Security in Wireless Ad Hoc and Sensor Networks

Security in Wireless Ad Hoc and Sensor Networks
Erdal Cayirci Electrical Engineering & Computer Science Department University of Stavanger Stavanger, Norway Head, CAX Support Branch NATO Joint Warfare Centre SMC4 Division Stavanger, Norway

Outline Introduction Wireless Ad Hoc, Sensor and Mesh Networks
Security Mechanisms Conclusion

Text Book Security in Wireless Ad Hoc and Mesh Networks
Erdal Cayirci, Chunming Rong ISBN: Publisher: Wiley and Sons Copyright: 2009 Published: March/23/2009

Introduction

Taxonomy Infrastructureless Infrastructured Ad hoc Sensor Mesh Local
Wide area

Taxonomy Another approach licensed vs unlicensed High Tier Low Tier
Terrestrial Satellite Aerial Another approach licensed vs unlicensed

Cellular Paradigm source destination infrastructured single hop

Ad Hoc Paradigm source destination infrastructureless multihop

Ad Hoc Network Applications
Temporary network deployment Disaster relief operations Smart buildings Cooperative objects (COs) Health care Ourtutorial has the outline shown in this slide. We first introduce the wireless sensor and actuator networks concept. Then we list a number of application areas which provide a better insight about the motivation behind this concept. Factors, such as fault tolerance, Scalability, Production Cost, Hardware Constraints, Sensor Network Topology, Environment, Power Consumption, are examined later. They introduce stringent constraints which make wireless sensor and actuator networks a special field for the researchers. We then discuss the communications architecture for sensor networks which can be realized when we have protocols related to application, transport, network, data link and physical layers. During this discussion, we present asurvey ofprotocols and algorithms proposed thusfarfor sensor networks. Please note that thisisan introductory discussion. We give the key ideas but not the details related to the protocols and algorithms. Before conclusion we show a couple of slides where several simulation and testing tools for sensor and actuator networks are introduced.

Ad Hoc Networking Challenges
Wireless medium Interference, Hidden Terminal and Exposed Terminal Mobility, Node Failures, Self-forming, Self-configuration, Topology Maintenance, Routing and Self-healing Node Localization and Time Synchronization End-to-end Reliability and Congestion Control Ourtutorial has the outline shown in this slide. We first introduce the wireless sensor and actuator networks concept. Then we list a number of application areas which provide a better insight about the motivation behind this concept. Factors, such as fault tolerance, Scalability, Production Cost, Hardware Constraints, Sensor Network Topology, Environment, Power Consumption, are examined later. They introduce stringent constraints which make wireless sensor and actuator networks a special field for the researchers. We then discuss the communications architecture for sensor networks which can be realized when we have protocols related to application, transport, network, data link and physical layers. During this discussion, we present asurvey ofprotocols and algorithms proposed thusfarfor sensor networks. Please note that thisisan introductory discussion. We give the key ideas but not the details related to the protocols and algorithms. Before conclusion we show a couple of slides where several simulation and testing tools for sensor and actuator networks are introduced.

Hidden and Exposed Terminals
b c data hidden terminal, primary interference, d exposed terminal, overhearing, Sensor networks also experience hidden terminal and exposed terminal problems because they are ad hoc networks. Because of hidden terminal problem collisions may not be detected. For example nodes a and c in the slide are hidden to each other, therefore if both of them try to send a frame to Node b at the same instant, their transmissions are collided and they cannot detect this collision. On the other hand, if Node b tries to send a frame to Node a, this is also overheard by Node c because it is an exposed terminal. Then Node c waits until Node b completes this transmission even if it has a frame to send to Node d, and the transmission of its frame does not collide with the transmission of Node b.

Wireless Sensor and Actuator Networks
Internet, Satellite, etc Users Proxy Server Task Manager sensor node (snode) actuator (anode) collector (cnode) gateway (gnode) wireless link As we explained before these nodes are scattered in a sensor field and they self organize themselves into a multihop network such that the sensed data are conveyed to a collecting node which is often called sink. The collecting node needs also to be in the transmission range of sensor nodes, and itmay be more capable then a typical sensor node so that it can transmit and receive from a gateway node in a distance. This gateway node may be a labtop computer with wireless communications capability carried by a human, an access point ported in a tank, an unmanned aerial vehicle or a satellite. Actuators may also be deployed together with sensor nodes, and this may change this many-to-one regime. We will discuss this in more detail later. [Tick] The system administrator can manage or query this sensor network through the gateway and the collector node. Of course there may be many sensor networks deployed in various places. It is possible to connect them through the Internet or satellite networks. We can also expect they are directly connected to each other through the gateways. Multiple networks can be managed by the same administrator as they are a part of the same system. In some cases sensor networks may overlap, and if one of the collecting nodes or gateways fail, they may be merged together. There may be also sensor networks connected to nowhere. Data collecting nodes will move through these networks and gather the data from them periodically or as it is required, and download this data to the external proxy servers.These servers may also be used to store the historic data obtained also from the on line sensor networks. We think that an Internet user will have many sensor networks available to query, and this will be realized soon.

Wireless sensor and actuator network applications
Military Environmental Health Home Disaster relief Space exploration Chemical processing Other commercial Wireless sensor and actuator networks have many application areas including the ones shown in the slide: Among these Military, Environmental, and Health applications are the most trivial ones. We think that sensor and actuator networks will be used ubiquitously in these areas soon, if they are not already. Apart from them, there are many more applications related to Home, Disaster relief, Space exploration, Chemical processing, and Other commercial fields.

Fault Tolerance Ability to sustain sensor network functionality without any interruption. Protocols and schemes should be designed with the target level of fault tolerance. Since many sensor and actuator networks are supposed to run in harsh environments, and sensor nodes are prone to failures, fault tolerance is an important factor when designing protocols and schemes for wireless sensor and actuator networks. Fault tolerance can be defined as the ability to sustain sensor network functionality without any interruption although some of the components fails. There is an important issue related to sensor and actuator networks. We will explain you a number of factors and how stringent constraints some of them introduces. There are also often tradeoffs among these factors. Therefore, “one size fits all” approach is not applicable for wireless sensor and actuator networks. In an application, one of the constraints can be emphasized in the expense of a relaxation in another one while the opposite can be done for another application. This is also the case for fault tolerance. Protocols and schemes should be designed with the target level of fault tolerance. For example, the importance of the fault tolerence isnot the same for a military application and a habitat monitoring application.

Scalability May reach millions of sensor nodes in studying a phenomenon or stimuli, Schemes tend to form clusters, Each cluster may have a coverage area of less than 10 meter. Each cluster may have several to hundred sensor nodes. Density of sensor nodes is high, Scalability is another important consideration when designing sensor and actuator network schemes. The number of sensor nodes may reach millions in studying a phenomenon or stimuli. Therefore cluster based and hierarchical schemes are popular in sensor and actuator networks. Density of sensor nodes may be as high as 20 sensors in a cubic meter.

Scalability (Cont’d) Cluster density:
N. Bulusu, D. Estrin, L. Girod, and J. Heidemann, “Scalable Coordination for Wireless Sensor Networks: Self-Configuring Localization Systems,” International Symposium on Communication Theory and Applications, Ambleside, UK, July 2001. N : total number of sensor nodes R : the range of a sensor A : the area covered by a sensor However, the number of nodes in a unit space is less important then the average number of neighboring nodes of a single sensor node because the former has a larger impact on designing a protocol in any layer. Therefore cluster density in sensor networks is often given as the number of nodes within the transmission or sensing range of a single sensor. In this slide you see a simple formulation for this perception where nodes are assumed to be deployed randomly according to the Uniform distribution.

Scalability (Cont’d) Military Force Tracking System:
Less than 50 sensor nodes in a squad, up to 500 nodes in a company. Crises Response Management System: Up to 20 million nodes in a city like Istanbul. Underwater Surveillance System: Up to 5 hundred nodes for a region 500m×500m. We would like to give you some numbers on scalability for the applications that we are working on. They may provide you with a better insight about the scalability constraints of sensor and actuator networks. For a Military Logistics System, up to 50 sensor nodes are required for a squad, and up to 500 nodes are required for a company. A squad has approximately 10 troops, and a company has around 15 squads. For SENDROM which is the disaster relief operations management application, we expect that up to 20 million nodes will be deployed in a city like Istanbul, For an Underwater Survelliance System to detect submerged targets such as submarines, divers and mines, up to 5 hundred nodes will be deployed in a region as big as 500m×500m.

Production Cost Nodes must be cheap enough to be scalable.
Since the number of nodes required in an application is high, the production cost of a node is very important. The targeted cost for sensor nodes for large scale applications is less then a US dollar. When you compare this with the cost of a simple Bluetooth node which is more than 5 US dollars, you can see how challenging this target is. Nowadays the price of a commercial on the shelf sensor node product varies between 25 and 250 US dolor. We also produce our own nodes for our experiments, and the cost of a node is less then 20 Euro for us. Scale of economics is very important here. For example, we produced only 30 nodes. When the number nodes that we produce is higher, we expect considerable reduction in the production cost.

Location Finding System
Sensor Node Hardware Power Unit Power Generator Sensors ADC Processor Memory Transceiver Location Finding System Mobilizer Small, Low cost (dispensable), Low power, Low bit rate, Low memory capacity, Limited computational power. Other Interfaces In this slide you see components of a sensor node. The blue color components are essential at a sensor node, and the others shown by using red color are the application dependent optional components. The core of a sensor node is a processor. This is often a microprocessor that has limited memory such as 256 KB of flash RAM, and tens of RAM. ATMEL is commonly used in many sensor nodes. The other important part is the transceiver. The RF chips in 400, 900 and 2400 MHz ISM bands that can transmit up to 50 meters are often used for this purpose. Microsensors and analog to digital converters are the other essential parts of a sensor node. These may be replaced by actuators or both actuators and sensors can be available in some nodes. Power unit is often a 2 V battery. In some cases, power scavenging tools such as solar cells can be used to extend the lifetime of the node. In many applications location awareness of nodes is required. For example, in a target detection and tracking application the sensed data is almost meaningless without associating it with location information. Therefore, some nodes may have location finding systems such as a global positioning system or a node localization scheme may be implemented and run in the processor. Sometimes mobilizers may be required to move nodes or sensors. For example, we work on an underwater surveillance system where our nodes can lower their sensors into a depth such that they provide the maximum coverage of a three dimensional sensor space. Lastly interfaces for other peripherals such as additional sensors, and systems for example to interact with a computer to download new software may be available in nodes. All these need to be fitted into a matchbox size. The size of a node may be as small as a cubic millimeter so light that it can float in the air.

Sensor Nodes Genetlab SenseNode Mica2 Telos
We also have some examples from Europe. The left most one is the node that we developed for our test beds. We found it not too difficult to integrate commercially available chips into a sensor node. As we noted before one node costs us less than 20 Euro, and we produced only 30 of them. Genetlab SenseNode

Sensor Nodes 1980’s-1990’s Manufacturer custom contractors Crossbow, Sensoria, Dust, Inc, and Ember, Genetlab, etc others Size large shoe box small shoe box dust particle Weight kilograms grams negligible Architecture separate sensing, proc., integrated integrated comm. units Topology point-to-point, star client server, peer-to-peer peer-to-peer Power supply large batteries AA batteries solar hours, days, longer days-to-weeks months-to-years Deployment vehicle placed or air hand-emplaced embedded, drop single sensors sprinkled left behind C. Chong, S.P. Kumar, “Sensor Networks: Evolution, Opportunities, and Chalenges,” Proceedings of IEEE, Vol. 91, No. 8, August 2003. The table in this slide summarizes Chong and Kumar’s vision about the characteristics of the three generations of sensor nodes. I will wait for you to read this table.

Topology in sensor and actuator networks
Semi-automated sensor & actuator networks Automated sensor & actuator networks Sensor networks b c d a b c d a b c d a many-to-one one-to-many many-to-one one-to-many many-to-many We can categorize sensor network topologies into three classes as Sensor networks, Semi-automated sensor and actuator networks, and Automated sensor and actuator networks. [Tick] In sensor networks the data is conveyed from multiple sources to a collecting node. On the other hand, the tasks and interests are disseminated from a single node which is the data collecting node to theother nodes in the network. Therefore, a sensor network has a simple many-to-one and one-to-many dissemination regime. The difference in semi-automated sensor and actuator networks is not much.The only difference is that the collecting node collects and fuses the sensed data, and Then forward them to the related actuators. It still keeps many-to-one and one-to-many natures of sensor networks. However,this is diferent in automated sensor and actuator networks where The sensed data is directly forwarded from source nodes to the related actuators. Therefore, automated sensor and actuator networks has a many-to-many regime. sensor node actuator collector gateway wireless link

Power Consumption Network lifetime depends on battery lifetime
Generally irreplaceable Limited battery (~1 V) One of the most important design factors in wireless sensor and actuator networks is power consumption because Network lifetime depends on the lifetime of Generally irreplaceable batteries boarded on nodes. Moreover power available in these batteries is limited because they are tiny.

Power Consumption In sensor networks, power conservation is of utmost importance. Hence, novel power-aware protocols and algorithms needed. In sensor & actuator networks end-to-end propagation delay may become a parameter conflicting with power consumption in some real time applications. Hence tradeoff mechanisms between power consumption and end-to-end delay are needed for some sensor&actuator network applications. Issues related to battery recovery rate must also be taken into account. Therefore especially in sensor networks, power conservation is of utmost importance. and novel power-aware protocols and algorithms needed. In sensor&actuator networks end-to-end propagation delay may become a parameter conflicting with power consumption in some real time applications. Hence tradeoff mechanisms between power consumption and end-to-end delay are also needed for some sensor&actuator network applications. Moreover, issues related to battery recovery rate must also be taken into account. Battery lifetime is longer if they are not used continuously but have the opportunity to recover after being used for a duration.

Three Domains of Power Consumption
Communications Data Processing Sensing There are three domains of power consumption which are Communications Data Processing Sensing

Power Consumption in Communications
Transmission and reception energy costs are nearly the same. Transceiver circuitry has both active and start-up power consumption Sensors communicate in short data packets. Start-up power starts dominating as packet size is reduced. Cannot blindly turn off the transceiver during idling. Path-loss slope is around four due to low lying antenna. Some important considerations related to power consumption can be enumerated as follows: Transmission and reception energy costs are nearly the same because the distance between the transmitter and receiver is often limited to a few meters. Transceiver circuitry has both active and start-up power consumption, therefore the length of idle time durations and the startup frequency of the circuitry must be taken into account while designing the related schemes. Sensors communicate in short data packets. For example nodes may report a temperature which can fit into a couple of bytes. Start-up power starts dominating as packet size is reduced. Therefore we cannot blindly turn off the transceiver during idling as we explained before. Lastly path-loss slope is around four due to low lying antenna. In other words signals attenuated quicker in sensor networks.

Power Consumption in Data Processing
This is much less than the power consumption in communications. For example a 100 million instructions per second processor can execute 3 million instructions by the energy cost of transmitting 1 KB a distance of 100 m. Therefore, local data processing is crucial in minimizing power consumption in a wireless sensor network. However, the energy cost of data processing is not negligible. Power consumption in data processing is much less than the power consumptions in communications. For example a 100 million instructions per second processor can execute 3 million instructions by the energy cost of transmitting 1 KB to a distance of 100 m. Therefore, local data processing is crucial in minimizing power consumption in a wireless sensor and actuator networks. However, the energy cost of data processing is not negligible. When we were designing an authentication scheme, we found out that the energy cost of a simple hash function used for the authentication may incur more than 10% energy overhead comparing it to the power consumed for transmitting the related data packet. Therefore, the complexity of algorithms is also important, and data processing must also be carefully engineered.

Power Consumption in Sensing
Depends on The type of sensor: - microsensors: active or passive - cameras, etc. Nature of sensing : Sporadic or Constant Detection complexity The interface between the processor and sensors Power consumption in sensing depends on many factors For example passive microsensors produce analog signals from the ambient conditions of the environment, therefore they do not need energy except for the energy required to amplify this analog signal. On the other hand the energy required for active sensors may be much higher then the one for the communications. The nature of sensing and the detection complexity are other important parameters that impact on the power consumption for sensing. Lastly the interface between the processor and sensors are also important. For example if the sensor is on board passive sensor and directly attached to one of the analog to digital converters of the processor, its power consumption is negligible. However if the sensor is in a distance from the node as it is the case in our underwater surveillance system project, the power consumption for sensing is considerable.

