Security of Electrostatic Field Persistent Routing: Taxonomy of Attacks and Defense Mechanisms

Electrical Engineering and Computer Science Department, Northwestern University
Technical Report NWU-EECS-11-05
May 2, 2011

Oliviu C. Ghica (1), Cristina Nita-Rotaru (2), Goce Trajcevski (1), Peter Scheuermann (1)

(1) Department of Electrical Engineering and Computer Science, Northwestern University, Evanston, IL
{ocg474,goce,peters}@eecs.northwestern.edu

(2) Department of Computer Science, Purdue University, West Lafayette, IN
[email protected]

Keywords: Wireless Sensor Networks, Multipath Routing, Security.

Security of Electrostatic Field Persistent Routing: Taxonomy of Attacks and Defense Mechanisms

Oliviu C. Ghica, Cristina Nita-Rotaru, Goce Trajcevski, Peter Scheuermann

Abstract. Electrostatic field-based routing (EFR) is a form of geographical multi-path routing where packets are routed along a collection of electrostatic field lines, defined by electrostatic charges associated with source and sink nodes. EFR provides an efficient and scalable solution to the workload balancing problem. However, it assumes that the nodes behave in a cooperative manner. Since wireless sensor nodes may be deployed in adversarial environments, EFR-based routing protocols can be subject to various attacks.

In this article, we investigate the security aspects of EFR-based routing protocols. More specifically, we focus on an instance of EFR, called Multi-Pole Field Persistent Routing (MP-FPR), for which we identify the categories of attacks that can target different components of the protocol, and propose a set of corresponding lightweight defense mechanisms. We are motivated by the observation that, while certain categories of attacks can be mounted with little resource-effort, they can be highly destructive to system performance and its workload balanced operation. We present extensive experimental evaluations of the impact of the different attacks and the effectiveness of the proposed defense mechanisms for various components of the MP-FPR protocol.

    I. INTRODUCTION

Wireless Sensor Networks (WSN) [11] have emerged as a promising paradigm for many application domains that require combined capabilities of sensing, processing, and communication in different physical environments. Given the resource constraints of the individual nodes (energy, bandwidth, etc.), one of the problems that has generated a large number of research results in recent years is the problem of efficient routing in WSN settings [10].

In a typical WSN application, a user-initiated query is disseminated to the appropriate source nodes where the data of interest is locally collected. The resulting point-to-point data-stream is relayed back to a remote sink node which, in turn, interfaces with the user. Many routing protocols for WSN are designed under the location-aware assumption and rely on the geography-based (greedy) routing principle, according to which packets are forwarded to nodes that are physically closer to a given destination [46]. A specific type of geographic routing is trajectory based forwarding (TBF) [57], in which packets are routed towards the intended destinations along pre-defined virtual trajectories. Such trajectories resemble the behavior of various physical fields [72].

Electrostatic Field-based Routing (EFR) [56] is a multi-path routing protocol that reduces the complexity of determining and managing the collection of underlying trajectories by representing them as electrostatic field lines, rather than relying on geometric models. The field lines originate at source nodes, where the data is produced, and lead towards a designated sink node, where the data is consumed. The main advantage of EFR as a multi-path routing protocol is that it implicitly creates spatially disjoint trajectories, a consequence of the disjointness property of electrostatic field lines. EFR has small computational and communication overheads, which are associated with performing local forwarding decisions. EFR is also a form of gradient-based routing, inspired by several field-based approaches [47], [43] in the context of sensor networks [48] and mesh networks [17]. EFR achieves workload balancing in dense and uniformly distributed networks. In networks where this assumption does not hold, path-merging can occur, reducing the workload balancing capabilities. The Multi-Pole Field Persistent Routing (MP-FPR) protocol [73] extends EFR's applicability to less-dense and often non-uniform network distributions by actively seeking to separate any merged paths, whenever network conditions allow.

MP-FPR is based on the assumption that nodes in the network always operate correctly. Such an assumption is no longer valid when MP-FPR is deployed in an adversarial environment. As many applications for WSNs require deployment in adversarial environments, it is critical to provide mechanisms to ensure that routing protocols operate correctly and securely.

In this article we analyze the resilience of the MP-FPR protocol in adversarial environments and identify the main data- and control-level components that can be exploited by an attacker. We study not only disruptions to the users' data streams, but also disruptions to the system-wide performance and resource-utilization as a result of a network attack. For example, we are interested in the disruption of the load-balancing performance that MP-FPR is designed to provide if certain protocol components are compromised. We quantify the severity and likelihood of different attacks by taking into consideration the relative ease of their staging, and we identify solutions to prevent or mitigate their effects. In summary, our main contributions are:

We identify a set of potential security risk factors in MP-FPR and assess their impact on the entire system. Specifically, we first identify a set of control-level attacks: path deflection, path diversity deflation, family path intersection, wild-path and field-line hopping attacks, all of which are specific to electrostatic-field based routing. These attacks are carried through the control messages in MP-FPR, and can lead to quality of service degradation by disrupting the workload-balancing operation. We next identify a set of data-level attacks: data denial of service (DoS), data pollution, and data stream invalidation attacks, which directly target users' payload-data.

We evaluate analytically and empirically the resilience of MP-FPR to adversarial scenarios and observe the epidemic character of several attacks as a primary focus for the defense mechanisms. Epidemic attacks can yield significant performance degradation with minimal staging efforts. For example, a single attack consisting of inserting eight forged charges in the system via a sink node can nearly double the standard deviation of the residual energy levels, a representative metric for describing the workload balancing performance.

We propose two classes of defense mechanisms, one addressing the integrity and authentication of the MP-FPR messages, and the second one providing resilience against selective forwarding of various protocol messages. Specifically, we analyze and compare the cost-effectiveness of three types of cryptographic solutions: PIKE, DS/ECC and TESLA, and justify our selection for the MP-FPR protocol. Subsequently, we propose two multi-path solutions, k-EF and k-RPEF, in the electrostatic context, to address the selective forwarding problem, and a complementary path diversity monitoring scheme (PDMS) to provide closed-loop control over path diversity. We report the quantitative observations regarding the effectiveness of the proposed approaches based on an extensive set of experimental evaluations.

Outline. The rest of the article is organized as follows. In Section II we overview the main aspects of the EFR and MP-FPR multipath routing protocols. The details of the adversarial model are presented in Section III and an outline of the proposed countermeasures is discussed in Section IV. Section V overviews several cryptographic approaches that can provide integrity verification support to MP-FPR, and a corresponding overhead and feasibility analysis is provided in Section VI. Resilience mechanisms against attacks carried through selective message forwarding are presented in Section VII. The results of our experimental investigation are presented in Section VIII. We overview the related work in Section IX and conclude the article in Section X.

II. MULTI-POLE FIELD PERSISTENT ROUTING

In this section we first describe the network and application models we assume in this work. We then present an overview of the EFR routing protocol and provide a detailed description of the improved MP-FPR protocol in the context of WSNs.

A. Network and Application Model

We assume that a given network consists of a set SN = {sn_1, sn_2, ..., sn_n} of n wireless sensor nodes, each capable of acting both as a relay and a source of sensed data. Users formulate queries specifying properties of the data stream that is to be collected from a particular geographic location, and submit them via sink nodes, which act as gateways between the user and the sensor network. Queries are relayed to specific nodes in charge of their processing, i.e. the source nodes, and the resulting, possibly long-term, data stream is collected and relayed back to the sink. In order to promote workload balancing, multiple paths are established between the source and sink end-points and the transmission of individual packets alternates among the different paths.

[Figure 1 diagram: sink, source, electrostatic field lines, actual mapped route]

Fig. 1. Mapping of routes to electrostatic field lines with EFR routing. Due to finite distributions, the actual route cannot be precisely mapped to a field line and, in reality, it can deviate

    B. Electrostatic Field-based Routing

Electrostatic field-based routing is a form of trajectory-based routing where the spatial trajectories are represented via electrostatic field lines. The field lines originate at source nodes, which are assigned a positive charge, and terminate at designated sink nodes, which are assigned a negative charge. In order for a particular relay node to know how to route a packet towards the sink, all it needs to know is the location and the electrostatic charge information of the source and sink nodes, as well as its own location.

In essence, EFR works as follows. Given the position and the assigned charge of the sink, a source node probes several paths, each of which is constructed on-the-fly along different electrostatic field lines between that source and the sink. The sink will acknowledge certain paths that meet particular criteria, i.e. length and/or measured delay incurred along a path. Each acknowledgement identifies a different path (along a different electrostatic field line), and only acknowledged paths will subsequently be used by the source node to transmit data-packets towards the sink. A given current relay node in the multi-hop sequence from the source towards the sink needs to select a subsequent relay node from among its 1-hop neighbors. The selection criterion amounts to finding a neighbor which has the smallest deviation, if any, from the field line the current relay node belongs to, while providing the maximum advancement of the packets towards the sink. Figure 1 depicts an instance of a route built along a specific electrostatic field line.

One characteristic present in EFR is that permanent path deviations may occur when a given relay node cannot find subsequent relay node(s) that are along or in the immediate vicinity of a particular electrostatic field line. As a consequence, two or more adjacent paths may intersect and/or merge, resulting in overloading a subset of the downstream relay nodes. While this phenomenon cannot be avoided, especially in sparser networks, a particular drawback of EFR is that it cannot recover from this condition once it has occurred, i.e. it does not attempt to redistribute previously-merged paths when the network conditions allow.

    C. Multi-Pole Field Persistent Routing

MP-FPR is an extension of EFR which overcomes this limitation by re-creating spatially disjoint routes via splitting previously merged routes. Unlike EFR, where packets travel only along field lines that the current relay node resides on, in MP-FPR packets will travel along the original field line from which a packet may have been diverted. MP-FPR piggy-backs the identity of a given field line on data-packets. This, in turn, is subsequently used by the relay nodes to determine the original field line, which will be given priority for that particular packet. Figures 2(b) and 2(c) illustrate the path merging and recovery process. Figures 3(a) and 3(b) illustrate the benefits in terms of diversity of routes obtained via MP-FPR in comparison to EFR.

All messages used by MP-FPR are sent using two basic forwarding mechanisms: Electrostatic Field (EF) forwarding, which relies on electrostatic fields, and Shortest Geographical Path (SGP), which is greedy geographical routing.

EF forwarding: MP-FPR uses for routing a discrete subset of field lines out of the infinite number of field lines that can be established between a given (source, sink) pair. We refer to this set S_f as a family of paths. Figure 2(a) illustrates a family of field lines established between a source and a sink node. Each field line in S_f is uniquely identified by the value of the angle j, determined by the tangent to a given/chosen field line at the source and the line segment between the source and the sink (see footnote 1). For example, assuming a uniform selection of the tangential angle from the interval [0, ], a particular field line j can be chosen from a field line set S_f = {k 2N_r | k = 1, ..., N_r}, where N_r represents the desired cardinality of the family of routes S_f.

Every node sn_i in the network can determine the tangent angle j ∈ S_f of the field line that it actually belongs to, based on (1) the location and charge information of the source(s), (2) the location and charge information of the sink, and (3) its own location. Once sn_i receives a packet, the information about the field line that the packet is supposed to be forwarded along, i.e. j, is piggy-backed to the packet as part of the field line persistency mechanism. From a routing perspective, each route built along a particular field line j is uniquely identified by a route index parameter, denoted r_j. For simplicity, we assume r_j = j. Given this information, a particular relay node will select, as its subsequent relay node, one of its 1-hop neighbors which exhibits the smallest field line deviation |j − i|, where i represents the actual field line a downstream relay sn_i resides on, and which is furthest away towards the sink (cf. [73]).

1 Note that the cardinality of S_f, as well as the criteria for selecting a particular j, can be user-specified.

SGP forwarding: MP-FPR partly relies on a greedy geographic routing mechanism similar to BVR [27], where packets are sent via a geographically shortest path towards a known physical destination. In MP-FPR, nodes determine their own position via a lightweight localization service external to the routing protocol (see [34] for a survey), as well as the position of their 1-hop neighbors through a periodic location information exchange.

MP-FPR consists of the following protocol components: query dissemination and charge allocation, route establishment, and data forwarding. Below we provide an overview of each component and summarize the type and content of the messages used by the protocol in Table I.

Query dissemination and charge allocation: This protocol component consists of messages generated by the sink and has several goals. The first is to forward the user query towards the source, which is achieved through a QUERY message sent by the sink with SGP forwarding towards L_src, the location within the area from which data relevant to the query should be collected. A sensor node which is geographically closest to L_src will assume the role of the source for the given QUERY message and initiate its processing. The second goal is to disseminate electrostatic charge information, which consists of a set of (location, magnitude and expiration) information associated with each routing end-point, i.e. source or sink node, in the network. For example, if there are m source nodes relaying data-streams to a common sink, the QUERY message contains a set $C_e = \{e_{snk}\} \cup \{e_i \mid i = 1, \ldots, m\}$ of electrostatic charges. The third goal is to limit the number of alternative paths to be built, in order to correspondingly bound the duration of the route establishment protocol component. We refer to this limit as the path diversity quota; it can be either user-specified or system-predefined. The path diversity quota is controlled via a numerical parameter N_r = |S_f| embedded in the body of the QUERY message.

Whenever a new data source is added to the existing set of source nodes, a new corresponding charge is added to the virtual electrostatic field. The charge information is updated at each of the source nodes via an UPDATE message. For example, if there were m different sources in the network, excluding the one most recently activated by the last QUERY message, then m UPDATE messages are sent via the SGP forwarding mechanism to each of the m existing source nodes. Upon receiving an UPDATE, the route establishing process is re-initiated by the source nodes in order to establish new families of routes that are consistent with the new charge distribution.

By convention, positive charges are associated with source nodes and negative charges with sink nodes. Thus, the direction of the data flow is consistent with the direction of the electrostatic field vectors, i.e. originating at a source and converging towards a sink node. Conforming to [73], the sink node's charge magnitude is equated to the sum of the magnitudes of all charges associated with the source nodes, i.e.

$|e_{snk}| = \left| \sum_{i=1}^{m} e_i \right|$.

[Figure 2 diagrams: (a) Field line selection from field line family; (b) Permanent merging of routes in EFR; (c) Field-persistency in MP-FPR]

Fig. 2. MP-FPR mechanism. (a) Sample family of multiple field lines between a source and a sink node, used for alternate path routing; selection of an arbitrary angle and associated incidental reference field line that is followed by the corresponding indexed route; (b) Path merging in sparser areas: node sn_1 is unable to reach node sn_2 and redirects the route to node sn_3, which is already servicing another route r_2 associated to field line 2; (c) Un-merging previously merged paths in MP-FPR: node sn_4 redirects the route r_1 that went through sn_1 to sn_5 to resume routing along field line 1

[Figure 3 diagrams: (a) EFR; (b) MP-FPR]

Fig. 3. Path merging and boundary effects in EFR vs. MP-FPR in low density networks. MP-FPR consistently achieves richer and more evenly distributed families of routes. As may be observed at the arrowed pointers, path merging effects are not permanent in MP-FPR, as path splitting does occur when possible. Path merging effects are also visible in the circled area, where a coverage hole at the bottom of the network leads to a larger un-utilized relay area in EFR
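The EF forwarding rule described above (a node determines the tangent angle of the field line it lies on and forwards to the 1-hop neighbor with the smallest angle deviation and the largest advancement) together with the charge convention just stated (sink magnitude equal to the sum of the source magnitudes), as an added example that is not the report's own code. Assumptions (mine, not the paper's): a 2-D point-charge field with 1/r falloff, the field line traced numerically back to the source, deviation taking priority over advancement in the relay choice, and all positions and charges constructed.

```python
import math


def sink_charge(source_charges):
    """Sink charge under the MP-FPR convention: negative, with magnitude equal
    to the sum of the magnitudes of all (positive) source charges."""
    return -sum(abs(q) for q in source_charges.values())


def field_at(p, charges):
    """Electrostatic field vector at point p for point charges {(x, y): q}.
    Assumption: a 2-D field whose magnitude falls off as 1/r (vector / r^2)."""
    ex = ey = 0.0
    for (cx, cy), q in charges.items():
        dx, dy = p[0] - cx, p[1] - cy
        r2 = dx * dx + dy * dy
        if r2 == 0.0:
            continue  # a node sitting exactly on a charge contributes nothing
        ex += q * dx / r2
        ey += q * dy / r2
    return ex, ey


def field_line_angle(node, source, sink, charges, step=0.05, max_steps=20000):
    """Tangent angle, at the source, of the field line through `node`, measured
    from the source->sink segment (radians in (-pi, pi]). The line is traced
    numerically against the field direction until it arrives at the source."""
    x, y = node
    base = math.atan2(sink[1] - source[1], sink[0] - source[0])
    for _ in range(max_steps):
        ex, ey = field_at((x, y), charges)
        norm = math.hypot(ex, ey)
        if norm == 0.0:
            break
        nx, ny = x - step * ex / norm, y - step * ey / norm
        if math.hypot(nx - source[0], ny - source[1]) <= step:
            # direction in which the line leaves the source, relative to base
            ang = math.atan2(y - source[1], x - source[0]) - base
            return math.atan2(math.sin(ang), math.cos(ang))  # wrap to (-pi, pi]
        x, y = nx, ny
    raise ValueError("field line through %r does not reach the source" % (node,))


def select_relay(current, neighbors, target_angle, source, sink, charges):
    """EF forwarding decision: among 1-hop neighbors that advance towards the
    sink, choose the one whose own field line deviates least from the packet's
    target angle; ties go to the neighbor with the larger advancement."""
    my_dist = math.dist(current, sink)
    best_key, best = None, None
    for nb in neighbors:
        advancement = my_dist - math.dist(nb, sink)
        if advancement <= 0.0:
            continue  # no progress towards the sink: not a candidate
        deviation = abs(field_line_angle(nb, source, sink, charges) - target_angle)
        key = (deviation, -advancement)
        if best_key is None or key < best_key:
            best_key, best = key, nb
    return best


if __name__ == "__main__":
    # constructed dipole: one source at the origin, sink 10 units away
    src, snk = (0.0, 0.0), (10.0, 0.0)
    charges = {src: 1.0, snk: sink_charge({src: 1.0})}
    theta = field_line_angle((5.0, 2.0), src, snk, charges)
    print("field line through (5,2) leaves the source at", round(theta, 3), "rad")
    print("relay for target angle", round(theta, 3), "->",
          select_relay((4.0, 0.0), [(5.0, 0.0), (5.0, 2.0)], theta, src, snk, charges))
```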

Route establishment: Initiated upon receiving a QUERY or UPDATE message at a source node, the route establishment is a two-phase, request-acknowledgment process. During the requesting phase, the source transmits a set of RREQ messages along distinct electrostatic field lines towards the sink. A RREQ message carries a list of the network's current charges C_e as well as the field line index (equivalently, route index) r_i ∈ S_f identifying the field line a specific RREQ message is to be sent along. To amortize the associated transmission cost of the charges, this information is sent only once along RREQ messages, and cached locally by the relay nodes along a route; subsequent DATA messages will not carry them. The source node will also incorporate its actual location information L_src in the RREQ message so that the sink maintains a more accurate representation of the actual sources. Note that the actual source's location may not coincide with the user-specified location within the QUERY message due to finite coverage of the deployment area. A timestamp t_sent is also included in the RREQ message to assist in determining the quality (e.g. latency) of a specific route. We assume that nodes have loosely synchronized clocks [70].

If, upon receiving a RREQ message, it is determined that the RREQ's route exhibited an admissible latency, the route is acknowledged, during the acknowledgment phase, by sending back a corresponding ACK message to the specific source. The route index r_i corresponding to the route that is being acknowledged is included in the ACK message. Note that ACK messages are sent back via the SGP mechanism towards the actual location of the source L_src, and not via the EF mechanism the corresponding RREQ message was sent with. The reason for which ACK messages use the SGP mechanism comes from a simplicity and energy-efficiency perspective: SGP provides the smallest energy overhead and the fastest packet delivery; ACK messages are infrequently used, thus the energy imbalance caused by ACK messages is negligible and does not justify building multiple paths under the original MP-FPR's assumptions. Every acknowledged route is added to a source-maintained set of acknowledged routes S_f^ack ⊆ S_f, i.e., a pool of routes that are available for data forwarding.

TABLE I. MP-FPR MESSAGES

| Type | Originator | Recipient | Functionality | Protocol Phase | Forwarding Mechanism | Fields of Interest |
|---|---|---|---|---|---|---|
| QUERY | Sink | Sources | Query Specification Wrapper | Query Dissemination and Charge Allocation | SGP | L_src, C_e, N_r |
| UPDATE | Sink | Sources | Charge Information Update | Query Dissemination and Charge Allocation | SGP | L_src, C_e |
| RREQ | Sources | Sink | Route Request (Probe) | Route Establishment | EF | L_src, C_e, r_i, t_sent |
| ACK | Sink | Sources | Route Acknowledgment | Route Establishment | SGP | L_src, r_i |
| DATA | Sources | Sink | User Data-Payload Wrapper | Data Forwarding | EF | r_i, Data |

Data forwarding: The DATA messages pertaining to a data-stream produced by query processing are forwarded back to the sink node. DATA messages, which contain user-specified information as payload, are forwarded in an alternating manner among the individual routes r_i from the set of acknowledged routes S_f^ack, via the EF mechanism.

III. TAXONOMY OF ATTACKS

In this section we identify a representative set of attacks that can be carried against the MP-FPR protocol. In particular, we focus on attacks that exploit vulnerabilities introduced by the use of electrostatic field lines and by the field persistency mechanism. Several attacks require minimal effort from the attacker, but can severely impact the performance, user experience, and energy efficiency/consumption patterns.

MP-FPR is a network-layer protocol; consequently, we consider only attacks carried at this layer. We proceed with presenting MP-FPR's goals and the network-level adversarial model, followed by the details of each identified attack.

A. MP-FPR System Goals

MP-FPR has two main system goals that can be compromised by attacks:

- Increase network lifetime by promoting delivery of the data stream in a workload balanced manner.
- Ensure certain soft QoS guarantees, such as bounded end-to-end data stream delivery latencies, with respect to the user's data stream.

MP-FPR promotes workload balancing by route alternation, as well as by maintaining rich path diversity between the two end-points of a data-stream. Balancing the load correlates to balancing in-network energy consumption, equivalently reducing both the likelihood and severity of hot-spots, with a net result observed in the network's overall operational lifetime. When it comes to performance of the data-stream deliverability, the MP-FPR protocol does not impose a policy for handling parts of the data stream that violate QoS contracts. However, in this work we assume that such data is treated by the user as outdated and subsequently discarded, i.e. considering that the data-stream may feed into a user-level real-time application outside of the network. Consequently, from a user perspective, any compromise to the timely deliverability of the data-stream is considered in this work as a compromise of the data-stream.

    B. Adversarial Model

We assume that the only trusted nodes in the network are the sink and the source nodes. We also assume that honest nodes participate correctly in the routing protocol, whereas malicious nodes may act alone or in collusion with other malicious nodes. We refer to any arbitrary action of authenticated nodes resulting in the disruption of the routing service as Byzantine behavior, and to such an adversary as a Byzantine adversary. Examples of Byzantine behavior include: dropping, delaying, modifying or replaying packets.

We assume the forwarding mechanisms employed by MP-FPR, i.e. EF and SGP, are not secure. However, since there already exists a body of work addressing the security aspects of the SGP mechanism [23], we focus mainly on the EF mechanism, and only touch on the vulnerabilities of SGP when necessary.

Both EF and SGP rely on a localization service. We assume security mechanisms [76], [68] are in place to protect the localization service. Similarly, we assume that the time synchronization mechanism is also secure [28], [16]. Any node in the network can be subject to an attack, such as DoS during hop-by-hop forwarding. We assume that an attacker can alter only the transient information (i.e. contents of the data and message buffers), but it cannot alter the binary representation of any program containing an algorithmic implementation. Nodes are not required to be tamper resistant, and an attacker that compromises a node can extract data and/or code stored on that node.

C. Attack Classification

In the sequel, we detail the suite of attacks that can be mounted against individual components of the MP-FPR protocol. We classify the attacks as data-level and control-level attacks based on their target, the user data or the network operation, respectively. For example, some attacks against query dissemination, charge allocation and data-forwarding qualify as data-level since they primarily focus on preventing the execution of a user's query or the delivery of the associated data-stream to the user. Attacks against route establishment qualify as control-level attacks since their primary focus is disrupting the effectiveness of MP-FPR's energy management and workload balancing. Note that there are certain attacks against query dissemination and charge allocation that


[Figure 4 diagrams (a)-(f): source/sink layouts with the routes (r_10..r_14, r_20..r_24, r_0..r_6) and the RREQ/ACK/DATA message flows referred to in the panel captions below]

(a) Wild path. If electric charge information is altered within a RREQ message at one relay node along a route, the affected route can deviate severely from its prescribed field line and begin intersecting other routes, both within the same family of routes as well as ones pertaining to other families; for example, path r_14 connecting source 1 to the sink deviates from its original route as a result of an attack and intersects with other paths.

(b) Path deflection. Inserting forged charge information in the network, e.g. via compromising UPDATE messages, can lead to geographical shifts of existing families of routes, increasing the overall route length of all routes within; for example, consider adding one fake charge to the charge-set information of source node 1: routes r_10 through r_14 will be detoured around the area where the added charge resides, due to the repulsive effect of the charge.

(c) Family path intersection. Let S_f1 = {r_10, ..., r_14} and S_f2 = {r_20, ..., r_24} be two families of routes, corresponding to two distinct source nodes. If network-wide charge information inconsistencies occur among the two distinct source nodes, such as dropping one UPDATE message, the disjointness property of the routes can no longer be guaranteed, and families of routes will start intersecting with each other, even though paths within the same family of routes continue to be disjoint; for example, if source node 1 is unaware of the electrostatic charge associated with source 2, S_f1 routes will intersect S_f2.

(d) Field line hopping. If path-identification information r_i within RREQ or DATA messages is maliciously altered, some of these paths may begin violating the disjointness property and merge with other paths within the same family; for example, if the identification information r_5 is maliciously changed to r_3, the original path r_5 deviates, intersecting r_4 before it merges with r_3, doubling the load downstream from the merging point on r_3.

(e) Path diversity deflation. ACK messages are forwarded via SGP towards the corresponding source node using its actual location. Altering this information L_src to L*_src through an RREQ message will prevent the ACK message from being routed back to the correct source at L_src. For example, path r_0 will never be used for data-forwarding since it is never acknowledged: its corresponding ACK message never reaches the source located at L_src.

(f) Data DoS. Selective forwarding of DATA messages sent along routes r_2 and r_4 nullifies those routes; the user will receive an incomplete data-stream at the sink node.

Fig. 4. Examples of attacks against the MP-FPR protocol

portant differences from the family path intersection attack: (1) a wild path attack targets a single route, rather than an entire family of routes, and (2) the compromised route intersects not only other routes within the same family, but also routes pertaining to other families. The wild path attack is carried out by altering charge information within a relay node along a particular route. Recall that the charge information transmitted via RREQ messages is cached by the relay nodes for subsequent use. Consequently, the attack can be carried out by altering the RREQ messages before their contents are cached. The entire path downstream of the compromised node will exhibit an abrupt deviation from the designated field line. Figure 4(a) illustrates an instance of a wild path attack.

Field Line Hopping. Consider a route indexed by r_j, which is built along a reference field line j. If the route index information embedded in the RREQ message is altered, the original route will suddenly change its reference field line, i.e. it will hop to a different one within the same family. The immediate consequence is path intersection or merging. This situation differs from a wild path situation because the field lines themselves do not change; rather, the actual route changes field lines. Figure 4(d) shows an example of a field line hopping attack. Field line hopping overloads relay nodes, degrading the balancing of energy consumption and reducing the network's life expectancy.


F. Data Forwarding

DATA messages carry the information load resulting from processing a user-submitted query. Since DATA messages follow probed and acknowledged paths, they are susceptible to essentially the same likelihood and means of attack as RREQ messages.

Data DoS. This attack blocks (parts of) a user data stream. It can be mounted by selectively dropping DATA messages along a particular path, i.e. if one of the relay nodes along the path is compromised. Figure 4(f) illustrates this scenario, in which two compromised nodes along different routes drop all incoming DATA messages, effectively nullifying those paths. In some instances, altering the route index information r_i in the DATA messages, which can redirect the message along non-probed and possibly long paths, or simply delaying these messages, may similarly lead to a data DoS attack. In both cases, it is likely that the message will be discarded at the sink node if it is not received within the admissible delay tolerance.

Field Line Hopping. Analogously to the attacks carried through RREQ messages, DATA messages can be maliciously re-routed along routes other than the originally prescribed ones, resulting in path merging and overloading of some of the downstream relay nodes. The net effect is a disruption of energy consumption balancing and a reduction of the network's lifetime. This attack can be achieved by modifying the route index r_i embedded in the DATA message.

Data Pollution. Lastly, the attacker may directly alter the user payload within the DATA message itself. This attack can be severe, since the user may not be able to distinguish valid data from fake data, and detecting anomalies in the data stream may require advanced data analysis.

IV. DEFENSE OVERVIEW

In this section we present the basic assumptions and expectations with respect to the cost-effectiveness of the proposed defense mechanisms and their feasibility domain in terms of the sensor network platforms considered. Subsequently, we identify the areas in which secure solutions are readily available, as well as the areas in which complementary solutions need to be devised. In this sense, we outline the main authentication and integrity mechanisms considered for analytical comparison, as well as the set of resilience mechanisms proposed against selective forwarding of MP-FPR protocol messages.

A. Assumptions

All the proposed solutions need to have a reasonable cost that will: (1) not outweigh the benefits provided and (2) not limit their applicability with respect to realistic platform limitations.

We assume that the only trusted entities in the sensor network are the source and sink nodes. We refer to the source and sink nodes as the trusted end-points with respect to a given route. The relay nodes, which represent the vast majority of sensor nodes in the network, have a high risk of being compromised and are consequently not trusted.

We design defense mechanisms that do not reduce the scope and applicability of the MP-FPR protocol, i.e. they need to fully comply with MP-FPR's system settings: (1) very large sensor networks, typically consisting of thousands of nodes, and (2) possibly non-uniform network distributions of various densities. The solutions also need to account for the resource limitations of real motes, such as memory and processing capabilities. We evaluate the candidate solutions against several popular mote platforms: Mica2Dot [5], MicaZ [6], TelosB [7], Tmote Sky [8] and Imote2 [4]. A summary of the relevant specifications of these sensors is outlined in Table IV. We note that, with the exception of the small-sized Mica2Dot, which is representative of large-scale deployments, the selection is consistent with the one made in [50], where an actual implementation of a cryptographic solution is tested on various platforms.

The SGP and EF message forwarding mechanisms in MP-FPR require a separate, lightweight and trusted localization service. In this work, we assume that a localization service meeting these criteria is readily available, as existing works have thoroughly addressed this problem [34], [78], [12]. A secure time synchronization service is required to loosely maintain time consistency across the entire network. MP-FPR relies on the temporal dimension to estimate the quality of paths by time-stamping certain protocol messages, for example RREQ messages. For this, we rely on solutions such as [16], [28] to provide security guarantees over the time synchronization service. We assume that the localization and time synchronization services are robust to resource-depletion abuse via link- and physical-layer jamming [33].

B. Overview of the Defense Mechanisms in MP-FPR

As seen in Table II, there are two fundamental causes of the identified attacks: (1) the lack of message authentication and integrity mechanisms, and (2) the lack of a robust delivery mechanism resilient to malicious message dropping. Specifically, attacks that rely on modification of control or data messages can be prevented by enabling detection of such modifications with the help of cryptographic message authentication and integrity mechanisms. Attacks that manifest through selective forwarding or delaying of messages can be mitigated by providing redundancy in the forwarding mechanism, which reduces the likelihood of all copies of a given message being dropped.

In Section V we present three message authentication and integrity mechanisms, namely PIKE, DS/ECC and TESLA, and assess the trade-off between security properties and costs in Section VI. They are primarily considered to address the attacks carried out via message forging as outlined in Table II, by enabling nodes to detect and filter out modified messages. Additionally, they enable detection of adversarial activity, for which isolation mechanisms can be employed. Specifically, path deflection, diversity deflation, family path intersection and wild path attacks carried through forging electrostatic charges


B. End-to-End Path Security Requirements

In MP-FPR, the communication routes between the end-points must be secured in order to enable sensor nodes to discern bogus information from valid data. Additionally, from an energy standpoint, it is more efficient to discard bogus information as soon as possible, ideally before it reaches the destination nodes, in order to prevent wasteful energy spending on relaying such information over long routes. Thus, we explore the feasibility of performing early detection of unauthenticated information on-route. Under this scheme, each relay node performs authenticity and integrity checks and discards those messages for which the verification does not succeed. We refer to this scheme as Hop-by-Hop Authentication (HHA).

C. HMAC via PIKE

HMAC is a hash-based message authentication code which relies on symmetric keys. The security of a communication link relies on the secrecy of the symmetric key. PIKE implements the key pre-distribution and establishment mechanism that enables the use of HMAC. PIKE is compatible with both low- and high-density networks as well as non-uniform distributions, which matches the context under which MP-FPR operates.

The basic idea in PIKE is to devise and pre-distribute a set of √n keys per node to guarantee connectivity initially to a subset of nodes. These nodes form a basis for further key establishment via intermediaries. A key intermediary is a node that shares keys with two other nodes in the network, through which a secure communication path can be established between them. In fact, each node in the network acts as an intermediary for two other nodes. The key shared between any pair of nodes is unique, which maximizes security: the (possibly) large body of intermediaries limits the scope of an attack to the few links managed by the compromised intermediaries.

Secure Path Establishment. In order to establish a secure path to another node, the initiating node generates a new path-key and sends it, encrypted, to one (of possibly two) intermediary nodes with which both end-nodes share independent keys. The intermediary decrypts and re-encrypts the path-key using the key it shares with the other end-node, before sending it through. A nonce message is sent back to the initiating node to confirm the establishment of the path. Duplex secure paths can be achieved by the same procedure in reverse order.
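The exchange described above, simulated as an added example (not code from the report or from PIKE's authors): A relays a fresh path-key to B through an intermediary I that holds one pre-distributed key with each of them, and B confirms with a nonce MACed under the new key. The authenticated-encryption stand-in (SHA-256 keystream plus HMAC tag), node ids, nonce sizes and message layout are constructed assumptions; the point it makes explicit is that the intermediary sees the path-key, which is exactly why PIKE's security rests on the many intermediaries rather than on any one of them.

```python
"""PIKE-style path-key establishment through an intermediary (added example).

Assumes the pre-distribution phase already gave A and the intermediary I one
shared key, and I and B another, so I is "a node that shares keys with two
other nodes".  The authenticated-encryption stand-in (SHA-256 keystream plus
an HMAC tag) is a constructed substitute for a mote cipher; node ids, nonce
sizes and the message layout are illustrative assumptions.
"""
import hashlib
import hmac
import os

KEY_LEN = 16      # bytes of a symmetric key (assumption)
NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key, nonce, n):
    # Counter-mode keystream from SHA-256; a demonstration stand-in only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC under a pre-distributed key: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    """Verify the tag before decrypting; raises ValueError on a bad tag."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Node:
    def __init__(self, nid):
        self.nid = nid
        self.keys = {}        # peer id -> pre-distributed key
        self.path_keys = {}   # peer id -> path-key established at run time


def predistribute(a, b):
    """Off-line step: load one fresh pairwise key into both nodes."""
    k = os.urandom(KEY_LEN)
    a.keys[b.nid] = k
    b.keys[a.nid] = k


def establish_path_key(a, inter, b):
    """A -> I -> B carries a fresh path-key; B -> A confirms it with a MACed nonce.
    Returns the key as seen by the intermediary and the I -> B message, to make
    the trust exposure explicit."""
    pk = os.urandom(KEY_LEN)
    # A -> I: {path-key, destination B} under k_AI
    msg1 = seal(a.keys[inter.nid], pk + b.nid.to_bytes(2, "big"))
    # I: decrypt with k_AI, re-encrypt {path-key, originator A} under k_IB
    inner = open_(inter.keys[a.nid], msg1)
    pk_seen_by_i, dst = inner[:KEY_LEN], int.from_bytes(inner[KEY_LEN:], "big")
    if dst != b.nid:
        raise ValueError("intermediary shares no key with the requested destination")
    msg2 = seal(inter.keys[b.nid], pk_seen_by_i + a.nid.to_bytes(2, "big"))
    # B: decrypt with k_IB, install the path-key for A
    inner2 = open_(b.keys[inter.nid], msg2)
    b.path_keys[a.nid] = inner2[:KEY_LEN]
    # B -> A: nonce confirmation MACed under the new path-key (no intermediary on this leg)
    nonce = os.urandom(8)
    conf = nonce + hmac.new(b.path_keys[a.nid], nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(hmac.new(pk, conf[:8], hashlib.sha256).digest(), conf[8:]):
        raise ValueError("path-key confirmation failed")
    a.path_keys[b.nid] = pk
    return pk_seen_by_i, msg2


if __name__ == "__main__":
    a, i, b = Node(1), Node(2), Node(3)
    predistribute(a, i)
    predistribute(i, b)
    seen, _ = establish_path_key(a, i, b)
    print("A and B agree:", a.path_keys[3] == b.path_keys[1], "| I saw the key:", seen == a.path_keys[3])
```

A compromised intermediary learns every path-key it relays, so the per-relay keys used for HHA later in this section should each be established through different intermediaries where the topology allows it; a node that holds no pre-distributed key with A cannot read either message, which the test below checks with a random key.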

To provide HHA, symmetric path-keys need to be established between an initiating node and each of the relay nodes along a particular route towards the other end of the route. The keys should be distinct, since the security level provided by sharing a single common path-key along the entire route is very weak: capturing one node along a path would compromise the security of the entire path. For sink-to-source secure path establishment, an additional SCOUT message is sent before MP-FPR's QUERY message. The purpose of the SCOUT message is to trigger individual symmetric key establishment between the on-route relay nodes and the initiating sink node. A SCOUT-BACK message is returned to the sink confirming the completion of the path establishment. The process is similar for the source-to-sink multi-path: it is triggered via S-RREQ messages, which precede MP-FPR's standard RREQ messages, thus providing authentication of the sensitive charge information within RREQ. To allow undistorted path-length estimation, the RREQ packet size can be increased artificially to exceed the size of the DATA packets. The corresponding ACK messages follow the secure path established via SCOUT.

Bootstrapping. While for each pair of nodes there exists at least one intermediary node to leverage for path-key establishment, its location is not known a priori. To enable quick discovery of such intermediaries without controlled flooding, PIKE relies on a distributed data structure for storing the identity and location of peer intermediaries. Specifically, PIKE employs an address lookup service such as GHT [63] to implement a distributed geographical hash table, in which the (id, location) information of the peer intermediaries is stored. GHT is supported by a subset of nodes that provide storage and lookup; the nodes that support the GHT structure are called replication points. GHT establishment takes place only once, during the bootstrapping phase, when information about the geo-location of the intermediaries is disseminated to the replication nodes. According to PIKE, each node sends its identity and localization information to its nearest replication node, from where it is forwarded to the correct replication node, which in turn is determined by hashing the identity information of the intermediary.
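With the distinct per-relay path-keys in place, HHA on a DATA message works as in this added example (not code from the report): the source attaches one HMAC per downstream node over the fields relays act on (route index r_i, sequence number, payload), and each hop recomputes only its own tag. The message layout, node ids and the attacker behaviour (a compromised relay rewriting r_5 to r_3, i.e. field line hopping, and a payload edit, i.e. data pollution) are constructed assumptions.

```python
"""Hop-by-hop authentication (HHA) of MP-FPR DATA messages with per-relay keys.

Added example, not code from the report.  Assumes path-key establishment has
already given the source one distinct symmetric key with every relay on the
route and with the sink.  DataMsg fields, node ids and the tampering model are
illustrative assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class DataMsg:
    route_idx: int                         # r_i, the reference field line of this route
    seq: int                               # per-route sequence number, covered by the MAC
    payload: bytes
    macs: dict = field(default_factory=dict)   # node id -> HMAC tag for that node


def _mac_input(msg):
    # Everything a relay uses for forwarding decisions is bound by the tag.
    return b"%d|%d|" % (msg.route_idx, msg.seq) + msg.payload


def sign_hop_by_hop(msg, path_keys):
    """Source side: one HMAC per downstream node, i.e. RL tags per packet."""
    data = _mac_input(msg)
    for node_id, key in path_keys.items():
        msg.macs[node_id] = hmac.new(key, data, hashlib.sha256).digest()
    return msg


def verify_at_node(msg, node_id, key):
    """Relay/sink side: recompute own tag in constant time; reject on mismatch."""
    expected = hmac.new(key, _mac_input(msg), hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg.macs.get(node_id, b""))


def forward_along_route(msg, route, keys, tamper_at=None, new_idx=None):
    """Walk msg through `route` (relay ids, sink last).  Returns (delivered, dropped_at).
    A relay named in tamper_at passes its own check and then rewrites route_idx
    (compromised relay hopping the route to another field line); the next honest
    hop sees a tag mismatch and drops the message."""
    for node_id in route:
        if not verify_at_node(msg, node_id, keys[node_id]):
            return False, node_id
        if node_id == tamper_at:
            msg.route_idx = new_idx
    return True, None


def run_scenarios():
    route = [10, 11, 12, 13, 99]                     # relays 10..13, sink 99 (constructed ids)
    keys = {nid: os.urandom(16) for nid in route}    # one distinct key per downstream node
    out = {}
    m = sign_hop_by_hop(DataMsg(5, 1, b"temp=21.5"), keys)
    out["honest"] = forward_along_route(m, route, keys)
    m = sign_hop_by_hop(DataMsg(5, 2, b"temp=21.6"), keys)
    out["hop_r5_to_r3_at_11"] = forward_along_route(m, route, keys, tamper_at=11, new_idx=3)
    m = sign_hop_by_hop(DataMsg(5, 3, b"temp=21.7"), keys)
    m.payload = b"temp=99.9"                          # data pollution injected before the first hop
    out["polluted"] = forward_along_route(m, route, keys)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, "->", result)
```

Two things the run makes visible: the tampered packet dies one hop after the compromised relay, so no energy is spent relaying it further, and each packet carries RL tags, which is the per-packet communication cost that Section VI-C finds prohibitive for PIKE on 802.15.4 frames. A relay that simply drops the packet (data DoS) passes every check here; that attack is addressed by redundant forwarding, not by authentication.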

D. Digital Signatures/ECC

The main difference between the asymmetric and symmetric key approaches is that keys are generated at run-time, rather than being pre-loaded off-line. Public keys can be generated by each individual node post-deployment, during the operational phase, in order to enable digital-signature-based authentication of the protocol messages exchanged in the network. In the following we iterate through the MP-FPR modifications based on public key authentication.

Secure Path Establishment. When two end-nodes intend to establish a secure path, the originating node needs to acquire the public key of the terminus node in order to digitally sign all subsequent outgoing messages. Conceptually, this is a two-step process: (1) the originating node announces its intention to establish a secure channel to the terminus node; (2) the terminus replies to the originating node with the public key to be used. HHA can be easily supported by public key cryptography, requiring the same modifications to the MP-FPR protocol as for HMAC/PIKE. However, instead of triggering path-key establishment between end-points and intermediary relay nodes, the SCOUT and S-RREQ messages will contain the public key of the node where the route originates. The public key is stored at the destination and cached by every relay node in between.

Bootstrapping. There is no intrinsic bootstrapping overhead when using an ECC-based public key cryptography scheme, with the exception of the initialization and generation times of


individual public keys for each node. DS/TinyECC does not rely on any other services to operate.

E. TESLA

Lastly, we present the implementation details of the TESLA mechanism for the MP-FPR protocol.

Secure Path Establishment. Without loss of generality, we explain this mechanism from the DATA forwarding perspective. The path establishment process is identical to the one described for PIKE with HHA, with one difference: the path's originating node, i.e. the source node, includes an initial key commitment in the S-RREQ messages. This step is critical in order to authenticate the entire stream of packets that will be carried, along with the subsequent keys and commitments within.

Bootstrapping. TESLA relies on the TinyECC public key mechanism for sending the initial commitments, thus the bootstrapping overhead, just as in the DS/TinyECC variant, is given by the one-time generation of the public keys during the TinyECC initialization step, along with the corresponding memory requirement of the TinyECC implementation. TESLA does require that sensors are loosely time-synchronized.
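The stream authentication this subsection relies on, as an added example (not code from the report): the source builds a one-way key chain whose last element K_0 is the commitment carried in S-RREQ, MACs packet i under K_i and discloses K_{i-d} d packets later; relays and the sink hold undecided packets in the d·R buffer that Section VI-B sizes, authenticate each disclosed key against the commitment by hashing it forward, and only then verify the buffered tags. The signature on the commitment (TinyECC in the report) is assumed already verified, and the chain length, rate R, lag d and the "late packet" test by packet index instead of a synchronized clock are constructed simplifications.

```python
"""TESLA-style authentication of a DATA stream on one MP-FPR route (added example).

Assumes the initial commitment K_0 reached the relays/sink inside the S-RREQ
message and that its TinyECC signature was already verified (outside this
example).  Chain length, packet rate R, disclosure lag d and the late-packet
test by packet index rather than a loosely synchronized clock are constructed
simplifications.
"""
import hashlib
import hmac
from collections import deque


def make_key_chain(seed, length):
    """One-way chain: K_length = seed, K_i = H(K_{i+1}); K_0 is the commitment."""
    chain = [None] * (length + 1)
    chain[length] = seed
    for i in range(length - 1, -1, -1):
        chain[i] = hashlib.sha256(chain[i + 1]).digest()
    return chain


def tag_for(chain_key, i, payload):
    # The MAC key is derived from the chain key, so the disclosed value is never the MAC key itself.
    mac_key = hmac.new(chain_key, b"mac", hashlib.sha256).digest()
    return hmac.new(mac_key, b"%d|" % i + payload, hashlib.sha256).digest()


class Source:
    def __init__(self, chain, d):
        self.chain, self.d = chain, d

    def send(self, i, payload):
        """Packet i carries MAC under K_i and discloses K_{i-d} (nothing for the first d packets)."""
        disclosed = self.chain[i - self.d] if i - self.d >= 1 else None
        return {"i": i, "payload": payload, "tag": tag_for(self.chain[i], i, payload), "disclosed": disclosed}


class Receiver:
    def __init__(self, commitment, d, rate):
        self.keys = {0: commitment}   # authenticated chain keys K_0 .. K_j
        self.j = 0                    # highest authenticated index
        self.d = d
        self.cap = d * rate           # the d*R buffer of undecided packets
        self.buf = deque()
        self.accepted, self.rejected = [], []

    def _learn_key(self, k, m):
        """Accept K_m only if hashing it forward m-j times lands on the known K_j."""
        if m <= self.j:
            return
        derived, v = {m: k}, k
        for idx in range(m - 1, self.j - 1, -1):
            v = hashlib.sha256(v).digest()
            derived[idx] = v
        if derived[self.j] != self.keys[self.j]:
            return                    # forged disclosure: ignore it
        del derived[self.j]
        self.keys.update(derived)
        self.j = m

    def receive(self, pkt):
        i = pkt["i"]
        if i <= self.j:
            # Safe-packet test: K_i is already public, so anyone could have produced this tag.
            self.rejected.append((i, "late"))
            return
        if len(self.buf) >= self.cap:
            self.rejected.append((self.buf.popleft()["i"], "buffer full"))
        self.buf.append(pkt)
        if pkt["disclosed"] is not None:
            self._learn_key(pkt["disclosed"], i - self.d)
        # Every buffered packet whose key has just become authenticated is verified now.
        while self.buf and self.buf[0]["i"] <= self.j:
            p = self.buf.popleft()
            if hmac.compare_digest(tag_for(self.keys[p["i"]], p["i"], p["payload"]), p["tag"]):
                self.accepted.append(p["i"])
            else:
                self.rejected.append((p["i"], "bad mac"))


def run_demo():
    d, rate, n_pkts = 2, 3, 10
    chain = make_key_chain(b"constructed-seed", 20)
    src = Source(chain, d)
    rcv = Receiver(chain[0], d, rate)        # K_0 arrived signed in S-RREQ
    for i in range(1, n_pkts + 1):
        pkt = src.send(i, b"reading-%d" % i)
        if i == 4:
            pkt["payload"] = b"reading-4-POLLUTED"     # compromised relay edits the payload in flight
        rcv.receive(pkt)
        if i == 6:
            # K_3 became public in packet 5, so an attacker can now forge a "packet 3"
            rcv.receive({"i": 3, "payload": b"forged", "tag": bytes(32), "disclosed": None})
    return rcv.accepted, rcv.rejected, [p["i"] for p in rcv.buf]


if __name__ == "__main__":
    print(run_demo())
```

The polluted packet is only rejected two packets later, when K_4 is disclosed: that delay is the latency cost of TESLA and the reason the buffer must hold d·R entries. The forged packet is refused without any cryptography because its key is already public; in the real protocol that decision is made from the loosely synchronized clock the report requires, not from packet indices.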

VI. ANALYTICAL COMPARISON

In this section we analyze the overhead of PIKE/HMAC, digital signatures/ECC and TESLA by examining four system metrics (memory, processing, communication and energy) and one user-specific metric (latency). For each metric, we distinguish between two phases of a typical sensor network deployment: the bootstrapping phase, which concerns the immediate post-deployment setup, including node discovery and initial secure topology establishment, and the operational phase, the remaining period of effective usage. We identify implementation peculiarities and devise analytical expressions of the overhead for each of the candidate solutions. We summarize the analysis in each dimension by providing real-world performance results and comparatively discuss the benefits and drawbacks of each of the candidate solutions.

A. Evaluation Metrics

We quantify the cost of the identified candidate solutions using the following metrics:

Memory Overhead analyzes the amount of RAM/ROM memory, in kilobytes (KB), that is additionally required per mote for storing program code and run-time data structures to provide authentication and integrity to MP-FPR's message system.

Communication Overhead quantifies the amount of supplemental information, in kilobytes, that is transmitted through the wireless medium on behalf of a specific cryptographic solution for a particular task (i.e. route establishment, data forwarding, etc.).

Processing Overhead: each cryptographic solution increases a node's processor load and consequently its processing times; because these processing times are often non-negligible, in the order of seconds, they are accounted for as well.

Latency Overhead summarizes the overall equivalent latency introduced, expressed in seconds, due to communication and processing overheads.

Energy Overhead: each task a sensor node performs consumes energy, which we express in milli-Joules (mJ). Accordingly, we outline the associated energy overhead of each cryptographic solution as a result of communication and processing tasks.

It is expected that public key cryptography solutions, i.e. digital signatures via ECC, yield lower memory and communication overhead at the expense of processing times, as opposed to symmetric key cryptography, where lower processing times can be achieved at the cost of higher memory and communication overhead. Energy-wise, communication costs are generally one order of magnitude greater than processing costs, as Table IV clearly demonstrates to be the case across the platforms, which is why symmetric key cryptography is also expected to place more demand on the energy resources than the public key alternative. The hybrid approach (TESLA) is primarily designed to combine the benefits of both public and symmetric key cryptography without correspondingly combining their drawbacks. In the subsequent sections, we present the in-depth performance and overhead analysis to understand practically the extent of these trade-offs for each solution.

B. Memory Overhead

PIKE/HMAC uses √n + 1 pre-distributed keys. Each relaying node needs to store one additional secret key known only to itself and the sensor node where the route begins (the initiator). Given that MP-FPR aims at achieving disjoint paths, under ideal conditions a relay node is expected to carry messages from only one initiator. Thus, the total expected storage overhead of a relay node is √n + 2 keys.

Considering the HHA requirements, the source needs to store the key shared with the sink to secure the sink-to-source communication, while each source node needs to store N_r·RL keys to secure each of the N_r paths, where RL is the average hop-count of a path. Assuming no restrictions on the location of the source and sink nodes in MP-FPR, PIKE guarantees that the expected shortest-hop distance between any two nodes is proportional to √n, with a constant that depends on the range of the nodes and the shape of the deployment area. Considering the hop-count ratio between the longest admissible alternate path and the shortest path, which models the query-specified maximal path-length restriction in MP-FPR, the average path length RL is the mean of the shortest and longest admissible hop-counts, i.e. (ratio + 1)/2 times the expected shortest-hop distance, and hence also proportional to √n. However, because keys are pre-distributed, some of the nodes will already share keys with the source node, and no additional keys need to be shared with them. The probability that a relay node already shares a key with the source node is

$\frac{\sqrt{n}}{n} \cdot \frac{N_r\,RL}{n} = \frac{N_r\,RL}{n^{3/2}}$ (cf. [18]),

where √n/n is the probability that two arbitrary nodes share a key and N_r·RL/n is the probability that the respective node serves one of the N_r multipaths. Consequently, the effective additional memory overhead is $N_r\,RL\,\left(1 - \frac{N_r\,RL}{n^{3/2}}\right)$ keys.


PIKE has additional storage overhead due to the bootstrapping procedure, which requires storing the localization information of intermediary nodes at GHT's replication points. Throughout our analysis, in order to maintain the targeted scalability of O(n) from the perspective of GHT's overhead, and without loss of generality, we have considered the total number of replication points in the network to be m = √n, where n is the total number of sensors in the network. Each GHT replication node then stores an equal share of the network-wide id-location mapping, i.e. n/m = √n entries; if a fixed number of bits is required for the identification and location information of one node, the memory overhead of a replication node is that many bits times √n.

In consequence, assuming K is the bit-size of a symmetric key, the upper bound of the per-node memory overhead in the PIKE/HMAC scheme is dictated by the source nodes and has the following expression:

$M^{key}_{PIKE} \le K(\sqrt{n} + 1) + K\,N_r\,RL\left(1 - \frac{N_r\,RL}{n^{3/2}}\right) + (\text{id/location bits})\cdot\sqrt{n}$

Digital Signatures/ECC. The ECC-induced per-node memory overhead with the MP-FPR protocol is constant (i.e. O(1)) and independent of the number of links that need to be secured. The source's K-bit public key needs to be cached at each relay node. The sink node incurs, in this case, the largest overhead: given Q_max, the maximum number of concurrent queries the network can support, and correspondingly the number of source nodes that can exist at any time in the network, the sink needs to store the Q_max public keys of all the source nodes. Therefore, from the sink's perspective, the total per-node memory overhead under the ECC scheme is:

$M^{key}_{ECC} \approx K\,Q_{max}$

TESLA. TESLA does not incur any bootstrapping overhead beyond the one-time TinyECC key generation noted in Section V-E. In the operational phase, the security of a path is triggered by sending an initial signed commitment, using public key cryptography, along the prospective path. Without loss of generality, we focus on the DATA forwarding mechanism. The security of the path is maintained during data forwarding by piggy-backing commitments, authenticated with symmetric keys, on DATA messages, to enable authentication of future messages. To support fast data rates, TESLA requires a buffer of d·R entries to be allocated, where R represents the packet transmission rate and d represents the disclosure lag. Each buffer entry consists of (1) the signed commitment for a future message, (2) the symmetric key used for authentication of the previous message, (3) the keyed MAC code of the current message and (4) the current message itself. Assuming that the signed commitment, the symmetric key and the keyed MAC code are equally sized at K bits and the payload size of the data messages is p, the memory overhead can be specified as:

$M^{key}_{TESLA} \approx d\,R\,(3K + p)$

Practical Comparative Analysis. Table VII presents the RAM/ROM memory overhead, based on real implementations of ECC in TinyECC and of HMAC in TinyHash, for various network sizes and densities. We remark that various optimization levels can be configured in TinyECC to trade off processing vs. memory overhead, and we have considered the cases in which all optimizations are either enabled or disabled. Table VIII cumulates the memory overhead, based on the specific memory resources of various sensor motes, and highlights the platforms which cannot accommodate the specific memory demand.

Based on these results, PIKE's memory demand is significantly higher, exceeding both ECC and TESLA by up to two orders of magnitude. Moreover, the memory demand of PIKE makes this solution impractical for the TelosB and Tmote Sky platforms, even when considering smaller networks. Alternatively, both ECC and TESLA have reasonable memory requirements of below 2 KB RAM and 3 KB ROM, which makes them applicable across all platforms, considering the specifications in Table IV. These results demonstrate the excellent memory-wise scalability of ECC and TESLA. We finally remark that ECC is the most memory-efficient, with an approximately 50% lower memory footprint than TESLA.

C. Communication Overhead

PIKE/HMAC. It is intractable to compute precisely the communication overhead during the bootstrapping phase for each node that acts as a relay for GHT's localization information, as it may depend on the relative proximity of the replication nodes, i.e. closer nodes will relay more information to the replication nodes than distant ones. Instead, we evaluate an upper bound as dictated by the replication points themselves: all GHT establishment traffic flows through them. Namely, a total of n/m + (n − n/m) = n messages will be carried through (received and transmitted) in the worst case, where n/m accounts for the receipt and dissemination of information from the local n/m nodes, i.e. nodes that are closer to a particular replication point than to any other, and n − n/m denotes the amount of location information concerning the remaining nodes, which is re-routed to the proper replication point. Recall that n represents the number of nodes in the network, whereas m = √n is the total number of replication points in the network. A hash function serves as an index to determine which replication point contains identity/location information about a particular intermediary. The message overhead is given by the bit size of the identity/location information along with any packet-header overhead. The GHT overhead is:

$C^{GHT}_{PIKE} \approx (\text{id/location bits} + \text{header bits}) \cdot n$

Path-key establishment consists of a lookup of the intermediary's location followed by a key exchange between the two peer nodes for which the key is established and their common intermediary. According to PIKE, the communication overhead for a path-key establishment is on the order of (4/3)√n messages, up to a constant that PIKE defines as dependent on the range of the nodes and the shape of the deployment area. To provide HHA


with ECC or TESLA is small, namely 20 and 60 additional bytes per data message respectively, when compared to PIKE. From a feasibility standpoint, the range of 480 through 1,500 bytes of overhead incurred by using PIKE is prohibitive and impractical, even if packet fragmentation is considered, since the 802.15.4 MAC's packet size is limited to 120 bytes. Since MP-FPR is designed for large-scale sensor networks, long paths are typically the norm; therefore, symmetric key cryptography via PIKE will not scale.

When comparing ECC and TESLA, the latter has a larger message overhead, which is due to the additional inclusion of the commitment for the future message and the actual key for the previous message. As we will shortly see in the following sections, the benefit of the additional 40 bytes per packet far outweighs its cost; however, from a purely communication perspective, ECC seems to be the best solution. Scalability-wise, both ECC and TESLA scale sub-linearly: increasing the network size by a factor of 10 increases the associated path-establishment communication overhead by a factor of roughly 3, consistent with route lengths growing as √n.

    D. Processing Overhead

    We leveraged results of existing works, such as TinyECCand TinyHash implementations, to obtain estimated processingcosts associated with all the cryptographic techniquesanalyzed. Specically, the analysis concerns the processingtimes associated to the generation and verication of thedigital signatures or HMAC/codes. This analysis does notinclude the processing times required to perform lower-network stack operations such as routing and medium accesscontrol. We also assume the bootstrapping processing timesnegligible when compared to the security-related overhead.The processing timings that we report for DATA-messageforwarding are per-route basis, which is necessary todetermine correctly the additional delivery-latency incurredalong each route. We denote with P g the key and digitalsignatures/HMAC code generation time, assumed comparable,and with P v the validation time of incoming signatures/codes.

    PIKE/HMAC The end-points of a route, i.e. either thesink of the source nodes, are the only nodes in charge withgenerating keys and HMAC codes in MP-FPR. Accordingly,in order to provide HHA, N r RL distinct keys need to begenerated to be individually shared with relay nodes acrossthe entire family of routes. The multi-path establishmentprocessing overhead is expressed as:

    P multipathPIKE N r RL P g

    For data forwarding, the processing overhead required tosuccessfully transmit a data-packet across an entire path takesinto the consideration the generation and validation of theHMAC codes, hence:

    P dataPIKE (P g + P v )RL

    where all on-route validation times are factored in, includingthe destination validation. The source node will need togenerate RL distinct HMAC codes for each packet sent.

    Digital Signatures/ECC ECC distinguishes from PIKEin the sense that generation of a single digital signature issufcient to provide HHA-based data forwarding along N rroutes, hence the processing overhead incurred by TinyECCis reduced to:

    P multipathECC P g N r

    and, for each of the routes carrying DATA messages,

    P dataECC P g + RL P v

    which accounts for verication overhead at each of the RLnodes along a path and the key generation at the source.

    TESLA In TESLA, the processing overhead associatedwith initial path establishment and path maintenance coulddiffer substantially. This is because each of the two phases relyon different cryptographic systems. As we have mentioned,initial path establishment relies on public key cryptography,hence the performance is similar with ECC, accounting for theinclusion of the signed commitment, while path maintenancerelies on HMACs. According to the experimental resultspresented in [60], the computational overhead associated withgeneration and verication of the commitments is insignicantwhen compared with the cost of generating an HMAC, adigital signature or performing authentication. Therefore, theprocessing overhead for securing a family of paths can beapproximated as:

$P^{TESLA}_{multipath} \approx N_r \cdot P_{g(ECC)}$

where the subscript indicates that the generation times are dictated by ECC execution. When it comes to data forwarding along a path, the processing overhead is dominated by the HMAC generation time at the source and one verification of the code at the sink and at each of the $RL - 1$ relay nodes. Therefore, the data-forwarding processing overhead along an entire path is:

$P^{TESLA}_{data} = P_{g(HMAC)} + RL \cdot P_{v(HMAC)}$

Practical Comparative Analysis. We report the processing times for the TelosB platform, which is commonly analyzed in both TinyECC and TinyHASH.^3 Based on the results in [44], for example, the execution time for the HMAC+SHA1 algorithms on TelosB motes is approximately $P_g \approx P_v = 105$ ms for both HMAC generation and verification. Table X completes the processing timings for TelosB motes and serves as a comparative reference for the expected overhead differential. These results reaffirm, however, the main drawback of using

^3 We have used the results corresponding to Tmote Sky from TinyECC as representative for TelosB, since both platforms share the same MSP430 processor clocked at the same 8 MHz frequency.


    munity, and generically these approaches employ one of thefollowing distinct mechanisms: proactive and reactive.

Proactive mechanisms are employed to provide transparency to the user: during the interval of time between the occurrence of an adversarial behavior and its detection/isolation, the user is normally exposed to the effects of DoS attacks. Such mechanisms aim at improving network resilience to attacks carried through message dropping, typically by relaying replicas of the message streams along multiple paths. For example, k-redundant depender graphs [74] rely on graph topology to provide every node in a graph with k disjoint paths towards the root of the graph. This guarantees delivery even when $k - 1$ paths in between have failed, either due to poor link quality or malicious activity. The k-RIP [77] represents an improvement by providing probabilistic redundant forwarding to k randomly picked neighboring nodes; the advantage of probabilistic forwarding consists of decreasing the vulnerability to route-discovery attacks, such as Sybil attacks. Other methods rely on a deterministic finite path-diversity model to increase robustness by a priori discovering a family of multi-path routes [66], [36], [41], [15], then using these routes to provide redundancy in the data transmission between two end-points [58]. The MP-FPR approach natively adheres to a deterministic path-diversity model, since its core soft-guarantees on packet-delivery performance cannot be maintained under an on-demand path model.

Reactive mechanisms typically employ detection and isolation techniques for misbehaving nodes. One approach consists of abstracting the adversarial activity as a link-quality deterioration factor and addressing the problem from a robustness perspective. For example, in ODSSBR [14], B. Awerbuch et al. propose avoiding the under-performing links by using a modified version of a secure route discovery protocol that incorporates a link-quality metric. Similarly, [71] uses a weight-management scheme to quantify link quality, but relies on a source-based routing algorithm to generate paths. The net effect of these schemes is avoidance of the compromised areas, allowing for a graceful degradation of service. In contrast, other schemes adopt a radical detection and isolation model: nodes exhibiting unexpected behavior are removed immediately and permanently from the network's topology. Typical approaches consist of: (1) performing end-to-end monitoring and statistical analysis of traffic patterns (the pathrater technique [52]), and (2) exploiting topological properties in sensor networks, i.e. multiple nodes are within the same collision domain, which enables overhearing of nodes' communication in a wireless channel for the purpose of detecting unexpected communication patterns [54], [62], [13], [39].

    B. Our Approach

MP-FPR uses five types of messages sent via two forwarding mechanisms, the EF mechanism and the SGP mechanism. Consequences of attacks carried through selective forwarding of the MP-FPR protocol messages are presented in Table II. The most intuitive way to protect against these attacks is to provide a proactive approach for all these messages. However, RREQ messages cannot benefit from such redundancy mechanisms: since RREQ messages are bound to the route they probe and implicitly construct, copies of RREQ messages cannot be sent on different routes.

The proactive defense mechanism that we propose uses replication of outgoing messages in order to improve resilience to adversarial activities. The solution aims at providing redundancy in the forwarding mechanism. Instead of one message, k copies of a certain message may be sent along k distinct routes, significantly reducing the probability that an attacker will successfully manage to drop all k such copies. We refer to the parameter k as the degree of replication. This approach is appealing because the required underlying support, i.e. multi-path routing, is readily available in MP-FPR and thus requires minimal changes.

Both source-to-sink and sink-to-source traffic must be augmented with resilient forwarding mechanisms. The source-to-sink traffic consists of DATA messages, for which resilient forwarding can be easily provided: these messages can be sent along subsets of already constructed routes. We refer to this mechanism as k-EF. Note that these subsets of routes are still used in alternation for workload balancing purposes.

Sink-to-source, reverse traffic comprises QUERY, UPDATE and ACK messages. The challenge here is that these messages rely on the SGP forwarding mechanism and no routes are readily available as in the EF mechanism. There are two possible solutions that can be considered to provide k-resilience to reverse-path selective forwarding in MP-FPR: (1) replacement of the standard SGP mechanism with a k-shortest path routing [29] (which we refer to as k-SGP), and (2) adapting the MP-FPR protocol to rely directly on the field-based forwarding provided by EF to forward copies along multiple on-the-fly built routes, which we will refer to as k-RPEF (Reverse Path Electrostatic Forwarding). In this work we adopt the second approach, i.e. k-RPEF, for the following three reasons: (1) it is relatively easy to implement since it relies on the same forwarding mechanism as EF, (2) it simplifies the network-protocol stack by removing the SGP component altogether, and (3) its redundant paths inherit the non-braiding property of field-based routing, which cannot be guaranteed with k-SGP.

In the case of RREQ messages, we propose a reactive mechanism, namely the Path Diversity Monitoring Scheme (PDMS). This monitoring scheme reactively attempts to compensate for any deficiencies in path diversity by persisting in building more routes until the user-defined path diversity quota is met.

    C. k-EF Defense Mechanism

The k-EF mechanism provides replication of DATA messages using the set of active routes resulting from the route establishment phase. The degree of replication is given by the value of $k < N_r$, where $N_r$ represents the maximum number of routes that can be established. We adopt a random selection scheme to select k paths from the total of $N_r$ possible ones. We remind that the $N_r$ routes are uniquely identified via a route index $r_i \in \{1 \cdot \frac{2\pi}{N_r}, 2 \cdot \frac{2\pi}{N_r}, \dots, N_r \cdot \frac{2\pi}{N_r}\}$, i.e. equally distributed across the $(0, 2\pi]$ domain; hence, in a k-redundant scheme, the indexes of the k routes should be randomly picked from this $N_r$ set without replacement.

    D. k-RPEF Defense Mechanism

k-RPEF provides redundant forwarding of QUERY, UPDATE and ACK messages towards the source nodes. Forwarding will continue to be based on electrostatic field lines, but traversed in the opposite direction of the field vectors, towards the source. In order to enable reverse electrostatic field line traversal, a simple modification is due: reverse the algebraic sign of the charge magnitudes corresponding to the sink and the specific source charges, for reverse path forwarding only. For example, if a sink and a source have charges of $Q_{src} = -1 \cdot 10^{19}$ coulombs and $Q_{snk} = +1 \cdot 10^{19}$ coulombs respectively, k-RPEF's field lines will be built on the set of charges $Q_{src} = +1 \cdot 10^{19}$ coulombs and $Q_{snk} = -1 \cdot 10^{19}$ coulombs instead. We note here that only the charge of the source towards which we intend to forward the message gets its magnitude reversed, whereas other source nodes remain unchanged; this is required in order to prevent messages from reaching other source nodes by hopping on their field lines. Also, the sign reversal of the algebraic magnitudes is performed in isolation from other sources, i.e. such information is not broadcast and is only used locally. Charge magnitude reversal forces the field line vectors to point towards the source node rather than the sink, guiding the associated routes accordingly, without further modification of the forwarding algorithm.

    E. Path Diversity Monitoring Scheme (PDMS)

Dropping of RREQ messages critically affects path diversity and, consequently, the energy balancing. Although the k-RPEF mechanism addresses the path diversity deflation problem from the perspective of attacks against ACK messages, it cannot be used for attacks against RREQ messages, because RREQ messages are uniquely associated to the routes they are forwarded through, hence replicas of an RREQ message cannot follow a different route. The idea in PDMS is to enable the source node to persist in probing for new routes until the user-specified path diversity quota, i.e. the number of distinct routes $N_r$ the user demands, is met. PDMS relies on the observation that distinct routes will map to distinct sets of nodes, hence bypassing of compromised nodes can be achieved in subsequent attempts.

Note that PDMS cannot be used as a standalone solution for path diversity deflation attacks carried out via ACK messages, for the following reason. Recall that, in the absence of the k-RPEF mechanism, ACK messages are sent via SGP forwarding, therefore compromising the single reverse path will block the acknowledgment phase completely. In this case, regardless of the number of attempted routes to be built, routes will never get acknowledged. PDMS, however, can provide compensatory benefits if the k-RPEF resilient mechanism is already employed for ACK messages, and our experimental results will demonstrate this benefit.

One of the MP-FPR protocol goals is to evenly distribute the workload by building evenly distributed routes in the physical field. It is therefore desirable that this property is either maintained or gracefully degraded under adversarial conditions. Accordingly, the sequence of routes that will be probed must take into consideration the existing distribution of routes and attempt to fill any existing gaps. Recall that MP-FPR adopts an angular model for route indexing, cf. Section II-C. Consequently, we rely on the assumption that the distribution of the route indexes (i.e. the distribution of radii over a disk) is representative of the distribution of the actual routes.

We propose the PDMS mechanism as a multi-phase process. The first construction phase performs the same functions as in the original MP-FPR protocol, namely a sequence $S_1$ of $N_r$ evenly distributed route indexes is generated and iteratively probed, $S_1 = \langle r_i \mid r_i = \frac{2\pi}{N_r} i,\ i \in [1, N_r] \rangle$. If the path diversity quota is not met during the first phase, subsequent construction phases are invoked. The following applies to every phase $j \geq 1$. We refer to $S_j$ as the base routing sequence of phase $j$. Let $A_j$ be the set of active routes that have been successfully acknowledged up to phase $j$. If and only if the path diversity quota is not met at a certain phase $j$, i.e. $|A_j| < N_r$, a subsequent phase $j + 1$ is initiated. In each subsequent phase $j > 1$, a new distinct sequence $S_j$ is generated such that $|S_j| = N_r$ (the generation method will be addressed shortly). As opposed to the very first phase, however, not all routes in $S_j$ need to be probed, and the probing process can be interrupted at any time if the path diversity quota is met. To prevent wasting energy resources under severe adversarial conditions, we limit the number of phases that can be executed to a predefined value $K \geq 2$.

The base routing sequence at phase $j > 1$ is generated as a counter-clockwise rotation of the base sequence of angular-indexed routes from the previous phase, i.e. all route indexes of the current phase are obtained by incrementing the route indexes of the previous phase by a fixed amount $\Delta$. Considering the maximum number of admissible probing phases $K$, in the worst-case scenario the union of all base routing sequences is $\bigcup_{j=1}^{K} S_j = \{ r_i \mid r_i = \frac{2\pi}{K N_r} i,\ i \in [1, K N_r] \}$, hence a total of $N_p = K N_r$ distinct and evenly distributed routes may be probed by PDMS. Figure 5 illustrates the base routing sequences for $K = 3$ construction phases and $N_r = 8$ routes per phase, for which the calculated rotation is $\Delta = 15°$.

In order for PDMS to ensure an even distribution of the resulting routes, the base routing sequence generation mechanism is necessary, but not sufficient. Namely, since subsequent route construction phases can be terminated immediately when the path diversity quota is met, priority must be given to routes situated in the vicinity of a failed route, whose omission has created a gap. The intuition is as follows: if originally the base routes led to evenly distributed routes with the exception of one route, it is desirable to build a replacement route as close as possible to the original failing one, such that the deviation from the targeted distribution is minimized. This motivates the phased generation of the base sequence of routes, where $\Delta$ represents the deviation added to the routes from their original location.

[Figure 5: three panels (Phase 1, Phase 2, Phase 3), each showing a source node with eight route indexes drawn as radii. Phase 1: $S_1 = \{0, 45, 90, 135, 180, 225, 270, 315\}$; Phase 2: $S_2 = \{15, 60, 105, 150, 195, 240, 295, 330\}$, each index shifted by +15 from Phase 1; Phase 3: $S_3 = \{30, 75, 120, 165, 210, 255, 310, 345\}$.]

Fig. 5. Base routing sequences for $K = 3$ route construction phases and $N_r = 8$ routes per phase. Each phase's route indexes are obtained by applying a rotational shift of the route indexes in the previous phase by $\Delta = 2\pi / (K N_r) = 15°$.

The advantage of the proposed PDMS scheme versus a purely random one, in which route indexes are generated randomly with uniform distribution, is twofold: (1) PDMS maintains full control of the probed routes by primarily targeting areas with lower densities of routes (i.e. in the immediate vicinity of failed routes) to improve route distribution, and (2) it avoids route merging effects, caused by new routes that may be randomly chosen too close to existing ones, by guaranteeing a minimum path spacing through $\Delta$. Also, from a user's experience perspective, the current PDMS scheme does not increase the interval of time until the first data-stream path is established. This is also advantageous over another possible path-generating mechanism in which a superset of $K N_r$ routes is generated as base routes in one phase, and subsequently a subset of $N_r$ routes that satisfies certain distribution requirements is retained; the latter mechanism is also wasteful, in terms of energy and bandwidth resources, as it requires a large number of routes to be built, even under non-adversarial conditions, the majority of which would remain unused.

We present now the prioritization mechanism that is applied to the base routing sequence of phase $j$, $S_j$. The key idea is to determine the angular gap size between any two adjacent route indexes from the ordered set of active routes $A_j$, and to store this gap information in an ordered set $G_j$ in descending order of gap size. Given a base routing sequence $S_j$, we reorder the sequence such that the $i$-th element in $S_j$ is situated within the bounds of the $i$-th gap in $G_j$. Algorithm 1 details this mechanism.

An example of the priority base route generation in PDMS is presented in Figure 6, containing direct references to Algorithm 1. The key of this algorithm is found in lines #10–#12, where an ordering of the route indexes is established based on the gap size a particular route fills. The role of line #5 is to align the routes in $S_j$ from line #3 with the set of active routes $A_{j-1}$ from the previous phase, such that proper gap evaluation is achieved.

Algorithm 1 Priority Base Route Generation in PDMS

Input:
  j   : current PDMS phase number (j = 1 for 1st construction phase generation)
  K   : maximum number of phases
  A_j : set of active routes at phase j (A_j = ∅ if j = 1)
  N_r : targeted number of routes
Output:
  S_j : sequence of base routes for phase j + 1

 1: A_j ← A_{j−1}
 2: Δ = 2π / (K N_r)
 3: S_j = ⟨ r_i | r_i = (2π / N_r) · i + (j − 1) · Δ, i ∈ [1, N_r] ⟩
 4: S_j = S_j ∪ A_{j−1}
 5: S_j = Sort(S_j)                        // ascending order sequence
 6: first = 0
 7: last = Max(0, |S_j| − 1)
 8: B = ⟨ S_j[last], S_j, S_j[first] ⟩     // wrap-around sequence
 9: T = ∅                                  // sequence of ⟨key, value⟩ tuples
10: for i = first; i ≤ last; i = i + 1 do
11:   gapSize = ( |B[i+1] − B[i]| + |B[i+2] − B[i+1]| ) mod 2π
      // Insert new key-value entry ⟨gap size, route index⟩
      // and order descendingly by key: gap size
12:   T ← InsertionSort(T, ⟨gapSize, S_j[i]⟩)
13: end for
14: S_j = ∅                                // clear for prioritized order
15: for i = first; i ≤ last; i = i + 1 do
16:   // build, in order, the prioritized sequence of routes
17:   S_j ← ⟨ S_j, T[i].value ⟩             // append route index at the end
18: end for
    // remove active routes from base routes
19: S_j ← S_j \ A_j
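The multi-phase PDMS process described above (rotated base sequences, early interruption once the quota is met, at most K phases) and the gap-based prioritization of Algorithm 1, as an added Python example; this is not code from the report or from the MP-FPR implementation. Route indexes are kept in degrees, as Figure 6 does, and reduced modulo a full turn, which is an assumption that reproduces the value 30 in the S_2 of Figure 6. Line 11 is read as the sum of the two circular distances to the neighbouring routes, the interpretation that yields the gap sizes (150, 90, 120, ...) shown in Figure 6. The `probe` callback that stands in for the RREQ/ACK exchange, and the set of "blocked" routes fed to it, are constructed inputs for the example.

```python
from fractions import Fraction
from typing import Callable, List, Set, Tuple

# Route indexes are kept in degrees, as in Figure 6 (the report uses radians).
FULL_TURN = Fraction(360)


def circular_gap(a: Fraction, b: Fraction) -> Fraction:
    """Counter-clockwise angular distance from route index a to b, in [0, 360)."""
    return (b - a) % FULL_TURN


def base_sequence(j: int, K: int, Nr: int) -> List[Fraction]:
    """Algorithm 1, lines 2-3: N_r evenly spaced route indexes, rotated by
    (j - 1) * delta with delta = 2*pi / (K * N_r).  Indexes are reduced modulo
    a full turn (assumption: this is how S_2 in Figure 6 comes to contain 30)."""
    delta = FULL_TURN / (K * Nr)
    spacing = FULL_TURN / Nr
    return [(spacing * i + (j - 1) * delta) % FULL_TURN for i in range(1, Nr + 1)]


def prioritized_sequence(j: int, K: int, Nr: int,
                         active: Set[Fraction]) -> List[Fraction]:
    """Algorithm 1: order the phase-j base routes so that routes falling into the
    largest angular gaps between the currently active routes are probed first."""
    merged = sorted(set(base_sequence(j, K, Nr)) | set(active))   # lines 3-5
    if not merged:
        return []
    wrapped = [merged[-1]] + merged + [merged[0]]                  # line 8
    entries: List[Tuple[Fraction, Fraction]] = []                  # line 9
    for i, route in enumerate(merged):                             # lines 10-13
        # Line 11, read as the sum of the circular distances to both neighbours;
        # this reproduces the gap sizes listed in Figure 6.
        gap = (circular_gap(wrapped[i], wrapped[i + 1])
               + circular_gap(wrapped[i + 1], wrapped[i + 2]))
        entries.append((gap, route))
    # Line 12: descending by gap size.  Python's sort is stable, so routes with
    # equal gaps keep their ascending-index order, as the insertion sort would.
    entries.sort(key=lambda e: -e[0])
    # Lines 14-19: emit the route indexes in priority order, minus active routes.
    return [route for _, route in entries if route not in active]


def run_pdms(K: int, Nr: int,
             probe: Callable[[Fraction], bool]) -> Tuple[Set[Fraction], int]:
    """Multi-phase PDMS.  Phase 1 probes every base route; each later phase probes
    its prioritized sequence only until the path diversity quota |A_j| = N_r is
    met, and at most K phases run.  `probe` stands in for the RREQ/ACK exchange
    and returns True when the route was acknowledged (constructed for this
    example).  Returns the set of active routes and the number of RREQs sent."""
    active: Set[Fraction] = set()
    probes = 0
    for j in range(1, K + 1):
        for route in prioritized_sequence(j, K, Nr, active):
            if j > 1 and len(active) >= Nr:
                break              # quota met: interrupt the phase early
            probes += 1
            if probe(route):
                active.add(route)
        if len(active) >= Nr:
            break
    return active, probes


if __name__ == "__main__":
    # Scenario of Figure 6: K = 3, N_r = 4; the RREQs along routes 0 and 180 are
    # assumed to be dropped by compromised relays (constructed input).
    blocked = {Fraction(0), Fraction(180)}
    routes, sent = run_pdms(3, 4, lambda r: r not in blocked)
    print(sorted(int(r) for r in routes), sent)   # [30, 90, 210, 270] 6
```

Running the Figure 6 scenario, phase 1 probes all four base routes and acknowledges only 90 and 270; phase 2 then probes 30 and 210 first, because each of them fills a gap of 150 degrees, and stops as soon as the quota of four active routes is met, six RREQs in total. With every probe failing, the K-phase bound caps the effort at K times N_r probes, which is the energy safeguard the text describes.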

    F. Conclusion of Resilience Mechanisms in MP-FPR

Resilience mechanisms improve the robustness of MP-FPR to attacks carried through selective forwarding (or delaying) of MP-FPR's protocol messages. Specifically, path deflation attacks via dropping or delaying of RREQ and ACK messages, family path intersection attacks via UPDATE messages, and data DoS attacks via targeting the DATA, QUERY or ACK messages can all be prevented by adopting redundancy mechanisms. In addition, the robustness mechanisms may provide incidental benefits against other types of attacks. For example, path deflation attacks via delaying RREQ messages can also benefit: paths that do not meet established quality levels are inherently discarded, but they can be compensated for by building a replacement path, which is the case with the PDMS mechanism.

[Figure 6: worked trace of Algorithm 1 for phase 2. Phase 1: $S_1 = \{0, 90, 180, 270\}$, active routes $A_1 = \{90, 270\}$. Algorithm 1 reference / line #: #3 $S_2 = \langle 30, 120, 210, 300 \rangle$; #4 $S_2 = \langle 30, 90, 120, 210, 270, 300 \rangle$; #8 $B = \langle 300, 30, 90, 120, 210, 270, 300, 30 \rangle$; #10 gap sizes: 150, 90, 120, 150, 90, 120; #13 $T = \langle \langle 150, 30 \rangle, \langle 150, 210 \rangle, \langle 120, 120 \rangle, \langle 120, 300 \rangle, \langle 90, 90 \rangle, \langle 90, 270 \rangle \rangle$; #18 $S_2 = \langle 30, 210, 120, 300, 90, 270 \rangle$; #19 $S_2 = \langle 30, 210, 120, 300 \rangle$. PDMS: 1. Probe route 30, assume ACK-ed. 2. Probe route 210, assume ACK-ed. 3. Path diversity quota met, no more routes are probed. Active routes $A_2 = \{30, 90, 210, 270\}$.]

Fig. 6. Priority base route generation example. Settings: phase 1 completed, executing phase $j = 2$, $K = 3$, $N_r = 4$, $\Delta = 30°$. For clarity, we express route indexes in degrees rather than radians. We assume that only two of the candidate routes in phase 1 were ACK-ed and the set of active routes is $A_1 = \{90°, 270°\}$. Algorithm 1 is applied and a new sequence of route indexes to be probed is generated: $S_2 = \langle 30°, 210°, 120°, 300° \rangle$. Observe that priority is given to routes 30° and 210°, as they are the first elements in the probing sequence $S_2$, since these are in the vicinity of the un-acknowledged routes from phase 1. Subsequently, routes 30° and 210° are probed iteratively. If both routes are ACK-ed, the set of active routes becomes $A_2 = \{30°, 90°, 210°, 270°\}$, of cardinality 4, which meets the path diversity quota and phase 2 is interrupted. Otherwise, phase 2 continues with probing of routes 120° and 300°.

VIII. EXPERIMENTAL EVALUATION

In this section we evaluate the effectiveness of the proposed defense mechanisms and demonstrate their viability. First, we overview the experimental settings and outline the metrics used in this quantitative analysis. Next, we present the experimental overhead analysis of the TESLA integrity mechanisms, which is the solution of choice according to Section VI. Lastly, we detail the experimental findings for the selective-forwarding resilience mechanisms, i.e. k-RPEF, PDMS and k-EF.

    A. Simulation Settings

The experiments were performed using the SIDnet-SWANS simulator [30], [1] for WSN. SIDnet-SWANS is an open-source, large-scale sensor network simulator, which facilitates fast algorithmic implementation on a sensor network comprising a large number of sensor nodes. SIDnet-SWANS is built on the scalable architecture of JiST-SWANS [2], which in turn is based on the high-performance JiST (Java in Simulation Time) engine. When compared to other popular options for sensor network simulation such as ns-2, SIDnet-SWANS enabled us to prepare and perform a large body of experiments in a relatively short amount of time, in an environment comprising hundreds of simulated sensor nodes. On the other hand, as far as network stack correctness is concerned, it carries an adapted version of ns-2's MAC 802.15.4 protocol and the same signal propagation models.

Network Configuration. The simulated environment consists of a set of 750 homogeneous nodes having the following configuration: (1) 20 kbps transmission/reception rate, (2) MAC 802.15.4 protocol, (3) 5 seconds idle-to-sleep interval (i.e., nodes that are not actively involved in routing enter a low energy consumption state after 5 seconds of continuous idling, in order to preserve battery power), and (4) power consumption characteristics based on Mica2 mote specifications [3]. To reduce the simulation time while preserving the validity of the observations, nodes were configured to use a small battery with an initial capacity of 35 mAh, for a projected lifespan of several tens of hours under moderate load.

Application Settings. The tested scenario consists of four distinct, long-term, continuous, point-to-point queries rooted at a common sink node. The sink is centrally located within the network. The four corresponding source nodes are evenly distributed around the sink node, namely within the regions A, C, G and I, respectively, of a grid-based partitioning of the network as shown in Figure 7. This configuration has two advantages: (1) it provides approximately 90% spatial coverage of the relay area to the network resources (nodes), and (2) it creates a context of four physically adjacent families of routes, which enables investigating the family path intersection attacks via selective forwarding of UPDATE messages, which violate the disjointness property of paths pertaining to different source-sink families of routes. To further support the latter advantage, the four queries are injected in the network sequentially, in the order shown in Figure 7, at 10 minute simulated time intervals. The path diversity quota has been set to $N_r = 30$ routes, and the PDMS path offset to $\Delta = 4°$, for a maximum pool of $N_p = 90$ candidate routes.

Each experiment captures 8 hours of simulated time. The data transmission interval of the point-to-point queries to the designated sink is 4 seconds. As part of the experimental setup, we have gradually increased the set of attacking nodes, which are randomly and uniformly selected from the network, ranging from 5% to 30% of the total sensors in the network.

B. Metrics

Recall that, according to the adversarial model presented in Section III, attacks are classified as control-level and