Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks - PowerPoint PPT Presentation

Jimmy
detecting malicious beacon nodes for secure location discovery in wireless sensor networks l.
Skip this Video
Loading SlideShow in 5 Seconds..
Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks PowerPoint Presentation
Download Presentation
Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks

play fullscreen
1 / 21
Download Presentation
Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks
231 Views
Download Presentation

Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Detecting Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks Donggang Liu, Peng Ning – North Carolina State University Wenliang Du – Syracuse University Proc. ICDCS 2005 Presented by: Jacob Lynch

  2. Overview • Introduction • Related work • Detecting malicious beacon signals • Filtering replayed beacon signals • Revoking nodes • Performance • Conclusion

  3. Introduction • Technological advancements enable large scale sensor networks to be deployed • Many applications require sensors to know their locations • Environment monitoring, target tracking, etc. • Impractical to have GPS receiver on every node • Malicious nodes ignored so far

  4. Related work • Two stage location discovery algorithm • Stage 1: non-beacon nodes receive radio signals known as beacon signals from beacon nodes • Stage 2: after receiving enough beacon signals, sensors can calculate location • Received Signal Strength Indicator (RSSI), Time of Arrival (ToA), Time Difference of Arrival (TDoA), Angle of Arrival (AoA) • Cannot deal with compromised nodes

  5. Detecting malicious beacon signals (1) • Malicious nodes want to remain undetected • Give normal information to beacon nodes • Malicious nodes shouldn’t know which nodes are beacon nodes • Implement fake IDs • Each beacon node is given multiple IDs with the corresponding secure keys for communication to all other nodes

  6. Detecting malicious beacon signals (2) • Beacon node can request beacon signals when it detects them • Beacon node uses a fake ID that keeps the broadcaster from knowing it’s a beacon node • Paper assumes the nodes have no way to tell if an ID belongs to a beacon node or not • Beacon node then gets the beacon signal and can analyze it with GPS receiver

  7. Detecting malicious beacon signals (3) • Detecting node (using fake ID) requests beacon signal • Detecting node uses packet location information in beacon signal to compare estimated distance and calculated distance • If distance is larger than the possible error, then the node may be malicious

  8. Detecting malicious beacon signals (4)

  9. Filtering replayed beacon signals (1) • Malicious beacon signal may contain benign node ID, not sure if the signal has been replayed or not • Beacon signal may be relayed through a wormhole • Attacker sends packets from one part of a network to another part of the network using a low latency link • Techniques have been established to filter these

  10. Filtering replayed beacon signals (2) • Locally replayed beacon signals • Attacker replays a beacon signal received from a neighbor beacon node • Most wormhole detectors cannot detect this • Use round trip time (RTT) to filter out locally replayed beacon signals • Temporal leashes require time synchronization between nodes, while RTT does not

  11. Filtering replayed beacon signals (3) • Compare observed RTT to range of RTT derived from experiments on an actual sensor network • If RTT <= max RTT, not locally replayed • If RTT > max RTT, locally replayed beacon signal, ignore it

  12. Filtering replayed beacon signals (4) • Benign nodes only report other benign nodes when all of the following occur: • They are not neighbor nodes • The attacker creates a wormhole between them • The wormhole is not detected by detecting node • The delay is less than the detectable delay • Increase the number of IDs to increase detection rate • More malicious packets increases detection rate

  13. Filtering replayed beacon signals (4) • Overhead cost • Beacon signals unicast, location information only done once for each non-beacon node • Sensors nodes usually only communicate with a few other nodes in communication range • Most overhead comes from key establishment and cryptographic operations

  14. Revoking nodes (1) • Nodes generate alerts containing IDs of target and detecting node • All alerts sent to a base station • Base station accepts alert if • Number of alerts from that detecting node is under a certain threshold • Target node has not been revoked • Accepted reports increase report counter of detecting node and alert counter of target node

  15. Revoking nodes (2) • If alert counter exceeds a certain threshold, the target node is considered a malicious beacon node and is revoked from the network • Alerts may still be accepted from revoked nodes if the node’s report limit is under the threshold and the target node is not revoked • Prevent malicious beacon nodes from getting benign nodes revoked before they can send alerts

  16. Revoking nodes (3) • Overhead cost • Observations must be reported to base station • Limited monitoring done by a beacon node, few alerts will be sent • No computation or storage overhead for sensors • Base station has more resources

  17. Performance (1) Pr = detection rate P = probability that (1) a requesting non-beacon node receives a malicious beacon signal from a malicious beacon node, and (2) this malicious beacon signal is not removed by the replay detector m = number of IDs on a detecting beacon node

  18. Performance (2) Nc = number of requesting nodes P = probability that (1) a requesting non-beacon node receives a malicious beacon signal from a malicious beacon node, and (2) this malicious beacon signal is not removed by the replay detector

  19. Performance (3) • Simulations were run on the TinyOS simulator Nido • 1,000 sensor nodes randomly deployed, 100 beacon nodes • P = probability that (1) a requesting non-beacon node receives a malicious beacon signal from a malicious beacon node, and (2) this malicious beacon signal is not removed by the replay detector • N’ = average number of requesting non-beacon nodes accepting the malicious beacon signals

  20. Performance (4) • Na = number of compromised nodes • τ’ = benign node report threshold

  21. Conclusion • Authors came up with a practical solution to detect malicious beacon signals as well as replayed beacon signals • Overhead added for these techniques is minimal • False positive rate pretty good when few nodes are malicious