Mesh Networks Internet Cellular Wireless LAN Mesh Router Mesh Client
Backbone Mesh Access As we explained before these nodes are scattered in a sensor field and they self organize themselves into a multihop network such that the sensed data are conveyed to a collecting node which is often called sink. The collecting node needs also to be in the transmission range of sensor nodes, and itmay be more capable then a typical sensor node so that it can transmit and receive from a gateway node in a distance. This gateway node may be a labtop computer with wireless communications capability carried by a human, an access point ported in a tank, an unmanned aerial vehicle or a satellite. Actuators may also be deployed together with sensor nodes, and this may change this many-to-one regime. We will discuss this in more detail later. [Tick] The system administrator can manage or query this sensor network through the gateway and the collector node. Of course there may be many sensor networks deployed in various places. It is possible to connect them through the Internet or satellite networks. We can also expect they are directly connected to each other through the gateways. Multiple networks can be managed by the same administrator as they are a part of the same system. In some cases sensor networks may overlap, and if one of the collecting nodes or gateways fail, they may be merged together. There may be also sensor networks connected to nowhere. Data collecting nodes will move through these networks and gather the data from them periodically or as it is required, and download this data to the external proxy servers.These servers may also be used to store the historic data obtained also from the on line sensor networks. We think that an Internet user will have many sensor networks available to query, and this will be realized soon.

Mesh Network Applications
Broadband home networking Community and neighborhood networking Enterprise networking Transportation systems Building automation and control networks Ourtutorial has the outline shown in this slide. We first introduce the wireless sensor and actuator networks concept. Then we list a number of application areas which provide a better insight about the motivation behind this concept. Factors, such as fault tolerance, Scalability, Production Cost, Hardware Constraints, Sensor Network Topology, Environment, Power Consumption, are examined later. They introduce stringent constraints which make wireless sensor and actuator networks a special field for the researchers. We then discuss the communications architecture for sensor networks which can be realized when we have protocols related to application, transport, network, data link and physical layers. During this discussion, we present asurvey ofprotocols and algorithms proposed thusfarfor sensor networks. Please note that thisisan introductory discussion. We give the key ideas but not the details related to the protocols and algorithms. Before conclusion we show a couple of slides where several simulation and testing tools for sensor and actuator networks are introduced.

Mesh Networking Challenges
Broadband communications Quality of service requirements Ourtutorial has the outline shown in this slide. We first introduce the wireless sensor and actuator networks concept. Then we list a number of application areas which provide a better insight about the motivation behind this concept. Factors, such as fault tolerance, Scalability, Production Cost, Hardware Constraints, Sensor Network Topology, Environment, Power Consumption, are examined later. They introduce stringent constraints which make wireless sensor and actuator networks a special field for the researchers. We then discuss the communications architecture for sensor networks which can be realized when we have protocols related to application, transport, network, data link and physical layers. During this discussion, we present asurvey ofprotocols and algorithms proposed thusfarfor sensor networks. Please note that thisisan introductory discussion. We give the key ideas but not the details related to the protocols and algorithms. Before conclusion we show a couple of slides where several simulation and testing tools for sensor and actuator networks are introduced.

Tactical Communications
external network mobile subsystem local area wide area radio access point Ourtutorial has the outline shown in this slide. We first introduce the wireless sensor and actuator networks concept. Then we list a number of application areas which provide a better insight about the motivation behind this concept. Factors, such as fault tolerance, Scalability, Production Cost, Hardware Constraints, Sensor Network Topology, Environment, Power Consumption, are examined later. They introduce stringent constraints which make wireless sensor and actuator networks a special field for the researchers. We then discuss the communications architecture for sensor networks which can be realized when we have protocols related to application, transport, network, data link and physical layers. During this discussion, we present asurvey ofprotocols and algorithms proposed thusfarfor sensor networks. Please note that thisisan introductory discussion. We give the key ideas but not the details related to the protocols and algorithms. Before conclusion we show a couple of slides where several simulation and testing tools for sensor and actuator networks are introduced. local area subsystem terminal wireless communications mobile radio non-wireless communications wide area subsystem node mobile radio

Mobile Subsystem mobile radio (MR) cluster head MR relaying MR
SATT SAT tier UAVT UAV tier RAPT RAP tier MRT MR tier radio access point (RAP) unmanned aerial vehicle (UAV) satellite (SAT) satellite ground terminal antenna MRT RAPT SATT UAVT Ourtutorial has the outline shown in this slide. We first introduce the wireless sensor and actuator networks concept. Then we list a number of application areas which provide a better insight about the motivation behind this concept. Factors, such as fault tolerance, Scalability, Production Cost, Hardware Constraints, Sensor Network Topology, Environment, Power Consumption, are examined later. They introduce stringent constraints which make wireless sensor and actuator networks a special field for the researchers. We then discuss the communications architecture for sensor networks which can be realized when we have protocols related to application, transport, network, data link and physical layers. During this discussion, we present asurvey ofprotocols and algorithms proposed thusfarfor sensor networks. Please note that thisisan introductory discussion. We give the key ideas but not the details related to the protocols and algorithms. Before conclusion we show a couple of slides where several simulation and testing tools for sensor and actuator networks are introduced.

Tactical Communications Challenges
Multimedia communications Multi-tier networking Mobile networking Mobile and rapidly deployable infrastructure Survivable infrastructure Tailorable infrastructure Multi-functional infrastructure Ourtutorial has the outline shown in this slide. We first introduce the wireless sensor and actuator networks concept. Then we list a number of application areas which provide a better insight about the motivation behind this concept. Factors, such as fault tolerance, Scalability, Production Cost, Hardware Constraints, Sensor Network Topology, Environment, Power Consumption, are examined later. They introduce stringent constraints which make wireless sensor and actuator networks a special field for the researchers. We then discuss the communications architecture for sensor networks which can be realized when we have protocols related to application, transport, network, data link and physical layers. During this discussion, we present asurvey ofprotocols and algorithms proposed thusfarfor sensor networks. Please note that thisisan introductory discussion. We give the key ideas but not the details related to the protocols and algorithms. Before conclusion we show a couple of slides where several simulation and testing tools for sensor and actuator networks are introduced.

Tactical Communications Challenges
Modular infrastructure Flexible infrastructure Both terrestrial and non-terrestrial networking Horizontal and vertical communications ability High circuit quality and wide bandwidth Secure networking Real-time and batch networking Ability to operate in every weather and terrain conditions Ourtutorial has the outline shown in this slide. We first introduce the wireless sensor and actuator networks concept. Then we list a number of application areas which provide a better insight about the motivation behind this concept. Factors, such as fault tolerance, Scalability, Production Cost, Hardware Constraints, Sensor Network Topology, Environment, Power Consumption, are examined later. They introduce stringent constraints which make wireless sensor and actuator networks a special field for the researchers. We then discuss the communications architecture for sensor networks which can be realized when we have protocols related to application, transport, network, data link and physical layers. During this discussion, we present asurvey ofprotocols and algorithms proposed thusfarfor sensor networks. Please note that thisisan introductory discussion. We give the key ideas but not the details related to the protocols and algorithms. Before conclusion we show a couple of slides where several simulation and testing tools for sensor and actuator networks are introduced.

Factors Influencing the Design
Ad Hoc Mesh Sensor & Actuator Wireless medium ISM ISM, acoustic, low lying antenna Networking regime random one-to-one Random one-to-one, gateway nodes one-to-many, many-to-one, many-to-many Traffic random, multimedia Random, multimedia temporally and spatially correlated, data QoS requirements bandwidth, delay, jitter, reliability power consumption, delay, reliability Mobility Mobile typically fixed generally fixed, network mobility Fault tolerance typically no critical point of failure critical points of failure critical points of failures, high fault tolerance requirements Operating environment typical day to day environment hostile and harsh, often unreachable Power efficiency not very critical not critical very critical Scalability order of hundreds order of tens order of thousands Hardware constraints laptops, PDAs no constraint tiny, low processing and memory capacity Production cost no hard constraints must be cost effective Ourtutorial has the outline shown in this slide. We first introduce the wireless sensor and actuator networks concept. Then we list a number of application areas which provide a better insight about the motivation behind this concept. Factors, such as fault tolerance, Scalability, Production Cost, Hardware Constraints, Sensor Network Topology, Environment, Power Consumption, are examined later. They introduce stringent constraints which make wireless sensor and actuator networks a special field for the researchers. We then discuss the communications architecture for sensor networks which can be realized when we have protocols related to application, transport, network, data link and physical layers. During this discussion, we present asurvey ofprotocols and algorithms proposed thusfarfor sensor networks. Please note that thisisan introductory discussion. We give the key ideas but not the details related to the protocols and algorithms. Before conclusion we show a couple of slides where several simulation and testing tools for sensor and actuator networks are introduced.

Challenges in Practice
Challenges in Practice High Gain GPRS Antenna Solar Panel Outdoor PIR’s Outdoor Panel

Challenges in Practice
38

Wireless Medium

Channel Capacity Nyquist C = 2 B log2 M where
C is capacity in bit per second (bps), B is bandwidth in hertz (Hz), M is discrete signal levels. Shannon C = B log2 (1 +SNR) SNRdB= 10 log10 (SNR)

Electromagnetic Spectrum
Hertz Kilohertz Megahertz Gigahertz Terahertz ELF VF VLF LF MF HF VHF UHF SHF EHF Frequency (Hertz) Wavelength (meters) Power and Telephone Radio Microwave Infrared Visible light Twisted pair Coaxial cable AM radio FM radio and TV Terrestrial and satellite Optical fiber Wavelength  = c / f

Omnidirectional (isotropic) Directional (isotropic)
Antennas Omnidirectional (isotropic) Antenna A B Directional (isotropic) Antenna gain is a measure of the directionality of an antenna. Antenna gain is defined as the power output, in a particular direction, compared to that produced in any direction, compared to that in any direction by a perfect omnidirectional antenna.

Antennas /4 /2 feeding gap Half-wave dipole (Hertz antenna)
collinear conductor Quarter-wave dipole (Marconi antenna) Parabolic reflective antenna

Propagation Modes Ionosphere Ground wave f < 2 MHz Sky wave
2 MHz < f <30MHz Line of sight 30 MHz < f

Line of Sight h1 d1 d2 r h2 where k is an adjustment factor and generally assumed to be 4/3

Satellite Orbits Van Allen belts 35,800 20,000 15,000 5,000 Altitude
Upper Van Allen belt Lower Van Allen belt Altitude (km) Type Latency (ms) Satellites needed GEO MEO LEO 270 3 35-85 10 1-7 50 Van Allen belts

The Principal Satellite Bands
Frequency range User L - band MHz Inmarsat, air and sea traffic. Meteorological services. S - band MHz Downlink for communication satellites. For example ArabSat and Insat. C - band MHz Downlink for communication satellites. Most satellite in America, Asia and Africa. MHz Downlink for military satellites. MHz Uplink[ii] for military and communication satellites.

X - band MHz Military satellites, NATO. MHz Uplink military satellites. Ku - band 1 GHz Downlink for FSS [iii] Ku - band 2 GHz Downlink DBS [iv] Ku - band 3 GHz Downlink for Telecom range [v]

Ku - band GHz Uplink for telecommunication satellites. GHz GHz Ka - band GHz Rarely used. Kopernicus satellites have one of these transponders. Used for some transmissions. In the future it will be more in use because the whole KU band will be used completely. K - band GHz Uplink for future telecommunication satellites.

Free Space Loss where Pt = signal power at the transmitting antenna
Pr = signal power at the receiving antenna  = carrier wavelength d = propagation distance between antennas c = speed of light (3  108 m/s)

Noise Thermal noise Intermodulation noise Crosstalk Impulse noise
No=kT (W/Hz) where k is Boltzman’s constant (1.380310-23 J/K) T is absolute temperature in Kelvins. N=kTB NdBW= logT+10logB dBW Intermodulation noise Crosstalk Impulse noise

Atmospheric Absorption
Water vapour and oxygen contribute to attenuation. A peak attenuation occurs in the vicinity of 22 GHz. At frequencies less than 15 GHz, the attenuation is less. Rain and fog cause scattering.

Multipath Reflection Scattering Diffraction

Fading slow fast In flat (nonselective) fading,
Amplitude (dBm) Position (m) -80 -130 30 slow fast In flat (nonselective) fading, effects equally the different spectral components. Selective fading effects unequally.

Directional and Smart Antennas
a. Switched beam. b. Adaptive. mobile node

Software Radios Analog to digital conversion (ADC) as close to the antenna as possible Generic hardware Software implementation of the digital processes

Cognitive Radios Software radios provide the base to realize cognitive radios that can observe the available spectrum and choose dynamically the frequency and other parameters to operate.

Data Link Layer Medium Access and Error Control

Multiple Access Schemes
Contention Based Schemes Conflict Free Schemes - Aloha Slotted Aloha Carrier Sense Multiple Access (CSMA) CSMA / Collision Detection CSMA / Collision Avoidance Hybrid Reservation Based Packet Reservation Multiple Access Resource Auction Multiple Access Dynamic TDMA Token Based Fixed Allocation Frequency Division Multiple Access (FDMA) Time Division Multiple Access (TDMA) Code Division Multiple Access (CDMA)

ALOHA and Slotted ALOHA
Start transmitting whenever you have a frame to send. Retransmit if the transmission is unsuccessful. Slotted ALOHA Wait until the beginning of the first time slot for transmission. time time slots

Carrier Sense Multiple Access (CSMA)
Non persistent CSMA Sense the media, and access if there is no other transmission on the media. If the channel is already in use, wait a random period and then repeat the algorithm. P-Persistent CSMA The probability that a node accesses the media when no other transmission is sensed is equal to p. If the channel is already in use, the probability that the node accesses the media in the next time slot is again equal to p.

Hidden and Exposed Terminals
b c data hidden terminal, primary interference, d exposed terminal, overhearing, Sensor networks also experience hidden terminal and exposed terminal problems because they are ad hoc networks. Because of hidden terminal problem collisions may not be detected. For example nodes a and c in the slide are hidden to each other, therefore if both of them try to send a frame to Node b at the same instant, their transmissions are collided and they cannot detect this collision. On the other hand, if Node b tries to send a frame to Node a, this is also overheard by Node c because it is an exposed terminal. Then Node c waits until Node b completes this transmission even if it has a frame to send to Node d, and the transmission of its frame does not collide with the transmission of Node b.

Multiple Access with Collision Avoidance Wireless (MACAW)
b Request to Send (RTS) Clear to Send (CTS) Data Acknowledgement Multiple Access with Collision Avoidance Wireless (MACAW) a b c h d f e g Since the data collisions caused by the hidden terminal problem leads to retransmissions, and overhearing the data transmissions as a result of exposed terminal problem consumes power; it is obvious that both hidden terminal and exposed terminal problems result in the loss of energy which is a scarce resource in wireless sensor networks. Multiple access with collision avoidance (MACA) is the first scheme that addresses hidden terminal and exposed terminal problems. In MACA, the node that needs to transmit a message sends a small Request-To-Send (RTS) message to the receiver. The receiver immediately responds with a Clear-To-Send (CTS) message. After receiving the CTS, the sender will transmit the data message. Both the RTS and the CTS messages have a field that indicates the length of the data message. During this time period the nodes that receive either RTS or CTS frame does not access the media. The MACA Wireless (MACAW) protocol improves the MACA protocol by adding a fourth frame to the control sequence in order to cope with the unreliability of the wireless channel and to guarantee delivery. When the data is received correctly, an explicit ACKnowledgement is sent back to the sender node. If the sender node fails to receive an ACK in due time it retransmits the DATA. V.Bharghavan, A.Demers, S.Shenker, L.Zhang, "MACAW: A Media Access Protocol for wireless LAN’s", in Proceedings of ACM SIGCOMM’94, pp , 1994.

