SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks Radha Poovendran Network...
-
date post
20-Dec-2015 -
Category
Documents
-
view
212 -
download
0
Transcript of SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks Radha Poovendran Network...
SeRLoc: Secure Range-Independent Localization for Wireless Sensor
Networks
Radha Poovendran
Network Security Lab
University of Washington
Protocol Exchange Meeting Feb 1-2, Naval Postgraduate School
Graduate Student: Loukas Lazos
Radha Poovendran Seattle, Washington 2
• Motivation• Secure Localization Problem • SeRLoc• Threats and defenses• Performance Evaluation• Conclusions
Outline
Radha Poovendran Seattle, Washington 3
Why do we need location in WSN?
Access Control
Location-dependent services
Networkfunctions
Monitoring Apps
Radha Poovendran Seattle, Washington 7
Localization Problem
• Choice of localization algorithm is based on:• Resolution required• Region of deployment• Resource constraints of the devices
Localization: Sensor Location Estimation
• How do sensors become aware of their position under non-deterministic deployment?
Radha Poovendran Seattle, Washington 8
Classification of Loc. Schemes• Indoors vs. Outdoors:
• GPS, Centroid (outdoors). • RADAR, Active Bat, AhLos (indoors).
• Infrastructureless (I-L) vs. Infrastructure based (I-B):• AhLos, Amorphous, DV-Hop (I-L).• RADAR, Active Bat, AVL (I-B).
• Range-based (R-B) vs. Range-Independent (R-I):• RADAR, Ahlos, GPS, Active Bat (R-B).• APIT, DV-Hop, Amorphous, Centroid (R-I).
• Active vs. Passive• Dv-hop, APIT (Active).• RADAR (Passive).
Radha Poovendran Seattle, Washington 9
Localization in un-trusted environment• WSN may be deployed in hostile
environments.
• Threats in sensor localization:•External
•Replay attacks.•Node Impersonation attacks.
• Internal•Compromise of network entities.•False location claims.
Radha Poovendran Seattle, Washington 10
• Secure Verification of Location Claims[Sastry et al. WISE 2002].
• Location Privacy Privacy-aware Location Sensor Networks
[Gruteser et al. USENIX 2003].• Secure Localization: Ensure robust
location estimation even in the presence of adversaries.SeRLoc: [Lazos and Poovendran, WISE
2004].S-GPS: [Kuhn 2004].SPINE: [Capkun & Hubeaux, Infocom
2005].
Secure Location Services
Radha Poovendran Seattle, Washington 11
• Motivation• Problem Description• SeRLoc• Threats and defense• Performance • Conclusions
Outline
Radha Poovendran Seattle, Washington 12
• SeRLoc: SEcure Range-independent
LOCalization.
• SeRLoc features
• Passive Localization.
• No ranging hardware required.
• Decentralized Implementation,
Scalable.
• Robust against attacks -
Lightweight security.
Our Approach: SeRLoc
Radha Poovendran Seattle, Washington 13
Locators: Randomly deployed
Known Location, OrientationDirectional Antennas
(X1, Y1)
(X3, Y3)
(X4, Y4)
(X5, Y5)
(X2, Y2)
N
S
EW
Network Model Assumptions (1)Two-tier network
architectureSensors: Randomly deployed, unknown location
r
R
Locator range R
Beamwidth θ
θ
Omnidirectional AntennasSensor range r
Locator Sensor
Radha Poovendran Seattle, Washington 14
Network Model Assumptions (2)
•Locator deployment: Homogeneous
Poisson point process of rate ρL (ρL:
Locator density).
•Sensor deployment: Poisson point
process of rate ρs independent of locator
deployment (ρs: sensor density).
•Or can be seen as random sampling of
the deployment area with rate ρs (ρs >>
ρL). 2
!
2R
k
Ls
Lek
RkLHP
LHs: Locators heard at a sensor s.
Radha Poovendran Seattle, Washington 15
Locator Sensor
L1
L4
L3
(0, 0)
s
L3
ROI
The Idea of SeRLoc
• Each locator Li transmits
information that defines
the sector Si, covered by
each transmission.
