington

  18. Wormhole attack detection (1) Accept only single message per locator sensor Locator Attacker obstacle • Multiple messages from the same locator are heard due to: • Multi-path effects; • Imperfect sectorization. • Replay attack. R Ac R Wormhole link R: locator-to-sensor communication range. Radha Poovendran Seattle, Washington

  19. Wormhole attack detection (2) Locators heard by a sensor cannot be more than 2R apart sensor Locator Attacker 2R Ai Aj R Li Lj R Wormhole link R: locator-to-sensor communication range. Radha Poovendran Seattle, Washington

  20. Wormhole attack detection (3) Probability of wormhole detection sensor Locator Attacker The events of a locator being within any region Ai, Aj, Ac are inde-pendent (Regions do not overlap). 2R Ai Aj Ac Wormhole link Radha Poovendran Seattle, Washington

  21. Wormhole attack detection (4) 99.48% Probability of wormhole detection L Radha Poovendran Seattle, Washington

  22. Resolution of location ambiguity Closest Locator A sensor needs to distinguish the valid set of locators from the replayed ones. Attach to Closest Locator Algorithm (ACLA) • Sensor s  : Broadcasts a nonce η. L4 • Locator Li : Reply with a beacon + the nonce η, encrypted with the pair-wise key Ks,Li. L3 L1 Region B • Sensor s  : Identify the locator Lc with the first authentic reply. • Sensor s  : A locator Li belongs to the valid set, only if it overlaps with the sector defined by the beacon of Lc. L2 L8 L5 Region A Wormhole link L7 L6 Radha Poovendran Seattle, Washington

  23. SeRLoc – Sybil Attack Collect hash values Impersonator • THREAT MODEL • The attacker impersonates multiple locators (compromiseof the globally shared key K0). L3 L2 L1 L4 • Attacker can fabricate arbitrary beacons. • Hence, compromise the majority-based scheme, if more than |LHs| locators impersonated. Radha Poovendran Seattle, Washington

  24. Sybil Attack detection (1) • In a Sybil attack, the sensor hears at least twice the number of locators it would normally hear. • Define a threshold Lmax as the maximum allowable number of locators heard, such that: Probability of false alarm Probability of Sybil attack detection • Design goal: Given security requirementδ, minimize false alarm probability ε. Radha Poovendran Seattle, Washington

  25. Sybil Attack detection (2) 99% Detection probability 52 locators 26 locators 5% • Random locator deployment we can derive the Lmax value: False alarm Probability Radha Poovendran Seattle, Washington

  26. Sybil Attack defense • Once a Sybil attack is detected, i.e. More than Lmax locators are heard: • Execute ACLA to attach sensor’s position to the closest locator. • Attacker needs to compromise the pairwise key between a locator and the sensor under attack to compromise ACLA. • What if a locator is compromised? Radha Poovendran Seattle, Washington

  27. SeRLoc – Compromised Locators • Compromise of alocatorLi reveals K0, seed PWi to the hash chain of the locator. • Attacker can • Impersonate the Closest Locator. • Compromise the ACLA algorithm. • Displace any sensor that uses ACLA. • Need an Enhanced version of ACLA Radha Poovendran Seattle, Washington

  28. Enhanced location determination algorithm 1. The sensor transmits a nonce with its ID and set LHs 2. Locators within r from the sensor relay the nonce. L1 L7 3. Locators within R reply with a beacon + the nonce. L2 4. Sensor accepts first Lmax replies. L9 L6 L3 L5 • Attacker has to compromise more than Lmax/2 locators, AND • Replay before authentic replies arrive at s. L8 L4 Radha Poovendran Seattle, Washington

  29. Outline • Motivation • Secure Localization Problem • SeRLoc • Threats and defenses • Performance Evaluation • Conclusions Radha Poovendran Seattle, Washington

  30. Performance Evaluation • Simulation setup: • Random locator distribution with density ρL. • Random sensor distribution with density 0.5. • Performance evaluation metric: • : Sensor location estimation. • si : Sensor actual location. • r : Sensor-to-sensor communication range. • |S| : Number of sensors. Radha Poovendran Seattle, Washington

  31. Localization Error vs. Avg. LH • M number of antenna sectors. • Each locator is equivalent to M reference points. • In our simulation set up, SeRLoc outperforms most of the schemes. LH: Locators Heard Radha Poovendran Seattle, Washington

  32. Localization error vs. sector error • Sector error: Fraction of sectors falsely estimated at each sensor. • Even when 50% of the sectors are falsely estimated, LE < r for LH  6 • SeRLoc is resilient against sector error due to the majority vote scheme. Radha Poovendran Seattle, Washington

  33. Localization error vs. GPS error • GPS Error (GPSE): Error in the locators’ coordinates. • For GPSE = 1.8r and LH = 3, LE = 1.1r. • DV-hop/Amorphous: LE = 1.1r requires LH = 5 with no GPSE. • APIT: LE = 1.1r requires LH = 15 with no GPSE. Radha Poovendran Seattle, Washington

  34. Summary and Conclusions • SeRLoc is a two-tier network architecture: • Locators: Known coordinates, sectored antennas, fixed transmission range. • Sensors: Passively determine their position, by intersecting the antenna sectors heard. • Resistance to attacks in WSN using: • Cryptographic primitives (encryption, hashing). • Geometric properties (Range of transmission). • Analytically evaluated level of security via spatial statistics. • Current developments: • Characterize wormhole Problem [UW+NRL; WCNC 2005] • Resistance to jamming attacks, analytical evaluation of error bounds [Lazos & Poovendran; ROPE 2005] Radha Poovendran Seattle, Washington

  35. Workshop Announcement Workshop on Secure Localization of Wireless Sensor Networks:June 2005, University of Washington. Radha Poovendran Seattle, Washington

More Related