Network Allocation Vector (NAV): Defer access
IEEE IEEE Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) Distributed Coordination Function (DCF) source destination DIFS RTS SIFS CTS DATA ACK Network Allocation Vector (NAV): Defer access The Distributed Coordination Function(DCF) of the IEEE standard is mainly built on MACAW, following the “carrier sense multiple access with collision avoidance (CSMA/CA)” competition mechanism composed of four frames RTS, CTS, DATA, ACK. IEEE performs both physical (at the air interface) and virtual carrier sensing (at the MAC layer). Physical carrier sensing detects activity in the channel via relative signal strength from other sources. Virtual carrier sensing is achieved by sending MAC protocol data unit duration information of each frame in the header of RTS/CTS and DATA frames. Duration field indicates the amount of time required to complete frame transmission. A local Network Allocation Vector (NAV) is updated with the value of other terminals’ transmission duration. Using the NAV, a node’s MAC knows when current transmission ends. NAV is updated upon hearing an RTS from the sender and/or CTS from the receiver, so the hidden terminal problem is avoided. DIFS: DCF Interframe Space SIFS: Short Interframe Space

IEEE 802.11 Distributed Coordination Function (DCF)
IEEE (Cont’d) IEEE Distributed Coordination Function (DCF) transmission range carrier sensing sensing zone RTS, CTS frames and inter frame spaces introduce: additional overhead and additional delay. Although the transmission of a node is sensed, it may not be decoded if the signal to noise ratio in the received signal is below a certain level. In IEEE the zone where the signals of a terminal is received but not decoded is called as carrier sensing zone. The nodes in the transmission range set their Network Allocation Vectors according to the received RTS or CTS signals while the nodes in the carrier sensing zone set their Network Allocation Vectors for the Extended Interframe Space duration; which is a quite long timer. Channel is considered to be busy if either virtual or physical carrier sensing mechanisms indicates so. RTS, CTS signaling and interframe durations can introduce too long propagation delay for especially real time wireless sensor and actuator networks. Extended Interframe Space

Conflict Free Multiple Access Schemes
FDMA 1 3 2 4 6 5 7 9 8 TDMA CDMA spectrum 1. Frequency Division Multiple Access: Channel = Frequency 2. Time Division Multiple Access: Channel = Frequency + Time Slice 3. Code Division Multiple Access : Channel = Code

CDMA Frequency Hopping CDMA, a. Slow Hopping, b. Fast Hopping,
2. Direct Sequence CDMA FH-CDMA

FH-CDMA Process Gain PG = 10 logN (db)
where N is the number of frequency channels used.

DS-CDMA spreading process
Data Spreaded data Noise Data PN Noise

DS-CDMA spreading process
Data PN Spreaded Data in data (bit) rate in chip rate Spreaded Data Data PN

DS-CDMA Spreading Process
Tx St(t) f0 Rb Data x(t) S(t) Spreading Code G(t) Rp = CHIP transfer rate Rv ST(t-Td) F S(t-Td) Correlator Bc = Rb Bss = Rp Code G(t-Td)

DS-CDMA Process Gain PG = 10 log(Bss/B) (db) where
B is the bandwidth required for the data rate, Bss is the bandwidth where the signal is spreaded.

CDMA Codes A spread spectrum code on DS-CDMA is a bit sequence (a sequence of 1s and -1s). CDMA sequences can be categorized as - Pseudo Noise (PN) sequences Short codes Long codes - Orthogonal codes

Properties of Pseudo Noise Sequences
Balance property : The difference in the number of 1s and -1s in a pseudonoise cannot be higher than one. (15 chips, 7 of them are -1s, and 8 of them are 1s.) Run property: 50% of runs must be -1 runs, and the other 50% must be 1 runs, and 1/2n of runs must be n length runs. (8 runs, 4 of them are -1 runs, and 4 of them are 1 runs.) Auto-correlation property: The number of chips that are the same differs from those that are different by at most 1 when a pseudonoise is compared chip by chip with any cycle of shift of itself.

Auto-correlation Auto-correlation is the correlation of a code with any cycle of shift of itself. Example: N=7 C0=7 and C7=7 C1= = -1 C2= = -1 C3= = -1 C4= = -1 C5= = -1 C6= = -1

Linear Maximal Length Sequence Generator
X1 X2 X3 X4 OUTPUT OUTPUT : p = 2n -1 where p is the length of the sequence and n is the number of bits in the shift register.

Short and Long Codes Short codes can generally be transfered in the duration of a symbol. In IS-95, the length of short codes is 215-1, and they can be transferred in seconds when chip rate is Mcps. They are generally used in downlink to identify cells or location areas in cellular networks. In IS-95, the length of long codes is 242-1, and they can be transferred in 44.5 days when chip rate is Mcps. They are generally used in uplink to identify mobile terminals.

# of Terminals that can Share a Sequence
A good pseudonoise is different enough from any shifted version of itself. Shifting only one chip is enough to obtain a different pseudonoise from the original. However, the difference between the pseudonoises assigned to different terminals must be high enough to compensate the differences in propagation delays. 15.6 km Example: The length of sequence p=215-1=32767 The delay for 15.6 km td=15.6/300000=0.052 msec # of chips that can be transferred in td s=0.0523,686.4=192 chips # of available codes d= 32,767/192 = 170 Chiprate = Mcps # of bits in maximal length code generator n = 15

Orthogonal Codes Orthogonal codes are used for channelization in downlink. Their autocorrelation are generally very low. However, their cross correlation is 0.

Cross-correlation Cross-correlation is the correlation of a code with all of the shifted versions of another code. Example: a={ } N=4 b={ } N=4 R0= 0 and R4= 0 R1= = 0 R2= = 0 R3= = 0

Walsh Hadamard Codes

Variable Length Orthogonal Codes

The Advantages of CDMA CDMA has a soft capacity limited by interference. The decrease in interference will directly increase the capacity: Voice channels are generally utilized 3/8 of time. Multi-beamed and multisectored antennas can reduce the interference. In FDMA and TDMA, some capacity between frequency channels is wasted. In CDMA, all the frequencies can be reused in the neighboring cells. In FDMA and CDMA, the frequency channel must be changed during handoff, i.e., hard handoff. This is not necessary in CDMA, i.e.,soft handoff. CDMA needs power control which actually decreases the interference, and increases the capacity. CDMA naturally provides frequency diversity which means additional security and reliability especially for military systems.

The Capacity of CDMA where
S is the power of the signal at the receiver R is the bit rate of the channel (bps) N is the number of channels used for the voice traffic  is the voice activity factor for the voice channels M is the number of channels used for the constant bit rate traffic  is all the other noise over the media B is the bandwidth of the channels (Hz).

The Capacity of CDMA N+M = (B/R) / (Eb/N0)
N = (((B/R) / (Eb/N0)) -1) /  when only voice N = (((B/R) / (Eb/N0)) -1) / ( ) when remote cell interference applied

Example B: 5 MHz, BFDMA: 30 KHz, BTDMA= 200 KHz
Eb/N0: 5, =3/8, R: 9.6 kbps nt: 8 (# of time slots in each TDMA frame) : 4 (frequency reuse factor) no gaps between frequency channels, all voice channels, SOFT For CDMA N = ((( /9600) / 5) – 1) / (3/ ) = 166 voice channels For TDMA N = (( /200000)/4)8 = 50 voice channels For FDMA N = ( /30000)/4 = 42 voice channels

Token Based Dynamic Conflict Free Schemes

Reservation Based Dynamic Conflict Free Schemes
- Packet Reservation Multiple Access – PRMA - Dynamic TDMA – DTDMA - Resource Auction Multiple Access – RAMA

Reservation Based Hybrid Schemes
PRMA R A A R S slots (R: reserved slots, A: available slots) D - TDMA Sv Sr reservation slots Sv voice slots Sd data slots variable border RAMA Sv Sa auction slots Sv voice slots Sd data slots variable border

Reservation Based Hybrid Schemes
Ts Td Auction Slot Auction Allocation time Ts Td Uplink Downlink Bit transfer time Propagation and processing delay

MAC for Ad Hoc and Sensor Networks
This table provides a chronological list of power-efficient MAC protocols which can be classified into two categories as contention-based protocols and conflict free protocols. The protocols above the yellow line are originally designed for ad hoc networks, while the ones in the lower part are implemented specifically for wireless sensor networks. In the following slides we briefly explain these protocols.

CSMA-based MACs Contention based medium access
Traditional CSMA schemes are inappropriate Assume stochastically distributed traffic Support point-to-point independent flows Traffic in sensor networks is Highly correlated Dominantly periodic Variable Contention based protocols in sensor networks are mainly derivations of carrier sense multiple access. However, they should consider that the traffic in sensor networks has high spatial and temporal correlation because an event occurs at a point in sensor field can stimulate a number of sensors in that part of the sensor field. Another issue is that the traffic has a periodical nature because of periodic queries. Therefore, sensor networks does not fit well the characteristics of carrier sense multiple access type contention based protocols that assume random traffic.

Other CSMA-based MACs for Ad Hoc Networks
Piconet F.Bennett, D.Clarke, J.B. Evans, A.Hopper, A.Jones, and D.Leask, “Piconet: Embedded mobile networking”, IEEE Personal Communications Magazine, vol. 4, no. 5, pp. 8–15, Oct Tseng et al. Y.Tseng, C.Hsu, and T.Hsieh, “Power-saving protocols for IEEE based multi-hop ad hoc networks”, in Proceedings of the IEEE Infocom, New York, NY, June 2002, pp. 200–209. SEEDEX R.Rozovsky and P.R.Kumar, “Seedex: A MAC protocol for ad hoc networks”, In Proceedings of the 2nd ACM International Symposium on Mobile ad hoc networking and computing, pages 67-75, New York, NY, USA, ACM Press. RBAR G.Holland, N.Vaidya, and P.Bahl, “A rate-adaptive MAC protocol for multi-hop wireless networks. In Proceedings of ACM MOBICOM'01, Rome, Italy, 2001. OAR B.Sadeghi, V.Kanodia, A.Sabharwal, and E.Knighlty, “Opportunistic Media Access for Multirate Ad Hoc Networks”, in Proceedings of ACM MobiCom'02 , Atlanta, GA, September 2002. Woo & Culler A.Woo and D.Culler, “A transmission control scheme for media access in sensor networks”, in Proceedings of the ACM/IEEE International Conference on Mobile Computing and Networking, Rome, Italy, July 2001, pp. 221–235, ACM. In this slide you see some other CSMA based MAC protocols for ad hoc networks.

Sensor MAC (S-MAC) Sleep Listen SYNC RTS, CTS
Each node obeys its neighbors’ schedule if one was heard, otherwise chooses and broadcasts one Schedule table is maintained locally and updated after receiving SYNC packets Sleep period does not hinder a transmission The Sensor MAC protocol SMAC addresses collisions, protocol overhead, and overhearing as well as reducing idle listening. It is designed for a simple radio providing just a single channel. In SMAC; nodes agree on a common slot structure and receiver nodes listen continuously to handle an incoming message at any time although the radio is switched on and off periodically according to a duty cycle. S-MAC protocol consists of three major components: periodic listen and sleep, collision and overhearing avoidance, and message passing. A listen period consists of synchronization and data transmission period. In synchronization period, nodes broadcast their sleeping schedule. When nodes receive this schedule from their neighbors, they adjust their own sleeping schedule so that all nodes sleep at the same time. During data transmission periods, nodes exchange data using RTS/CTS/DATA/ACK signaling scheme. If a node does not have data to transmit or receive, it sleeps. The scheme of periodic listen and sleep helps in reducing energy consumption by avoiding idle listening. W.Ye, J.Heidemann, and D.Estrin, “An energy-efficient mac protocol for wireless sensor networks”, in Proceedings of the IEEE Infocom, New York, NY, June 2002, pp. 1567–1576.

Sensor MAC (S-MAC) Sleep Listen SYNC RTS, CTS
Collision avoidance : similar to DCF Overhearing : duration field of the packets Idle listening : low-duty cycle and virtual clusters Required synchronization is embedded at the start of the listen interval Message passing and adaptive listening techniques for optimizing the latency S-MAC protocol includes both virtual and physical carrier sense and RTS/CTS exchange procedures. RTS/CTS mechanism is adopted to address the hidden terminal problem. All immediate neighbors of both the sender and the receiver sleep after they hear the RTS or CTS frame until the current transmission is over. S-MAC also includes message passing support which means fragmenting a long message into many short fragments and sending them in burst. During this sequence only one RTS and one CTS frame is used thus protocol overhead is reduced.

Timeout MAC (T-MAC) Sleep TA TX/RX
Active Time TA TX/RX Clustering and synchronization as in S-MAC Adaptive duty cycle to handle load variations in time and location (i.e. near the sink) Fixed contention interval Timeout-MAC protocol (T-MAC) [12] improves S-MAC by introducing an active/sleep duty cycle which are adapted according to the network traffic through a simple time-out mechanism. Nodes communicate using RTS, CTS, DATA and ACK frames which provide collision avoidance and reliable transmission. The T-MAC protocol avoids idle-listening by transmitting all messages in bursts of variable lengths and sleeping between bursts. T.van Dam and K.Langendoen, “An Adaptive Energy-Efficient MAC Protocol for Wireless Sensor Networks”, ACM SenSys, Los Angeles, CA, November, 2003.

Timeout- MAC (T-MAC) Sleep TA TX/RX
Active Time TA TX/RX Buffer capacity and time-out period “TA” are the key properties Solutions to early sleeping problem; Future RTS packet: to get an appointment from the intended receiver for the next available moment Full buffer priority scheme: refuse an RTS and issue own RTS to empty the buffer In T-MAC a node listens and transmits as long as it is in an active duty cycle. An active duty cycle ends when no activation event such as data reception is detected for a certain time period. Therefore, the length of active periods which are the equivalent of listen periods in SMAC protocol is adaptive to the traffic.

Power Control Power control schemes can be classified as:
Open Loop / Closed Loop / Combined Open and Closed Loop Centralized / Distributed RSSI-based / SIR-based / BER-based Continuous Power / Discrete Power Fixed Step Size / Adaptive Step Size Common Power Control / Independent Power Control In the original IEEE MAC, all frames are transmitted at the same transmit power level. By applying power control it is possible for a transmitting node to use only the required power level to communicate with the intended receiver thus extending its battery life. There are several power control mechanisms proposed for IEEE MAC protocol based on (RTS-CTS-DATA-ACK) signaling mechanism. We can categorize them as shown in this slide: For open loop power control a node adjusts its transmission power level inversely proportional to the averaged received power. In closed loop power control mechanism, the receiver node sends a measurement of the received power back to the sender node, and the sender node adjusts its transmission power based on the feedback provided by the receiver node. Both open loop and closed loop power control mechanisms help to combat with path loss and shadowing while only closed loop mechanisms overcomes multipath fading. In the centralized power control mechanism a centralized controller manages the transmission power level of the nodes in the network. In the distributed case nodes adjust their transmission power. The measured quantity for power control can be the received signal strength indicator (RSSI), the signal to interference ratio (SIR) or the bit error rate (BER). Transmission power level can be controlled in the continuous or discrete power domain. The transmission power update strategy can be either fixed (fixed step size algorithm) or can be made adaptive to the channel variations. Power control command in fixed step size algorithms is a simple 1-bit command while with the adaptive step size approach it is possible to increase or decrease the transmission power by the actual difference between the received signal power and the desired received signal power. Lastly in Common power control all nodes use the same transmission power while Independent Power Control allows nodes to use independent transmission powers.

BASIC e g a b c rmin d f h rmax
RTS and CTS are transmitted at the maximum power (rmax). DATA and ACK are transmitted at the minimum power required (rmin). To improve the performance of BASIC scheme, the transmission power is periodically increased while a DATA frame is being transmitted. Assigning different transmission power levels to different nodes for power control purpose result in asymmetrical link problem; where a node A can reach node B, but B cannot reach A; which consequently cause serious collisions. To combat with these collisions caused by the asymmetrical link phenomenon RTS and CTS is transmitted at the highest possible power level while DATA and ACK is transmitted at the minimum power level necessary to reach the destination. This mechanism is referred as the BASIC scheme shown in this slide. Power Control MAC is proposed to improve BASIC scheme. The difference between Power Control MAC and BASIC scheme is that Power Control MAC periodically increases the transmission power level to maximal during DATA frame transmission. E.-S.Jungand N.H.Vaidya, “A Power Control MAC Protocol for Ad Hoc Networks,” MOBICOM2002, September 2002.

Power Controlled S-MAC (PCSMAC)
Active Sleep SYNC RTS SDSH, DATA CTS ACK Both open loop and closed loop, distributed, RSSI-based, fixed step size, discrete and independent. a b c d f e rmax rab rae raf rbc rbd SYNC: rmax RTS: open loop, max(rab, rae, raf). CTS, ACK: open loop, max(rab, rbc, rbd). SDSH: open loop, max(rab, rae, raf). DATA: closed loop, rab. We also work on a power controlled sensor MAC protocol PCSMAC. PCSMAC has the same components like listen and idle states, and RTS-CTS-DATA and ACK frames. On top of these, PCSMAC provides a combined; both open-loop and closed-loop; distributed, RSSI-based, fixed-step size, discrete and independent power control mechanism; and improves S-MAC in terms of energy efficiency. The main idea of PCSMAC is to send RTS, CTS, DATA and ACK frames with appropriate transmission power levels instead of maximum. While reducing the power consumption PCSMAC preserves the collision and overhearing avoidance properties of the original S-MAC protocol. In PCSMAC RTS, CTS, ACK frames are transmitted by the transmission power that can reach all of the neighbors. This transmission power is calculated by an open loop power control mechanism based on SYNC frames transmitted at the maximum power level. The transmission power for data frames is determined closed loop such that the frame can be received in a distance no longer than the intended receiving node. Only a part of the headers in data frames is transmitted as it can be received by all neighbors. P.C.Nar, E.Cayirci , “PCSMAC: A Power Controlled Sensor MAC Protocol for Wireless Sensor Networks,” EWSN 2005.

