Post on 21-Dec-2015
1
Secure Routing in Wireless Sensor Networks : Attacks and Countermeasures
Authors: Chris Karlof and David Wagner
Presenter: Ivanka Todorova
2
Outline
• Introduction and Contributions
• Background
• Sensor vs. ad-hoc wireless networks
• Problem Statement
• Attacks on sensor network routing
• Attacks on specific sensor network protocols
• Countermeasures
• Conclusions
3
Introduction and Contributions
• Threat models and security goals for routing in WSNs
• Two new attacks
  • Sinkhole attacks
  • HELLO floods
• How to adapt attacks against ad-hoc wireless networks into powerful attacks against WSNs
• Practical attacks against routing protocols and topology maintenance algorithms for WSNs
• Countermeasures and design considerations for secure routing protocols in WSNs
4
Background
• WSNs consist of hundreds or thousands of low-power, low-cost nodes having a CPU, power source, radio, and other sensing elements
• Have one or more points of centralized control called base stations or sinks
• Sensor readings from multiple nodes processed at aggregation points
• Power is the scarcest resource
5
Background
A representative sensor network architecture
Picture from [7]
6
WSNs vs. Ad-hoc WNs
WSNs
• Communication method - multihop networking
• One or more points of centralized control such as base stations
• Routing - specialized communication pattern
• Resource-starved nature
• Trust relationships between nodes assumed
• Public key cryptography not feasible
Ad-hoc WNs
• Communication method - multihop networking
• There is no fixed infrastructure such as base stations
• Routing - any pair of nodes
• Limited resources
• Trust relationships between nodes not assumed
• Public key cryptography possible
7
Problem Statement
• Network assumptions
  • Insecure radio links
  • Malicious nodes may collude to attack the network
  • Sensor nodes not tamper resistant
  • Physical and MAC layers vulnerable to direct attacks
• Trust Requirements
  • Base stations are trustworthy
  • Aggregation points not necessarily trustworthy
8
Problem Statement cont’d
• Two types of threat models
  • Based on type of attacking devices
    • Mote-class attackers
    • Laptop-class attackers
  • Based on attacker location
    • Outsider attacks
    • Insider attacks
• Security goals
  • Confidentiality, integrity, authenticity, and availability of all messages
9
Attacks on sensor network routing
• Spoofed, altered, or replayed routing information
• Selective forwarding
• Sinkhole attacks
  • Adversary’s goal is to lure traffic through a compromised node
  • Work by making the compromised node look attractive
  • Makes selective forwarding trivial
10
Attacks on sensor network routing cont’d
• Sybil Attack
“One can have, some claim, as many electronic personas as one has time and energy to create.”
Judith S. Donath [1]
Picture from [2]
11
Attacks on sensor network routing cont’d
• Wormhole
  • An adversary tunnels packets received in one part of the network over a low-latency link and replays them in a different part of the network
Picture from http://library/thinkquest.org/27930/wormhole.htm
12
Attacks on sensor network routing cont’d
• HELLO flood attack
  • Many protocols require that nodes broadcast HELLO packets to announce themselves to their neighbors
  • Laptop-class attacker can convince all nodes that it is their neighbor by transmitting at high power
• Acknowledgement spoofing
13
Attacks on specific sensor network protocols
• TinyOS beaconing
  • Description
  • Attacks
• Can authenticated routing updates solve the problem?
Picture from [7]
14
Attacks on specific sensor network protocols cont’d
Combined wormhole/sinkhole attack
Picture from [7]
15
Attacks on specific sensor network protocols cont’d
• What if a laptop-class adversary uses a HELLO flood attack?
• What about mote-class adversaries?
  • Routing loops
Picture from [7]
16
Attacks on specific sensor network protocols cont’d
• Directed diffusion
  • Attacks – Suppression, Cloning, Path influence, Selective forwarding and data tampering
Figure panels: Interest propagation; Initial gradients set up; Data delivery along reinforced path
Pictures from [6]
17
Attacks on specific sensor network protocols cont’d
• Geographic routing
  • Two protocols
    • GPSR (Greedy Perimeter Stateless Routing)
    • GEAR (Geographic and Energy Aware Routing)
  • Description
    • Greedy forwarding routing each packet to the neighbor closest to the destination
    • GEAR weighs the choice of the next hop by both remaining energy and distance from the target
18
Attacks on specific sensor network protocols cont’d
• Geographic routing
  • Greedy forwarding example: y is x’s closest neighbor to D
  • Greedy forwarding failure: x is a local maximum in its geographic proximity to D; w and y are farther from D.
Pictures from [14]
19
Attacks on specific sensor network protocols cont’d
Geographic routing
Node x’s void with respect to destination D.
Picture from [14]
20
Attacks on specific sensor network protocols cont’d
• Geographic routing
  • Attacks
    • Sybil attack
Picture from [7]
21
Attacks on specific sensor network protocols cont’d
• Attacks cont’d
  • Creating routing loops in GPSR
Picture from [7]
22
Attacks on specific sensor network protocols cont’d
• Minimum cost forwarding
  • Description
  • Attacks
    • Sinkhole attack
    • HELLO flood attack can disable the entire network
Figure labels: nodes M and N; costs C_N, C_M and C_M + L_{N,M}
23
Attacks on specific sensor network protocols cont’d
• LEACH: low-energy adaptive clustering hierarchy
  • Description
    • Nodes organized into clusters with one node serving as a cluster-head
    • Cluster-heads aggregate data for transmission to a base station
  • Attacks
    • HELLO flood attack
    • Countermeasures defeated by a Sybil attack
24
Attacks on specific sensor network protocols cont’d
• Energy conserving topology maintenance
  • Geographic Adaptive Fidelity (GAF)
Figure panels: State transitions; Node redundancy; Virtual grid
Pictures from [5]
25
Countermeasures
• Shared key and link layer encryption
  • Prevent outsider attacks - Sybil attacks, selective forwarding, ACK spoofing
  • Cannot handle insider attacks - Wormhole, HELLO flood, TinyOS beaconing attacks
    • In case of a wormhole encryption may make selective forwarding more difficult but cannot prevent blackholes
• Sybil and HELLO flood attacks
  • A globally shared key allows an insider to masquerade as any node
  • A pair of nodes can use a Needham-Schroeder protocol to establish a shared key
  • Limit the number of neighbors for a node
  • Verify the bidirectionality of the link for a HELLO flood attack
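An added example (not from the slides or the paper they summarize): a small Python model of the link bidirectionality check as a HELLO flood defense. The Node class, radio ranges and topology are constructed, and the model assumes the attacker's receiver is no more sensitive than a mote's.

```python
import math

class Node:
    def __init__(self, name, x, y, tx_range):
        self.name, self.pos, self.tx_range = name, (x, y), tx_range
        self.neighbors = set()

    def reaches(self, other):
        """True if a frame sent at this node's own power arrives at `other`."""
        return math.dist(self.pos, other.pos) <= self.tx_range

def hello_round(nodes, verify_bidirectional):
    """Each node broadcasts HELLO once; receivers rebuild their neighbor tables."""
    for n in nodes:
        n.neighbors = set()
    for sender in nodes:
        for rcv in nodes:
            if rcv is sender or not sender.reaches(rcv):
                continue  # HELLO was never heard
            # Countermeasure: rcv sends a challenge at its normal power and
            # accepts the link only if the sender could hear it and echo it.
            if verify_bidirectional and not rcv.reaches(sender):
                continue
            rcv.neighbors.add(sender.name)

def victims(nodes, attacker_name):
    """Names of nodes that list the attacker as a one-hop neighbor."""
    return sorted(n.name for n in nodes if attacker_name in n.neighbors)

def build_network():
    # Constructed topology: four motes 8 m apart with a 10 m radio range,
    # plus a laptop-class transmitter 100 m away with a 500 m range.
    motes = [Node(f"m{i}", 8 * i, 0, 10) for i in range(4)]
    return motes + [Node("laptop", 100, 0, 500)]

if __name__ == "__main__":
    net = build_network()
    hello_round(net, verify_bidirectional=False)
    print("naive:", victims(net, "laptop"))
    hello_round(net, verify_bidirectional=True)
    print("verified:", victims(net, "laptop"))
```

Legitimate one-hop links survive the check because they are symmetric at mote power; only the one-way, high-power link is dropped.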
26
Countermeasures
• Amended Needham Schroeder Symmetric Key
  • Author(s): Roger Needham and Michael Schroeder (1987)
  • Distribution of a shared symmetric key by a trusted server and mutual authentication.
  • Symmetric key cryptography with server.
27
Countermeasures
• Wormhole and sinkhole attacks
  • Protocols that construct a topology initiated by a base station are the most vulnerable
  • Good routing protocol design may be the solution – geographic routing protocols
• Geographic routing attacks
  • Use fixed topology to eliminate the need for location information
• Selective forwarding
  • Multipath routing
  • Braided paths
  • Allowing nodes to dynamically choose a packet’s next hop probabilistically from a set of possible candidates
28
Countermeasures
Braided path
Picture from [10]
29
Countermeasures
• Authenticated broadcast and flooding
  • μTESLA protocol to prevent replay of broadcast messages issued by the base station
    • Replay is prevented because messages authenticated with previously disclosed keys are ignored
  • Flood the information about the malicious nodes in the network
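An added example (not from the slides or the μTESLA authors' code): a simplified Python model of the delayed key disclosure that makes receivers ignore messages authenticated with already-disclosed keys. It assumes integer time intervals, a one-interval disclosure delay, and uses the chain key directly as the MAC key; all names and sample values are constructed.

```python
import hashlib
import hmac

def H(data):
    return hashlib.sha256(data).digest()

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def make_chain(seed, n):
    """Keys K_0..K_n with K_i = H(K_{i+1}); K_0 is the commitment nodes hold."""
    keys = [seed]
    for _ in range(n):
        keys.append(H(keys[-1]))
    return keys[::-1]

class Receiver:
    def __init__(self, commitment, delay=1):
        self.key, self.idx, self.delay = commitment, 0, delay
        self.pending, self.accepted = [], []

    def on_packet(self, now, interval, msg, tag):
        # K_interval is disclosed `delay` intervals later; a packet arriving
        # at or after that time may be a forgery or replay, so ignore it.
        if now >= interval + self.delay:
            return False
        self.pending.append((interval, msg, tag))
        return True

    def on_key(self, index, key):
        probe = key
        for _ in range(index - self.idx):  # hash back to the last trusted key
            probe = H(probe)
        if index <= self.idx or not hmac.compare_digest(probe, self.key):
            return False
        self.key, self.idx = key, index
        for i, msg, tag in self.pending:
            if i == index and hmac.compare_digest(tag, mac(key, msg)):
                self.accepted.append(msg)
        self.pending = [p for p in self.pending if p[0] > index]
        return True

def demo():
    chain = make_chain(b"constructed-seed", 4)  # constructed sample values
    node, msg = Receiver(chain[0]), b"route-update:parent=base"
    fresh = node.on_packet(1, 1, msg, mac(chain[1], msg))   # sent in interval 1
    node.on_key(1, chain[1])                                # K_1 disclosed later
    replay = node.on_packet(2, 1, msg, mac(chain[1], msg))  # replayed in interval 2
    bogus = node.on_key(2, b"\x00" * 32)                    # key not on the chain
    return fresh, replay, bogus, node.accepted
```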
30
Conclusions
End-to-end security mechanisms between a sensor node and a base station unlikely to guarantee integrity, authenticity, and confidentiality of messages
Link layer security not enough to protect against insider attacks
The routing protocol itself must be secure
31
Conclusions
• Protection against the replay of data packets should not be a security goal of a routing protocol
• Sinkhole attacks and wormholes are a significant challenge
  • Wormholes are hard to detect because they use private, out-of-band channel invisible to the underlying network
  • Sinkholes are difficult to defend against because they leverage hard to verify information such as remaining energy
  • Protocols that construct topology initiated by a base station are most vulnerable
  • Geographic routing protocols are resistant
• Crucial to design routing protocols in which these attacks are meaningless
32
Conclusions
• Geographic routing relatively secure against wormhole, sinkhole, and Sybil attacks
  • Traffic naturally routed toward the physical location of a base station
The main remaining problem is that location information must be trusted
Restricting the structure of the topology eliminates the need for nodes to advertise their locations
If nodes are arranged in a grid every node can easily derive its neighbors’ locations
33
Conclusions
Clustering protocols like LEACH may yield the most secure solutions against node compromise and insider attacks
Virtual base stations can be used to create an overlay network
34
Future Work
How the feature of autonomic computing can be applied to WSNs to improve security [11,12]
Self-healing in WSNs [13]
35
References
1. J. S. Donath, “Identity and Deception in the Virtual Community”, Communities in Cyberspace, Routledge, 1998.
2. J.R. Douceur, The Sybil attack, in: 1st International Workshop on Peer-to-Peer Systems (IPTPS 02), 2002.
3. L. Zhou, Z. Haas, Securing ad hoc networks, IEEE Network Magazine 13 (6) (1999) 24–30.
4. F. Stajano, R.J. Anderson, The resurrecting duckling: security issues for ad-hoc wireless networks, in: Seventh International Security Protocols Workshop, 1999, pp. 172–194.
5. Y. Xu, J. Heidemann, D. Estrin, Geography-informed energy conservation for ad hoc routing, in: Proceedings of the Seventh Annual ACM/IEEE International Conference on Mobile Computing and Networking, 2001.
6. C. Intanagonwiwat, R. Govindan, D. Estrin, Directed diffusion: a scalable and robust communication paradigm for sensor networks, in: Proceedings of the Sixth Annual International Conference on Mobile Computing and Networks (Mobi-COM 00), 2000.
7. C. Karlof and D. Wagner, "Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures," in IEEE SPNA, 2002
36
References
8. F. Ye, A. Chen, S. Lu, L. Zhang, A scalable solution to minimum cost forwarding in large sensor networks, in: Tenth International Conference on Computer Communications and Networks, 2001, pp. 304–309.
9. W.R. Heinzelman, A. Chandrakasan, H. Balakrishnan, Energy-efficient communication protocol for wireless microsensor networks, in: 33rd Annual Hawaii International Conference on System Sciences, 2000, pp. 3005–3014.
10. Deepak Ganesan, Ramesh Govindan, Scott Shenker, Deborah Estrin, Highly-resilient, energy-efficient multipath routing in wireless sensor networks, in: Proceedings of the 2nd ACM International Symposium on Mobile Ad Hoc Networking & Computing, 2001, pp. 251-254.
11. http://s3lab.cs.okstate.edu/projects/CIP-WSN/
12. http://www.cse.msu.edu/~mckinley/920/Spring-2006/920-reading-final.html
13. Tatiana Bokareva, Nirupama Bulusu, Sanjay Jha, SASHA: Toward a Self-Healing Hybrid Sensor Network Architecture. Retrieved from http://web.cecs.pdx.edu/~nbulusu/papers/emnets.pdf on March 2, 2008.
14. Brad Karp, H.T. Kung, GPSR: Greedy Perimeter Stateless Routing for Wireless Networks, Retrieved March 4, 2008 from http://www.eecs.harvard.edu/~htk/publication/2000-mobi-karp-kung.pdf