• Sensor defines the region of intersection (ROI) from all locators it hears.
sLH
iiSROI
1
Radha Poovendran Seattle, Washington 21
• Motivation• Problem • SeRLoc• Threats and defense• Performance • High resolution localization:
HiRLoc• Conclusions
Outline
Radha Poovendran Seattle, Washington 22
Threats
•Attacker aims at displacing the sensors (false info is worse than no info).
•We do not address DoS attacks.
•We do not address jamming of the communication medium. [Lazos & Poovendran, IPSN 2005]
Jamming
f
L1
s
Radha Poovendran Seattle, Washington 23
How can a sensor be displaced?
•In SeRLoc: Sensor gets false localization information.
• A) Replay beacons from a far-away region.
• B) Impersonate locators and fabricate beacons.
How can we protect broadcasted localization
information?
Radha Poovendran Seattle, Washington 24
SeRLoc - Security mechanisms•Message Encryption: Messages encrypted with a
symmetric key K0.
•Beacon Format:
Locator’s coordinates Slopes of the sector
ID authentication
Shared symmetric key
Li : { (Xi, Yi) || (θi,1, θi,2) || (Hn-j(PWi)), j } K0
• Every sensor stores the values Hn(PWi) for all the
locators.
• A sensor can authenticate all locators that are within its range (one-hop authentication).
PWiH0(Pwi)
H H1(Pwi) Hn(Pwi)H H H
one-way hash functionHash chain
Synchronization var
Radha Poovendran Seattle, Washington 25
SeRLoc – Wormhole Attack
L1
L4
L3
L2
L5
L8L7
L6
THREAT MODEL• The attacker records beacon
information at region A
• No compromise of integrity,
authenticity of the communication
or crypto protocols.
• Direct link allows replay of the
beacons in a timely fashion.
sensorLocator
Attacker
Region B
Region A
Record beacons
Wormhole link
•Tunnels it via the wormhole link at region B, and replays the beacons.•Sensor is misled to believe it hears the set of locators LHs: {L1 - L8}.
Radha Poovendran Seattle, Washington 26
Wormhole attack detection (1)
cL
c
AA eLHPSMP 11
Accept only single message per locator
Multiple messages from the same locator are heard due to: –Multi-path effects;–Imperfect sectorization.–Replay attack.
sensorLocator
Ac
Wormhole link
Attacker
obstacle
R
R
R: locator-to-sensor communication range.
Radha Poovendran Seattle, Washington 27
jLiLAA eeCRP 11
Locators heard by a sensor cannot be more than 2R apart
sensorLocator
Ai
RLL ji 2Aj
Wormhole attack detection (2)
Wormhole link
Attacker
2R
Li Lj
R: locator-to-sensor communication range.
R
R
Radha Poovendran Seattle, Washington 28
2
det
11
)()(
iLcLcL AAA eee
CRPSMPCRPSMPCRSMPP
Probability of wormhole detection
The events of a locator being within any region Ai, Aj, Ac are inde-pendent (Regions do not overlap).
sensorLocator
Ai Aj
Ac
Wormhole attack detection (3)
Wormhole link
Attacker
2R
Radha Poovendran Seattle, Washington 29
Wormhole attack detection (4)Probability of wormhole detection
L
99.48%
Radha Poovendran Seattle, Washington 30
Attach to Closest Locator Algorithm
(ACLA)
Resolution of location ambiguity
L1
L4
L3
L2
L5
L8
L7
L6
Region B
Region A
A sensor needs to distinguish the valid set of locators from the replayed ones.
Wormhole link
1. Sensor s : Broadcasts a nonce η.2. Locator Li : Reply with a beacon
+ the nonce η, encrypted with the
pair-wise key Ks,Li.3. Sensor s : Identify the locator
Lc with the first authentic reply.4. Sensor s : A locator Li belongs to
the valid set, only if it overlaps with the sector defined by the beacon of Lc.
Closest Locator
Radha Poovendran Seattle, Washington 31
THREAT MODEL
•The attacker impersonates multiple locators
(compromise of the globally shared key K0).
SeRLoc – Sybil Attack
L1
L2L3
L4
Impersonator
• Hence, compromise the majority-based scheme,
if more than |LHs| locators impersonated.
Collect hash values
• Attacker can fabricate arbitrary beacons.