SMACS and EAR fX fX Each node maintains its own frame (superframe).
Receiving slot Transmitting slot fX TA Connection messaging fX TB Each node maintains its own frame (superframe). Time slots are wasted if nothing to transmit. Uses FDMA or CDMA for multiple access. Neighbor discovery and channel assignment combined. Random wake up during connection phase. SMACS and EAR are combined neighbor discovery and channel assignment techniques proposed for wireless sensor networks. (K.Sohrabi et al., “Protocols for Self-Organization of a Wireless Sensor Network”, IEEE Personal Communications, October 2000.)

NAMA, LAMA, PAMA Contention resolution schemes for packet radio networks. 2-hop neighborhood awareness is essential which requires a random access period for distributing one-hop neighbor information. Nodes unelected during a time slot switch to receive mode There are also other MAC layer protocols such as NAMA, LAMA and PAMA. L.Bao and J.J.Garcia-Luna-Aceves, “A new approach to channel access scheduling for ad hoc networks”, In The seventh annual international conference on Mobile computing and networking 2001, pages , 2001. Wireless Tactical Underwater Surveillance Networks Erdal CAYIRCI 104

TRAMA Contention resolution scheme for wireless sensor networks inspired from NAMA/LAMA/PAMA Nodes unelected during a time slot switch to sleep mode, instead of receive mode TRAMA is another example. V. Rajendran, K. Obraczka, and J.J. Garcia-Luna-Aceves, “Energy-Efficient, Collision-Free Medium Access Control for Wireless Sensor Networks”, ACM SenSys, Los Angeles, CA, November, 2003.

EMACS Assumes a clustering scheme exists in the WSN.
Each time slot = CR + TC + Data parts. CR (Communication Request) TC (Traffic Control) Sleeping nodes do not own a timeslot. Two types of sleep mode; standby and dormant. Integrated, collaborative approach that is part of the EYES project. And EMACS can be another example. S.Dulman, L. van Hoesel, T.Nieberg, and P.Havinga, “Collaborative communication protocols for wireless sensor networks”, European research on middleware and architectures for complex and embedded cooperative systems, workshop held in conjunction with IEEE ISADS 2003, Pisa, Italy, pp. 3-7, ISBN , April 2003.

Ad Hoc Networks and Network Layer

Routing Flooding Distance Vector Link State i l g m h k f s r a b c d
router or switch Flooding Distance Vector Link State

Distance Vector i l g m h k router 5 3 4 6 Dest. Gateway Cost h h 4
i h 10 l h 12 k h 9 m h 13 Dest. Gateway Cost g g 5 h h 16 l l 3 k l 6 m l 7 Dest. Gateway Cost h h 4 i i 5 l i 8 k h 9 m i 12 Table of g (previous) Table of i (previous) Table of g (modified)

Count to Infinity Problem for Distance Vector
A B C D E A B C D E A is down at the beginning.     A comes up.    after 1 exc.   after 2 exc.  after 3 exc. after 4 exc. Algorithm rapidly reacts to good news. In N exchanges, everyone knows about the new router where the longest path is N hop. A is up at the beginning. A goes down. after 1 exc. after 2 exc. after 3 exc. after 4 exc. after 5 exc. after 6 exc. after 6 exc. It repeats until     What is infinitive? It is the highest number of hop plus 1, if the paths are measured according to the number of hops. What if we use delay?

Link State i l g m h k router 5 4 g’s link state Neighbor Cost h 4 i 5
3 6 i’s link state Neighbor Cost h g l m 3 4 l’s link state Neighbor Cost i m k k 5 h’s link state Neighbor Cost i g k 4 k’s link state Neighbor Cost l m h

Routing in the Internet
Network 1 Network 2 Network 3 Network 4 Network 5 Interior Gateway Protocols RIP (distance vector) OSPF (link state) IS-IS (link state) Exterior Gateway Protocols BGP

Mobile IP Addressing is themain issue.
Home LAN Foreign LAN tunneling home agent foreign agent care-of address home address Addressing is themain issue. Care-of address avertisements vs requests. Address bindings that need periodical refresh . Secure authentication.

Quality of Service Application Reliability Delay Jitter Bandwidth
High Low File transfer Medium Web access Remote login Audio on demand Video on demand Telephony Videoconferencing

Quality of Service Techniques Overprovisioning Buffering
Traffic shaping Leaky bucket Token bucket Resource reservation Admission control Proportional routing Packet scheduling

Quality of Service Protocols Integrated Services (IntServ)
Resource reSerVation Protocol (RSVP) Differentiated Services MultiProtocol Label Switching (MPLS)

Ad Hoc Networks no fixed infrastructure multihop
no centralized administration nodes act both as a host and a router wireless medium topology changes resources are limited source

Ad Hoc Network Architectures
tier-1 tier-2 Flat Architectures (not scalable) Hierarchical architectures (cluster-based)

Scheduling in Ad Hoc Networks
A MAC layer related challenge. Important when TDMA is used. Can be defined as: “schedule a time slot ti for every node i such that is minimized where n is the total number of nodes that have something to transmit. Must tackle with the interference problem. a b c Secondary Interference d a b c Primary Interference

Topology Maintenance in Ad Hoc Networks
Topology maintenance schemes can be classified as: 1. According to control packet traffic generated for topology maintenance: - Active - Passive 2. According to the frequency of control packets - On demand (event driven) - Continuous (time driven) 3. According to the storage of topology data - Central - Distributed

Ad Hoc Routing Algorithms
Table Driven (Proactive) On demand (Reactive) DSDV WRP AODV DSR LMR ABR CGSR TORA SSR Destination sequenced distance vector Cluster-head gateway switching routing Wireless routing protocol Adhoc on demand distance vector Dynamic source routing Lightweight mobile routing Temporally ordered routing Associativity based routing Signal stability routing

Fisheye Approach e c f s a d b g
The accuracy of the topology data is higher for the nodes closer.

Wireless Routing Protocol (WRP)
DSDV and CGRS are based on Bellman-Ford algorithm and they suffer from count-to-infinity problem. WRP is a table-based proactive routing protocol that is based on path-finding algorithm. In WRP each node in the network maintains four tables: Distance table Routing table Link-cost table Message retransmission list

Wireless Routing Protocol (WRP)
WRP uses both periodic and event triggered (in case of a link status change) update messages for topology maintenance. Update messages are exchanged among the neighboring nodes. Every node broadcasts a periodic update (HELLO message) reporting no changes if it does not report an update for a specific time period. Periodic updates are not acknowledged. Event triggered updates are broadcasted when topology changes are detected, and acknowledged by the related nodes.

Ad Hoc On Demand Distance Vector (AODV)
AODV is an improved version of DSDV and CGSR: AODV is based on a route discovery process whereas DSDV is based on periodic update messages. DSDV maintains all the routes whereas AODV maintains a route only when needed.

Ad Hoc On Demand Distance Vector (AODV)
Path discovery is initiated by a route request (RREQ) packet: Source addr Source seq # Broadcast id Destination addr Destination seq # Hop count RREQ Packet Destination Destination seq # Next hop Active neighbors # of hops Expiration time Routing Table s d a b c e f g h

Dynamic Source Routing (DSR)
Route discovery and route maintenance modes. It is based on source routing. s d a b c e f g h

Temporally Ordered Routing Algorithm (TORA)
TORA has three basic functions: Route creation Route maintenance Route erasure A height metric is used by the nodes in route creation and maintenance in order to establish a directed acyclic graph. The height metric is related with the logical time of link failure. Route erasure function uses a clear (CLR) packet throughout the network to erase invalid routes.

Temporally Ordered Routing Algorithm (TORA)
source destination node height metric b The link between nodes d and f fails. c a d g e f b a c d g f e Step 1 Step 2 Step 3

Routing Protocols for Sensor Networks
Categorization of Routing Protocols for Wireless Sensor Networks: (K. Akkaya, M. Younis, “A Survey on Routing Protocols for Wireless Sensor Networks,” Elsevier AdHoc Networks) Data centric protocols Flooding, Gossiping, SPIN, SAR, Directed Diffusion, Energy Aware Routing, Rumor Routing, TEEN, APTEEN, CADR Hierarchical LEACH, PEGASIS, Self organizing protocol Location based MECN, SMECN, GAF The routing protocols in sensor and actuator networks can be broadly classified as data centric, hierarchical or location based . Flooding, gossiping, rumor routing, sensor protocols for information via negotiation (SPIN), sequential assignment routing (SAR), directed diffusion, energy aware routing, threshold sensitive energy efficient sensor network (TEEN), constraint anisotropic diffusion routing (CADR) are examples for the protocols that fall in data centric category. Low energy adaptive clustering hierarchy (LEACH), power efficient gathering in sensor information systems (PEGASIS) and self-organizing protocol are examples for the hierarchical category. These techniques tackle with scalability factor by clustering nodes for routing. Location based algorithms such as minimum energy communication network (MECN), small MECN (SMECN), and Geographic Adaptive Fidelity (GAF) makes routing decisions based on geographic locations of sensor nodes.

Flooding and Gossiping
Flooding: Broadcast data to all neighbor nodes. Gossiping: Sends data to one randomly selected neighbor. Although these techniques are simple and reactive, they have some disadvantages including the following: - Implosion, - Data Overlap, - Resource blindness. In Flooding a node broadcasts data to all neighbor nodes. In gossiping the sensed data are sent to one randomly selected neighbor. In both of these techniques measurements must be taken to prevent loops. Although these techniques are simple and reactive, they have some disadvantages including - Implosion, - Data Overlap, - Resource blindness.

Implosion, Data Overlap, Resource Blindness
They are not resource aware protocols. The same data packet coming from the same source can be received from multiple nodes because the same data packet can be repeated by more than one node. This is called implosion. A similar challenge is due to multiple nodes that observe the same phenomenon or target. This is possible because events cover an area which can be detected by multiple nodes. This is called data overlap. Moreover flooding and gossiping do not take the resources available in the nodes into account. The schemes such as SPIN and directed diffusion tackle with all of these issues.

Sensor Protocols for Information via Negotiation (SPIN)
Uses three types of messages: ADV, REQ, and DATA. When a sensor node has something new, it broadcasts an advertisement (ADV) packet that defines the new data by using meta data. Interested nodes send a request (REQ) packet. Data is sent to the nodes that request by DATA packets. SPIN is based on the advertisement of data available in sensor nodes. When a node has a data to send, it broadcasts an advertisement (ADV) packet. The nodes interested in this data reply back by a request (REQ) packet. Then the node disseminate the data to the interested nodes by using data (DATA) packets. When a node receives data, it also broadcasts an ADV, and relay DATA packets to the nodes that send REQ packets. Hence the data is delivered to every node that may have an interest. W.R. Heinzelman, et.al., “Adaptive Protocols for Information Dissemination in Wireless Sensor Networks”, MobiCom’99.

REQ s a b c d DATA s a b c d s a b c d ADV How SPIN runs is shown in this example. Source node s sends an advertisement packet. [TICK] Node a broadcasts an interest for the advertised data Then the source node s delivers the data to Node a.

DATA s a b c d REQ s a b c d s a b c d ADV Then node a advertises the data. [TICK] Nodes c and d declare their interest. The data are delivered to nodes c and d.

Sequential Assignment Routing (SAR)
SAR algorithm creates multiple trees that are routed from one hop neighbors of the sink. Each tree grows outward from the sink by avoiding nodes with very low QoS and energy reserves. At the end of this procedure, most nodes belong to multiple trees. K. Sohrabi, et.al., “Protocols for Self Organization of a Wireless Sensor Network”, IEEE Personal Communications Mag., pp , October 2000. SAR is a tree based algorithm. It creates multiple trees that are routed from one hop neighbors of the sink. Each tree grows outward from the sink by avoiding nodes with very low QoS and energy reserves. At the end of this procedure, most nodes belong to multiple trees.

Directed Diffusion The sink sends out task descriptors (interest).
Task descriptors are named by assigning attribute-value pairs that describe the task. If a sensor node has data for that interest, the data is routed along the reverse path of interest propagation. The interest and data propagation and aggregation are determined locally. C. Intanagonwiwat, et.al., “Directed Diffusion: A Scalable and Robust Communication Paradigm for Sensor Networks”, MobiCom’00. In SPIN routing process is stimulated by sensor nodes. Another approach, namely directed diffusion, is collecting node oriented. In directed diffusion the collecting node floods a task throughout the sensor network. While the task is being flooded, sensor nodes record the nodes which send the task to them as their gradient, and hence the alternative paths from sensor nodes to the collecting node are established. When there is a data to send to the collecting node, this is forwarded to the gradients. One of the paths established is reinforced by the collecting node. After that point, the packets are not forwarded to all of the gradients but to the gradient in the reinforced path.

Directed Diffusion Source Sink
We will illustrate directed diffusion by using the scenario in this slide.

Directed Diffusion Interest Propagation Source Sink
Sink node floods its interest.

Directed Diffusion Gradient Setup Source Sink
Gradients are established while the task is disseminated.

Directed Diffusion Data Delivery Source Sink
Data is routed back by using the reinforced gradients.

Low Energy Adaptive Clustering Hierarchy (LEACH)
In LEACH, the nodes organize themselves into clusters. Sensors may elect themselves to be a local cluster head at any time with a certain probability. Each node access the network through the cluster head that requires minimum energy to reach. W. R. Heinzelman, A. Chandrakasan, and H. Balakrishnan, “Energy-Efficient Communication Protocol for Wireless Microsensor Networks,'' IEEE Proceedings of the Hawaii International Conference on System Sciences, pp. 1-10, January, 2000. LEACH is a cluster based protocol. In LEACH any node can elect itself as a cluster head at any time with a certain probability. Sensor nodes access the network through the cluster head that requires minimum energy to reach.

Minimum Energy Communication Network (MECN)
Uses graph theory, Each node knows its exact location, Network is represented by a graph G’, and it is assumed that the resulting graph is connected. L. Li and J.Y. Halpern, “Minimum-Energy Mobile Wireless Networks Revisited”, ICC’01.) In minimum energy communication network protocol it is assumed that the exact locations of nodes are known. Based on these locations, a sensor network is represented as a graph.

Minimum Energy Communication Network (MECN)
A sub-graph G of G’ is computed. G connects all nodes with minimum energy cost. A B Connection A requires less energy than connection B because the power required to transmit between a pair of nodes increases as the nth power of the distance between them (n>=2). Then the sub-graph that connects all nodes with minimum energy cost is computed by using a graph theoretic approach.

Power Controlled and Power Aware Routing in Sensor & Actuator Networks
Actuators register for the sensed data by disseminating a registration message. Every node maintains a registration table according to the registration messages. Every node derives a routing table from the registration table. Incoming sensed data packets are forwarded according to the routing table. A B b c d a C We also have a routing protocol for wireless sensor and actuator networks. It is designed for many-to-many regime of wireless sensor networks and three power control scenarios which are no power control, common power control and distributed power control. In this protocol, Actuators register for the sensed data by disseminating a registration messsage. These registration messages are disseminated such that the preferences on propagation delay and power consumption are satisfied. During dissemination of registration messages everynode maintains a registration table. And then everynode derives a routing table from it’s registration table. Incomming sensed data packets are forwarded according to the routing table. E. Cayirci, T.Coplu, O.Emiroglu, “Power Aware Many-to-many Routing in Wireless Sensor and Actuator Networks”, EWSN’05.

Power Controlled and Power Aware Routing in Sensor & Actuator Networks
Registration Table Actuator Id Uplink Node Id Echelon minPA totalPA totalPU Task A a 2 5 t1 d 4 3 B b 7 t1,t2 C 10 t1,t3 Route Selection Function Routing Table fi=(1)+(2)+(3)+(4) Task Uplink Node Id t1 a b t2 t3 In this slide you see a registration table, a routing table and the route selection function for the distributed power control case. In registration table, alternative uplink nodes for actuator and task pairs are listed together with some parameters: Echelon gives the hop number to reach the related actuator through this route. minPA indicates the power available at the node that has minimum power along the route. totalPA is the total power available along the route. And totalPU is the required total power to route the registration message from the actuator to this node. These data are carried by registration messages and maintained by nodes in every relay. As you can see there may be multiple routes for the same task and actuator pair in the registration table. The function shown in this slide is used to select one of them. In this function alpha gives the weight value for the related parameter. For example alpha one is the weight value for echelon parameter. This weight factor is multiplied with the normalized parameter value. Also a normalization function for echelon field is shown in the slide. The route that has the maximum score from this function is selected and inserted into the routing table. In routing table there are task and uplink pairs. Task indicates a certain type of sensed data such as temperature. As it is shown in the slide the same task report can be forwarded to multiple uplink nodes. Therefore, a many to many routing can be carried out.

