Security in Wireless Ad Hoc and Sensor Networks

Erdal Cayirci

Electrical Engineering & Computer Science Department, University of Stavanger, Stavanger, Norway

Head, CAX Support Branch, NATO Joint Warfare Centre, SMC4 Division, Stavanger, Norway

Copyright © Erdal Cayirci, 2010


Outline

• Introduction

• Wireless Ad Hoc, Sensor and Mesh Networks

• Security Mechanisms

• Conclusion

Text Book

Security in Wireless Ad Hoc and Mesh Networks

Erdal Cayirci, Chunming Rong

ISBN: 978-0-470-02748-6

Publisher: Wiley and Sons

Copyright: 2009

Published: March 23, 2009

Introduction

Taxonomy

Infrastructureless Infrastructured

Ad hoc

Sensor

Mesh

Local

Wide area

Taxonomy

High Tier Low Tier

Terrestrial

Satellite

Aerial

Another approach: licensed vs. unlicensed

Cellular Paradigm

- infrastructured

- single hop

source

destination

Ad Hoc Paradigm

source

destination

- infrastructureless

- multihop

Ad Hoc Network Applications

• Temporary network deployment

• Disaster relief operations

• Smart buildings

• Cooperative objects (COs)

• Health care

Ad Hoc Networking Challenges

• Wireless medium

• Interference, Hidden Terminal and Exposed Terminal

• Mobility, Node Failures, Self-forming, Self-configuration, Topology Maintenance, Routing and Self-healing

• Node Localization and Time Synchronization

• End-to-end Reliability and Congestion Control

Hidden and Exposed Terminals

[Figure: two panels. Nodes a, b, c with data transmissions: hidden terminal, primary interference. Nodes a, b, c, d with data transmissions: exposed terminal, overhearing.]

Wireless Sensor and Actuator Networks

[Figure legend: sensor node (snode), actuator (anode), collector (cnode), gateway (gnode), wireless link. Other labels: Task Manager, Users, Proxy Server, Internet, Satellite, etc.]

Wireless sensor and actuator network applications

• Military

• Environmental

• Health

• Home

• Disaster relief

• Space exploration

• Chemical processing

• Other commercial

Fault Tolerance

• Ability to sustain sensor network functionality without any interruption.

• Protocols and schemes should be designed with the target level of fault tolerance.

Scalability

• May reach millions of sensor nodes in studying a phenomenon or stimuli.

• Schemes tend to form clusters.

• Each cluster may have a coverage area of less than 10 meters.

• Each cluster may have several to hundred sensor nodes.

• Density of sensor nodes is high.

Scalability (Cont’d)

• Cluster density:

$$\mu(R) = \frac{N \cdot \pi R^2}{A}$$

N : total number of sensor nodes

R : the range of a sensor

A : the area covered by a sensor

N. Bulusu, D. Estrin, L. Girod, and J. Heidemann, “Scalable Coordination for Wireless Sensor Networks: Self-Configuring Localization Systems,” International Symposium on Communication Theory and Applications, Ambleside, UK, July 2001.

Scalability (Cont’d)

• Military Force Tracking System: Less than 50 sensor nodes in a squad, up to 500 nodes in a company.

• Crisis Response Management System: Up to 20 million nodes in a city like Istanbul.

• Underwater Surveillance System: Up to 5 hundred nodes for a region 500m×500m.

Production Cost

Nodes must be cheap enough to be scalable.

Sensor Node Hardware

[Figure: block diagram with Power Unit, Power Generator, Sensors, ADC, Processor, Memory, Transceiver, Location Finding System, Mobilizer, Other Interfaces]

• Small,

• Low cost (dispensable),

• Low power,

• Low bit rate,

• Low memory capacity,

• Limited computational power.

Sensor Nodes

Mica2

Telos

Genetlab SenseNode

Sensor Nodes

| | 1980’s-1990’s | 2000-2003 | 2010 |
|---|---|---|---|
| Manufacturer | custom contractors | Crossbow, Sensoria, Ember, Genetlab, etc | Dust, Inc, and others |
| Size | large shoe box | small shoe box | dust particle |
| Weight | kilograms | grams | negligible |
| Architecture | separate sensing, proc., comm. units | integrated | integrated |
| Topology | point-to-point, star | client server, peer-to-peer | peer-to-peer |
| Power supply | large batteries; hours, days, longer | AA batteries; days-to-weeks | solar; months-to-years |
| Deployment | vehicle placed or air drop single sensors | hand-emplaced | embedded, sprinkled left behind |

C. Chong, S.P. Kumar, “Sensor Networks: Evolution, Opportunities, and Challenges,” Proceedings of IEEE, Vol. 91, No. 8, August 2003.

Topology in sensor and actuator networks

[Figure: three panels, each with nodes a, b, c, d. Panel titles: Sensor networks; Semi-automated sensor & actuator networks; Automated sensor & actuator networks. Traffic labels: many-to-one, one-to-many; many-to-one, one-to-many; many-to-many. Legend: sensor node, actuator, collector, gateway, wireless link.]

Power Consumption

• Network lifetime depends on battery lifetime

• Generally irreplaceable

• Limited battery (~1 V)

Power Consumption

• In sensor networks, power conservation is of utmost importance.

• Hence, novel power-aware protocols and algorithms are needed.

• In sensor & actuator networks, end-to-end propagation delay may become a parameter conflicting with power consumption in some real-time applications.

• Hence, tradeoff mechanisms between power consumption and end-to-end delay are needed for some sensor & actuator network applications.

• Issues related to battery recovery rate must also be taken into account.

Three Domains of Power Consumption

• Communications

• Data Processing

• Sensing

Power Consumption in Communications

• Transmission and reception energy costs are nearly the same.

• Transceiver circuitry has both active and start-up power consumption.

• Sensors communicate in short data packets.

• Start-up power starts dominating as packet size is reduced.

• Cannot blindly turn off the transceiver during idling.

• Path-loss slope is around four due to low lying antenna.

Power Consumption in Data Processing

• This is much less than the power consumption in communications.

For example, a 100 million instructions per second processor can execute 3 million instructions for the energy cost of transmitting 1 KB over a distance of 100 m.

• Therefore, local data processing is crucial in minimizing power consumption in a wireless sensor network.

• However, the energy cost of data processing is not negligible.

Power Consumption in Sensing

Depends on

• The type of sensor:

- microsensors: active or passive

- cameras, etc.

• Nature of sensing: sporadic or constant

• Detection complexity

• The interface between the processor and sensors

Mesh Networks

[Figure labels: Cellular, Wireless LAN, Internet, Mesh Client, Mesh Router, Backbone Mesh, Access Mesh]

Mesh Network Applications

• Broadband home networking

• Community and neighborhood networking

• Enterprise networking

• Transportation systems

• Building automation and control networks

Mesh Networking Challenges

• Broadband communications

• Quality of service requirements

Tactical Communications

[Figure labels: external network, wide area subsystem, local area subsystem, local area network, mobile subsystem. Legend: radio access point, mobile radio, local area subsystem terminal, wide area subsystem node, wireless communications, non-wireless communications.]

Mobile Subsystem

[Figure: tiers of the mobile subsystem. MRT: MR tier; RAPT: RAP tier; UAVT: UAV tier; SATT: SAT tier. Legend: mobile radio (MR), cluster head MR, relaying MR, radio access point (RAP), unmanned aerial vehicle (UAV), satellite (SAT), satellite ground terminal antenna.]

Tactical Communications Challenges

• Multimedia communications

• Multi-tier networking

• Mobile networking

• Mobile and rapidly deployable infrastructure

• Survivable infrastructure

• Tailorable infrastructure

• Multi-functional infrastructure

Tactical Communications Challenges

• Modular infrastructure

• Flexible infrastructure

• Both terrestrial and non-terrestrial networking

• Horizontal and vertical communications ability

• High circuit quality and wide bandwidth

• Secure networking

• Real-time and batch networking

• Ability to operate in all weather and terrain conditions

Factors Influencing the Design

| Factor | Ad Hoc | Mesh | Sensor & Actuator |
|---|---|---|---|
| Wireless medium | ISM | ISM | ISM, acoustic, low lying antenna |
| Networking regime | random one-to-one | random one-to-one, gateway nodes | one-to-many, many-to-one, many-to-many |
| Traffic | random, multimedia | random, multimedia | temporally and spatially correlated, data |
| QoS requirements | bandwidth, delay, jitter, reliability | bandwidth, delay, jitter, reliability | power consumption, delay, reliability |
| Mobility | mobile | typically fixed | generally fixed, network mobility |
| Fault tolerance | typically no critical point of failure | critical points of failure | critical points of failures, high fault tolerance requirements |
| Operating environment | typical day to day environment | typical day to day environment | hostile and harsh, often unreachable |
| Power efficiency | not very critical | not critical | very critical |
| Scalability | order of hundreds | order of tens | order of thousands |
| Hardware constraints | laptops, PDAs | no constraint | tiny, low processing and memory capacity |
| Production cost | no hard constraints | no hard constraints | must be cost effective |

Challenges in Practice

[Photo labels: Solar Panel, High Gain GPRS Antenna, Outdoor PIR’s, Outdoor Panel]

Challenges in Practice

Wireless Medium

Channel Capacity

Nyquist

C = 2 B log2 M

where

C is capacity in bits per second (bps),

B is bandwidth in hertz (Hz),

M is the number of discrete signal levels.

Shannon

C = B log2 (1 + SNR)

SNRdB = 10 log10 (SNR)

Electromagnetic Spectrum

[Figure: frequency axis from 10^2 to 10^15 Hz (hertz, kilohertz, megahertz, gigahertz, terahertz) and wavelength axis from 10^6 to 10^-6 m. Bands: ELF, VF, VLF, LF, MF, HF, VHF, UHF, SHF, EHF. Regions: power and telephone, radio, microwave, infrared, visible light. Media and services: twisted pair, coaxial cable, AM radio, FM radio and TV, terrestrial and satellite, optical fiber.]

Wavelength = c / f

Antennas

[Figure: two panels, each with points A and B. Panel titles: Omnidirectional (isotropic) Antenna; Directional (isotropic) Antenna.]

Antenna gain is a measure of the directionality of an antenna. Antenna gain is defined as the power output in a particular direction compared to that produced in any direction by a perfect omnidirectional antenna.

Antennas

[Figure: half-wave dipole (Hertz antenna) of length λ/2 with feeding gap and collinear conductor; quarter-wave dipole (Marconi antenna) of length λ/4; parabolic reflective antenna]

Propagation Modes

• Ground wave: f < 2 MHz

• Sky wave: 2 MHz < f < 30 MHz

• Line of sight: 30 MHz < f

[Figure label: Ionosphere]

Line of Sight

[Figure: two antennas of heights h1 and h2, with distances d1 and d2 and range r]

$$d_1 = 3.57\sqrt{k h_1}$$

where k is an adjustment factor and generally assumed to be 4/3

$$r = 3.57\left(\sqrt{k h_1} + \sqrt{k h_2}\right)$$

Satellite Orbits

| Type | Latency (ms) | Satellites needed |
|---|---|---|
| GEO | 270 | 3 |
| MEO | 35-85 | 10 |
| LEO | 1-7 | 50 |

[Figure: altitude axis (km) with ticks at 0, 5,000, 15,000, 20,000 and 35,800; the upper and lower Van Allen belts are marked]

The Principal Satellite Bands

| Band | Frequency range | User |
|---|---|---|
| L-band | 1530 - 1650 MHz | Inmarsat, air and sea traffic. Meteorological services. |
| S-band | 2535 - 2655 MHz | Downlink for communication satellites. For example ArabSat and Insat. |
| C-band | 3700 - 4200 MHz | Downlink for communication satellites. Most satellites in America, Asia and Africa. |
| C-band | 4500 - 4800 MHz | Downlink for military satellites. |
| C-band | 5900 - 7000 MHz | Uplink for military and communication satellites. |
| X-band | 7200 - 7750 MHz | Military satellites, NATO. |
| X-band | 7900 - 8400 MHz | Uplink military satellites. |
| Ku-band 1 | 10.700 - 11.750 GHz | Downlink for FSS |
| Ku-band 2 | 11.750 - 12.500 GHz | Downlink DBS |
| Ku-band 3 | 12.500 - 12.750 GHz | Downlink for Telecom range |
| Ku-band | 12.750 - 13.250 GHz | Uplink for telecommunication satellites. |
| Ku-band | 14.000 - 14.800 GHz | Uplink for telecommunication satellites. |
| Ku-band | 17.300 - 18.100 GHz | Uplink for telecommunication satellites. |
| Ka-band | 18.300 - 21.200 GHz | Rarely used. Kopernicus satellites have one of these transponders. Used for some transmissions. In the future it will be more in use because the whole Ku band will be used completely. |
| K-band | 27.500 - 31.000 GHz | Uplink for future telecommunication satellites. |

Free Space Loss

$$\frac{P_t}{P_r} = \frac{(4\pi d)^2}{\lambda^2} = \frac{(4\pi f d)^2}{c^2}$$

where

Pt = signal power at the transmitting antenna

Pr = signal power at the receiving antenna

λ = carrier wavelength

d = propagation distance between antennas

c = speed of light (3 × 10^8 m/s)

$$L_{dB} = 10\log\frac{P_t}{P_r} = 20\log\left(\frac{4\pi f d}{c}\right) = 20\log(f) + 20\log(d) - 147.56\ \text{dB}$$

Noise

• Thermal noise

  • N0 = kT (W/Hz)

    where k is Boltzmann’s constant (1.3803 × 10^-23 J/K) and T is absolute temperature in kelvins.

  • N = kTB

  • NdBW = -228.6 + 10 log T + 10 log B dBW

• Intermodulation noise

• Crosstalk

• Impulse noise

$$\frac{E_b}{N_0} = \frac{S/R}{N_0} = \frac{S}{kTR}$$

$$\left(\frac{E_b}{N_0}\right)_{dB} = S_{dBW} - 10\log R + 228.6 - 10\log T$$

Atmospheric Absorption

• Water vapour and oxygen contribute to attenuation.

• A peak attenuation occurs in the vicinity of 22 GHz.

• At frequencies less than 15 GHz, the attenuation is less.

• Rain and fog cause scattering.

Multipath

Reflection

Scattering

Diffraction

Fading

[Figure: amplitude (dBm, axis from -130 to -80) versus position (m, axis from 0 to 30), showing slow and fast fading]

Flat (nonselective) fading affects the different spectral components equally. Selective fading affects them unequally.

Directional and Smart Antennas

a. Switched beam.

b. Adaptive.

mobile node

mobile node

Software Radios

• Analog to digital conversion (ADC) as close to the antenna as possible

• Generic hardware

• Software implementation of the digital processes

Cognitive Radios

Software radios provide the base to realize cognitive radios that can

- observe the available spectrum and

- choose dynamically the frequency and other parameters to operate.

Data Link Layer

Medium Access and Error Control

Multiple Access Schemes

Categories shown: Contention Based Schemes, Conflict Free Schemes, Hybrid

Contention based:

- Aloha

- Slotted Aloha

- Carrier Sense Multiple Access (CSMA)

- CSMA / Collision Detection

- CSMA / Collision Avoidance

Reservation Based: Packet Reservation Multiple Access, Resource Auction Multiple Access, Dynamic TDMA

Token Based: Packet Reservation Multiple Access, Resource Auction Multiple Access, Dynamic TDMA

Fixed Allocation: Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA)

ALOHA and Slotted ALOHA

• ALOHA

  • Start transmitting whenever you have a frame to send.

  • Retransmit if the transmission is unsuccessful.

• Slotted ALOHA

  • Wait until the beginning of the first time slot for transmission.

[Figure: time axis divided into time slots]

Carrier Sense Multiple Access (CSMA)

• Non-persistent CSMA

  • Sense the media, and access if there is no other transmission on the media.

  • If the channel is already in use, wait a random period and then repeat the algorithm.

• P-Persistent CSMA

  • The probability that a node accesses the media when no other transmission is sensed is equal to p.

  • If the channel is already in use, the probability that the node accesses the media in the next time slot is again equal to p.

Hidden and Exposed Terminals

[Figure: two panels. Nodes a, b, c with data transmissions: hidden terminal, primary interference. Nodes a, b, c, d with data transmissions: exposed terminal, overhearing.]

MACAW

Multiple Access with Collision Avoidance Wireless (MACAW)

[Figure: nodes a to h; message sequence between a and b: Request to Send (RTS), Clear to Send (CTS), Data, Acknowledgement]

V. Bharghavan, A. Demers, S. Shenker, L. Zhang, "MACAW: A Media Access Protocol for wireless LAN’s", in Proceedings of ACM SIGCOMM’94, pp. 212-225, 1994.

IEEE 802.11

IEEE 802.11 Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA)

Distributed Coordination Function (DCF)

[Figure: timing diagram between source and destination showing DIFS, RTS, SIFS, CTS, SIFS, DATA, SIFS, ACK, with the label "Network Allocation Vector (NAV): Defer access"]

DIFS: DCF Interframe Space

SIFS: Short Interframe Space

IEEE 802.11 (Cont’d)

IEEE 802.11 Distributed Coordination Function (DCF)

[Figure labels: transmission range, carrier sensing range, carrier sensing zone, Extended Interframe Space]

RTS, CTS frames and inter frame spaces introduce:

• additional overhead and

• additional delay.

Conflict Free Multiple Access Schemes

1. Frequency Division Multiple Access: Channel = Frequency

2. Time Division Multiple Access: Channel = Frequency + Time Slice

3. Code Division Multiple Access: Channel = Code

[Figure: spectrum usage under FDMA, TDMA and CDMA, with channels numbered 1 to 9 repeating]

CDMA

1. Frequency Hopping CDMA (FH-CDMA)

   a. Slow Hopping

   b. Fast Hopping

2. Direct Sequence CDMA

FH-CDMA

Process Gain

PG = 10 log N (dB)

where N is the number of frequency channels used.

DS-CDMA spreading process

[Figure: signal spectra through spreading and despreading. Labels: Data, PN, Spread data, Noise.]

DS-CDMA spreading process

[Figure: Data (in data (bit) rate) combined with PN gives Spread Data (in chip rate); Spread Data (in chip rate) combined with PN gives Data (in data (bit) rate)]


DS-CDMA Spreading Process

Rp = chip transfer rate

Bc = Rb

Bss = Rp

[Figure: DS-CDMA transmitter (Tx) and receiver (Rv) block diagram; labels: data x(t), spreading code G(t), S(t), St(t), f0, Rb, ST(t-Td), S(t-Td), spreading code G(t-Td), correlator]


DS-CDMA

Process Gain

PG = 10 log10(Bss/B) (dB)

where B is the bandwidth required for the data rate, and Bss is the bandwidth over which the signal is spread.


CDMA Codes

A spread spectrum code in DS-CDMA is a bit sequence (a sequence of 1s and -1s):

-1 -1 -1 1 -1 -1 1 1 -1 1 -1 1 1 1 1

CDMA sequences can be categorized as
- Pseudo Noise (PN) sequences
  - Short codes
  - Long codes
- Orthogonal codes


Properties of Pseudo Noise Sequences

Balance property: The difference between the number of 1s and the number of -1s in a pseudonoise sequence cannot be higher than one.

-1 -1 -1 1 -1 -1 1 1 -1 1 -1 1 1 1 1

(15 chips, 7 of them are -1s, and 8 of them are 1s.)

Run property: 50% of runs must be -1 runs, and the other 50% must be 1 runs, and 1/2^n of runs must be n length runs.

-1 -1 -1 1 -1 -1 1 1 -1 1 -1 1 1 1 1

(8 runs, 4 of them are -1 runs, and 4 of them are 1 runs.)

Auto-correlation property: The number of chips that are the same differs from the number of chips that are different by at most 1 when a pseudonoise sequence is compared chip by chip with any cyclic shift of itself.


Auto-correlation

Auto-correlation is the correlation of a code with any cyclic shift of itself.

$$C_k = \sum_{n=1}^{N} a_n a_{n+k}$$

where the index n+k wraps around cyclically.

Example: -1 -1 1 1 -1 1 -1, N=7

C0 = 7 and C7 = 7

C1 = 1 - 1 + 1 - 1 - 1 - 1 + 1 = -1

C2 = -1 - 1 - 1 + 1 + 1 - 1 + 1 = -1

C3 = -1 + 1 + 1 - 1 + 1 - 1 - 1 = -1

C4 = 1 - 1 - 1 - 1 + 1 + 1 - 1 = -1

C5 = -1 + 1 - 1 - 1 - 1 + 1 + 1 = -1

C6 = 1 + 1 - 1 + 1 - 1 - 1 - 1 = -1


Linear Maximal Length Sequence Generator

[Figure: four-stage shift register X1 X2 X3 X4 holding 1 -1 -1 -1, with an OUTPUT tap]

OUTPUT: -1 -1 -1 1 -1 -1 1 1 -1 1 -1 1 1 1 1

p = 2^n - 1

where p is the length of the sequence and n is the number of bits in the shift register.
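The generator and the three pseudonoise properties can be checked mechanically. The following Python is an added example, not taken from the slides; the feedback taps (X3 XOR X4) and the mapping of bit 0 to chip -1 are assumptions, chosen because they reproduce the OUTPUT line of the four-stage register.

```python
from itertools import groupby

# OUTPUT line of the four-stage generator and the 7-chip auto-correlation example.
SLIDE_OUTPUT = [-1, -1, -1, 1, -1, -1, 1, 1, -1, 1, -1, 1, 1, 1, 1]
SEVEN_CHIPS = [-1, -1, 1, 1, -1, 1, -1]


def lfsr_sequence(state=(1, 0, 0, 0), taps=(2, 3)):
    """Clock a shift register for p = 2^n - 1 steps and return the +/-1 chips.

    state: contents of X1..Xn as bits (1 0 0 0 stands for 1 -1 -1 -1).
    taps:  0-based stages XORed into the feedback. (2, 3) = X3 xor X4 is an
           ASSUMPTION: it is the wiring that reproduces the OUTPUT line.
    """
    if not any(state):
        raise ValueError("an all-zero register never leaves the zero state")
    reg = list(state)
    chips = []
    for _ in range(2 ** len(reg) - 1):
        chips.append(1 if reg[-1] else -1)   # output is the last stage Xn
        feedback = 0
        for t in taps:
            feedback ^= reg[t]
        reg = [feedback] + reg[:-1]          # shift right, feedback enters X1
    return chips


def autocorrelation(a, k):
    """C_k = sum over n of a_n * a_(n+k), with the index wrapping cyclically."""
    n_chips = len(a)
    return sum(a[n] * a[(n + k) % n_chips] for n in range(n_chips))


def cyclic_runs(a):
    """Return (chip, length) runs, merging a run that wraps past the end."""
    runs = [(chip, len(list(group))) for chip, group in groupby(a)]
    if len(runs) > 1 and runs[0][0] == runs[-1][0]:
        runs[0] = (runs[0][0], runs[0][1] + runs[-1][1])
        runs.pop()
    return runs


def check_pn(a):
    """Evaluate the balance, run and auto-correlation properties of a sequence."""
    runs = cyclic_runs(a)
    total = len(runs)
    balance = abs(sum(a)) <= 1
    # Half of the runs are -1 runs, and 1/2^n of the runs have length n
    # (tested for every n where that fraction is at least one whole run).
    run_ok = 2 * sum(1 for chip, _ in runs if chip == -1) == total
    n = 1
    while total >> n:
        if sum(1 for _, length in runs if length == n) != total >> n:
            run_ok = False
        n += 1
    auto_ok = all(abs(autocorrelation(a, k)) <= 1 for k in range(1, len(a)))
    return {"balance": balance, "run": run_ok, "autocorrelation": auto_ok}


if __name__ == "__main__":
    seq = lfsr_sequence()
    print(seq == SLIDE_OUTPUT, check_pn(seq))
    print([autocorrelation(SEVEN_CHIPS, k) for k in range(8)])
    # Taps X2 xor X4 give a period of 6, not 15, and fail the checks.
    print(check_pn(lfsr_sequence(taps=(1, 3))))
```

With taps that do not give a maximal length sequence, such as X2 XOR X4, the register repeats after 6 chips and the balance check fails.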


Short and Long Codes

• Short codes can generally be transferred in the duration of a symbol. In IS-95, the length of short codes is 2^15-1, and they can be transferred in 26.67 seconds when chip rate is 1.2888 Mcps. They are generally used in downlink to identify cells or location areas in cellular networks.

• In IS-95, the length of long codes is 2^42-1, and they can be transferred in 44.5 days when chip rate is 1.2888 Mcps. They are generally used in uplink to identify mobile terminals.


# of Terminals that can Share a Sequence

• A good pseudonoise sequence is different enough from any shifted version of itself. Shifting by only one chip is enough to obtain a pseudonoise sequence different from the original. However, the difference between the pseudonoise sequences assigned to different terminals must be high enough to compensate for the differences in propagation delays.

Example (distance of 15.6 km):

Chip rate = 3.6864 Mcps

# of bits in the maximal length code generator: n = 15

The length of the sequence: p = 2^15 - 1 = 32767

The delay for 15.6 km: td = 15.6/300000 = 0.052 msec

# of chips that can be transferred in td: s = 0.052 × 3,686.4 = 192 chips

# of available codes: d = 32,767/192 = 170


Orthogonal Codes

• Orthogonal codes are used for channelization in downlink.

• Their autocorrelation is generally very low.

• However, their cross correlation is 0.


Cross-correlation

Cross-correlation is the correlation of a code with all of the shifted versions of another code.

$$R_k = \sum_{n=1}^{N} a_n b_{n+k}$$

where the index n+k wraps around cyclically.

Example: a = { -1 1 -1 1 }, N=4

b = { -1 -1 1 1 }, N=4

R0 = 0 and R4 = 0

R1 = 1 + 1 - 1 - 1 = 0

R2 = -1 + 1 + 1 - 1 = 0

R3 = -1 - 1 + 1 + 1 = 0


Walsh Hadamard Codes

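$$H_1 = \begin{bmatrix} 0 \end{bmatrix}, \qquad H_2 = \begin{bmatrix} 0 & 0 \\ 0 & 1 \end{bmatrix}, \qquad H_{2n} = \begin{bmatrix} H_n & H_n \\ H_n & \overline{H_n} \end{bmatrix}$$

$$H_4 = \begin{bmatrix} 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 1 \\ 0 & 1 & 1 & 0 \end{bmatrix}$$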
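The recursion for H_2n and the cross-correlation sum R_k can be exercised together. This Python is an added example, not from the slides; it maps 0 to -1 and 1 to 1 (an assumption consistent with the a and b codes of the cross-correlation example) and also reports the correlation at non-zero shifts, where some Walsh pairs are no longer orthogonal, so the zero cross-correlation depends on chip-aligned transmission such as the downlink.

```python
def walsh_hadamard(order):
    """Build H_order from H_1 = [0] with H_2n = [[H_n, H_n], [H_n, not H_n]]."""
    if order < 1 or order & (order - 1):
        raise ValueError("order must be a power of two")
    h = [[0]]
    while len(h) < order:
        top = [row + row for row in h]
        bottom = [row + [1 - bit for bit in row] for row in h]
        h = top + bottom
    return h


def to_chips(row):
    """Map the 0/1 entries of a code to -1/+1 chips."""
    return [1 if bit else -1 for bit in row]


def cross_correlation(a, b, k):
    """R_k = sum over n of a_n * b_(n+k), with the index wrapping cyclically."""
    n_chips = len(a)
    return sum(a[n] * b[(n + k) % n_chips] for n in range(n_chips))


def zero_shift_orthogonal(h):
    """True when every pair of distinct rows has R_0 = 0 (chip-aligned case)."""
    rows = [to_chips(r) for r in h]
    return all(
        cross_correlation(rows[i], rows[j], 0) == 0
        for i in range(len(rows))
        for j in range(i + 1, len(rows))
    )


def worst_shifted_pair(h):
    """Return (i, j, k, R_k) with the largest |R_k| over distinct rows and k != 0."""
    rows = [to_chips(r) for r in h]
    n = len(rows)
    candidates = (
        (i, j, k, cross_correlation(rows[i], rows[j], k))
        for i in range(n)
        for j in range(i + 1, n)
        for k in range(1, n)
    )
    return max(candidates, key=lambda item: abs(item[3]), default=None)


if __name__ == "__main__":
    h4 = walsh_hadamard(4)
    for row in h4:
        print(row)
    a, b = to_chips(h4[1]), to_chips(h4[2])      # the a and b of the example
    print([cross_correlation(a, b, k) for k in range(5)])
    print(zero_shift_orthogonal(walsh_hadamard(8)))
    print(worst_shifted_pair(h4))                # a misaligned pair that collides
```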


Variable Length Orthogonal Codes

[Figure: variable length orthogonal code tree]


The Advantages of CDMA

• CDMA has a soft capacity limited by interference. A decrease in interference directly increases the capacity:
  • Voice channels are generally utilized 3/8 of the time.
  • Multi-beamed and multisectored antennas can reduce the interference.

• In FDMA and TDMA, some capacity between frequency channels is wasted.

• In CDMA, all the frequencies can be reused in the neighboring cells.

• In FDMA and TDMA, the frequency channel must be changed during handoff, i.e., hard handoff. This is not necessary in CDMA, i.e., soft handoff.

• CDMA needs power control, which actually decreases the interference and increases the capacity.

• CDMA naturally provides frequency diversity, which means additional security and reliability, especially for military systems.


The Capacity of CDMA

BSMSN

RS

NEb

)(0

where
S is the power of the signal at the receiver
R is the bit rate of the channel (bps)
N is the number of channels used for the voice traffic
is the voice activity factor for the voice channels
M is the number of channels used for the constant bit rate traffic
is all the other noise over the media
B is the bandwidth of the channels (Hz).


The Capacity of CDMA

SMNR

B

NEb

)(0

N+M = (B/R) / (Eb/N0)

N = (((B/R) / (Eb/N0)) -1) / when only voice

N = (((B/R) / (Eb/N0)) -1) / ( + 0.247) when remote cell interference applied


Example

B: 5 MHz, BFDMA: 30 kHz, BTDMA: 200 kHz

Eb/N0: 5, =3/8, R: 9.6 kbps

nt: 8 (# of time slots in each TDMA frame)

: 4 (frequency reuse factor)

no gaps between frequency channels, all voice channels,

SOFT

For CDMA: N = (((5000000/9600) / 5) - 1) / (3/8 + 0.247) = 166 voice channels

For TDMA: N = ((5000000/200000)/4) × 8 = 50 voice channels

For FDMA: N = (5000000/30000)/4 = 42 voice channels


Token Based Dynamic Conflict Free Schemes

[Figure: token passing]


Multiple Access Schemes

Contention Based Schemes
- Aloha
- Slotted Aloha
- Carrier Sense Multiple Access (CSMA)
- CSMA / Collision Detection
- CSMA / Collision Avoidance

Conflict Free Schemes

Hybrid

Reservation Based
- Packet Reservation Multiple Access
- Resource Auction Multiple Access
- Dynamic TDMA

Token Based
- Packet Reservation Multiple Access
- Resource Auction Multiple Access
- Dynamic TDMA

Fixed Allocation
- Frequency Division Multiple Access (FDMA)
- Time Division Multiple Access (TDMA)
- Code Division Multiple Access (CDMA)


Reservation Based Dynamic Conflict Free Schemes

- Packet Reservation Multiple Access – PRMA

- Dynamic TDMA – DTDMA

- Resource Auction Multiple Access – RAMA


Reservation Based Hybrid Schemes

PRMA: a frame of S slots (R: reserved slots, A: available slots)

R A A ............................. R

D-TDMA: Sr reservation slots, Sv voice slots (1 2 3 ... Sv) and Sd data slots, with a variable border

RAMA: Sa auction slots, Sv voice slots (1 2 3 ... Sv) and Sd data slots, with a variable border


Reservation Based Hybrid Schemes

[Figure: auction slot timing on the uplink and downlink, showing auction and allocation over time; labels: Ts, Td, bit transfer time, propagation and processing delay]


MAC for Ad Hoc and Sensor Networks


CSMA-based MACs

• Contention based medium access

• Traditional CSMA schemes are inappropriate
  • Assume stochastically distributed traffic
  • Support point-to-point independent flows

• Traffic in sensor networks is
  • Highly correlated
  • Dominantly periodic
  • Variable


Other CSMA-based MACs for Ad Hoc Networks

Piconet: F. Bennett, D. Clarke, J.B. Evans, A. Hopper, A. Jones, and D. Leask, “Piconet: Embedded mobile networking”, IEEE Personal Communications Magazine, vol. 4, no. 5, pp. 8–15, Oct. 1997.

Tseng et al.: Y. Tseng, C. Hsu, and T. Hsieh, “Power-saving protocols for IEEE 802.11-based multi-hop ad hoc networks”, in Proceedings of the IEEE Infocom, New York, NY, June 2002, pp. 200–209.

SEEDEX: R. Rozovsky and P.R. Kumar, “Seedex: A MAC protocol for ad hoc networks”, in Proceedings of the 2nd ACM International Symposium on Mobile ad hoc networking and computing, pages 67-75, New York, NY, USA, 2001. ACM Press.

RBAR: G. Holland, N. Vaidya, and P. Bahl, “A rate-adaptive MAC protocol for multi-hop wireless networks”, in Proceedings of ACM MOBICOM'01, Rome, Italy, 2001.

OAR: B. Sadeghi, V. Kanodia, A. Sabharwal, and E. Knightly, “Opportunistic Media Access for Multirate Ad Hoc Networks”, in Proceedings of ACM MobiCom'02, Atlanta, GA, September 2002.

Woo & Culler: A. Woo and D. Culler, “A transmission control scheme for media access in sensor networks”, in Proceedings of the ACM/IEEE International Conference on Mobile Computing and Networking, Rome, Italy, July 2001, pp. 221–235, ACM.


Sensor MAC (S-MAC)

W. Ye, J. Heidemann, and D. Estrin, “An energy-efficient MAC protocol for wireless sensor networks”, in Proceedings of the IEEE Infocom, New York, NY, June 2002, pp. 1567–1576.

• Each node obeys its neighbors’ schedule if one was heard, otherwise chooses and broadcasts one

• Schedule table is maintained locally and updated after receiving SYNC packets

• Sleep period does not hinder a transmission

[Figure: S-MAC schedule alternating Listen and Sleep periods; each Listen period carries SYNC and RTS, CTS]


Sensor MAC (S-MAC)

• Collision avoidance: similar to 802.11 DCF

• Overhearing: duration field of the packets

• Idle listening: low-duty cycle and virtual clusters

• Required synchronization is embedded at the start of the listen interval

• Message passing and adaptive listening techniques for optimizing the latency


Timeout MAC (T-MAC)

T. van Dam and K. Langendoen, “An Adaptive Energy-Efficient MAC Protocol for Wireless Sensor Networks”, ACM SenSys, Los Angeles, CA, November, 2003.

• Clustering and synchronization as in S-MAC

• Adaptive duty cycle to handle load variations in time and location (i.e. near the sink)

• Fixed contention interval

[Figure: T-MAC schedule alternating Sleep and variable-length Active Time periods; labels: TA, TX/RX]


Timeout MAC (T-MAC)

• Buffer capacity and time-out period “TA” are the key properties

• Solutions to the early sleeping problem:
  • Future RTS packet: to get an appointment from the intended receiver for the next available moment
  • Full buffer priority scheme: refuse an RTS and issue own RTS to empty the buffer


Power Control

Power control schemes can be classified as:

• Open Loop / Closed Loop / Combined Open and Closed Loop

• Centralized / Distributed

• RSSI-based / SIR-based / BER-based

• Continuous Power / Discrete Power

• Fixed Step Size / Adaptive Step Size

• Common Power Control / Independent Power Control


BASIC

E.-S. Jung and N.H. Vaidya, “A Power Control MAC Protocol for Ad Hoc Networks,” MOBICOM 2002, September 2002.

[Figure: nodes a to h with transmission ranges rmax and rmin]

• RTS and CTS are transmitted at the maximum power (rmax).

• DATA and ACK are transmitted at the minimum power required (rmin).

• To improve the performance of BASIC scheme, the transmission power is periodically increased while a DATA frame is being transmitted.


Power Controlled S-MAC (PCSMAC)

[Figure: nodes a to f with transmission ranges rmax, rab, rae, raf, rbc and rbd]

[Figure: Active and Sleep periods; the Active period carries SYNC, RTS, CTS, SDSH, DATA and ACK]

Both open loop and closed loop, distributed, RSSI-based, fixed step size, discrete and independent.

SYNC: rmax
RTS: open loop, max(rab, rae, raf).
CTS, ACK: open loop, max(rab, rbc, rbd).
SDSH: open loop, max(rab, rae, raf).
DATA: closed loop, rab.

P.C. Nar, E. Cayirci, “PCSMAC: A Power Controlled Sensor MAC Protocol for Wireless Sensor Networks,” EWSN 2005.


SMACS and EAR

(K.Sohrabi et al., “Protocols for Self-Organization of a Wireless Sensor Network”, IEEE Personal Communications, October 2000.)

• Each node maintains its own frame (superframe).

• Time slots are wasted if nothing to transmit.

• Uses FDMA or CDMA for multiple access.

• Neighbor discovery and channel assignment combined.

• Random wake up during connection phase.

[Figure: connection messaging; labels: TA, TB, fX, transmitting slot, receiving slot]


NAMA, LAMA, PAMA

• Contention resolution schemes for packet radio networks.

• 2-hop neighborhood awareness is essential, which requires a random access period for distributing one-hop neighbor information.

• Nodes unelected during a time slot switch to receive mode

L. Bao and J.J. Garcia-Luna-Aceves, “A new approach to channel access scheduling for ad hoc networks”, in The seventh annual international conference on Mobile computing and networking 2001, pages 210-221, 2001.


TRAMA

• Contention resolution scheme for wireless sensor networks inspired by NAMA/LAMA/PAMA

• Nodes unelected during a time slot switch to sleep mode, instead of receive mode

V. Rajendran, K. Obraczka, and J.J. Garcia-Luna-Aceves, “Energy-Efficient, Collision-Free Medium Access Control for Wireless Sensor Networks”, ACM SenSys, Los Angeles, CA, November, 2003.


EMACS

• Assumes a clustering scheme exists in the WSN.

• Each time slot = CR + TC + Data parts.

• CR: Communication Request; TC: Traffic Control

• Sleeping nodes do not own a timeslot.

• Two types of sleep mode: standby and dormant.

• Integrated, collaborative approach that is part of the EYES project.

S. Dulman, L. van Hoesel, T. Nieberg, and P. Havinga, “Collaborative communication protocols for wireless sensor networks”, European research on middleware and architectures for complex and embedded cooperative systems, workshop held in conjunction with IEEE ISADS 2003, Pisa, Italy, pp. 3-7, ISBN 0-7695-1876-1, April 2003.


Ad Hoc Networks and Network Layer


Routing

• Flooding

• Distance Vector

• Link State

[Figure: network of nodes s, r and a to m; legend: router, router or switch]


Distance Vector

[Figure: routers g, h, i, k, l and m connected by links with costs]

Table of g (previous)
Dest.  Gateway  Cost
h      h        4
i      h        10
l      h        12
k      h        9
m      h        13

Table of i (previous)
Dest.  Gateway  Cost
g      g        5
h      h        16
l      l        3
k      l        6
m      l        7

Table of g (modified)
Dest.  Gateway  Cost
h      h        4
i      i        5
l      i        8
k      h        9
m      i        12


Count to Infinity Problem for Distance Vector

A   B   C   D   E
                      A is down at the beginning. A comes up.
    1                 after 1 exc.
    1   2             after 2 exc.
    1   2   3         after 3 exc.
    1   2   3   4     after 4 exc.

The algorithm reacts rapidly to good news. In N exchanges, everyone knows about the new router, where the longest path is N hops.

A   B   C   D   E
    1   2   3   4     A is up at the beginning. A goes down.
    3   2   3   4     after 1 exc.
    3   4   3   4     after 2 exc.
    5   4   5   4     after 3 exc.
    5   6   5   6     after 4 exc.
    7   6   7   6     after 5 exc.
    7   8   7   8     after 6 exc.
    9   8   9   8     after 6 exc.

It repeats until infinity.

What is infinity? It is the highest number of hops plus 1, if the paths are measured according to the number of hops.

What if we use delay?
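Both tables can be reproduced by simulating synchronous exchanges on the chain A-B-C-D-E. The following Python is an added example, not part of the slides; the value 16 for infinity is an assumption (it is the value RIP uses), while 5 follows the rule of the highest number of hops plus 1.

```python
def exchange(dist, a_up, infinity):
    """One synchronous exchange of distance vectors on the chain A-B-C-D-E.

    dist holds the hop counts to A currently believed by B, C, D and E.
    Every router sets its distance to 1 + the smaller value announced by its
    two neighbours, using only what they believed before this exchange.
    """
    new = []
    for i in range(len(dist)):
        if i == 0:
            left = 0 if a_up else infinity       # B hears A directly, or not at all
        else:
            left = dist[i - 1]
        right = dist[i + 1] if i + 1 < len(dist) else infinity   # E has no right neighbour
        new.append(min(min(left, right) + 1, infinity))
    return new


def simulate(dist, a_up, infinity, max_rounds=50):
    """Return the table rows, starting with dist, until the vectors stop changing."""
    rows = [list(dist)]
    for _ in range(max_rounds):
        nxt = exchange(rows[-1], a_up, infinity)
        if nxt == rows[-1]:
            break
        rows.append(nxt)
    return rows


def exchanges_to_converge(dist, a_up, infinity):
    """Number of exchanges before every router holds a stable value."""
    return len(simulate(dist, a_up, infinity)) - 1


if __name__ == "__main__":
    INFINITY = 16   # assumption: RIP's value for infinity

    print("A comes up (good news):")
    for row in simulate([INFINITY] * 4, True, INFINITY):
        print(row)

    print("A goes down (bad news), infinity = 16:")
    for row in simulate([1, 2, 3, 4], False, INFINITY):
        print(row)

    # Highest number of hops (4) plus 1: the smallest usable infinity here.
    print("A goes down, infinity = 5:")
    for row in simulate([1, 2, 3, 4], False, 5):
        print(row)
```

Lowering infinity from 16 to 5 cuts the bad-news convergence from 15 exchanges to 4, which is why the choice of infinity matters when the metric is hop count.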


Link State

[Figure: routers g, h, i, k, l and m connected by links with costs]

g's link state
Neighbor  Cost
h         4
i         5

h's link state
Neighbor  Cost
i         6
g         4
k         5

i's link state
Neighbor  Cost
h         6
g         5
l         3

k's link state
Neighbor  Cost
l         3
m         4
h         5

l's link state
Neighbor  Cost
i         3
m         4
k         3


Routing in the Internet

• Interior Gateway Protocols
  • RIP (distance vector)
  • OSPF (link state)
  • IS-IS (link state)

• Exterior Gateway Protocols
  • BGP

[Figure: Network 1 to Network 5 interconnected]


Mobile IP

• Addressing is the main issue.
• Care-of address advertisements vs requests.
• Address bindings that need periodic refresh.
• Secure authentication.

[Figure: Home LAN with home agent and home address, Foreign LAN with foreign agent and care-of address, connected by tunneling]


Quality of Service

Application        Reliability  Delay   Jitter  Bandwidth
E-mail             High         Low     Low     Low
File transfer      High         Low     Low     Medium
Web access         High         Medium  Low     Medium
Remote login       High         Medium  Medium  Low
Audio on demand    Low          Low     High    Medium
Video on demand    Low          Low     High    High
Telephony          Low          High    High    Low
Videoconferencing  Low          High    High    High


Quality of Service

• Techniques
  • Overprovisioning
  • Buffering
  • Traffic shaping
    – Leaky bucket
    – Token bucket
  • Resource reservation
  • Admission control
  • Proportional routing
  • Packet scheduling


Quality of Service

• Protocols
  – Integrated Services (IntServ)
  – Resource reSerVation Protocol (RSVP)
  – Differentiated Services
  – MultiProtocol Label Switching (MPLS)


Ad Hoc Networks

- no fixed infrastructure
- multihop
- no centralized administration
- nodes act both as a host and a router
- wireless medium
- topology changes
- resources are limited

[Figure: multihop ad hoc network with a source node]


Ad Hoc Network Architectures

• Flat architectures (not scalable)

• Hierarchical architectures (cluster-based)

[Figure: hierarchical architecture with tier-1 and tier-2]


Scheduling in Ad Hoc Networks

• A MAC layer related challenge.

• Important when TDMA is used.

• Can be defined as:

“schedule a time slot $t_i$ for every node $i$ such that $\sum_{i=1}^{n} t_i$ is minimized”

where n is the total number of nodes that have something to transmit.

• Must tackle the interference problem.

[Figure: primary interference among nodes a, b and c]

[Figure: secondary interference among nodes a, b, c and d]


Topology Maintenance in Ad Hoc Networks

Topology maintenance schemes can be classified as:

1. According to control packet traffic generated for topology maintenance:

- Active

- Passive

2. According to the frequency of control packets

- On demand (event driven)

- Continuous (time driven)

3. According to the storage of topology data

- Central

- Distributed


Ad Hoc Routing Algorithms

Table Driven (Proactive)
- DSDV: Destination sequenced distance vector
- CGSR: Cluster-head gateway switching routing
- WRP: Wireless routing protocol

On Demand (Reactive)
- AODV: Ad hoc on demand distance vector
- DSR: Dynamic source routing
- LMR: Lightweight mobile routing
- TORA: Temporally ordered routing
- ABR: Associativity based routing
- SSR: Signal stability routing


Fisheye Approach

[Figure: node s surrounded by nodes a to g]

The accuracy of the topology data is higher for the closer nodes.


Wireless Routing Protocol (WRP)

• DSDV and CGSR are based on the Bellman-Ford algorithm and they suffer from the count-to-infinity problem.

• WRP is a table-based proactive routing protocol that is based on a path-finding algorithm.

• In WRP each node in the network maintains four tables:
  • Distance table
  • Routing table
  • Link-cost table
  • Message retransmission list


Wireless Routing Protocol (WRP)

• WRP uses both periodic and event triggered (in case of a link status change) update messages for topology maintenance. Update messages are exchanged among the neighboring nodes.

• Every node broadcasts a periodic update (HELLO message) reporting no changes if it does not report an update for a specific time period. Periodic updates are not acknowledged.

• Event triggered updates are broadcast when topology changes are detected, and are acknowledged by the related nodes.


Ad Hoc On Demand Distance Vector (AODV)

• AODV is an improved version of DSDV and CGSR:

– AODV is based on a route discovery process whereas DSDV is based on periodic update messages.

– DSDV maintains all the routes whereas AODV maintains a route only when needed.


Ad Hoc On Demand Distance Vector (AODV)

• Path discovery is initiated by a route request (RREQ) packet:

RREQ Packet: Source addr | Source seq # | Broadcast id | Destination addr | Destination seq # | Hop count

Routing Table: Destination | Destination seq # | Next hop | Active neighbors | # of hops | Expiration time

[Figure: network with source s, destination d and nodes a to h]


Dynamic Source Routing (DSR)

• Route discovery and route maintenance modes.

• It is based on source routing.

[Figure: network with source s, destination d and nodes a to h]


Temporally Ordered Routing Algorithm (TORA)

• TORA has three basic functions:
  • Route creation
  • Route maintenance
  • Route erasure

• A height metric is used by the nodes in route creation and maintenance in order to establish a directed acyclic graph. The height metric is related with the logical time of link failure.

• Route erasure function uses a clear (CLR) packet throughout the network to erase invalid routes.


Temporally Ordered Routing Algorithm (TORA)

The link between nodes d and f fails.

[Figure: TORA route maintenance over nodes a to g, shown in Step 1, Step 2 and Step 3; legend: source, destination, node, height metric]


Categorization of Routing Protocols for Wireless Sensor Networks (K. Akkaya, M. Younis, “A Survey on Routing Protocols for Wireless Sensor Networks,” Elsevier AdHoc Networks):

• Data centric protocols: Flooding, Gossiping, SPIN, SAR, Directed Diffusion, Energy Aware Routing, Rumor Routing, TEEN, APTEEN, CADR

• Hierarchical: LEACH, PEGASIS, Self organizing protocol

• Location based: MECN, SMECN, GAF

Routing Protocols for Sensor Networks


• Flooding: Broadcasts data to all neighbor nodes.

• Gossiping: Sends data to one randomly selected neighbor.

Although these techniques are simple and reactive, they have some disadvantages including the following:

- Implosion,

- Data Overlap,

- Resource blindness.

Flooding and Gossiping


Implosion

[Figure: nodes s, a, b and d.]

Data Overlap

[Figure: nodes a, b and d, with labels t1 and t2.]

Resource Blindness

They are not resource aware protocols.

Implosion, Data Overlap, Resource Blindness


• Uses three types of messages: ADV, REQ, and DATA.

• When a sensor node has something new, it broadcasts an advertisement (ADV) packet that defines the new data by using meta data.

• Interested nodes send a request (REQ) packet.

• Data is sent in DATA packets to the nodes that request it.

W.R. Heinzelman, et al., “Adaptive Protocols for Information Dissemination in Wireless Sensor Networks”, MobiCom’99.

Sensor Protocols for Information via Negotiation (SPIN)

[Figure: SPIN message exchange among nodes s, a, b, c and d, in three panels: ADV, REQ, DATA.]

Sensor Protocols for Information via Negotiation (SPIN)
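
The ADV/REQ/DATA negotiation described above, run next to plain flooding on the same small network, as an added example that is not from the slides or the SPIN paper. The topology, the packet sizes, the function names and the rule that advertisements are processed one at a time are assumptions made for illustration.

```python
from collections import deque

# Constructed topology: s can reach d through both a and b, the case in
# which flooding delivers the same data to d more than once (implosion).
TOPOLOGY = {
    "s": ["a", "b"],
    "a": ["s", "b", "d"],
    "b": ["s", "a", "d"],
    "d": ["a", "b"],
}
DATA_BYTES = 200  # assumed size of a DATA packet
META_BYTES = 8    # assumed size of an ADV or REQ packet (meta data only)


def flood(topology, source):
    """Flooding: each node rebroadcasts new data once to all its neighbours."""
    has_data = {source}
    data_rx = {node: 0 for node in topology}  # DATA copies received per node
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nb in topology[node]:
            data_rx[nb] += 1           # the copy is received even if redundant
            if nb not in has_data:
                has_data.add(nb)
                queue.append(nb)
    return data_rx, sum(data_rx.values()) * DATA_BYTES


def spin(topology, source):
    """SPIN: ADV to all neighbours, REQ from those lacking the data, then DATA."""
    has_data = {source}
    data_rx = {node: 0 for node in topology}
    meta_rx = 0                         # ADV and REQ packets received
    queue = deque([source])
    while queue:
        node = queue.popleft()
        requesters = []
        for nb in topology[node]:       # ADV: names the data by its meta data
            meta_rx += 1
            if nb not in has_data:
                requesters.append(nb)   # only nodes lacking the data answer
        for nb in requesters:
            meta_rx += 1                # REQ received by the advertiser
            data_rx[nb] += 1            # DATA sent to the requester only
            has_data.add(nb)
            queue.append(nb)
    total = meta_rx * META_BYTES + sum(data_rx.values()) * DATA_BYTES
    return data_rx, total


if __name__ == "__main__":
    for name, protocol in (("flooding", flood), ("SPIN", spin)):
        rx, total = protocol(TOPOLOGY, "s")
        print(f"{name:9s} DATA copies per node: {rx}  bytes received: {total}")
```

With these assumed sizes the negotiation pays off because the redundant traffic is 8-byte meta data instead of 200-byte data; the gain shrinks as DATA packets approach the size of an ADV.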


• The SAR algorithm creates multiple trees that are rooted at one-hop neighbors of the sink.

• Each tree grows outward from the sink by avoiding nodes with very low QoS and energy reserves.

• At the end of this procedure, most nodes belong to multiple trees.

K. Sohrabi, et al., “Protocols for Self Organization of a Wireless Sensor Network”, IEEE Personal Communications Mag., pp. 16-27, October 2000.

Sequential Assignment Routing (SAR)


• The sink sends out task descriptors (interest).

• Task descriptors are named by assigning attribute-value pairs that describe the task.

• If a sensor node has data for that interest, the data is routed along the reverse path of interest propagation.

• The interest and data propagation and aggregation are determined locally.

C. Intanagonwiwat, et al., “Directed Diffusion: A Scalable and Robust Communication Paradigm for Sensor Networks”, MobiCom’00.

Directed Diffusion

[Figure: directed diffusion between a source and a sink, in three panels: Interest Propagation, Gradient Setup, Data Delivery.]

• In LEACH, the nodes organize themselves into clusters.

• Sensors may elect themselves to be a local cluster head at any time with a certain probability.

• Each node accesses the network through the cluster head that requires minimum energy to reach.

W. R. Heinzelman, A. Chandrakasan, and H. Balakrishnan, “Energy-Efficient Communication Protocol for Wireless Microsensor Networks,” IEEE Proceedings of the Hawaii International Conference on System Sciences, pp. 1-10, January, 2000.

Low Energy Adaptive Clustering Hierarchy (LEACH)


• Uses graph theory,

• Each node knows its exact location,

• Network is represented by a graph G’, and it is assumed that the resulting graph is connected.

L. Li and J.Y. Halpern, “Minimum-Energy Mobile Wireless Networks Revisited”, ICC’01.

Minimum Energy Communication Network (MECN)


• A sub-graph G of G’ is computed. G connects all nodes with minimum energy cost.

[Figure: two connections, A and B.]

Connection A requires less energy than connection B because the power required to transmit between a pair of nodes increases as the nth power of the distance between them (n>=2).

Minimum Energy Communication Network (MECN)


E. Cayirci, T.Coplu, O.Emiroglu, “Power Aware Many-to-many Routing in Wireless Sensor and Actuator Networks”, EWSN’05.


• Actuators register for the sensed data by disseminating a registration message.

• Every node maintains a registration table according to the registration messages.

• Every node derives a routing table from the registration table.

• Incoming sensed data packets are forwarded according to the routing table.

[Figure: nodes a, b, c and d, and actuators A, B and C.]

Power Controlled and Power Aware Routing in Sensor & Actuator Networks


Registration Table

Actuator Id | Uplink Node Id | Echelon | minPA | totalPA | totalPU | Task
A | a | 2 | 5 | 5 | 2 | t1
A | d | 2 | 4 | 4 | 3 | t1
B | b | 2 | 7 | 7 | 2 | t1,t2
C | b | 3 | 3 | 10 | 5 | t1,t3

Routing Table

Task | Uplink Node Id
t1 | a
t1 | b
t2 | b
t3 | b

Route Selection Function: fi=(1)+(2)+(3)+(4)

Power Controlled and Power Aware Routing in Sensor & Actuator Networks

n

kk

n

kik

e

ee

1

1


• Energy Aware Routing: R.Shah, J. Rabaey, “Energy Aware Routing for Low Energy Ad Hoc Sensor Networks,” IEEE WCNC’02, Orlando, March 2002.

• Rumor Routing: D. Braginsky, D. Estrin, “Rumor Routing Algorithm for Sensor Networks,” ACM WSNA’02, Atlanta, October 2002.

• Threshold sensitive Energy Efficient sensor Network (TEEN): A. Manjeshwar, D.P. Agrawal, “TEEN: A Protocol for Enhanced Efficiency in Wireless Sensor Networks,” IEEE WCNC’02, Orlando, March 2002.

• Constrained Anisotropic Diffusion Routing (CADR): M. Chu, H.Hausecker, F.Zhao, “Scalable Information-Driven Sensor Querying and Routing for Ad Hoc Heterogeneous Sensor Networks,” International Journal of High Performance Computing Applications, Vol. 16, No. 3, August 2002.

Other Routing Protocols


• Power Efficient Gathering in Sensor Information Systems (PEGASIS): S. Lindsey, C.S. Raghavendra, “PEGASIS: Power Efficient Gathering in Sensor Information Systems,” IEEE Aerospace Conference, Montana, March 2002.

• Self Organizing Protocol: L. Subramanian, R.H. Katz, “An Architecture for Building Self Configurable Systems,” IEEE/ACM Workshop on Mobile Ad Hoc Networking and Computing, Boston, August 2000.

• Geographic Adaptive Fidelity (GAF): Y. Yu, J. Heideman, D. Estrin, “Geography-informed energy conservation for ad hoc routing,” MobiCom’01, Rome, July 2001.

Other Routing Protocols


3D Routing

• Underwater acoustic

• Geographic routing protocol

• Cross layer (MAC + Network)

• Latency is an important QoS metric

• Techniques that monitor layers and avoid them


Transport layer for wireless networks

Reliability Flow and Congestion Control

[Figure: sink, nodes a, b, c and d, and an event region; labels: r, sensor coverage, sensor range.]

• Source to sink reliability.

• Sink to source reliability.

End-to-end Reliable Event Transfer


• RMST is a transport layer protocol for directed diffusion.

• RMST provides end-to-end data-packet transfer reliability.

• RMST is a selective NACK-based protocol that can be configured for in-network caching and repair.

• There are two modes for RMST: caching mode and non-caching mode.

• In caching mode, a number of nodes along a reinforced path (the path being used by directed diffusion to convey the data to the sink) are assigned as RMST nodes.

F. Stann, J.Wagner, “RMST: Reliable Data Transport in Sensor Networks,” SNPA 2003.

Reliable Multi-Segment Transport (RMST)


• Each RMST node caches the fragments identified by FragNo of a flow identified by RmstNo.

• When a fragment is not received before the watchdog timer for the flow expires, a negative acknowledgement is sent backward.

• The first RMST node that has the required fragment along the path retransmits the fragment.

• In non-caching mode, the sink is the only RMST node.

• RMST relies on the directed diffusion scheme for recovery from failed reinforced paths.

[Figure: source node, RMST nodes and sink.]

Reliable Multi-Segment Transport (RMST)


• Three functions: pump, fetch, and report operations.

• Every intermediate node maintains a data cache.

• A node that receives a packet checks its content against its local cache, and discards any duplicates.

• If the received packet is new, the TTL field in the packet is decremented.

• If the TTL field is higher than 0 after being decremented, and there is no gap in the packet sequence numbers, the packet is relayed after being delayed for a random period.

• A node goes to fetch mode once a sequence number gap is detected.

• The node in fetch mode requests a retransmission from neighboring nodes.

C-Y Wan, A.T. Campbell, L. Krishnamurty, “PSFQ: A Reliable Transport Protocol for Wireless Sensor Networks,” WSNA’02

Pump Slowly Fetch Quickly (PSFQ)
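
The per-packet decisions listed above (duplicate check against the cache, TTL decrement, gap detection, fetch from a neighbor), as an added sketch that is not from the slides or the PSFQ authors. The class and method names, the delay bounds, sequence numbers starting at 1, and the release of held packets in order once a gap is repaired are assumptions; the arrival order in `run_demo` is constructed.

```python
import random

T_MIN, T_MAX = 0.01, 0.05  # assumed bounds (seconds) for the random relay delay


class PsfqNode:
    """One intermediate node: data cache, TTL handling, gap detection, fetch."""

    def __init__(self, name, seed=0):
        self.name = name
        self.cache = {}          # seq -> (TTL after decrement, payload)
        self.next_in_order = 1   # assumption: sequence numbers start at 1
        self.relay_delay = {}    # seq -> random delay chosen before relaying
        self.fetch_mode = False
        self.rng = random.Random(seed)

    def missing(self):
        """Sequence numbers absent below the highest one cached (the gap)."""
        top = max(self.cache, default=0)
        return [s for s in range(1, top) if s not in self.cache]

    def on_packet(self, seq, ttl, payload):
        """Handle a pumped or repaired packet; return a list of (action, value)."""
        if seq in self.cache:
            return [("discard", seq)]        # duplicate of a cached packet
        ttl -= 1                             # new packet: decrement the TTL
        self.cache[seq] = (ttl, payload)
        actions = []
        gap = self.missing()
        self.fetch_mode = bool(gap)          # a gap puts the node in fetch mode
        if gap:
            actions.append(("fetch", gap))   # ask neighbours for these numbers
        # Relay only packets that are in order, so a loss is not passed on.
        while self.next_in_order in self.cache:
            seq_out = self.next_in_order
            if self.cache[seq_out][0] > 0:
                self.relay_delay[seq_out] = self.rng.uniform(T_MIN, T_MAX)
                actions.append(("relay", seq_out))
            else:
                actions.append(("ttl_expired", seq_out))  # cached, not relayed
            self.next_in_order += 1
        return actions

    def on_fetch(self, wanted):
        """Neighbour side of a fetch: return the requested packets it has cached."""
        return {s: self.cache[s][1] for s in wanted if s in self.cache}


def run_demo():
    """Constructed run: segment 3 is lost on the way to n, segment 2 arrives twice."""
    upstream = PsfqNode("u")
    for seq in range(1, 6):
        upstream.on_packet(seq, ttl=4, payload=f"seg{seq}")
    node = PsfqNode("n")
    log = []
    for seq in (1, 2, 2, 4, 5):
        log.append(node.on_packet(seq, ttl=3, payload=f"seg{seq}"))
    repairs = upstream.on_fetch(node.missing())   # n is in fetch mode here
    for seq, payload in sorted(repairs.items()):
        log.append(node.on_packet(seq, ttl=3, payload=payload))
    return node, log


if __name__ == "__main__":
    for step in run_demo()[1]:
        print(step)
```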


• ESRT is the first scheme that focuses on the end-to-end reliable event transfer.

• The end-to-end event transfer reliability is controlled based on the reporting frequencies of sensor nodes.

Y. Sankarasubramaniam, O.B. Akan, I.F. Akyildiz, “ESRT: Event-to-Sink Reliable Transport in Wireless Sensor Networks,” Mobihoc’03

[Figure: sink and nodes a, b, c and d.]

Event-to-Sink Reliable Transport (ESRT)


Congestion Detection Mechanism:

• local buffer level monitoring

Mark Congestion Notification Field when

b_k + b > B

where b_k is buffer fullness at interval k, b is buffer length increment, B is buffer size.

[Figure: buffer levels b_{k-1} and b_k, and the increment b.]

Event-to-Sink Reliable Transport (ESRT)


N.Tezcan, E. Cayirci, U. Caglayan, “End-to-end reliable event transfer in wireless sensor networks,” PIMRC 2004.

[Figure: temperature versus time (1 to 14), with a threshold marked.]

End-to-end Acknowledgements for Events


• Both ends know the threshold.

• When the receiver finds out that the difference between the value in a new sensed data packet and in the previous packet is higher than the threshold, this indicates a critical data packet, and it acknowledges the receipt of the critical packet.

• If the sender does not receive an acknowledgement for a critical packet during the timeout period, it retransmits the critical packet.

Selective Acknowledgements


• Two parameters: tmax, tavg

• A critical packet is retransmitted tmax after its transmission if it is not acknowledged.

• If (numberOfEventsintheList>listSize-n)for(allEventsintheList)

if(eventTimetmax || eventTimetavg)retransmit(event);

• tavg = tavg + (1 - ) tack

Timeout Period


• The source node marks the critical packet.

• The receiver acknowledges the marked packet.

• If the sender does not receive an acknowledgement for the critical packet during the timeout period, it retransmits the critical packet.

Enforced Acknowledgement


Blanket Acknowledgement is used in SENDROM.

A. Erdogan, E. Cayirci, V. Coskun, “Sectoral Sweepers for Sensor Node Management and Location Estimation in AdHoc Sensor Networks,” MILCOM 2003.

E.Cayirci, T.Coplu, “Sensor Networks for Disaster Relief Operations Management,” MedHocNet 2004.

[Figure: blanket acknowledgement; labels: S, Depth, Rmin, Rmax, TASK REGION, ENGAGE, RESPONSE, border for ROUTING nodes, via the ROUTING nodes.]

ENGAGE : { Task_id, Rmin, Rmax, Task_descriptions }

RESPONSE : { Task_id, Node_id, Data }

Blanket Acknowledgement


Localization and Positioning


Localization

Localization

GPS Based (Direct) Indirect

Global Positioning System (GPS)

Manual Configuration

Absolute

Range-free


Localization can be done:

• Centralized,

• Locally centralized,

• Distributed.

Localization in Sensor Networks


GPS-less techniques typically use one of the following techniques for location estimation:

• Received signal strength (RSS),

• Time of arrival (TOA),

• Time difference of arrival (TDOA),

• Angle of arrival (AOA).

Localization in Sensor Networks


[Figure: a sensor and beacons 1, 2 and 3 at (x1, y1), (x2, y2) and (x3, y3); legend: beacon, sensor.]

The locations of three or more beacons and their directions relative to the node location are known.

The locations of three or more beacons and their distances to the node location are known.

[Figure: beacons at (x1, y1), (x2, y2) and (x3, y3), at distances d1, d2 and d3 from the node.]

\[
\begin{aligned}
\sqrt{(x-x_1)^2 + (y-y_1)^2} &= d_1 \\
\sqrt{(x-x_2)^2 + (y-y_2)^2} &= d_2 \\
\sqrt{(x-x_3)^2 + (y-y_3)^2} &= d_3
\end{aligned}
\]

Triangulation or Trilateration
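
One way to solve the distance equations above for (x, y), as an added example that is not from the slides: subtracting the first beacon's equation from the others removes the squared unknowns and leaves a linear system, solved here by least squares so that it also accepts more than three beacons. The function name, the beacon coordinates and the RMS residual returned as a consistency check are assumptions of this sketch.

```python
import math


def trilaterate(beacons, distances):
    """Estimate (x, y) from beacon positions and measured distances.

    beacons   -- list of (x_i, y_i), three or more
    distances -- list of d_i, one per beacon
    Returns (x, y, rms), where rms is the root-mean-square difference between
    the measured distances and the distances from the estimate to each beacon.
    """
    if len(beacons) < 3 or len(beacons) != len(distances):
        raise ValueError("need three or more beacons and one distance per beacon")
    (x1, y1), d1 = beacons[0], distances[0]

    # Row i: 2(x_i - x_1) x + 2(y_i - y_1) y
    #        = x_i^2 - x_1^2 + y_i^2 - y_1^2 + d_1^2 - d_i^2
    rows, rhs = [], []
    for (xi, yi), di in zip(beacons[1:], distances[1:]):
        rows.append((2 * (xi - x1), 2 * (yi - y1)))
        rhs.append(xi**2 - x1**2 + yi**2 - y1**2 + d1**2 - di**2)

    # Normal equations (A^T A) p = A^T b for the 2x2 least-squares problem.
    a11 = sum(a * a for a, _ in rows)
    a12 = sum(a * b for a, b in rows)
    a22 = sum(b * b for _, b in rows)
    b1 = sum(a * r for (a, _), r in zip(rows, rhs))
    b2 = sum(b * r for (_, b), r in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:  # threshold suits coordinates in metres, as used here
        raise ValueError("beacons are collinear: the position is not unique")
    x = (b1 * a22 - b2 * a12) / det
    y = (a11 * b2 - a12 * b1) / det

    residuals = [math.hypot(x - bx, y - by) - d
                 for (bx, by), d in zip(beacons, distances)]
    rms = math.sqrt(sum(r * r for r in residuals) / len(residuals))
    return x, y, rms


# Constructed sample: a node at (3, 4) and three beacons with exact distances.
BEACONS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
EXACT = [math.hypot(3 - bx, 4 - by) for bx, by in BEACONS]

if __name__ == "__main__":
    print(trilaterate(BEACONS, EXACT))
    # One distance overstated by 5 m: the estimate moves and the residual grows.
    print(trilaterate(BEACONS, EXACT[:2] + [EXACT[2] + 5.0]))
```

A large residual means the reported distances do not agree on a single point, which is the cue to discard or re-measure a reading before trusting the position.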


The following information is used to estimate the distance to a transmitter:

• Received power,

• Transmitted power,

• Path loss model.

RSSI method may be unreliable and inaccurate due to:

• Multi-path effects,

• Shadowing, scattering, and other impairments,

• Non line of sight conditions.

Received signal strength


The following information is used to estimate the distance to a transmitter:

• Reception time,

• Transmission time,

• Propagation speed.

Time of arrival method may also be unreliable and inaccurate due to multi-path effects and non line of sight conditions.

The beacon and the node need to be synchronized.

The propagation speed of RF signals is too high for beacon based localization in sensor networks. Therefore signals with lower propagation speed such as ultrasound should be used.

Time of arrival


The following information is used to estimate the distance to a transmitter:

• Arrival time of an RF signal,

• Arrival time of an ultrasound signal,

• Propagation speed of these signals.

The difference between the propagation delays of RF and ultrasound signals gives the distance.

Time difference of arrival method may also be unreliable and inaccurate due to multi-path effects and non line of sight conditions.

Time difference of arrival


Special antenna configurations are used to estimate the angle of arrival of the received signal.

Angle of arrival method may also be unreliable and inaccurate due to:

• Multi-path effects,

• Shadowing, scattering, and other impairments,

• Non line of sight conditions.

Angle of arrival


[Figure: one-hop multilateration and two-hop collaborative multilateration; legend: beacon, sensor.]

Use at least n equations to estimate n variables. The solution must be unique.

Collaborative Multilateration


[Figure legend: beacon, sensor, receiver, the location for previous reading.]

Using Previous Measurements from Fixed Locations


[Figure: target and lighthouse.]

Lighthouse


Range Free Techniques

[Figure: a. Sectoral sweepers. b. Centroid, with points (x1, y1), (x2, y2), (x3, y3) and (x4, y4).]


[Figure labels: rubble, 20 – 25 meters (two dimensions), directional antenna, 2–3 m, location of a detected person, coverage area of a transmitted task.]

Range Free Techniques

Cayirci, E., Coplu T., “SENDROM: Sensor Networks for Disaster Relief Operations Management,” ACM/Kluwer Wireless Networks (to appear).


Time Synchronization


Nodes need to maintain the same time frame for:

• time synchronization for communications protocols

• data fusion
  - associating the sensed data,
  - aggregating the sensed data,
  - target tracking,
  - finding out the direction and speed of a target.

Time Synchronization


• Temperature: Temperature variations during the day may cause the clock to speed up or slow down (a few microseconds per day).

• Phase noise: Access fluctuation at the hardware interface, response variation of the operating system to interrupts, jitter in delay, etc.

• Frequency noise: The frequency spectrum of a crystal has large sidebands on adjacent frequencies.

• Asymmetric delay: The delay of a path may be different for each direction.

• Clock glitches: Hardware or software anomalies may cause sudden jumps in time.

Factors Influencing Time Synchronization


Offset (ο): Nodes may be started at different times. Therefore, Node A may have a clock CA different from the clock CB that Node B has when the network starts at time t0.

Skew (s): Factors like frequency noise and hardware may make the crystals of nodes run at different frequencies. This causes clock skew, which may be ±30-40 parts per million (ppm) for sensor node hardware. Skew may make the times of two nodes get closer or further apart based on the offset. The skew related change per unit time t is constant.

Drift (d): Factors like temperature, phase, asymmetric delay and clock glitches may change the offset between two nodes over time. Since these factors vary over time, the change in clock per unit time, called drift, is not a fixed value.

Time Synchronization


Time Synchronization

Synchronization

• Accuracy: Exact, Loose

• Distribution: Centralized, Distributed, Clustered

• Procedure: Pair-wise (Sender/Receiver), Broadcast (Receiver/Receiver)


Data Querying


• Continuous (persistent) queries or one time (snap shot) queries,

• Historical or real-time queries,

• Aggregate or simple queries,

• Complex or simple queries,

• Spatial or temporal queries.

Data Querying in Sensor Networks


Select [ task, time, location, [distinct | all], amplitude, [[avg | min | max | count | sum] (amplitude)] ]

from [ any, every, aggregate m, dilute m ]

where [ power available [<|>] PA | location [in | not in] RECT | tmin < time < tmax | task = t | amplitude [<|==|>] a ]

group by task

based on [ time limit = lt | packet limit = lp | resolution = r | region = xy ]

[Figure: tables shown: Virtual Local Sensor Node Table, Sensor Network Database View, External Sensor Network Database Table. Column sets shown: Task, Amplitude, Location, Time; Task, Amplitude, Location; Task, Amplitude.]

E.Cayirci, “Data Aggregation and Dilution by Modulus Addressing in WSNs,” IEEE Communications Letters, August, 2003.

DADMA: Data Aggregation and Dilution by Modulus Addressing


• SQTL is a procedural scripting language.

• It provides interfaces to access sensor hardware:

- getTemperature, turnOn

for location awareness:

- isNeighbor, getPosition

and for communication:

- tell, execute.

C-C Shen, et al., “Sensor Information Networking Architecture and Applications”, IEEE Personal Communications Magazine, pp. 52-59, August 2001.

Sensor Query and Tasking Language (SQTL)


By using the upon construct, a programmer can create an event handling block for three kinds of event:

- Events generated when a message is received by a sensor node,

- Events triggered periodically,

- Events caused by the expiration of a timer.

• These types of events are defined by SQTL keywords receive, every and expire, respectively.

Sensor Query and Tasking Language (SQTL)


E. Cayirci, C.Cimen, V. Coskun, “Querying Sensor Networks By Using Dynamic Task Sets,” Computer Networks (Elsevier), 2006.

Task Sets

Status table

Quadtree Address | Sensor Type | Power Available | Task Set
00 | 1 | 0.95 | 2
00 | 1 | 0.98 | 1
00 | 1 | 0.93 | 2
00 | 1 | 0.96 | 2

[Figure: quadtree quadrants 00, 01, 11 and 10, showing Task Set 1 and Task Set 2; legend: sensor node, event.]


[Figure legend: query node, active node, sensor node, active query, sensed data, complete data.]

N. Sadagopan, B. Krishnamachari, A. Helmy, “The Acquire Mechanism for Efficient Querying in Sensor Networks,” Elsevier Ad Hoc and Sensor Networks, 2004.

ACQUIRE


[Figure legend: S = selector node, R = zone radius (in hops); nodes labelled "contact".]

A. Helmy, “Mobility-Assisted Resolution of Queries in Large-Scale Mobile Sensor Networks” Special Issue Computer Networks (Elsevier) on Wireless Sensor Networks, 2003.

Mobility-Assisted Resolution of Queries in Large-Scale Mobile Sensor Networks


Coverage


- Node deployment scheme

- Sensing and communications range

- Energy efficiency and connectivity requirements

- Algorithm paradigm, i.e., centralized or distributed

Factors for Node Coverage


In area coverage the objective is to cover an area. For the sensing coverage problem this means ensuring that every point in a given area can be observed; for the communications coverage problem it means that a node at any point in the area can access the network.

In point coverage the objective is to ensure that a given set of points are covered by the network.

In barrier coverage the objective is to ensure that there is no hidden path through the network, i.e., an intruder cannot go through the network without crossing the coverage area of at least one node.

Coverage Problem

Page 192:

Approaches for Coverage Problem

- The nodes are assumed to be deployed randomly according to a distribution, and the minimum number of nodes that satisfies a given probability of coverage is determined.

- It is assumed that the nodes can be deployed at certain locations, and the location for each node is determined such that the maximum coverage for the given number of nodes can be achieved.

Page 193:

Security in Wireless Communications

Page 194:

Security Challenges Specific to Wireless Networks

• Easier to tap

• Limited resources and stringent constraints

• Self forming, self organization and self healing algorithms

• Hidden and exposed terminal

• Jamming and the other denial of service attacks

Page 195:

Information Security

- Computer Security
  - Hardware Security
  - Software Security
- Communications Security
  - Transmission Security
  - Emanation Security

Page 196:

Security Attacks

Security attacks can be classified into two broad classes:
• Passive: no emission to conduct the attack
• Active: emit, interfere or tamper

Page 197:

Passive Attacks

- Eavesdropping
- Traffic Analysis

Eavesdrop: Tap the communication lines
- wireless links are easier to tap
- signals are sent to shorter distances in wireless ad hoc networks
- challenges when multiple networks with different classification
- privacy challenges
- collection vs analysis

Traffic analysis: Traffic patterns and rates
- friendship trees

Page 198:

Traffic Analysis

- Traffic analysis at the physical layer: In this attack only the carrier is sensed and the traffic rates are analyzed for the nodes at a location.

- Traffic analysis in MAC and higher layers: MAC frames and data packets can be de-multiplexed and the headers can be analyzed. This can reveal the routing information, topology of the network and friendship trees.

- Traffic analysis by event correlation: Events like a detection in a sensor network or a transmission by an end user can be correlated with the traffic, and more detailed information, e.g., routes, can be derived.

- Active traffic analysis: For example, a certain number of nodes can be destroyed, which stimulates the self organization in the network, and valuable data about the topology can be gathered.

Page 199:

Active Attacks

- Physical
  - Destruction
  - EMP
  - Tampering
- Masquerade, Replay, Message Modification
  - Integrity
  - Unauthorized Access
  - Confidentiality
  - Privacy
- Denial of Service
  - Physical Layer
  - MAC Layer
  - Network Layer
  - Transport Layer
  - Application Layer
- Misbehaving
  - Selfishness
  - Attacks against charging scheme

Page 200:

Tampering

Invasive (unlimited access)

Traffic Analysis (analyze the behaviour)

Example attacks:
- micro probing
- laser cutting
- focused ion-beam manipulation
- glitch attacks
- power analysis

Page 201:

Masquerade, Modify, Replay

A masquerading node acts as if it is another node.

Messages can be captured and replayed by the masquerading nodes.

The content of the captured messages can be modified before being replayed.

Page 202:

Masquerade, Modify, Replay

Attacks can be organized against

- Node localization
- Time synchronization
- Data aggregation and fusion
- Data correlation and association
- Event and event boundary detection
- Node management

Page 203:

Masquerade, Modify, Replay

- Sybil attack: introduce multiple identities

- Unauthorized access

- Phishing: Password fishing

- Preserve anonymity of the attacker

Page 204:

Denial of Service Attack

Any event that diminishes a network's capacity to perform its expected function correctly or in a timely manner

A DOS attack is characterized by:

- Malicious: It is carried out to prevent the network from fulfilling its intended functions. It is not accidental; otherwise it is not in the domain of security but of reliability and fault tolerance.

- Disruptive: It degrades the quality of the services provided by the network.

- Asymmetric: The attacker puts in much less effort compared to the impact made on the network.

Page 205:

Denial of Service Attack

- In physical layer (jamming): either continuous or temporary and random

- In MAC layer:
  - Whenever an RTS signal is received, a signal that collides with the CTS signal is transmitted.
  - If the MAC scheme is based on the sleep and active periods, jamming only the active periods can continuously block the channel.
  - False RTS or CTS signals with long data transmission parameters are continuously sent out.
  - Acknowledgement spoofing, where an adversary sends false link layer acknowledgements.

Page 206:

DOS Against Routing

- Spoofed, altered, or replayed routing information
- Hello flood
- Wormhole
- Detour

[Figures: Hello Flood; Wormhole. Node labels: m, a, b, c, d, e, f, w1, w2.]

Page 207:

DOS Against Routing

- Sinkhole: attractive malicious node
- Blackhole: malicious node drops every packet
- Selective forwarding: malicious node does not forward every packet
- Routing loop attack: Detour or sinkhole attacks to create routing loops
- Sybil attack: A single node presents multiple identities
- Rushing attack: An attacker disseminates route request and reply messages quickly throughout the network.
- Attacks that exploit node penalizing schemes
- Attacks to deplete network resources

Page 208:

DOS Against Transport Layer

- Transport layer acknowledgement spoofing

- Replaying acknowledgement

- Jamming acknowledgements

- Changing sequence number

- Connection request spoofing

Page 209:

Misbehaving

- Selfishness
- Attacks against payment schemes
  - Refusal to pay
  - Dishonest rewards
  - Free riding

[Figure: source, routing nodes, infrastructure, destination.]

Page 210:

Attackers

- Motivation: Confidentiality, Integrity, Privacy, Unauthorized Access, DoS, Selfishness, Charging, Rewarding
- Emission: Active, Passive
- Location: Insider, Outsider
- Quantity: Single, Multiple, Coordinating Multiple
- Rationality: Naive, Irrational, Rational
- Mobility: Fixed, Mobile

Page 211:

Security Goals

• Authentication
• Access control
• Confidentiality to protect content
• Confidentiality to prevent traffic analysis
• Privacy
• Integrity
• Authorization
• Anonymity
• Non-repudiation
• Freshness
• Availability
• Resilience against attacks

Page 212:

Challenges and Solutions: Basic Issues

Page 213:

Security challenges and solutions in wireless networks

• Bootstrapping security in Ad Hoc networks

• Bootstrapping security in sensor networks

• Key distribution, exchange and management

• Authentication issues

• Integrity

Page 214:

Bootstrapping security in Ad Hoc networks

• Build a security infrastructure between the nodes during the bootstrapping phase

• new nodes that can join the network can form a secure association with the nodes already in the network

• the trust infrastructure can be set up without the knowledge of the network topology

• the credential verification scheme should be strong enough to resist DoS attacks and at the same time should not need large computational ability and memory

Page 215:

Building security infrastructure in Ad Hoc networks

• Prior context can be used

• Trusted third party can be used to facilitate the establishment

• More natural to self-organize the trust infrastructure

Page 216:

Bootstrapping security in sensor networks

• Resilience against node capture

• Resistance against node replication

• Revocation

• Scalability

Page 217:

Key distribution, exchange and management

• Desirable features of ad hoc network key management scheme:
  • applicability
  • security
  • robustness
  • scalability
  • simplicity

Page 218:

Key distribution, exchange and management

• Standards
  • None MANET internet drafts and RFCs has thus part
  • IEEE 802.11i assumes keys are preshared or established with the aid of fixed infrastructure
  • ZigBee, IEEE 802.15.4, Bluetooth are infrastructure-based networks and do not apply to MANETs

Page 219:

Key distribution, exchange and management

• Classification of key management schemes

Key management schemes
- Contributory schemes (key agreement): D-H, ING, B-D, H&O, CLIQ
- Distributive schemes (key distribution)
  - Public key schemes
    - Certificate based: Z-H, MOCA, SEKM, UBIQ, AKM, PGP-A, COMP, MOB-a/MoB-so
    - Identity based: IBC-K
  - Symmetric schemes
    - MANET schemes: PSGK, SKIMPy, S-HEAL, LKH, GKMPAN
    - WSN schemes: PRE, SPINS, PEBL, INF, LEAP

Page 220:

Contributory key management schemes

• D-H

• ING

• B-D

• H&O

• A-G

• CLIQ

Page 221:

Distributive key management schemes

• Public key schemes:
  • Certificate based
    - Z-H
    - MOCA
    - SEKM
    - UBIQ
    - AKM
    - PGP-A
    - COMP
    - MoB-a/MoB-so
  • Identity based
    - IBC-K
• Symmetric key schemes

Page 222:

Partially distributed Threshold CA Scheme (Z-H)

• Provide an available, intrusion tolerant, and robust CA functionality for ad hoc networks

• Private CA key distributed over a set of server nodes

• Using share refreshing to counter mobile adversaries

• synchronization needed
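The two mechanisms named on this slide, a private CA key spread over server nodes and share refreshing, as an added example (not code from the slides or from the Z-H authors). It assumes Shamir (k, n) secret sharing over a prime field with an additive zero-polynomial refresh; the modulus, the function names and the toy key value are constructed for illustration.

```python
import secrets

# Field modulus: the Mersenne prime 2**127 - 1 (constructed choice for the demo).
P = 2**127 - 1

def _poly_eval(coeffs, x):
    """Evaluate a polynomial mod P at x (coeffs[0] is the constant term)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def split(secret, k, n):
    """Split `secret` into n shares {x: f(x)}; any k of them reconstruct it."""
    if not (1 <= k <= n < P):
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return {x: _poly_eval(coeffs, x) for x in range(1, n + 1)}

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over the given {x: y} shares.
    Done here only to check the arithmetic: a threshold CA combines partial
    signatures instead of ever rebuilding the key in one place."""
    total = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def refresh(shares, k):
    """Share refreshing: every server deals a random degree-(k-1) polynomial
    with constant term 0 and each server adds the sub-shares it receives.
    The shared secret is unchanged, but shares from different epochs no
    longer lie on the same polynomial."""
    new = dict(shares)
    for _dealer in shares:
        delta = [0] + [secrets.randbelow(P) for _ in range(k - 1)]
        for x in new:
            new[x] = (new[x] + _poly_eval(delta, x)) % P
    return new

def pick(shares, xs):
    """Select the shares held by the servers listed in xs."""
    return {x: shares[x] for x in xs}

def demo():
    ca_key = 0x1234567890ABCDEF   # constructed stand-in for the private CA key
    k, n = 3, 5
    epoch0 = split(ca_key, k, n)
    epoch1 = refresh(epoch0, k)
    # Mobile adversary: servers 1 and 2 compromised before the refresh,
    # server 3 after it. That is k shares in total, but from two epochs.
    mixed = {**pick(epoch0, [1, 2]), **pick(epoch1, [3])}
    return {
        "epoch0_ok": reconstruct(pick(epoch0, [1, 3, 5])) == ca_key,
        "epoch1_ok": reconstruct(pick(epoch1, [2, 4, 5])) == ca_key,
        "mixed_ok": reconstruct(mixed) == ca_key,
        "two_shares_ok": reconstruct(pick(epoch1, [1, 2])) == ca_key,
    }

if __name__ == "__main__":
    print(demo())
```

The refresh only helps if all servers switch epochs together, which is where the slide's synchronization requirement comes from.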

Page 223:

MOCA

• An extension to Z-H

• Nodes that exhibit best physical security and computational resources serve as MOCAs

• Moves the combiner function of Z-H from CA servers to requesting end-nodes

• MOCA certification protocol

Page 224:

SEKM

• Servers of MOCA form a multicast group

• Efficient updating of secret shares and certificates

Page 225:

UBIQ

• Fully distributed threshold CA scheme

• All nodes get a share of the private CA key

• Certification service is delivered within 1-hop neighborhoods

• Bandwidth efficient and good for the scalability

• Possible requirement of human involvement

Page 226:

AKM

Autonomous key management (AKM)

[Figure: hierarchy with labels R, G, H and nodes N1–N6, shown in three stages.]

Initialization: f(N1), f(N2), f(N3); S1, S2, S3; (k,n) = (3,3)
New node added: f(N1), f(N2), f(N3), f(N4), f(N5), f(N6); S1, S2, S3; (k,n) = (3,6)
Split: g(N1), g(N2), g(N3) with (k,n) = (3,3); h(N4), h(N5), h(N6) with (k,n) = (3,3)

S=S1+S2+S3 f()=S+a1+a2
S’=f(N1)+f(N2)+f(N3)
g()=S”+b1+b2 S”=f(N4)+f(N5)+f(N6) g()=S”+c1+c2

Page 227:

PGP-A

• CA functionality completely distributed, all nodes have equal roles

• Assumes trust is transitive

• Certificates exchanged periodically

• Renewals require contact with the issuer

Page 228:

COMP

• Combines MOCA’s partially distributed threshold CA with PGP-A certificate-chaining

• Each certificate includes a confidence value reflecting the level of confidence

• Higher security than obtainable with PGP-A

• Increased availability of CA service compared to MOCA

Page 229:

MOB

• Seeks to mimic human behavior

• Can be fully self-organizing (MOB-so) or rely on an off-line authority (MOB-a)

• Bandwidth efficient with limited scalability

• Long delay to establish security associations with all communication partners

Page 230:

IBC-K

1 SETUP (PKG)

PKG chooses two large primes as the private master key, and publishes the chosen and calculated public system parameters as shown.

Private master key: p, q (two large primes)
Public system parameters:
- n = p·q (factorization is kept secret)
- e = large prime, gcd(e, φ(n)) = 1
- f = hash function

2 EXTRACTION (user and PKG, over a secure channel)

The user presents its identity i to PKG. PKG returns the corresponding private key g. The identity is related to g in the following way:

$g^{e} = i \pmod{n}$

3 SIGNING (Alice sends (i, m, t, s) to Bob)

The signature (s,t) of the message m is calculated as follows:

$t = r^{e} \pmod{n}, \quad s = g \cdot r^{f(t,m)} \pmod{n}$

i : user id, m : message, s,t : signature, r : random

4 VERIFICATION

The signature (s,t) of the message m is verified by checking:

$s^{e} = i \cdot t^{f(t,m)} \pmod{n}$

The security of Shamir’s IBS scheme relies on the difficulty of deciding g given $g^{e} \bmod n$ when the factorization of n is unknown.

Page 231:

Symmetric key schemes

• Public key schemes:
  • MANET schemes
    - PSGK
    - SKIMPy
    - S-HEAL
    - LKH
    - GKMPAN
  • Identity based
    - PRE
    - SPINS
    - PEBL
    - INF
    - LEAP

Page 232:

PSGK

• Key distribution centre pre-distributing a symmetric key to all members of the group

• Lacks intrusion tolerance in the sense that security succumbs to a single captured node

• Not designed specially for ad hoc networks

Page 233:

SKiMPy

• Designed for MANETs to protect network layer routing information or application layer user data

• Periodically updates the group key to counter cryptanalysis

• Bandwidth efficient

• Adds complexity compared to PSGK

Page 234:

S-HEAL

• Key distribution scheme with revocation, for networks with unreliable links

• Demands pre-shared secrets and group manager

• Self-healing

• Inapplicable for protection of routing information

Page 235:

LKH

[Figure: LKH key tree]

K12345678
- K1234
  - K12
    - K1 (N1)
    - K2 (N2)
  - K34
    - K3 (N3)
    - K4 (N4)
- K5678
  - K56
    - K5 (N5)
    - K6 (N6)
  - K78
    - K7 (N7)
    - K8 (N8)

Page 236:

GKMPAN

• Designed for secure multicast in ad hoc networks

• Assumes a pre-distributed group key plus a pre-distributed commitment

• Increases intrusion tolerance compared to PSGK

Page 237:

PRE

• Assumes WSN nodes outfitted with a pre-installed key ring

• A number of PRE schemes for WSNs have been proposed

• The idea of the key ring of PRE is intrusion tolerance

• Intrusion resistance comparable to PSGK

Page 238:

SPINS

• Assume pre-installed individual (pairwise) keys between sensor nodes and base station

• Demands routing protocol and reliable access to the base station

• Includes a scheme for authenticated broadcast

Page 239:

PEBL

• Refers to large ad hoc networks with a large number of small-sized nodes

• An extension to PSGK

• Protection of application data

• Offers no protection against replay or intrusion attacks

• Bandwidth consuming, needs synchronization

Page 240:

INF

• Intended for WSNs
• Assumes static sensor nodes and mass deployment
• A key whispering approach is used
• Simple, self-organizing, and robust to Byzantine behavior and faulty nodes
• Bandwidth efficient, scales well
• Vulnerable to eavesdropping during key whispering

Page 241:

LEAP

• Designed for static WSNs

• Different keys for different purposes

• Pre-distributed individual keys are used for communication between sensor nodes and the base station

• Pre-shared group key is applied for protection of broadcast information from the base station

Page 242:

Authentication issues

• Authentication needed in wireless networks

• MAC (message authentication code) used to provide authentication

• Asymmetric mechanisms adopted for multi-party communication

Page 243:

Integrity

• Data integrity needed in wireless networks

• CRC and MAC can be used to provide data integrity

Page 244:

Challenges and Solutions: Protection

Page 245:

Privacy and anonymity

• There is conflict between the need for public information and the demand of personal privacy in wireless networks

• Anonymity techniques are needed to provide privacy

• Information flooding is an efficient way to provide anonymity

• Policy-based access control decision and authentication can also help

Page 246:

Privacy and anonymity

• Anonymity approaches to provide privacy

• Decentralize sensitive data

• Using secure communication protocols, SPINS

• De-patterning data transmission

• Increasing sensor node mobility

Page 247:

Intrusion detection

• Intrusion detection is the first line of defense

• Intrusion detection techniques

• Abnormality detection

• Misuse detection

• Specification based detection

Page 248:

Intrusion detection

• Architectures for IDS in wireless ad hoc networks

• Stand-alone IDS

• Distributed and Cooperative IDS

• Hierarchical IDS

• Mobile Agent for IDS

• IDS for sensor networks

Page 249:

Defense against traffic analysis

• Rate monitoring attack
  • Method against rate monitoring attack
• Time correlation attack
  • Method against time correlation attack

Page 250:

Access control and secure human computer interaction

• Problems related with password mechanism

• Characteristics should be considered for password design

• Different methods for access control and strange password design

Page 251:

Software based anti-tamper techniques

• Software based anti-tamper techniques are efficient against software cracking attacks
  • Encryption wrappers
  • Code obfuscation
  • Software watermarking and fingerprinting
  • Guarding

Page 252:

Software based anti-tamper techniques

• Encryption wrappers
  • Software is encrypted and has to be decrypted before use
  • Only the code that will execute in the system should be decrypted
  • Decryption keys have to be protected
  • Adds overhead for decryption at run time

Page 253:

Software based anti-tamper techniques

• Code obfuscation
  • Code obfuscation can prevent attacks of reverse engineering
  • Quality of obfuscating transformations: potency, resilience, cost
  • Different kinds of obfuscation transformations: layout transformation, data transformation, control transformation, preventive transformation

Page 254:

Software based anti-tamper techniques

• Software watermarking and fingerprinting
  • Software watermarking and fingerprinting can protect against illegal copying of digital items
  • Behavior of the watermarked program should be affected if the watermark is distorted or destroyed
  • Fingerprinting embeds a unique message in the software for traitor tracing
  • Static watermarking and dynamic watermarking

Page 255:

Software based anti-tamper techniques

• Guarding
  • Multiple (possibly simple) protection techniques provide robust protections
  • Guard is a piece of code responsible for performing certain security-related actions
  • Guards can provide multiple layers of defense

Page 256:

Hardware protection

• Physical attacks toward the wireless sensor networks

• Hardware protection of physical attacks

• Using tamper-resistant processors and lightweight hardware

• Advantages and disadvantages of hardware based protection

Page 257:

Availability and plausibility

• Network availability can be increased using security techniques

• Checking the plausibility is a useful method for defending against compromised nodes

Page 258:

Secure Routing

Page 259:

Secure Routing Approaches

- attack prevention

- attack detection and recovery from the attack

- resilience against security attacks

Page 260:

Defense Against Wormholes

Geographical Leashes: The source node S includes its location $l_S$ and the packet transmission time $t_S$ as the geographical leash in its packet $P_S$ sent to destination D.

$S \rightarrow D: l_S, t_S, P_S$

- The clocks are synchronized to within ±Δ.
- The upper bound for the distance is $d_b$.
- The node localization error upper bound is δ.
- The upper bound for the velocity in transmitting signals is v.

The node i that forwards the packet, which is at location $l_i$ and receives the packet at time $t_i$, can check the following condition:

$d_b \le |l_i - l_S| + 2v \times (t_i - t_S + \Delta) + \delta$


Defense Against Wormholes

Temporal Leashes: The transmission and reception times of the packets are used for detecting wormholes. When a node A sends or forwards a packet to another node B, it also includes the transmission time tA in the packet PA.

A→B: tA, PA

Node B checks the difference dAB between the transmission time tA and the reception time tB of the packet. If dAB is larger than a given threshold θ, it may indicate a wormhole attack.


Defense Against Wormholes

[Figure: example network with nodes a, b, c, d, e, f, w1 and w2; numeric labels 1 to 6]


Defense Against Sybil

Direct validation: A node directly verifies whether the identity of a neighboring node is valid. For example, a node may assign each of its neighbors a separate channel to communicate on, and ask them to transmit during a period. Then it checks these channels in a random order within that period. If a node is transmitting in its assigned channel, the node is a physical node.

Indirect validation: Another trusted node provides the verification for the identity of the node. For example, every node may share a unique key with the base station. When two nodes need to establish a link between them, they verify each other's identity through the base station by using these keys.

Random key: Random keys assigned to nodes also provide security against Sybil attacks.


Defense Against Selective Forwarding

Acknowledgements: Every intermediate node that forwards a packet waits for an acknowledgement from the next hop. If the next hop node does not return the same number of acknowledgements as the number of packets sent, the node generates an alarm about the next hop node. Compromised nodes can also generate acknowledgements for the packets that they dropped, which makes this scheme fail. Moreover, a malicious node can generate fake alarms to organize a DoS attack.

Multipath routing: This requires at least link disjoint paths, where two paths may share some nodes but not any link. Of course node disjoint paths, where two paths do not have any node in common, are better and reduce the risk of a selective forwarding attack.


Secure Routing in Sensor Networks

- Secure broadcasting for the downstream traffic.

- Secure multicasting for the downstream traffic.

- Secure data aggregation when routing from multiple nodes to a base station.

- Secure data aggregation and multicasting when routing from multiple nodes to multiple base stations or actuators.


Routing that Enhances Security

- Random Walk

- Greedy Random Walk

- Flooding
  - Baseline flooding
  - Probabilistic flooding
  - Flooding with fake messages
  - Phantom flooding


Secure Routing Protocols

- Intrusion Tolerant Routing in Wireless Sensor Networks (INSENS)

- Authenticated Routing for Ad Hoc Networking (ARAN)

- On Demand Secure Ad Hoc Routing (ARIADNE)

- Watchdog Pathrater

- Secure Ad Hoc on Demand Distance Vector (SAODV)

- Secure Link State Routing Protocol (SLSP)


INSENS

- Fixed sensor networks

- Multipath link state routing

- Base station computes and broadcasts the routes


INSENS

- Route Discovery Phase
  - Base station floods a route request message
  - Use TESLA for authentication
  - Every node appends its id and a MAC by using a secret key before forwarding the route request
  - Every node returns a route reply message to the base station after waiting t
  - Base station verifies the MAC, computes the routes, and sends them to the nodes

- Data Forwarding Phase
  Forwarding table entry: <destination, source, immediate sender>
  Example: Route S to D: S → a → b → c → D
  The forwarding table of a: <D, S, S>
  The forwarding table of b: <D, S, a>
  The forwarding table of c: <D, S, b>


ARAN

Dynamic source routing for ad hoc networks

When a node A accesses the network for the first time or needs a certificate for route discovery, it requests the certificate from the trusted server T. The server T first authenticates the node A and sends a certificate to it:

T → A: $\text{certificate}_A$

$\text{certificate}_A = \{IP_A, K_{A+}, t, e\}_{K_{T-}}$

where
$IP_A$ is the IP address of node A,
$K_{A+}$ is the public key of A,
$t$ is the time the certificate is created,
$e$ is the time that the certificate expires,
$K_{T-}$ is the private key of T.


ARAN

A node S that has a valid certificate can start a route discovery for another node D by broadcasting a route discovery packet (RDP):

$S \rightarrow \text{broadcast}: \{RDP, IP_D, \text{certificate}_S, N_S, t\}_{K_{S-}}$

where $N_S$ is a nonce, which is the sequence number, i.e., the source node S monotonically increases the nonce each time it performs a route discovery, to ensure the freshness of the reply message expected from the destination D.


ARAN

When a node receives an RDP message, it first decrypts the message, and then records the neighbor that sent the message as the next hop node for the source node of the message. If the node receives a reply message for this RDP, it just forwards the reply to the neighbor in this record. Finally, it encrypts the message by using its private key, appends its certificate and broadcasts the message.

$B \rightarrow \text{broadcast}: \{\{RDP, IP_D, \text{certificate}_S, N_S, t\}_{K_{S-}}\}_{K_{B-}}, \text{certificate}_B$


ARAN

When destination node D receives the route discovery message from the last node in the route (C in our example), it first verifies the source’s signature, and then prepares a reply (REP) message and unicasts it to C:

$D \rightarrow C: \{REP, IP_S, \text{certificate}_D, N_S, t\}_{K_{D-}}$


ARIADNE

The ARIADNE route discovery process starts with a ‘route request’ that has the following fields:
- Route request
- Source node
- Destination node
- Route request Id
- Time interval
- Hash chain: The hash value created by all the nodes in the route
- Node list: The list of nodes in the route
- MAC list: The list of the MAC values calculated by every node in the route

The hash chain is computed first by the source node S as follows:

h0 = MAC(KSD, REQUEST | S | D | id | ti)

After computing h0, the source node initializes the node list and MAC list fields as empty lists and broadcasts the ‘route request’ message.

S → broadcast: {REQUEST, S, D, id, ti, h0, (), ()}


ARIADNE

Every node that receives a route request first checks the <source, id> fields in its buffer. If this request has already been received, the new request is dropped. The node also checks the time interval. If it is too far in the future or the key associated with it is already disclosed, the packet is discarded. Otherwise the receiving node modifies the hash chain hi. Assume that A is a node one hop from the source node S. It computes h1 as follows:

h1 = H(A, h0)

It also calculates its MAC value by using the next key KAti in the TESLA key chain, adds its address and the MAC value into the ‘route request’ message and broadcasts it:

A → broadcast: {REQUEST, S, D, id, ti, h1, (A), (MA)}

 


ARIADNE

When the destination node receives the ‘route request’, it checks the validity of the request by determining that the keys of the time interval are not disclosed yet, and that the final hash chain is equal to

H(an, H(an-1, H(…, H(a1, MAC(KSD, REQUEST | S | D | id | ti))…)))

where an is the address of the node at position n and there are n nodes in the node list. If both of these conditions hold, the request is valid. Then the destination node D computes the destination MAC MD, prepares a ‘route reply’ message and returns it along the source route that can be obtained by reversing the sequence of hops in the node list of the ‘route request’ message.

D → C: {REPLY, D, S, ti, (A, B, C), (MA, MB, MC), MD, ()}
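The per-hop hash chain and the destination's check described above can be tried out with the following added example, which is not code from the slides or from the ARIADNE authors. HMAC-SHA256 as the MAC, SHA-256 as H, the length-prefixed field encoding, all keys and the helper names are assumptions; the TESLA time-interval check is left out.

```python
import hashlib
import hmac

def _join(*fields: bytes) -> bytes:
    """Length-prefix every field so that field boundaries are unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def mac(key: bytes, *fields: bytes) -> bytes:
    """MAC(key, f1 | f2 | ...); HMAC-SHA256 is an assumption of this example."""
    return hmac.new(key, _join(*fields), hashlib.sha256).digest()

def H(address: bytes, previous: bytes) -> bytes:
    """One hash-chain step h_i = H(a_i, h_{i-1}); SHA-256 is an assumption."""
    return hashlib.sha256(_join(address, previous)).digest()

def new_request(k_sd, source, destination, request_id, interval):
    """Source S: h0 = MAC(K_SD, REQUEST | S | D | id | ti), empty node and MAC lists."""
    h0 = mac(k_sd, b"REQUEST", source, destination, request_id, interval)
    return {"source": source, "destination": destination, "id": request_id,
            "interval": interval, "hash": h0, "nodes": [], "macs": []}

def forward(request, address, tesla_key):
    """Intermediate node: extend the hash chain, append its address and its MAC."""
    nodes = request["nodes"] + [address]
    h = H(address, request["hash"])
    m = mac(tesla_key, b"REQUEST", request["source"], request["destination"],
            request["id"], request["interval"], h,
            _join(*nodes), _join(*request["macs"]))
    return dict(request, hash=h, nodes=nodes, macs=request["macs"] + [m])

def destination_accepts(request, k_sd):
    """Destination D: recompute H(a_n, H(..., H(a_1, h0))) from the node list."""
    expected = mac(k_sd, b"REQUEST", request["source"], request["destination"],
                   request["id"], request["interval"])
    for address in request["nodes"]:
        expected = H(address, expected)
    return hmac.compare_digest(expected, request["hash"])

# Constructed sample: route S -> A -> B -> C -> D with made-up keys and ids.
K_SD = b"constructed key shared by S and D"

def sample_request():
    request = new_request(K_SD, b"S", b"D", b"\x00\x07", b"\x00\x2a")
    for address in (b"A", b"B", b"C"):
        request = forward(request, address, b"constructed TESLA key of " + address)
    return request

def drop_node(request, index):
    """The request as it looks when one hop has been cut out of both lists."""
    nodes = request["nodes"][:index] + request["nodes"][index + 1:]
    macs = request["macs"][:index] + request["macs"][index + 1:]
    return dict(request, nodes=nodes, macs=macs)

if __name__ == "__main__":
    req = sample_request()
    print("honest request accepted:", destination_accepts(req, K_SD))
    print("request with hop B cut out accepted:",
          destination_accepts(drop_node(req, 1), K_SD))
```

Because each hop hashes its own address on top of the value it received, a node list that has been shortened or reordered no longer matches the hash field, and only a holder of KSD can produce a valid h0.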

 


ARIADNE

In the reverse path, every node waits until it can disclose its TESLA key. After that it appends its TESLA key and forwards the message to the next hop in the reverse path.

When the source receives the ‘route reply’ message, it verifies that each key and each MAC are valid. If they are, it accepts the ‘route reply’ message. Otherwise it discards the message. After this the route is maintained in the ‘route cache’ until a ‘route error’ message is received. When an intermediate node B fails to forward a message to the next node C in the route, it generates the following ‘route error’ message and sends it to source node S along the reverse path.


WATCHDOG PATHRATER

Pathrater rates the links based on the reliability of the links and on knowledge about misbehaving nodes. Every node rates every other node in the network. When a link is used successfully, its rate increases. If a link break occurs, the rate of the link decreases. High negative numbers are assigned to the nodes suspected of misbehaving. Paths are rated by averaging the link ratings along the path. When the source node has multiple options to a destination, it selects the path with the highest path rate. Paths that contain misbehaving nodes are avoided. When there is no misbehaving-link-free path to the destination, the source node initiates a ‘route request’ process.


SAODV

To secure the integrity of the hop count, a hash chain is formed by applying a one-way hash function H to a randomly selected seed value s. Before transmitting a route request (RREQ) or route reply (RREP) message, the source sets the hash value h to the seed s. The maximum hop count is assigned the time to live value ttl, and then the top hash value T is computed by applying the hash function ttl times to the seed s.

$h = s$

$T = H^{ttl}(s)$

When a node i receives a message after i hops from the source node, it first checks if the following condition holds:

$T = H^{ttl-i}(h)$


SAODV

Since every intermediate node applies hash function H once to the hash value h in the message before relaying it, when H is applied ttl-i times to the current h, it should give the top hash value T. Otherwise it indicates that either the hash value h or the hop count i is not correct. After this check, node i applies H to h and forwards it.

$h = H(h)$

To protect the integrity of the other fields in the message, the source node signs everything but the hop count and hash value h fields, which are modified by every intermediate node.
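The hop-count check described above, as an added example that is not code from the slides or from the SAODV specification. SHA-256 as H, the field names and the seed are assumptions; the originator's signature over T, ttl and the other fields is not modelled.

```python
import hashlib
import os
from dataclasses import dataclass, replace
from typing import Optional

def H(value: bytes) -> bytes:
    """One-way hash function H (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(value).digest()

def H_times(value: bytes, n: int) -> bytes:
    """Apply H n times: H^n(value)."""
    for _ in range(n):
        value = H(value)
    return value

@dataclass(frozen=True)
class RouteMessage:
    hop_count: int   # changed by every relay, not covered by the signature
    h: bytes         # hash value h, changed by every relay
    top_hash: bytes  # T, fixed by the originator (signed in SAODV)
    ttl: int         # maximum hop count, fixed by the originator (signed)

def originate(ttl: int, seed: Optional[bytes] = None) -> RouteMessage:
    """Originator: h = s and T = H^ttl(s)."""
    s = seed if seed is not None else os.urandom(32)
    return RouteMessage(hop_count=0, h=s, top_hash=H_times(s, ttl), ttl=ttl)

def hop_count_is_consistent(msg: RouteMessage) -> bool:
    """Receiver after i hops: accept only if T == H^(ttl - i)(h)."""
    if not 0 <= msg.hop_count <= msg.ttl:
        return False
    return H_times(msg.h, msg.ttl - msg.hop_count) == msg.top_hash

def relay(msg: RouteMessage) -> RouteMessage:
    """Intermediate node: verify, then h = H(h) and hop count + 1."""
    if not hop_count_is_consistent(msg):
        raise ValueError("hop count and hash value do not match the top hash")
    return replace(msg, hop_count=msg.hop_count + 1, h=H(msg.h))

def claim_hop_count(msg: RouteMessage, hop_count: int) -> RouteMessage:
    """The message with only its hop count field rewritten."""
    return replace(msg, hop_count=hop_count)

if __name__ == "__main__":
    received = relay(relay(relay(originate(5, seed=b"constructed seed"))))
    print("after 3 relays:", hop_count_is_consistent(received))
    print("rewritten to 1 hop:", hop_count_is_consistent(claim_hop_count(received, 1)))
```

The check binds the hop count to the hash value, so a relay cannot announce a smaller hop count than the one it received without inverting H. A relay that forwards the pair it received unchanged still passes, because that pair is itself consistent.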


SLSP

A node V broadcasts its link state data by using an LSU packet.

V → broadcast: {TYPE, R, Zone_R, LSU_Seq, LSU_signature, Hops_Traversed, LS_Data}

where
TYPE is the packet type,
R is the number of hops from the node to the zone boundary,
Zone_R = $H^{R}(X)$,
Hops_Traversed = $H(X)$,
X is a random number,
H is the hash function that every node knows,
LSU_Seq is the sequence number of the LSU packet,


SLSP

Receiving nodes first validate the signature. If the LSU packet is valid, they can derive the link state information in the packet. Then they hash the Hops_Traversed value in the LSU packet.

Hops_Traversed = H(Hops_Traversed)

If the new Hops_Traversed value is equal to the Zone_R value after hashing, it indicates that the packet has reached the boundary of the zone, and should not be forwarded further.


Specific Challenges


Security Protocols for Sensor Networks

- Sensor Network Encryption Protocol (SNEP)
  - Data confidentiality
  - Authentication
  - Integrity
  - Freshness

- µTESLA Authenticated Broadcast

(Perrig A, Szewczyk R, Wen V, Culler D, Tygar J D, ‘SPINS: Security Protocols for Sensor Networks,’ MOBICOM, 2001.)


Sensor Network Encryption Protocol (SNEP)

In SNEP, A sends the following message to B to transmit a data fragment D:

A→B: є, м

where
є is the encrypted data fragment, i.e., є = {D}<Kencr, c>,
м is the MAC, i.e., м = MAC(Kmac, c│є),
c is the counter value.


Sensor Network Encryption Protocol (SNEP)

For strong freshness

- Node A generates a nonce ηA randomly and sends it along with a request message ρA.

A→B: ηA, ρA

- Node B returns the nonce ηA with a response message ρB after a MAC computation.

B→A: {ρB}<Kencr, c>, MAC(Kmac, ηA│c│{ρB}<Kencr, c>)
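The two SNEP message forms above, exercised from both ends in an added example that is not code from the slides or from the SPINS authors. The HMAC-SHA256 keystream standing in for the cipher, HMAC-SHA256 as the MAC, the length byte in front of the nonce, separate constructed keys per direction and all names are assumptions.

```python
import hashlib
import hmac
import os

def keystream(k_encr: bytes, counter: int, length: int) -> bytes:
    """Keystream derived from K_encr and the counter c (stand-in for the cipher)."""
    stream, block = b"", 0
    while len(stream) < length:
        stream += hmac.new(k_encr, counter.to_bytes(8, "big") + block.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        block += 1
    return stream[:length]

def crypt(k_encr: bytes, counter: int, data: bytes) -> bytes:
    """{D}<K_encr, c>: XOR with the keystream, so the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(k_encr, counter, len(data))))

def snep_mac(k_mac: bytes, counter: int, ciphertext: bytes, nonce: bytes = b"") -> bytes:
    """MAC(K_mac, c | E), or MAC(K_mac, nonce | c | E) for strong freshness."""
    message = bytes([len(nonce)]) + nonce + counter.to_bytes(8, "big") + ciphertext
    return hmac.new(k_mac, message, hashlib.sha256).digest()

class SnepState:
    """Keys and counter for one direction; sender and receiver each hold a copy."""

    def __init__(self, k_encr: bytes, k_mac: bytes):
        self.k_encr, self.k_mac, self.counter = k_encr, k_mac, 0

    def seal(self, data: bytes, nonce: bytes = b""):
        """Sending end: returns (E, M) and advances the counter; c is never sent."""
        c = self.counter
        self.counter += 1
        ciphertext = crypt(self.k_encr, c, data)
        return ciphertext, snep_mac(self.k_mac, c, ciphertext, nonce)

    def open(self, ciphertext: bytes, tag: bytes, nonce: bytes = b"") -> bytes:
        """Receiving end: check M against its own counter before decrypting."""
        c = self.counter
        if not hmac.compare_digest(tag, snep_mac(self.k_mac, c, ciphertext, nonce)):
            raise ValueError("MAC mismatch: forged, replayed or stale message")
        self.counter += 1
        return crypt(self.k_encr, c, ciphertext)

def rejected(state: SnepState, ciphertext: bytes, tag: bytes, nonce: bytes = b"") -> bool:
    """True if the receiving end refuses the message (its counter is left unchanged)."""
    try:
        state.open(ciphertext, tag, nonce)
    except ValueError:
        return True
    return False

def run_exchange() -> dict:
    """Constructed exchange: two data fragments A->B, then a nonce-bound reply B->A."""
    a_tx = SnepState(b"constructed K_encr A->B", b"constructed K_mac A->B")
    b_rx = SnepState(b"constructed K_encr A->B", b"constructed K_mac A->B")
    b_tx = SnepState(b"constructed K_encr B->A", b"constructed K_mac B->A")
    a_rx = SnepState(b"constructed K_encr B->A", b"constructed K_mac B->A")
    first, second = a_tx.seal(b"temp=21"), a_tx.seal(b"temp=21")
    result = {"ciphertexts_differ": first[0] != second[0],
              "first": b_rx.open(*first),
              "replay_rejected": rejected(b_rx, *first),
              "second": b_rx.open(*second)}
    nonce_a = os.urandom(8)              # A -> B: nonce and request, in the clear
    reply = b_tx.seal(b"ack", nonce_a)   # B -> A: {reply}, MAC(nonce | c | {reply})
    result["other_nonce_rejected"] = rejected(a_rx, *reply, nonce=os.urandom(8))
    result["reply"] = a_rx.open(*reply, nonce=nonce_a)
    return result

if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(name, value)
```

The counter gives the same plaintext a different ciphertext each time and makes a replayed (є, м) pair fail the MAC check, while the nonce in the MAC ties B's reply to the request A has just sent.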


µTESLA

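[Figure: µTESLA one-way key chain with Ki = F(Ki+1). Time axis with intervals t1, t2, t3, t4, t5, …, tn; packets P1, P2, P3, P4, P5, P6, …, Pk; keys K0, K1, K2, K3, K4, K5, …, Kn.]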


Quarantine Region Scheme

Quarantine region is the region in the coverage area of an anti-node.

[Figure: anti-node, sensor node, quarantine region, quarantined sensor node, sensor range]

(Coskun, V, Cayirci, E., Levi, A., Sancak, S., “Quarantine Region Scheme to Prevent Spam Attacks in Wireless Sensor Networks,” IEEE Transactions on Mobile Computing, Volume 5, No. 8, pp 1074-1086, August 2006.)


Authentication in a Quarantine Region

• Detecting an attack, and declaring a quarantine period,
• Finding quarantined nodes,
• Authentication in quarantine region,
• Cancelling a quarantine period.

[Figure: nodes a to p and the collector]

• d receives authenticated from b, and sends authenticated to j,
• o receives authenticated from l, and sends unauthenticated to p.
• o receives unauthenticated from n, and sends unauthenticated to p.


Quarantine Region

[Figure: quarantined and not quarantined nodes a to k, shown (a) before displacement and (b) after displacement; labels t, c1, c2, c3, k1, k2]


Quarantine Region

[Figure: antinode, quarantine region and buffer zone with quarantined and not quarantined nodes a, b, c, d, e; labels t, c, k, x]


Secure Charging and Rewarding

[Figure: nodes A and B, base stations BSA and BSB, and the infrastructure, with the messages AReq, AConf, BReq, BRep and BConf; labels u, f]

(Salem N B, Buttyan N, Hubaux J, Jakobsson M, ‘A Charging and Rewarding Scheme for Packet Forwarding in Multi-hop Cellular Networks,’ MobiHoc, 2003.)


Secure Charging and Rewarding

- Authenticate the initiating node A, and charge A before its packets are delivered to prevent refusal to pay attacks.

- Authenticate the forwarding nodes to ensure that only the selected nodes can forward and nodes that do not forward cannot claim that they do.

- Reward upstream nodes when the packets from A reach BSA.

- Reward downstream nodes when B acknowledges.

- Charge B when the packets from A are forwarded to B by BSB. Reimburse this charge when B acknowledges.


Secure Charging and Rewarding (Session Establishment - 1)

Source sends a request to BSA: A→BSA: AReq0

AReq0 = AReqID│oldASID│ARoute│TrafficInfo, MAC(KA, AReqID│oldASID│ARoute│TrafficInfo)

Intermediate upstream nodes forward:

AReqi = AReqID│oldASID│ARoute│TrafficInfo, MAC(Ki, AReqi-1)

BSB forwards the request to destination: BSB→B: BReq0

BReq0 = BReqID│oldBSID│BRoute│TrafficInfo

Intermediate downstream nodes forward:

BReqj = BReqID│oldBSID│BRoute│TrafficInfo, MAC(Ki, BReqj-1)


Secure Charging and Rewarding (Session Establishment - 2)

Destination accepts:

BReqj = BReqID, MAC(KB, BReqB-1)

Base stations confirm source and destinations

AConf = AReqID│ASID│AMACA│AMAC1│…….│AMACa

AMACi = MAC(Ki, AReqID│ASID│oldASID│ARoute│TrafficInfo)

BConf = BReqID│BSID│BMACA│BMAC1│…….│BMACa

BMACj = MAC(Kj, BReqID│BSID│oldBSID│BRoute│TrafficInfo)


Secure Charging and Rewarding (Packet Delivery)

Source prepares the packet:

SPkt0,η = SSID│Body0,η

Body0,η = η│Payloadη│MAC(KS, SSID│η│Payloadη)

η is the sequence number

Intermediate nodes forward the packet:

SPkti,η = SSID│Bodyi,η

Bodyi,η = PADi,η Bodyi-1,η

Acknowledging delivery:

DAck = DSID│Batch│LastPkt│LostPkts, MAC(KD, DSID│Batch│LastPkt│LostPkts)


Secure Node Localization

- Techniques against masquerading, replaying and node tampering

- Secure routing techniques

- Multimodal localization schemes, e.g., received signal strength indicator and time difference of arrival

- Assessing the reliability of beacon nodes

- Consistency checks by statistical methods

- Attack resistant node localization schemes


Malicious Beacon Node Detection - 1

- The detecting beacon requests a beacon signal, i.e., Breq, from another beacon node na, the target beacon node. The detecting beacon acts as if it is not a beacon node.

n→na: Breq

- Target beacon sends the beacon signal, i.e., Bbeacon, which includes the location (xa, ya) of the target beacon na.

na →n: Bbeacon


Malicious Beacon Node Detection - 2

- Detecting beacon estimates the distance da to the location (xa, ya) of the target beacon based on the RSSI calculation.

- Since the detecting node knows its own location (x, y), it can calculate the distance d between itself and the target node location sent in Bbeacon. If the difference between the estimated distance da and the calculated distance d is higher than the threshold τ, this may indicate that the target node is malicious.

$\text{if } \left| \sqrt{(x - x_a)^2 + (y - y_a)^2} - d_a \right| > \tau, \text{ it is malicious.}$


Attack Resistant Location Estimation

Inconsistency among the location data can be detected by inspecting the mean square error of estimation (MMSE) given by

$\varepsilon = \dfrac{\sum_{i=1}^{m} \left( d_i - \sqrt{(x - x_i)^2 + (y - y_i)^2} \right)^2}{m}$

where
ε is the mean square error,
(xi, yi) is the location of beacon node i,
(x, y) is the estimated location,
di is the distance to beacon node i,
m is the number of beacon nodes used in the location estimation.
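The malicious beacon check and the mean square error test from the last slides, combined in an added example that is not code from the slides or from the cited schemes. It goes one step beyond the text by also dropping the most inconsistent reference greedily; the linearised least-squares estimator, the error bound max_error, the coordinates and all names are assumptions.

```python
import math

def beacon_is_suspicious(own_location, declared_location, estimated_distance, tau):
    """Detecting beacon: |sqrt((x - xa)^2 + (y - ya)^2) - da| > tau."""
    calculated = math.dist(own_location, declared_location)
    return abs(calculated - estimated_distance) > tau

def estimate_location(references):
    """Least-squares position from (xi, yi, di) tuples.

    Subtracting the last circle equation from the others gives linear equations
    2(xi - xm)x + 2(yi - ym)y = xi^2 - xm^2 + yi^2 - ym^2 - di^2 + dm^2,
    solved here through the 2x2 normal equations.
    """
    xm, ym, dm = references[-1]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for x, y, d in references[:-1]:
        ax, ay = 2 * (x - xm), 2 * (y - ym)
        rhs = x * x - xm * xm + y * y - ym * ym - d * d + dm * dm
        a11 += ax * ax
        a12 += ax * ay
        a22 += ay * ay
        b1 += ax * rhs
        b2 += ay * rhs
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-12:
        raise ValueError("beacon locations are collinear")
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)

def mean_square_error(location, references):
    """epsilon = sum_i (di - sqrt((x - xi)^2 + (y - yi)^2))^2 / m."""
    return sum((d - math.dist(location, (x, y))) ** 2
               for x, y, d in references) / len(references)

def consistent_subset(references, max_error, minimum=3):
    """While epsilon exceeds max_error, drop the reference whose removal lowers it most."""
    refs = list(references)
    while len(refs) > minimum:
        if mean_square_error(estimate_location(refs), refs) <= max_error:
            break
        candidates = [refs[:i] + refs[i + 1:] for i in range(len(refs))]
        refs = min(candidates,
                   key=lambda c: mean_square_error(estimate_location(c), c))
    return refs

# Constructed sample: the node is at (3, 4); four beacons report truthfully and a
# fifth, physically at (10, 10), declares the location (20, 20).
TRUE_POSITION = (3.0, 4.0)
HONEST_BEACONS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (5.0, 12.0)]
MALICIOUS = (20.0, 20.0, math.dist(TRUE_POSITION, (10.0, 10.0)))

def sample_references():
    honest = [(x, y, math.dist(TRUE_POSITION, (x, y))) for x, y in HONEST_BEACONS]
    return honest + [MALICIOUS]

if __name__ == "__main__":
    refs = sample_references()
    print("epsilon, all beacons:", mean_square_error(estimate_location(refs), refs))
    kept = consistent_subset(refs, max_error=0.01)
    print("kept beacons:", [(x, y) for x, y, _ in kept])
    print("estimate:", estimate_location(kept))
```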


Voting Scheme for Location Estimation



Secure Time Synchronization

- Step 1: Node A sends Node B a synchronization message at t1, and the message is received by Node B at t2.

A(t1)→(t2)B: A, B, NA, synch

- Step 2: Node B replies to Node A at t3, and the reply message is received by Node A at t4.

B(t3)→(t4)A: B, A, NA, t2, t3, ack, MAC(KAB, B│A│NA│t2│t3│ack)

- Step 3: Node A calculates RTT. If RTT is smaller than the maximum RTT threshold, the synchronization is accomplished. Otherwise it is aborted.

If (t4 - t1) - (t3 - t1) < θ, proceed.

(Ganeriwal S, Capkun S, Han C, Srivastava M B, ‘Secure Time Synchronization Service for Sensor Networks,’ WiSE, 2005.)


Secure Event & Event Boundary Detection

(Ding M, Chen D, Xing K, and Cheng X, ‘Localized Fault Tolerant Event Boundary Detection in Sensor Networks’, INFOCOM, 2005.)

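1. Faulty Node Detection

[Figure: sensors S1, …, Si, …, Sn with N(S1), N(Si), N(Sn) and N*(Si)]

di = xi – medi

N(Si) N*(Si)
N*(Si) (N(S1) N(Si) N(Sn))
N*(Si) = {S1, …, Si, …, Sn}

$\mu = \dfrac{1}{n} \sum_{i=1}^{n} d_i$

$\sigma = \sqrt{\dfrac{1}{n-1} \sum_{i=1}^{n} (d_i - \mu)^2}$

$y_i = \dfrac{d_i - \mu}{\sigma}$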


Secure Event & Event Boundary Detection

2. Boundary Node Detection

[Figure: sensor Si, its neighborhood N(Si), Sector A, Sector B, Sector C, Event Region E, Out of Event Region E]

1. Construct the set of faulty nodes Ω1.
2. For each sensor Si not in Ω1:
   - Partition N(Si) into sectors.
   - Calculate the difference dij for each sector.
   - Assign the largest dij as the new di for Si.
   - Recalculate the mean μ, standard deviation σ, and yi for N*(Si)-Ω1 and the new di.
   - If |yi| ≥ θ2 after recalculation, Si goes into the set of boundary nodes denoted by Ω2.


Wireless Security Standards


X.800 and IETF RFC2828

• X.800
  • ITU-T recommendation
  • Security architecture for OSI
  • Defines general security-related architectural elements
  • Establishes guidelines and constraints to improve existing recommendations and/or to develop new recommendations

• IETF RFC2828
  • Internet Security Glossary
  • Provides abbreviations, explanations, and recommendations for information system security


Security threats and attacks

• Threats
  • Accidental vs. intentional threats
  • Passive vs. active threats

• Attacks
  • Insider vs. outsider attacks
  • Active vs. passive attacks


Security services

• Authentication service
  • Data origin authentication
  • Peer entity authentication

• Access control

• Data confidentiality
  • Connection confidentiality
  • Connectionless confidentiality
  • Selective field confidentiality
  • Traffic flow confidentiality


Security services

• Data integrity
  • Connection integrity with recovery
  • Connection integrity without recovery
  • Selective field connection integrity
  • Connectionless integrity
  • Selective field connectionless integrity

• Non-repudiation
  • Non-repudiation with proof of origin
  • Non-repudiation with proof of delivery


Security mechanisms

• Specific security mechanisms and pervasive security mechanisms

• Specific security mechanisms
  • Encipherment
  • Digital signature
  • Access control
  • Data integrity
  • Authentication exchange
  • Traffic padding mechanism
  • Routing control
  • Notarization mechanism


Security mechanisms

• Pervasive security mechanisms
  • Trusted functionality
  • Security labels
  • Event detection
  • Security audit trail
  • Security recovery


Relationships between security services and mechanisms

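| Service | Encipherment | Digital signature | Access control | Data integrity | Authentication exchange | Traffic padding | Routing control | Notarization |
|---|---|---|---|---|---|---|---|---|
| Data origin authentication | Y | Y | - | - | - | - | - | - |
| Peer entity authentication | Y | Y | - | - | Y | - | - | - |
| Access control | - | - | Y | - | - | - | - | - |
| Connection Confidentiality | Y | - | - | - | - | - | Y | - |
| Connectionless Confidentiality | Y | - | - | - | - | - | Y | - |
| Selective Field confidentiality | Y | - | - | - | - | - | - | - |
| Traffic Flow Confidentiality | Y | - | - | - | - | Y | Y | - |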


Relationships between security services and mechanisms

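| Service | Encipherment | Digital signature | Access control | Data integrity | Authentication exchange | Traffic padding | Routing control | Notarization |
|---|---|---|---|---|---|---|---|---|
| Connection Integrity with Recovery | Y | - | - | Y | - | - | - | - |
| Connection Integrity without Recovery | Y | - | - | Y | - | - | - | - |
| Selective Field Connection Integrity | Y | - | - | Y | - | - | - | - |
| Connectionless Integrity | Y | Y | - | Y | - | - | - | - |
| Selective Field Connectionless Integrity | Y | Y | - | Y | - | - | - | - |
| Non-repudiation with proof of origin | - | Y | - | Y | - | - | - | Y |
| Non-repudiation with proof of delivery | - | Y | - | Y | - | - | - | Y |

Notes:

Y: the mechanism is considered to be appropriate, either on its own or in combination with other mechanisms

- : the mechanism is considered not to be appropriate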


Placements of security services and mechanisms

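| Service | Layer 1 | Layer 2 | Layer 3 | Layer 4 | Layer 5 | Layer 6 | Layer 7* |
|---|---|---|---|---|---|---|---|
| Data origin authentication | - | - | Y | Y | - | - | Y |
| Peer entity authentication | - | - | Y | Y | - | - | Y |
| Access control | - | - | Y | Y | - | - | Y |
| Connection Confidentiality | Y | Y | Y | Y | - | Y | Y |
| Connectionless Confidentiality | - | Y | Y | Y | - | Y | Y |
| Selective Field confidentiality | - | - | - | - | - | Y | Y |
| Traffic Flow Confidentiality | Y | - | Y | - | - | - | Y |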

Placements of security services and mechanisms

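| Service | Layer 1 | Layer 2 | Layer 3 | Layer 4 | Layer 5 | Layer 6 | Layer 7* |
|---|---|---|---|---|---|---|---|
| Connection integrity with recovery | - | - | - | Y | - | - | Y |
| Connection integrity without recovery | - | - | Y | Y | - | - | Y |
| Selective field connection integrity | - | - | - | - | - | - | Y |
| Connectionless integrity | - | - | Y | Y | - | - | Y |
| Selective field connectionless integrity | - | - | - | - | - | - | Y |
| Non-repudiation with proof of origin | - | - | - | - | - | - | Y |
| Non-repudiation with proof of delivery | - | - | - | - | - | - | Y |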

Y: Service is provided within the layer mentioned.

- : Service is not provided within the layer mentioned

* It should be noted, with respect to layer 7, that the application process may, itself, provide security services

Wired equivalent privacy (WEP)

• WEP-based WLAN configuration

Wired equivalent privacy (WEP)

• WEP encryption principle

[Figure: WEP encryption block diagram. Labels: Initialization Vector (IV), WEP Key, ||, Seed, RC4 PRNG, Key Stream, Plaintext, CRC-32, Integrity Check Value (ICV), ||, +, Cipher-text, IV]

Wired equivalent privacy (WEP)

• WEP decryption principle

[Figure: WEP decryption block diagram. Labels: Message (IV, Cipher-text), WEP Key, ||, Seed, RC4 PRNG, Key Stream, +, Plaintext, ICV, Integrity Algorithm, ICV’, ICV=ICV’?]
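Added example, not from the slides or the textbook: the WEP encryption and decryption flows drawn above, in Python, with a check for repeated IVs under one static key. The 3-byte IV at the front of the frame, the little-endian ICV, the omission of the key ID byte, and the key and sensor readings are assumptions made for this example.

```python
import struct
import zlib
from collections import Counter

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """RC4 PRNG: key-schedule the seed, then emit n key stream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame = IV || ((plaintext || ICV) XOR RC4(IV || key))."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Rebuild the key stream from the received IV, then test ICV = ICV'."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, received_icv = body[:-4], body[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV mismatch: frame rejected")
    return plaintext

def reused_ivs(frames: list) -> list:
    """Defender-side check: IVs seen more than once under one static key."""
    counts = Counter(f[:3] for f in frames)
    return sorted(iv for iv, n in counts.items() if n > 1)

if __name__ == "__main__":
    key, iv = bytes.fromhex("0102030405"), b"\x00\x00\x01"  # constructed values
    a, b = (wep_encrypt(key, iv, p) for p in (b"reading=21.5C", b"reading=22.0C"))
    # Same key and IV: the key stream cancels, leaving plaintext XOR plaintext.
    print(wep_decrypt(key, a), reused_ivs([a, b]), xor(a[3:], b[3:])[:13].hex())
```

A repeated IV under a static key means a repeated key stream, which is why the IV length and key renewal matter for the WEP weaknesses listed next.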

WEP weakness

• Passive attacks to decrypt traffic

• Active attacks to inject traffic

• Active attack from both ends

• Table-based attack

• Monitoring

Wi-Fi protected access (WPA)

• WPA enterprise mode

[Figure: WPA enterprise mode. Labels: WLAN Client, Access Point, LAN, Authentication Server (RADIUS/LDAP), Credentials check & Encryption key distribution]

Wi-Fi protected access (WPA)

• WPA personal mode

[Figure: WPA personal mode. Labels: WLAN Client, Access Point, LAN, Password check & Encryption key distribution]

Wi-Fi protected access (WPA)

• Authentication

• Encryption
  • Using a longer IV (48 bits)
  • Increasing the key size from 40 to 128 bits
  • Renewing encryption key every 10,000 packets
  • Using per packet key mixing of the IV

• Message integrity

WEP and WPA comparison

| | WEP | WPA |
|---|---|---|
| Encryption | Flawed, cracked by scientists and hackers | Fixes all WEP flaws |
| | 40-bit keys | 128-bit keys |
| | Static key – Same key used by everyone on the network | Dynamic session keys, i.e., per user, per session, per packet keys |
| | Manual distribution of keys – Hand typed into each device | Automatic distribution of keys |
| Authentication | Flawed, used WEP key itself for authentication | Strong user authentication, utilizing 802.1X and EAP |

WPA2

• Based on the Robust Security Network (RSN) mechanism

• Support for all mechanisms available in WPA

• Encryption mechanism differs from WPA

• Using Advanced Encryption Standard (AES) with CCMP

Conclusion

Introduction

Physical Protection

Wireless Medium

MAC Layer

Routing Protocols

Transport Layer

Node Localization and Time Synchronization

Conclusion