Radha Poovendran Seattle, Washington 32
•In a Sybil attack, the sensor hears at least twice the
number of locators it would normally hear.
•Define a threshold Lmax as the maximum allowable number
of locators heard, such that:
Sybil Attack detection (1)
,)|(| max LLHP s 1)
2|(| maxL
LHP s
Probability of false
alarm
Probability of Sybil
attack detection
•Design goal: Given security requirement δ, minimize false
alarm probability ε.
Radha Poovendran Seattle, Washington 33
Sybil Attack detection (2)
k
i
R
i
Ls
Lei
RkLHP
1
22
!1
• Random locator deployment we can derive the Lmax
value:
26 locators
5%
52 locators
99%
Detectionprobability
False alarmProbability
1
Radha Poovendran Seattle, Washington 34
Sybil Attack defense•Once a Sybil attack is detected, i.e.
More than Lmax locators are heard:•Execute ACLA to attach sensor’s position to the closest locator.
•Attacker needs to compromise the pairwise key between a locator and the sensor under attack to compromise ACLA.
What if a locator is compromised?
Radha Poovendran Seattle, Washington 35
SeRLoc – Compromised Locators
• Compromise of a locator Li reveals K0,
seed PWi to the hash chain of the
locator.
• Attacker can
• Impersonate the Closest Locator.
• Compromise the ACLA algorithm.
• Displace any sensor that uses ACLA.
• Need an Enhanced version of ACLA
Radha Poovendran Seattle, Washington 36
Enhanced location determination algorithm
L2
L3
L4
L5
L6
L1 L7
L8
L9
1. The sensor transmits a nonce with its
ID and set LHs
2. Locators within r
from the sensor relay
the nonce.
3. Locators within R
reply with a beacon
+ the nonce.
4. Sensor accepts
first Lmax replies.
• Attacker has to
compromise more than
Lmax/2 locators, AND
• Replay before
authentic replies arrive
at s.
Radha Poovendran Seattle, Washington 37
• Motivation• Secure Localization Problem • SeRLoc• Threats and defenses• Performance Evaluation• Conclusions
Outline
Radha Poovendran Seattle, Washington 38
• Simulation setup:
―Random locator distribution with density ρL.
―Random sensor distribution with density 0.5.• Performance evaluation metric:
• : Sensor location estimation.
• si : Sensor actual location.
• r : Sensor-to-sensor communication range.• |S| : Number of sensors.
Performance Evaluation
S
i
iesti
r
ss
SLE
1
1
estis
Radha Poovendran Seattle, Washington 39
Localization Error vs. Avg. LH
• M number of antenna
sectors.
•Each locator is
equivalent to M
reference points.
•In our simulation set
up, SeRLoc
outperforms most of
the schemes.
LH: Locators Heard
Radha Poovendran Seattle, Washington 41
Localization error vs. sector error
•Sector error:
Fraction of sectors
falsely estimated at
each sensor.
• Even when 50% of the
sectors are falsely
estimated, LE < r for
LH 6
•SeRLoc is resilient
against sector error
due to the majority
vote scheme.
Radha Poovendran Seattle, Washington 42
Localization error vs. GPS error
• GPS Error (GPSE):
Error in the locators’
coordinates.
• For GPSE = 1.8r and
LH = 3, LE = 1.1r.
• DV-hop/Amorphous:
LE = 1.1r requires LH
= 5 with no GPSE.
• APIT: LE = 1.1r
requires LH = 15 with
no GPSE.
Radha Poovendran Seattle, Washington 45
Summary and Conclusions SeRLoc is a two-tier network architecture:
Locators: Known coordinates, sectored antennas,
fixed transmission range. Sensors: Passively determine their position, by
intersecting the antenna sectors heard.
Resistance to attacks in WSN using: Cryptographic primitives (encryption, hashing). Geometric properties (Range of transmission).
Analytically evaluated level of security via
spatial statistics. Current developments:
Characterize wormhole Problem [UW+NRL; WCNC
2005] Resistance to jamming attacks, analytical
evaluation of error bounds [Lazos & Poovendran;
ROPE 2005]
Radha Poovendran Seattle, Washington 47
Workshop on Secure Localization of
Wireless Sensor Networks: June 2005,
University of Washington.
Workshop Announcement