Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Detection of Node Replication Attacks in Sensor Networks Bryan Parno, Adrian Perrig Virgil Gligor Carnegie Mellon UniversityUniversity of Maryland.

Similar presentations


Presentation on theme: "Distributed Detection of Node Replication Attacks in Sensor Networks Bryan Parno, Adrian Perrig Virgil Gligor Carnegie Mellon UniversityUniversity of Maryland."— Presentation transcript:

1 Distributed Detection of Node Replication Attacks in Sensor Networks Bryan Parno, Adrian Perrig Virgil Gligor Carnegie Mellon UniversityUniversity of Maryland

2 Sensor Networks Thousands of nodes, each with a CPU, ~4 KB of RAM, a radio and one or more sensors (e.g., temperature, motion, sound) Applications: burglar alarms, emergency response, military uses Node Characteristics: –Low cost No tamper resistance Limited battery life –Easy to deploy

3 Attacks on Sensor Networks Replication Attacks –Capturing many nodes is hard –Instead, capture one node and copy it Other attacks not in scope of this work –Introducing nodes with new IDs - this is readily preventable: Admin provides each node with a certificate ID based on keys Other Sybil defenses [Newsome04] –Jamming attacks –Partitioning attacks We assume legitimate nodes form a connected component

4 Replication is Easy Only need to capture one node Offline attack to extract node’s secrets Transfer secrets to generic nodes Deploy clones

5 Repercussions Clones know everything compromised node knew Adversary can … –Inject false data or suppress legitimate data –Spread blame for abnormal behavior –Revoke legitimate nodes using aggregated voting –Monitor communication

6 Our Contributions Thwart replication attacks using entirely distributed mechanisms First use of emergent algorithms to provide robust security properties in sensor networks –Resilient even against an adaptive adversary (i.e. adversary knows the protocol and can selectively compromise additional sensors) –Relies on the Birthday Paradox and the network topology –No central points of failure Efficient Solutions –Comparable to centralized detection

7 Outline Introduction Problem Statement & Previous Work Our Solution Evaluation Discussion

8 Assumptions Public key infrastructure –Occasional elliptic curve cryptography is reasonable [Malan04] –Can be replaced with symmetric mechanisms Network employs geographic routing –Does not require GPS! [Doherty01] –Works with synthetic coordinates [Rao03, Newsome03] Nodes are primarily stationary

9 Goals Detect replication with high probability After protocol concludes, legitimate nodes have revoked replicas Secure against adaptive adversary –Unpredictable to adversary –No central points of failure Minimize communication overhead

10 Previous Approaches Insufficient Central Detection [EscGli02] –Each node sends neighbor list to a central base station –Base station searches lists for duplicates –Disadvantages Some applications may not use base stations Single point of failure Exhausts nodes near base station (and makes them attack targets)

11 Previous Approaches Insufficient Localized Detection [ChPeSo03] –Neighborhoods use local voting protocols to detect replicas –Disadvantage Replication is a global event that cannot be detected in a purely local fashion

12 Outline Introduction Problem Statement & Previous Work Our Solution –Overview –Randomized Multicast Protocol –Line-Selected Multicast Protocol Evaluation Discussion

13 Emergent Properties Properties that only emerge through collective action of multiple nodes Highly robust –No central point of failure –Difficult for adversary to attack Emergent behavior is an attractive approach for thwarting an unpredictable and adaptive adversary

14 Approach Overview Step 1: Announce locations –Each node signs and broadcasts its location to neighbors Location = (x,y), virtual coordinates, or neighbor list –Nodes must participate or neighbors will blacklist them Step 2: Detect replicas –Uses emergent protocol –Ensures at least one “witness” node receives two conflicting location claims Step 3: Revoke replicas –Witness floods network with conflicting location claims –Signatures prevent spoofing or framing

15 Randomized Multicast Protocol Each node signs and broadcasts its location to neighbors Each neighbor forwards location to “witness” nodes –Witness chosen at random by selecting random geographic point and forwarding message to node closest to the point –Each neighbor selects ~ witnesses for a total of Birthday Paradox implies location claims from a cloned node and its clone will collide with high probability Conflicting location claims are evidence for revoking clones Signatures prevent forgery of location claims

16 Randomized Multicast Detection ConflictDetected!

17 Randomized Multicast Analysis High probability of detection –2 replicas (R=2), w = n, P Detect ≥ 95%, Decentralized and randomized Moderate communication overhead –Each node’s location sent to n witnesses –Path between two random points in the network is O( n ) hops on average –Results in O(n) message hops per node P Detect > 1 – e -R

18 Line-Selected Multicast Protocol In a sensor network, nodes route data as well as collect it Again, neighbors forward location claim to “witness” nodes Each intermediate node checks for a conflict and forwards the location claim If any two “lines” intersect, the conflicting location claims provide evidence for revoking clones