Other Routing Protocols
Energy Aware Routing R.Shah, J. Rabaey, “Energy Aware Routing for Low Energy Ad Hoc Sensor Networks,” IEEE WCNC’02, Orlando, March 2002. Rumor Routing D. Braginsky, D. Estrin, “Rumor Routing Algorithm for Sensor Networks,” ACM WSNA’02, Atlanta, October 2002. Threshold sensitive Energy Efficient sensor Network (TEEN) A. Manjeshwar, D.P. Agrawal, “TEEN: A Protocol for Enhanced Efficiency in Wireless Sensor Networks,” IEEE WCNC’02, Orlando, March 2002. Constrained Anisotropic Diffusion Routing (CADR) M. Chu, H.Hausecker, F.Zhao, “Scalable Information-Driven Sensor Querying and Routing for Ad Hoc Heterogeneous Sensor Networks,” International Journal of High Performance Computing Applications, Vol. 16, No. 3, August 2002. In this and the following slides you will see some other routing protocols and references for them.

Other Routing Protocols
Power Efficient Gathering in Sensor Information Systems (PEGASIS) S. Lindsey, C.S. Raghavendra, “PEGASIS: Power Efficient Gathering in Sensor Information Systems,” IEEE Aerospace Conference, Montana, March 2002. Self Organizing Protocol L. Subramanian, R.H. Katz, “An Architecture for Building Self Configurable Systems,” IEEE/ACM Workshop on Mobile Ad Hoc Networking and Computing, Boston, August 2000. Geographic Adaptive Fidelity (GAF) Y. Yu, J. Heideman, D. Estrin, “Geography-informed energy conservation for ad hoc routing,” MobiCom’01, Rome, July 2001.

3D Routing Underwater acoustic Geographic routing protocol
Cross layer (MAC + Network) Latency is an important QoS metric Techniques that monitor layers and avoid them

Transport layer for wireless networks Reliability Flow and Congestion Control

End-to-end Reliable Event Transfer
Sink r a b c d event region sensor coverage sensor range Source to sink reliability. Sink to source reliability. We focus on the problem of reporting the detected events by sensor nodes to the collecting node. Since the detection range of sensor nodes often overlaps and an event that stimulates sensors cover an area, the same event is usually reported by multiple nodes as shown in the slide. The ultimate goal of a sensor network is the detection of events and targets. Therefore, loss of a data packet may be tolerated if another sensor can successfully report the same event or target. However apart from occasional losses of data packets, all packets that report the same event information may be lost in some cases, and an event may be completely lost although multiple nodes report it. An end-to-end reliable event transfer scheme should be able to prevent the loss of an event

Reliable Multi-Segment Transport (RMST)
RMST is a transport layer protocol for directed diffusion. RMST provides end-to-end data-packet transfer reliability. RMST is a selective NACK-based protocol that can be configured for in-network caching and repair. There are two modes for RMST: caching mode, non-caching mode. In caching mode, a number of nodes along a reinforced path, path being used to convey the data to the sink by directed diffusion, are assigned as RMST nodes. The reliable multi-segment transport (RMST) scheme is designed to provide end-to-end reliable data packet transfer for directed diffusion. Directed diffusion is a network layer protocol, and we will explain it later. RMST is a selective negative acknowledgement (NACK)-based protocol that has two modes: caching mode and non-caching mode. In the caching mode, a number of nodes along a reinforced path which is the path that directed diffusion protocol uses to convey the data to the collecting node, are assigned as RMST nodes. F. Stann, J.Wagner, “RMST: Reliable Data Transport in Sensor Networks,” SNPA 2003.

Reliable Multi-Segment Transport (RMST)
Sink RMST Node Source Node Each RMST node caches the fragments identified by FragNo of a flow identified by RmstNo. When a fragment is not received before the watchdog timer for the flow expires, a negative acknowledgement is sent backward. The first RMST node that has the required fragment along the path retransmits the fragment. In non-caching mode, sink is the only RMST node. RMST relies on directed diffusion scheme for recovery from the failed reinforced paths. Each RMST node caches the fragments of a flow. Watchdog timers are maintained for each flow. When a fragment is not received before the timer expires, a negative acknowledgement is sent backward in the reinforced path. The first RMST node that has the required fragment along the path retransmits the fragment. The collecting node acts as the last RMST node, and it becomes the only RMST node in the non-caching mode.

Pump Slowly Fetch Quickly (PSFQ)
Three functions: pump, fetch, and report operations. Every intermediate node maintains a data cache. A node that receives a packet check its content against its local cache, and discards any duplicates. If the received packet is new, the TTL field in the packet is decremented. If the TTL field is higher than 0 after being decremented, and there is no gap in the packet sequence numbers, the packet is relayed after being delayed a random period. A node goes to fetch mode once a sequence number gap is detected. The node in fetch mode requests a retransmission from neighboring nodes. The pump slowly fetch quickly (PSFQ) scheme is similar to RMST. PSFQ comprises three functions: message relaying, called pump operation, relay initiated error recovery, called fetch operation and selective status reporting called report operation. Every intermediate node maintains a data cache in PSFQ. A node that receives a packet check it’s content against its local cache, and discards any duplicates. If the received packet is new, the TTL field in the packet is decremented. If the TTL field is higher than 0 after being decremented, and there is no gap in the packet sequence numbers, the packet is scheduled to be forwarded. The packets are delayed a random period, and then relayed. A node goes to fetch mode once a sequence number gap is detected. The node in fetch mode requests the retransmission of lost packets from neighboring nodes. C-Y Wan, A.T. Campbell, L. Krishnamurty, “PSFQ: A Reliable Transport Protocol for Wireless Sensor Networks,” WSNA’02

Event-to-Sink Reliable Transport (ESRT)
ESRT is the first scheme that focuses on the end-to-end reliable event transfer. The end-to-end event transfer reliability is controlled based on the reporting frequencies of sensor nodes. Sink a b c d PSFQ and RMST schemes are designed to enhance end-to-end data packet transfer reliability. Event-to-sink reliable transport (ESRT) protocol is the first transport layer protocol that focuses on end-to-end reliable event transfer in wireless sensor networks. In ESRT, reliable event transfer is not guaranteed but increased by controlling the event reporting frequencies of sensor nodes. Y. Sankarasubramaniam, O.B. Akan, I.F. Akyildiz, “ESRT: Event-to-Sink Reliable Transport in Wireless Sensor Networks,” Mobihoc’03

Event-to-Sink Reliable Transport (ESRT)
Congestion Detection Mechanism: local buffer level monitoring bk-1 bk b Mark Congestion Notification Field when bk + b > B where bk is buffer fullness at interval k, b is buffer length increment, B is buffer size. ESRT provides also a congestion detection scheme that fits well to sensor networks. In ESRT congestion control scheme, the fullness of relay buffers of nodes are monitored by the nodes periodically. At the end of each time interval, the increase in the amount of relay buffer usage is calculated by every node. This increase in buffer usage indicates the additional buffer space required by the end of the next time interval. If the predicted buffer space is larger than a threshold, a congestion is expected, and therefore congestion notification is made.

End-to-end Acknowledgements for Events
temperature time 1 2 3 4 5 6 7 8 9 10 11 12 13 14 threshold  As we explained before, the loss of data packets can be tolerated as long as the reported events are receivedby the collecting node. It is possible to design acknowledgement schemes that pursue this idea. For this, we first need to find out a way to quantify an event. Of course this quantification is highly related to the type of sensor. However, it can be commonly charecterized as a change above a certain level in measurements. For example, if we use a temperature sensor which sends a time series of temperature data, an event can be detected when the temperature readings makes a sudden increase over a threshold level comparing to the recent average readings. N.Tezcan, E. Cayirci, U. Caglayan, “End-to-end reliable event transfer in wireless sensor networks,” PIMRC 2004.

Selective Acknowledgements
Both ends know the threshold. When the receiver finds out that the difference between the value in a new sensed data packet and in the previous packet is higher than the threshold, this indicates a critical data packet, and it acknowledges the receipt of the critical packet. If the sender does not receive an acknowledgement for a critical packet during the timeout period, it retransmits the critical packet.  Since it ispossible to interpolate the sensed data except for the data that carries an event, we can design an end-to-end acknowledgement based reliability scheme for only the event data. Selective acknowledgement is an example for this approach. In selective acknowledgement, Both ends know the threshold. When the receiver finds out that the difference between the value in a new sensed data packet and in the previous packet is higher than the threshold, this indicates a critical data packet, and it acknowledges the receipt of the critical packet. If the sender does not receive an acknowledgement for a critical packet during the timeout period, it retransmits the critical packet.

Timeout Period Two parameters: tmax, tavg
A critical packet is retransmitted tmax after its transmission if it is not acknowledged. If (numberOfEventsintheList>listSize-n) for(allEventsintheList) if(eventTimetmax || eventTimetavg) retransmit(event); tavg =  tavg + (1 - ) tack The timeout procedure is based on two parameters which are tmaximum and taverage. Tmaximum is the maximum duration that can an application tolerate before receiving a reported event. In some applications this may be a long period. For example, in SENDROM this is as long as few minutes. Basically, the source node can start a watchdog timer, and retransmits the critical packets that carry event data if it cannot receive an acknowledgement for them by the watchdog timer becomes equal to tmaximum. However, buffer space in a sensor node is generally limited and the sensed data typically have temporal correlation as we explained before. Therefore, buffer space can become full before watchdog timers expire. When the buffer fullness is over a certain threshold, all packets that has a timer over taverage are retransmitted. The pseudocode in the slide is for this timeout algorithms. Taverage can be found the same as in TCP.

Enforced Acknowledgement
The source node marks the critical packet. The receiver acknowledges the marked packet. If the sender does not receive an acknowledgement for the critical packet during the timeout period, it retransmits the critical packet.  In enforced acknowledgement the basic idea is almost the same as the selective acknowledgement. The difference is that the collecting node does not compute whether the received data packet carries a critical data or not. Instead, sensor node computes this before sending the packet, and marks the packet if it carries critical data. The collecting node sends back an acknowledgement when it receives a marked packet.

Blanket Acknowledgement
Blanket Acknowledgement is used in SENDROM. A. Erdogan, E. Cayirci, V. Coskun, “Sectoral Sweepers for Sensor Node Management and Location Estimation in AdHoc Sensor Networks,” MILCOM 2003. E.Cayirci, T.Coplu, “Sensor Networks for Disaster Relief Operations Management,” MedHocNet 2004. Multiple sensor nodes reporting the same event may be acknowledged by a single acknowledgement packet. In this scheme a task is disseminated at a single hop by using a directional antenna whose transmission direction and range cover all the task region. Sensor nodes deliver their data by multihop. The acknowledgement of the task data is also broadcasted single hop. For example, the nodes under a ruble can be invoked by broadcasting a task in SENDROM. A node in the task region replies if it detects a human. A single acknowledgement can suffice for all nodes that detect a human because the point is the detection of the human. Therefore a single acknowledgement for the task is disseminated. Blanket acknowledgement can also be used in conjunction with selective or enforced acknowledgements.

Localization and Positioning

Localization Localization GPS Based (Direct) Indirect
Global Positioning System (GPS) Manual Configuration Absolute Range-free The first option for node localization is global positioning system (GPS). However, GPS is not always a viable option for sensor networks. Nodes may be located in places where signals coming from satellites are not received with the required strength. In addition to this GPS modules may be too expensive to attach every node in some applications. Therefore, GPS-less techniques are important for sensor networks. When GPS-less techniques are used “absolute locations” can be found out based on the relative locations according to the beacon nodes whose locations are known. Or nodes can find out their relative locations according to the other nodes in the vicinity.

Localization in Sensor Networks
Localization can be done: Centralized, Locally centralized, Distributed. There are three approaches to carry out node localization computations in sensor networks: centralized, distributed and locally centralized. In the centralized approach, all measurements are sent to a central node by sensor nodes. The central node find out the locations of the nodes by using these measurements, then disseminate the results. Since sensor nodes have limited computational power and memory space, this may be a viable option for some applications. Moreover, in some applications sensor nodes may not need localization information but the central node that carries out some tasks such as route optimization, optimal sensor field coverage computations, spatial data aggregation, etc., may need localization data. Also centralized approach may perform better for collaborative multilateration which we will explain later. In the distributed approach nodes find out their locations themselves. Clusters where a central node for each cluster computes the locations of the nodes in the cluster are established in the locally centralized approach.

Localization in Sensor Networks
GPS-less techniques typically use one of the following techniques for location estimation: Received signal strength (RSS), Time of arrival (TOA), Time difference of arrival (TDOA), Angle of arrival (AOA). For GPS-less techniques either the distance or the angle from beacon nodes should be estimated first. The distance from a beacon node can be estimated by using one of the received signal strength (RSS), time of arrival (TOA) or time difference of arrival (TDOA) techniques. The technique for estimating the direction of a beacon node is named as angle of arrival (AOA). All these techniques have pros and cons which we will examine soon.

Triangulation or Trilateration
d1 x1 ,y1 x2 ,y2 x3 ,y3 d2 d3 1 2 3 x1 ,y1 x2 ,y2 x3 ,y3 beacon sensor Three or more beacon location and their distance to the node location are known. Three or more beacon location and their direction according to the node location are known. When the distance or angle from the beacon nodes and the location of beacon nodes are known it is possible to localize the node by multilateration. When angle based multilateration technique is used, the intersection point of the lines drawn from beacon nodes at the estimated directions gives the location of the node as shown in the slide. In the distance based multilateration the intersection of the circles that has the related beacon nodes at their center and the radius equal to the distances from the beacon nodes is the estimated location of the node as shown in the slide. For computation, this geometric approach can easily be represented by a set of equations. (x-x1)2 + (y-y1)2 d1 (x-x2)2 + (y-y2)2 = d2 (x-x3)2 + (y-y3)2 d3

Received signal strength
The following information is used to estimate the distance to a transmitter: Received power, Transmitted power, Path loss model. RSSI method may be unreliable and inaccurate due to: Multi-path effects, Shadowing, scattering, and other impairments, Non line of sight conditions. In the received signal strength technique a node knows the location of the beacons and the strength of the signals transmitted by them. Then it estimates the distance of the beacons by using a propagation model and received signal strengths. The results may not be highly accurate due to multi-path effects, and other impairments such as shadowing, scattering, and non line of sight conditions.

Time of arrival The following information is used to estimate the distance to a transmitter: Reception time, Transmition time, Propagation speed. Time of arrival method may also be unreliable and inaccurate due to multi-path effects and non line of sight conditions. The beacon and the node needs to be synchronized. The propagation speed of RF signals is too high for beacon based localization in sensor networks. Therefore signals with lower propagation speed such as ultrasound should be used. In time of arrival technique the node is time synchronized with the beacon nodes. It knows the location of the beacons together with the transmission time of the signals. When the node also knows the reception time, it is a simple computation to find out the distance of the beacons based on the propagation speed of the signal. The propagation speed of the RF signals is too high for sensor networks where the distances between nodes are only limited to a few meters in most of the cases. Therefore, ultrasound signals that have lower propagation speed may be preferred for this technique.

Time difference of arrival
The following information is used to estimate the distance to a transmitter: Arrival time of an RF signal, Arrival time of an ultrasound signal, Propagation speed of these signals. The difference between the propagation delays of RF and ultrasound signals gives the distance. Time difference of arrival method may also be unreliable and inaccurate due to multi-path effects and non line of sight conditions. In time difference of arrival technique two signals, for example an RF and an ultrasound, are transmitted by the beacon. The difference in reception times and the propagation speed of these signals give the distance between the node and the beacon. The results obtained by time of arrival and time difference of arrival may also be impaired due to multi-path effects and non line of sight conditions.

Angle of arrival Special antenna configurations are used to estimate the angle of arrival of the received signal. Angle of arrival method may also be unreliable and inaccurate due to: Multi-path effects, Shadowing, scattering, and other impairments, Non line of sight conditions. Angle of arrival technique is based on the usage of special antenna configurations. It may also be inaccurate due to multipath effects, non line of sight conditions and other sources of impairments in wireless medium.

