Copyright © Erdal Cayirci, 2010 1/326 Security in Wireless Ad Hoc and Sensor Networks Erdal Cayirci Electrical Engineering & Computer Science Department.

1 Copyright © Erdal Cayirci, 2010 1/326 Security in Wireless Ad Hoc and Sensor Networks Erdal Cayirci Electrical Engineering & Computer Science Department University of Stavanger Stavanger, Norway Head, CAX Support Branch NATO Joint Warfare Centre SMC4 Division Stavanger, Norway

2 Outline: Introduction; Wireless Ad Hoc, Sensor and Mesh Networks; Security Mechanisms; Conclusion

3 Text Book: Security in Wireless Ad Hoc and Mesh Networks, Erdal Cayirci, Chunming Rong. ISBN: 978-0-470-02748-6. Publisher: Wiley and Sons. Copyright: 2009. Published: March/23/2009.

4 Introduction

5 Taxonomy (diagram labels): Infrastructureless, Infrastructured, Ad hoc, Sensor, Mesh, Local, Wide area

6 Taxonomy (diagram labels): High Tier, Low Tier, Terrestrial, Satellite, Aerial. Another approach: licensed vs unlicensed.

7 Cellular Paradigm: infrastructured, single hop (diagram labels: source, destination)

8 Ad Hoc Paradigm: infrastructureless, multihop (diagram labels: source, destination)

9 Ad Hoc Network Applications: Temporary network deployment; Disaster relief operations; Smart buildings; Cooperative objects (COs); Health care

10 Ad Hoc Networking Challenges: Wireless medium; Interference, Hidden Terminal and Exposed Terminal; Mobility, Node Failures, Self-forming, Self-configuration, Topology Maintenance, Routing and Self-healing; Node Localization and Time Synchronization; End-to-end Reliability and Congestion Control

11 Hidden and Exposed Terminals (diagrams with nodes a, b, c and a, b, c, d exchanging data): hidden terminal, primary interference; exposed terminal, overhearing

12 Wireless Sensor and Actuator Networks (diagram labels): sensor node (snode), actuator (anode), collector (cnode), gateway (gnode), wireless link, Task Manager, Users, Proxy Server, Internet, Satellite, etc

13 Wireless sensor and actuator network applications: Military; Environmental; Health; Home; Disaster relief; Space exploration; Chemical processing; Other commercial

14 Fault Tolerance: Ability to sustain sensor network functionality without any interruption. Protocols and schemes should be designed with the target level of fault tolerance.

15 Scalability: May reach millions of sensor nodes in studying a phenomenon or stimuli. Schemes tend to form clusters. Each cluster may have a coverage area of less than 10 meters. Each cluster may have several to a hundred sensor nodes. Density of sensor nodes is high.

16 Scalability (Cont’d): Cluster density (N. Bulusu, D. Estrin, L. Girod, and J. Heidemann, “Scalable Coordination for Wireless Sensor Networks: Self-Configuring Localization Systems,” International Symposium on Communication Theory and Applications, Ambleside, UK, July 2001), where N is the total number of sensor nodes, R is the range of a sensor, and A is the area covered by a sensor.

17 Scalability (Cont’d): Military Force Tracking System: Less than 50 sensor nodes in a squad, up to 500 nodes in a company. Crises Response Management System: Up to 20 million nodes in a city like Istanbul. Underwater Surveillance System: Up to 5 hundred nodes for a region 500m×500m.

18 Production Cost: Nodes must be cheap enough to be scalable.

19 Sensor Node Hardware (diagram labels): Power Unit, Power Generator, Sensors, ADC, Processor, Memory, Transceiver, Location Finding System, Mobilizer, Other Interfaces. Small, low cost (dispensable), low power, low bit rate, low memory capacity, limited computational power.

20 Sensor Nodes: Mica2, Telos, Genetlab SenseNode

21 Sensor Nodes (C. Chong, S.P. Kumar, “Sensor Networks: Evolution, Opportunities, and Challenges,” Proceedings of IEEE, Vol. 91, No. 8, August 2003)
Attribute | 1980’s-1990’s | 2000-2003 | 2010
Manufacturer | custom contractors | Crossbow, Sensoria, Ember, Genetlab, etc | Dust, Inc, and others
Size | large shoe box | small shoe box | dust particle
Weight | kilograms | grams | negligible
Architecture | separate sensing, proc., comm. units | integrated | integrated
Topology | point-to-point, star | client server, peer-to-peer | peer-to-peer
Power supply | large batteries; hours, days, longer | AA batteries; days-to-weeks | solar; months-to-years
Deployment | vehicle placed or air drop single sensors | hand-emplaced | embedded, sprinkled left behind

22 Topology in sensor and actuator networks (diagram labels): sensor node, actuator, collector, gateway, wireless link; nodes a, b, c, d. Sensor networks; Semi-automated sensor & actuator networks; Automated sensor & actuator networks. Traffic patterns shown: many-to-one, one-to-many, many-to-one, one-to-many, many-to-many.

23 Power Consumption: Network lifetime depends on battery lifetime. Generally irreplaceable. Limited battery (~1 V).

24 Power Consumption: In sensor networks, power conservation is of utmost importance. Hence, novel power-aware protocols and algorithms are needed. In sensor & actuator networks, end-to-end propagation delay may become a parameter conflicting with power consumption in some real-time applications. Hence, tradeoff mechanisms between power consumption and end-to-end delay are needed for some sensor & actuator network applications. Issues related to battery recovery rate must also be taken into account.

25 Three Domains of Power Consumption: Communications; Data Processing; Sensing

26 Power Consumption in Communications: Transmission and reception energy costs are nearly the same. Transceiver circuitry has both active and start-up power consumption. Sensors communicate in short data packets. Start-up power starts dominating as packet size is reduced. Cannot blindly turn off the transceiver during idling. Path-loss slope is around four due to the low-lying antenna.

27 Power Consumption in Data Processing: This is much less than the power consumption in communications. For example, a 100 million instructions per second processor can execute 3 million instructions by the energy cost of transmitting 1 KB a distance of 100 m. Therefore, local data processing is crucial in minimizing power consumption in a wireless sensor network. However, the energy cost of data processing is not negligible.

28 Power Consumption in Sensing: Depends on the type of sensor (microsensors: active or passive; cameras, etc.); the nature of sensing (sporadic or constant); detection complexity; the interface between the processor and sensors.

29 Mesh Networks (diagram labels): Cellular, Wireless LAN, Internet, Mesh Client, Mesh Router, Backbone Mesh, Access Mesh

30 Mesh Network Applications: Broadband home networking; Community and neighborhood networking; Enterprise networking; Transportation systems; Building automation and control networks

31 Mesh Networking Challenges: Broadband communications; Quality of service requirements

32 Tactical Communications (diagram labels): radio access point, mobile radio, local area subsystem, terminal, wide area subsystem, node, wireless communications, non-wireless communications

33 Mobile Subsystem (diagram labels): mobile radio (MR), cluster head MR, relaying MR, radio access point (RAP), unmanned aerial vehicle (UAV), satellite (SAT), satellite ground terminal antenna. Tiers: SATT: SAT tier; UAVT: UAV tier; RAPT: RAP tier; MRT: MR tier.

34 Tactical Communications Challenges: Multimedia communications; Multi-tier networking; Mobile networking; Mobile and rapidly deployable infrastructure; Survivable infrastructure; Tailorable infrastructure; Multi-functional infrastructure

35 Tactical Communications Challenges: Modular infrastructure; Flexible infrastructure; Both terrestrial and non-terrestrial networking; Horizontal and vertical communications ability; High circuit quality and wide bandwidth; Secure networking; Real-time and batch networking; Ability to operate in every weather and terrain condition

36 Factors Influencing the Design
Columns: Ad Hoc | Mesh | Sensor & Actuator
Wireless medium: ISM | ISM, acoustic, low lying antenna
Networking regime: random one-to-one | random one-to-one, gateway nodes | one-to-many, many-to-one, many-to-many
Traffic: random, multimedia | random, multimedia | temporally and spatially correlated, data
QoS requirements: bandwidth, delay, jitter, reliability | power consumption, delay, reliability
Mobility: mobile | typically fixed | generally fixed, network mobility
Fault tolerance: typically no critical point of failure | critical points of failure | critical points of failures, high fault tolerance requirements
Operating environment: typical day to day environment | hostile and harsh, often unreachable
Power efficiency: not very critical | not critical | very critical
Scalability: order of hundreds | order of tens | order of thousands
Hardware constraints: laptops, PDAs | no constraint | tiny, low processing and memory capacity
Production cost: no hard constraints | must be cost effective

37 Challenges in Practice (photo labels): Solar Panel, High Gain GPRS Antenna, Outdoor PIR’s, Outdoor Panel

38 Challenges in Practice

39 Wireless Medium

40 Channel Capacity
Nyquist: $C = 2B \log_2 M$, where C is capacity in bits per second (bps), B is bandwidth in hertz (Hz), and M is the number of discrete signal levels.
Shannon: $C = B \log_2(1 + \mathrm{SNR})$, with $\mathrm{SNR}_{dB} = 10 \log_{10}(\mathrm{SNR})$.

41 Electromagnetic Spectrum (figure): frequency axis from $10^2$ to $10^{15}$ Hz (hertz, kilohertz, megahertz, gigahertz, terahertz) with bands ELF, VF, VLF, LF, MF, HF, VHF, UHF, SHF, EHF; wavelength axis from $10^6$ to $10^{-6}$ m; regions: Power and Telephone, Radio, Microwave, Infrared, Visible light; media and services: Twisted pair, Coaxial cable, AM radio, FM radio and TV, Terrestrial and satellite, Optical fiber. Wavelength = c / f.

42 Antennas (diagrams with nodes A and B): Omnidirectional (isotropic) Antenna; Directional (isotropic) Antenna. Antenna gain is a measure of the directionality of an antenna. Antenna gain is defined as the power output, in a particular direction, compared to that produced in any direction by a perfect omnidirectional antenna.

43 Antennas: Half-wave dipole (Hertz antenna); Quarter-wave dipole (Marconi antenna); Parabolic reflective antenna (diagram labels: /4, /2, feeding gap, collinear conductor)

44 Propagation Modes: Ground wave, f < 2 MHz; Sky wave, 2 MHz < f < 30 MHz; Line of sight, 30 MHz < f (diagram label: Ionosphere)

45 Line of Sight (diagram labels: h1, h2, d1, d2, r), where k is an adjustment factor and generally assumed to be 4/3

46 Satellite Orbits (figure: altitude axis in km with ticks 35,800, 20,000, 15,000, 5,000, 0; Upper Van Allen belt, Lower Van Allen belt)
Type | Latency (ms) | Satellites needed
GEO | 270 | 3
MEO | 35-85 | 10
LEO | 1-7 | 50

47 The Principal Satellite Bands
Band | Frequency range | User
L-band | 1530 - 1650 MHz | Inmarsat, air and sea traffic. Meteorological services.
S-band | 2535 - 2655 MHz | Downlink for communication satellites. For example ArabSat and Insat.
C-band | 3700 - 4200 MHz | Downlink for communication satellites. Most satellites in America, Asia and Africa.
C-band | 4500 - 4800 MHz | Downlink for military satellites.
C-band | 5900 - 7000 MHz | Uplink[ii] for military and communication satellites.

48 The Principal Satellite Bands
X-band | 7200 - 7750 MHz | Military satellites, NATO.
X-band | 7900 - 8400 MHz | Uplink military satellites.
Ku-band 1 | 10.700 - 11.750 GHz | Downlink for FSS [iii]
Ku-band 2 | 11.750 - 12.500 GHz | Downlink DBS [iv]
Ku-band 3 | 12.500 - 12.750 GHz | Downlink for Telecom range [v]

49 The Principal Satellite Bands
Ku-band | 12.750 - 13.250 GHz | Uplink for telecommunication satellites.
Ku-band | 14.000 - 14.800 GHz | Uplink for telecommunication satellites.
Ku-band | 17.300 - 18.100 GHz | Uplink for telecommunication satellites.
Ka-band | 18.300 - 21.200 GHz | Rarely used. Kopernicus satellites have one of these transponders. Used for some transmissions. In the future it will be more in use because the whole KU band will be used completely.
K-band | 27.500 - 31.000 GHz | Uplink for future telecommunication satellites.

50 Free Space Loss: where
$P_t$ = signal power at the transmitting antenna
$P_r$ = signal power at the receiving antenna
= carrier wavelength
d = propagation distance between antennas
c = speed of light ($3 \times 10^8$ m/s)

51 Noise
Thermal noise: $N_0 = kT$ (W/Hz), where k is Boltzmann’s constant ($1.3803 \times 10^{-23}$ J/K) and T is absolute temperature in kelvins.
$N = kTB$
$N_{dBW} = -228.6 + 10 \log T + 10 \log B$ dBW
Intermodulation noise; Crosstalk; Impulse noise

52 Atmospheric Absorption: Water vapour and oxygen contribute to attenuation. A peak attenuation occurs in the vicinity of 22 GHz. At frequencies less than 15 GHz, the attenuation is less. Rain and fog cause scattering.

53 Multipath: Reflection; Scattering; Diffraction

54 Fading (figure: amplitude in dBm, from -80 to -130, versus position in m, from 0 to 30, showing slow and fast fading). Flat (nonselective) fading affects the different spectral components equally. Selective fading affects them unequally.

55 Directional and Smart Antennas: a. Switched beam. b. Adaptive. (diagram label: mobile node)

56 Software Radios: Analog to digital conversion (ADC) as close to the antenna as possible; Generic hardware; Software implementation of the digital processes

57 Cognitive Radios: Software radios provide the base to realize cognitive radios that can observe the available spectrum and dynamically choose the frequency and other parameters to operate.

58 Data Link Layer: Medium Access and Error Control

59 Multiple Access Schemes (tree diagram labels): Contention Based Schemes: Aloha, Slotted Aloha, Carrier Sense Multiple Access (CSMA), CSMA / Collision Detection, CSMA / Collision Avoidance. Conflict Free Schemes. Hybrid. Reservation Based: Packet Reservation Multiple Access, Resource Auction Multiple Access, Dynamic TDMA. Token Based: Packet Reservation Multiple Access, Resource Auction Multiple Access, Dynamic TDMA. Fixed Allocation: Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA).

60 ALOHA and Slotted ALOHA. ALOHA: Start transmitting whenever you have a frame to send. Retransmit if the transmission is unsuccessful. Slotted ALOHA: Wait until the beginning of the first time slot for transmission. (diagram labels: time, time slots)

61 Carrier Sense Multiple Access (CSMA). Non-persistent CSMA: Sense the media, and access if there is no other transmission on the media. If the channel is already in use, wait a random period and then repeat the algorithm. P-Persistent CSMA: The probability that a node accesses the media when no other transmission is sensed is equal to p. If the channel is already in use, the probability that the node accesses the media in the next time slot is again equal to p.

62 Hidden and Exposed Terminals (diagrams with nodes a, b, c and a, b, c, d exchanging data): hidden terminal, primary interference; exposed terminal, overhearing

63 MACAW: Multiple Access with Collision Avoidance Wireless (MACAW). Frames: Request to Send (RTS), Clear to Send (CTS), Data, Acknowledgement (diagram with nodes a to h). V. Bharghavan, A. Demers, S. Shenker, L. Zhang, "MACAW: A Media Access Protocol for wireless LAN’s", in Proceedings of ACM SIGCOMM’94, pp. 212-225, 1994.

64 IEEE 802.11: Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA), Distributed Coordination Function (DCF) (timing diagram labels: source, destination, DIFS, RTS, SIFS, CTS, DATA, ACK). Network Allocation Vector (NAV): Defer access. DIFS: DCF Interframe Space. SIFS: Short Interframe Space.

65 IEEE 802.11 (Cont’d): IEEE 802.11 Distributed Coordination Function (DCF) (diagram labels: transmission range, carrier sensing range, carrier sensing zone). Extended Interframe Space. RTS, CTS frames and inter frame spaces introduce additional overhead and additional delay.

66 Multiple Access Schemes (tree diagram labels): Contention Based Schemes: Aloha, Slotted Aloha, Carrier Sense Multiple Access (CSMA), CSMA / Collision Detection, CSMA / Collision Avoidance. Conflict Free Schemes. Hybrid. Reservation Based: Packet Reservation Multiple Access, Resource Auction Multiple Access, Dynamic TDMA. Token Based: Packet Reservation Multiple Access, Resource Auction Multiple Access, Dynamic TDMA. Fixed Allocation: Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA).

67 Conflict Free Multiple Access Schemes: 1. Frequency Division Multiple Access: Channel = Frequency. 2. Time Division Multiple Access: Channel = Frequency + Time Slice. 3. Code Division Multiple Access: Channel = Code. (figure comparing how FDMA, TDMA and CDMA use the spectrum)

68 CDMA: 1. Frequency Hopping CDMA: a. Slow Hopping, b. Fast Hopping. 2. Direct Sequence CDMA. (figure label: FH-CDMA)

69 FH-CDMA Process Gain: $PG = 10 \log N$ (dB), where N is the number of frequency channels used.

70 DS-CDMA spreading process (figure labels: Data, PN, Noise, Spreaded data)

71 DS-CDMA spreading process (figure labels: Data, PN, Spreaded Data; data in data (bit) rate, spreaded data in chip rate, recovered data in data (bit) rate)

72 DS-CDMA Spreading Process (block diagram labels): Tx: data x(t), $R_b$, spreading code G(t), S(t), $S_t(t)$, $f_0$. Rv: $S_T(t-T_d)$, F, $S(t-T_d)$, $f_0$, correlator, spreading code $G(t-T_d)$, data x(t). $R_p$ = chip transfer rate; $B_c = R_b$; $B_{ss} = R_p$.

73 DS-CDMA Process Gain: $PG = 10 \log(B_{ss}/B)$ (dB), where B is the bandwidth required for the data rate, and $B_{ss}$ is the bandwidth over which the signal is spread.

74 CDMA Codes: A spread spectrum code in DS-CDMA is a bit sequence (a sequence of 1s and -1s), for example -1 -1 -1 1 -1 -1 1 1 -1 1 -1 1 1 1 1. CDMA sequences can be categorized as: Pseudo Noise (PN) sequences (short codes, long codes); Orthogonal codes.

75 Properties of Pseudo Noise Sequences
Balance property: The difference between the number of 1s and -1s in a pseudonoise sequence cannot be higher than one. Example: -1 -1 -1 1 -1 -1 1 1 -1 1 -1 1 1 1 1 (15 chips, 7 of them are -1s, and 8 of them are 1s.)
Run property: 50% of runs must be -1 runs, and the other 50% must be 1 runs, and $1/2^n$ of the runs must be runs of length n. Example: -1 -1 -1 1 -1 -1 1 1 -1 1 -1 1 1 1 1 (8 runs, 4 of them are -1 runs, and 4 of them are 1 runs.)
Auto-correlation property: The number of chips that are the same differs from those that are different by at most 1 when a pseudonoise sequence is compared chip by chip with any cyclic shift of itself.

76 Auto-correlation: Auto-correlation is the correlation of a code with any cyclic shift of itself.
Example: -1 -1 1 1 -1 1 -1, N = 7. $C_0 = 7$ and $C_7 = 7$.
$C_1$ = 1 -1 1 -1 -1 -1 1 = -1
$C_2$ = -1 -1 -1 1 1 -1 1 = -1
$C_3$ = -1 1 1 -1 1 -1 -1 = -1
$C_4$ = 1 -1 -1 -1 1 1 -1 = -1
$C_5$ = -1 1 -1 -1 -1 1 1 = -1
$C_6$ = 1 1 -1 1 -1 -1 -1 = -1

77 Linear Maximal Length Sequence Generator (shift register diagram: stages $X_1$, $X_2$, $X_3$, $X_4$ holding 1 -1 -1 -1, feeding OUTPUT). OUTPUT: -1 -1 -1 1 -1 -1 1 1 -1 1 -1 1 1 1 1. $p = 2^n - 1$, where p is the length of the sequence and n is the number of bits in the shift register.
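The generator and the three PN properties from slides 75 to 77, as an added example that is not part of the original slides. The feedback taps (X3 XOR X4 fed back into X1) are an assumption, since the slide's diagram did not survive; they are chosen because they reproduce the slide's 15-chip output from the initial state 1 -1 -1 -1. The second tap set is a constructed contrast case.

```python
# Added example: 4-stage LFSR m-sequence and the PN properties of slides 75-77.
# Bits 1/0 inside the register map to chips +1/-1 at the output.

SLIDE_15CHIP = [-1, -1, -1, 1, -1, -1, 1, 1, -1, 1, -1, 1, 1, 1, 1]  # slide 77 OUTPUT
SLIDE_7CHIP = [-1, -1, 1, 1, -1, 1, -1]                              # slide 76 example


def lfsr_chips(state, taps):
    """Shift an n-stage register 2^n - 1 times; output is the last stage.

    state: initial bits (X1..Xn); taps: 0-based stage indices XORed into X1.
    """
    reg = list(state)
    out = []
    for _ in range(2 ** len(reg) - 1):
        out.append(reg[-1])
        feedback = 0
        for t in taps:
            feedback ^= reg[t]
        reg = [feedback] + reg[:-1]
    return [1 if bit else -1 for bit in out]


def balance(chips):
    """Number of +1 chips minus number of -1 chips."""
    return chips.count(1) - chips.count(-1)


def cyclic_runs(chips):
    """Runs of equal chips, treating the sequence as periodic."""
    n = len(chips)
    # Start at a run boundary so a run wrapping around the end is not split.
    start = next((i for i in range(n) if chips[i] != chips[i - 1]), 0)
    rotated = chips[start:] + chips[:start]
    runs = []
    for c in rotated:
        if runs and runs[-1][0] == c:
            runs[-1][1] += 1
        else:
            runs.append([c, 1])
    return [(value, length) for value, length in runs]


def autocorrelation(chips):
    """C_k for k = 0..N-1: sum of chip products with the k-shifted sequence."""
    n = len(chips)
    return [sum(chips[i] * chips[(i + k) % n] for i in range(n))
            for k in range(n)]


def satisfies_pn_properties(chips):
    """Balance within one chip and off-peak autocorrelation within one chip."""
    off_peak = autocorrelation(chips)[1:]
    return abs(balance(chips)) <= 1 and all(abs(c) <= 1 for c in off_peak)


if __name__ == "__main__":
    good = lfsr_chips((1, 0, 0, 0), taps=(2, 3))   # assumed taps: X3 XOR X4
    bad = lfsr_chips((1, 0, 0, 0), taps=(1, 3))    # constructed non-maximal taps
    print("m-sequence :", good)
    print("balance    :", balance(good))
    print("runs       :", cyclic_runs(good))
    print("autocorr   :", autocorrelation(good))
    print("bad taps ok:", satisfies_pn_properties(bad))
```

With the non-maximal taps the register cycles with period 6 instead of 15, so the balance and auto-correlation properties fail.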

78 Short and Long Codes: Short codes can generally be transferred in the duration of a symbol. In IS-95, the length of short codes is $2^{15}-1$, and they can be transferred in 26.67 seconds when chip rate is 1.2888 Mcps. They are generally used in downlink to identify cells or location areas in cellular networks. In IS-95, the length of long codes is $2^{42}-1$, and they can be transferred in 44.5 days when chip rate is 1.2888 Mcps. They are generally used in uplink to identify mobile terminals.

79 # of Terminals that can Share a Sequence: A good pseudonoise sequence is different enough from any shifted version of itself. Shifting only one chip is enough to obtain a different pseudonoise sequence from the original. However, the difference between the pseudonoise sequences assigned to different terminals must be high enough to compensate for the differences in propagation delays.
Example: distance 15.6 km; chip rate = 3.6864 Mcps; # of bits in maximal length code generator n = 15.
The length of sequence: $p = 2^{15} - 1 = 32767$
The delay for 15.6 km: $t_d$ = 15.6/300000 = 0.052 msec
# of chips that can be transferred in $t_d$: s = 0.052 × 3,686.4 = 192 chips
# of available codes: d = 32,767/192 = 170

80 Orthogonal Codes: Orthogonal codes are used for channelization in downlink. Their autocorrelation is generally very low. However, their cross correlation is 0.

81 Cross-correlation: Cross-correlation is the correlation of a code with all of the shifted versions of another code.
Example: a = {-1 1 -1 1}, N = 4; b = {-1 -1 1 1}, N = 4. $R_0 = 0$ and $R_4 = 0$.
$R_1$ = 1 1 -1 -1 = 0
$R_2$ = -1 1 1 -1 = 0
$R_3$ = -1 -1 1 1 = 0

82 Walsh Hadamard Codes

83 Variable Length Orthogonal Codes

84 The Advantages of CDMA: CDMA has a soft capacity limited by interference. The decrease in interference will directly increase the capacity: voice channels are generally utilized 3/8 of the time; multi-beamed and multisectored antennas can reduce the interference. In FDMA and TDMA, some capacity between frequency channels is wasted. In CDMA, all the frequencies can be reused in the neighboring cells. In FDMA and CDMA, the frequency channel must be changed during handoff, i.e., hard handoff. This is not necessary in CDMA, i.e., soft handoff. CDMA needs power control, which actually decreases the interference and increases the capacity. CDMA naturally provides frequency diversity, which means additional security and reliability, especially for military systems.

85 The Capacity of CDMA: where
S is the power of the signal at the receiver
R is the bit rate of the channel (bps)
N is the number of channels used for the voice traffic
 is the voice activity factor for the voice channels
M is the number of channels used for the constant bit rate traffic
 is all the other noise over the media
B is the bandwidth of the channels (Hz).

86 The Capacity of CDMA
N  + M = (B/R) / (E_b/N_0)
N = (((B/R) / (E_b/N_0)) - 1) /  when only voice
N = (((B/R) / (E_b/N_0)) - 1) / ( + 0.247) when remote cell interference applied

87 Example: B: 5 MHz, B_FDMA: 30 KHz, B_TDMA = 200 KHz; E_b/N_0: 5,  = 3/8, R: 9.6 kbps; n_t: 8 (# of time slots in each TDMA frame);  : 4 (frequency reuse factor); no gaps between frequency channels, all voice channels, SOFT
For CDMA: N = (((5000000/9600) / 5) - 1) / (3/8 + 0.247) = 166 voice channels
For TDMA: N = ((5000000/200000)/4) × 8 = 50 voice channels
For FDMA: N = (5000000/30000)/4 = 42 voice channels

88 Token Based Dynamic Conflict Free Schemes (diagram label: token)

89 Multiple Access Schemes (tree diagram labels): Contention Based Schemes: Aloha, Slotted Aloha, Carrier Sense Multiple Access (CSMA), CSMA / Collision Detection, CSMA / Collision Avoidance. Conflict Free Schemes. Hybrid. Reservation Based: Packet Reservation Multiple Access, Resource Auction Multiple Access, Dynamic TDMA. Token Based: Packet Reservation Multiple Access, Resource Auction Multiple Access, Dynamic TDMA. Fixed Allocation: Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Code Division Multiple Access (CDMA).

90 Reservation Based Dynamic Conflict Free Schemes: Packet Reservation Multiple Access (PRMA); Dynamic TDMA (DTDMA); Resource Auction Multiple Access (RAMA)

91 Reservation Based Hybrid Schemes (frame structure figures). PRMA: S slots (R: reserved slots, A: available slots). D-TDMA: $S_r$ reservation slots, $S_v$ voice slots, $S_d$ data slots, variable border. RAMA: $S_a$ auction slots, $S_v$ voice slots, $S_d$ data slots, variable border.

92 Reservation Based Hybrid Schemes (timing diagram labels): Auction Slot, Auction, Allocation, time, $T_s$, $T_d$, Uplink, Downlink, Bit transfer time, Propagation and processing delay

93 MAC for Ad Hoc and Sensor Networks

94 CSMA-based MACs: Contention based medium access. Traditional CSMA schemes are inappropriate: they assume stochastically distributed traffic and support point-to-point independent flows. Traffic in sensor networks is highly correlated, dominantly periodic, variable.

95 Copyright © Erdal Cayirci, 2010 95/326 Other CSMA-based MACs for Ad Hoc Networks Piconet F.Bennett, D.Clarke, J.B. Evans, A.Hopper, A.Jones, and D.Leask, “Piconet: Embedded mobile networking”, IEEE Personal Communications Magazine, vol. 4, no. 5, pp. 8–15, Oct. 1997. Tseng et al. Y.Tseng, C.Hsu, and T.Hsieh, “Power-saving protocols for IEEE 802.11-based multi-hop ad hoc networks”, in Proceedings of the IEEE Infocom, New York, NY, June 2002, pp. 200–209. SEEDEX R.Rozovsky and P.R.Kumar, “Seedex: A MAC protocol for ad hoc networks”, In Proceedings of the 2nd ACM International Symposium on Mobile ad hoc networking and computing, pages 67-75, New York, NY, USA, 2001. ACM Press. RBAR G.Holland, N.Vaidya, and P.Bahl, “A rate-adaptive MAC protocol for multi-hop wireless networks. In Proceedings of ACM MOBICOM'01, Rome, Italy, 2001. OAR B.Sadeghi, V.Kanodia, A.Sabharwal, and E.Knighlty, “Opportunistic Media Access for Multirate Ad Hoc Networks”, in Proceedings of ACM MobiCom'02, Atlanta, GA, September 2002. Woo & Culler A.Woo and D.Culler, “A transmission control scheme for media access in sensor networks”, in Proceedings of the ACM/IEEE International Conference on Mobile Computing and Networking, Rome, Italy, July 2001, pp. 221–235, ACM.

96 Copyright © Erdal Cayirci, 2010 96/326 Sensor MAC (S-MAC) W.Ye, J.Heidemann, and D.Estrin, “An energy-efficient mac protocol for wireless sensor networks”, in Proceedings of the IEEE Infocom, New York, NY, June 2002, pp. 1567–1576. Each node obeys its neighbors’ schedule if one was heard, otherwise chooses and broadcasts one Schedule table is maintained locally and updated after receiving SYNC packets Sleep period does not hinder a transmission SleepListen Sleep SYNCRTS, CTSSYNCRTS, CTS

97 Copyright © Erdal Cayirci, 2010 97/326 Collision avoidance : similar to 802.11 DCF Overhearing : duration field of the packets Idle listening : low-duty cycle and virtual clusters Required synchronization is embedded at the start of the listen interval Message passing and adaptive listening techniques for optimizing the latency Sensor MAC (S-MAC) SleepListen Sleep SYNCRTS, CTSSYNCRTS, CTS

98 Copyright © Erdal Cayirci, 2010 98/326 Timeout MAC (T-MAC) T.van Dam and K.Langendoen, “An Adaptive Energy-Efficient MAC Protocol for Wireless Sensor Networks”, ACM SenSys, Los Angeles, CA, November, 2003. Clustering and synchronization as in S-MAC Adaptive duty cycle to handle load variations in time and location (i.e. near the sink) Fixed contention interval Sleep Active Time Sleep TATX/RXTA Active Time TA Active Time Sleep

99 Copyright © Erdal Cayirci, 2010 99/326 Buffer capacity and time-out period “TA” are the key properties Solutions to early sleeping problem; Future RTS packet: to get an appointment from the intended receiver for the next available moment Full buffer priority scheme: refuse an RTS and issue own RTS to empty the buffer Timeout- MAC (T-MAC) Sleep Active Time Sleep TATX/RXTA Active Time TA Active Time Sleep

100 Copyright © Erdal Cayirci, 2010 100/326 Power Control Power control schemes can be classified as: Open Loop / Closed Loop / Combined Open and Closed Loop Centralized / Distributed RSSI-based / SIR-based / BER-based Continuous Power / Discrete Power Fixed Step Size / Adaptive Step Size Common Power Control / Independent Power Control

101 Copyright © Erdal Cayirci, 2010 101/326 BASIC E.-S.Jungand N.H.Vaidya, “A Power Control MAC Protocol for Ad Hoc Networks,” MOBICOM2002, September 2002. a b c h d f e g r max r min RTS and CTS are transmitted at the maximum power (r max ). DATA and ACK are transmitted at the minimum power required (r min ). To improve the performance of BASIC scheme, the transmission power is periodically increased while a DATA frame is being transmitted.

102 Copyright © Erdal Cayirci, 2010 102/326 Power Controlled S-MAC (PCSMAC) a b c d f e r max r ab r ae r af r bc r bd ActiveSleep SYNCRTSSDSH, DATACTSACK Both open loop and closed loop, distributed, RSSI-based, fixed step size, discrete and independent. SYNC: r max RTS: open loop, max(rab, r ae, r af ). CTS, ACK: open loop, max(r ab, r bc, r bd ). SDSH: open loop, max(r ab, r ae, r af ). DATA: closed loop, r ab. P.C.Nar, E.Cayirci, “PCSMAC: A Power Controlled Sensor MAC Protocol for Wireless Sensor Networks,” EWSN 2005.

103 Copyright © Erdal Cayirci, 2010 103/326 SMACS and EAR (K.Sohrabi et al., “Protocols for Self-Organization of a Wireless Sensor Network”, IEEE Personal Communications, October 2000.) Each node maintains its own frame (superframe). Time slots are wasted if nothing to transmit. Uses FDMA or CDMA for multiple access. Neighbor discovery and channel assignment combined. Random wake up during connection phase. TATA TBTB fXfX fXfX Transmitting slot Receiving slot Connection messaging

104 Copyright © Erdal Cayirci, 2010 104/326 Contention resolution schemes for packet radio networks. 2-hop neighborhood awareness is essential which requires a random access period for distributing one-hop neighbor information. Nodes unelected during a time slot switch to receive mode L.Bao and J.J.Garcia-Luna-Aceves, “A new approach to channel access scheduling for ad hoc networks”, In The seventh annual international conference on Mobile computing and networking 2001, pages 210-221, 2001. NAMA, LAMA, PAMA Wireless Tactical Underwater Surveillance Networks Erdal CAYIRCI 104

105 Copyright © Erdal Cayirci, 2010 105/326 TRAMA. Contention resolution scheme for wireless sensor networks inspired by NAMA/LAMA/PAMA. Nodes unelected during a time slot switch to sleep mode instead of receive mode. (V. Rajendran, K. Obraczka, and J.J. Garcia-Luna-Aceves, “Energy-Efficient, Collision-Free Medium Access Control for Wireless Sensor Networks”, ACM SenSys, Los Angeles, CA, November 2003.)

106 Copyright © Erdal Cayirci, 2010 106/326 EMACS. Assumes a clustering scheme exists in the WSN. Each time slot = CR + TC + Data parts, where CR is Communication Request and TC is Traffic Control. Sleeping nodes do not own a time slot. Two types of sleep mode: standby and dormant. Integrated, collaborative approach that is part of the EYES project. (S. Dulman, L. van Hoesel, T. Nieberg, and P. Havinga, “Collaborative communication protocols for wireless sensor networks”, European research on middleware and architectures for complex and embedded cooperative systems, workshop held in conjunction with IEEE ISADS 2003, Pisa, Italy, pp. 3-7, ISBN 0-7695-1876-1, April 2003.)

107 Copyright © Erdal Cayirci, 2010 107/326 Ad Hoc Networks and Network Layer

108 Copyright © Erdal Cayirci, 2010 108/326 Routing: Flooding, Distance Vector, Link State. [Figure: source s and receiver r connected through routers or switches a, b, c, d, e, f, g, h, i, k, l, m.]

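109 Copyright © Erdal Cayirci, 2010 109/326 Distance Vector [Figure: routers g, h, i, k, l, m joined by links with costs 5, 3, 3, 5, 4, 4, 6, 4.]
Table of g (previous)
Dest. | Gateway | Cost
h | h | 4
i | h | 10
l | h | 12
k | h | 9
m | h | 13
Table of i (previous)
Dest. | Gateway | Cost
g | g | 5
h | h | 16
l | l | 3
k | l | 6
m | l | 7
Table of g (modified)
Dest. | Gateway | Cost
h | h | 4
i | i | 5
l | i | 8
k | h | 9
m | i | 12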

110 Copyright © Erdal Cayirci, 2010 110/326 Count to Infinity Problem for Distance Vector
[Figure: routers A, B, C, D, E in a line.] Each row lists the distance to A held by B, C, D and E.
A is down at the beginning:
∞ ∞ ∞ ∞ A comes up.
1 ∞ ∞ ∞ after 1 exc.
1 2 ∞ ∞ after 2 exc.
1 2 3 ∞ after 3 exc.
1 2 3 4 after 4 exc.
The algorithm reacts rapidly to good news. In N exchanges, everyone knows about the new router, where the longest path is N hops.
A is up at the beginning:
1 2 3 4 A goes down.
3 2 3 4 after 1 exc.
3 4 3 4 after 2 exc.
5 4 5 4 after 3 exc.
5 6 5 6 after 4 exc.
7 6 7 6 after 5 exc.
7 8 7 8 after 6 exc.
9 8 9 8 after 7 exc.
It repeats until ∞ ∞ ∞ ∞.
What is infinity? It is the highest number of hops plus 1, if the paths are measured according to the number of hops. What if we use delay?
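The two tables on this slide can be reproduced with a few lines of simulation. This is an added example, not part of the original presentation; it assumes synchronous exchanges on the chain A-B-C-D-E with hop count as the metric, and the bound 16 in the demo is the value RIP uses for infinity.

```python
import math

INF = math.inf  # "no route"; a real protocol replaces this with a finite bound


def exchange(dist, a_up, infinity=INF):
    """One synchronous exchange on the chain A-B-C-D-E.

    dist holds the hop counts to A currently stored at [B, C, D, E].
    Every router sets its distance to (best value heard from a neighbour) + 1,
    using the values its neighbours held before this exchange.
    """
    new = []
    for i in range(len(dist)):
        heard = []
        if i == 0:
            # B is A's only neighbour: it hears 0 from A while A is up
            heard.append(0 if a_up else infinity)
        else:
            heard.append(dist[i - 1])
        if i + 1 < len(dist):
            heard.append(dist[i + 1])
        new.append(min(min(heard) + 1, infinity))
    return new


def run(dist, a_up, rounds, infinity=INF):
    """Return the table row produced by each of `rounds` exchanges."""
    rows = []
    for _ in range(rounds):
        dist = exchange(dist, a_up, infinity)
        rows.append(dist)
    return rows


def exchanges_until_unreachable(dist, infinity):
    """Exchanges needed, after A goes down, until every router reports `infinity`."""
    count = 0
    while any(d != infinity for d in dist):
        dist = exchange(dist, a_up=False, infinity=infinity)
        count += 1
    return count


if __name__ == "__main__":
    print("good news:")
    for row in run([INF] * 4, a_up=True, rounds=4):
        print("  ", row)
    print("bad news (unbounded metric):")
    for row in run([1, 2, 3, 4], a_up=False, rounds=7):
        print("  ", row)
    # infinity = longest path (4 hops) + 1, as the slide suggests
    print("exchanges with infinity=5: ", exchanges_until_unreachable([1, 2, 3, 4], 5))
    print("exchanges with infinity=16:", exchanges_until_unreachable([1, 2, 3, 4], 16))
```

The smaller the value chosen for infinity, the sooner the routers agree that A is unreachable, which is why the slide ties it to the longest path in the network.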

111 Copyright © Erdal Cayirci, 2010 111/326 Link State [Figure: routers g, h, i, k, l, m with link costs.] Each router's link state lists Neighbor and Cost. g's link state: h 4, i 5. l's link state: i 3, m 4, k 3. k's link state: l 3, m 4, h 5. i's link state: h 6, g 5, l 3. h's link state: i 6, g 4, k 5.

112 Copyright © Erdal Cayirci, 2010 112/326 Routing in the Internet. Interior Gateway Protocols: RIP (distance vector), OSPF (link state), IS-IS (link state). Exterior Gateway Protocols: BGP. [Figure: Network 1 to Network 5.]

113 Copyright © Erdal Cayirci, 2010 113/326 Mobile IP. Addressing is the main issue. Care-of address advertisements vs requests. Address bindings that need periodic refresh. Secure authentication. [Figure: home LAN with home agent and home address, foreign LAN with foreign agent and care-of address, tunneling between them.]

114 Copyright © Erdal Cayirci, 2010 114/326 Quality of Service
Application | Reliability | Delay | Jitter | Bandwidth
E-mail | High | Low | Low | Low
File transfer | High | Low | Low | Medium
Web access | High | Medium | Low | Medium
Remote login | High | Medium | Medium | Low
Audio on demand | Low | Low | High | Medium
Video on demand | Low | Low | High | High
Telephony | Low | High | High | Low
Videoconferencing | Low | High | High | High

115 Copyright © Erdal Cayirci, 2010 115/326 Quality of Service Techniques Overprovisioning Buffering Traffic shaping –Leaky bucket –Token bucket Resource reservation Admission control Proportional routing Packet scheduling

116 Copyright © Erdal Cayirci, 2010 116/326 Quality of Service Protocols –Integrated Services (IntServ) –Resource reSerVation Protocol (RSVP) –Differentiated Services –MultiProtocol Label Switching (MPLS)

117 Copyright © Erdal Cayirci, 2010 117/326 Ad Hoc Networks - no fixed infrastructure - multihop - no centralized administration - nodes act both as a host and a router - wireless medium - topology changes - resources are limited source

118 Copyright © Erdal Cayirci, 2010 118/326 Ad Hoc Network Architectures tier-1 tier-2 Flat Architectures (not scalable) Hierarchical architectures (cluster-based)

119 Copyright © Erdal Cayirci, 2010 119/326 Scheduling in Ad Hoc Networks. A MAC layer related challenge. Important when TDMA is used. Can be defined as: “schedule a time slot t_i for every node i such that is minimized where n is the total number of nodes that have something to transmit.” Must tackle the interference problem. [Figure: primary interference among nodes a, b, c; secondary interference among nodes a, b, c, d.]

120 Copyright © Erdal Cayirci, 2010 120/326 Topology Maintenance in Ad Hoc Networks Topology maintenance schemes can be classified as: 1. According to control packet traffic generated for topology maintenance: - Active - Passive 2. According to the frequency of control packets - On demand (event driven) - Continuous (time driven) 3. According to the storage of topology data - Central - Distributed

121 Copyright © Erdal Cayirci, 2010 121/326 Ad Hoc Routing Algorithms: Table Driven (Proactive) and On Demand (Reactive). DSDV: Destination sequenced distance vector. CGSR: Cluster-head gateway switching routing. WRP: Wireless routing protocol. AODV: Ad hoc on demand distance vector. DSR: Dynamic source routing. LMR: Lightweight mobile routing. TORA: Temporally ordered routing. ABR: Associativity based routing. SSR: Signal stability routing.

122 Copyright © Erdal Cayirci, 2010 122/326 Fisheye Approach. The accuracy of the topology data is higher for closer nodes. [Figure: node s and nodes a to g at increasing distance.]

123 Copyright © Erdal Cayirci, 2010 123/326 Wireless Routing Protocol (WRP). DSDV and CGSR are based on the Bellman-Ford algorithm and they suffer from the count-to-infinity problem. WRP is a table-based proactive routing protocol that is based on a path-finding algorithm. In WRP each node in the network maintains four tables: distance table, routing table, link-cost table, message retransmission list.

124 Copyright © Erdal Cayirci, 2010 124/326 Wireless Routing Protocol (WRP) WRP uses both periodic and event triggered (in case of a link status change) update messages for topology maintenance. Update messages are exchanged among the neighboring nodes. Every node broadcasts a periodic update (HELLO message) reporting no changes if it does not report an update for a specific time period. Periodic updates are not acknowledged. Event triggered updates are broadcasted when topology changes are detected, and acknowledged by the related nodes.

125 Copyright © Erdal Cayirci, 2010 125/326 Ad Hoc On Demand Distance Vector (AODV) AODV is an improved version of DSDV and CGSR: –AODV is based on a route discovery process whereas DSDV is based on periodic update messages. –DSDV maintains all the routes whereas AODV maintains a route only when needed.

126 Copyright © Erdal Cayirci, 2010 126/326 Ad Hoc On Demand Distance Vector (AODV). Path discovery is initiated by a route request (RREQ) packet. RREQ packet fields: Source addr, Source seq #, Broadcast id, Destination addr, Destination seq #, Hop count. Routing table fields: Destination, Destination seq #, Next hop, Active neighbors, # of hops, Expiration time. [Figure: source s, destination d and intermediate nodes a, b, c, e, f, g, h.]

127 Copyright © Erdal Cayirci, 2010 127/326 Dynamic Source Routing (DSR). Route discovery and route maintenance modes. It is based on source routing. [Figure: source s, destination d and intermediate nodes a, b, c, e, f, g, h.]

128 Copyright © Erdal Cayirci, 2010 128/326 Temporally Ordered Routing Algorithm (TORA). TORA has three basic functions: route creation, route maintenance, route erasure. A height metric is used by the nodes in route creation and maintenance in order to establish a directed acyclic graph. The height metric is related to the logical time of link failure. The route erasure function uses a clear (CLR) packet throughout the network to erase invalid routes.

129 Copyright © Erdal Cayirci, 2010 129/326 Temporally Ordered Routing Algorithm (TORA). The link between nodes d and f fails. [Figure: source, destination and the height metric of nodes a to g, redrawn for Step 1, Step 2 and Step 3.]

130 Copyright © Erdal Cayirci, 2010 130/326 Routing Protocols for Sensor Networks. Categorization of routing protocols for wireless sensor networks (K. Akkaya, M. Younis, “A Survey on Routing Protocols for Wireless Sensor Networks,” Elsevier Ad Hoc Networks). Data centric protocols: Flooding, Gossiping, SPIN, SAR, Directed Diffusion, Energy Aware Routing, Rumor Routing, TEEN, APTEEN, CADR. Hierarchical: LEACH, PEGASIS, Self organizing protocol. Location based: MECN, SMECN, GAF.

131 Copyright © Erdal Cayirci, 2010 131/326 Flooding and Gossiping. Flooding: Broadcast data to all neighbor nodes. Gossiping: Send data to one randomly selected neighbor. Although these techniques are simple and reactive, they have some disadvantages, including the following: implosion, data overlap, resource blindness.

132 Copyright © Erdal Cayirci, 2010 132/326 Implosion, Data Overlap, Resource Blindness. Resource blindness: They are not resource aware protocols. [Figure: implosion with nodes s, a, b, d; data overlap with nodes a, b, d and labels t_1, t_2.]

133 Copyright © Erdal Cayirci, 2010 133/326 Sensor Protocols for Information via Negotiation (SPIN). Uses three types of messages: ADV, REQ, and DATA. When a sensor node has something new, it broadcasts an advertisement (ADV) packet that defines the new data by using meta data. Interested nodes send a request (REQ) packet. Data is sent to the requesting nodes in DATA packets. (W.R. Heinzelman et al., “Adaptive Protocols for Information Dissemination in Wireless Sensor Networks”, MobiCom’99.)

134 Copyright © Erdal Cayirci, 2010 134/326 Sensor Protocols for Information via Negotiation (SPIN). [Figure: three panels, ADV, REQ and DATA, each showing nodes s, a, b, c, d.]

136 Copyright © Erdal Cayirci, 2010 136/326 Sequential Assignment Routing (SAR). The SAR algorithm creates multiple trees that are rooted at one-hop neighbors of the sink. Each tree grows outward from the sink by avoiding nodes with very low QoS and energy reserves. At the end of this procedure, most nodes belong to multiple trees. (K. Sohrabi et al., “Protocols for Self Organization of a Wireless Sensor Network”, IEEE Personal Communications Mag., pp. 16-27, October 2000.)

137 Copyright © Erdal Cayirci, 2010 137/326 Directed Diffusion. The sink sends out task descriptors (interest). Task descriptors are named by assigning attribute-value pairs that describe the task. If a sensor node has data for that interest, the data is routed along the reverse path of interest propagation. The interest and data propagation and aggregation are determined locally. (C. Intanagonwiwat et al., “Directed Diffusion: A Scalable and Robust Communication Paradigm for Sensor Networks”, MobiCom’00.)

138 Copyright © Erdal Cayirci, 2010 138/326 Directed Diffusion. [Figure: source and sink.]

139 Copyright © Erdal Cayirci, 2010 139/326 Directed Diffusion: Interest Propagation. [Figure: source and sink.]

140 Copyright © Erdal Cayirci, 2010 140/326 Directed Diffusion: Gradient Setup. [Figure: source and sink.]

141 Copyright © Erdal Cayirci, 2010 141/326 Directed Diffusion: Data Delivery. [Figure: source and sink.]

142 Copyright © Erdal Cayirci, 2010 142/326 Low Energy Adaptive Clustering Hierarchy (LEACH). In LEACH, the nodes organize themselves into clusters. Sensors may elect themselves to be a local cluster head at any time with a certain probability. Each node accesses the network through the cluster head that requires minimum energy to reach. (W. R. Heinzelman, A. Chandrakasan, and H. Balakrishnan, “Energy-Efficient Communication Protocol for Wireless Microsensor Networks,” IEEE Proceedings of the Hawaii International Conference on System Sciences, pp. 1-10, January 2000.)

143 Copyright © Erdal Cayirci, 2010 143/326 Minimum Energy Communication Network (MECN). Uses graph theory. Each node knows its exact location. The network is represented by a graph G’, and it is assumed that the resulting graph is connected. (L. Li and J.Y. Halpern, “Minimum-Energy Mobile Wireless Networks Revisited”, ICC’01.)

144 Copyright © Erdal Cayirci, 2010 144/326 Minimum Energy Communication Network (MECN). A sub-graph G of G’ is computed. G connects all nodes with minimum energy cost. Connection A requires less energy than connection B because the power required to transmit between a pair of nodes increases as the n-th power of the distance between them (n >= 2). [Figure: connections A and B.]

145 Copyright © Erdal Cayirci, 2010 145/326 Power Controlled and Power Aware Routing in Sensor & Actuator Networks (E. Cayirci, T. Coplu, O. Emiroglu, “Power Aware Many-to-many Routing in Wireless Sensor and Actuator Networks”, EWSN’05.) Actuators register for the sensed data by disseminating a registration message. Every node maintains a registration table according to the registration messages. Every node derives a routing table from the registration table. Incoming sensed data packets are forwarded according to the routing table. [Figure: nodes a, b, c, d and actuators A, B, C.]

146 Copyright © Erdal Cayirci, 2010 146/326 Power Controlled and Power Aware Routing in Sensor & Actuator Networks
Registration Table
Actuator Id | Uplink Node Id | Echelon | minPA | totalPA | totalPU | Task
A | a | 2 | 5 | 5 | 2 | t_1
A | d | 2 | 4 | 4 | 3 | t_1
B | b | 2 | 7 | 7 | 2 | t_1, t_2
C | b | 3 | 3 | 10 | 5 | t_1, t_3
Routing Table
Task | Uplink Node Id
t_1 | a
t_1 | b
t_2 | b
t_3 | b
Route Selection Function f i =(  1  )+(  2  )+(  3  )+(  4 )

147 Copyright © Erdal Cayirci, 2010 147/326 Other Routing Protocols. Energy Aware Routing: R. Shah, J. Rabaey, “Energy Aware Routing for Low Energy Ad Hoc Sensor Networks,” IEEE WCNC’02, Orlando, March 2002. Rumor Routing: D. Braginsky, D. Estrin, “Rumor Routing Algorithm for Sensor Networks,” ACM WSNA’02, Atlanta, October 2002. Threshold sensitive Energy Efficient sensor Network (TEEN): A. Manjeshwar, D.P. Agrawal, “TEEN: A Protocol for Enhanced Efficiency in Wireless Sensor Networks,” IEEE WCNC’02, Orlando, March 2002. Constrained Anisotropic Diffusion Routing (CADR): M. Chu, H. Haussecker, F. Zhao, “Scalable Information-Driven Sensor Querying and Routing for Ad Hoc Heterogeneous Sensor Networks,” International Journal of High Performance Computing Applications, Vol. 16, No. 3, August 2002.

148 Copyright © Erdal Cayirci, 2010 148/326 Other Routing Protocols. Power Efficient Gathering in Sensor Information Systems (PEGASIS): S. Lindsey, C.S. Raghavendra, “PEGASIS: Power Efficient Gathering in Sensor Information Systems,” IEEE Aerospace Conference, Montana, March 2002. Self Organizing Protocol: L. Subramanian, R.H. Katz, “An Architecture for Building Self Configurable Systems,” IEEE/ACM Workshop on Mobile Ad Hoc Networking and Computing, Boston, August 2000. Geographic Adaptive Fidelity (GAF): Y. Yu, J. Heidemann, D. Estrin, “Geography-informed energy conservation for ad hoc routing,” MobiCom’01, Rome, July 2001.

149 Copyright © Erdal Cayirci, 2010 149/326 3D Routing. Underwater acoustic. Geographic routing protocol. Cross layer (MAC + Network). Latency is an important QoS metric. Techniques that monitor layers and avoid them.

150 Copyright © Erdal Cayirci, 2010 150/326 Transport layer for wireless networks Reliability Flow and Congestion Control

151 Copyright © Erdal Cayirci, 2010 151/326 End-to-end Reliable Event Transfer. Source to sink reliability. Sink to source reliability. [Figure: sink, nodes a, b, c, d, event region, sensor coverage and sensor range r.]

152 Copyright © Erdal Cayirci, 2010 152/326 Reliable Multi-Segment Transport (RMST). RMST is a transport layer protocol for directed diffusion. RMST provides end-to-end data-packet transfer reliability. RMST is a selective NACK-based protocol that can be configured for in-network caching and repair. There are two modes for RMST: caching mode and non-caching mode. In caching mode, a number of nodes along a reinforced path (the path being used by directed diffusion to convey the data to the sink) are assigned as RMST nodes. (F. Stann, J. Wagner, “RMST: Reliable Data Transport in Sensor Networks,” SNPA 2003.)

153 Copyright © Erdal Cayirci, 2010 153/326 Reliable Multi-Segment Transport (RMST). Each RMST node caches the fragments, identified by FragNo, of a flow identified by RmstNo. When a fragment is not received before the watchdog timer for the flow expires, a negative acknowledgement is sent backward. The first RMST node along the path that has the required fragment retransmits the fragment. In non-caching mode, the sink is the only RMST node. RMST relies on the directed diffusion scheme for recovery from failed reinforced paths. [Figure: source node, RMST nodes and sink.]

154 Copyright © Erdal Cayirci, 2010 154/326 Pump Slowly Fetch Quickly (PSFQ). Three functions: pump, fetch, and report operations. Every intermediate node maintains a data cache. A node that receives a packet checks its content against its local cache, and discards any duplicates. If the received packet is new, the TTL field in the packet is decremented. If the TTL field is higher than 0 after being decremented, and there is no gap in the packet sequence numbers, the packet is relayed after being delayed for a random period. A node goes to fetch mode once a sequence number gap is detected. The node in fetch mode requests a retransmission from neighboring nodes. (C-Y Wan, A.T. Campbell, L. Krishnamurthy, “PSFQ: A Reliable Transport Protocol for Wireless Sensor Networks,” WSNA’02.)

155 Copyright © Erdal Cayirci, 2010 155/326 Event-to-Sink Reliable Transport (ESRT). ESRT is the first scheme that focuses on the end-to-end reliable event transfer. The end-to-end event transfer reliability is controlled based on the reporting frequencies of sensor nodes. (Y. Sankarasubramaniam, O.B. Akan, I.F. Akyildiz, “ESRT: Event-to-Sink Reliable Transport in Wireless Sensor Networks,” Mobihoc’03.) [Figure: sink and nodes a, b, c, d.]

156 Copyright © Erdal Cayirci, 2010 156/326 Event-to-Sink Reliable Transport (ESRT). Congestion detection mechanism: local buffer level monitoring. Mark the Congestion Notification field when b_k + Δb > B, where b_k is the buffer fullness at interval k, Δb is the buffer length increment and B is the buffer size. [Figure: buffer levels b_{k-1} and b_k with increment Δb.]

157 Copyright © Erdal Cayirci, 2010 157/326 End-to-end Acknowledgements for Events (N. Tezcan, E. Cayirci, U. Caglayan, “End-to-end reliable event transfer in wireless sensor networks,” PIMRC 2004.) [Figure: temperature versus time for samples 1 to 14, with a threshold marked.]

158 Copyright © Erdal Cayirci, 2010 158/326 Selective Acknowledgements. Both ends know the threshold. When the receiver finds out that the difference between the value in a new sensed data packet and in the previous packet is higher than the threshold, this indicates a critical data packet, and it acknowledges the receipt of the critical packet. If the sender does not receive an acknowledgement for a critical packet during the timeout period, it retransmits the critical packet.

159 Copyright © Erdal Cayirci, 2010 159/326 Two parameters: t max, t avg A critical packet is retransmitted t max after its transmission if it is not acknowledged. If (numberOfEventsintheList>listSize-n) for(allEventsintheList) if(eventTime  t max || eventTime  t avg ) retransmit(event); t avg =  t avg + (1 -  ) t ack Timeout Period

160 Copyright © Erdal Cayirci, 2010 160/326 Enforced Acknowledgement. The source node marks the critical packet. The receiver acknowledges the marked packet. If the sender does not receive an acknowledgement for the critical packet during the timeout period, it retransmits the critical packet.

161 Copyright © Erdal Cayirci, 2010 161/326 Blanket Acknowledgement is used in SENDROM. (A. Erdogan, E. Cayirci, V. Coskun, “Sectoral Sweepers for Sensor Node Management and Location Estimation in AdHoc Sensor Networks,” MILCOM 2003. E. Cayirci, T. Coplu, “Sensor Networks for Disaster Relief Operations Management,” MedHocNet 2004.)

162 Copyright © Erdal Cayirci, 2010 162/326 Localization and Positioning

163 Copyright © Erdal Cayirci, 2010 163/326 Localization. [Figure: taxonomy with the labels GPS Based (Direct), Indirect, Global Positioning System (GPS), Manual Configuration, Absolute, Range-free.]

164 Copyright © Erdal Cayirci, 2010 164/326 Localization in Sensor Networks. Localization can be done: centralized, locally centralized, distributed.

165 Copyright © Erdal Cayirci, 2010 165/326 Localization in Sensor Networks. GPS-less techniques typically use one of the following techniques for location estimation: received signal strength (RSS), time of arrival (TOA), time difference of arrival (TDOA), angle of arrival (AOA).

166 Copyright © Erdal Cayirci, 2010 166/326 Triangulation or Trilateration. Three or more beacon locations and their directions according to the node location are known. Three or more beacon locations and their distances to the node location are known:
(x - x_1)^2 + (y - y_1)^2 = d_1^2
(x - x_2)^2 + (y - y_2)^2 = d_2^2
(x - x_3)^2 + (y - y_3)^2 = d_3^2
[Figure: a sensor and three beacons at (x_1, y_1), (x_2, y_2), (x_3, y_3), with angles 1, 2, 3 in one panel and distances d_1, d_2, d_3 in the other.]
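A worked solution of the distance equations above, added here as an example that is not part of the original presentation. It subtracts the last beacon's equation from the others to get a linear system, solves it by least squares so that more than three beacons can be used, rejects collinear beacons (no unique solution), and reports per-beacon residuals so that a range that disagrees with the others (multipath, or a falsified beacon report) stands out. The beacon coordinates and distances are constructed values.

```python
import math


def trilaterate(beacons):
    """Least-squares position from [(x_i, y_i, d_i), ...], at least three beacons.

    Subtracting the last circle equation from each of the others gives
      2(x_n - x_i) x + 2(y_n - y_i) y = d_i^2 - d_n^2 - x_i^2 - y_i^2 + x_n^2 + y_n^2
    which is linear in the unknown position (x, y).
    """
    if len(beacons) < 3:
        raise ValueError("need at least three beacons")
    xn, yn, dn = beacons[-1]
    rows = []
    for xi, yi, di in beacons[:-1]:
        a1 = 2 * (xn - xi)
        a2 = 2 * (yn - yi)
        b = di**2 - dn**2 - xi**2 - yi**2 + xn**2 + yn**2
        rows.append((a1, a2, b))
    # Normal equations (A^T A) p = A^T b for the 2x2 unknown p = (x, y)
    s11 = sum(a1 * a1 for a1, _, _ in rows)
    s12 = sum(a1 * a2 for a1, a2, _ in rows)
    s22 = sum(a2 * a2 for _, a2, _ in rows)
    t1 = sum(a1 * b for a1, _, b in rows)
    t2 = sum(a2 * b for _, a2, b in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) <= 1e-9 * max(s11 * s22, 1.0):
        raise ValueError("beacons are collinear: no unique solution")
    x = (t1 * s22 - s12 * t2) / det
    y = (s11 * t2 - s12 * t1) / det
    return x, y


def residuals(beacons, position):
    """|distance from the estimate to beacon i - reported d_i| for every beacon."""
    x, y = position
    return [abs(math.hypot(x - xi, y - yi) - di) for xi, yi, di in beacons]


# Constructed sample: the node is really at (3, 4).
HONEST = [
    (0.0, 0.0, 5.0),
    (10.0, 0.0, math.sqrt(65)),
    (0.0, 10.0, math.sqrt(45)),
    (10.0, 10.0, math.sqrt(85)),
]
# Same beacons, but the last range is reported 5 units too long.
TAMPERED = HONEST[:3] + [(10.0, 10.0, math.sqrt(85) + 5.0)]
COLLINEAR = [(0.0, 0.0, 5.0), (5.0, 0.0, 4.0), (10.0, 0.0, 8.0)]

if __name__ == "__main__":
    for name, data in (("honest", HONEST), ("tampered", TAMPERED)):
        pos = trilaterate(data)
        print(name, [round(v, 3) for v in pos],
              "max residual", round(max(residuals(data, pos)), 3))
    try:
        trilaterate(COLLINEAR)
    except ValueError as err:
        print("collinear:", err)
```

With only three beacons the linear system is exactly determined and the residuals are always zero, so the consistency check needs at least a fourth range.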

167 Copyright © Erdal Cayirci, 2010 167/326 Received signal strength. The following information is used to estimate the distance to a transmitter: received power, transmitted power, path loss model. The RSSI method may be unreliable and inaccurate due to: multi-path effects; shadowing, scattering, and other impairments; non line of sight conditions.

168 Copyright © Erdal Cayirci, 2010 168/326 Time of arrival. The following information is used to estimate the distance to a transmitter: reception time, transmission time, propagation speed. The time of arrival method may also be unreliable and inaccurate due to multi-path effects and non line of sight conditions. The beacon and the node need to be synchronized. The propagation speed of RF signals is too high for beacon based localization in sensor networks. Therefore signals with lower propagation speed, such as ultrasound, should be used.

169 Copyright © Erdal Cayirci, 2010 169/326 Time difference of arrival. The following information is used to estimate the distance to a transmitter: arrival time of an RF signal, arrival time of an ultrasound signal, propagation speed of these signals. The difference between the propagation delays of RF and ultrasound signals gives the distance. The time difference of arrival method may also be unreliable and inaccurate due to multi-path effects and non line of sight conditions.

170 Copyright © Erdal Cayirci, 2010 170/326 Angle of arrival. Special antenna configurations are used to estimate the angle of arrival of the received signal. The angle of arrival method may also be unreliable and inaccurate due to: multi-path effects; shadowing, scattering, and other impairments; non line of sight conditions.

171 Copyright © Erdal Cayirci, 2010 171/326 Collaborative Multilateration. One-hop multilateration. Two-hop collaborative multilateration. Use at least n equations to estimate n variables. The solution uniqueness is required. [Figure: beacons and sensors.]

172 Copyright © Erdal Cayirci, 2010 172/326 Using Previous Measurements from Fixed Locations. [Figure: beacon, sensor, receiver and the location for the previous reading.]

173 Copyright © Erdal Cayirci, 2010 173/326 Lighthouse. [Figure: target and lighthouse.]

174 Copyright © Erdal Cayirci, 2010 174/326 Range Free Techniques. a. Sectoral sweepers. b. Centroid. [Figure: points (x_1, y_1), (x_2, y_2), (x_3, y_3), (x_4, y_4).]

175 Copyright © Erdal Cayirci, 2010 175/326 Range Free Techniques (Cayirci, E., Coplu T., “SENDROM: Sensor Networks for Disaster Relief Operations Management,” ACM/Kluwer Wireless Networks (to appear).) [Figure: rubble, 20 to 25 meters; directional antenna, 2 to 3 m; location of a detected person; coverage area of a transmitted task.]

176 Copyright © Erdal Cayirci, 2010 176/326 Time Synchronization

177 Copyright © Erdal Cayirci, 2010 177/326 Time Synchronization. Nodes need to maintain the same time frame for: time synchronization for communications protocols; data fusion (associating the sensed data, aggregating the sensed data); target tracking (finding out the direction and speed of a target).

178 Copyright © Erdal Cayirci, 2010 178/326 Factors Influencing Time Synchronization. Temperature: Temperature variations during the day may cause the clock to speed up or slow down (a few microseconds per day). Phase noise: Access fluctuation at the hardware interface, response variation of the operating system to interrupts, jitter in delay, etc. Frequency noise: The frequency spectrum of a crystal has large sidebands on adjacent frequencies. Asymmetric delay: The delay of a path may be different for each direction. Clock glitches: Hardware or software anomalies may cause sudden jumps in time.

179 Copyright © Erdal Cayirci, 2010 179/326 Time Synchronization. Offset (ο): Nodes may be started at different times. Therefore, Node A may have a clock C_A different from the clock C_B that Node B has when the network starts at time t_0. Skew (s): Factors like frequency noise and hardware may make the crystals of nodes run at different frequencies. This causes clock skew, which may be ±30-40 parts per million (ppm) for sensor node hardware. Skew may make the times of two nodes get closer or further apart, based on the offset. The skew-related change per unit time t is constant. Drift (d): Factors like temperature, phase, asymmetric delay and clock glitches may change the offset between two nodes over time. Since these factors vary over time, the change in clock per unit time, called drift, is not a fixed value.

180 Copyright © Erdal Cayirci, 2010 180/326 Time Synchronization. Clustered synchronization. Accuracy: exact, loose. Distribution: centralized, distributed. Procedure: pair-wise (sender/receiver), broadcast (receiver/receiver).

181 Copyright © Erdal Cayirci, 2010 181/326 Data Querying

182 Copyright © Erdal Cayirci, 2010 182/326 Data Querying in Sensor Networks. Continuous (persistent) queries or one-time (snapshot) queries. Historical or real-time queries. Aggregate or simple queries. Complex or simple queries. Spatial or temporal queries.

183 Copyright © Erdal Cayirci, 2010 183/326 DADMA: Data Aggregation and Dilution by Modulus Addressing (E. Cayirci, “Data Aggregation and Dilution by Modulus Addressing in WSNs,” IEEE Communications Letters, August 2003.) Query syntax: Select [ task, time, location, [distinct | all], amplitude, [[avg | min | max | count | sum] (amplitude)]] from [any, every, aggregate m, dilute m] where [ power available [ ] PA | location [in | not in] RECT | t_min < time < t_max | task = t | amplitude [ ] a ] group by task based on [time limit = l_t | packet limit = l_p | resolution = r | region = xy]. [Figure: Virtual Local Sensor Node Table, Sensor Network Database View and External Sensor Network Database Table, with the column sets (Task, Amplitude, Location, Time), (Task, Amplitude, Location) and (Task, Amplitude).]

184 Copyright © Erdal Cayirci, 2010 184/326 Sensor Query and Tasking Language (SQTL). SQTL is a procedural scripting language. It provides interfaces to access sensor hardware (getTemperature, turnOn), for location awareness (isNeighbor, getPosition) and for communication (tell, execute). (C-C Shen et al., “Sensor Information Networking Architecture and Applications”, IEEE Personal Communications Magazine, pp. 52-59, August 2001.)

185 Copyright © Erdal Cayirci, 2010 185/326 Sensor Query and Tasking Language (SQTL). By using the upon construct, a programmer can create an event handling block for three kinds of event: events generated when a message is received by a sensor node, events triggered periodically, and events caused by the expiration of a timer. These types of events are defined by the SQTL keywords receive, every and expire, respectively.

186 Copyright © Erdal Cayirci, 2010 186/326 Task Sets (E. Cayirci, C. Cimen, V. Coskun, “Querying Sensor Networks By Using Dynamic Task Sets,” Computer Networks (Elsevier), 2006.)
Sensor node event status table
Quadtree Address | Sensor Type | Power Available | Task Set
00 | 1 | 0.95 | 2
00 | 1 | 0.98 | 1
00 | 1 | 0.93 | 2
00 | 1 | 0.96 | 2
[Figure: quadtree cells 00, 01, 11, 10; Task Set 1 and Task Set 2 in cell 00.]

187 Copyright © Erdal Cayirci, 2010 187/326 ACQUIRE (N. Sadagopan, B. Krishnamachari, A. Helmy, “The Acquire Mechanism for Efficient Querying in Sensor Networks,” Elsevier Ad Hoc and Sensor Networks, 2004.) [Figure: query node, active node, sensor node, active query, sensed data, complete data.]

188 Copyright © Erdal Cayirci, 2010 188/326 Mobility-Assisted Resolution of Queries in Large-Scale Mobile Sensor Networks (A. Helmy, “Mobility-Assisted Resolution of Queries in Large-Scale Mobile Sensor Networks,” Special Issue of Computer Networks (Elsevier) on Wireless Sensor Networks, 2003.) [Figure: selector node S and zone radius R (in hops).]

189 Copyright © Erdal Cayirci, 2010 189/326 Coverage

190 Copyright © Erdal Cayirci, 2010 190/326 Factors for Node Coverage - Node deployment scheme - Sensing and communications range - Energy efficiency and connectivity requirements - Algorithm paradigm, i.e., centralized or distributed

191 Copyright © Erdal Cayirci, 2010 191/326 Coverage Problem. In area coverage the objective is to cover an area: for the sensing coverage problem this means ensuring that every point in a given area can be observed, and for the communications coverage problem that a node at any point in the area can access the network. In point coverage the objective is to ensure that a given set of points are covered by the network. In barrier coverage the objective is to ensure that there is no hidden path through the network, i.e., an intruder cannot go through the network without crossing the coverage area of at least one node.

192 Copyright © Erdal Cayirci, 2010 192/326 Approaches for Coverage Problem - The nodes are assumed to be deployed randomly according to a distribution, and the minimum number of nodes that satisfies a given probability of coverage is determined. - It is assumed that the nodes can be deployed at certain locations, and the location for each node is determined such that the maximum coverage for the given number of nodes can be achieved.

193 Copyright © Erdal Cayirci, 2010 193/326 Security in Wireless Communications

194 Copyright © Erdal Cayirci, 2010 194/326 Security Challenges Specific to Wireless Networks Easier to tap Limited resources and stringent constraints Self forming, self organization and self healing algorithms Hidden and exposed terminal Jamming and the other denial of service attacks

195 Copyright © Erdal Cayirci, 2010 195/326 Information Security. Computer Security, Communications Security, Hardware Security, Software Security, Transmission Security, Emanation Security.

196 Copyright © Erdal Cayirci, 2010 196/326 Security Attacks Security attacks can be classified into two broad classes: Passive: no emission to conduct the attack Active: emit, interfere or tamper

197 Copyright © Erdal Cayirci, 2010 197/326 Passive Attacks: Eavesdropping, Traffic Analysis. Eavesdrop: Tap the communication lines - wireless links are easier to tap - signals are sent to shorter distances in wireless ad hoc networks - challenges when multiple networks with different classification - privacy challenges - collection vs analysis. Traffic analysis: Traffic patterns and rates - friendship trees

198 Copyright © Erdal Cayirci, 2010 198/326 Traffic Analysis - Traffic analysis at the physical layer: In this attack only the carrier is sensed and the traffic rates are analyzed for the nodes at a location. - Traffic analysis in MAC and higher layers: MAC frames and data packets can be de-multiplexed and the headers can be analyzed. This can reveal the routing information, topology of the network and friendship trees. - Traffic analysis by event correlation: Events like a detection in sensor network or transmission by an end user can be correlated with the traffic and more detailed information, e.g., routes, etc., can be derived. - Active traffic analysis: For example, certain number of nodes can be destroyed, which stimulates the self organization in the network, and valuable data about the topology can be gathered.

199 Copyright © Erdal Cayirci, 2010 199/326 Active Attacks
Physical Active Attacks: - Destruction - EMP - Tampering
Masquerade, Replay, Message Modification: - Integrity - Unauthorized Access - Confidentiality - Privacy
Denial of Service: - Physical Layer - MAC Layer - Network Layer - Transport Layer - Application Layer
Misbehaving: - Selfishness - Attacks against charging scheme

200 Copyright © Erdal Cayirci, 2010 200/326 Tampering Invasive (unlimited access) Traffic Analysis (analyze the behaviour) Example attacks: - micro probing - laser cutting - focused ion-beam manipulation - glitch attacks - power analysis

201 Copyright © Erdal Cayirci, 2010 201/326 Masquerade, Modify, Replay A masquerading node acts as if it is another node. Messages can be captured and replayed by the masquerading nodes. The content of the captured messages can be modified before being replayed.

202 Copyright © Erdal Cayirci, 2010 202/326 Masquerade, Modify, Replay Attacks can be organized against - Node localization - Time synchronization - Data aggregation and fusion - Data correlation and association - Event and event boundary detection - Node management

203 Copyright © Erdal Cayirci, 2010 203/326 Masquerade, Modify, Replay - Sybil attack: introduce multiple identities - Unauthorized access - Phishing: Password fishing - Preserve anonymity of the attacker

204 Copyright © Erdal Cayirci, 2010 204/326 Denial of Service Attack Any event that diminishes a network's capacity to perform its expected function correctly or in a timely manner A DOS attack is characterized by: - Malicious: It is carried out to prevent the network from fulfilling its intended functions. It is not accidental. Otherwise it is not in the domain of security but reliability and fault tolerance. - Disruptive: It degrades the quality of services by the network. - Asymmetric: The attacker puts in much less effort compared to the impact made on the network.

205 Copyright © Erdal Cayirci, 2010 205/326 Denial of Service Attack - In physical layer (jamming) either continuous or temporary and random - In MAC layer: - Whenever an RTS signal is received, a signal that collides with the CTS signal is transmitted. - If the MAC scheme is based on the sleep and active periods, jamming only the active periods can continuously block the channel. - False RTS or CTS signals with long data transmission parameters are continuously sent out. - Acknowledgement spoofing, where an adversary sends false link layer acknowledgements.

206 Copyright © Erdal Cayirci, 2010 206/326 DOS Against Routing - Spoofed, altered, or replayed routing information - Hello flood - Wormhole - Detour [Figure: Hello Flood and Wormhole examples on a topology with nodes a, b, c, d, e, f, m, w1 and w2]

207 Copyright © Erdal Cayirci, 2010 207/326 DOS Against Routing - Sinkhole: attractive malicious node - Blackhole: malicious node drops every packet - Selective forwarding: malicious node does not forward every packet - Routing loop attack: Detour or sinkhole attacks to create routing loops - Sybil attack: A single node presents multiple identities - Rushing attack: An attacker disseminates route request and reply messages quickly throughout the network. - Attacks that exploit node penalizing schemes - Attacks to deplete network resources

208 Copyright © Erdal Cayirci, 2010 208/326 DOS Against Transport Layer - Transport layer acknowledgement spoofing - Replaying acknowledgement - Jamming acknowledgements - Changing sequence number - Connection request spoofing

209 Copyright © Erdal Cayirci, 2010 209/326 Misbehaving - Selfishness - Attacks against payment schemes - Refusal to pay - Dishonest rewards - Free riding source destination infrastructure routing node routing node routing node routing node

210 Copyright © Erdal Cayirci, 2010 210/326 Attackers Motivation - Confidentiality - Integrity - Privacy - Unauthorized Access - DoS - Selfishness - Charging - Rewarding Emission - Active - Passive Location - Insider - Outsider Quantity - Single - Multiple - Coordinating Multiple Rationality - Naive - Irrational - Rational Mobility - Fixed - Mobile

211 Copyright © Erdal Cayirci, 2010 211/326 Security Goals Authentication Access control Confidentiality to protect content Confidentiality to prevent traffic analysis Privacy Integrity Authorization Anonymity Non-repudiation Freshness Availability Resilience against attacks

212 Copyright © Erdal Cayirci, 2010 212/326 Challenges and Solutions: Basic Issues

213 Copyright © Erdal Cayirci, 2010 213/326 Security challenges and solutions in wireless networks Bootstrapping security in Ad Hoc networks Bootstrapping security in sensor networks Key distribution, exchange and management Authentication issues Integrity

214 Copyright © Erdal Cayirci, 2010 214/326 Bootstrapping security in Ad Hoc networks Build a security infrastructure between the nodes during the bootstrapping phase New nodes that join the network can form a secure association with the nodes already in the network The trust infrastructure can be set up without knowledge of the network topology The credential verification scheme should be strong enough to resist DoS attacks and at the same time should not need large computational ability and memory

215 Copyright © Erdal Cayirci, 2010 215/326 Building security infrastructure in Ad Hoc networks Prior context can be used Trusted third party can be used to facilitate the establishment More natural to self-organize the trust infrastructure

216 Copyright © Erdal Cayirci, 2010 216/326 Bootstrapping security in sensor networks Resilience against node capture Resistance against node replication Revocation Scalability

217 Copyright © Erdal Cayirci, 2010 217/326 Key distribution, exchange and management Desirable features of ad hoc network key management scheme: applicability security Robustness scalability simplicity

218 Copyright © Erdal Cayirci, 2010 218/326 Key distribution, exchange and management Standards None MANET internet drafts and RFCs has thus part IEEE 802.11i assumes keys are preshared or established with the aid of fixed infrastructure ZigBee, IEEE 802.15.4, Bluetooth are infrastructure-based networks and do not apply to MANETs

219 Copyright © Erdal Cayirci, 2010 219/326 Key distribution, exchange and management Classification of key management schemes Key management schemes - Contributory schemes (key agreement): D-H, ING, B-D, H&O, CLIQ - Distributive schemes (key distribution) - Public key schemes - Certificate based: Z-H, MOCA, SEKM, UBIQ, AKM, PGP-A, COMP, MOB-a/MoB-so - Identity based: IBC-K - Symmetric schemes - MANET schemes: PSGK, SKIMPy, S-HEAL, LKH, GKMPAN - WSN schemes: PRE, SPINS, PEBL, INF, LEAP

220 Copyright © Erdal Cayirci, 2010 220/326 Contributory key management schemes D-H ING B-D H&O A-G CLIQ

221 Copyright © Erdal Cayirci, 2010 221/326 Distributive key management schemes Public key schemes: Certificate based - Z-H - MOCA - SEKM - UBIQ - AKM - PGP-A - COMP - MoB-a/MoB-so Identity based - IBC-K Symmetric key schemes

222 Copyright © Erdal Cayirci, 2010 222/326 Partially distributed Threshold CA Scheme (Z-H) Provide an available, intrusion tolerant, and robust CA functionality for ad hoc networks Private CA key distributed over a set of server nodes Using share refreshing to counter mobile adversaries Synchronization needed

223 Copyright © Erdal Cayirci, 2010 223/326 MOCA An extension to Z-H Nodes that exhibit best physical security and computational resources serve as MOCAs Moves the combiner function of Z-H from CA servers to requesting end-nodes MOCA certification protocol

224 Copyright © Erdal Cayirci, 2010 224/326 SEKM Servers of MOCA form a multicast group Efficient updating of secret shares and certificates

225 Copyright © Erdal Cayirci, 2010 225/326 UBIQ Fully distributed threshold CA scheme All nodes get a share of the private CA key Certification service is delivered within 1-hop neighborhoods Bandwidth efficient and good for the scalability Possible requirement of human involvement

226 Copyright © Erdal Cayirci, 2010 226/326 AKM Autonomous key management (AKM) [Figure: three panels. Initialization: shares f(N1), f(N2), f(N3) of the secret S = S1 + S2 + S3, with (k,n) = (3,3). New node added: shares f(N1) to f(N6), with (k,n) = (3,6). Split: two regions with shares g(N1), g(N2), g(N3) and h(N4), h(N5), h(N6), each with (k,n) = (3,3).]

227 Copyright © Erdal Cayirci, 2010 227/326 PGP-A CA functionality completely distributed, all nodes have equal roles Assumes trust is transitive Certificates exchanged periodically Renewals require contact with the issuer

228 Copyright © Erdal Cayirci, 2010 228/326 COMP Combines MOCA’s partially distributed threshold CA with PGP-A certificate-chaining Each certificate includes a confidence value reflecting the level of confidence Higher security than obtainable with PGP-A Increased availability of CA service compared to MOCA

229 Copyright © Erdal Cayirci, 2010 229/326 MOB Seeks to mimic human behavior Can be fully self-organizing (MOB-so) or rely on an off-line authority (MOB-a) Bandwidth efficient with limited scalability Long delay to establish security associations with all communication partners

230 Copyright © Erdal Cayirci, 2010 230/326 IBC-K 1 SETUP: PKG chooses two large primes as the private master key, and publishes the chosen and calculated public system parameters as shown. Private master key: p, q (two large primes). Public system params: n = p·q (factorization is kept secret), e = large prime with gcd(e, φ(n)) = 1, f = hash function. 2 EXTRACTION: The user presents its identity i to the PKG. The PKG returns the corresponding private key g. The identity is related to g in the following way: g^e = i (mod n). 3 SIGNING: The signature (s, t) of the message m is calculated as follows: t = r^e, s = g·r^f(t,m) (mod n). Alice sends (i, m, t, s) to Bob. 4 VERIFICATION: The signature (s, t) of the message m is verified by checking: s^e = i·t^f(t,m) (mod n). The security of Shamir’s IBS scheme relies on the difficulty of deciding g given g^e mod n when the factorization of n is unknown. i: user id, m: message, s, t: signature, r: random. [Figure labels: PKG, user, Alice, Bob, secure channel]
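
The four steps of the IBC-K slide (setup, extraction, signing, verification) as a runnable sketch. This is an added example, not code from the presentation. The toy primes, the SHA-256 based hash f, and the mapping of an identity string to the integer i are assumptions made here.

```python
import hashlib
import secrets
from math import gcd

# 1 SETUP (PKG). Constructed toy master key: two known Mersenne primes.
# A real PKG picks large random secret primes; these are for illustration only.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                      # public modulus n = p*q
E = 65537                      # public prime exponent e
PHI = (P - 1) * (Q - 1)
if gcd(E, PHI) != 1:
    raise ValueError("e must be coprime to phi(n)")
D = pow(E, -1, PHI)            # known only to the PKG; needs the factorization


def _hash_to_int(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


def identity_to_int(identity: str) -> int:
    """Assumed encoding of the user id string as the integer i (mod n)."""
    return _hash_to_int(b"id", identity.encode()) % N


def f(t: int, m: bytes) -> int:
    """Public hash function f(t, m) from the system parameters."""
    return _hash_to_int(t.to_bytes((N.bit_length() + 7) // 8, "big"), m)


def extract(identity: str) -> int:
    """2 EXTRACTION (PKG): private key g with g^e = i (mod n)."""
    return pow(identity_to_int(identity), D, N)


def sign(g: int, m: bytes) -> tuple[int, int]:
    """3 SIGNING (user): t = r^e, s = g * r^f(t,m) (mod n)."""
    r = secrets.randbelow(N - 2) + 2
    t = pow(r, E, N)
    s = (g * pow(r, f(t, m), N)) % N
    return s, t


def verify(identity: str, m: bytes, s: int, t: int) -> bool:
    """4 VERIFICATION: accept iff s^e = i * t^f(t,m) (mod n)."""
    i = identity_to_int(identity)
    return pow(s, E, N) == (i * pow(t, f(t, m), N)) % N
```

The verifier needs only the signer's identity and the public parameters (n, e, f); no certificate lookup is involved, which is why the private key g must reach the user confidentially.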

231 Copyright © Erdal Cayirci, 2010 231/326 Symmetric key schemes Public key schemes: MANET schemes - PSGK - SKIMPy - S-HEAL - LKH - GKMPAN Identity based - PRE - SPINS - PEBL - INF - LEAP

232 Copyright © Erdal Cayirci, 2010 232/326 PSGK Key distribution centre pre-distributing a symmetric key to all members of the group Lacks intrusion tolerance in the sense that security succumbs to a single captured node Not designed specially for ad hoc networks

233 Copyright © Erdal Cayirci, 2010 233/326 SKiMPy Designed for MANETs to protect network layer routing information or application layer user data Periodically updates the group key to counter cryptanalysis Bandwidth efficient Adds complexity compared to PSGK

234 Copyright © Erdal Cayirci, 2010 234/326 S-HEAL Key distribution scheme with revocation, for networks with unreliable links Demands pre-shared secrets and group manager Self-healing Inapplicable for protection of routing information

235 Copyright © Erdal Cayirci, 2010 235/326 LKH K 12345678 K 1234 K1K1 K 12 K2K2 K3K3 K 34 K4K4 K 5678 K5K5 K 56 K6K6 K7K7 K 78 K8K8 N1N2N3N7N5N8N4N6

236 Copyright © Erdal Cayirci, 2010 236/326 GKMPAN Designed for secure multicast in ad hoc networks Assumes a pre-distributed group key plus a pre-distributed commitment Increases intrusion tolerance compared to PSGK

237 Copyright © Erdal Cayirci, 2010 237/326 PRE Assumes WSN nodes outfitted with a pre-installed key ring A number of PRE schemes for WSNs have been proposed The idea of the key ring of PRE is intrusion tolerance Intrusion resistance comparable to PSGK

238 Copyright © Erdal Cayirci, 2010 238/326 SPINS Assume pre-installed individual (pairwise) keys between sensor nodes and base station Demands routing protocol and reliable access to the base station Includes a scheme for authenticated broadcast

239 Copyright © Erdal Cayirci, 2010 239/326 PEBL Refers to large ad hoc networks with small size and a large number of nodes An extension to PSGK Protection of application data Offers no protection against replay or intrusion attacks Bandwidth consuming, needs synchronization

240 Copyright © Erdal Cayirci, 2010 240/326 INF Intended for WSNs Assumes static sensor nodes and mass deployment A key whispering approach is used Simple, self-organizing, and robust to Byzantine behavior and faulty nodes Bandwidth efficient, scales well Vulnerable to eavesdropping during key whispering

241 Copyright © Erdal Cayirci, 2010 241/326 LEAP Designed for static WSNs Different keys for different purposes Pre-distributed individual keys are used for communication between sensor nodes and the base station Pre-shared group key is applied for protection of broadcast information from the base station

242 Copyright © Erdal Cayirci, 2010 242/326 Authentication issues Authentication needed in wireless networks MAC (message authentication code) used to provide authentication Asymmetric mechanisms adopted for multi-party communication

243 Copyright © Erdal Cayirci, 2010 243/326 Integrity Data integrity needed in wireless networks CRC and MAC can be used to provide data integrity

244 Copyright © Erdal Cayirci, 2010 244/326 Challenges and Solutions: Protection

245 Copyright © Erdal Cayirci, 2010 245/326 Privacy and anonymity There is conflict between the need for public information and the demand of personal privacy in wireless networks Anonymity techniques are needed to provide privacy Information flooding is an efficient way to provide anonymity Policy-based access control decision and authentication can also help

246 Copyright © Erdal Cayirci, 2010 246/326 Privacy and anonymity Anonymity approaches to provide privacy Decentralize sensitive data Using secure communication protocols, SPINS De-patterning data transmission Increasing sensor node mobility

247 Copyright © Erdal Cayirci, 2010 247/326 Intrusion detection Intrusion detection is the first line of defense Intrusion detection techniques Abnormality detection Misuse detection Specification based detection

248 Copyright © Erdal Cayirci, 2010 248/326 Intrusion detection Architectures for IDS in wireless ad hoc networks Stand-alone IDS Distributed and Cooperative IDS Hierarchical IDS Mobile Agent for IDS IDS for sensor networks

249 Copyright © Erdal Cayirci, 2010 249/326 Defense against traffic analysis Rate monitoring attack Method against rate monitoring attack Time correlation attack Method against time correlation attack

250 Copyright © Erdal Cayirci, 2010 250/326 Access control and secure human computer interaction Problems related with password mechanism Characteristics should be considered for password design Different methods for access control and strange password design

251 Copyright © Erdal Cayirci, 2010 251/326 Software based anti-tamper techniques Software based anti-tamper techniques are efficient against software cracking attacks Encryption wrappers Code obfuscation Software watermarking and fingerprinting Guarding

252 Copyright © Erdal Cayirci, 2010 252/326 Software based anti-tamper techniques Encryption wrappers Software is encrypted and has to be decrypted before use Only the codes that will execute in the system should be decrypted Decryption keys have to be protected Add overhead for decryption in run time.

253 Copyright © Erdal Cayirci, 2010 253/326 Software based anti-tamper techniques Code obfuscation Code obfuscation can prevent attacks of reverse engineering Quality of obfuscating transformations: potency, resilience, cost Different kinds of obfuscation transformations: layout transformation, data transformation, control transformation, preventive transformation

254 Copyright © Erdal Cayirci, 2010 254/326 Software based anti-tamper techniques Software watermarking and fingerprinting Software watermarking and fingerprinting can protect against illegal copying of digital items Behavior of the watermarked program should be affected if the watermark is distorted or destroyed Fingerprinting embeds a unique message in the software for traitor tracing Static watermarking and dynamic watermarking

255 Copyright © Erdal Cayirci, 2010 255/326 Software based anti-tamper techniques Guarding Multiple (possibly simple) protection techniques provide robust protections Guard is a piece of code responsible for performing certain security-related actions Guards can provide multiple layers of defense

256 Copyright © Erdal Cayirci, 2010 256/326 Hardware protection Physical attacks toward the wireless sensor networks Hardware protection of physical attacks Using tamper-resistant processors and lightweight hardware Advantages and disadvantages of hardware based protection

257 Copyright © Erdal Cayirci, 2010 257/326 Availability and plausibility Network availability can be increased using security techniques Checking the plausibility is a useful method for defending against compromised nodes

258 Copyright © Erdal Cayirci, 2010 258/326 Secure Routing

259 Copyright © Erdal Cayirci, 2010 259/326 Secure Routing Approaches - attack prevention - attack detection and recovery from the attack - resilience against security attacks

260 Copyright © Erdal Cayirci, 2010 260/326 Defense Against Wormholes Geographical Leashes: The source node S includes its location l_S and the packet transmission time t_S as the geographical leash into its packet P_S sent to destination D. S→D: l_S, t_S, P_S The clocks are synchronized to within ±Δ. The upper bound for the distance is d_b. The node localization error upper bound is δ. The upper bound for the velocity in transmitting signals is v. The node i that forwards the packet, which is at location l_i, and receives the packet at time t_i can check the following condition: d_b ≤ |l_i − l_S| + 2v × (t_i − t_S + Δ) + δ

261 Copyright © Erdal Cayirci, 2010 261/326 Defense Against Wormholes Temporal Leashes: The transmission and reception times of the packets are used for detecting wormholes. When a node A sends or forwards a packet to another node B, it also includes the transmission time t_A into the packet P_A. A→B: t_A, P_A Node B checks the difference d_AB between the transmission time t_A and reception time t_B of the packet. If d_AB is larger than a given threshold θ, it may indicate a wormhole attack.

262 Copyright © Erdal Cayirci, 2010 262/326 Defense Against Wormholes [Figure: example topology with nodes a, b, c, d, e, f, w1 and w2 and numbered links]

263 Copyright © Erdal Cayirci, 2010 263/326 Defense Against Sybil Direct validation: A node directly verifies if the identity of a neighboring node is valid. For example, a node may assign each of its neighbors a separate channel to communicate, and ask them to transmit during a period. Then it checks these channels in a random order within that period. If a node is transmitting in its assigned channel, the node is a physical node. Indirect validation: Another trusted node provides the verification for the identity of the node. For example, every node may share a unique key with the base station. When two nodes need to establish a link between them, they verify each other's identity through the base station by using these keys. Random key: Random keys assigned to nodes also provide security against sybil attacks.

264 Copyright © Erdal Cayirci, 2010 264/326 Defense Against Selective Forwarding Acknowledgements: Every intermediate node that forwards a packet waits for an acknowledgement from the next hop. If the next hop node does not return the same number of acknowledgements as the number of packets sent, the node generates an alarm about the next hop node. Compromised nodes can also generate acknowledgements for the packets that they dropped, which makes this scheme fail. Moreover, a malicious node can generate fake alarms to organize a DoS attack. Multipath routing: This requires at least link disjoint paths, where two paths may share some nodes but not any link. Of course node disjoint paths, where two paths do not have any node in common, are better and reduce the risk of a selective forwarding attack.

265 Copyright © Erdal Cayirci, 2010 265/326 Secure Routing in Sensor Networks - Secure broadcasting for the downstream traffic. - Secure multicasting for the downstream traffic. - Secure data aggregation when routing from multiple nodes to a base station. - Secure data aggregation and multicasting when routing from multiple nodes to multiple base stations or actuators.

266 Copyright © Erdal Cayirci, 2010 266/326 Routing that Enhances Security - Random Walk - Greedy Random Walk - Flooding - Baseline flooding - Probabilistic flooding - Flooding with fake messages - Phantom flooding

267 Copyright © Erdal Cayirci, 2010 267/326 Secure Routing Protocols - Intrusion Tolerant Routing in Wireless Sensor Networks (INSENS) - Authenticated Routing for Ad Hoc Networking (ARAN) - On Demand Secure Ad Hoc Routing (ARIADNE) - Watchdog Pathrater - Secure Ad Hoc on Demand Distance Vector (SAODV) - Secure Link State Routing Protocol (SLSP)

268 Copyright © Erdal Cayirci, 2010 268/326 INSENS - Fixed sensor networks - Multipath link state routing - Base station computes and broadcasts the routes

269 Copyright © Erdal Cayirci, 2010 269/326 INSENS - Route Discovery Phase - Base station floods a route request message - Use TESLA for authentication - Every node appends its id and a MAC by using a secret key before forwarding the route request - Every node returns a route reply message to the base station after waiting t - Base station verifies MAC, computes the routes, and sends them to nodes - Data Forwarding Phase Example: Route: S to D: S → a → b → c → D The forwarding table of a: The forwarding table of b: The forwarding table of b:.

270 Copyright © Erdal Cayirci, 2010 270/326 ARAN Dynamic source routing for ad hoc networks When a node A accesses the network for the first time or needs a certificate for route discovery, it requests the certificate from the trusted server T. The server T first authenticates the node A and sends a certificate to it: T → A: certificate_A, where IP_A is the IP address of node A, K_A+ is the public key of A, t is the time the certificate is created, e is the time that the certificate expires, K_T- is the private key of T.

271 Copyright © Erdal Cayirci, 2010 271/326 ARAN A node S that has a valid certificate can start a route discovery for another node D by broadcasting a route discovery packet (RDP): where N_S is a nonce, which is the sequence number, i.e., the source node S monotonically increases the nonce each time it performs a route discovery, to ensure the freshness of the reply message expected from the destination D.

272 Copyright © Erdal Cayirci, 2010 272/326 ARAN When a node receives an RDP message, it first decrypts the message, and then records the neighbor that sends the message as the next hop node for the source node of the message. If the node receives a reply message for this RDP, it just forwards the reply to the neighbor in this record. Finally, it encrypts the message by using its private key, appends its certificate and broadcasts the message.

273 Copyright © Erdal Cayirci, 2010 273/326 ARAN When destination node D receives the route discovery message from the last node in the route, i.e., let it be C for our example, it first verifies the source’s signature, and then prepares a reply (REP) message and unicasts it to C:

274 Copyright © Erdal Cayirci, 2010 274/326 ARIADNE ARIADNE route discovery process starts with a ‘route request’ that has the following fields: - Route request - Source node - Destination node - Route request Id - Time interval - Hash chain: The hash value created by all the nodes in the route - Node list: The list of nodes in the route - MAC list: The list of the MAC values calculated by every node in the route Hash chain is computed first by the source node S as follows: h_0 = MAC(K_SD, REQUEST | S | D | id | t_i) After computing h_0, the source node initializes the node list and MAC list fields as empty lists and broadcasts the ‘route request’ message. S → broadcast: {REQUEST, S, D, id, t_i, h_0, (), ()}

275 Copyright © Erdal Cayirci, 2010 275/326 ARIADNE Every node that receives a route request first checks the fields in its buffer. If this request has already been received, the new request is dropped. The node also checks the time interval. If it is too far in the future or the key associated with it is already disclosed, the packet is discarded. Otherwise the receiving node modifies the hash chain h_i. Assume that A is a node one hop from the source node S. It computes h_1 as follows: h_1 = H(A, h_0) It also calculates its MAC value by using the next key K_{A_ti} in the TESLA key chain, adds its address and the MAC value into the ‘route request’ message and broadcasts it: A → broadcast: {REQUEST, S, D, id, t_i, h_1, (A), (M_A)}

276 Copyright © Erdal Cayirci, 2010 276/326 ARIADNE When the destination node receives the ‘route request’, it checks the validity of the request by determining that the keys of the time interval are not disclosed yet, and the final hash chain is equal to H(a_n, H(a_{n-1}, H(…, H(a_1, MAC(K_SD, REQUEST | S | D | id | t_i))…))) where a_n is the address of the node at position n and there are n nodes in the node list. If both of these conditions hold, it indicates that the request is valid. Then the destination node D computes the destination MAC M_D, prepares the ‘route reply’ message and returns it along the source route that can be obtained by reversing the sequence of hops in the node list of the ‘route request’ message. D → C: {REPLY, D, S, t_i, (A, B, C), (M_A, M_B, M_C), M_D, ()}
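
The ARIADNE route request processing of the three slides above (source hash h_0, per-hop update h_i = H(a_i, h_{i-1}), duplicate and time-interval checks, and the destination's recomputation of the chain) as a runnable sketch. This is an added example, not code from the presentation; SHA-256 and HMAC-SHA256, the field encoding, the exact input of the per-hop MAC, and the integer interval model (a key counts as disclosed once its interval is in the past) are assumptions.

```python
import hashlib
import hmac


def mac(key: bytes, *fields) -> bytes:
    """MAC(K, f1 | f2 | ...) with HMAC-SHA256 over '|'-joined fields (assumed encoding)."""
    return hmac.new(key, "|".join(str(f) for f in fields).encode(), hashlib.sha256).digest()


def H(addr: str, prev: bytes) -> bytes:
    """Per-hop hash H(a_i, h_{i-1})."""
    return hashlib.sha256(addr.encode() + b"|" + prev).digest()


def new_request(k_sd: bytes, src: str, dst: str, req_id: int, ti: int) -> dict:
    """Source: h_0 = MAC(K_SD, REQUEST | S | D | id | t_i), empty node and MAC lists."""
    h0 = mac(k_sd, "REQUEST", src, dst, req_id, ti)
    return {"src": src, "dst": dst, "id": req_id, "ti": ti,
            "h": h0, "nodes": (), "macs": ()}


class Node:
    def __init__(self, addr: str, tesla_key: bytes):
        self.addr = addr
        self.tesla_key = tesla_key   # constructed stand-in for the interval key K_{A_ti}
        self.seen = set()            # (source, request id) pairs already processed

    def forward(self, req: dict, now: int, max_ahead: int = 1):
        """Return the request to rebroadcast, or None if it must be dropped."""
        if (req["src"], req["id"]) in self.seen:
            return None                          # duplicate request
        if req["ti"] < now or req["ti"] > now + max_ahead:
            return None                          # key disclosed, or too far in the future
        self.seen.add((req["src"], req["id"]))
        h = H(self.addr, req["h"])
        nodes = req["nodes"] + (self.addr,)
        m = mac(self.tesla_key, "REQUEST", req["src"], req["dst"], req["id"],
                req["ti"], h.hex(), nodes, [x.hex() for x in req["macs"]])
        return {**req, "h": h, "nodes": nodes, "macs": req["macs"] + (m,)}


def destination_accepts(req: dict, k_sd: bytes, now: int) -> bool:
    """Destination: interval key not yet disclosed and hash chain matches the node list."""
    if req["ti"] < now:
        return False
    h = mac(k_sd, "REQUEST", req["src"], req["dst"], req["id"], req["ti"])
    for addr in req["nodes"]:
        h = H(addr, h)
    return hmac.compare_digest(h, req["h"])
```

Because h_0 depends on K_SD, a relay cannot recompute the chain for a shortened node list, so the destination rejects a request from which an earlier hop has been stripped.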

277 Copyright © Erdal Cayirci, 2010 277/326 ARIADNE In the reverse path, every node waits until it can disclose its TESLA key. After that, it appends its TESLA key and forwards the message to the next hop in the reverse path. When the source receives the ‘route reply’ message, it verifies that each key and each MAC are valid. If they are, it accepts the ‘route reply’ message. Otherwise it discards the message. After this the route is maintained in the ‘route cache’ until a ‘route error’ message is received. When an intermediate node B that tries to forward a message to the next node C in the route fails, it generates the following ‘route error’ message and sends it to source node S along the reverse path.

278 Copyright © Erdal Cayirci, 2010 278/326 WATCHDOG PATHRATER Pathrater rates the links based on the reliability of the links and knowledge of misbehaving nodes. Every node rates every other node in the network. When a link is used successfully, its rate increases. If a link break occurs, the rate of the link decreases. High negative numbers are assigned to the nodes suspected of misbehaving. Paths are rated by averaging the link ratings along the path. When the source node has multiple options to a destination, it selects the path with the highest path rate. Paths that contain misbehaving nodes are avoided. When there is no path to the destination that is free of misbehaving links, the source node initiates a ‘route request’ process.

279 Copyright © Erdal Cayirci, 2010 279/326 SAODV To secure the integrity of hop count, a hash chain is formed by applying one way hash function H to a randomly selected seed value s. Before transmitting a route request (RREQ) or route reply (RREP) message the source sets hash value h to seed s. The maximum hop count is assigned the time to live value ttl, and then top hash value T is computed by applying hash function ttl times to seed s. h = s, T = H^ttl(s) When a node i receives a message after i hops from the source node, it first checks if the following condition holds: T = H^(ttl-i)(h)

280 Copyright © Erdal Cayirci, 2010 280/326 SAODV Since every intermediate node applies hash function H once to the hash value h in the message before relaying it, when H is applied ttl-i times to the current h, it should give top hash value T. Otherwise it indicates either the hash value h or hop count i is not correct. After this check, node i applies H to h and forwards it. h = H(h) To protect the integrity of the other fields in the message the source node signs everything but the hop count and hash value h fields, which are modified by every intermediate node.

281 Copyright © Erdal Cayirci, 2010 281/326 SLSP A node V broadcasts its link state data by using an LSU packet. V → broadcast: {TYPE, R, Zone_R, LSU_Seq, LSU_signature, Hops_Traversed, LS_Data} where TYPE is the packet type, R is the number of hops from the node to the zone boundary, Zone_R = H^R(X), Hops_Traversed = H(X), X is a random number, H is the hash function that every node knows, LSU_Seq is the sequence number of the LSU packet,

282 Copyright © Erdal Cayirci, 2010 282/326 SLSP Receiving nodes first validate the signature. If the LSU packet is valid, they can derive the link state information in the packet. Then they hash the Hops_Traversed value in the LSU packet. Hops_Traversed = H(Hops_Traversed) If the new Hops_Traversed value is equal to the Zone_R value after hashing, it indicates that the packet has reached the boundary of the zone, and should not be forwarded further.
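
The hash-chain hop limits of the SAODV slides (T = H^ttl(s), check T = H^(ttl-i)(h), then h = H(h)) and of the SLSP slides (Zone_R = H^R(X), Hops_Traversed hashed at each receiver) in one runnable sketch. This is an added example, not code from the presentation; SHA-256 as H and the dictionary message layout are assumptions, and the signatures that cover the other fields are omitted.

```python
import hashlib
import os


def H(x: bytes) -> bytes:
    """One-way hash function H (SHA-256 assumed here)."""
    return hashlib.sha256(x).digest()


def H_pow(x: bytes, n: int) -> bytes:
    """Apply H n times: H^n(x)."""
    for _ in range(n):
        x = H(x)
    return x


# --- SAODV hop count protection --------------------------------------------

def saodv_originate(ttl: int, seed: bytes = None) -> dict:
    """Source: h = s, T = H^ttl(s). ttl and top_hash are assumed to be signed."""
    s = seed if seed is not None else os.urandom(32)
    return {"ttl": ttl, "top_hash": H_pow(s, ttl), "hop_count": 0, "hash": s}


def saodv_check(msg: dict) -> bool:
    """Receiver after i hops: accept iff T = H^(ttl-i)(h)."""
    i = msg["hop_count"]
    if not 0 <= i <= msg["ttl"]:
        return False
    return H_pow(msg["hash"], msg["ttl"] - i) == msg["top_hash"]


def saodv_relay(msg: dict):
    """Intermediate node: verify, then h = H(h) and hop count + 1; None if dropped."""
    if not saodv_check(msg) or msg["hop_count"] >= msg["ttl"]:
        return None
    return {**msg, "hop_count": msg["hop_count"] + 1, "hash": H(msg["hash"])}


# --- SLSP zone boundary ------------------------------------------------------

def slsp_originate(r: int, x: bytes = None) -> dict:
    """Node V: Zone_R = H^R(X), Hops_Traversed = H(X)."""
    x = x if x is not None else os.urandom(32)
    return {"R": r, "zone_r": H_pow(x, r), "hops_traversed": H(x)}


def slsp_receive(pkt: dict):
    """Receiver: hash Hops_Traversed; forward only if it differs from Zone_R."""
    ht = H(pkt["hops_traversed"])
    return {**pkt, "hops_traversed": ht}, ht != pkt["zone_r"]
```

A relay that lowers the hop count without being able to invert H fails `saodv_check` at the next node, which is the property the top hash value provides.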

283 Copyright © Erdal Cayirci, 2010 283/326 Specific Challenges

284 Copyright © Erdal Cayirci, 2010 284/326 Security Protocols for Sensor Networks - Sensor Network Encryption Protocol (SNEP) Data confidentiality Authentication Integrity Freshness - µTESLA Authenticated Broadcast (Perrig A, Szewczyk R, Wen V, Culler D, Tygar J D, ‘SPINS: Security Protocols for Sensor Networks,’ MOBICOM, 2001.)

285 Copyright © Erdal Cayirci, 2010 285/326 Sensor Network Encryption Protocol SNEP In SNEP, A sends the following message to B to transmit a data fragment D: A→B: є, м where є is the encrypted data fragment, i.e., є = {D}, м is the MAC, i.e., м = MAC(K_mac, c│є), and c is the counter value.

286 Copyright © Erdal Cayirci, 2010 286/326 Sensor Network Encryption Protocol SNEP For strong freshness - Node A generates a nonce η_A randomly and sends it along with a request message ρ_A. A→B: η_A, ρ_A - Node B returns the nonce η_A with a response message ρ_B after a MAC computation. B→A: {ρ_B}, MAC(K_mac, η_A│c│{ρ_B})
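
The SNEP exchange of the two slides above, with the shared counter c and the nonce-based strong freshness variant, as a runnable sketch. This is an added example, not code from the presentation or from the SPINS authors. HMAC-SHA256 stands in for both the block-cipher counter mode and the MAC, and the per-direction key derivation from one master key is an assumption.

```python
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (assumed stand-in for SNEP's MAC/PRF)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def ctr_crypt(k_enc: bytes, counter: int, data: bytes) -> bytes:
    """{D}: XOR data with a keystream derived from (key, counter). Same call decrypts."""
    c = counter.to_bytes(8, "big")
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += prf(k_enc, c, block.to_bytes(4, "big"))
        block += 1
    return bytes(x ^ y for x, y in zip(data, stream))


def new_nonce() -> bytes:
    """Random nonce eta_A for the strong-freshness request."""
    return os.urandom(8)


class SnepPeer:
    """One end of a SNEP association; the counter is kept at both ends, never sent."""

    def __init__(self, master: bytes, me: str, peer: str):
        out, inn = f"{me}>{peer}".encode(), f"{peer}>{me}".encode()
        # Separate keys per direction so the two counters never share a keystream.
        self.k_enc_out, self.k_mac_out = prf(master, b"enc", out), prf(master, b"mac", out)
        self.k_enc_in, self.k_mac_in = prf(master, b"enc", inn), prf(master, b"mac", inn)
        self.ctr_out = 0
        self.ctr_in = 0

    def send(self, d: bytes, nonce: bytes = b""):
        """Return (e, m) with e = {D} and m = MAC(K_mac, [nonce |] c | e)."""
        c = self.ctr_out
        e = ctr_crypt(self.k_enc_out, c, d)
        m = prf(self.k_mac_out, nonce, c.to_bytes(8, "big"), e)
        self.ctr_out += 1
        return e, m

    def receive(self, e: bytes, m: bytes, nonce: bytes = b""):
        """Return the plaintext, or None if the MAC fails for the expected counter/nonce."""
        c = self.ctr_in
        expected = prf(self.k_mac_in, nonce, c.to_bytes(8, "big"), e)
        if not hmac.compare_digest(expected, m):
            return None              # tampered, replayed, or answer to another nonce
        self.ctr_in += 1
        return ctr_crypt(self.k_enc_in, c, e)
```

A replayed message fails because the receiver has already advanced its counter, and a response is accepted only when its MAC covers the nonce the requester just generated.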

287 Copyright © Erdal Cayirci, 2010 287/326 µTESLA K_i = F(K_{i+1}) [Figure: timeline with intervals t1, t2, t3, t4, t5, ..., tn, packets P1 to Pk, and the key chain K0, K1, K2, K3, K4, K5, ..., Kn]

288 Copyright © Erdal Cayirci, 2010 288/326 Quarantine Region Scheme Quarantine region is the region in the coverage area of an anti-node. [Figure labels: anti-node, sensor node, quarantine region, quarantined sensor node, sensor range] (Coskun, V., Cayirci, E., Levi, A., Sancak, S., “Quarantine Region Scheme to Prevent Spam Attacks in Wireless Sensor Networks,” IEEE Transactions on Mobile Computing, Volume 5, No. 8, pp 1074-1086, August 2006.)

289 Copyright © Erdal Cayirci, 2010 289/326 Authentication in a Quarantine Region Detecting an attack, and declaring a quarantine period, Finding quarantined nodes, Authentication in quarantine region, Cancelling a quarantine period. d receives authenticated from b, and sends authenticated to j. o receives authenticated from l, and sends unauthenticated to p. o receives unauthenticated from n, and sends unauthenticated to p. [Figure: topology with nodes a to p and a collector]

290 Copyright © Erdal Cayirci, 2010 290/326 Quarantine Region

291 Copyright © Erdal Cayirci, 2010 291/326 Quarantine Region

292 Copyright © Erdal Cayirci, 2010 292/326 Secure Charging and Rewarding [Figure: message flow between A, BS_A, the infrastructure, BS_B and B, with upstream nodes u and downstream nodes f: AReq, AConf, BReq, BRep, BConf] (Salem N B, Buttyan N, Hubaux J, Jakobsson M, ‘A Charging and Rewarding Scheme for Packet Forwarding in Multi-hop Cellular Networks,’ MobiHoc, 2003.)

293 Copyright © Erdal Cayirci, 2010 293/326 Secure Charging and Rewarding - Authenticate the initiating node A, and charge A before its packets are delivered to prevent refusal to pay attacks. - Authenticate the forwarding nodes to ensure that only the selected nodes can forward and nodes that do not forward cannot claim that they do. - Reward upstream nodes when the packets from A reach BS_A. - Reward downstream nodes when B acknowledges. - Charge B when the packets from A are forwarded to B by BS_B. Reimburse this charge when B acknowledges.

294 Copyright © Erdal Cayirci, 2010 294/326 Secure Charging and Rewarding (Session Establishment -1) Source sends a request to BS_A: A→BS_A: AReq_0 AReq_0 = AReqID│oldASID│ARoute│TrafficInfo, MAC(K_A, AReqID│oldASID│ARoute│TrafficInfo) Intermediate upstream nodes forward AReq_i = AReqID│oldASID│ARoute│TrafficInfo, MAC(K_i, AReq_{i-1}) BS_B forwards the request to destination: BS_B→B: BReq_0 BReq_0 = BReqID│oldBSID│BRoute│TrafficInfo Intermediate downstream nodes forward BReq_j = BReqID│oldBSID│BRoute│TrafficInfo, MAC(K_i, BReq_{j-1})

295 Copyright © Erdal Cayirci, 2010 295/326 Secure Charging and Rewarding (Session Establishment - 2)
Destination accepts:
BReq_j = BReqID, MAC(K_B, BReq_{B-1})
Base stations confirm the source and the destination:
AConf = AReqID│ASID│AMAC_A│AMAC_1│…│AMAC_a
AMAC_i = MAC(K_i, AReqID│ASID│oldASID│ARoute│TrafficInfo)
BConf = BReqID│BSID│BMAC_A│BMAC_1│…│BMAC_a
BMAC_j = MAC(K_j, BReqID│BSID│oldBSID│BRoute│TrafficInfo)
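The chained request MAC from the two session-establishment slides, as an added example that is not code from the slides or from the cited paper. It assumes HMAC-SHA256 as the MAC, a length-prefixed field encoding, and that BS_A holds every node's key K_i; all keys, names and request values are constructed.

```python
import hashlib
import hmac

def mac(key, data):
    # HMAC-SHA256 stands in for MAC(K, m); the slides do not name a MAC algorithm
    return hmac.new(key, data, hashlib.sha256).digest()

def encode_fields(req_id, old_sid, route, traffic_info):
    # AReqID | oldASID | ARoute | TrafficInfo, length-prefixed so field boundaries are unambiguous
    parts = [req_id, old_sid, ",".join(route), traffic_info]
    return b"".join(len(p).to_bytes(2, "big") + p.encode("ascii") for p in parts)

def initiate(k_a, fields):
    # AReq_0 = fields, MAC(K_A, fields)
    return fields, mac(k_a, fields)

def forward(k_i, areq_prev):
    # AReq_i = fields, MAC(K_i, AReq_{i-1}): the new tag covers the fields and the previous tag
    fields, prev_tag = areq_prev
    return fields, mac(k_i, fields + prev_tag)

def bs_verify(keys, initiator, areq, route):
    # BS_A (assumed to hold every node's key) replays the chain along ARoute and compares
    fields, tag = areq
    expected = mac(keys[initiator], fields)
    for node in route:
        expected = mac(keys[node], fields + expected)
    return hmac.compare_digest(expected, tag)

# Constructed keys and request values; "x" is a node that is not on the selected route
KEYS = {n: hashlib.sha256(b"constructed key for " + n.encode()).digest()
        for n in ("A", "n1", "n2", "x")}
ROUTE = ["n1", "n2"]
FIELDS = encode_fields("areq-0007", "asid-0000", ROUTE, "voice-64k")

def establish(forwarders):
    # Run the upstream leg with the given forwarders and return BS_A's verdict
    areq = initiate(KEYS["A"], FIELDS)
    for node in forwarders:
        areq = forward(KEYS[node], areq)
    return bs_verify(KEYS, "A", areq, ROUTE)
```

Only the exact node sequence named in ARoute produces a tag that BS_A accepts, which is what lets the base station reward the selected forwarders and nobody else.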

296 Copyright © Erdal Cayirci, 2010 296/326 Secure Charging and Rewarding (Packet Delivery)
Source prepares the packet:
SPkt_{0,η} = SSID│Body_{0,η}
Body_{0,η} = η│Payload_η│MAC(K_S, SSID│η│Payload_η)
η is the sequence number.
Intermediate nodes forward the packet:
SPkt_{i,η} = SSID│Body_{i,η}
Body_{i,η} = PAD_{i,η} ⊕ Body_{i-1,η}
Acknowledging delivery:
DAck = DSID│Batch│LastPkt│LostPkts, MAC(K_D, DSID│Batch│LastPkt│LostPkts)

297 Copyright © Erdal Cayirci, 2010 297/326 Secure Node Localization - Techniques against masquerading, replaying and node tampering - Secure routing techniques - Multimodal localization schemes, e.g., received signal strength indicator and time difference of arrival - Assessing the reliability of beacon nodes - Consistency checks by statistical methods - Attack resistant node localization schemes

298 Copyright © Erdal Cayirci, 2010 298/326 Malicious Beacon Node Detection - 1
- The detecting beacon n requests a beacon signal, i.e., B_req, from another beacon node n_a, the target beacon node. The detecting beacon acts as if it is not a beacon node. n→n_a: B_req
- The target beacon sends the beacon signal, i.e., B_beacon, which includes the location (x_a, y_a) of the target beacon n_a. n_a→n: B_beacon

299 Copyright © Erdal Cayirci, 2010 299/326 Malicious Beacon Node Detection - 2
- The detecting beacon estimates the distance d_a to the location (x_a, y_a) of the target beacon based on the RSSI calculation.
- Since the detecting node knows its own location, it can calculate the distance d between itself and the target node location sent in B_beacon. If the difference between the estimated distance d_a and the calculated distance d is higher than the threshold τ, this may indicate that the target node is malicious.
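The distance consistency check from the two detection slides, as an added example that is not code from the slides. The log-distance path-loss model, its parameters, the use of a median over several probes, and all sample values are assumptions of this example.

```python
import math
import statistics

def rssi_to_distance(rssi_dbm, p0_dbm=-40.0, n=2.7, d0=1.0):
    # Log-distance path-loss model (assumed); p0_dbm is the RSSI expected at d0 metres
    return d0 * 10 ** ((p0_dbm - rssi_dbm) / (10 * n))

def check_target(own_xy, claimed_xy, rssi_samples, tau):
    """Return (suspicious, d_a, d) for one target beacon."""
    if not rssi_samples:
        raise ValueError("no B_beacon received from the target")
    # d_a: distance estimated from signal strength; the median damps single-probe fading
    d_a = rssi_to_distance(statistics.median(rssi_samples))
    # d: distance from the detector's known position to the location claimed in B_beacon
    d = math.dist(own_xy, claimed_xy)
    return abs(d_a - d) > tau, d_a, d

# Constructed probes: the detecting beacon sits at (0, 0); both targets claim (30, 40),
# i.e. d = 50 m, but the second one is heard at a strength that fits about 10 m
DETECTOR = (0.0, 0.0)
PROBES = {
    "beacon-honest": ((30.0, 40.0), [-85.1, -86.4, -85.9]),
    "beacon-lying":  ((30.0, 40.0), [-66.8, -67.0, -67.3]),
}

def survey(tau=5.0):
    # Map each target beacon to True when |d_a - d| exceeds the threshold
    return {name: check_target(DETECTOR, claimed, rssi, tau)[0]
            for name, (claimed, rssi) in PROBES.items()}
```

The threshold τ has to absorb the ranging error of the radio model, which is why the slide says a violation "may indicate" a malicious target rather than prove it.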

300 Copyright © Erdal Cayirci, 2010 300/326 Attack Resistant Location Estimation
Inconsistency among the location data can be detected by inspecting the mean square error of estimation (MMSE) given by where ε is the mean square error, (x_i, y_i) is the location of beacon node i, (x, y) is the estimated location, d_i is the distance to beacon node i, m is the number of beacon nodes used in the location estimation.

301 Copyright © Erdal Cayirci, 2010 301/326 Voting Scheme for Location Estimation [Figure: voting scheme illustration]

302 Copyright © Erdal Cayirci, 2010 302/326 Secure Time Synchronization
- Step 1: Node A sends Node B a synchronization message at t1, and the message is received by Node B at t2. A(t1)→(t2)B: A, B, N_A, synch
- Step 2: Node B replies to Node A at t3, and the reply message is received by Node A at t4. B(t3)→(t4)A: B, A, N_A, t2, t3, ack, MAC(K_AB, B│A│N_A│t2│t3│ack)
- Step 3: Node A calculates RTT. If RTT is smaller than the maximum RTT threshold, the synchronization is accomplished. Otherwise it is aborted. If (t4-t1)-(t3-t1) < θ, proceed.
(Ganeriwal S, Capcun S, Han C, Srivastava M B, ‘Secure Time Synchronization Service for Sensor Networks,’ WiSE, 2005.)
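The three steps above with both sides' messages, as an added example that is not code from the slides or the cited paper. It assumes HMAC-SHA256 as the MAC, measures the time in flight as A's elapsed time minus B's turnaround, (t4 - t1) - (t3 - t2), and adds the usual sender-receiver offset estimate; those choices, the key, the nonce and all timestamps are assumptions or constructed values.

```python
import hashlib
import hmac

def reply_mac(k_ab, nonce, t2, t3):
    # MAC(K_AB, B|A|N_A|t2|t3|ack); HMAC-SHA256 and the "|" text encoding are assumptions
    msg = "|".join(["B", "A", nonce.hex(), str(t2), str(t3), "ack"]).encode()
    return hmac.new(k_ab, msg, hashlib.sha256).digest()

def node_b_reply(k_ab, nonce, t2, t3):
    # Step 2: B echoes A's nonce and binds both of its timestamps into the MAC
    return {"nonce": nonce, "t2": t2, "t3": t3, "mac": reply_mac(k_ab, nonce, t2, t3)}

def node_a_check(k_ab, nonce_sent, t1, t4, reply, theta):
    # Recompute the MAC over the nonce A actually sent, so a replayed reply fails here
    expected = reply_mac(k_ab, nonce_sent, reply["t2"], reply["t3"])
    if not hmac.compare_digest(expected, reply["mac"]):
        return ("abort", "bad MAC")
    # Step 3: time in flight = elapsed time at A minus B's turnaround (assumed reading of RTT)
    in_flight = (t4 - t1) - (reply["t3"] - reply["t2"])
    if in_flight >= theta:
        return ("abort", "delay %d us >= threshold" % in_flight)
    # Offset of B's clock relative to A's (standard sender-receiver estimate, not on the slide)
    return ("ok", ((reply["t2"] - t1) - (t4 - reply["t3"])) / 2)

# Constructed run, all times in microseconds; B's clock is 5 s ahead of A's
K_AB = b"constructed-pairwise-key"
N_A = bytes.fromhex("a1b2c3d4")
OFFSET = 5_000_000

def exchange(extra_delay_us=0, tamper=False, nonce_for_b=N_A):
    t1 = 100_000_000
    t2 = t1 + 2_000 + extra_delay_us + OFFSET  # request: 2 ms propagation plus any injected delay
    t3 = t2 + 10_000                           # B's turnaround time
    t4 = t3 - OFFSET + 2_000                   # reply: 2 ms propagation, read on A's clock
    reply = node_b_reply(K_AB, nonce_for_b, t2, t3)
    if tamper:
        reply["t2"] -= 50_000                  # t2 edited in transit without knowledge of K_AB
    return node_a_check(K_AB, N_A, t1, t4, reply, theta=10_000)
```

The MAC protects the content of the reply, while the threshold is the only thing that catches a message that was held back in transit; without it the 50 ms delay in the second case would shift A's offset estimate by 25 ms.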

303 Copyright © Erdal Cayirci, 2010 303/326 Secure Event & Event Boundary Detection
(Ding M, Chen D, Xing K, and Cheng X, ‘Localized Fault Tolerant Event Boundary Detection in Sensor Networks’, INFOCOM, 2005.)
1. Faulty Node Detection
[Figure labels: S_1, S_i, S_n, N(S_1), N(S_i), N(S_n), N*(S_i)]
d_i = x_i – med_i
N(S_i) ⊆ N*(S_i)
N*(S_i) ⊆ (N(S_1) ∪ N(S_i) ∪ N(S_n))
N*(S_i) = {S_1, …, S_i, …, S_n}

304 Copyright © Erdal Cayirci, 2010 304/326 Secure Event & Event Boundary Detection
2. Boundary Node Detection
[Figure labels: Sector A, Sector B, Sector C, S_i, N(S_i), Event Region E, Out of Event Region E]
1. Construct the set of faulty nodes Ω_1.
2. For each sensor S_i not in Ω_1,
   - Partition N(S_i) into sectors.
   - Calculate the difference d_ij for each sector.
   - Assign the largest d_ij as the new d_i for S_i.
   - Recalculate the mean μ, standard deviation σ, and y_i for N*(S_i) - Ω_1 and the new d_i.
   - If |y_i| ≥ θ_2 after recalculation, S_i goes into the set of boundary nodes denoted by Ω_2.
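The first step, constructing the faulty set Ω_1 from d_i = x_i – med_i, as an added example that is not code from the slides or the cited paper; the sector-based boundary step is not covered. It assumes a grid deployment, a 3×3 neighbourhood as N(S_i), the whole field as N*(S_i), the standardisation y_i = (d_i - μ)/σ, and a threshold named theta1; the readings are constructed.

```python
import statistics

def neighbourhood(pos, readings, radius=1):
    # N(S_i): S_i itself plus every sensor within `radius` grid steps (assumed shape)
    r, c = pos
    return [q for q in readings if abs(q[0] - r) <= radius and abs(q[1] - c) <= radius]

def faulty_nodes(readings, theta1=2.0):
    """Return the set Omega_1 of sensors whose reading disagrees with their neighbourhood."""
    d = {}
    for pos, x in readings.items():
        # d_i = x_i - med_i, with med_i the median reading over N(S_i)
        med = statistics.median(readings[q] for q in neighbourhood(pos, readings))
        d[pos] = x - med
    # N*(S_i) is taken to be the whole field, so mu and sigma are shared by all sensors
    vals = list(d.values())
    mu, sigma = statistics.fmean(vals), statistics.pstdev(vals)
    if sigma == 0:
        return set()  # every d_i is identical, so no sensor stands out
    # y_i = (d_i - mu) / sigma; a sensor with |y_i| >= theta1 goes into Omega_1
    return {pos for pos, di in d.items() if abs((di - mu) / sigma) >= theta1}

def make_field(gradient=0.1, faulty=None):
    # Constructed 5x5 field: readings rise gently across the grid; one sensor may report 80.0
    field = {(r, c): 20.0 + gradient * (r + c) for r in range(5) for c in range(5)}
    if faulty is not None:
        field[faulty] = 80.0
    return field
```

Because med_i is a median, the single bad reading at one sensor does not drag its neighbours' d_i away from zero, so only the sensor that reports the outlier is flagged.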

305 Copyright © Erdal Cayirci, 2010 305/326 Wireless Security Standards

306 Copyright © Erdal Cayirci, 2010 306/326 X.800 and IETF RFC2828
X.800
- ITU-T recommendation
- Security architecture for OSI
- Defines general security-related architectural elements
- Establishes guidelines and constraints to improve existing recommendations and/or to develop new recommendations
IETF RFC2828
- Internet Security Glossary
- Provides abbreviations, explanations, and recommendations for information system security

307 Copyright © Erdal Cayirci, 2010 307/326 Security threats and attacks
Threats
- Accidental vs. intentional threats
- Passive vs. active threats
Attacks
- Insider vs. outsider attacks
- Active vs. passive attacks

308 Copyright © Erdal Cayirci, 2010 308/326 Security services
- Authentication service
  - Data origin authentication
  - Peer entity authentication
- Access control
- Data confidentiality
  - Connection confidentiality
  - Connectionless confidentiality
  - Selective field confidentiality
  - Traffic flow confidentiality

309 Copyright © Erdal Cayirci, 2010 309/326 Security services
- Data integrity
  - Connection integrity with recovery
  - Connection integrity without recovery
  - Selective field connection integrity
  - Connectionless integrity
  - Selective field connectionless integrity
- Non-repudiation
  - Non-repudiation with proof of origin
  - Non-repudiation with proof of delivery

310 Copyright © Erdal Cayirci, 2010 310/326 Security mechanisms
Specific security mechanisms and pervasive security mechanisms
Specific security mechanisms
- Encipherment
- Digital signature
- Access control
- Data integrity
- Authentication exchange
- Traffic padding mechanism
- Routing control
- Notarization mechanism

311 Copyright © Erdal Cayirci, 2010 311/326 Security mechanisms
Pervasive security mechanisms
- Trusted functionality
- Security labels
- Event detection
- Security audit trail
- Security recovery

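312 Copyright © Erdal Cayirci, 2010 312/326 Relationships between security services and mechanisms

| Service | Encipherment | Digital signature | Access control | Data integrity | Authentication exchange | Traffic padding | Routing control | Notarization |
|---|---|---|---|---|---|---|---|---|
| Data origin authentication | Y | Y | - | - | - | - | - | - |
| Peer entity authentication | Y | Y | - | - | Y | - | - | - |
| Access control | - | - | Y | - | - | - | - | - |
| Connection Confidentiality | Y | - | - | - | - | - | Y | - |
| Connectionless Confidentiality | Y | - | - | - | - | - | Y | - |
| Selective Field confidentiality | Y | - | - | - | - | - | - | - |
| Traffic Flow Confidentiality | Y | - | - | - | - | Y | Y | - |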

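313 Copyright © Erdal Cayirci, 2010 313/326 Relationships between security services and mechanisms

| Service | Encipherment | Digital signature | Access control | Data integrity | Authentication exchange | Traffic padding | Routing control | Notarization |
|---|---|---|---|---|---|---|---|---|
| Connection Integrity with Recovery | Y | - | - | Y | - | - | - | - |
| Connection Integrity without Recovery | Y | - | - | Y | - | - | - | - |
| Selective Field Connection Integrity | Y | - | - | Y | - | - | - | - |
| Connectionless Integrity | Y | Y | - | Y | - | - | - | - |
| Selective Field Connectionless Integrity | Y | Y | - | Y | - | - | - | - |
| Non-repudiation with proof of origin | - | Y | - | Y | - | - | - | Y |
| Non-repudiation with proof of delivery | - | Y | - | Y | - | - | - | Y |

Notes:
Y: the mechanism is considered to be appropriate, either on its own or in combination with other mechanisms
- : the mechanism is considered not to be appropriate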

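314 Copyright © Erdal Cayirci, 2010 314/326 Placements of security services and mechanisms

| Service | Layer 1 | Layer 2 | Layer 3 | Layer 4 | Layer 5 | Layer 6 | Layer 7* |
|---|---|---|---|---|---|---|---|
| Data origin authentication | - | - | Y | Y | - | - | Y |
| Peer entity authentication | - | - | Y | Y | - | - | Y |
| Access control | - | - | Y | Y | - | - | Y |
| Connection Confidentiality | Y | Y | Y | Y | - | Y | Y |
| Connectionless Confidentiality | - | Y | Y | Y | - | Y | Y |
| Selective Field confidentiality | - | - | - | - | - | Y | Y |
| Traffic Flow Confidentiality | Y | - | Y | - | - | - | Y |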

315 Copyright © Erdal Cayirci, 2010 315/326 Placements of security services and mechanisms

| Service | Layer 1 | Layer 2 | Layer 3 | Layer 4 | Layer 5 | Layer 6 | Layer 7* |
|---|---|---|---|---|---|---|---|
| Connection Integrity with Recovery | - | - | - | Y | - | - | Y |
| Connection Integrity without Recovery | - | - | Y | Y | - | - | Y |
| Selective Field Connection Integrity | - | - | - | - | - | - | Y |
| Connectionless Integrity | - | - | Y | Y | - | - | Y |
| Selective Field Connectionless Integrity | - | - | - | - | - | - | Y |
| Non-repudiation with proof of origin | - | - | - | - | - | - | Y |
| Non-repudiation with proof of delivery | - | - | - | - | - | - | Y |

Y: Service is provided within the layer mentioned.
- : Service is not provided within the layer mentioned.
* It should be noted, with respect to layer 7, that the application process may, itself, provide security services.

316 Copyright © Erdal Cayirci, 2010 316/326 Wired equivalent privacy (WEP) WEP-based WLAN configuration

317 Copyright © Erdal Cayirci, 2010 317/326 Wired equivalent privacy (WEP) WEP encryption principle

318 Copyright © Erdal Cayirci, 2010 318/326 Wired equivalent privacy (WEP) WEP decryption principle

319 Copyright © Erdal Cayirci, 2010 319/326 WEP weakness
- Passive attacks to decrypt traffic
- Active attacks to inject traffic
- Active attack from both ends
- Table-based attack
- Monitoring

320 Copyright © Erdal Cayirci, 2010 320/326 Wi-Fi protected access (WPA) WPA enterprise mode

321 Copyright © Erdal Cayirci, 2010 321/326 Wi-Fi protected access (WPA) WPA personal mode

322 Copyright © Erdal Cayirci, 2010 322/326 Wi-Fi protected access (WPA)
- Authentication
- Encryption
  - Using a longer IV (48 bits)
  - Increasing the key size from 40 to 128 bits
  - Renewing encryption key every 10,000 packets
  - Using per packet key mixing of the IV
- Message integrity

323 Copyright © Erdal Cayirci, 2010 323/326 WEP and WPA comparison

| | WEP | WPA |
|---|---|---|
| Encryption | Flawed, cracked by scientists and hackers | Fixes all WEP flaws |
| | 40-bit keys | 128-bit keys |
| | Static key – Same key used by everyone on the network | Dynamic session keys, i.e., per user, per session, per packet keys |
| | Manual distribution of keys – Hand typed into each device | Automatic distribution of keys |
| Authentication | Flawed, used WEP key itself for authentication | Strong user authentication, utilizing 802.1X and EAP |

324 Copyright © Erdal Cayirci, 2010 324/326 WPA2
- Based on the Robust Security Network (RSN) mechanism
- Support for all mechanisms available in WPA
- Encryption mechanism different from WPA
- Using Advanced Encryption Standard (AES) with CCMP

325 Copyright © Erdal Cayirci, 2010 325/326 Conclusion

326 Copyright © Erdal Cayirci, 2010 326/326 Conclusion
- Introduction
- Physical Protection
- Wireless Medium
- MAC Layer
- Routing Protocols
- Transport Layer
- Node Localization and Time Synchronization
- Conclusion
