SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks Radha Poovendran Network...

SeRLoc: Secure Range-Independent Localization for Wireless Sensor

Networks

Radha Poovendran

Network Security Lab

University of Washington

Protocol Exchange Meeting Feb 1-2, Naval Postgraduate School

Graduate Student: Loukas Lazos

Radha Poovendran Seattle, Washington 2

• Motivation• Secure Localization Problem • SeRLoc• Threats and defenses• Performance Evaluation• Conclusions

Outline


Why do we need location in WSN?

Access Control

Location-dependent services

Networkfunctions

Monitoring Apps


Localization Problem

• Choice of localization algorithm is based on:• Resolution required• Region of deployment• Resource constraints of the devices

Localization: Sensor Location Estimation

• How do sensors become aware of their position under non-deterministic deployment?


Classification of Loc. Schemes• Indoors vs. Outdoors:

• GPS, Centroid (outdoors). • RADAR, Active Bat, AhLos (indoors).

• Infrastructureless (I-L) vs. Infrastructure based (I-B):• AhLos, Amorphous, DV-Hop (I-L).• RADAR, Active Bat, AVL (I-B).

• Range-based (R-B) vs. Range-Independent (R-I):• RADAR, Ahlos, GPS, Active Bat (R-B).• APIT, DV-Hop, Amorphous, Centroid (R-I).

• Active vs. Passive• Dv-hop, APIT (Active).• RADAR (Passive).


Localization in un-trusted environment• WSN may be deployed in hostile

environments.

• Threats in sensor localization:•External

•Replay attacks.•Node Impersonation attacks.

• Internal•Compromise of network entities.•False location claims.


• Secure Verification of Location Claims[Sastry et al. WISE 2002].

• Location Privacy Privacy-aware Location Sensor Networks

[Gruteser et al. USENIX 2003].• Secure Localization: Ensure robust

location estimation even in the presence of adversaries.SeRLoc: [Lazos and Poovendran, WISE

2004].S-GPS: [Kuhn 2004].SPINE: [Capkun & Hubeaux, Infocom

2005].

Secure Location Services


• Motivation• Problem Description• SeRLoc• Threats and defense• Performance • Conclusions

Outline


• SeRLoc: SEcure Range-independent

LOCalization.

• SeRLoc features

• Passive Localization.

• No ranging hardware required.

• Decentralized Implementation,

Scalable.

• Robust against attacks -

Lightweight security.

Our Approach: SeRLoc


Locators: Randomly deployed

Known Location, OrientationDirectional Antennas

(X1, Y1)

(X3, Y3)

(X4, Y4)

(X5, Y5)

(X2, Y2)

N

S

EW

Network Model Assumptions (1)Two-tier network

architectureSensors: Randomly deployed, unknown location

r

R

Locator range R

Beamwidth θ

θ

Omnidirectional AntennasSensor range r

Locator Sensor


Network Model Assumptions (2)

•Locator deployment: Homogeneous

Poisson point process of rate ρL (ρL:

Locator density).

•Sensor deployment: Poisson point

process of rate ρs independent of locator

deployment (ρs: sensor density).

•Or can be seen as random sampling of

the deployment area with rate ρs (ρs >>

ρL). 2

!

2R

k

Ls

Lek

RkLHP

LHs: Locators heard at a sensor s.


Locator Sensor

L1

L4

L3

(0, 0)

s

L3

ROI

The Idea of SeRLoc

• Each locator Li transmits

information that defines

the sector Si, covered by

each transmission.

• Sensor defines the region of intersection (ROI) from all locators it hears.

sLH

iiSROI

1


• Motivation• Problem • SeRLoc• Threats and defense• Performance • High resolution localization:

HiRLoc• Conclusions

Outline


Threats

•Attacker aims at displacing the sensors (false info is worse than no info).

•We do not address DoS attacks.

•We do not address jamming of the communication medium. [Lazos & Poovendran, IPSN 2005]

Jamming

f

L1

s


How can a sensor be displaced?

•In SeRLoc: Sensor gets false localization information.

• A) Replay beacons from a far-away region.

• B) Impersonate locators and fabricate beacons.

How can we protect broadcasted localization

information?


SeRLoc - Security mechanisms•Message Encryption: Messages encrypted with a

symmetric key K0.

•Beacon Format:

Locator’s coordinates Slopes of the sector

ID authentication

Shared symmetric key

Li : { (Xi, Yi) || (θi,1, θi,2) || (Hn-j(PWi)), j } K0

• Every sensor stores the values Hn(PWi) for all the

locators.

• A sensor can authenticate all locators that are within its range (one-hop authentication).

PWiH0(Pwi)

H H1(Pwi) Hn(Pwi)H H H

one-way hash functionHash chain

Synchronization var


SeRLoc – Wormhole Attack

L1

L4

L3

L2

L5

L8L7

L6

THREAT MODEL• The attacker records beacon

information at region A

• No compromise of integrity,

authenticity of the communication

or crypto protocols.

• Direct link allows replay of the

beacons in a timely fashion.

sensorLocator

Attacker

Region B

Region A

Record beacons

Wormhole link

•Tunnels it via the wormhole link at region B, and replays the beacons.•Sensor is misled to believe it hears the set of locators LHs: {L1 - L8}.


