1 / 60

Security and Safety Analysis of WSN Based on Finite Model Checking

Security and Safety Analysis of WSN Based on Finite Model Checking. Vladimir A. Oleshchuk University of Agder Norway. Vladimir I. Zadorozhny University of Pittsburgh USA. Outline. WSN basics Motivation Simulation and Model-checking for security analysis

kyrie
Download Presentation

Security and Safety Analysis of WSN Based on Finite Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security and Safety Analysis of WSNBased on Finite Model Checking Vladimir A. Oleshchuk University of Agder Norway Vladimir I. Zadorozhny University of Pittsburgh USA UkrProg 2008 Kiev

  2. Outline • WSN basics • Motivation • Simulation and Model-checking for securityanalysis • Trust-Aware Query Processing in Data Intensive Sensor Networks • Experimental results • Conclusions UkrProg 2008 Kiev

  3. WSN Basics UkrProg 2008 Kiev

  4. Real world Computer world real world computer world UkrProg 2008 Kiev

  5. From sensors to sensor nodes Sensor Autonomous Computer Sensor node UkrProg 2008 Kiev

  6. From sensor nodes to sensor networks (Collaboration, Event-driven processing, …) =Distributed Applications UkrProg 2008 Kiev

  7. Basic WSN Taxonomy • Topology: • Random sensor network (not a-priori topology) • Structured sensor network (a-priori topology) • Special-purpose WSNs(e.g., Structural Health Monitoring) • Mesh Networks (e.g., MeshScape 4.0 Millennial Net system) • Mobility: • Stationary sensor nodes • Mobile sensor nodes UkrProg 2008 Kiev

  8. Typical WSN applications • Support distributed interaction with the physical environment through measuring and aggregating data. • Example: monitoring and information tracking for managing critical assets: • Structural Health Monitoring (SHM) for monitoring integrity of civil and military structures • Monitoring of the vital signs parameters of patients • Military (battlefield) applications • …. UkrProg 2008 Kiev

  9. CoBIS Scenario: Support for safety-critical processes such as alerting against inappropriate materials being stored together or outside of approved storage facilities UkrProg 2008 Kiev

  10. VITUS • VITUS (Video Image analysis for TUnnel Safety) • The main aim of this project is to build and implement a prototype for an automatic video image analysis system in order to increase safety in tunnel road. UkrProg 2008 Kiev

  11. CenSCIR (and Sustainable Bridges) UkrProg 2008 Kiev

  12. WINES II • Use of Wireless Sensor Networks for Ageing Engineering Infrastructures (water supply, tunnels, bridges, etc.) UkrProg 2008 Kiev

  13. WSN Applications • Generally speaking, WSNs can be used in applications where sensors are unobtrusively embedded into systems, consequently involving operations like: • monitoring • tracking • detecting • collecting • reporting UkrProg 2008 Kiev

  14. Security concerns The reasons why security becomes an essential issue in WSN are: • sensitive nature of many of those applications (specially Critical Infrastructure Protection) • untrusted environment where the sensors are deployed share the drawbacks of any wireless network: natural physical insecurity of wired communications is present. UkrProg 2008 Kiev

  15. Security concerns It is difficult to protect WSN because every node becomes a potential point of logical and physical abuse • Logical: • monitor transmissions, • intercept and modify data, and • impersonate nodes injecting false information to others. • Physical: • gain access to one or more of them and reprogram their operation • introduce his own fake nodes. UkrProg 2008 Kiev

  16. Security Requirements • Data Confidentiality • Authentication • Data Integrity • Data Freshness • Non-repudiation • Availability • Time Synchronization • Secure Localization • Self-Organization • Forward secrecy • Backward secrecy UkrProg 2008 Kiev

  17. Compare … RAM: GBs Disk: 100s of GBs Running at: GHzs WSN products μAMPS-1 (MIT) MICA-2 and MICA2Dot (UC Berkeley, Crossbow) Medusa MK-2 (UCLA) RAM: 4-128 KB Flash: 32KB - 1 MB Running at: 4 – 40 MHz UkrProg 2008 Kiev