19 Line-Selected Multicast Detection ConflictDetected!

20 Line-Selected Multicast Analysis High probability of intersection for two randomly drawn lines in the plane –Only need a constant number of lines (e.g. for 5 lines/node, P Detect ≥ 95%) Decentralized and randomized Minimal communication –Line segments O( n) on average –Only requires O( n) message hops per node

21 Theoretical Communication Overhead Detection Scheme Average # Messages / Node Centralized Detection O( n) Randomized Multicast O(n) Line-Selected Multicast O( n)

22 Outline Introduction Problem Statement & Previous Work Our Solution Evaluation Discussion

23 Evaluation Setup Simulated network of sensor nodes deployed uniformly at random Measured average communication per node and maximum communication of any node Varied # of nodes from 1,000 to 10,000 Varied density of nodes so average # neighbors varied from 10-70, with little effect

24 Communication Overhead

25 Detection in Irregular Topologies Line-selected Multicast relies on topology to detect replicas, so we ran simulations on irregular topologies

26 Probability of Detection in Irregular Topologies 2500 nodes, 1 duplicate 5 witnesses/node

27 2500 nodes, 1 duplicate 10 witnesses/node Probability of Detection in Irregular Topologies

28 2500 nodes, 2 duplicates 5 witnesses/node Probability of Detection in Irregular Topologies

29 Outline Introduction Problem Statement & Previous Work Our Solution Evaluation Discussion

30 Timing Issues Admin can select frequency of protocol activation Between runs, nodes only remember results Time Slots –Divide protocol run into slots and assign each a range of IDs –During each slot, nodes with IDs in the specified range announce their location IDs: t3t2t0T Time

31 Conclusion Node replication attacks pose a serious threat We address inherent limitations of centralized and localized solutions Our algorithms use emergent properties to detect global events in a distributed fashion –High probability of detection and revocation –Resilient to adaptive adversary –Minimal communication overhead Emergent solutions well adapted to provide security in sensor networks Algorithms generally applicable to other settings

32 Thank you!

33 Other Approaches Insufficient Deterministic Multicast –Witnesses chosen as a function of node ID Node X announces its location Neighbors forward location to witnesses: F(X) = {w 1, w 2,…,w k } –Disadvantage Adversary also knows F –Compromising all w i allows unlimited replication of X –Communication overhead grows with O(k log(k))

34 Theoretical Overhead Detection Scheme Average # Messages / Node Average Memory/Node Centralized Detection O( n)O(1) Randomized Multicast O(n) Line-Selected Multicast O( n)

35 Repercussions Revoke legitimate nodes using aggregated voting

36 Outline Motivation & Assumptions Attack Scenario Previous Protocols Our Solutions Evaluation Discussion

37 Outline Motivation & Assumptions Attack Scenario Previous Protocols Our Solutions Evaluation Discussion

38 Outline Motivation & Assumptions Attack Scenario Previous Protocols Our Solutions –Randomized Multicast –Line-Selected Multicast Evaluation Discussion

39 Outline Motivation & Assumptions Attack Scenario Previous Protocols Our Solutions Evaluation Discussion

40 Outline Motivation & Assumptions Attack Scenario Previous Protocols Our Solutions Evaluation Discussion

41 Outline Motivation & Assumptions Attack Scenario Background –Previous Protocols –Preliminary Approaches Our Solutions –Randomized Multicast –Line-Selected Multicast Results Discussion

42 Outline Introduction Problem Statement & Previous Work Our Solution –Overview –Randomized Multicast Protocol –Line-Selected Multicast Protocol Evaluation Discussion

43 Outline Introduction Problem Statement & Previous Work Our Solution –Overview –Randomized Multicast Protocol –Line-Selected Multicast Protocol Evaluation Discussion

44 Sensor Applications Environmental monitoring Intrusion detection Emergency Response Military

45 Sensor Node Characteristics Cheap –No tamper resistance –No secure coprocessors Easy to deploy Operate in unsupervised, hostile environments

46 Replication Attacks Capturing many nodes is hard Instead, capture one node and copy it

47 Repercussions Clones know everything compromised node knew Adversary can … –Inject false data or suppress legitimate data –Spread blame for abnormal behavior –Revoke legitimate nodes using aggregated voting –Monitor communication

48 Randomized Multicast Each node signs and broadcasts its location Each neighbor forwards the location to a set of “witness” nodes –Witnesses chosen at random by selecting random geographic point and forwarding message to node closest to the point –Each neighbor selects ~ witnesses for a total of

49 Randomized Multicast Birthday Paradox implies location claims from a cloned node and its clone will collide with high probability Conflicting claims are evidence for revoking clones Signatures prevent forgery of location claims

50 Line-Selected Multicast

51 Conflict!

52 Detection in Irregular Topologies


Download ppt "Distributed Detection of Node Replication Attacks in Sensor Networks Bryan Parno, Adrian Perrig Virgil Gligor Carnegie Mellon UniversityUniversity of Maryland."

Similar presentations


Ads by Google