Copyright © Erdal Cayirci , 20101/326
Security in Wireless Ad Hoc and Sensor Networks
Erdal Cayirci
Electrical Engineering &
Computer Science Department
University of Stavanger
Stavanger, Norway
Head, CAX Support Branch
NATO Joint Warfare Centre
SMC4 Division
Stavanger, Norway

Outline
• Introduction
• Wireless Ad Hoc, Sensor and Mesh Networks
• Security Mechanisms
• Conclusion

Text Book
Security in Wireless Ad Hoc and Mesh Networks
Erdal Cayirci, Chunming Rong
ISBN: 978-0-470-02748-6
Publisher: Wiley and Sons
Copyright: 2009
Published: March/23/2009
Introduction
Taxonomy
Infrastructureless Infrastructured
Ad hoc
Sensor
Mesh
Local
Wide area
Taxonomy
High Tier Low Tier
Terrestrial
Satellite
Aerial
Another approach: licensed vs. unlicensed

Cellular Paradigm
- infrastructured
- single hop
[Figure labels: source, destination]

Ad Hoc Paradigm
- infrastructureless
- multihop
[Figure labels: source, destination]
Ad Hoc Network Applications
• Temporary network deployment
• Disaster relief operations
• Smart buildings
• Cooperative objects (COs)
• Health care
Ad Hoc Networking Challenges
• Wireless medium
• Interference, Hidden Terminal and Exposed Terminal
• Mobility, Node Failures, Self-forming, Self-configuration, Topology Maintenance, Routing and Self-healing
• Node Localization and Time Synchronization
• End-to-end Reliability and Congestion Control
Hidden and Exposed Terminals
[Figure: nodes a, b, c exchanging data; hidden terminal, primary interference]
[Figure: nodes a, b, c, d exchanging data; exposed terminal, overhearing]

Wireless Sensor and Actuator Networks
[Figure legend: sensor node (snode), actuator (anode), collector (cnode), gateway (gnode), wireless link; Task Manager, Users, Proxy Server; Internet, Satellite, etc.]

Wireless sensor and actuator network applications
• Military
• Environmental
• Health
• Home
• Disaster relief
• Space exploration
• Chemical processing
• Other commercial

Fault Tolerance
• Ability to sustain sensor network functionality without any interruption.
• Protocols and schemes should be designed with the target level of fault tolerance.

Scalability
• May reach millions of sensor nodes in studying a phenomenon or stimuli,
• Schemes tend to form clusters,
• Each cluster may have a coverage area of less than 10 meters.
• Each cluster may have several to hundred sensor nodes.
• Density of sensor nodes is high,

Scalability (Cont’d)
• Cluster density:
$\mu(R) = (N \cdot \pi R^2) / A$
where
N : total number of sensor nodes
R : the range of a sensor
A : the area covered by a sensor
N. Bulusu, D. Estrin, L. Girod, and J. Heidemann, “Scalable Coordination for Wireless Sensor Networks: Self-Configuring Localization Systems,” International Symposium on Communication Theory and Applications, Ambleside, UK, July 2001.
Scalability (Cont’d)
• Military Force Tracking System: Less than 50 sensor nodes in a squad, up to 500 nodes in a company.
• Crises Response Management System: Up to 20 million nodes in a city like Istanbul.
• Underwater Surveillance System: Up to 5 hundred nodes for a region 500m×500m.

Production Cost
Nodes must be cheap enough to be scalable.

Sensor Node Hardware
[Figure labels: Power Unit, Power Generator, Sensors, ADC, Processor, Memory, Transceiver, Location Finding System, Mobilizer, Other Interfaces]
• Small,
• Low cost (dispensable),
• Low power,
• Low bit rate,
• Low memory capacity,
• Limited computational power.
Sensor Nodes
Mica2
Telos
Genetlab SenseNode

Sensor Nodes
 | 1980’s-1990’s | 2000-2003 | 2010
Manufacturer | custom contractors | Crossbow, Sensoria, Ember, Genetlab, etc | Dust, Inc, and others
Size | large shoe box | small shoe box | dust particle
Weight | kilograms | grams | negligible
Architecture | separate sensing, proc., comm. units | integrated | integrated
Topology | point-to-point, star | client server, peer-to-peer | peer-to-peer
Power supply | large batteries; hours, days, longer | AA batteries; days-to-weeks | solar; months-to-years
Deployment | vehicle placed or air drop single sensors | hand-emplaced | embedded, sprinkled left behind
C. Chong, S.P. Kumar, “Sensor Networks: Evolution, Opportunities, and Challenges,” Proceedings of IEEE, Vol. 91, No. 8, August 2003.

Topology in sensor and actuator networks
[Figure: three panels, each with nodes a, b, c, d. Legend: sensor node, actuator, collector, gateway, wireless link]
Sensor networks: many-to-one, one-to-many
Semi-automated sensor & actuator networks: many-to-one, one-to-many
Automated sensor & actuator networks: many-to-many

Power Consumption
• Network lifetime depends on battery lifetime
• Generally irreplaceable
• Limited battery (~1 V)

Power Consumption
• In sensor networks, power conservation is of utmost importance.
• Hence, novel power-aware protocols and algorithms are needed.
• In sensor & actuator networks, end-to-end propagation delay may become a parameter conflicting with power consumption in some real-time applications.
• Hence, tradeoff mechanisms between power consumption and end-to-end delay are needed for some sensor & actuator network applications.
• Issues related to battery recovery rate must also be taken into account.

Three Domains of Power Consumption
• Communications
• Data Processing
• Sensing

Power Consumption in Communications
• Transmission and reception energy costs are nearly the same.
• Transceiver circuitry has both active and start-up power consumption.
• Sensors communicate in short data packets.
• Start-up power starts dominating as packet size is reduced.
• Cannot blindly turn off the transceiver during idling.
• Path-loss slope is around four due to low lying antenna.

Power Consumption in Data Processing
• This is much less than the power consumption in communications. For example, a 100 million instructions per second processor can execute 3 million instructions for the energy cost of transmitting 1 KB over a distance of 100 m.
• Therefore, local data processing is crucial in minimizing power consumption in a wireless sensor network.
• However, the energy cost of data processing is not negligible.

Power Consumption in Sensing
Depends on
• The type of sensor:
  - microsensors: active or passive
  - cameras, etc.
• Nature of sensing: sporadic or constant
• Detection complexity
• The interface between the processor and sensors

Mesh Networks
[Figure labels: Cellular, Wireless LAN, Internet, Mesh Client, Mesh Router, Backbone Mesh, Access Mesh]
Mesh Network Applications
• Broadband home networking
• Community and neighborhood networking
• Enterprise networking
• Transportation systems
• Building automation and control networks
Mesh Networking Challenges
• Broadband communications
• Quality of service requirements

Tactical Communications
[Figure legend: radio access point, mobile radio, local area subsystem terminal, wide area subsystem node, wireless communications, non-wireless communications. Labels: external network, mobile subsystem, local area subsystem, local area network, wide area subsystem]

Mobile Subsystem
[Figure legend: mobile radio (MR), cluster head MR, relaying MR, radio access point (RAP), unmanned aerial vehicle (UAV), satellite (SAT), satellite ground terminal antenna]
SATT: SAT tier
UAVT: UAV tier
RAPT: RAP tier
MRT: MR tier
Tactical Communications Challenges
• Multimedia communications
• Multi-tier networking
• Mobile networking
• Mobile and rapidly deployable infrastructure
• Survivable infrastructure
• Tailorable infrastructure
• Multi-functional infrastructure
Tactical Communications Challenges
• Modular infrastructure
• Flexible infrastructure
• Both terrestrial and non-terrestrial networking
• Horizontal and vertical communications ability
• High circuit quality and wide bandwidth
• Secure networking
• Real-time and batch networking
• Ability to operate in every weather and terrain conditions

Factors Influencing the Design
Factor | Ad Hoc | Mesh | Sensor & Actuator
Wireless medium | ISM | ISM | ISM, acoustic, low lying antenna
Networking regime | random one-to-one | random one-to-one, gateway nodes | one-to-many, many-to-one, many-to-many
Traffic | random, multimedia | random, multimedia | temporally and spatially correlated, data
QoS requirements | bandwidth, delay, jitter, reliability | bandwidth, delay, jitter, reliability | power consumption, delay, reliability
Mobility | mobile | typically fixed | generally fixed, network mobility
Fault tolerance | typically no critical point of failure | critical points of failure | critical points of failures, high fault tolerance requirements
Operating environment | typical day to day environment | typical day to day environment | hostile and harsh, often unreachable
Power efficiency | not very critical | not critical | very critical
Scalability | order of hundreds | order of tens | order of thousands
Hardware constraints | laptops, PDAs | no constraint | tiny, low processing and memory capacity
Production cost | no hard constraints | no hard constraints | must be cost effective

Challenges in Practice
[Photo labels: Solar Panel, High Gain GPRS Antenna, Outdoor PIR’s, Outdoor Panel]

Wireless Medium

Channel Capacity
Nyquist:
$C = 2B \log_2 M$
where
C is capacity in bits per second (bps),
B is bandwidth in hertz (Hz),
M is the number of discrete signal levels.
Shannon:
$C = B \log_2(1 + \mathrm{SNR})$
$\mathrm{SNR}_{dB} = 10 \log_{10}(\mathrm{SNR})$

Electromagnetic Spectrum
[Figure: frequency axis from 10^2 to 10^15 hertz (Hertz, Kilohertz, Megahertz, Gigahertz, Terahertz) and wavelength axis from 10^6 to 10^-6 meters. Bands: ELF, VF, VLF, LF, MF, HF, VHF, UHF, SHF, EHF. Regions: Power and Telephone, Radio, Microwave, Infrared, Visible light. Media and uses: twisted pair, coaxial cable, AM radio, FM radio and TV, terrestrial and satellite, optical fiber]
Wavelength = c / f

Antennas
[Figure labels: Omnidirectional (isotropic) Antenna, Directional (isotropic) Antenna; points A and B in each panel]
Antenna gain is a measure of the directionality of an antenna. Antenna gain is defined as the power output, in a particular direction, compared to that produced in any direction by a perfect omnidirectional antenna.

Antennas
[Figure labels: λ/4, λ/2, feeding gap, collinear conductor; Half-wave dipole (Hertz antenna); Quarter-wave dipole (Marconi antenna); Parabolic reflective antenna]

Propagation Modes
Ground wave: f < 2 MHz
Sky wave: 2 MHz < f < 30 MHz
Line of sight: 30 MHz < f
[Figure label: Ionosphere]

Line of Sight
[Figure labels: h1, h2, d1, d2, r]
$d_1 = 3.57\sqrt{k h_1}$
where k is an adjustment factor and generally assumed to be 4/3
$r = 3.57\left(\sqrt{k h_1} + \sqrt{k h_2}\right)$

Satellite Orbits
Type | Latency (ms) | Satellites needed
GEO | 270 | 3
MEO | 35-85 | 10
LEO | 1-7 | 50
[Figure: altitude axis (km) with ticks 0, 5,000, 15,000, 20,000 and 35,800; upper and lower Van Allen belts]

The Principal Satellite Bands
Band | Frequency range | User
L-band | 1530 - 1650 MHz | Inmarsat, air and sea traffic. Meteorological services.
S-band | 2535 - 2655 MHz | Downlink for communication satellites. For example ArabSat and Insat.
C-band | 3700 - 4200 MHz | Downlink for communication satellites. Most satellites in America, Asia and Africa.
C-band | 4500 - 4800 MHz | Downlink for military satellites.
C-band | 5900 - 7000 MHz | Uplink for military and communication satellites.
X-band | 7200 - 7750 MHz | Military satellites, NATO.
X-band | 7900 - 8400 MHz | Uplink military satellites.
Ku-band 1 | 10.700 - 11.750 GHz | Downlink for FSS
Ku-band 2 | 11.750 - 12.500 GHz | Downlink DBS
Ku-band 3 | 12.500 - 12.750 GHz | Downlink for Telecom range
Ku-band | 12.750 - 13.250 GHz | Uplink for telecommunication satellites.
Ku-band | 14.000 - 14.800 GHz | Uplink for telecommunication satellites.
Ku-band | 17.300 - 18.100 GHz | Uplink for telecommunication satellites.
Ka-band | 18.300 - 21.200 GHz | Rarely used. Kopernicus satellites have one of these transponders. Used for some transmissions. In the future it will be more in use because the whole KU band will be used completely.
K-band | 27.500 - 31.000 GHz | Uplink for future telecommunication satellites.

Free Space Loss
$\frac{P_t}{P_r} = \frac{(4\pi d)^2}{\lambda^2} = \frac{(4\pi f d)^2}{c^2}$
where
Pt = signal power at the transmitting antenna
Pr = signal power at the receiving antenna
λ = carrier wavelength
d = propagation distance between antennas
c = speed of light (3 × 10^8 m/s)
$L_{dB} = 10\log\frac{P_t}{P_r} = 20\log\left(\frac{4\pi f d}{c}\right) = 20\log(f) + 20\log(d) - 147.56\ \mathrm{dB}$

Noise
• Thermal noise
  • $N_0 = kT$ (W/Hz)
    where
    k is Boltzmann’s constant (1.3803 × 10^-23 J/K)
    T is absolute temperature in Kelvins.
  • $N = kTB$
  • $N_{dBW} = -228.6 + 10\log T + 10\log B$ dBW
• Intermodulation noise
• Crosstalk
• Impulse noise
$\frac{E_b}{N_0} = \frac{S/R}{N_0} = \frac{S}{kTR}$
$\left(\frac{E_b}{N_0}\right)_{dB} = S_{dBW} - 10\log R + 228.6\ \mathrm{dBW} - 10\log T$
Atmospheric Absorption
• Water vapour and oxygen contribute to attenuation.
• A peak attenuation occurs in the vicinity of 22 GHz.
• At frequencies less than 15 GHz, the attenuation is less.
• Rain and fog cause scattering.
Multipath
Reflection
Scattering
Diffraction

Fading
[Figure: amplitude (dBm, from -130 to -80) against position (m, from 0 to 30), showing slow and fast fading]
Flat (nonselective) fading affects the different spectral components equally. Selective fading affects them unequally.
Directional and Smart Antennas
a. Switched beam.
b. Adaptive.
[Figure label: mobile node]

Software Radios
• Analog to digital conversion (ADC) as close to the antenna as possible
• Generic hardware
• Software implementation of the digital processes
Cognitive Radios
Software radios provide the base to realize cognitive radios that can
- observe the available spectrum and
- choose dynamically the frequency and other parameters to operate.
Data Link Layer
Medium Access and Error Control

Multiple Access Schemes
Contention Based Schemes
- Aloha
- Slotted Aloha
- Carrier Sense Multiple Access (CSMA)
- CSMA / Collision Detection
- CSMA / Collision Avoidance
Conflict Free Schemes
Hybrid
Reservation Based: Packet Reservation Multiple Access, Resource Auction Multiple Access, Dynamic TDMA
Token Based: Packet Reservation Multiple Access, Resource Auction Multiple Access, Dynamic TDMA
Fixed Allocation: Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA)

ALOHA and Slotted ALOHA
• ALOHA
  • Start transmitting whenever you have a frame to send.
  • Retransmit if the transmission is unsuccessful.
• Slotted ALOHA
  • Wait until the beginning of the first time slot for transmission.
[Figure: time axis divided into time slots]

Carrier Sense Multiple Access (CSMA)
• Non persistent CSMA
  • Sense the media, and access if there is no other transmission on the media.
  • If the channel is already in use, wait a random period and then repeat the algorithm.
• P-Persistent CSMA
  • The probability that a node accesses the media when no other transmission is sensed is equal to p.
  • If the channel is already in use, the probability that the node accesses the media in the next time slot is again equal to p.

MACAW
Multiple Access with Collision Avoidance Wireless (MACAW)
[Figure: nodes a to h; exchange between a and b: Request to Send (RTS), Clear to Send (CTS), Data, Acknowledgement]
V. Bharghavan, A. Demers, S. Shenker, L. Zhang, "MACAW: A Media Access Protocol for wireless LAN’s", in Proceedings of ACM SIGCOMM’94, pp. 212-225, 1994.

IEEE 802.11
IEEE 802.11 Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA)
Distributed Coordination Function (DCF)
[Timing diagram between source and destination: DIFS, RTS, SIFS, CTS, SIFS, DATA, SIFS, ACK]
Network Allocation Vector (NAV): Defer access
DIFS: DCF Interframe Space
SIFS: Short Interframe Space

IEEE 802.11 (Cont’d)
IEEE 802.11 Distributed Coordination Function (DCF)
[Figure labels: transmission range, carrier sensing range, carrier sensing zone, Extended Interframe Space]
RTS, CTS frames and inter frame spaces introduce:
• additional overhead and
• additional delay.

Conflict Free Multiple Access Schemes
1. Frequency Division Multiple Access:
Channel = Frequency
2. Time Division Multiple Access:
Channel = Frequency + Time Slice
3. Code Division Multiple Access:
Channel = Code
[Figure: spectrum use under CDMA, FDMA and TDMA]
CDMA
1. Frequency Hopping CDMA,
a. Slow Hopping,
b. Fast Hopping,
2. Direct Sequence CDMA
[Figure: FH-CDMA]

FH-CDMA
Process Gain
PG = 10 log N (dB)
where N is the number of frequency channels used.

DS-CDMA spreading process
[Figure labels: Data, PN, Spread data, Noise]

DS-CDMA spreading process
[Figure: Data (in data (bit) rate) combined with PN (in chip rate) gives Spread Data (in chip rate); Spread Data combined with PN gives Data (in data (bit) rate)]

DS-CDMA Spreading Process
[Block diagram labels. Tx: Data x(t), Rb, Spreading Code G(t), S(t), f0, St(t). Rv: ST(t-Td), f0, F, S(t-Td), Spreading Code G(t-Td), Correlator, Data x(t)]
Rp = CHIP transfer rate
Bc = Rb
Bss = Rp

DS-CDMA
Process Gain
PG = 10 log(Bss/B) (dB)
where B is the bandwidth required for the data rate,
Bss is the bandwidth over which the signal is spread.

CDMA Codes
A spread spectrum code on DS-CDMA is a bit sequence (a sequence of 1s and -1s).
-1 -1 -1 1 -1 -1 1 1 -1 1 -1 1 1 1 1
CDMA sequences can be categorized as
- Pseudo Noise (PN) sequences
  - Short codes
  - Long codes
- Orthogonal codes

Properties of Pseudo Noise Sequences
Balance property: The difference in the number of 1s and -1s in a pseudonoise sequence cannot be higher than one.
-1 -1 -1 1 -1 -1 1 1 -1 1 -1 1 1 1 1
(15 chips, 7 of them are -1s, and 8 of them are 1s.)
Run property: 50% of runs must be -1 runs, and the other 50% must be 1 runs, and 1/2^n of runs must be n length runs.
-1 -1 -1 1 -1 -1 1 1 -1 1 -1 1 1 1 1
(8 runs, 4 of them are -1 runs, and 4 of them are 1 runs.)
Auto-correlation property: The number of chips that are the same differs from those that are different by at most 1 when a pseudonoise sequence is compared chip by chip with any cycle of shift of itself.

Auto-correlation
Auto-correlation is the correlation of a code with any cycle of shift of itself.
$C_k = \sum_{n=1}^{N} a_n a_{n+k}$
Example: -1 -1 1 1 -1 1 -1, N=7
C0 = 7 and C7 = 7
C1 = 1 -1 1 -1 -1 -1 1 = -1
C2 = -1 -1 -1 1 1 -1 1 = -1
C3 = -1 1 1 -1 1 -1 -1 = -1
C4 = 1 -1 -1 -1 1 1 -1 = -1
C5 = -1 1 -1 -1 -1 1 1 = -1
C6 = 1 1 -1 1 -1 -1 -1 = -1

Linear Maximal Length Sequence Generator
[Figure: shift register stages X1 X2 X3 X4 holding 1 -1 -1 -1, with OUTPUT]
OUTPUT : -1 -1 -1 1 -1 -1 1 1 -1 1 -1 1 1 1 1
p = 2^n - 1
where p is the length of the sequence and
n is the number of bits in the shift register.
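
The generator and the three pseudonoise properties can be checked directly. This is an added example, not code from the original slides: the feedback taps (new X1 = X3 XOR X4), the shift direction and the mapping of bit 0 to chip -1 are assumptions chosen so that the register reproduces the OUTPUT line above, and the second tap set (X2 XOR X4) is a constructed non-maximal generator shown for contrast.

```python
from itertools import groupby

# Chip sequence printed on the slide as the generator OUTPUT.
SLIDE_OUTPUT = [-1, -1, -1, 1, -1, -1, 1, 1, -1, 1, -1, 1, 1, 1, 1]


def _step(state, taps):
    """Shift right by one stage; the new X1 is the XOR of the tapped stages."""
    feedback = 0
    for t in taps:
        feedback ^= state[t - 1]          # taps are 1-based stage numbers
    return [feedback] + state[:-1]


def lfsr_chips(state, taps, length):
    """Return `length` chips read from the last stage (bit 1 -> +1, bit 0 -> -1)."""
    state = list(state)
    chips = []
    for _ in range(length):
        chips.append(1 if state[-1] else -1)
        state = _step(state, taps)
    return chips


def period(state, taps):
    """Shifts needed to return to the starting state.
    Assumes the last stage is tapped, which makes the state update invertible."""
    start = list(state)
    current, steps = _step(start, taps), 1
    while current != start:
        current, steps = _step(current, taps), steps + 1
    return steps


def balance(chips):
    """(number of +1 chips, number of -1 chips)."""
    return chips.count(1), chips.count(-1)


def runs(chips):
    """List of (chip value, run length) in order of appearance."""
    return [(value, len(list(group))) for value, group in groupby(chips)]


def autocorrelation(chips, k):
    """C_k = sum over n of a_n * a_(n+k), with the index taken cyclically."""
    n = len(chips)
    return sum(chips[i] * chips[(i + k) % n] for i in range(n))


def check_pn(chips):
    """Evaluate the balance, run and auto-correlation properties."""
    ones, minus_ones = balance(chips)
    run_list = runs(chips)
    total = len(run_list)
    plus_runs = sum(1 for value, _ in run_list if value == 1)
    # Run property: equal split by sign, and 1/2^L of the runs have length L
    # (checked for every L for which that fraction is at least one run).
    runs_ok = abs(2 * plus_runs - total) <= 1
    length = 1
    while total / 2 ** length >= 1:
        count = sum(1 for _, run_len in run_list if run_len == length)
        runs_ok = runs_ok and count == total / 2 ** length
        length += 1
    off_peak = [autocorrelation(chips, k) for k in range(1, len(chips))]
    return {
        "balance": abs(ones - minus_ones) <= 1,
        "runs": runs_ok,
        "autocorrelation": all(abs(c) <= 1 for c in off_peak),
    }


if __name__ == "__main__":
    start = [1, 0, 0, 0]                      # X1..X4 = 1 -1 -1 -1
    maximal = lfsr_chips(start, (3, 4), 15)   # assumed taps, period 2^4 - 1
    weak = lfsr_chips(start, (2, 4), 15)      # constructed non-maximal taps
    print("maximal:", maximal, period(start, (3, 4)), check_pn(maximal))
    print("weak:   ", weak, period(start, (2, 4)), check_pn(weak))
```

A generator that falls short of the maximal period fails all three checks, which is why the sequence length p = 2^n - 1 is worth verifying before a code is assigned.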

Short and Long Codes
• Short codes can generally be transferred in the duration of a symbol. In IS-95, the length of short codes is 2^15 - 1, and they can be transferred in 26.67 seconds when chip rate is 1.2888 Mcps. They are generally used in downlink to identify cells or location areas in cellular networks.
• In IS-95, the length of long codes is 2^42 - 1, and they can be transferred in 44.5 days when chip rate is 1.2888 Mcps. They are generally used in uplink to identify mobile terminals.

# of Terminals that can Share a Sequence
• A good pseudonoise sequence is different enough from any shifted version of itself. Shifting only one chip is enough to obtain a different pseudonoise from the original. However, the difference between the pseudonoises assigned to different terminals must be high enough to compensate the differences in propagation delays.
Example:
[Figure: distance of 15.6 km]
Chip rate = 3.6864 Mcps
# of bits in maximal length code generator: n = 15
The length of sequence: p = 2^15 - 1 = 32767
The delay for 15.6 km: td = 15.6/300000 = 0.052 msec
# of chips that can be transferred in td: s = 0.052 × 3,686.4 = 192 chips
# of available codes: d = 32,767/192 = 170
Orthogonal Codes
• Orthogonal codes are used for channelization in downlink.
• Their autocorrelation is generally very low.
• However, their cross correlation is 0.

Cross-correlation
Cross-correlation is the correlation of a code with all of the shifted versions of another code.
$R_k = \sum_{n=1}^{N} a_n b_{n+k}$
Example: a = { -1 1 -1 1 }, N=4
b = { -1 -1 1 1 }, N=4
R0 = 0 and R4 = 0
R1 = 1 1 -1 -1 = 0
R2 = -1 1 1 -1 = 0
R3 = -1 -1 1 1 = 0
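
Walsh Hadamard Codes
$H_1 = \begin{bmatrix} 0 \end{bmatrix}$
$H_2 = \begin{bmatrix} 0 & 0 \\ 0 & 1 \end{bmatrix}$
$H_{2n} = \begin{bmatrix} H_n & H_n \\ H_n & \overline{H_n} \end{bmatrix}$
$H_4 = \begin{bmatrix} 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 1 \\ 0 & 1 & 1 & 0 \end{bmatrix}$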
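
The recursive construction above and the use of orthogonal codes for downlink channelization can be worked through in code. This is an added example, not code from the original slides: the bit-to-chip mapping (0 to -1, 1 to +1), the three channels and their data symbols are constructed for illustration. It also goes one step beyond the slides by measuring cross-correlation between codes at non-zero chip offsets, where orthogonality is no longer guaranteed.

```python
def hadamard(order):
    """Rows of H_order, built from H_1 = [0] with H_2n = [[H_n, H_n], [H_n, not H_n]]."""
    if order < 1 or order & (order - 1):
        raise ValueError("order must be a power of two")
    rows = [[0]]
    while len(rows) < order:
        rows = ([r + r for r in rows] +
                [r + [1 - b for b in r] for r in rows])
    return rows


def to_chips(bits):
    """Map code bits to chips (assumed mapping: 0 -> -1, 1 -> +1)."""
    return [1 if b else -1 for b in bits]


def cross_correlation(a, b, k):
    """R_k = sum over n of a_n * b_(n+k), with the index taken cyclically."""
    n = len(a)
    return sum(a[i] * b[(i + k) % n] for i in range(n))


def spread(symbols, code):
    """Replace every +1/-1 data symbol by the code multiplied by that symbol."""
    return [s * c for s in symbols for c in code]


def despread(signal, code):
    """Correlate each code-length block of the received signal with the code."""
    n = len(code)
    return [sum(x * c for x, c in zip(signal[i:i + n], code)) / n
            for i in range(0, len(signal), n)]


def downlink_demo():
    """Three synchronous channels share the medium; each is recovered exactly."""
    codes = [to_chips(r) for r in hadamard(4)]
    # Constructed data symbols, keyed by the row of H_4 used as channel code.
    data = {1: [1, -1, 1], 2: [-1, -1, 1], 3: [1, 1, -1]}
    streams = [spread(symbols, codes[row]) for row, symbols in data.items()]
    composite = [sum(chips) for chips in zip(*streams)]   # chip-aligned sum
    recovered = {row: despread(composite, codes[row]) for row in data}
    unused = despread(composite, codes[0])                # no one sent on row 0
    return data, recovered, unused


def worst_offset_correlation(codes):
    """Largest |R_k| between two different codes at any non-zero chip offset."""
    worst = 0
    for i, a in enumerate(codes):
        for j, b in enumerate(codes):
            if i != j:
                for k in range(1, len(a)):
                    worst = max(worst, abs(cross_correlation(a, b, k)))
    return worst


if __name__ == "__main__":
    print("H4 =", hadamard(4))
    sent, got, idle = downlink_demo()
    print("sent:", sent)
    print("recovered:", got, "idle channel:", idle)
    codes4 = [to_chips(r) for r in hadamard(4)]
    print("worst offset correlation in H4:", worst_offset_correlation(codes4))
```

The zero cross-correlation holds for chip-aligned codes, which fits their use in the downlink; at a one-chip offset two rows of H_4 correlate fully.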

Variable Length Orthogonal Codes
[Figure: variable length orthogonal codes]

The Advantages of CDMA
• CDMA has a soft capacity limited by interference. The decrease in interference will directly increase the capacity:
  • Voice channels are generally utilized 3/8 of time.
  • Multi-beamed and multisectored antennas can reduce the interference.
• In FDMA and TDMA, some capacity between frequency channels is wasted.
• In CDMA, all the frequencies can be reused in the neighboring cells.
• In FDMA and TDMA, the frequency channel must be changed during handoff, i.e., hard handoff. This is not necessary in CDMA, i.e., soft handoff.
• CDMA needs power control, which actually decreases the interference and increases the capacity.
• CDMA naturally provides frequency diversity, which means additional security and reliability, especially for military systems.
The Capacity of CDMA
BSMSN
RS
NEb
)(0
where
S is the power of the signal at the receiver
R is the bit rate of the channel (bps)
N is the number of channels used for the voice traffic
is the voice activity factor for the voice channels
M is the number of channels used for the constant bit rate traffic
is all the other noise over the media
B is the bandwidth of the channels (Hz).
The Capacity of CDMA
SMNR
B
NEb
)(0
N+M = (B/R) / (Eb/N0)
N = (((B/R) / (Eb/N0)) -1) / when only voice
N = (((B/R) / (Eb/N0)) -1) / ( + 0.247) when remote cell interference applied
Example
B: 5 MHz, BFDMA: 30 KHz, BTDMA= 200 KHz
Eb/N0: 5, =3/8, R: 9.6 kbps
nt: 8 (# of time slots in each TDMA frame)
: 4 (frequency reuse factor)
no gaps between frequency channels, all voice channels,
SOFT
For CDMA N = (((5000000/9600) / 5) – 1) / (3/8 + 0.247) = 166 voice channels
For TDMA N = ((5000000/200000)/4) × 8 = 50 voice channels
For FDMA N = (5000000/30000)/4 = 42 voice channels

Token Based Dynamic Conflict Free Schemes
[Figure label: token]
Reservation Based Dynamic Conflict Free Schemes
- Packet Reservation Multiple Access – PRMA
- Dynamic TDMA – DTDMA
- Resource Auction Multiple Access – RAMA

Reservation Based Hybrid Schemes
PRMA: frame of S slots (R: reserved slots, A: available slots): R A A ... R
D-TDMA: frame of Sr reservation slots, Sv voice slots (1 2 3 ... Sv) and Sd data slots, with a variable border
RAMA: frame of Sa auction slots, Sv voice slots (1 2 3 ... Sv) and Sd data slots, with a variable border

Reservation Based Hybrid Schemes
[Timing diagram labels: Ts, Td, Auction Slot, Auction Allocation, time, Uplink, Downlink, Bit transfer time, Propagation and processing delay]

MAC for Ad Hoc and Sensor Networks

CSMA-based MACs
• Contention based medium access
• Traditional CSMA schemes are inappropriate
  • Assume stochastically distributed traffic
  • Support point-to-point independent flows
• Traffic in sensor networks is
  • Highly correlated
  • Dominantly periodic
  • Variable

Other CSMA-based MACs for Ad Hoc Networks
Piconet: F. Bennett, D. Clarke, J.B. Evans, A. Hopper, A. Jones, and D. Leask, “Piconet: Embedded mobile networking”, IEEE Personal Communications Magazine, vol. 4, no. 5, pp. 8–15, Oct. 1997.
Tseng et al.: Y. Tseng, C. Hsu, and T. Hsieh, “Power-saving protocols for IEEE 802.11-based multi-hop ad hoc networks”, in Proceedings of the IEEE Infocom, New York, NY, June 2002, pp. 200–209.
SEEDEX: R. Rozovsky and P.R. Kumar, “Seedex: A MAC protocol for ad hoc networks”, in Proceedings of the 2nd ACM International Symposium on Mobile ad hoc networking and computing, pages 67-75, New York, NY, USA, 2001. ACM Press.
RBAR: G. Holland, N. Vaidya, and P. Bahl, “A rate-adaptive MAC protocol for multi-hop wireless networks”, in Proceedings of ACM MOBICOM'01, Rome, Italy, 2001.
OAR: B. Sadeghi, V. Kanodia, A. Sabharwal, and E. Knightly, “Opportunistic Media Access for Multirate Ad Hoc Networks”, in Proceedings of ACM MobiCom'02, Atlanta, GA, September 2002.
Woo & Culler: A. Woo and D. Culler, “A transmission control scheme for media access in sensor networks”, in Proceedings of the ACM/IEEE International Conference on Mobile Computing and Networking, Rome, Italy, July 2001, pp. 221–235, ACM.

Sensor MAC (S-MAC)
W. Ye, J. Heidemann, and D. Estrin, “An energy-efficient MAC protocol for wireless sensor networks”, in Proceedings of the IEEE Infocom, New York, NY, June 2002, pp. 1567–1576.
• Each node obeys its neighbors’ schedule if one was heard, otherwise chooses and broadcasts one
• Schedule table is maintained locally and updated after receiving SYNC packets
• Sleep period does not hinder a transmission
[Figure: alternating Listen and Sleep periods; SYNC and RTS, CTS in each Listen period]

Sensor MAC (S-MAC)
• Collision avoidance: similar to 802.11 DCF
• Overhearing: duration field of the packets
• Idle listening: low-duty cycle and virtual clusters
• Required synchronization is embedded at the start of the listen interval
• Message passing and adaptive listening techniques for optimizing the latency

Timeout MAC (T-MAC)
T. van Dam and K. Langendoen, “An Adaptive Energy-Efficient MAC Protocol for Wireless Sensor Networks”, ACM SenSys, Los Angeles, CA, November, 2003.
• Clustering and synchronization as in S-MAC
• Adaptive duty cycle to handle load variations in time and location (i.e. near the sink)
• Fixed contention interval
[Figure: Active Time and Sleep periods; TA, TX/RX]

Timeout MAC (T-MAC)
• Buffer capacity and time-out period “TA” are the key properties
• Solutions to early sleeping problem:
  • Future RTS packet: to get an appointment from the intended receiver for the next available moment
  • Full buffer priority scheme: refuse an RTS and issue own RTS to empty the buffer
Power Control
Power control schemes can be classified as:
• Open Loop / Closed Loop / Combined Open and Closed Loop
• Centralized / Distributed
• RSSI-based / SIR-based / BER-based
• Continuous Power / Discrete Power
• Fixed Step Size / Adaptive Step Size
• Common Power Control / Independent Power Control

BASIC
E.-S. Jung and N.H. Vaidya, “A Power Control MAC Protocol for Ad Hoc Networks,” MOBICOM 2002, September 2002.
[Figure: nodes a to h; ranges rmax and rmin]
• RTS and CTS are transmitted at the maximum power (rmax).
• DATA and ACK are transmitted at the minimum power required (rmin).
• To improve the performance of BASIC scheme, the transmission power is periodically increased while a DATA frame is being transmitted.

Power Controlled S-MAC (PCSMAC)
[Figure: nodes a to f; ranges rmax, rab, rae, raf, rbc, rbd; frame with Active and Sleep periods carrying SYNC, RTS, CTS, SDSH, DATA, ACK]
Both open loop and closed loop, distributed, RSSI-based, fixed step size, discrete and independent.
SYNC: rmax
RTS: open loop, max(rab, rae, raf).
CTS, ACK: open loop, max(rab, rbc, rbd).
SDSH: open loop, max(rab, rae, raf).
DATA: closed loop, rab.
P.C. Nar, E. Cayirci, “PCSMAC: A Power Controlled Sensor MAC Protocol for Wireless Sensor Networks,” EWSN 2005.

SMACS and EAR
(K. Sohrabi et al., “Protocols for Self-Organization of a Wireless Sensor Network”, IEEE Personal Communications, October 2000.)
• Each node maintains its own frame (superframe).
• Time slots are wasted if nothing to transmit.
• Uses FDMA or CDMA for multiple access.
• Neighbor discovery and channel assignment combined.
• Random wake up during connection phase.
[Figure labels: TA, TB, fX, Transmitting slot, Receiving slot, Connection messaging]
NAMA, LAMA, PAMA
• Contention resolution schemes for packet radio networks.
• 2-hop neighborhood awareness is essential, which requires a random access period for distributing one-hop neighbor information.
• Nodes unelected during a time slot switch to receive mode.
L. Bao and J.J. Garcia-Luna-Aceves, “A new approach to channel access scheduling for ad hoc networks”, In The seventh annual international conference on Mobile computing and networking 2001, pages 210-221, 2001.
TRAMA
• Contention resolution scheme for wireless sensor networks inspired by NAMA/LAMA/PAMA.
• Nodes unelected during a time slot switch to sleep mode, instead of receive mode.
V. Rajendran, K. Obraczka, and J.J. Garcia-Luna-Aceves, “Energy-Efficient, Collision-Free Medium Access Control for Wireless Sensor Networks”, ACM SenSys, Los Angeles, CA, November, 2003.
EMACS
• Assumes a clustering scheme exists in the WSN.
• Each time slot = CR + TC + Data parts.
• CR (Communication Request), TC (Traffic Control)
• Sleeping nodes do not own a timeslot.
• Two types of sleep mode: standby and dormant.
• Integrated, collaborative approach that is part of the EYES project.
S. Dulman, L. van Hoesel, T. Nieberg, and P. Havinga, “Collaborative communication protocols for wireless sensor networks”, European research on middleware and architectures for complex and embedded cooperative systems, workshop held in conjunction with IEEE ISADS 2003, Pisa, Italy, pp. 3-7, ISBN 0-7695-1876-1, April 2003.
Ad Hoc Networks and Network Layer
Routing
• Flooding
• Distance Vector
• Link State
[Figure: example network topology with nodes s, r and a to m; legend: router, router or switch]
Distance Vector
[Figure: routers g, h, i, k, l, m joined by links with costs]
Table of g (previous)
Dest.  Gateway  Cost
h      h        4
i      h        10
l      h        12
k      h        9
m      h        13
Table of i (previous)
Dest.  Gateway  Cost
g      g        5
h      h        16
l      l        3
k      l        6
m      l        7
Table of g (modified)
Dest.  Gateway  Cost
h      h        4
i      i        5
l      i        8
k      h        9
m      i        12
Count to Infinity Problem for Distance Vector
A is down at the beginning. A comes up.
A   B   C   D   E
    1               after 1 exc.
    1   2           after 2 exc.
    1   2   3       after 3 exc.
    1   2   3   4   after 4 exc.
The algorithm reacts rapidly to good news. In N exchanges, everyone knows about the new router, where the longest path is N hops.
A is up at the beginning. A goes down.
A   B   C   D   E
    1   2   3   4   A is up at the beginning
    3   2   3   4   after 1 exc.
    3   4   3   4   after 2 exc.
    5   4   5   4   after 3 exc.
    5   6   5   6   after 4 exc.
    7   6   7   6   after 5 exc.
    7   8   7   8   after 6 exc.
    9   8   9   8   after 6 exc.
It repeats until infinity. What is infinity? It is the highest number of hops plus 1, if the paths are measured according to the number of hops. What if we use delay?
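The exchange tables on this slide can be reproduced with a short simulation. This is an added example, not part of the original slides; the synchronous exchange model and the function names are assumptions, and the last function shows how the chosen value of infinity bounds the number of exchanges after a failure.

```python
INF = float("inf")

def exchange(dist, a_dist, infinity):
    """One simultaneous exchange on the chain A-B-C-D-E.

    dist holds the hop counts to A kept by B, C, D, E; a_dist is what A itself
    advertises (0 when up, infinity when down). Every router recomputes its
    value from what its neighbours advertised in the previous round.
    """
    new = []
    for i in range(len(dist)):
        left = a_dist if i == 0 else dist[i - 1]               # B's left neighbour is A
        right = dist[i + 1] if i + 1 < len(dist) else infinity  # E has no right neighbour
        new.append(min(infinity, 1 + min(left, right)))
    return new

def run(dist, a_dist, infinity, rounds):
    """Return the table row after each of `rounds` exchanges."""
    rows = []
    for _ in range(rounds):
        dist = exchange(dist, a_dist, infinity)
        rows.append(list(dist))
    return rows

def exchanges_until_unreachable(infinity, routers=4):
    """Exchanges needed after A fails before every router marks A unreachable."""
    dist = list(range(1, routers + 1))   # converged state while A was up
    count = 0
    while any(d < infinity for d in dist):
        dist = exchange(dist, infinity, infinity)
        count += 1
    return count

if __name__ == "__main__":
    print("A comes up:")
    for row in run([INF] * 4, 0, INF, 4):
        print(row)
    print("A goes down:")
    for row in run([1, 2, 3, 4], INF, INF, 6):
        print(row)
    # Infinity = longest path (4 hops) + 1, as on the slide, versus RIP's 16.
    print(exchanges_until_unreachable(5), exchanges_until_unreachable(16))
```

With infinity set to the longest path plus 1 the chain gives up on A after 4 exchanges; with RIP's value of 16 the same failure takes 15.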
Link State
[Figure: routers g, h, i, k, l, m joined by links with costs, each annotated with its link state]
Router  Link state (Neighbor: Cost)
g       h: 4, i: 5
l       i: 3, m: 4, k: 3
k       l: 3, m: 4, h: 5
i       h: 6, g: 5, l: 3
h       i: 6, g: 4, k: 5
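How router g turns the flooded link states on this slide into a routing table, as an added example that is not part of the original slides. It runs Dijkstra's algorithm over the five advertisements shown and arrives at the same entries as "Table of g (modified)" on the distance vector slide; the cost-agreement check between the two ends of a link is an assumption added here as a sanity test on received advertisements.

```python
import heapq

# Link states as listed on the slide (router -> {neighbour: cost}). The slide
# shows no advertisement from m, so m is known only through l and k.
LINK_STATES = {
    "g": {"h": 4, "i": 5},
    "l": {"i": 3, "m": 4, "k": 3},
    "k": {"l": 3, "m": 4, "h": 5},
    "i": {"h": 6, "g": 5, "l": 3},
    "h": {"i": 6, "g": 4, "k": 5},
}

def build_graph(link_states):
    """Merge advertisements into an undirected graph.

    Returns (graph, conflicts); a conflict is a link whose two ends advertise
    different costs, reported once as (router, neighbour, cost, other_cost).
    """
    graph, conflicts = {}, []
    for router, nbrs in link_states.items():
        for nbr, cost in nbrs.items():
            other = link_states.get(nbr, {}).get(router)
            if other is not None and other != cost and router < nbr:
                conflicts.append((router, nbr, cost, other))
            graph.setdefault(router, {})[nbr] = cost
            graph.setdefault(nbr, {}).setdefault(router, cost)
    return graph, conflicts

def routing_table(graph, source):
    """Dijkstra's shortest paths: destination -> (gateway, cost)."""
    table, done = {}, set()
    heap = [(0, source, None)]
    while heap:
        cost, node, gateway = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if node != source:
            table[node] = (gateway, cost)
        for nbr, weight in graph[node].items():
            if nbr not in done:
                first_hop = nbr if node == source else gateway
                heapq.heappush(heap, (cost + weight, nbr, first_hop))
    return table

if __name__ == "__main__":
    graph, conflicts = build_graph(LINK_STATES)
    print("conflicting advertisements:", conflicts)
    for dest, (gateway, cost) in sorted(routing_table(graph, "g").items()):
        print(dest, gateway, cost)
```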
Routing in the Internet
• Interior Gateway Protocols
  • RIP (distance vector)
  • OSPF (link state)
  • IS-IS (link state)
• Exterior Gateway Protocols
  • BGP
[Figure: Network 1, Network 2, Network 3, Network 4, Network 5]
Mobile IP
• Addressing is the main issue.
• Care-of address advertisements vs requests.
• Address bindings that need periodical refresh.
• Secure authentication.
[Figure: Home LAN with home agent and Foreign LAN with foreign agent, connected by tunneling; home address and care-of address are marked]
Quality of Service
Application        Reliability  Delay   Jitter  Bandwidth
E-mail             High         Low     Low     Low
File transfer      High         Low     Low     Medium
Web access         High         Medium  Low     Medium
Remote login       High         Medium  Medium  Low
Audio on demand    Low          Low     High    Medium
Video on demand    Low          Low     High    High
Telephony          Low          High    High    Low
Videoconferencing  Low          High    High    High
Quality of Service
• Techniques
  • Overprovisioning
  • Buffering
  • Traffic shaping
    – Leaky bucket
    – Token bucket
  • Resource reservation
  • Admission control
  • Proportional routing
  • Packet scheduling
Quality of Service
• Protocols
  – Integrated Services (IntServ)
  – Resource reSerVation Protocol (RSVP)
  – Differentiated Services
  – MultiProtocol Label Switching (MPLS)
Ad Hoc Networks
- no fixed infrastructure
- multihop
- no centralized administration
- nodes act both as a host and a router
- wireless medium
- topology changes
- resources are limited
Ad Hoc Network Architectures
• Flat architectures (not scalable)
• Hierarchical architectures (cluster-based)
[Figure: flat architecture and hierarchical architecture with tier-1 and tier-2]
Scheduling in Ad Hoc Networks
• A MAC layer related challenge.
• Important when TDMA is used.
• Can be defined as: “schedule a time slot $t_i$ for every node $i$ such that $\sum_{i=1}^{n} t_i$ is minimized”, where n is the total number of nodes that have something to transmit.
• Must tackle the interference problem.
[Figure: Primary Interference among nodes a, b, c; Secondary Interference among nodes a, b, c, d]
Topology Maintenance in Ad Hoc Networks
Topology maintenance schemes can be classified as:
1. According to control packet traffic generated for topology maintenance:
- Active
- Passive
2. According to the frequency of control packets
- On demand (event driven)
- Continuous (time driven)
3. According to the storage of topology data
- Central
- Distributed
Ad Hoc Routing Algorithms
Table Driven (Proactive)
• DSDV: Destination sequenced distance vector
• CGSR: Cluster-head gateway switching routing
• WRP: Wireless routing protocol
On Demand (Reactive)
• AODV: Ad hoc on demand distance vector
• DSR: Dynamic source routing
• LMR: Lightweight mobile routing
• TORA: Temporally ordered routing
• ABR: Associativity based routing
• SSR: Signal stability routing
Fisheye Approach
[Figure: node s surrounded by nodes a to g at increasing distance]
The accuracy of the topology data is higher for closer nodes.
Wireless Routing Protocol (WRP)
• DSDV and CGSR are based on the Bellman-Ford algorithm and they suffer from the count-to-infinity problem.
• WRP is a table-based proactive routing protocol that is based on a path-finding algorithm.
• In WRP each node in the network maintains four tables:
  • Distance table
  • Routing table
  • Link-cost table
  • Message retransmission list
Wireless Routing Protocol (WRP)
• WRP uses both periodic and event triggered (in case of a link status change) update messages for topology maintenance. Update messages are exchanged among the neighboring nodes.
• Every node broadcasts a periodic update (HELLO message) reporting no changes if it does not report an update for a specific time period. Periodic updates are not acknowledged.
• Event triggered updates are broadcasted when topology changes are detected, and acknowledged by the related nodes.
Ad Hoc On Demand Distance Vector (AODV)
• AODV is an improved version of DSDV and CGSR:
– AODV is based on a route discovery process whereas DSDV is based on periodic update messages.
– DSDV maintains all the routes whereas AODV maintains a route only when needed.
Ad Hoc On Demand Distance Vector (AODV)
• Path discovery is initiated by a route request (RREQ) packet.
RREQ Packet fields: Source addr, Source seq #, Broadcast id, Destination addr, Destination seq #, Hop count
Routing Table fields: Destination, Destination seq #, Next hop, Active neighbors, # of hops, Expiration time
[Figure: network with source s, destination d and intermediate nodes a, b, c, e, f, g, h]
Dynamic Source Routing (DSR)
• Route discovery and route maintenance modes.
• It is based on source routing.
[Figure: network with source s, destination d and intermediate nodes a, b, c, e, f, g, h]
Temporally Ordered Routing Algorithm (TORA)
• TORA has three basic functions:
  • Route creation
  • Route maintenance
  • Route erasure
• A height metric is used by the nodes in route creation and maintenance in order to establish a directed acyclic graph. The height metric is related to the logical time of link failure.
• The route erasure function floods a clear (CLR) packet throughout the network to erase invalid routes.
Temporally Ordered Routing Algorithm (TORA)
[Figure: network of nodes a to g between source and destination, each node labelled with its height metric]
The link between nodes d and f fails.
[Figure: the same network shown in Step 1, Step 2 and Step 3 after the failure]
Routing Protocols for Sensor Networks
Categorization of Routing Protocols for Wireless Sensor Networks (K. Akkaya, M. Younis, “A Survey on Routing Protocols for Wireless Sensor Networks,” Elsevier AdHoc Networks):
• Data centric protocols: Flooding, Gossiping, SPIN, SAR, Directed Diffusion, Energy Aware Routing, Rumor Routing, TEEN, APTEEN, CADR
• Hierarchical: LEACH, PEGASIS, Self organizing protocol
• Location based: MECN, SMECN, GAF
Flooding and Gossiping
• Flooding: Broadcast data to all neighbor nodes.
• Gossiping: Sends data to one randomly selected neighbor.
Although these techniques are simple and reactive, they have some disadvantages including the following:
- Implosion,
- Data Overlap,
- Resource blindness.
Implosion, Data Overlap, Resource Blindness
• Implosion [Figure: nodes s, a, b, d]
• Data Overlap [Figure: nodes a, b, d and regions t1, t2]
• Resource Blindness: They are not resource aware protocols.
Sensor Protocols for Information via Negotiation (SPIN)
• Uses three types of messages: ADV, REQ, and DATA.
• When a sensor node has something new, it broadcasts an advertisement (ADV) packet that describes the new data by using meta data.
• Interested nodes send a request (REQ) packet.
• Data is sent in DATA packets to the nodes that request it.
W.R. Heinzelman, et al., “Adaptive Protocols for Information Dissemination in Wireless Sensor Networks”, MobiCom’99.
Sensor Protocols for Information via Negotiation (SPIN)
[Figure: nodes s, a, b, c, d shown in three steps: ADV, REQ, DATA]
Sequential Assignment Routing (SAR)
• The SAR algorithm creates multiple trees that are rooted at the one hop neighbors of the sink.
• Each tree grows outward from the sink by avoiding nodes with very low QoS and energy reserves.
• At the end of this procedure, most nodes belong to multiple trees.
K. Sohrabi, et al., “Protocols for Self Organization of a Wireless Sensor Network”, IEEE Personal Communications Mag., pp. 16-27, October 2000.
Directed Diffusion
• The sink sends out task descriptors (interest).
• Task descriptors are named by assigning attribute-value pairs that describe the task.
• If a sensor node has data for that interest, the data is routed along the reverse path of interest propagation.
• The interest and data propagation and aggregation are determined locally.
C. Intanagonwiwat, et al., “Directed Diffusion: A Scalable and Robust Communication Paradigm for Sensor Networks”, MobiCom’00.
Directed Diffusion
[Figure sequence between Source and Sink: Interest Propagation, Gradient Setup, Data Delivery]
Low Energy Adaptive Clustering Hierarchy (LEACH)
• In LEACH, the nodes organize themselves into clusters.
• Sensors may elect themselves to be a local cluster head at any time with a certain probability.
• Each node accesses the network through the cluster head that requires minimum energy to reach.
W. R. Heinzelman, A. Chandrakasan, and H. Balakrishnan, “Energy-Efficient Communication Protocol for Wireless Microsensor Networks,” IEEE Proceedings of the Hawaii International Conference on System Sciences, pp. 1-10, January, 2000.
Minimum Energy Communication Network (MECN)
• Uses graph theory,
• Each node knows its exact location,
• Network is represented by a graph G’, and it is assumed that the resulting graph is connected.
(L. Li and J.Y. Halpern, “Minimum-Energy Mobile Wireless Networks Revisited”, ICC’01.)
Minimum Energy Communication Network (MECN)
• A sub-graph G of G’ is computed. G connects all nodes with minimum energy cost.
[Figure: connection A and connection B between nodes]
Connection A requires less energy than connection B because the power required to transmit between a pair of nodes increases as the nth power of the distance between them (n>=2).
Power Controlled and Power Aware Routing in Sensor & Actuator Networks
E. Cayirci, T. Coplu, O. Emiroglu, “Power Aware Many-to-many Routing in Wireless Sensor and Actuator Networks”, EWSN’05.
• Actuators register for the sensed data by disseminating a registration message.
• Every node maintains a registration table according to the registration messages.
• Every node derives a routing table from the registration table.
• Incoming sensed data packets are forwarded according to the routing table.
[Figure: sensor nodes a, b, c, d and actuators A, B, C]
Power Controlled and Power Aware Routing in Sensor & Actuator Networks
Registration Table
Actuator Id  Uplink Node Id  Echelon  minPA  totalPA  totalPU  Task
A            a               2        5      5        2        t1
A            d               2        4      4        3        t1
B            b               2        7      7        2        t1,t2
C            b               3        3      10       5        t1,t3
Routing Table
Task  Uplink Node Id
t1    a
t1    b
t2    b
t3    b
Route Selection Function: fi = (1) + (2) + (3) + (4)
n
kk
n
kik
e
ee
1
1
Other Routing Protocols
• Energy Aware Routing: R. Shah, J. Rabaey, “Energy Aware Routing for Low Energy Ad Hoc Sensor Networks,” IEEE WCNC’02, Orlando, March 2002.
• Rumor Routing: D. Braginsky, D. Estrin, “Rumor Routing Algorithm for Sensor Networks,” ACM WSNA’02, Atlanta, October 2002.
• Threshold sensitive Energy Efficient sensor Network (TEEN): A. Manjeshwar, D.P. Agrawal, “TEEN: A Protocol for Enhanced Efficiency in Wireless Sensor Networks,” IEEE WCNC’02, Orlando, March 2002.
• Constrained Anisotropic Diffusion Routing (CADR): M. Chu, H. Hausecker, F. Zhao, “Scalable Information-Driven Sensor Querying and Routing for Ad Hoc Heterogeneous Sensor Networks,” International Journal of High Performance Computing Applications, Vol. 16, No. 3, August 2002.
• Power Efficient Gathering in Sensor Information Systems (PEGASIS): S. Lindsey, C.S. Raghavendra, “PEGASIS: Power Efficient Gathering in Sensor Information Systems,” IEEE Aerospace Conference, Montana, March 2002.
• Self Organizing Protocol: L. Subramanian, R.H. Katz, “An Architecture for Building Self Configurable Systems,” IEEE/ACM Workshop on Mobile Ad Hoc Networking and Computing, Boston, August 2000.
• Geographic Adaptive Fidelity (GAF): Y. Yu, J. Heideman, D. Estrin, “Geography-informed energy conservation for ad hoc routing,” MobiCom’01, Rome, July 2001.
3D Routing
• Underwater acoustic
• Geographic routing protocol
• Cross layer (MAC + Network)
• Latency is an important QoS metric
• Techniques that monitor layers and avoid them
Transport layer for wireless networks
Reliability Flow and Congestion Control
End-to-end Reliable Event Transfer
[Figure: Sink and sensor nodes a, b, c, d around an event region; sensor coverage and sensor range r are marked]
• Source to sink reliability.
• Sink to source reliability.
Reliable Multi-Segment Transport (RMST)
• RMST is a transport layer protocol for directed diffusion.
• RMST provides end-to-end data-packet transfer reliability.
• RMST is a selective NACK-based protocol that can be configured for in-network caching and repair.
• There are two modes for RMST: caching mode and non-caching mode.
• In caching mode, a number of nodes along a reinforced path (the path used by directed diffusion to convey the data to the sink) are assigned as RMST nodes.
F. Stann, J. Wagner, “RMST: Reliable Data Transport in Sensor Networks,” SNPA 2003.
Reliable Multi-Segment Transport (RMST)
• Each RMST node caches the fragments identified by FragNo of a flow identified by RmstNo.
• When a fragment is not received before the watchdog timer for the flow expires, a negative acknowledgement is sent backward.
• The first RMST node that has the required fragment along the path retransmits the fragment.
• In non-caching mode, the sink is the only RMST node.
• RMST relies on the directed diffusion scheme for recovery from failed reinforced paths.
[Figure: path from Source Node through an RMST Node to the Sink]
Pump Slowly Fetch Quickly (PSFQ)
• Three functions: pump, fetch, and report operations.
• Every intermediate node maintains a data cache.
• A node that receives a packet checks its content against its local cache, and discards any duplicates.
• If the received packet is new, the TTL field in the packet is decremented.
• If the TTL field is higher than 0 after being decremented, and there is no gap in the packet sequence numbers, the packet is relayed after being delayed a random period.
• A node goes to fetch mode once a sequence number gap is detected.
• The node in fetch mode requests a retransmission from neighboring nodes.
C-Y Wan, A.T. Campbell, L. Krishnamurty, “PSFQ: A Reliable Transport Protocol for Wireless Sensor Networks,” WSNA’02
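The per-packet decision an intermediate node makes under the rules listed on this slide, as an added example that is not part of the original slides or of the PSFQ authors' code. The class and method names, the delay bounds, the choice to relay held packets in order once a gap is filled, and the arrival sequence are assumptions constructed for illustration.

```python
import random

T_MIN, T_MAX = 0.01, 0.05   # assumed bounds (seconds) for the random relay delay

class PsfqNode:
    """Cache, duplicate check, TTL handling and gap detection for one flow.

    Sequence numbers are assumed to start at 1.
    """

    def __init__(self, seed=None):
        self.cache = {}      # seq -> payload: the node's data cache
        self.pending = {}    # seq -> remaining TTL, cached but not yet relayed
        self.rng = random.Random(seed)

    def gaps(self):
        """Sequence numbers missing below the highest one received so far."""
        if not self.cache:
            return []
        return [s for s in range(1, max(self.cache)) if s not in self.cache]

    def on_packet(self, seq, ttl, payload):
        """Return (action, detail) for a received data packet."""
        if seq in self.cache:
            return ("discard", [])            # duplicate of a cached packet
        self.cache[seq] = payload
        if ttl - 1 > 0:                        # TTL is decremented for new packets
            self.pending[seq] = ttl - 1
        missing = self.gaps()
        if missing:
            return ("fetch", missing)         # fetch mode: ask neighbours for these
        # No gap: relay everything held back, in order, each after a random delay.
        ready = [(s, self.pending.pop(s), self.rng.uniform(T_MIN, T_MAX))
                 for s in sorted(self.pending)]
        return ("relay", ready) if ready else ("cache_only", [])

def demo():
    """Constructed arrival sequence of (seq, ttl): duplicate, gap, repair, expired TTL."""
    node = PsfqNode(seed=1)
    arrivals = [(1, 3), (1, 3), (3, 3), (4, 3), (2, 3), (5, 1)]
    return [node.on_packet(seq, ttl, b"reading") for seq, ttl in arrivals]

if __name__ == "__main__":
    for action, detail in demo():
        print(action, detail)
```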
Event-to-Sink Reliable Transport (ESRT)
• ESRT is the first scheme that focuses on the end-to-end reliable event transfer.
• The end-to-end event transfer reliability is controlled based on the reporting frequencies of sensor nodes.
Y. Sankarasubramaniam, O.B. Akan, I.F. Akyildiz, “ESRT: Event-to-Sink Reliable Transport in Wireless Sensor Networks,” Mobihoc’03
[Figure: Sink and sensor nodes a, b, c, d]
Event-to-Sink Reliable Transport (ESRT)
Congestion Detection Mechanism:
• local buffer level monitoring
Mark Congestion Notification Field when
bk + b > B
where bk is buffer fullness at interval k, b is buffer length increment, B is buffer size.
[Figure: buffer levels bk-1 and bk with increment b]
End-to-end Acknowledgements for Events
N. Tezcan, E. Cayirci, U. Caglayan, “End-to-end reliable event transfer in wireless sensor networks,” PIMRC 2004.
[Figure: temperature versus time (samples 1 to 14) with a threshold marked]
Selective Acknowledgements
• Both ends know the threshold.
• When the receiver finds out that the difference between the value in a new sensed data packet and in the previous packet is higher than the threshold, this indicates a critical data packet, and it acknowledges the receipt of the critical packet.
• If the sender does not receive an acknowledgement for a critical packet during the timeout period, it retransmits the critical packet.
Timeout Period
• Two parameters: tmax, tavg
• A critical packet is retransmitted tmax after its transmission if it is not acknowledged.
• If (numberOfEventsintheList>listSize-n)
    for(allEventsintheList)
      if(eventTimetmax || eventTimetavg) retransmit(event);
• tavg = tavg + (1 - ) tack
Enforced Acknowledgement
• The source node marks the critical packet.
• The receiver acknowledges the marked packet.
• If the sender does not receive an acknowledgement for the critical packet during the timeout period, it retransmits the critical packet.
Blanket Acknowledgement
Blanket Acknowledgement is used in SENDROM.
A. Erdogan, E. Cayirci, V. Coskun, “Sectoral Sweepers for Sensor Node Management and Location Estimation in AdHoc Sensor Networks,” MILCOM 2003.
E. Cayirci, T. Coplu, “Sensor Networks for Disaster Relief Operations Management,” MedHocNet 2004.
[Figure: node S and a TASK REGION between Rmin and Rmax (Depth); ENGAGE and RESPONSE messages; border for ROUTING nodes; responses travel via the ROUTING nodes]
ENGAGE : { Task_id, Rmin, Rmax, Task_descriptions }
RESPONSE : { Task_id, Node_id, Data }
Localization and Positioning
Localization
[Figure: classification tree of localization with branches GPS Based (Direct) and Indirect; entries shown: Global Positioning System (GPS), Manual Configuration, Absolute, Range-free]
Localization in Sensor Networks
Localization can be done:
• Centralized,
• Locally centralized,
• Distributed.
Localization in Sensor Networks
GPS-less techniques typically use one of the following techniques for location estimation:
• Received signal strength (RSS),
• Time of arrival (TOA),
• Time difference of arrival (TDOA),
• Angle of arrival (AOA).
Triangulation or Trilateration
[Figure: a sensor and three beacons at (x1, y1), (x2, y2), (x3, y3); one panel marks angles 1, 2, 3, the other marks distances d1, d2, d3]
Three or more beacon locations and their directions relative to the node location are known.
Three or more beacon locations and their distances to the node location are known.
$(x - x_1)^2 + (y - y_1)^2 = d_1^2$
$(x - x_2)^2 + (y - y_2)^2 = d_2^2$
$(x - x_3)^2 + (y - y_3)^2 = d_3^2$
Received signal strength
The following information is used to estimate the distance to a transmitter:
• Received power,
• Transmitted power,
• Path loss model.
RSSI method may be unreliable and inaccurate due to:
• Multi-path effects,
• Shadowing, scattering, and other impairments,
• Non line of sight conditions.
Time of arrival
The following information is used to estimate the distance to a transmitter:
• Reception time,
• Transmission time,
• Propagation speed.
Time of arrival method may also be unreliable and inaccurate due to multi-path effects and non line of sight conditions.
The beacon and the node need to be synchronized.
The propagation speed of RF signals is too high for beacon based localization in sensor networks. Therefore signals with lower propagation speed such as ultrasound should be used.
Time difference of arrival
The following information is used to estimate the distance to a transmitter:
• Arrival time of an RF signal,
• Arrival time of an ultrasound signal,
• Propagation speed of these signals.
The difference between the propagation delays of RF and ultrasound signals gives the distance.
Time difference of arrival method may also be unreliable and inaccurate due to multi-path effects and non line of sight conditions.
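Ranging by time difference of arrival followed by trilateration over the beacon equations, as an added example that is not part of the original slides. The function names, the speed of sound, the beacon layout and the arrival times are assumptions constructed here; the residual check shows how a range inflated by multi-path or non line of sight conditions can be noticed when more than three beacons are heard.

```python
import math

V_RF = 299_792_458.0   # propagation speed of the RF signal, m/s
V_US = 343.0           # assumed speed of ultrasound in air at about 20 °C, m/s

def tdoa_distance(t_rf, t_us):
    """Distance to a beacon that emits an RF and an ultrasound pulse together,
    from the two arrival times in seconds on the node's own clock."""
    return (t_us - t_rf) * V_RF * V_US / (V_RF - V_US)

def trilaterate(beacons, dists):
    """Least-squares (x, y) from three or more beacon positions and distances.

    Subtracting the first circle equation from each of the others removes the
    x^2 and y^2 terms and leaves linear equations a*x + b*y = c, which are
    solved through the 2x2 normal equations.
    """
    if len(beacons) < 3 or len(beacons) != len(dists):
        raise ValueError("need at least three beacons, one distance each")
    (x1, y1), d1 = beacons[0], dists[0]
    saa = sab = sbb = sac = sbc = 0.0
    for (xi, yi), di in zip(beacons[1:], dists[1:]):
        a, b = 2 * (xi - x1), 2 * (yi - y1)
        c = d1**2 - di**2 + xi**2 - x1**2 + yi**2 - y1**2
        saa += a * a
        sab += a * b
        sbb += b * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("beacons are collinear: the solution is not unique")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)

def max_residual(beacons, dists, pos):
    """Largest disagreement (metres) between a measured range and the estimate."""
    return max(abs(math.hypot(pos[0] - bx, pos[1] - by) - d)
               for (bx, by), d in zip(beacons, dists))

if __name__ == "__main__":
    beacons = [(0, 0), (10, 0), (0, 10), (10, 10)]   # constructed layout, metres
    node = (3, 4)                                     # true position, used only to build samples
    arrivals = [(math.dist(node, b) / V_RF, math.dist(node, b) / V_US) for b in beacons]
    dists = [tdoa_distance(t_rf, t_us) for t_rf, t_us in arrivals]
    pos = trilaterate(beacons, dists)
    print("estimate:", pos, "max residual:", max_residual(beacons, dists, pos))
    # One ultrasound path lengthened by 3 m, as a reflection would do.
    biased = dists[:3] + [dists[3] + 3.0]
    pos = trilaterate(beacons, biased)
    print("estimate:", pos, "max residual:", max_residual(beacons, biased, pos))
```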
Angle of arrival
Special antenna configurations are used to estimate the angle of arrival of the received signal.
Angle of arrival method may also be unreliable and inaccurate due to:
• Multi-path effects,
• Shadowing, scattering, and other impairments,
• Non line of sight conditions.
Collaborative Multilateration
[Figure: beacons and sensors; one-hop multilateration and two-hop collaborative multilateration]
Use at least n equations to estimate n variables. The solution uniqueness is required.
Using Previous Measurements from Fixed Locations
[Figure: beacon, sensor and receiver; the location for the previous reading is marked]
Lighthouse
[Figure: lighthouse and target]
Range Free Techniques
[Figure: a. Sectoral sweepers. b. Centroid, with reference points (x1, y1), (x2, y2), (x3, y3), (x4, y4)]
Range Free Techniques
[Figure labels: rubble; 20 – 25 meters; 20 – 25 meters; directional antenna; 2–3 m location of a detected person; coverage area of a transmitted task]
Cayirci, E., Coplu T., “SENDROM: Sensor Networks for Disaster Relief Operations Management,” ACM/Kluwer Wireless Networks (to appear).
Time Synchronization
Time Synchronization
Nodes need to maintain the same time frame for:
• time synchronization for communications protocols
• data fusion
  • associating the sensed data,
  • aggregating the sensed data,
  • target tracking,
  • finding out the direction and speed of a target.
Factors Influencing Time Synchronization
• Temperature: Temperature variations during the day may cause the clock to speed up or slow down (a few microseconds per day).
• Phase noise: Access fluctuation at the hardware interface, response variation of the operating system to interrupts, jitter in delay, etc.
• Frequency noise: The frequency spectrum of a crystal has large sidebands on adjacent frequencies.
• Asymmetric delay: The delay of a path may be different for each direction.
• Clock glitches: Hardware or software anomalies may cause sudden jumps in time.
Time Synchronization
Offset (ο): Nodes may be started at different times. Therefore, Node A may have a clock CA different from the clock CB that Node B has when the network starts at time t0.
Skew (s): Factors like frequency noise and hardware may make the crystals of nodes run at different frequencies. This causes clock skew, which may be ±30-40 parts per million (ppm) for sensor node hardware. Skew may make the times of two nodes get closer or further apart, depending on the offset. The skew related change per unit time t is constant.
Drift (d): Factors like temperature, phase noise, asymmetric delay and clock glitches may change the offset between two nodes over time. Since these factors vary over time, the change in clock per unit time, called drift, is not a fixed value.
Time Synchronization
Synchronization
• Accuracy: Exact, Loose
• Distribution: Centralized, Clustered, Distributed
• Procedure: Pair-wise (Sender/Receiver), Broadcast (Receiver/Receiver)
Data Querying
Data Querying in Sensor Networks
• Continuous (persistent) queries or one time (snap shot) queries,
• Historical or real-time queries,
• Aggregate or simple queries,
• Complex or simple queries,
• Spatial or temporal queries.
DADMA: Data Aggregation and Dilution by Modulus Addressing
Select [ task, time, location, [distinct | all], amplitude, [[avg | min | max | count | sum ] (amplitude)]]
from [any , every , aggregate m , dilute m]
where [ power available [<|>] PA | location [in | not in] RECT | tmin < time < tmax | task = t | amplitude [<|==|>] a ]
group by task based on [time limit = lt | packet limit = lp | resolution = r | region = xy]
[Figure: Virtual Local Sensor Node Table, Sensor Network Database View and External Sensor Network Database Table, with column sets (Task, Amplitude, Location, Time), (Task, Amplitude, Location) and (Task, Amplitude)]
E. Cayirci, “Data Aggregation and Dilution by Modulus Addressing in WSNs,” IEEE Communications Letters, August, 2003.
Sensor Query and Tasking Language (SQTL)
• SQTL is a procedural scripting language.
• It provides interfaces to access sensor hardware:
- getTemperature, turnOn
for location awareness:
- isNeighbor, getPosition
and for communication:
- tell, execute.
(C-C Shen, et al., “Sensor Information Networking Architecture and Applications”, IEEE Personal Communications Magazine, pp. 52-59, August 2001.)
Sensor Query and Tasking Language (SQTL)
By using the upon construct, a programmer can create an event handling block for three kinds of event:
- Events generated when a message is received by a sensor node,
- Events triggered periodically,
- Events caused by the expiration of a timer.
• These types of events are defined by SQTL keywords receive, every and expire, respectively.
Task Sets
E. Cayirci, C. Cimen, V. Coskun, “Querying Sensor Networks By Using Dynamic Task Sets,” Computer Networks (Elsevier), 2006.
Status table
Quadtree Address  Sensor Type  Power Available  Task Set
00                1            0.95             2
00                1            0.98             1
00                1            0.93             2
00                1            0.96             2
[Figure: quadtree cells 00, 01, 11, 10; sensor nodes in cell 00 grouped into Task Set 1 and Task Set 2; an event]
ACQUIRE
[Figure legend: query node, active node, sensor node, active query, sensed data, complete data]
N. Sadagopan, B. Krishnamachari, A. Helmy, “The Acquire Mechanism for Efficient Querying in Sensor Networks,” Elsevier Ad Hoc and Sensor Networks, 2004.
Mobility-Assisted Resolution of Queries in Large-Scale Mobile Sensor Networks
[Figure: selector node S with zones of radius R and three contacts. Legend: S, Selector Node; R, zone radius (in hops)]
A. Helmy, “Mobility-Assisted Resolution of Queries in Large-Scale Mobile Sensor Networks” Special Issue Computer Networks (Elsevier) on Wireless Sensor Networks, 2003.
Coverage
Factors for Node Coverage
- Node deployment scheme
- Sensing and communications range
- Energy efficiency and connectivity requirements
- Algorithm paradigm, i.e., centralized or distributed
Coverage Problem
In area coverage the objective is to cover an area. For the sensing coverage problem this means ensuring that every point in a given area can be observed, and for the communications coverage problem that a node at any point in the area can access the network.
In point coverage the objective is to ensure that a given set of points is covered by the network.
In barrier coverage the objective is to ensure that there is no hidden path through the network, i.e., an intruder cannot go through the network without crossing the coverage area of at least one node.
Approaches for Coverage Problem
- The nodes are assumed to be deployed randomly according to a distribution, and the minimum number of nodes that satisfies a given probability of coverage is determined.
- It is assumed that the nodes can be deployed at certain locations, and the location for each node is determined such that the maximum coverage for the given number of nodes can be achieved.
Security in Wireless Communications
Security Challenges Specific to Wireless Networks
• Easier to tap
• Limited resources and stringent constraints
• Self forming, self organization and self healing algorithms
• Hidden and exposed terminal
• Jamming and the other denial of service attacks
Information Security
• Computer Security
  - Hardware Security
  - Software Security
• Communications Security
  - Transmission Security
  - Emanation Security
Copyright © Erdal Cayirci , 2010196/326
Security Attacks
Security attacks can be classified into two broad classes:
• Passive: no emission to conduct the attack
• Active: emit, interfere or tamper
Passive Attacks
- Eavesdropping: tap the communication lines
  - wireless links are easier to tap
  - signals are sent to shorter distances in wireless ad hoc networks
  - challenges when multiple networks with different classification
  - privacy challenges
  - collection vs analysis
- Traffic analysis: traffic patterns and rates
  - friendship trees
Traffic Analysis
- Traffic analysis at the physical layer: In this attack only the carrier is sensed and the traffic rates are analyzed for the nodes at a location.
- Traffic analysis in MAC and higher layers: MAC frames and data packets can be de-multiplexed and the headers can be analyzed. This can reveal the routing information, topology of the network and friendship trees.
- Traffic analysis by event correlation: Events like a detection in sensor network or transmission by an end user can be correlated with the traffic and more detailed information, e.g., routes, etc., can be derived.
- Active traffic analysis: For example, certain number of nodes can be destroyed, which stimulates the self organization in the network, and valuable data about the topology can be gathered.
Active Attacks
- Physical
  - Destruction
  - EMP
  - Tampering
- Masquerade, Replay, Message Modification
  - Integrity
  - Unauthorized Access
  - Confidentiality
  - Privacy
- Denial of Service
  - Physical Layer
  - MAC Layer
  - Network Layer
  - Transport Layer
  - Application Layer
- Misbehaving
  - Selfishness
  - Attacks against charging scheme
Tampering
- Invasive (unlimited access)
- Traffic Analysis (analyze the behaviour)
Example attacks:
- micro probing
- laser cutting
- focused ion-beam manipulation
- glitch attacks
- power analysis
Masquerade, Modify, Replay
A masquerading node acts as if it is another node.
Messages can be captured and replayed by the masquerading nodes.
The content of the captured messages can be modified before being replayed.
Masquerade, Modify, Replay
Attacks can be organized against
- Node localization
- Time synchronization
- Data aggregation and fusion
- Data correlation and association
- Event and event boundary detection
- Node management
Masquerade, Modify, Replay
- Sybil attack: introduce multiple identities
- Unauthorized access
- Phishing: Password fishing
- Preserve anonymity of the attacker
Denial of Service Attack
Any event that diminishes a network's capacity to perform its expected function correctly or in a timely manner
A DOS attack is characterized by:
- Malicious: It is carried out to prevent the network from fulfilling its intended functions. It is not accidental. Otherwise it is not in the domain of security but of reliability and fault tolerance.
- Disruptive: It degrades the quality of the services provided by the network.
- Asymmetric: The attacker puts in much less effort compared to the impact made on the network.
Denial of Service Attack
- In physical layer (jamming): either continuous or temporary and random
- In MAC layer:
  - Whenever an RTS signal is received, a signal that collides with the CTS signal is transmitted.
  - If the MAC scheme is based on the sleep and active periods, jamming only the active periods can continuously block the channel.
  - False RTS or CTS signals with long data transmission parameters are continuously sent out.
  - Acknowledgement spoofing, where an adversary sends false link layer acknowledgements.
DOS Against Routing
- Spoofed, altered, or replayed routing information
- Hello flood
- Wormhole
- Detour
[Figure: Hello Flood and Wormhole, with nodes a, b, c, d, e, f, m, w1 and w2]
DOS Against Routing
- Sinkhole: attractive malicious node
- Blackhole: malicious node drops every packet
- Selective forwarding: malicious node does not forward every packet
- Routing loop attack: Detour or sinkhole attacks to create routing loops
- Sybil attack: A single node presents multiple identities
- Rushing attack: An attacker disseminates route request and reply messages quickly throughout the network.
- Attacks that exploit node penalizing schemes
- Attacks to deplete network resources
DOS Against Transport Layer
- Transport layer acknowledgement spoofing
- Replaying acknowledgement
- Jamming acknowledgements
- Changing sequence number
- Connection request spoofing
Misbehaving
- Selfishness
- Attacks against payment schemes
  - Refusal to pay
  - Dishonest rewards
  - Free riding
[Figure: source, destination, infrastructure and routing nodes]
Attackers
- Motivation: Confidentiality, Integrity, Privacy, Unauthorized Access, DoS, Selfishness, Charging, Rewarding
- Emission: Active, Passive
- Location: Insider, Outsider
- Quantity: Single, Multiple, Coordinating Multiple
- Rationality: Naive, Irrational, Rational
- Mobility: Fixed, Mobile
Security Goals
• Authentication
• Access control
• Confidentiality to protect content
• Confidentiality to prevent traffic analysis
• Privacy
• Integrity
• Authorization
• Anonymity
• Non-repudiation
• Freshness
• Availability
• Resilience against attacks
Challenges and Solutions: Basic Issues
Security challenges and solutions in wireless networks
• Bootstrapping security in Ad Hoc networks
• Bootstrapping security in sensor networks
• Key distribution, exchange and management
• Authentication issues
• Integrity
Bootstrapping security in Ad Hoc networks
• Build a security infrastructure between the nodes during the bootstrapping phase
• New nodes that join the network can form a secure association with the nodes already in the network
• The trust infrastructure can be set up without knowledge of the network topology
• The credential verification scheme should be strong enough to resist DoS attacks and at the same time should not need large computational ability and memory
Building security infrastructure in Ad Hoc networks
• Prior context can be used
• Trusted third party can be used to facilitate the establishment
• More natural to self-organize the trust infrastructure
Bootstrapping security in sensor networks
• Resilience against node capture
• Resistance against node replication
• Revocation
• Scalability
Key distribution, exchange and management
• Desirable features of ad hoc network key management scheme:
  • Applicability
  • Security
  • Robustness
  • Scalability
  • Simplicity
Key distribution, exchange and management
• Standards
  • None MANET internet drafts and RFCs has thus part
  • IEEE 802.11i assumes keys are preshared or established with the aid of fixed infrastructure
  • ZigBee, IEEE 802.15.4, Bluetooth are infrastructure-based networks and do not apply to MANETs
Key distribution, exchange and management
• Classification of key management schemes
Key management schemes
- Contributory schemes (key agreement): D-H, ING, B-D, H&O, CLIQ
- Distributive schemes (key distribution)
  - Public key schemes
    - Certificate based: Z-H, MOCA, SEKM, UBIQ, AKM, PGP-A, COMP, MOB-a/MoB-so
    - Identity based: IBC-K
  - Symmetric schemes
    - MANET schemes: PSGK, SKIMPy, S-HEAL, LKH, GKMPAN
    - WSN schemes: PRE, SPINS, PEBL, INF, LEAP
Contributory key management schemes
• D-H
• ING
• B-D
• H&O
• A-G
• CLIQ
Distributive key management schemes
• Public key schemes:
  • Certificate based
    - Z-H
    - MOCA
    - SEKM
    - UBIQ
    - AKM
    - PGP-A
    - COMP
    - MoB-a/MoB-so
  • Identity based
    - IBC-K
• Symmetric key schemes
Partially distributed Threshold CA Scheme (Z-H)
• Provide an available, intrusion tolerant, and robust CA functionality for ad hoc networks
• Private CA key distributed over a set of server nodes
• Using share refreshing to counter mobile adversaries
• synchronization needed
MOCA
• An extension to Z-H
• Nodes that exhibit best physical security and computational resources serve as MOCAs
• Moves the combiner function of Z-H from CA servers to requesting end-nodes
• MOCA certification protocol
SEKM
• Servers of MOCA form a multicast group
• Efficient updating of secret shares and certificates
UBIQ
• Fully distributed threshold CA scheme
• All nodes get a share of the private CA key
• Certification service is delivered within 1-hop neighborhoods
• Bandwidth efficient and good for the scalability
• Possible requirement of human involvement
AKM
Autonomous key management (AKM)
[Figure: AKM share hierarchy in three stages. Initialization: shares f(N1), f(N2), f(N3) with S1, S2, S3 and (k,n) = (3,3). New node added: shares f(N1) to f(N6) with (k,n) = (3,6). Split: shares g(N1), g(N2), g(N3) and h(N4), h(N5), h(N6), each group with (k,n) = (3,3).]
S=S1+S2+S3 f()=S+a1+a2
S’=f(N1)+f(N2)+f(N3) g()=S”+b1+b2
S”=f(N4)+f(N5)+f(N6) g()=S”+c1+c2
PGP-A
• CA functionality completely distributed, all nodes have equal roles
• Assumes trust is transitive
• Certificates exchanged periodically
• Renewals require contact with the issuer
COMP
• Combines MOCA’s partially distributed threshold CA with PGP-A certificate-chaining
• Each certificate includes a confidence value reflecting the level of confidence
• Higher security than obtainable with PGP-A
• Increased availability of CA service compared to MOCA
MOB
• Seeks to mimic human behavior
• Can be fully self-organizing (MOB-so) or rely on an off-line authority (MOB-a)
• Bandwidth efficient with limited scalability
• Long delay to establish security associations with all communication partners
IBC-K

1 SETUP (PKG)
PKG chooses two large primes as private master key, and publishes the chosen and calculated public system parameters as shown.
Private master key: p, q (two large primes)
Public system params:
- n = p·q (factorization is kept secret)
- e = large prime, gcd(e, φ(n)) = 1
- f = hash function

2 EXTRACTION (user and PKG, over a secure channel)
The user presents its identity, i, to PKG. PKG returns the corresponding private key: g.
The identity is related to g in the following way:
g^e = i (mod n)

3 SIGNING (Alice sends (i, m, t, s) to Bob)
The signature (s,t) of the message m is calculated as follows:
t = r^e, s = g·r^f(t,m) (mod n)
i: user id, m: message, s,t: signature, r: random

4 VERIFICATION
The signature (s,t) of the message m is verified by checking:
s^e = i·t^f(t,m) (mod n)

The security of Shamir’s IBS scheme relies on the difficulty of deciding g given g^e mod n when the factorization of n is unknown.
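The four steps above, run end to end, as an added example (not code from the slides or from Shamir's paper). Assumptions: SHA-256 stands in for the hash function f, the identity i is the SHA-256 of an identity string reduced mod n, and the PKG master key is a constructed toy pair of Mersenne primes that is far too small for real use.

```python
import hashlib
import secrets
from math import gcd

# 1 SETUP (PKG). Constructed toy master key, for illustration only.
P = 2**31 - 1                # secret prime p
Q = 2**61 - 1                # secret prime q
N = P * Q                    # public: n = p*q
E = 65537                    # public: prime e with gcd(e, phi(n)) = 1
PHI = (P - 1) * (Q - 1)      # secret: phi(n)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)          # secret: e^-1 mod phi(n), known only to the PKG


def identity_to_int(identity):
    """Assumed encoding of the identity i: SHA-256 of the string, reduced mod n."""
    i = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % N
    if i < 2 or gcd(i, N) != 1:
        raise ValueError("identity does not map to a unit modulo n")
    return i


def f(t, m):
    """Public hash function f(t, m); SHA-256 is an assumption of this example."""
    width = (N.bit_length() + 7) // 8
    return int.from_bytes(hashlib.sha256(t.to_bytes(width, "big") + m).digest(), "big")


def extract(identity):
    """2 EXTRACTION (PKG side): return g such that g^e = i (mod n)."""
    return pow(identity_to_int(identity), D, N)


def sign(g, m, r=None):
    """3 SIGNING: t = r^e, s = g * r^f(t,m) (mod n)."""
    if r is None:
        r = secrets.randbelow(N - 2) + 2   # fresh random r for every signature
    t = pow(r, E, N)
    s = (g * pow(r, f(t, m), N)) % N
    return s, t


def verify(identity, m, s, t):
    """4 VERIFICATION: accept iff s^e = i * t^f(t,m) (mod n)."""
    # Range check first: without it (s, t) = (0, 0) satisfies the equation
    # for every identity and every message.
    if not (0 < s < N and 0 < t < N):
        return False
    i = identity_to_int(identity)
    return pow(s, E, N) == (i * pow(t, f(t, m), N)) % N


if __name__ == "__main__":
    g = extract("alice@example")               # constructed identity
    s, t = sign(g, b"route update 42")         # constructed message
    print("valid signature accepted:", verify("alice@example", b"route update 42", s, t))
    print("altered message accepted:", verify("alice@example", b"route update 43", s, t))
```

The verifier needs only the signer's identity and the public parameters n, e and f; no certificate lookup is involved, which is the property that makes the scheme attractive for ad hoc networks.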
Symmetric key schemes
• Public key schemes:
• MANET schemes
  - PSGK
  - SKIMPy
  - S-HEAL
  - LKH
  - GKMPAN
• Identity based
  - PRE
  - SPINS
  - PEBL
  - INF
  - LEAP
PSGK
• Key distribution centre pre-distributing a symmetric key to all members of the group
• Lacks intrusion tolerance in the sense that security succumbs to a single captured node
• Not designed specially for ad hoc networks
SKiMPy
• Designed for MANETs to protect network layer routing information or application layer user data
• Periodically updates the group key to counter cryptanalysis
• Bandwidth efficient
• Adds complexity compared to PSGK
S-HEAL
• Key distribution scheme with revocation, for networks with unreliable links
• Demands pre-shared secrets and group manager
• Self-healing
• Inapplicable for protection of routing information
LKH
[Figure: logical key hierarchy. Root key K12345678; below it K1234 (with K12 and K34) and K5678 (with K56 and K78); leaf keys K1 to K8 belong to nodes N1 to N8.]
GKMPAN
• Designed for secure multicast in ad hoc networks
• Assumes a pre-distributed group key plus a pre-distributed commitment
• Increases intrusion tolerance compared to PSGK
PRE
• Assumes WSN nodes outfitted with a pre-installed key ring
• A number of PRE schemes for WSNs have been proposed
• The idea of the key ring of PRE is intrusion tolerance
• Intrusion resistance comparable to PSGK
SPINS
• Assumes pre-installed individual (pairwise) keys between sensor nodes and base station
• Demands routing protocol and reliable access to the base station
• Includes a scheme for authenticated broadcast
PEBL
• Refers to large ad hoc networks with a large number of small-sized nodes
• An extension to PSGK
• Protection of application data
• Offers no protection against replay or intrusion attacks
• Bandwidth consuming, needs synchronization
INF
• Intended for WSNs
• Assumes static sensor nodes and mass deployment
• A key whispering approach is used
• Simple, self-organizing, and robust to Byzantine behavior and faulty nodes
• Bandwidth efficient, scales well
• Vulnerable to eavesdropping during key whispering
LEAP
• Designed for static WSNs
• Different keys for different purposes
• Pre-distributed individual keys are used for communication between sensor nodes and the base station
• Pre-shared group key is applied for protection of broadcast information from the base station
Authentication issues
• Authentication needed in wireless networks
• MAC (message authentication code) used to provide authentication
• Asymmetric mechanisms adopted for multi-party communication
Integrity
• Data integrity needed in wireless networks
• CRC and MAC can be used to provide data integrity
Challenges and Solutions: Protection
Privacy and anonymity
• There is a conflict between the need for public information and the demand for personal privacy in wireless networks
• Anonymity techniques are needed to provide privacy
• Information flooding is an efficient way to provide anonymity
• Policy-based access control decision and authentication can also help
Privacy and anonymity
• Anonymity approaches to provide privacy
• Decentralize sensitive data
• Using secure communication protocols, SPINS
• De-patterning data transmission
• Increasing sensor node mobility
Intrusion detection
• Intrusion detection is the first line of defense
• Intrusion detection techniques
• Abnormality detection
• Misuse detection
• Specification based detection
Intrusion detection
• Architectures for IDS in wireless ad hoc networks
• Stand-alone IDS
• Distributed and Cooperative IDS
• Hierarchical IDS
• Mobile Agent for IDS
• IDS for sensor networks
Defense against traffic analysis
• Rate monitoring attack
  • Method against rate monitoring attack
• Time correlation attack
  • Method against time correlation attack
Access control and secure human computer interaction
• Problems related with password mechanism
• Characteristics should be considered for password design
• Different methods for access control and strange password design
Software based anti-tamper techniques
• Software based anti-tamper techniques are efficient against software cracking attacks
  • Encryption wrappers
  • Code obfuscation
  • Software watermarking and fingerprinting
  • Guarding
Software based anti-tamper techniques
• Encryption wrappers
  • Software is encrypted and has to be decrypted before use
  • Only the code that will execute in the system should be decrypted
  • Decryption keys have to be protected
  • Adds overhead for decryption at run time
Software based anti-tamper techniques
• Code obfuscation
  • Code obfuscation can prevent reverse engineering attacks
  • Quality of obfuscating transformations: potency, resilience, cost
  • Different kinds of obfuscation transformations: layout transformation, data transformation, control transformation, preventive transformation
Software based anti-tamper techniques
• Software watermarking and fingerprinting
  • Software watermarking and fingerprinting can protect against illegal copying of digital items
  • Behavior of the watermarked program should be affected if the watermark is distorted or destroyed
  • Fingerprinting embeds a unique message in the software for traitor tracing
  • Static watermarking and dynamic watermarking
Software based anti-tamper techniques
• Guarding
  • Multiple (possibly simple) protection techniques provide robust protections
  • Guard is a piece of code responsible for performing certain security-related actions
  • Guards can provide multiple layers of defense
Hardware protection
• Physical attacks against wireless sensor networks
• Hardware protection against physical attacks
• Using tamper-resistant processors and lightweight hardware
• Advantages and disadvantages of hardware based protection
Availability and plausibility
• Network availability can be increased using security techniques
• Checking the plausibility is a useful method for defending against compromised nodes
Secure Routing
Secure Routing Approaches
- attack prevention
- attack detection and recovery from the attack
- resilience against security attacks
Defense Against Wormholes
Geographical Leashes: The source node S includes its location lS and the packet transmission time tS as the geographical leash into its packet PS sent to destination D.
S→D: lS, tS, PS
The clocks are synchronized to within ±Δ. The upper bound for the distance is db. The node localization error upper bound is δ. The upper bound for the velocity in transmitting signals is v. The node i that forwards the packet, which is at location li, and receives the packet at time ti can check the following condition:
db ≤ |li – lS| + 2v × (ti – tS + Δ) + δ
Defense Against Wormholes
Temporal Leashes: The transmission and reception times of the packets are used for detecting wormholes. When a node A sends or forwards a packet to another node B, it also includes the transmission time tA into the packet PA.
A→B: tA, PA
Node B checks the difference dAB between the transmission time tA and reception time tB of the packet.
If dAB is larger than a given threshold θ, it may indicate a wormhole attack.
Defense Against Wormholes
[Figure: wormhole example with nodes a, b, c, d, e, f, w1 and w2, and numbered labels 1 to 6]
Defense Against Sybil
Direct validation: A node directly verifies if the identity of a neighboring node is valid. For example, a node may assign each of its neighbors a separate channel to communicate, and ask them to transmit during a period. Then it checks these channels in a random order within that period. If a node is transmitting in its assigned channel, the node is a physical node.
Indirect validation: Another trusted node provides the verification for the identity of the node. For example, every node may share a unique key with the base station. When two nodes need to establish a link between them, they verify each other's identity through the base station by using these keys.
Random key: Random keys assigned to nodes also provide security against sybil attacks.
Defense Against Selective Forwarding
Acknowledgements: Every intermediate node that forwards a packet waits for an acknowledgement from the next hop. If the next hop node does not return the same number of acknowledgements as the number of the packets sent, the node generates an alarm about the next hop node. Compromised nodes can also generate acknowledgements for the packets that they dropped, which makes this scheme fail. Moreover, a malicious node can generate fake alarms to organize a DoS attack.
Multipath routing: This requires at least link disjoint paths, where two paths may share some nodes but not any link. Of course node disjoint paths, where two paths do not have any node in common, are better and reduce the risk of selective forwarding attack.
Secure Routing in Sensor Networks
- Secure broadcasting for the downstream traffic.
- Secure multicasting for the downstream traffic.
- Secure data aggregation when routing from multiple nodes to a base station.
- Secure data aggregation and multicasting when routing from multiple nodes to multiple base stations or actuators.
Routing that Enhances Security
- Random Walk
- Greedy Random Walk
- Flooding
  - Baseline flooding
  - Probabilistic flooding
  - Flooding with fake messages
  - Phantom flooding
Secure Routing Protocols
- Intrusion Tolerant Routing in Wireless Sensor Networks (INSENS)
- Authenticated Routing for Ad Hoc Networking (ARAN)
- On Demand Secure Ad Hoc Routing (ARIADNE)
- Watchdog Pathrater
- Secure Ad Hoc on Demand Distance Vector (SAODV)
- Secure Link State Routing Protocol (SLSP)
INSENS
- Fixed sensor networks
- Multipath link state routing
- Base station computes and broadcasts the routes
INSENS
- Route Discovery Phase
  - Base station floods a route request message
  - Use TESLA for authentication
  - Every node appends its id and a MAC by using a secret key before forwarding the route request
  - Every node returns a route reply message to the base station after waiting t
  - Base station verifies MAC, computes the routes, and sends them to nodes
- Data Forwarding Phase
  - Forwarding table entry: <destination, source, immediate sender>
  - Example: Route S to D: S → a → b → c → D
    - The forwarding table of a: <D, S, S>
    - The forwarding table of b: <D, S, a>
    - The forwarding table of c: <D, S, b>
ARAN
Dynamic source routing for ad hoc networks
When a node A accesses the network first time or needs a certificate for route discovery, it requests the certificate from the trusted server T. The server T first authenticates the node A and sends a certificate to it:
T → A: certificateA
certificateA = {IPA, KA+, t, e}KT-
where
- IPA is the IP address of Node A,
- KA+ is the public key of A,
- t is the time the certificate is created,
- e is the time that the certificate expires,
- KT- is the private key of T.
ARAN
A node S that has a valid certificate can start a route discovery for another node D by broadcasting a route discovery packet (RDP):
S → broadcast: {RDP, IPD, certificateS, NS, t}KS-
where NS is a nonce, which is the sequence number, i.e., the source node S monotonically increases the nonce each time it performs a route discovery, to ensure the freshness of the reply message expected from the destination D.
ARAN
When a node receives an RDP message, it first decrypts the message, and then records the neighbor that sends the message as the next hop node for the source node of the message. If the node receives a reply message for this RDP, it just forwards the reply to the neighbor in this record. Finally, it encrypts the message by using its private key, appends its certificate and broadcasts the message.
B → broadcast: {{RDP, IPD, certificateS, NS, t}KS-}KB-, certificateB
ARAN
When destination node D receives the route discovery message from the last node in the route, i.e., let it be C for our example, it first verifies the source’s signature, and then prepares a reply (REP) message and unicasts it to C:
D → C: {REP, IPS, certificateD, NS, t}KD-
ARIADNE
ARIADNE route discovery process starts with a ‘route request’ that has the following fields:
- Route request
- Source node
- Destination node
- Route request Id
- Time interval
- Hash chain: The hash value created by all the nodes in the route
- Node list: The list of nodes in the route
- MAC list: The list of the MAC values calculated by every node in the route
Hash chain is computed first by the source node S as follows:
h0 = MAC(KSD, REQUEST | S | D | id | ti)
After computing h0, source node initializes node list and MAC list fields as empty lists and broadcasts the ‘route request’ message.
S → broadcast: {REQUEST, S, D, id, ti, h0, (), ()}
ARIADNE
Every node that receives a route request first checks the <source, id> fields in its buffer. If this request has already been received, the new request is dropped. The node also checks the time interval. If it is too far in the future or the key associated with it is already disclosed, the packet is discarded. Otherwise the receiving node modifies the hash chain hi. Assume that A is a node one hop from the source node S. It computes h1 as follows:
h1 = H(A, h0)
It also calculates its MAC value by using the next key KAti in the TESLA key chain, adds its address and the MAC value into the ‘route request’ message and broadcasts it:
A → broadcast: {REQUEST, S, D, id, ti, h1, (A), (MA)}
ARIADNE
When the destination node receives the ‘route request’, it checks the validity of the request by determining that the keys of the time interval are not disclosed yet, and the final hash chain is equal to
H(an, H(an-1, H(…, H(a1, MAC(KSD, REQUEST | S | D | id | ti))…)))
where an is the address of the node at position n and there are n nodes in the node list. If both of these conditions hold, it indicates that the request is valid. Then the destination node D computes the destination MAC MD, prepares a ‘route reply’ message and returns it along the source route that can be obtained by reversing the sequence of hops in the node list of the ‘route request’ message.
D → C: {REPLY, D, S, ti, (A, B, C), (MA, MB, MC), MD, ()}
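The per-hop hash chain and the destination's check, as an added example (not code from the slides or from the ARIADNE authors). Assumptions: HMAC-SHA256 for MAC, SHA-256 for H, a length-prefixed field encoding, the field coverage of the per-hop MAC, and ti modelled as an interval index whose keys count as disclosed once that interval is reached. All keys and addresses are constructed.

```python
import hashlib
import hmac


def encode(*fields):
    """Length-prefixed encoding so that field boundaries are unambiguous."""
    out = b""
    for field in fields:
        raw = field if isinstance(field, bytes) else str(field).encode()
        out += len(raw).to_bytes(2, "big") + raw
    return out


def mac(key, *fields):
    return hmac.new(key, encode(*fields), hashlib.sha256).digest()


def H(addr, prev_hash):
    """One link of the hash chain: h_i = H(address_i, h_{i-1})."""
    return hashlib.sha256(encode(addr, prev_hash)).digest()


def new_request(k_sd, source, dest, req_id, ti):
    """Source S: h0 = MAC(K_SD, REQUEST | S | D | id | ti), empty node and MAC lists."""
    h0 = mac(k_sd, "REQUEST", source, dest, req_id, ti)
    return {"source": source, "dest": dest, "id": req_id, "ti": ti,
            "hash": h0, "nodes": [], "macs": []}


def forward(req, addr, tesla_key):
    """Intermediate node: extend the hash chain, append its address and its MAC."""
    out = dict(req, nodes=req["nodes"] + [addr], macs=list(req["macs"]))
    out["hash"] = H(addr, req["hash"])
    # Assumed MAC coverage: the whole request as this node is about to send it.
    out["macs"].append(mac(tesla_key, "REQUEST", out["source"], out["dest"],
                           out["id"], out["ti"], out["hash"],
                           ",".join(out["nodes"]), b"".join(req["macs"])))
    return out


def destination_accepts(k_sd, req, current_interval):
    """Destination D: keys for ti must still be undisclosed and the hash chain must match."""
    if current_interval >= req["ti"]:
        return False                      # TESLA keys for ti may already be public
    if len(req["nodes"]) != len(req["macs"]):
        return False
    expected = mac(k_sd, "REQUEST", req["source"], req["dest"], req["id"], req["ti"])
    for addr in req["nodes"]:             # H(a_n, H(a_{n-1}, ... H(a_1, h0)))
        expected = H(addr, expected)
    return hmac.compare_digest(expected, req["hash"])


if __name__ == "__main__":
    k_sd = b"constructed key shared by S and D"
    req = new_request(k_sd, "S", "D", req_id=7, ti=12)
    after_a = forward(req, "A", b"constructed TESLA key of A")
    after_b = forward(after_a, "B", b"constructed TESLA key of B")
    honest = forward(after_b, "C", b"constructed TESLA key of C")
    print("honest request accepted:", destination_accepts(k_sd, honest, 10))
    # C receives h2 = H(B, H(A, h0)). Without K_SD it cannot compute H(A, h0),
    # so a request that lists only (A, C) no longer matches the chain.
    stripped = dict(after_b, nodes=["A"], macs=after_b["macs"][:1])
    shortened = forward(stripped, "C", b"constructed TESLA key of C")
    print("request with B removed accepted:", destination_accepts(k_sd, shortened, 10))
```

The destination cannot check MA, MB and MC at this point because the TESLA keys are not yet disclosed; the hash chain is what lets it reject a node list that was edited in transit.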
ARIADNE
In the reverse path, every node waits until it can disclose its TESLA key. After that it appends its TESLA key and forwards the message to the next hop in the reverse path. When the source receives the ‘route reply’ message, it verifies that each key and each MAC are valid. If they are, it accepts the ‘route reply’ message. Otherwise it discards the message. After this the route is maintained in the ‘route cache’ until a ‘route error’ message is received. When an intermediate node B that tries to forward a message to the next node C in the route fails, it generates the following ‘route error’ message and sends it to source node S along the reverse path.
WATCHDOG PATHRATER
Pathrater rates the links based on the reliability of the links and knowledge of misbehaving nodes. Every node rates every other node in the network. When a link is used successfully, its rate increases. If a link break occurs, the rate of the link decreases. High negative numbers are assigned to the nodes suspected of misbehaving. Paths are rated by averaging the link ratings along the path. When the source node has multiple options to a destination, it selects the path with the highest path rate. Paths that contain misbehaving nodes are avoided. When there is no path to the destination that is free of misbehaving links, the source node initiates a ‘route request’ process.
SAODV
To secure the integrity of hop count, a hash chain is formed by applying one way hash function H to a randomly selected seed value s. Before transmitting a route request (RREQ) or route reply (RREP) message the source sets hash value h to seed s. The maximum hop count is assigned the time to live value ttl, and then top hash value T is computed by applying hash function ttl times to seed s.
h = s
T = H^ttl(s)
When a node i receives a message after i hops from the source node, it first checks if the following condition holds:
T = H^(ttl-i)(h)
SAODV
Since every intermediate node applies hash function H once to the hash value h in the message before relaying it, when H is applied ttl-i times to the current h, it should give top hash value T. Otherwise it indicates either the hash value h or hop count i is not correct. After this check, node i applies H to h and forwards it.
h = H(h)
To protect the integrity of the other fields in the message the source node signs everything but the hop count and hash value h fields, which are modified by every intermediate node.
SLSP
A node V broadcasts its link state data by using an LSU packet.
V → broadcast: {TYPE, R, Zone_R, LSU_Seq, LSU_signature, Hops_Traversed, LS_Data}
where
- TYPE is the packet type,
- R is the number of hops from the node to the zone boundary,
- Zone_R = H^R(X),
- Hops_Traversed = H(X),
- X is a random number,
- H is the hash function that every node knows,
- LSU_Seq is the sequence number of the LSU packet
SLSP
Receiving nodes first validate the signature. If the LSU packet is valid, they can derive the link state information in the packet. Then they hash the Hops_Traversed value in the LSU packet.
Hops_Traversed = H(Hops_Traversed)
If the new Hops_Traversed value is equal to the Zone_R value after hashing, it indicates that the packet has reached the boundary of the zone, and should not be forwarded further.
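The hop-limiting hash chains of the SAODV slides and of the SLSP slides above share one mechanism, shown here as a single added example (not code from the slides or from either protocol's authors). Assumptions: SHA-256 stands in for H, messages are plain dictionaries, and the source's signature over the immutable fields (top hash, maximum hop count, Zone_R) is taken as already verified.

```python
import hashlib
import hmac
import secrets


def H(value):
    return hashlib.sha256(value).digest()


def hash_n(value, n):
    """Apply H n times: H^n(value)."""
    for _ in range(n):
        value = H(value)
    return value


# --- SAODV: protecting the hop count -------------------------------------
def saodv_originate(ttl, seed=None):
    """Source: h = s, T = H^ttl(s). T and ttl are covered by the source's signature."""
    seed = seed if seed is not None else secrets.token_bytes(16)
    return {"hop_count": 0, "max_hop_count": ttl,
            "hash": seed, "top_hash": hash_n(seed, ttl)}


def saodv_check(msg):
    """Receiver after i hops: accept only if T = H^(ttl-i)(h)."""
    remaining = msg["max_hop_count"] - msg["hop_count"]
    if remaining < 0:
        return False
    return hmac.compare_digest(hash_n(msg["hash"], remaining), msg["top_hash"])


def saodv_relay(msg):
    """Intermediate node: check, then increment the hop count and set h = H(h)."""
    if not saodv_check(msg):
        raise ValueError("hop count and hash chain do not agree")
    return dict(msg, hop_count=msg["hop_count"] + 1, hash=H(msg["hash"]))


# --- SLSP: limiting an LSU packet to the zone -----------------------------
def slsp_originate(radius, x=None):
    """Node V: Zone_R = H^R(X), Hops_Traversed = H(X)."""
    if radius < 2:
        # With the initial value H(X), the first receiver already holds H^2(X),
        # so the equality test in this sketch needs R >= 2.
        raise ValueError("radius must be at least 2 in this sketch")
    x = x if x is not None else secrets.token_bytes(16)
    return {"zone_r": hash_n(x, radius), "hops_traversed": H(x)}


def slsp_receive(pkt):
    """Receiver: hash Hops_Traversed; stop forwarding when it equals Zone_R."""
    hashed = H(pkt["hops_traversed"])
    at_boundary = hmac.compare_digest(hashed, pkt["zone_r"])
    return dict(pkt, hops_traversed=hashed), not at_boundary


def slsp_nodes_reached(radius, limit=64):
    """Count the receivers along one path until a node declines to forward."""
    pkt, forward, reached = slsp_originate(radius), True, 0
    while forward and reached < limit:
        pkt, forward = slsp_receive(pkt)
        reached += 1
    return reached


if __name__ == "__main__":
    msg = saodv_originate(ttl=5)
    for _ in range(3):
        msg = saodv_relay(msg)
    print("after 3 honest hops:", saodv_check(msg))
    # A lower hop count would need a pre-image of the current hash value.
    print("hop count rewritten to 1:", saodv_check(dict(msg, hop_count=1)))
    print("SLSP receivers for R = 4:", slsp_nodes_reached(4))
```

In both protocols a relay can move the chain forward by hashing but cannot move it backward, which is why a claimed hop count lower than the number of hashes already applied fails the check.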
Specific Challenges
Security Protocols for Sensor Networks
- Sensor Network Encryption Protocol (SNEP)
  - Data confidentiality
  - Authentication
  - Integrity
  - Freshness
- µTESLA Authenticated Broadcast
(Perrig A, Szewczyk R, Wen V, Culler D, Tygar J D, ‘SPINS: Security Protocols for Sensor Networks,’ MOBICOM, 2001.)
Sensor Network Encryption Protocol (SNEP)
In SNEP, A sends the following message to B to transmit a data fragment D:
A→B: є, м
where
- є is the encrypted data fragment, i.e., є = {D}<Κencr, c>
- м is the MAC, i.e., м = MAC(Κmac, c│є)
- c is the counter value.
Sensor Network Encryption Protocol (SNEP)
For strong freshness
- Node A generates a nonce ηA randomly and sends it along with a request message ρA.
A→B: ηA, ρA
- Node B returns the nonce ηA with a response message ρB after a MAC computation.
B→A: {ρB}<Κencr, c>, MAC(Κmac, ηA│c│{ρB}<Κencr, c>)
µTESLA
Ki = F(Ki+1)
[Figure: time axis with t1, t2, t3, t4, t5, ..., tn; packets P1 to Pk sent along it; key chain K0, K1, K2, K3, K4, K5, ..., Kn]
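How the key chain Ki = F(Ki+1) is used for authenticated broadcast, as an added example (not code from the slides or from the SPINS authors). Assumptions: SHA-256 for F, HMAC-SHA256 for the packet MAC with Ki used directly as the MAC key, intervals numbered 1 to n with K0 as the commitment the receiver holds in advance, and a disclosure delay counted in whole intervals. The seed and messages are constructed.

```python
import hashlib
import hmac


def F(key):
    """One-way function of the key chain: K_i = F(K_{i+1})."""
    return hashlib.sha256(b"chain" + key).digest()


def make_chain(seed, n):
    """Sender: derive K_n from the seed, then walk down to the commitment K_0."""
    keys = [b""] * (n + 1)
    keys[n] = hashlib.sha256(seed).digest()
    for i in range(n - 1, -1, -1):
        keys[i] = F(keys[i + 1])
    return keys


def packet_mac(key, interval, message):
    return hmac.new(key, interval.to_bytes(4, "big") + message, hashlib.sha256).digest()


def make_packet(chain, interval, message):
    """Sender: a packet sent in interval i carries a MAC under the still secret K_i."""
    return (interval, message, packet_mac(chain[interval], interval, message))


class Receiver:
    def __init__(self, commitment, delay):
        self.last_index = 0             # index of the newest authenticated key
        self.last_key = commitment      # K_0, obtained over an authenticated channel
        self.delay = delay              # K_i is disclosed `delay` intervals after i
        self.pending = {}               # interval -> [(message, tag), ...]

    def buffer(self, packet, arrival_interval):
        """Keep a packet only if K_i cannot have been disclosed when it arrived."""
        interval, message, tag = packet
        if interval <= self.last_index or arrival_interval >= interval + self.delay:
            return False                # anyone may know K_i by now: drop
        self.pending.setdefault(interval, []).append((message, tag))
        return True

    def disclose(self, index, key):
        """Authenticate a disclosed key against the chain, then release packets."""
        if index <= self.last_index:
            return []
        probe = key
        for _ in range(index - self.last_index):
            probe = F(probe)
        if not hmac.compare_digest(probe, self.last_key):
            return []                   # not a key of this chain
        # Recover keys of intervals whose disclosure was lost: K_j = F(K_{j+1}).
        keys, k = {index: key}, key
        for j in range(index - 1, self.last_index, -1):
            k = F(k)
            keys[j] = k
        authentic = []
        for j in sorted(keys):
            for message, tag in self.pending.pop(j, []):
                if hmac.compare_digest(tag, packet_mac(keys[j], j, message)):
                    authentic.append(message)
        self.last_index, self.last_key = index, key
        return authentic


if __name__ == "__main__":
    chain = make_chain(b"constructed seed", 6)
    rx = Receiver(chain[0], delay=2)
    rx.buffer(make_packet(chain, 1, b"temp=21"), arrival_interval=1)
    rx.buffer((1, b"temp=99", b"\x00" * 32), arrival_interval=1)   # forged tag
    print(rx.disclose(3, chain[3]))     # the disclosure of K_1 and K_2 was lost
```

A receiver that misses a disclosure loses nothing: any later key of the chain authenticates itself against the last key it holds and yields the skipped keys by repeated application of F.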
Quarantine region is the region in the coverage area of an anti-node.
anti-nodeanti-node
sensor nodesensor node
quarantine quarantine regionregion
quarantined sensor quarantined sensor nodenode
sensor sensor rangerange
Quarantine Region Scheme
(Coskun, V, Cayirci, E., Levi, A., Sancak, S., “Quarantine Region Scheme to Prevent Spam Attacks in Wireless Sensor Networks,” IEEE Transactions on Mobile Computing, Volume 5, No. 8, pp 1074-1086, August 2006.)
Authentication in a Quarantine Region
• Detecting an attack, and declaring a quarantine period,
• Finding quarantined nodes,
• Authentication in quarantine region,
• Cancelling a quarantine period.
[Figure: network of nodes a to p, with the collector.]
• d receives authenticated from b, and sends authenticated to j.
• o receives authenticated from l, and sends unauthenticated to p.
• o receives unauthenticated from n, and sends unauthenticated to p.
Quarantine Region
[Figure: quarantined and not quarantined nodes a to k, (a) Before displacement and (b) After displacement.]
Quarantine Region
[Figure: antinode, quarantine region and buffer zone, with quarantined and not quarantined nodes a to e.]
Secure Charging and Rewarding
[Figure: nodes A and B, base stations BSA and BSB and the infrastructure, with the messages AReq, AConf, BReq, BRep and BConf.]
(Salem N B, Buttyan N, Hubaux J, Jakobsson M, ‘A Charging and Rewarding Scheme for Packet Forwarding in Multi-hop Cellular Networks,’ MobiHoc, 2003.)
Secure Charging and Rewarding
- Authenticate the initiating node A, and charge A before its packets are delivered to prevent refusal to pay attacks.
- Authenticate the forwarding nodes to ensure that only the selected nodes can forward and nodes that do not forward cannot claim that they do.
- Reward upstream nodes when the packets from A reach BSA.
- Reward downstream nodes when B acknowledges.
- Charge B when the packets from A are forwarded to B by BSB. Reimburse this charge when B acknowledges.
Secure Charging and Rewarding (Session Establishment - 1)
Source sends a request to BSA: A→BSA: AReq0
AReq0 = AReqID│oldASID│ARoute│TrafficInfo, MAC(KA, AReqID│oldASID│ARoute│TrafficInfo)
Intermediate upstream nodes forward:
AReqi = AReqID│oldASID│ARoute│TrafficInfo, MAC(Ki, AReqi-1)
BSB forwards the request to destination: BSB→B: BReq0
BReq0 = BReqID│oldBSID│BRoute│TrafficInfo
Intermediate downstream nodes forward:
BReqj = BReqID│oldBSID│BRoute│TrafficInfo, MAC(Ki, BReqj-1)
Secure Charging and Rewarding (Session Establishment - 2)
Destination accepts:
BReqj = BReqID, MAC(KB, BReqB-1)
Base stations confirm the source and the destination:
AConf = AReqID│ASID│AMACA│AMAC1│…│AMACa
AMACi = MAC(Ki, AReqID│ASID│oldASID│ARoute│TrafficInfo)
BConf = BReqID│BSID│BMACA│BMAC1│…│BMACa
BMACj = MAC(Kj, BReqID│BSID│oldBSID│BRoute│TrafficInfo)
Secure Charging and Rewarding (Packet Delivery)
Source prepares the packet:
SPkt0,η = SSID│Body0,η
Body0,η = η│Payloadη│MAC(KS, SSID│η│Payloadη)
η is the sequence number
Intermediate nodes forward the packet:
SPkti,η = SSID│Bodyi,η
Bodyi,η = PADi,η Bodyi-1,η
Acknowledging delivery:
DAck = DSID│Batch│LastPkt│LostPkts, MAC(KD, DSID│Batch│LastPkt│LostPkts)
Secure Node Localization
- Techniques against masquerading, replaying and node tampering
- Secure routing techniques
- Multimodal localization schemes, e.g., received signal strength indicator and time difference of arrival
- Assessing the reliability of beacon nodes
- Consistency checks by statistical methods
- Attack resistant node localization schemes
Malicious Beacon Node Detection - 1
- The detecting beacon requests a beacon signal, i.e., Breq, from another beacon node na, the target beacon node. The detecting beacon acts as if it were not a beacon node.
n→na: Breq
- Target beacon sends the beacon signal, i.e., Bbeacon, which includes the location (xa, ya) of the target beacon na.
na →n: Bbeacon
Malicious Beacon Node Detection - 2
- The detecting beacon estimates the distance da to the location (xa, ya) of the target beacon based on the RSSI calculation.
- Since the detecting node knows its own location, it can calculate the distance d between itself and the target node location sent in Bbeacon. If the difference between the estimated distance da and the calculated distance d is higher than the threshold τ, this may indicate that the target node is malicious.
$\text{if } \left|\sqrt{(x-x_a)^2+(y-y_a)^2}-d_a\right| > \tau, \text{ it is malicious.}$
Attack Resistant Location Estimation
Inconsistency among the location data can be detected by inspecting the mean square error of estimation (MMSE) given by
$\varepsilon = \frac{1}{m}\sum_{i=1}^{m}\left(d_i-\sqrt{(x-x_i)^2+(y-y_i)^2}\right)^2$
where
ε is the mean square error,
(xi, yi) is the location of beacon node i,
(x, y) is the estimated location,
di is the distance to beacon node i,
m is the number of beacon nodes used in the location estimation.
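The detecting-beacon test and the mean-square-error consistency check above, as an added Python sketch (not code from the slides). Assumptions of this example: positions are estimated with a linearised least-squares fit, inconsistent references are dropped greedily until ε falls below a threshold, and all coordinates, distances and thresholds are constructed sample values.

```python
import math

def is_suspect_beacon(own, claimed, d_est, tau):
    """Detecting-beacon test: |dist(own, claimed) - d_est| > tau."""
    return abs(math.dist(own, claimed) - d_est) > tau

def mean_square_error(est, refs):
    """epsilon = (1/m) * sum_i (d_i - dist(est, (x_i, y_i)))^2 for refs [(x_i, y_i, d_i)]."""
    return sum((d - math.dist(est, (x, y))) ** 2 for x, y, d in refs) / len(refs)

def estimate(refs):
    """Linearised least-squares position from at least 3 non-collinear references."""
    x0, y0, d0 = refs[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for x, y, d in refs[1:]:
        # Circle equation of this reference minus that of the first one is linear in (x, y).
        ax, ay = 2 * (x - x0), 2 * (y - y0)
        c = d0**2 - d**2 + x**2 - x0**2 + y**2 - y0**2
        a11, a12, a22 = a11 + ax * ax, a12 + ax * ay, a22 + ay * ay
        b1, b2 = b1 + ax * c, b2 + ay * c
    det = a11 * a22 - a12 * a12
    return ((b1 * a22 - b2 * a12) / det, (a11 * b2 - a12 * b1) / det)

def consistent_subset(refs, threshold):
    """Drop the reference whose removal lowers epsilon most, until epsilon <= threshold."""
    refs = list(refs)
    while len(refs) > 3 and mean_square_error(estimate(refs), refs) > threshold:
        candidates = [refs[:i] + refs[i + 1:] for i in range(len(refs))]
        refs = min(candidates, key=lambda s: mean_square_error(estimate(s), s))
    return refs

# Constructed scenario: the node is at (3, 4); the last beacon sits at (8, 2)
# but announces (20, 20), so its measured distance contradicts its claimed location.
TRUE_POS = (3.0, 4.0)
HONEST = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
REFS = [(x, y, math.dist(TRUE_POS, (x, y))) for x, y in HONEST]
REFS.append((20.0, 20.0, math.dist(TRUE_POS, (8.0, 2.0))))
```

With all five references the estimate is pulled several units away and ε is large; after the inconsistent reference is dropped the remaining four agree on (3, 4).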
Voting Scheme for Location Estimation
Secure Time Synchronization
- Step 1: Node A sends Node B a synchronization message at t1, and the message is received by Node B at t2.
A(t1)→(t2)B: A, B, NA, synch
- Step 2: Node B replies to Node A at t3, and the reply message is received by Node A at t4.
B(t3)→(t4)A: B, A, NA, t2, t3, ack, MAC(KAB, B│A│NA│t2│t3│ack)
- Step 3: Node A calculates the RTT. If the RTT is smaller than the maximum RTT threshold, the synchronization is accomplished. Otherwise it is aborted.
If (t4 - t1) - (t3 - t1) < θ, proceed.
(Ganeriwal S, Capcun S, Han C, Srivastava M B, ‘Secure Time Synchronization Service for Sensor Networks,’ WiSE, 2005.)
Secure Event & Event Boundary Detection
(Ding M, Chen D, Xing K, and Cheng X, ‘Localized Fault Tolerant Event Boundary Detection in Sensor Networks’, INFOCOM, 2005.)
1. Faulty Node Detection
[Figure: sensors S1, Si and Sn with the sets N(S1), N(Si), N(Sn) and N*(Si).]
N(Si) N*(Si)
N*(Si) (N(S1) N(Si) N(Sn))
N*(Si) = {S1, …, Si, …, Sn}
di = xi – medi
$\mu = \frac{1}{n}\sum_{i=1}^{n} d_i$
$\sigma = \sqrt{\frac{1}{n-1}\sum_{i=1}^{n}(d_i-\mu)^2}$
$y_i = \frac{d_i-\mu}{\sigma}$
Secure Event & Event Boundary Detection
2. Boundary Node Detection
[Figure: sensor Si with N(Si) divided into Sector A, Sector B and Sector C; Event Region E and out of Event Region E.]
1. Construct the set of faulty nodes Ω1.
2. For each sensor Si not in Ω1:
   - Partition the N(Si) into sectors.
   - Calculate the difference dij for each sector.
   - Assign the largest dij as the new di for Si.
   - Recalculate the mean μ, standard deviation σ, and yi for N*(Si)-Ω1 and the new di.
   - If |yi| ≥ θ2 after recalculation, Si goes into the set of boundary nodes denoted by Ω2.
Wireless Security Standards
X.800 and IETF RFC2828
• X.800
  • ITU-T recommendation
  • Security architecture for OSI
  • Defines general security-related architectural elements
  • Establishes guidelines and constraints to improve existing recommendations and/or to develop new recommendations
• IETF RFC2828
  • Internet Security Glossary
  • Provides abbreviations, explanations, and recommendations for information system security
Security threats and attacks
• Threats
  • Accidental vs. intentional threats
  • Passive vs. active threats
• Attacks
  • Insider vs. outsider attacks
  • Active vs. passive attacks
Security services
• Authentication service
  • Data origin authentication
  • Peer entity authentication
• Access control
• Data confidentiality
  • Connection confidentiality
  • Connectionless confidentiality
  • Selective field confidentiality
  • Traffic flow confidentiality
Security services
• Data integrity
  • Connection integrity with recovery
  • Connection integrity without recovery
  • Selective field connection integrity
  • Connectionless integrity
  • Selective field connectionless integrity
• Non-repudiation
  • Non-repudiation with proof of origin
  • Non-repudiation with proof of delivery
Security mechanisms
• Specific security mechanisms and pervasive security mechanisms
• Specific security mechanisms
  • Encipherment
  • Digital signature
  • Access control
  • Data integrity
  • Authentication exchange
  • Traffic padding mechanism
  • Routing control
  • Notarization mechanism
Security mechanisms
• Pervasive security mechanisms
  • Trusted functionality
  • Security labels
  • Event detection
  • Security audit trail
  • Security recovery
Relationships between security services and mechanisms
Mechanism columns, left to right: Encipherment, Digital signature, Access control, Data integrity, Authentication exchange, Traffic padding, Routing control, Notarization
Data origin authentication                  Y  Y  -  -  -  -  -  -
Peer entity authentication                  Y  Y  -  -  Y  -  -  -
Access control                              -  -  Y  -  -  -  -  -
Connection Confidentiality                  Y  -  -  -  -  -  Y  -
Connectionless Confidentiality              Y  -  -  -  -  -  Y  -
Selective Field confidentiality             Y  -  -  -  -  -  -  -
Traffic Flow Confidentiality                Y  -  -  -  -  Y  Y  -
Connection Integrity with Recovery          Y  -  -  Y  -  -  -  -
Connection Integrity without Recovery       Y  -  -  Y  -  -  -  -
Selective Field Connection Integrity        Y  -  -  Y  -  -  -  -
Connectionless Integrity                    Y  Y  -  Y  -  -  -  -
Selective Field Connectionless Integrity    Y  Y  -  Y  -  -  -  -
Non-repudiation with proof of origin        -  Y  -  Y  -  -  -  Y
Non-repudiation with proof of delivery      -  Y  -  Y  -  -  -  Y
Notes:
Y: the mechanism is considered to be appropriate, either on its own or in combination with other mechanisms
- : the mechanism is considered not to be appropriate
Placements of security services and mechanisms
Service                                     Layer: 1  2  3  4  5  6  7*
Data origin authentication                         -  -  Y  Y  -  -  Y
Peer entity authentication                         -  -  Y  Y  -  -  Y
Access control                                     -  -  Y  Y  -  -  Y
Connection Confidentiality                         Y  Y  Y  Y  -  Y  Y
Connectionless Confidentiality                     -  Y  Y  Y  -  Y  Y
Selective Field confidentiality                    -  -  -  -  -  Y  Y
Traffic Flow Confidentiality                       Y  -  Y  -  -  -  Y
Connection Integrity with Recovery                 -  -  -  Y  -  -  Y
Connection Integrity without Recovery              -  -  Y  Y  -  -  Y
Selective Field Connection Integrity               -  -  -  -  -  -  Y
Connectionless Integrity                           -  -  Y  Y  -  -  Y
Selective Field Connectionless Integrity           -  -  -  -  -  -  Y
Non-repudiation with proof of origin               -  -  -  -  -  -  Y
Non-repudiation with proof of delivery             -  -  -  -  -  -  Y
Y: Service is provided within the layer mentioned.
- : Service is not provided within the layer mentioned
* It should be noted, with respect to layer 7, that the application process may, itself, provide security services
Wired equivalent privacy (WEP)
• WEP-based WLAN configuration
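Wired equivalent privacy (WEP)
• WEP encryption principle
[Figure: WEP encryption. The Initialization Vector (IV) is concatenated (||) with the WEP key to form the seed of the RC4 PRNG, which outputs the key stream. The plaintext is concatenated (||) with its CRC-32 Integrity Check Value (ICV) and combined (+) with the key stream to give the cipher-text, which is sent together with the IV.]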
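Wired equivalent privacy (WEP)
• WEP decryption principle
[Figure: WEP decryption. The received IV is concatenated (||) with the WEP key to form the seed of the RC4 PRNG; the key stream is combined (+) with the cipher-text to recover the plaintext and the ICV. The integrity algorithm computes ICV' over the plaintext, and the message is checked with ICV = ICV'?]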
WEP weakness
• Passive attacks to decrypt traffic
• Active attacks to inject traffic
• Active attack from both ends
• Table-based attack
• Monitoring
Wi-Fi protected access (WPA)
• WPA enterprise mode
[Figure: WLAN client, access point, LAN and authentication server (RADIUS/LDAP); credentials check and encryption key distribution.]
Wi-Fi protected access (WPA)
• WPA personal mode
[Figure: WLAN client, access point and LAN; password check and encryption key distribution.]
Wi-Fi protected access (WPA)
• Authentication
• Encryption
  • Using a longer IV (48 bits)
  • Increasing the key size from 40 to 128 bits
  • Renewing encryption key every 10,000 packets
  • Using per packet key mixing of the IV
• Message integrity
WEP and WPA comparison
Encryption
  WEP: Flawed, cracked by scientists and hackers
  WPA: Fixes all WEP flaws
  WEP: 40-bit keys
  WPA: 128-bit keys
  WEP: Static key – Same key used by everyone on the network
  WPA: Dynamic session keys, i.e., per user, per session, per packet keys
  WEP: Manual distribution of keys – Hand typed into each device
  WPA: Automatic distribution of keys
Authentication
  WEP: Flawed, used WEP key itself for authentication
  WPA: Strong user authentication, utilizing 802.1X and EAP
WPA2
• Based on the Robust Security Network (RSN) mechanism
• Support for all mechanisms available in WPA
• Encryption mechanism different from WPA
• Using Advanced Encryption Standard (AES) with CCMP
Conclusion
Introduction
Physical Protection
Wireless Medium
MAC Layer
Routing Protocols
Transport Layer
Node Localization and Time Synchronization
Conclusion