  18. Compare … • IEEE 802.11: wireless local area networks • 802.11b: 11 Mbps, operate at 2.4 GHz • 802.11g: 54 Mbps, operate at 2.4 GHz • 802.11a: 54 Mbps, operates at 5 GHz • Typical transmit power: 250 mW. Wireless Network Standards • IEEE 802.15: wireless personal area networks • Suitable for low power and low data rate sensor networks • 802.15.4: data rates: 20, 40 or 250 kbps in the 868, • 915 or 2400 MHz bands respectively. • Typical transmit power: 1 – 2 mW. UkrProg 2008 Kiev

  19. Challenges • It is questionable if primitive traditionally used in other networking scenarios are suitable for sensor networks • because small amount of RAM memory. • and very modest computational power. • Cryptographic operations must be designed to minimize the use of memory. • Also, design of secure protocols should consider that • Each bit transmitted consumes as much power as executing hundreds of instructions. UkrProg 2008 Kiev

  20. Example: Routing • Maximum transmission distance of current generation of sensor nodes ranges between 100 and 300 m. • Thus, messages cannot be transmitted directly between any two nodes • routing infrastructures needed • Algorithms should work • Even when nodes start to fail due to energy issues • With any network size and node density • Providing a certain quality of service • Minimizing the memory usage, speed and energy consumption • And Security must be considered!!! UkrProg 2008 Kiev

  21. Collision! Collision! n7 n5 n6 n4 n3 n1 n2 Collisions and Collision Domains UkrProg 2008 Kiev

  22. n2 n5 n4 n6 n3 n1 n7 Collision Aware Data Delivery UkrProg 2008 Kiev

  23. Secure Routing • Challenge: (almost) no protocols with security in mind from scratch! • It is essential to make the routing algorithm robust against attacks: • Malicious nodes and denial of service still possible • Some work that focus on protection of existing routing protocols • Others focus on designing new protection techniques UkrProg 2008 Kiev

  24. Securityissuesin WSN • Sensor nodes are devices with limited computational and energy resources • Wireless (open) transmission of critical information with limited communication channels (distance and broadband) • Sensors can be either inaccessible, or easily accessible and unprotected. • WSN can be large and potentially dynamic UkrProg 2008 Kiev

  25. Problem of assuring WSN security • Users expect that certain level of WSN security will be guaranteed despite of limited resources (energy) allocated to each node. • Use of simulation tools may help to produce quantitative security assessment on particular execution sequences. • These predictions depend on the number performed simulation runs, and on the criteria used to select these runs • Seldom, but critical worst-case executions scenarios may be ignored during the simulation campaign UkrProg 2008 Kiev

  26. Two approaches: Simulation and Model Checking • The objective of using Simulation is to study “average” case behavior of WSN • The objective of using Model Checking (MC) is to provide an approach to discover worst case scenario to improve security, safety, reliability of sensor network based applications. UkrProg 2008 Kiev 26

  27. High-level MC scenario for WSN analysis • Step 1: Define a model M of the a behavioral description of the whole WSN that represents all possible execution sequences • Step 2: Use MC to find the worst-case execution sequences UkrProg 2008 Kiev

  28. Example: Using MC to find the minimal lifetime of WSN • Identify the set of “final states” in the model M representing the state of the network when it is considered as “dead” • Find the shortest execution sequences (from the time duration point of view) leading to such final states • Such execution paths represent a worst-case execution scenario and give the minimal lifetime of the network UkrProg 2008 Kiev

  29. Trust-Aware Query Processing in Data Intensive Sensor Networks UkrProg 2008 Kiev

  30. Outline • Trust‐based routing: motivation • System model • Subjective logic • Trust‐based routing : an example • Experimental results UkrProg 2008 Kiev

  31. Trust‐based routing: motivation • Current focus of research mostly on time/energy efficiency. • Reliability and trustworthiness of gathered data may be critical. • Usage of cryptographic protection is limited UkrProg 2008 Kiev

  32. Trust-based routing: idea • The required level of trustworthiness can be achieved by routing data via trusted sensors, even though such trusted routes are longer and may be more time/energy consuming. • Trustworthiness of each sensor or groups of sensors may be determined from their context (e.g., properties of deployment area, sensor design, etc.). UkrProg 2008 Kiev