Collaborative Multilateration
beacon sensor One-hop multilateration. Two-hop collaborative multilateration. In collaborative multilateration, sensor nodes collaborate with the other sensor nodes for localization when they do not receive signals from enough number of beacons. For example, two nodes that can receive signals from two beacons can collaborate to alleviate the lack of the third beacon as shown in the slide. The basic idea is to have at least n equations to estimate n variables. Use at least n equations to estimate n variables. The solution uniqueness is required.

Using Previous Measurements from Fixed Locations
beacon sensor receiver the location for previous reading Another approach is having a database of previous measurements. By using these past data, and the measurements of a node, the node location can be estimated. However, this approach can be very inaccurate due to the changes in the propagation environment due to moving people, changed furniture, weather conditions and other sources of noise. Another approach may be deploying some transmitters to the known locations, and comparing the measurements made for the signals coming from them to the signals coming from the targeted node. This approach is resilient against the temporal changes in the propagation environment.

Lighthouse lighthouse target
Lighthouse scheme is another approach. An optical sensor reports the time when a light signal from a beacon is first received. This indicates the direction of the node from the beacon. [TICK] When there are two beacons it is possible to find out the node location in two dimensions. It is also possible to estimate three dimensional locations by using at least three beacons.

Range Free Techniques x1, y1 x2, y2 x3, y3 x4, y4
a. Sectoral sweepers. b. Centroid. In another simple approach the basic idea is based on task dissemination by using directional antennae. Each task is also associated with a minimum and maximum RSS values and a unique task identification. When a node reports for a task, the task identification implies also a specific region. Please note that the borders of the task region cannot be very well defined, but a little amorphous due to multipath and non line of sight effects as shown in the slide. Although the resolution of this scheme is not as high as the other techniques explained before, it is simple enough to be implemented without any additional hardware or software components in the nodes. Moreover the resolution of the scheme is high enough for many sensor network applications such as SENDROM where the localization of the detected person in a 20 square meter is needed under a rubble which is typically less than 500 square meter. Creating overlapping task regions for the same task can enhance the resolution of this scheme. When a node reports for multiple tasks, the intersecting area of the reported task regions is the location of the node.

Range Free Techniques 20 – 25 meters directional antenna location of a
detected person 20 – 25 meters rubble coverage area of a transmitted task In another simple approach the basic idea is based on task dissemination by using directional antennae. Each task is also associated with a minimum and maximum RSS values and a unique task identification. When a node reports for a task, the task identification implies also a specific region. Please note that the borders of the task region cannot be very well defined, but a little amorphous due to multipath and non line of sight effects as shown in the slide. Although the resolution of this scheme is not as high as the other techniques explained before, it is simple enough to be implemented without any additional hardware or software components in the nodes. Moreover the resolution of the scheme is high enough for many sensor network applications such as SENDROM where the localization of the detected person in a 20 square meter is needed under a rubble which is typically less than 500 square meter. Creating overlapping task regions for the same task can enhance the resolution of this scheme. When a node reports for multiple tasks, the intersecting area of the reported task regions is the location of the node. Cayirci, E., Coplu T., “SENDROM: Sensor Networks for Disaster Relief Operations Management,” ACM/Kluwer Wireless Networks (to appear).

Time Synchronization Time synchronization is another important task for sensor networks not only because of the requirements by the protocols in various layers such as medium access control and network layers for tasks such as scheduling, routing and aggregation, but also the sensed data are often needed to be related with time.

Time Synchronization Nodes need to maintain the same time frame for:
time synchronization for communications protocols data fusion associating the sensed data, aggregating the sensed data, target tracking, finding out the direction and speed of a target. In sensor networks sensor nodes may need to maintain the same time frame for the reasons related to the data fusion such as: - associating the sensed data, - aggregating the sensed data, - target tracking, and finding out the direction and speed of a target.

Factors Influencing Time Synchronization
Temperature: Temperature variations during day may cause the clock speed up or down (a few microseconds per day). Phase noise: Access fluctuation at the hardware interface, response variation of the operating system to interrupts, jitter in delay, etc. Frequency noise: The frequency spectrum of a crystal has large sidebands on adjacent frequencies. Asymmetric delay: The delay of a path may be different for each direction. Clock glitches: Hardware or software anomalies may cause sudden jumps in time. Time synchronization is a more challenging task in sensor networks comparing to the other ad hoc networking technologies. We can list the factors influencing time synchronization in large systems as temperature, phase noise, frequency noise, asymmetric delay and clock glitches. Temperature variations during day may cause the clock speed up or down. This may be a few microseconds per day. Access fluctuation can occur at the hardware interface, at the response variation of the operating system to interrupts, and jitter in delay, etc. This is called phase noise. The frequency spectrum of a crystal has large sidebands on adjacent frequencies. This frequency noise may also make the clocks of two nodes differ in time. The delay of a path may be different for each direction which is another challenge for time synchronization. Lastly hardware or software anomalies may cause sudden jumps in time.

Time Synchronization Offset (ο): Nodes may be started at different times. Therefore, Node A may have a clock CA different from the clock CB that Node B has when the network starts at time t0. Skew (s): The factors like frequency noise and hardware may make the crystals of nodes are running at different frequencies. This causes clock skew, which may be ±30-40 part per million (ppm) for sensor node hardware. Skew may make times of two nodes get closer or further based on the offset. The skew related change per unit time t is constant. Drift (d): The factors like temperature, phase, asymmetric delay and clock glitches may change the offset between two nodes in time. Since these factors are temporarily variable, the change in clock, called drift, per unit time is not a fixed value. Time synchronization algorithms for sensor networks can be categorized into three broad classes. The first category is the centralized time synchronization where nodes are synchronized to a central timeserver. Network time protocol falls in this category.

Time Synchronization Synchronization Accuracy Exact Loose Distribution
Centralized Distributed Procedure Pair-wise (Sender/Receiver) Broadcast (Receiver/Receiver) Reference broadcast synchronizations scheme is an example for the distributed approach where the time is translated hop by hop throughout the network. Clustered

Data Querying One of the most challenging tasks in sensor networks is to synthesize the information requested by users from the available data measured or sensed by a large number of nodes. Since there are a sheer number of nodes with stringent energy constraints in a sensor network, it may not be feasible to fetch every reading of nodes for central processing. Instead effective data querying and aggregation techniques are needed. In this section we focus on data querying in sensor networks.

Data Querying in Sensor Networks
Continuous (persistent) queries or one time (snap shot) queries, Historical or real-time queries, Aggregate or simple queries, Complex or simple queries, Spatial or temporal queries. Data queries in sensor networks can be Continuous or one time in other words snapshot queries. Continuous queries can be periodical or event driven. Queries can be made for the past time measurements or for the current ambient conditions. We can categorize sensor network queries also as aggregated or non-aggregated. Queries can also be complex or simple. Finally, queries can be based on the node locations or the timings of the measurements. Of course hybrid queries which are any combinations of these classes are also possible. The users should be able to carry out any of these types of queries by using the data-querying scheme for sensor networks. One approach to realize this is to perceive a sensor network as a distributed database.

DADMA: Data Aggregation and Dilution by Modulus Addressing
Task Amplitude Location Time External Sensor Network Database Table Select [ task, time, location, [distinct | all], amplitude, [[avg | min |max | count | sum ] (amplitude)]] from [any , every , aggregate m , dilute m] where [ power available [<|>] PA | location [in | not in] RECT | tmin < time < tmax | task = t | amplitude [<|==|>] a ] group by task based on [time limit = lt | packet limit = lp | resolution = r | region = xy] Task Amplitude Location Sensor Network Database View Task Amplitude A different data base perception is introduced in data aggregation and dilution by modulus addressing scheme where a sensor network is perceived as a distributed relational database composed of a single view that joins local tables located at nodes. Records in local tables are the measurements made upon a query arrival and consist of two fields, namely task and amplitude. The task field indicates the type of the sensor that makes the measurement. For example, temperature, humidity. Nodes have limited memory capacity and they do not store the results of measurements. Therefore, task field is the key field in the local tables created upon a query arrival. This perception makes relational algebra practical to retrieve the sensed data without much memory requirement. Sensor network database view can be created temporarily either at the collecting node or at an external proxy server. A sensor network database view record has three fields, i.e., location, task and amplitude. While data is being retrieved from a node, the sensed data is also joined with the location of the node. Since multiple nodes may have the same type of sensors, location and task fields become the key in a sensor network database view. If the location data is not available and not important for the application, the local identification field for the sensing node replaces the location field. It is also possible to maintain a database in a remote proxy server where the records obtained from queries, after being joined with a time label. For example a daemon can generate queries at specific time intervals, and insert the records in the sensor network database view resulting from these queries into the database after joining them with a time field. In this scheme a query is started by a statement that has the structure given in this slide. Note that the standard SQL notation is used in this statement except for the last field starting with “based on” keyword. Virtual Local Sensor Node Table E.Cayirci, “Data Aggregation and Dilution by Modulus Addressing in WSNs,” IEEE Communications Letters, August, 2003.

Sensor Query and Tasking Language (SQTL)
SQTL is a procedural scripting language. It provides interfaces to access sensor hardware: - getTemperature, turnOn for location awareness: - isNeighbor, getPosition and for communication: - tell, execute. Sensor query and tasking language (SQTL) is a procedural scripting language introduced for wireless sensor networks. It provides interfaces to access sensor hardware. Some examples for these interfaces are in this slide. C-C Shen, et.al., “Sensor Information Networking Architecture and Applications”, IEEE Personal Communications Magazine, pp , August 2001.)

Sensor Query and Tasking Language (SQTL)
By using the upon construct, a programmer can create an event handling block for three kinds of event: - Events generated when a message is received by a sensor node, - Events triggered periodically, - Events caused by the expiration of a timer. These types of events are defined by SQTL keywords receive, every and expire, respectively. By using sensor query and tasking language, a user can send various types of queries to the network. These queries are resolved by the network based on the event handling block in the script. For example, queries may be replied as soon as it is received, or after a timer expires. It is also possible to sent continuous and periodic queries to the network by using sensor query and tasking language.

Task Sets status table Quadtree Sensor Power Task
Address Type Available Set 00 01 11 10 Task Set 1 Task Set 2 sensor node event status table The idea of task sets is based on dividing a sensor field into sub-regions, defining task sets, and assigning a specified number of nodes to every task sets in each sub-region. A viable option to define sub-regions is quadtree addressing which we will explain later. The number of nodes in each sub-region varies because of the non-homogenous distribution of nodes. Hence the cost of querying sensor field varies in different sub-regions. To balance this cost, forming task sets with a specific amount of nodes in each quadrant can be very useful. By task sets users have also an initiative to trade off between accuracy/reliability and communications cost. The number of nodes in a task set indicates the resolution of the data which can be collected by querying the task set. The higher number of nodes in a task set implies higher accuracy and reliability. On the other hand more power is consumed as the number of nodes in a task set increases. Task sets can be formed by maintaining a status table in every node. An example status table is shown in the slide. Lets assume that the node that owns this status table has 0.97 units of power available. If task set 1 is specified as two nodes that have highest power available in every sub-region, then the owner of this status table can easily find out that it is in task set 1, and it involves in the resolution of the queries sent to task set 1. E. Cayirci, C.Cimen, V. Coskun, “Querying Sensor Networks By Using Dynamic Task Sets,” Computer Networks (Elsevier), 2006.

ACQUIRE query node active node sensor node active query sensed data
complete data In active query forwarding in sensor networks (ACQUIRE) scheme, each node that forwards a query tries to resolve it. If the node resolves the query, it does not repeat it but send the result back. Nodes collaborate with their n hop neighbors to resolve a query. The parameter n is named as look ahead parameter. If a node cannot resolve a query after collaborating with n hop neighbors, it forwards it to another neighbor. When look ahead parameter n is 1, ACQUIRE performs as flooding in the worst case. N. Sadagopan, B. Krishnamachari, A. Helmy, “The Acquire Mechanism for Efficient Querying in Sensor Networks,” Elsevier Ad Hoc and Sensor Networks, 2004.

Mobility-Assisted Resolution of Queries in Large-Scale Mobile Sensor Networks
contact S Selector Node R zone radius (in hops) Mobility assisted resolution of queries in large-scale mobile sensor networks makes use of the mobile nodes to collect data from the sensor network. In this scheme every node has contacts that are some of the other nodes. When contacts move around, they interact with other nodes and collect data. Nodes collaborate with their contact to resolve the queries. A. Helmy, “Mobility-Assisted Resolution of Queries in Large-Scale Mobile Sensor Networks” Special Issue Computer Networks (Elsevier) on Wireless Sensor Networks, 2003.

Coverage

Factors for Node Coverage
- Node deployment scheme - Sensing and communications range - Energy efficiency and connectivity requirements - Algorithm paradigm, i.e., centralized or distributed By using sensor query and tasking language, a user can send various types of queries to the network. These queries are resolved by the network based on the event handling block in the script. For example, queries may be replied as soon as it is received, or after a timer expires. It is also possible to sent continuous and periodic queries to the network by using sensor query and tasking language.

Coverage Problem In area coverage the objective is to cover an area, which means for the sensing coverage problem to ensure every point in a given area can be observed, and for the communications coverage problem a node at any point in the area can access the network. In point coverage the objective is to ensure that a given set of points are covered by the network. In barrier coverage the objective is to ensure that there is no hidden path through the network, i.e., an intruder cannot go through the network without crossing the coverage area of at least one node. By using sensor query and tasking language, a user can send various types of queries to the network. These queries are resolved by the network based on the event handling block in the script. For example, queries may be replied as soon as it is received, or after a timer expires. It is also possible to sent continuous and periodic queries to the network by using sensor query and tasking language.

Approaches for Coverage Problem
The nodes are assumed to be deployed randomly according to a distribution, and the minimum number of nodes that satisfies a given probability of coverage is determined. It is assumed that the nodes can be deployed at certain locations, and the location for each node is determined such that the maximum coverage for the given number of nodes can be achieved. By using sensor query and tasking language, a user can send various types of queries to the network. These queries are resolved by the network based on the event handling block in the script. For example, queries may be replied as soon as it is received, or after a timer expires. It is also possible to sent continuous and periodic queries to the network by using sensor query and tasking language.

Security in Wireless Communications

Security Challenges Specific to Wireless Networks
Easier to tap Limited resources and stringent constraints Self forming, self organization and self healing algorithms Hidden and exposed terminal Jamming and the other denial of service attacks Ourtutorial has the outline shown in this slide. We first introduce the wireless sensor and actuator networks concept. Then we list a number of application areas which provide a better insight about the motivation behind this concept. Factors, such as fault tolerance, Scalability, Production Cost, Hardware Constraints, Sensor Network Topology, Environment, Power Consumption, are examined later. They introduce stringent constraints which make wireless sensor and actuator networks a special field for the researchers. We then discuss the communications architecture for sensor networks which can be realized when we have protocols related to application, transport, network, data link and physical layers. During this discussion, we present asurvey ofprotocols and algorithms proposed thusfarfor sensor networks. Please note that thisisan introductory discussion. We give the key ideas but not the details related to the protocols and algorithms. Before conclusion we show a couple of slides where several simulation and testing tools for sensor and actuator networks are introduced.

Information Security Information Security Computer Security
Communications Security Hardware Security Software Security Transmission Security Emanation Security Ourtutorial has the outline shown in this slide. We first introduce the wireless sensor and actuator networks concept. Then we list a number of application areas which provide a better insight about the motivation behind this concept. Factors, such as fault tolerance, Scalability, Production Cost, Hardware Constraints, Sensor Network Topology, Environment, Power Consumption, are examined later. They introduce stringent constraints which make wireless sensor and actuator networks a special field for the researchers. We then discuss the communications architecture for sensor networks which can be realized when we have protocols related to application, transport, network, data link and physical layers. During this discussion, we present asurvey ofprotocols and algorithms proposed thusfarfor sensor networks. Please note that thisisan introductory discussion. We give the key ideas but not the details related to the protocols and algorithms. Before conclusion we show a couple of slides where several simulation and testing tools for sensor and actuator networks are introduced.

Security Attacks Security attacks can be classified into two broad classes: Passive: no emission to conduct the attack Active: emit, interfere or tamper

Passive Attacks Passive Attacks Eavesdropping Traffic Analysis
Eavesdrop: Tap the communication lines - wireless links are easier to tap - signals are sent to shorter distances in wireless ad hoc networks - challenges when multiple networks with different classification - privacy challenges - collection vs analysis Traffic analysis: Traffic patterns and rates - friendship trees

Traffic Analysis Traffic analysis at the physical layer: In this attack only the carrier is sensed and the traffic rates are analyzed for the nodes at a location. Traffic analysis in MAC and higher layers: MAC frames and data packets can be de-multiplexed and the headers can be analyzed. This can reveal the routing information, topology of the network and friendship trees. Traffic analysis by event correlation: Events like a detection in sensor network or transmission by an end user can be correlated with the traffic and more detailed information, e.g., routes, etc., can be derived. - Active traffic analysis: For example, certain number of nodes can be destroyed, which stimulates the self organization in the network, and valuable data about the topology can be gathered.

