Distributed Detection of Node Replication Attacks in Sensor Networks

Bryan Parno, Adrian Perrig, Virgil Gligor. IEEE Symposium on Security and Privacy 2005. Xia Wang, CS610, Fall 2005.


Outline
• Introduction
• Preliminary protocols
• Randomized multicast
• Line-selected multicast
• Simulations
• Conclusions and Future work

Introduction
• Sensor nodes are small, low-cost and usually lack hardware protection.
• Unshielded sensor nodes are easily captured and replicated in hostile environments.
• Node replication attacks: an adversary captures and compromises a legitimate node, then replicates it with the same ID and inserts the replicas into the network.
• Using replicated nodes, the adversary could subvert the whole network.

Existing Approaches
• Centralized monitoring: all nodes transfer a list of their neighbors' claimed locations to a central base station that examines location conflicts. Drawback: single point of failure.
• Localized voting systems: nodes can revoke their neighbors. Drawback: cannot detect distributed node replication.

Some Assumptions and Goals
Assumptions:
• The adversary cannot create new IDs for nodes or simply guess a new ID.
• The percentage of captured nodes is limited.
• Any cloned node has at least one legitimate node as a neighbor. (This assumption can be removed.)
• Each node knows its geographic position.
Goal:
• Provide schemes that detect node replication attacks without centralized monitoring and revoke the replicated nodes.
• Lower memory consumption and communication costs.

Preliminary approaches
• Node-To-Network Broadcasting
• Deterministic Multicast

Node-To-Network Broadcasting (1)

• Each node uses an authenticated broadcast message to flood the network with its location information.

• Each node stores the location information for its neighbors.

• If a conflicting claim is detected, the offending node is revoked.

Node-To-Network Broadcasting (2)

• Simple, and achieves a 100% detection rate.

• Each node stores location information for its d neighbors.

• Total communication cost is $O(n^2)$.

Deterministic Multicast
• Each node broadcasts its location to its neighbors.
• Neighbors forward the location claim to a subset of the nodes, the "witnesses": $F(\alpha) = W_1, W_2, \ldots, W_g$
• Once a witness detects a location conflict, it revokes α by flooding.
• If each node selects $(g \ln g)/d$ random destinations from the set of witnesses and the average path length is $O(\sqrt{n})$, then the communication cost is $O\left(\frac{g \ln g \sqrt{n}}{d}\right)$.
• F is a deterministic function, so an adversary can also determine all witness nodes.

Randomized Multicast (1)
• Each node α broadcasts its location to its neighbors $\beta_1, \beta_2, \ldots, \beta_d$ in the format $\langle ID_\alpha, l_\alpha, \{H(ID_\alpha, l_\alpha)\}_{K^{-1}} \rangle$.
• Each neighbor verifies α's signature and location $l_\alpha$.
• With probability p, each neighbor selects g random locations as witnesses.
• Geographic routing is used to forward α's location claim.
• Upon receiving a location claim, each witness verifies the signature and checks for location conflicts.
• If a node replication attack is detected, the witness floods the network with the two conflicting locations.
What is the probability of a collision?

Security Analysis of Randomized Multicast (1)

• Suppose malicious node α is replicated at locations $l_1, l_2, \ldots, l_L$.
• At each location $l_i$, p·d nodes randomly select g witnesses.
  p: probability that a neighbor will replicate the location information
  d: average degree of each node
  g: number of witnesses selected by each neighbor
• Quantity of interest: the probability that two conflicting location reports collide at some witness node.
• The birthday paradox predicts at least one collision with high probability. (In a room with 23 people, there is a chance of more than 50% that two people have the same birthday.)
• Ideally, α's location will be stored at p·d·g locations.

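$P_{nc1}$ is the probability that the p·d·g recipients of claim $l_1$ do not receive any of the p·d·g copies of claim $l_2$:

$$P_{nc1} = \left(1 - \frac{p \cdot d \cdot g}{n}\right)^{p \cdot d \cdot g}$$

$$P_{nc2} = \left(1 - \frac{2 \cdot p \cdot d \cdot g}{n}\right)^{p \cdot d \cdot g}$$

$P_{nc}$ is the probability of no collision at all:

$$P_{nc} = \prod_{i=1}^{L-1} \left(1 - \frac{i \cdot p \cdot d \cdot g}{n}\right)^{p \cdot d \cdot g}$$

Using $(1+x)^y \approx 1 + xy$ and $(1+x) \le e^x$:

$$P_{nc} \le e^{-\frac{p^2 d^2 g^2}{n} \cdot \frac{L(L-1)}{2}}$$

$$P_c = 1 - P_{nc}$$

With n = 10,000, g = 100, d = 20, p = 0.05, the probability of detecting a single replication is greater than 63%, and the probability of detecting two replications is greater than 95%.

Not efficient: communication cost is $O(n^2)$.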
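The collision analysis on this slide can be checked numerically. The following is an added example, not code from the slides or the paper: it evaluates the product formula and the exponential bound for the slide's parameters and compares them with a Monte Carlo run. It assumes the idealized case in which every claim is stored at exactly p·d·g distinct witnesses chosen uniformly at random; the function names are illustrative.

```python
import math
import random


def collision_bound(n, p, d, g, L):
    """Slide's lower bound: P_c >= 1 - exp(-(pdg)^2 * L(L-1) / (2n))."""
    w = p * d * g
    return 1 - math.exp(-(w * w) * L * (L - 1) / (2 * n))


def collision_product(n, p, d, g, L):
    """P_c = 1 - prod_{i=1}^{L-1} (1 - i*pdg/n)^(pdg), before the e^x bound."""
    w = p * d * g
    p_nc = 1.0
    for i in range(1, L):
        p_nc *= (1 - i * w / n) ** w
    return 1 - p_nc


def simulate(n, p, d, g, L, trials=2000, seed=1):
    """Fraction of trials in which some witness holds two conflicting claims.

    Assumption: each of the L locations stores its claim at exactly
    round(p*d*g) distinct witnesses chosen uniformly at random.
    """
    rng = random.Random(seed)
    w = round(p * d * g)
    detected = 0
    for _ in range(trials):
        holders = set()              # nodes already storing a claim for this ID
        for _loc in range(L):
            witnesses = rng.sample(range(n), w)
            if any(node in holders for node in witnesses):
                detected += 1        # same ID, second location: conflict
                break
            holders.update(witnesses)
    return detected / trials


if __name__ == "__main__":
    # Parameters from the slide: n = 10,000, g = 100, d = 20, p = 0.05.
    for L in (2, 3):
        args = (10_000, 0.05, 20, 100, L)
        print(L, collision_bound(*args), collision_product(*args), simulate(*args))
```

L counts the locations at which α appears, so L = 2 is a single replication and L = 3 is two replications.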

Line-Selected Multicast
• When a location claim travels from one node to another node, all the intermediate nodes store the location and virtually form a line across the network.
• If a conflicting location claim ever crosses the line, then the node at the intersection will detect the conflict.

Analysis of Line-Selected Multicast

• The probability that two line segments intersect

• Use the solution to Sylvester's Four-Point Problem.

• The probability that four randomly selected points in a convex domain will form a re-entrant quadrilateral is $\frac{35}{12\pi^2}$.

$$P_{intersect} = \frac{1}{3}\left(1 - \frac{35}{12\pi^2}\right) \approx 0.235$$

Advanced Analysis of Line-Selected Multicast

• With only 2 random segments per point, the probability is >56%

• With 5 segments per point, the probability is 95%
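The intersection probability from Sylvester's Four-Point Problem can be reproduced by simulation. This is an added example, not code from the slides or the paper: it assumes a circular deployment area (the unit disk, for which the 35/(12π²) value holds) and straight-line segments between uniformly random points. The case of several segments per point is an empirical estimate under that simplified model, not the paper's analysis, and all names are illustrative.

```python
import math
import random


def rand_point(rng):
    """Uniform random point in the unit disk (rejection sampling)."""
    while True:
        x, y = rng.uniform(-1, 1), rng.uniform(-1, 1)
        if x * x + y * y <= 1:
            return (x, y)


def orient(a, b, c):
    """Signed area of triangle abc; the sign says which side of ab holds c."""
    return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])


def segments_cross(p1, p2, q1, q2):
    """True if segment p1p2 properly crosses q1q2 (collinear ties ignored)."""
    return (orient(p1, p2, q1) * orient(p1, p2, q2) < 0
            and orient(q1, q2, p1) * orient(q1, q2, p2) < 0)


def p_intersect_closed_form():
    """(1/3) * (1 - 35 / (12 * pi^2)), the slide's value of about 0.235."""
    return (1 - 35 / (12 * math.pi ** 2)) / 3


def detect_prob(r, trials=20000, seed=7):
    """Two replicas at random points each draw r segments to random points.

    Returns the fraction of trials in which any segment of one replica
    crosses any segment of the other (a node on the crossing sees both claims).
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a, b = rand_point(rng), rand_point(rng)
        lines_a = [(a, rand_point(rng)) for _ in range(r)]
        lines_b = [(b, rand_point(rng)) for _ in range(r)]
        if any(segments_cross(*s, *t) for s in lines_a for t in lines_b):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print(p_intersect_closed_form(), detect_prob(1), detect_prob(2))
```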

Simulations

Communication Overhead

Simulation(2)

The average probability of detecting a single node replication using Line-Selected Multicast in a variety of topologies.

Conclusions and Future Work

• Conclusions
  – Proposed the randomized multicast scheme and the line-selected multicast scheme to detect distributed node replication attacks.
  – Line-selected multicast provides excellent resiliency while achieving near-optimal communication overhead.
  – Both primary protocols illustrate the power of emergent properties in sensor networks.
• Future work
  – Consider misbehaving malicious nodes.
• Critique
  – Once a conflicting location claim is detected, the revocation of the replicated nodes is flooded through the whole network. Because the node replication attack happens during a certain time slot, the malicious node may obtain other nodes' ID information before detection starts. In that case, the malicious node can fabricate conflicting location information and flood it into the network, exhausting the energy of the network.