  33. System model (1) • Two types of nodes: sensors and base stations. • Every sensor can be associated with one or several base stations. • Each sensor and each base station have an assigned opinion about the trustworthiness of the sensors it queries. • Each base station knows opinions about sensors it controls and opinions about trustworthiness of recommendations of sensors and other base st. UkrProg 2008 Kiev

  34. System model (2) • A level of trust to each sensor based on its location, design, software configuration ,etc. • A sensor query originates at a base station propagating it to all sensor nodes in the network and collecting the results back from the sensors. • A query optimizer runs at a base station and generates a set of alternative query routing trees. • The optimizer selects a query tree that delivers results satisfying trustworthiness requirements (in addition to other requirements, such as finding maximizing concurrent transmissions). UkrProg 2008 Kiev

  35. Subjective logic • Opinionω expresses an opinion about level of trustworthiness. • Let t, d and u be such that • where • Then a triple I called an opinion, where components and correspond to trust, distrust and uncertaintyrespectively. • The level of trustworthiness is defined based on several opinions. • Distrust could be expressed as opinion ω={0.0,0.9,0.1} • Maximum trust could be expressed as opinion ω={0.96,0.0,0.04} . UkrProg 2008 Kiev

  36. Subjective logic operators • The subjective logic defines a set of logical operators for combining opinions such as conjunction, recommendation, and consensus. • An opinion of entity A about logical statement p being true is • For example, if A is a sensor node and statementp corresponds to the statement that “data received from A represents temperature in room XXX” UkrProg 2008 Kiev

  37. Conjunctionof opinions UkrProg 2008 Kiev

  38. Recommendation operator . (1) • A has none direct opinion about p, and will try to deduce some indirect opinion about trustworthiness of p based on the given recommendation. • An opinion of entity A about trustworthiness of a recommendation given by B denoted as: • when B gives a recommendation to A about trustworthiness of a statement p in form of its opinion. UkrProg 2008 Kiev

  39. Recommendation operator (2) UkrProg 2008 Kiev

  40. Consensus operator ⊕ • When there are several independent opinions about the same statement p, we can use consensus operator to get combined opinion about the same statement. UkrProg 2008 Kiev

  41. Sensor network with base station and aggregation sensor node UkrProg 2008 Kiev

  42. Optimized routing query tree without consideration of trustworthiness requirements with consideration of trustworthiness requirements UkrProg 2008 Kiev

  43. Analyzing trust properties • denote trustworthiness level of result received by B on query q. • In English: Trustworthiness level of any query issued by node B will never be lower than N • In LTL: UkrProg 2008 Kiev

  44. Expressing it in LTL • WSN is secure in the sense that any measurement can be delivered at least on trust level N. • Any message can be eventually delivered to base station B without degradation of its trustworthiness UkrProg 2008 Kiev

  45. Questions in progress: • What is trade-off between energy and trust efficiency, latency and trust, etc. ? • What is the minimal lifetime in trust-aware WSN? • What is relation between required trust level and lifetime? • We should be able to validate that WSN conform given security policy. UkrProg 2008 Kiev

  46. Trust-Aware Query Processing in Data Intensive Sensor Networks: Some Experimental Results

  47. Experiments • Small-scale topology (10 nodes) • Experimental Set up • Results • Large-scale topology (73 nodes) • Experimental Set up • Results UkrProg 2008 Kiev

  48. Small-scale: Experiments Set up • 10 nodes wireless sensor network • Data-intensive • Multi-hop delivery • Each node transmits: at least 128 Kb • Each node has an opinion: <t,d,u> • ‘t’ ranges between 0.97-0.99 (high trust!) • d and u; randomly assigned values such that t+d+u = 1 UkrProg 2008 Kiev

  49. Small-scale: Routes Data delivery evaluated on following 5 different routes UkrProg 2008 Kiev

  50. Time and Energy Cost for Various Routes • Route 1,2 and 5 have comparable latency • Route 3 has minimum latency • Route 4 has maximum latency and energy cost • Route 1 has minimum energy cost • A Time-Energy Optimizer would pick Route 1 or Route 3 as a (near) optimal route UkrProg 2008 Kiev

More Related