Masquerade, Replay, Message Modification
Active Attacks Physical Active Attacks Masquerade, Replay, Message Modification - Integrity - Unauthorized Access - Confidentiality - Privacy Denial of Service - Physical Layer - MAC Layer - Network Layer - Transport Layer - Application Layer - Destruction - EMP - Tampering Misbehaving Selfishness Attacks against charging scheme

(analyze the behaviour)
Tampering Invasive (unlimited access) Traffic Analysis (analyze the behaviour) Example attacks: - micro probing - laser cutting - focused ion-beam manipulation - glitch attacks - power analysis

Masquerade, Modify, Replay
A masquerading node acts as if it is another node. Messages can be captured and replayed by the masquerading nodes. The content of the captured messages can be modified before being replayed.

Attacks can be organized against Node localization Time synchronization Data aggregation and fusion Data correlation and association Event and event boundary detection Node management

- Sybil attack: introduce multiple identities - Unauthorized access - Phishing: Password fishing - Preserve anonymity of the attacker

Denial of Service Attack
Any event that diminishes a network capacity to perform its expected function correctly or in a timely manner A DOS attack is characterized by: Malicious: It is carried out to prevent the network from fulfilling its intended functions. It is not accidental. Otherwise it is not in the domain of security but reliability and fault tolerance. Disruptive: It degrades the quality of services by the network. - Asymmetric: The attacker puts much less effort comparing to the impact made on the network.

Denial of Service Attack
- In physical layer (jamming) either continuous or temporary and random - In MAC layer: Whenever an RTS signal is received, a signal that collides with the CTS signal is transmitted. If the MAC scheme is based on the sleep and active periods, jamming only the active periods can continuously block the channel. False RTS or CTS signals with long data transmission parameters are continuously sent out. Acknowledgement spoofing, where an adversary sends false link layer acknowledgements.

DOS Against Routing Spoofed, altered, or replayed routing information
Hello flood Wormhole Detour m a w1 e f c b d w2 Hello Flood Wormhole

DOS Against Routing Sinkhole: attractive malicious node
Blackhole: malicious node drops every packet Selective forwarding: malicious node does not forward every packet - Routing loop attack: Detour or sinkhole attacks to create routing loops - Sybil attack: A single node presents multiple identities - Rushing attack: An attacker disseminates route request and reply messages quickly throughout the network. - Attacks that exploit node penalizing schemes - Attacks to deplete network resources

DOS Against Transport Layer
Transport layer acknowledgement spoofing Replaying acknowledgement Jamming acknowledgements Changing sequence number Connection request spoofing

Misbehaving Selfishness Attacks against payment schemes Refusal to pay
Dishonest rewards Free riding source destination infrastructure routing node

Attackers Motivation - Confidentiality - Integrity - Privacy
- Unauthorized Access - DoS - Selfishness - Charging - Rewarding Emission - Active - Passive Location - Insider - Outsider Quantity - Single - Multiple - Coordinating Multiple Rationality - Naive - Irrational - Rational Mobility - Fixed - Mobile

Security Goals Authentication Access control
Confidentiality to protect content Confidentiality to prevent traffic analysis Privacy Integrity Authorization Anonymity Non-repudiation Freshness Availability Resilience against attacks

Challenges and Solutions: Basic Issues

Security challenges and solutions in wireless networks
Bootstrapping security in Ad Hoc networks Bootstrapping security in sensor networks Key distribution, exchange and management Authentication issues Integrity

Bootstrapping security in Ad Hoc networks
Build a security infrastructure between the nodes during the bootstrapping phase new nodes that can join the network can form a secure association with the nodes already in the network the trust infrastructure can be set up without the knowledge of the network topology the credential verification scheme should be strong enough to resist DoS attack and at the same time do not need large computational ability and memory

Building security infrastructure in Ad Hoc networks
Prior context can be used Trusted third party can be used to facilitate the establishment More natural to self-organize the trust infrastructure

Bootstrapping security in sensor networks
Resilience against node capture Resistance against node replication Revocation Scalability

Key distribution, exchange and management
Desirable features of ad hoc network key management scheme: applicability security Robustness scalability simplicity

Standards None MANET internet drafts and RFCs has thus part IEEE i assumes keys are preshared or established with the aid of fixed infrastructure ZigBee, IEEE , Bluetooth are infrastructure-based networks and do not apply to MANETs

Classification of key management schemes Key management schemes Contributory Schemes key agreement Distributive schemes key distribution Z-H MOCA SEKM UBIQ AKM PGP-A COMP MOB-a/MoB-so D-H ING B-D H&O CLIQ PSGK SKIMPy S-HEAL LKH GKMPAN Symmetric schemes MANET schemes PRE SPINS PEBL INF LEAP WSN schemes Public key schemes Certificate based IBC-K Identity based

Contributory key management schemes
D-H ING B-D H&O A-G CLIQ

Distributive key management schemes
Public key schemes: Certificate based - Z-H - MOCA - SEKM - UBIQ - AKM - PGP-A - COMP - MoB-a/MoB-so Identity based - IBC-K Symmetric key schemes

Partially distributed Threshold CA Scheme (Z-H )
Provide an available, intrusion tolerant, and robust CA functionality for ad hoc networks Private CA key distributed over a set of server nodes Using share refreshing to counter mobile adversaries synchronization needed

MOCA An extension to Z-H
Nodes that exhibit best physical security and computational resources serve as MOCAs Moves the combiner function of Z-H from CA servers to requesting end-nodes MOCA certification protocol

SEKM Servers of MOCA form a multicast group
Efficient updating of secret shares and certificates

UBIQ Fully distributed threshold CA scheme
All nodes get a share of the private CA key Certification service is delivered within 1-hop neighborhoods Bandwidth efficient and good for the scalability Possible requirement of human involvement

AKM Autonomous key management (AKM) R G H N1 N2 N3 N4 N6 N5 H4 H6 H5
Initialization f(N1) f(N2) f(N3) S1 S2 S3 (k,n) = (3,3) New node added f(N4) f(N5) f(N6) (k,n) = (3,6) Split g(N1) g(N2) g(N3) h(N4) h(N5) h(N6) S’=f(N1)+f(N2)+f(N3) g()=S”+b1+b2 S”=f(N4)+f(N5)+f(N6) g()=S”+c1+c2 S=S1+S2+S3 f()=S+a1+a2

PGP-A CA functionality completely distributed,all nodes have equal roles Assumes trust is transitive Certificates exchanged periodically Renewals require contact with the issuer

COMP Combines MOCA’s partially distributed threshold CA with PGP-A certificate-chaining Each certificate includes a confidence value reflecting the level of confidence Higher security than obtainable with PGP-A Increased availability of CA service compared to MOCA

MOB Seeks to mimic human behavior
Can be fully self-organizing (MOB-so) or rely on an off-line authority (MOB-a) Bandwidth efficient with limited scalability Long delay to establish security associations with all communication partners

IBC-K PKG 1 SETUP PKG chooses two large primes as private maser key, and publishes the chosen and calulated public system parameters as shown Private Master Key : p, q (two large primes) Public system params: n = p·q (factorization is kept secret) e = large prime, gdc (e,φ(n)) = 1 f = hash function 2 EXTRACTION 3 SIGNING user The user presents its identity, to PKG PKG returns the corresponding private key:g The identity is related to g in the following way g =i (mod n) e g Alice Bob f(t,m) (i, m, t, s) 4 VERIFICATION The signature (s,t) of the message m is verified by checking: S = i·t (mod n) The security of Shamir’s IBS schem relies the difficulty of deciding g given g mod n when the factorization of n is unknown secure channel The signature (s,t) of the message m is caculated as follows: t = r , s =g·r (mod n) i : user id m : message s,t : signatrue r : random

Symmetric key schemes Public key schemes: MANETschemes - PSGK - SKIMPy
- S-HEAL - LKH - GKMPAN Identity based - PRE - SPINS - PEBL - INF - LEAP

PSGK Key distribution centre pre-distributing a symmetric key to all members of the group Lacks intrusion tolerance in the sense that security succumbs to a single captured node Not designed specially for ad hoc networks

SKiMPy Designed for MANETs to protect network layer routing information or application layer user data Periodical updates group key to counter cryptoanalysis Bandwidth efficient Adds complexity compared to PSGK

S-HEAL Key distribution scheme with revocation, for networks with unreliable links Demands pre-shared secrets and group manager Self-healing Inapplicable for protection of routing information

LKH K K1234 K1 K12 K2 K3 K34 K4 K5678 K5 K56 K6 K7 K78 K8 N1 N2 N3 N7 N5 N8 N4 N6

GKMPAN Designed for secure multicast in ad hoc networks
Assumes a pre-distributed group key plus a pre-distributed commitment Increases intrusion tolerance compared to PSGK

PRE Assumes WSN nodes outfitted with a pre-installed key ring
A number of PRE schemes for WSNs have been proposed The idea of the key ring of PRE is intrusion tolerance Intrusion resistance comparable to PSGK

SPINS Assume pre-installed individual (pairwise) keys between sensor nodes and base station Demands routing protocol and reliable access to the base station Includes a scheme for authenticated broadcast

PEBL Refer to large ad hoc networks with small size and large number nodes An extension to PSGK Protection of application data Offers no protection against replay or intrusion attacks Bandwidth consuming, needs synchronization

INF Intended for WSNs Assumes static sensor nodes and mass deployment
A key whispering approach is used Simple, self-organizing, and robust to Byzantine behavior and faulty nodes Bandwidth efficient, scales well Vulnerable to eavesdropping during key whispering

LEAP Designed for static WSNs Different keys for different purposes
Pre-distributed individual keys are used for communication between sensor nodes and the base station Pre-shared group key is applied for protection of broadcast information from the base station

Authentication issues
Authentication needed in wireless networks MAC (message authentication code) used to provide authentication Asymmetric mechanisms adopted for multi-party communication

Integrity Data integrity needed in wireless networks
CRC and MAC can be used to provide data integrity

Challenges and Solutions: Protection

Privacy and anonymity There is conflict between the need for public information and the demand of personal privacy in wireless networks Anonymity techniques are needed to provide privacy Information flooding is an efficient way to provide anonymity Policy-based access control decision and authentication can also help

Privacy and anonymity Anonymity approaches to provide privacy
Decentralize sensitive data Using secure communication protocols, SPINS De-patterning data transmission Increasing sensor node mobility

Intrusion detection Intrusion detection is the first line of defense
Intrusion detection techniques Abnormality detection Misuse detection Specification based detection

Intrusion detection Architectures for IDS in wireless ad hoc networks
Stand-alone IDS Distributed and Cooperative IDS Hierarchical IDS Mobile Agent for IDS IDS for sensor networks

Defense against traffic analysis
Rate monitoring attack Method against rate monitoring attack Time correlation attack Method against time correlation attack

Access control and secure human computer interaction
Problems related with password mechanism Characteristics should be considered for password design Different methods for access control and strange password design

Software based anti-tamper techniques
Software based anti-tamper techniques is efficient for software cracking attacks Encryption wrappers Code obfuscation Software watermarking and fingerprinting Guarding

Encryption wrappers Software is encrypted and has to be decrypted before use Only the codes that will execute in the system should be decrypted Decryption keys have to be protected Add overhead for decryption in run time.

Code obfuscation Code obfuscation can prevent attacks of reverse engineering Quality of obfuscating transformations: potency, resilience ,cost Different kinds of obfuscation transformations: layout transformation, data transformation, control transformation, preventive transformation

Software watermarking and fingerprinting Software watermarking and fingerprinting can protect illegal copying of digital items Behavior of the watermarked program should be affected if the watermark is distorted or destroyed Fingerprinting embeds a unique message in the software for traitor tracing Static watermarking and dynamic watermarking

Guarding Multiple (possibly simple) protection techniques provide robust protections Guard is a piece of code responsible for performing certain security-related actions Guards can provide multiple layers of defense

Hardware protection Physical attacks toward the wireless sensor networks Hardware protection of physical attacks Using tamper-resistant processors and lightweight hardware Advantages and disadvantages of hardware based protection

Availability and plausibility
Network availability can be increased using security techniques Checking the plausibility is a useful method for defending against compromised nodes

Secure Routing

Secure Routing Approaches
- attack prevention - attack detection and recovery from the attack - resilience against security attacks

Defense Against Wormholes
Geographical Leashes: The source node S includes its location lS and the packet transmission time tS as the geographical leash into its packet PS sent to destination D. S→D: lS, tS, PS The clocks are synchronized to within ±Δ. The upper bound for the distance is db. The node localization error upper bound is δ. The upper bound for the velocity in transmitting signals is v The node i that forwards the packet, which is at location li, and receives the packet at time ti can check the following condition: db ≤ |li – lS|+2v × (ti-tS + Δ) + δ

Temporal Leashes: The transmission and reception times of the packets are used for detecting wormholes. When a node A sends or forwards a packet to another node B, it also includes the transmission time tA into the packet PA. A→B: tA, PA Node B checks the difference dAB between the transmission time tA and reception time tB of the packet. If dAB is larger than a given threshold θ, it may indicate a wormhole attack.

c b d w2 2 1 3 6 4 5

Defense Against Sybil Direct validation: A node directly verifies if the identity of a neighboring node is valid. For example, a node may assign each of its neighbors a separate channel to communicate, and ask them to transmit during a period. Then it checks these channels in a random order within that period. If a node is transmitting in its assigned channel, the node is a physical node. Indirect validation: Another trusted node provides the verification for the identity of the node. For example, every node may share a unique key with the base station. When two nodes need to establish a link between them, they verify each others identity through the base station by using these keys. Random key: Random keys assigned to nodes also provide security against sybil attacks.

Defense Against Selective Forwarding
Acknowledgements: Every intermediate node that forwards a packet waits for an acknowledgement from the next hope. If the next hope node does not return the same number of acknowledgements as the number of the packets sent, the node generates an alarm about the next hop node. Compromised nodes can generate acknowledgements also for the packets that they dropped which make this scheme fails. Moreover a malicious node can generate fake alarms to organize a DoS attack. Multipath routing: This requires at least link disjoint paths, where two paths may share some nodes but any link. Of course node disjoint paths, where two paths do not have any node in common, are better and reduce the risk of selective forwarding attack

Secure Routing in Sensor Networks
- Secure broadcasting for the downstream traffic. - Secure multicasting for the downstream traffic. - Secure data aggregation when routing from multiple nodes to a base station. - Secure data aggregation and multicasting when routing from multiple nodes to multiple base stations or actuators.

Routing that Enhance Security
Random Walk Greedy Random Walk Flooding Baseline flooding Probabilistic flooding Flooding with fake messages Phantom flooding

Secure Routing Protocols
Intrusion Tolerant Routing in Wireless Sensor Networks (INSENS) Authenticated Routing for Ad Hoc Networking (ARAN) On Demand Secure Ad Hoc Routing (ARIADNE) Watchdog Pathrater Secure Ad Hoc on Demand Distance Vector (SAODV) Secure Link State Routing Protocol (SLSP)

INSENS Fixed sensor networks Multipath link state routing
Base station computes and broadcasts the routes

INSENS Route Discovery Phase
Base station floods a route request message Use TESLA for authentication Everynode appends its id and a MAC by using a secret key before forwarding the route request Everynode returns a route reply to the base station message after waiting t Base station verifies MAC, computes the routes, and send them to nodes Data Forwarding Phase <destination, source, immediate sender> Example: Route: S to D: S → a → b → c → D The forwarding table of a: <D, S, S> The forwarding table of b: <D, S, a> The forwarding table of b: <D, S, b>.

ARAN Dynamic source routing for ad hoc networks
When a node A accesses the network first time or needs a certificate for route discovery, it requests the certificate from the trusted server T. The server T first authenticates the node A and sends a certificate to it: T → A: certificateA IPA is the IP address of Node A, KA+ is the public key of A, t is the time the certificate is created, e is the time that the certificate expires, KT- is the private key of T.

ARAN A node S that has a valid certificate can start a route discovery for another node D by broadcasting a route discovery packet (RDP): where NS is a nonce, which is the sequence number, i.e., the source node S monotonically increase the nonce each time it performs a route discovery, to ensure the freshness of the reply message expected from the destination D.