Wormhole attack detection (1)

cL

c

AA eLHPSMP 11

Accept only single message per locator

Multiple messages from the same locator are heard due to: –Multi-path effects;–Imperfect sectorization.–Replay attack.

sensorLocator

Ac

Wormhole link

Attacker

obstacle

R

R

R: locator-to-sensor communication range.


jLiLAA eeCRP 11

Locators heard by a sensor cannot be more than 2R apart

sensorLocator

Ai

RLL ji 2Aj


Wormhole link

Attacker

2R

Li Lj

R: locator-to-sensor communication range.

R

R


2

det

11

)()(

iLcLcL AAA eee

CRPSMPCRPSMPCRSMPP

Probability of wormhole detection

The events of a locator being within any region Ai, Aj, Ac are inde-pendent (Regions do not overlap).

sensorLocator

Ai Aj

Ac


Wormhole link

Attacker

2R


Wormhole attack detection (4)Probability of wormhole detection

L

99.48%


Attach to Closest Locator Algorithm

(ACLA)

Resolution of location ambiguity

L1

L4

L3

L2

L5

L8

L7

L6

Region B

Region A

A sensor needs to distinguish the valid set of locators from the replayed ones.

Wormhole link

1. Sensor s : Broadcasts a nonce η.2. Locator Li : Reply with a beacon

+ the nonce η, encrypted with the

pair-wise key Ks,Li.3. Sensor s : Identify the locator

Lc with the first authentic reply.4. Sensor s : A locator Li belongs to

the valid set, only if it overlaps with the sector defined by the beacon of Lc.

Closest Locator


THREAT MODEL

•The attacker impersonates multiple locators

(compromise of the globally shared key K0).

SeRLoc – Sybil Attack

L1

L2L3

L4

Impersonator

• Hence, compromise the majority-based scheme,

if more than |LHs| locators impersonated.

Collect hash values

• Attacker can fabricate arbitrary beacons.


•In a Sybil attack, the sensor hears at least twice the

number of locators it would normally hear.

•Define a threshold Lmax as the maximum allowable number

of locators heard, such that:

Sybil Attack detection (1)

,)|(| max LLHP s 1)

2|(| maxL

LHP s

Probability of false

alarm

Probability of Sybil

attack detection

•Design goal: Given security requirement δ, minimize false

alarm probability ε.


Sybil Attack detection (2)

k

i

R

i

Ls

Lei

RkLHP

1

22

!1

• Random locator deployment we can derive the Lmax

value:

26 locators

5%

52 locators

99%

Detectionprobability

False alarmProbability

1


Sybil Attack defense•Once a Sybil attack is detected, i.e.

More than Lmax locators are heard:•Execute ACLA to attach sensor’s position to the closest locator.

•Attacker needs to compromise the pairwise key between a locator and the sensor under attack to compromise ACLA.

What if a locator is compromised?


SeRLoc – Compromised Locators

• Compromise of a locator Li reveals K0,

seed PWi to the hash chain of the

locator.

• Attacker can

• Impersonate the Closest Locator.

• Compromise the ACLA algorithm.

• Displace any sensor that uses ACLA.

• Need an Enhanced version of ACLA


Enhanced location determination algorithm

L2

L3

L4

L5

L6

L1 L7

L8

L9

1. The sensor transmits a nonce with its

ID and set LHs

2. Locators within r

from the sensor relay

the nonce.

3. Locators within R

reply with a beacon

+ the nonce.

4. Sensor accepts

first Lmax replies.

• Attacker has to

compromise more than

Lmax/2 locators, AND

• Replay before

authentic replies arrive

at s.


• Motivation• Secure Localization Problem • SeRLoc• Threats and defenses• Performance Evaluation• Conclusions

Outline


• Simulation setup:

―Random locator distribution with density ρL.

―Random sensor distribution with density 0.5.• Performance evaluation metric:

• : Sensor location estimation.

• si : Sensor actual location.

• r : Sensor-to-sensor communication range.• |S| : Number of sensors.

Performance Evaluation

S

i

iesti

r

ss

SLE

1

1

estis


Localization Error vs. Avg. LH

• M number of antenna

sectors.

•Each locator is

equivalent to M

reference points.

•In our simulation set

up, SeRLoc

outperforms most of

the schemes.

LH: Locators Heard


Localization error vs. sector error

•Sector error:

Fraction of sectors

falsely estimated at

each sensor.

• Even when 50% of the

sectors are falsely

estimated, LE < r for

LH 6

•SeRLoc is resilient

against sector error

due to the majority

vote scheme.


Localization error vs. GPS error

• GPS Error (GPSE):

Error in the locators’

coordinates.

• For GPSE = 1.8r and

LH = 3, LE = 1.1r.

• DV-hop/Amorphous:

LE = 1.1r requires LH

= 5 with no GPSE.

• APIT: LE = 1.1r

requires LH = 15 with

no GPSE.


Summary and Conclusions SeRLoc is a two-tier network architecture:

Locators: Known coordinates, sectored antennas,

fixed transmission range. Sensors: Passively determine their position, by

intersecting the antenna sectors heard.

Resistance to attacks in WSN using: Cryptographic primitives (encryption, hashing). Geometric properties (Range of transmission).

Analytically evaluated level of security via

spatial statistics. Current developments:

Characterize wormhole Problem [UW+NRL; WCNC

2005] Resistance to jamming attacks, analytical

evaluation of error bounds [Lazos & Poovendran;

ROPE 2005]


Workshop on Secure Localization of

Wireless Sensor Networks: June 2005,

University of Washington.

Workshop Announcement

SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks Radha Poovendran Network...

Documents

Transcript of SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks Radha Poovendran Network...