Detection, Diagnosis, and Isolation of Control and Data Attacks in Sensor Networks

Issa Khalil, Saurabh Bagchi, Cristina Nita-Rotaru, Ness B. Shroff

ppt. by Sanjiban Kundu, Tamal Biswas, Junfei Wang

Vulnerability of Sensor Networks
  • Open nature of wireless communication
  • Lack of infrastructure
  • Fast deployment practices
  • Hostile deployment environment
Attacks in Sensor Networks
  • Control Attack
  • Data Traffic Attack
Attacks targeting Data traffic
  • Black hole
  • Selective Forwarding
  • Artificial delaying of packets
Opportunity for improvement
  • Few protocols discuss methods for removing malicious nodes
  • Few provide quantitative analysis of detection coverage
  • The authors extended their earlier work on local monitoring and detection to address control and data attacks in a unified framework
DICAS - Description
  • Proposed to provide detection and isolation of control and data attacks
  • Provides two primitives:
    • Neighbor discovery
    • One-hop source authentication
  • Used as building blocks for two main modules
    • Local monitoring
    • Local response
Attacker Model
  • Attacker can control an external node (no knowledge of cryptographic keys) or an internal node
  • Insider node may be created by compromising a node
  • Malicious node can perform all attacks by itself or by colluding with other nodes
  • Malicious node can establish out-of-band fast channels or have high powered transmission capability
System Assumptions
  • Communication links are bi-directional
  • A finite time is required, from a node’s deployment, for it to be compromised and for it to perform the neighbor discovery protocol
  • Network has sufficient redundancy, so any node has some good guards
  • Static topology
  • Key management protocol
Neighbor discovery protocol
  • Used to build data structure of first hop neighbors of each node and neighbors of each neighbor
  • Used in local monitoring to detect malicious nodes and in local response to isolate these nodes
  • Each node also has a commitment key of each one of its direct neighbors
  • The process is performed only once in the lifetime of a node and is secure in static wireless networks under the stated assumptions
Commitment key generation and update
  • Protocol used to generate and update commitment key used by one hop source authentication protocol
  • Values derived from a random seed
  • Subsequent values of commitment key disclosed to neighbors during subsequent transmissions
One hop source authentication
  • Allows node to distinguish between its neighbors to prevent identity spoofing
  • Uses commitment key to authenticate transmitted packets to neighbors
  • May fail if an attacker blocks the transmission range of a certain source from the rest of the network
  • μTESLA authentication is used as a countermeasure against such attacks
[Figure: Local Monitoring Module and Local Response Module]
Local monitoring: Detection & Diagnosis
  • Each packet forwarder
    • must explicitly announce the immediate source of the packet it is forwarding
    • M must be a neighbor of both A and the previous hop from A, say X
Local Response and Isolation
  • Detection and diagnosis is only the first step towards protecting the network.
  • The local response and isolation module is used to propagate the detection knowledge to the neighbors of the malicious node and to take appropriate response to isolate it from the network
Steps in Local Response and Isolation
  • When MalC(X,A) crosses a threshold, C_t, X revokes A from its neighbor list and sends to each neighbor of A, say D, an authenticated alert message indicating that A is a suspected malicious node.
    • The alert is authenticated using the shared key between X and D to prevent false accusations.
  • D verifies the alert's authenticity and that
    • X is a guard to A,
    • A is D’s neighbor.
  • D stores ID_X in an alert buffer associated with A.
  • When D receives enough alerts about A, it isolates A by marking A’s status as revoked in the neighbor list.
  • After isolation, D does not accept any packet from or forward any packet to a revoked node.
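
The receiver side of these steps, as an added example that is not code from the slides or the DICAS authors. The class and function names, the HMAC-SHA256 alert format, the value of `ALERTS_TO_ISOLATE`, and the simplified guard check (X appears in A's neighbor list) are assumptions made for illustration.

```python
import hashlib
import hmac

ALERTS_TO_ISOLATE = 2  # assumed value for "enough alerts"; the slides give no number

def alert_tag(key: bytes, accuser: str, suspect: str) -> bytes:
    """MAC over the alert, keyed with the key shared by accuser and receiver."""
    return hmac.new(key, f"ALERT|{accuser}|{suspect}".encode(), hashlib.sha256).digest()

class Node:
    def __init__(self, node_id, neighbors_of, keys):
        self.id = node_id
        self.neighbors_of = neighbors_of  # two-hop view built by neighbor discovery
        self.status = {n: "active" for n in neighbors_of[node_id]}
        self.keys = keys                  # peer id -> shared key
        self.alert_buffer = {}            # suspect -> set of accuser IDs

    def on_alert(self, accuser, suspect, tag):
        key = self.keys.get(accuser)
        if key is None or not hmac.compare_digest(tag, alert_tag(key, accuser, suspect)):
            return "rejected: not authentic"
        if suspect not in self.status:
            return "rejected: suspect is not my neighbor"
        # Simplification: "X is a guard to A" is checked as "X is in A's neighbor list".
        if accuser not in self.neighbors_of.get(suspect, set()):
            return "rejected: accuser cannot guard suspect"
        accusers = self.alert_buffer.setdefault(suspect, set())
        accusers.add(accuser)             # a set, so one guard cannot vote twice
        if len(accusers) >= ALERTS_TO_ISOLATE:
            self.status[suspect] = "revoked"
            return "isolated"
        return "buffered"

    def accepts(self, peer):
        """After isolation, nothing is accepted from or forwarded to a revoked node."""
        return self.status.get(peer) == "active"

def demo():
    keys = {"X1": b"k-x1-d", "X2": b"k-x2-d", "Z": b"k-z-d"}  # constructed keys
    topo = {"D": {"A", "B"}, "A": {"D", "X1", "X2"}, "B": {"D"}}  # constructed topology
    d = Node("D", topo, keys)
    return [
        d.on_alert("X1", "A", b"\x00" * 32),                      # forged tag
        d.on_alert("Z", "A", alert_tag(keys["Z"], "Z", "A")),     # Z is not near A
        d.on_alert("X1", "A", alert_tag(keys["X1"], "X1", "A")),
        d.on_alert("X1", "A", alert_tag(keys["X1"], "X1", "A")),  # repeat, no extra vote
        d.on_alert("X2", "A", alert_tag(keys["X2"], "X2", "A")),
        d.accepts("A"), d.accepts("B"),
    ]
```

Requiring alerts from distinct, topologically plausible accusers is what keeps a single compromised node from revoking an honest neighbor on its own.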
LSR: Lightweight Secure Routing
  • LSR is an on-demand routing protocol that shares many similarities with AODV
  • LSR is resilient to a large class of control attacks such as wormhole, Sybil, and rushing attacks, as well as authentication and ID spoofing attacks.
  • Combined with DICAS, LSR can deterministically detect and isolate nodes involved in launching these attacks.
Feature of LSR
  • Node-disjoint routes
    • have completely disjoint routes where there are no nodes or links in common
Attacks and Countermeasures
  • We will talk about 3 attacks and their countermeasures
    • ID Spoofing and Sybil Attacks
    • Wormhole Attack
    • Selective Forwarding
ID Spoofing and Sybil Attacks
  • A node will not accept (forward) traffic from (to) a non-neighbor node.
  • The one-hop source authenticated broadcasting prevents a node from generating traffic using spoofed identity of a neighbor node
    • Reason: each node must authenticate its generated traffic to the neighbors.
  • Local monitoring detects a forwarding node when it spoofs a neighbor’s identity.
Wormhole Attack
  • Local monitoring detects the nodes involved in tunneling the route control packets
  • Local response prevents the tunnel from being established in the future by isolating the malicious nodes
Selective Forwarding
  • Information about the incoming data packet is stored in the watch buffer of the guard node.
  • If the incoming packet stays in the watch buffer unmatched beyond a threshold period of time, the guard node increments the MalC value for the node being monitored.
  • In a selective forwarding attack, a packet dropped by the adversary node remains unmatched in the guard node’s watch buffer.
  • The guard node monitors a fraction of the data traffic, with the packet to be monitored being chosen randomly.
  • The adversary node will thus be detected when the MalC value crosses the threshold.
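
The watch-buffer bookkeeping described above, as an added example that is not code from the slides or the DICAS authors. The `Guard` class, its parameter names, and the constructed traffic trace in `simulate` are assumptions for illustration; the same logic also covers the black hole case, where every packet is dropped.

```python
import random

class Guard:
    """Guard-side state for monitoring data packets handed to neighbors."""
    def __init__(self, timeout, threshold, fraction=1.0, seed=0):
        self.timeout = timeout      # how long a packet may sit unmatched
        self.threshold = threshold  # MalC threshold
        self.fraction = fraction    # share of data packets that is monitored
        self.rng = random.Random(seed)
        self.watch = {}             # (monitored node, packet id) -> deadline
        self.malc = {}              # monitored node -> MalC

    def overhear_incoming(self, now, node, pkt_id):
        # Packets to monitor are chosen at random.
        if self.rng.random() < self.fraction:
            self.watch[(node, pkt_id)] = now + self.timeout

    def overhear_forward(self, node, pkt_id):
        self.watch.pop((node, pkt_id), None)  # matched: the node forwarded it

    def tick(self, now):
        """Expire unmatched entries; return nodes whose MalC just hit the threshold."""
        flagged = []
        for key in [k for k, deadline in self.watch.items() if deadline < now]:
            del self.watch[key]
            node = key[0]
            self.malc[node] = self.malc.get(node, 0) + 1
            if self.malc[node] == self.threshold:
                flagged.append(node)
        return flagged

def simulate(guard, n_packets, drop_every):
    """Constructed trace: packet t reaches node A at time t and A forwards it at
    t+1, unless it is every drop_every-th packet (0 = never drop).
    Returns the time at which A is flagged, or None."""
    for t in range(n_packets + guard.timeout + 2):
        if t < n_packets:
            guard.overhear_incoming(t, "A", t)
        prev = t - 1
        dropped = drop_every and prev % drop_every == drop_every - 1
        if 0 <= prev < n_packets and not dropped:
            guard.overhear_forward("A", prev)
        if "A" in guard.tick(t):
            return t
    return None
```

Lowering `fraction` reduces the guard's buffer and listening cost but delays detection, since only sampled drops raise MalC.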
Performance Analysis
  • Probability of Wormhole detection
Performance Analysis
  • Probability of False Alarm
Performance Analysis
  • Isolation latency and Watch buffer size
  • We have presented a distributed protocol, called DICAS, for detection, diagnosis, and isolation of nodes launching control attacks such as wormhole, Sybil, rushing, sinkhole, and replay attacks.
  • DICAS uses local monitoring to detect control and data traffic misbehavior, and local response to diagnose and isolate the suspect nodes.
  • We presented the probability of false alarm and missed detection