ARAN When a node receives an RDP message, it first decrypts the message, and then records the neighbor that sends the message as the next hop node for the source node of the message. If the node receives a reply message for this RDP, it just forwards the reply to the neighbor in this record. Finally, it encrypts the message by using its private key, appends its certificate and broadcasts the message.

ARAN When destination node D receives the route discovery message from the last node in the route, i.e., let it be C for our example, it first verifies the source’s signature, and then prepares a reply (REP) message and unicasts it to C:

ARIADNE ARIADNE route discovery process starts with a ‘route request’ that has the following fields: - Route request - Source node - Destination node - Route request Id - Time interval - Hash chain: The hash value created by all the nodes in the route - Node list: The list of nodes in the route - MAC list: The list of the MAC values calculated by every node in the route Hash chain is computed first by the source node S as follows: h0=MAC(KSD, REQUEST | S | D | id | ti) After computing h0, source node initializes node list and MAC list fields as empty lists and broadcasts the ‘route request’ message. S → broadcast:{REQUEST, S, D, id, ti, h0, (), ()}

A → broadcast:{REQUEST, S, D, id, ti, h1, (A), (MA)}
ARIADNE Every node that receives route request first checks <source, id> fields in its buffer. If this request has already been received, the new request is dropped. The node also checks the time interval. If it is too far in the future or the key associated with it is already disclosed, packet is discarded. Otherwise the receiving node modifies the hash chain hi. Assume that A is a node one hop from the source node S. It computes h1 as follows: h1=H(A, h0) It also calculates its MAC value by using the next key KAti in the TESLA key chain, adds it’s address and the MAC value into the ‘route request’ message and broadcasts it: A → broadcast:{REQUEST, S, D, id, ti, h1, (A), (MA)}

ARIADNE When the destination node receives the ‘route request’, it checks the validity of the request by determining that the keys of the time interval are not disclosed yet, and the final hash chain is equal to H(an, H(an-1, H(…..,H(a1, MAC(KSD, REQUEST | S | D | id | ti))….))) where an is the address of the node at position n and there are n nodes in the node list. If both of these conditions are hold, it indicates that the request is valid. Then the destination node D computes the destination MAC MD, prepares ‘route reply’ message and returns it along the source route that can be obtained by reversing the sequence of hops in the node list of the ‘route request’ message. D → C:{REPLY, D, S, ti,,(A, B, C), (MA, MB, MC), MD, ()}

ARIADNE In the reverse path, every node waits until it can disclose its TESLA key. After than it appends its TESLA key and forwards to the next hop in the reverse path. When source receives the ‘route reply’ message, it verifies that each key and each MAC are valid. If they are, it accepts the ‘route reply’ message. Otherwise it discards the message. After this the route is maintained in the ‘route cache’ until a ‘route error’ message is received. When an intermediate node B that tries to forward a message to the next node C in the route fails, it generates the following ‘route error’ message and sends it to source node S along the reverse path.

WATCHDOG PATHRATER Pathrater rates the links based on the reliability of the links and misbehaving knowledge of the nodes. Every node rates every other node in the network. When a link used successfully, its rate increases. If a link break occurs, the rate of the link decreases. High negative numbers are assigned to the nodes suspected misbehaving. Paths are rated averaging the link ratings along the path. When the source node has multiple options to a destination, it selects the path with the highest path rate. Paths that contain misbehaving nodes are avoided. When there is no misbehaving link free path to the destination, the source node initiates a ‘route request’ process.

SAODV To secure the integrity of hop count, a hash chain is formed by applying one way hash function H to a randomly selected seed value s. Before transmitting a route request (RREQ) or route reply (RREP) message the source sets hash value h to seed s. The maximum hop count is assigned the time to live value ttl, and then top hash value T is computed by applying hash function ttl times to seed s. h=s T=Httl(s) When a node i receives a message after i hops from the source node, it first checks if the following condition holds: T = Httl-i(h)

SAODV Since every intermediate node applies hash function H once to the hash value h in the message before relaying it, when H is applied ttl-i times to the current h, it should give top hash value T. Otherwise it indicates either the hash value h or hop count i is not correct. After this check, node i applies H to h and forwards it. h=H(h) To protect the integrity of the other fields in the message the source node signs every thing but the hop count and hash value h fields, which are modified by every intermediate node.

SLSP A node V broadcasts its link state data by using an LSU packet.
V → broadcast:{TYPE, R, Zone_R, LSU_Seq, LSU_signature, Hops_Traversed, LS_Data} where Type is the packet type, R is the number of hops from the node to the zone boundary, Zone_R=HR(X), Hops_Traversed=H(X), X is a random number, H is the hash function that every node knows, LSU_Seq is the sequence number of the LSU packet,

Hop_Traversed=H(Hop_Traversed)
SLSP Receiving nodes first validate the signature. If the LSU packet is valid, they can derive the link state information in the packet. Then they hash Hops_Traversed value in the LSU packet. Hop_Traversed=H(Hop_Traversed) If the new Hop_Traversed value is equal to Zone_R value after hashing, it indicates that the packet is reached to the boundary of zone, and should not be forwarded further.

Specific Challenges

Security Protocols for Sensor Networks
- Sensor Network Encryption Protocol (SNEP) Data confidentiality Authentication Integrity Freshness - µTESLA Authenticated Broadcast (Perrig A, Szewczyk R, Wen V, Culler D, Tygar J D, ‘SPINS: Security Protocols for Sensor Networks,’ MOBICOM, 2001.)

Sensor Network Encryption Protocol SNEP
In SNEP, A sends the following message to B to transmit a data fragment D: A→B: є, м where є is the encrypted data fragment, i.e., є ={D}< Κencr, c> м is the MAC, i.e., м =MAC( Κmac , с│є ) с is the counter value.

Sensor Network Encryption Protocol SNEP
For strong freshness Node A generates a nonce ηA randomly and sends it along with a request message ρA. A→B: ηA, ρA - Node B returns the nonce ηA with a response message ρB after a MAC computation. B→A: {ρB}< Κencr, c>, MAC(Κmac , ηA │c│{ρB}< Κencr, c>)

µTESLA Ki = F(Ki +1) time t1 t2 t3 t4 t5 tn P1 P2 P3 P4 P5 P6 Pk K1 K2
Kn K0

Quarantine Region Scheme
anti-node sensor node quarantine region quarantined sensor node sensor range Quarantine region is the region in the coverage area of an anti-node. (Coskun, V, Cayirci, E., Levi, A., Sancak, S., “Quarantine Region Scheme to Prevent Spam Attacks in Wireless Sensor Networks,” IEEE Transactions on Mobile Computing, Volume 5, No. 8, pp , August 2006.)

Authentication in a Quarantine Region
b c d e f j g h i k l m n o collector p d receives authenticated from b, and sends authenticated to j, o receives authenticated from l, and sends unauthenticated to p. o receives unauthenticated from n, and sends unauthenticated to p. Detecting an attack, and declaring a quarantine period, Finding quarantined nodes, Authentication in quarantine region, Cancelling a quarantine period.

Quarantine Region

Secure Charging and Rewarding
B infrastructure u f AReq AConf BReq BRep BSA BSB BConf (Salem N B, Buttyan N, Hubaux J, Jakobsson M, ‘A Charging and Rewarding Scheme for Packet Forwarding in Multi-hop Cellular Networks,’ MobiHoc, 2003.)

Secure Charging and Rewarding
Authenticate the initiating node A, and charge A before its packets are delivered to prevent refusal to pay attacks. Authenticate the forwarding nodes to ensure that only the selected nodes can forward and nodes that do not forward cannot claim that they do. Reward upstream nodes when the packets from A reach BSA. Reward downstream nodes when B acknowledges. - Charge B when the packets from A are forwarded to B by BSB. Reimburse this charge when B acknowledges.

Secure Charging and Rewarding (Session Establishment -1)
Source sends a request to BSA: A→BSA: AReq0 AReq0 = AReqID│oldASID│ARoute│TrafficInfo, MAC(KA, AReqID│oldASID│ARoute│TrafficInfo) Intermediate upstream nodes forwards AReqi = AReqID│oldASID│ARoute│TrafficInfo, MAC(Ki, AReqi-1) BSB forwards the request to destination: BSB→B: BReq0 BReq0 = BReqID│oldBSID│BRoute│TrafficInfo Intermediate downstream nodes forwards BReqj = BReqID│oldBSID│BRoute│TrafficInfo, MAC(Ki, BReqj-1)

Secure Charging and Rewarding (Session Establishment -2)
Destination accepts BReqj = BReqID, MAC(KB, BReqB-1) Base stations confirms source and destinations AConf = AReqID│ASID│AMACA│AMAC1│…….│AMACa AMACi = MAC(Ki, AReqID│ASID│oldASID│ARoute│TrafficInfo) BConf = BReqID│BSID│BMACA│BMAC1│…….│BMACa BMACj = MAC(Kj, BReqID│BSID│oldBSID│BRoute│TrafficInfo)

Secure Charging and Rewarding (Packet Delivery)
Source prepares the packet SPkt0,η = SSID│ Body0,η Body0,η = η│Payloadη │MAC(KS, SSID│η │Payloadη) η is the sequence number Intermediate nodes forward the packet SPkti,η = SSID│ Bodyi,η Bodyi,η = PADi,η  Bodyi-1,η Acknowledging delivery DAck = DSID│Batch│LastPkt│LostPkts, MAC(KD, DSID│Batch│LastPkt│LostPkts)

Secure Node Localization
Techniques against masquerading, replaying and node tampering Secure routing techniques Multimodal localization schemes, e.g., received signal strength indicator and time difference of arrival Assessing the reliability of beacon nodes Consistency checks by statistical methods - Attack resistant node localization schemes

Malicious Beacon Node Detection - 1
- The detecting beacon, requests a beacon signal, i.e., Breq, from another beacon node na, the target beacon node. Detecting beacon acts as it is not a beacon node. n→na: Breq - Target beacon sends the beacon signal, i.e., Bbeacon, which includes the location (xa, ya) of the target beacon na. na →n: Bbeacon

Malicious Beacon Node Detection - 2
- Detecting beacon estimates the distance da to the location (xa, ya) of the target beacon based on the RSSI calculation. The detecting node knows its location, it can calculate the distance between itself and the target node location sent in Bbeacon. If the difference between the estimated distance da, and the calculated distance d is higher than the threshold τ, this may indicate that the target node is malicious.

Attack Resistant Location Estimation
Inconsistency among the location data can be detected by inspecting the mean square error of estimation (MMSE) given by where ε is the mean square error, (xi, yi) is the location of beacon node i, (x, y) is the estimated location, di is the distance to beacon node i, m is the number of beacon nodes used in the location estimation.

Voting Scheme for Location Estimation
3 a b c m 2

Secure Time Synchronization
- Step 1: Node A sends Node B a synchronization message at t1, and the message is received by Node B at t2. A(t1)→(t2)B: A, B, NA, synch - Step 2: Node B replies Node A at t3, and the reply message is received by Node A at t4. B(t3)→(t4)A: B, A, NA, t2, t3, ack, MAC(KAB, B│A│NA│t2│t3│ack) Step 3: Node A calculates RTT. If RTT is smaller than the maximum RTT threshold, the synchronization is accomplished. Otherwise it is aborted. If (t4-t1)-(t3- t1) < θ, proceed. (Ganeriwal S, Capcun S, Han C, Srivastava M B, ‘Secure Time Synchronization Service for Sensor Networks,‘ WiSE, 2005.)

Secure Event & Event Boundary Detection
1. Faulty Node Detection di = xi – medi N(Si)  N*(Si) N*(Si)  (N(S1) N(Si) N(Sn)) N*(Si)={S1, …, Si, …, Sn} N(S1) N(Si) N(Sn) S1 Si Sn N*(Si) (Ding M, Chen D, Xing K, and Cheng X, ‘Localized Fault Tolerant Event Boundary Detection in Sensor Networks’, INFOCOM, 2005.)

Secure Event & Event Boundary Detection
2. Boundary Node Detection 1. Construct the set of faulty nodes Ω1. 2. For each sensor Si not in Ω1, - Partition the N(Si) into sectors. - Calculate the difference dij for each sector. - Assign the largest dij as the new di for Si. - Recalculate the mean μ, standard deviation σ, and yi for N*(Si)-Ω1 and the new di. - If |yi|≥θ2 after recalculation, Si goes into the set of boundary nodes denoted by Ω2. Sector A Si N(Si) Event Region E Out of Event Region E Sector B Sector C

Wireless Security Standards

X.800 and IETF RFC2828 X.800 IETF RFC2828 ITU-T recommendation
Security architecture for OSI Define general security-related architectural elements Establishes guidelines and constraints to improve existing recommendations and/or to develop new recommendations IETF RFC2828 Internet Security Glossary Provides abbreviations, explanations, and recommendations for information system security

Security threats and attacks
Accidental vs. intentional threats Passive vs. active threats Attacks Insider vs. outsider attacks Active vs. passive attacks

Security services Authentication service Access control
Data origin authentication Peer entity authentication Access control Data confidentiality Connection confidentiality Connectionless confidentiality Selective field confidentiality Traffic flow confidentiality

Security services Data integrity Non-repudiation
Connection integrity with recovery Connection integrity without recovery Selective field connection integrity Connectionless integrity Selective field connectionless integrity Non-repudiation Non-repudiation with proof of origin Non-repudiation with proof of delivery

Security mechanisms Specific security mechanisms and pervasive security mechanism Specific security mechanisms Encipherment Digital signature Access control Data integrity Authentication exchange Traffic padding mechanism Routing control Notarization mechanism

Security mechanisms Pervasive security mechanisms
Trusted functionality Security labels Event detection Security audit trail Security recovery

Relationships between security services and mechanisms
signature control integrity exchange padding Data origin authentication Y - Peer entity authentication Access control Connection Confidentiality Connectionless Confidentiality Selective Field confidentiality Traffic Flow Confidentiality

Relationships between security services and mechanisms
Connection Integrity with Recovery Y - -l Connection Integrity without Recovery Selective Field Connection Integrity Connectionless Integrity Selective Field Connectionless Integrity Non-repudiation with proof of origin Non-repudiation with proof of delivery Notes: Y: the mechanism is considered to be appropriate, either on its own or in combination with other mechanisms - : the mechanism is considered not to be appropriate

Placements of security services and mechanisms
Layers 1 2 3 4 5 6 7* Data origin authentication - Y Peer entity authentication Access control Connection Confidentiality Connectionless Confidentiality Selective Field confidentiality Traffic Flow Confidentiality

Placements of security services and mechanisms
Connection Integrity with Recovery - Y Connection Integrity without Recovery Selective Field Connection Integrity Connectionless Integrity Selective Field Connectionless Integrity Non-repudiation with proof of origin Non-repudiation with proof of delivery Y: Service is provided within the layer mentioned. - : Service is not provided within the layer mentioned * It should be noted, with respect to layer 7, that the application process may, itself, provide security services

Wired equivalent privacy (WEP)
WEP-based WLAN configuration

WEP encryption principle

WEP decryption principle

WEP weakness Passive attacks to decrypt traffic
Active attacks to inject traffic Active attack from both ends Table-based attack Monitoring

Wi-Fi protected access (WPA)
WPA enterprise mode

WPA personal mode

Authentication Encryption Using a longer IV (48 bits) Increasing the key size from 40 to 128 bits Renewing encryption key every 10,000 packets Using per packet key mixing of the IV Message integrity

WEP and WPA comparison WEP WPA Encryption
Flawed, cracked by scientists and hackers Fixes all WEP flaws 40-bit keys 128-bit keys Static key – Same key used by everyone on the network Dynamic session keys, i.e., per user, per session, per packet keys Manual distribution of keys – Hand typed into each device Automatic distribution of keys Authentication Flawed, used WEP key itself for authentication Strong user authentication, utilizing 802.1X and EAP

WPA2 Based on the Robust Security Network (RSN) mechanism
Support for all mechanisms available in WPA Encryption mechanism different with WPA Using Advance Encryption Standard (AES) with CCMP

Conclusion

Conclusion Introduction Physical Protection Wireless Medium MAC Layer
Routing Protocols Transport Layer Node Localization and Time Synchronization

Security in Wireless Ad Hoc and Sensor Networks

Similar presentations

Presentation on theme: "Security in Wireless Ad Hoc and Sensor Networks"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Security in Wireless Ad Hoc and Sensor Networks

Similar presentations

Presentation on theme: "Security in Wireless Ad Hoc and Sensor Networks"— Presentation transcript:

Similar presentations

About project

Feedback