Research Project
High Integrity Sensor Nets
Technology > Systems: Network Autonomy > High Integrity Sensor Nets
On this page: Overview | Approaches | Systems/Experiments | Accomplishments | Future Directions | People
OVERVIEW
Networks of wirelessly interconnected embedded sensors and actuators promise an unprecedented ability to observe and manipulate our physical world. Indeed, recent years have seen much research on understanding the fundamental properties of such networks, and on developing algorithms and hardware-software building blocks for cheap and energy-efficient implementation. However, as with almost every disruptive technology that has impacted human society, the benefits of Embedded Networked Sensing are accompanied by a significant risk factors and potential for abuse. If wireless sensor networks are really going to be the eyes and ears of our society, as envisioned by many, then one needs to answer the following question: How can a user trust the information provided by the sensor network?
Building sensor networks poses challenges of secure routing, node authentication, data integrity, data confidentiality and access control that are faced in conventional wireless and wired networks as well. In the realm of sensor networks these problems are even more challenging due to the resource constraint nature and the scale of these networks. Only recently, researchers have started developing customized cryptographic solutions for sensor networks. However, current security mechanisms for sensor networks focus on external attacks. They fail to protect against internal attacks where a subset of sensor nodes are compromised. Due to lack of physical security and tamper resistance, adversaries can recover the embedded cryptographic material from these nodes and subsequently pose as authorized nodes in the network. A wide variety of sensor network applications such as forest fire monitoring, anti terrorism, bio/chemical agent monitoring etc. falls into the broad class of sense-response applications, where the system objective is to collaboratively detect the events and report the event detection back to the base station. The detection of an event is followed by some physical response such as sending special personnel, vehicles etc. to the location of the event. Compromised nodes can inject false data about non-existent events and authenticate them correctly to the user using their keys (false negative attacks), or stall the reporting of real events (false positive attacks). Thus, there is a need for developing a secure event reporting protocol.
Cryptographic keys form the backbone of any security protocol; the scale and ad-hoc deployment of nodes coupled with the ability of adversaries to easily recover the cryptographic materials make it a challenging problem to solve. In general the efficacy of any key establishment strategy needs to be gauged on the basis of both security metrics such as resiliency against node capture, node replication, access control measures and also on the complexity aspect such as scalability, storage etc. Existing key establishment techniques rely on a deterministic or probabilistic pre-distribution of keys in the network, trading off its performance on one metric with the other. We believe that a more apt approach in the realm of sensor networks is to derive them deterministically at runtime based on a single master key and unique physical attributes of the nodes.
Although cryptography and authentication helps, it alone is not sufficient for the unique characteristics and novel misbehaviors encountered in sensor networks. We believe that in general tools from different domains such as economics theory, statistics and data analysis will have to be combined with cryptography for the development of trustworthy sensor networks. Fundamental to this is the observation that sensor network applications are based on collective interaction between a large numbers of nodes, which do collaborative data gathering, collective data/information processing, and multi-hop data delivery. This decentralized in-network decision-making, which relies on the inherent trust among the sensor nodes, can be abused by internal adversaries to carry out security breaches while generating information. An adversary can potentially insert bogus data to mislead the whole network! Clearly, cryptographic mechanisms alone cannot be used to solve this problem as adversarial nodes can use valid cryptographic keys to authenticate bogus data. Besides malicious attacks, the two other system characteristics that hinder the development of high integrity sensor networks are system faults and sensing channel inconsistencies. Sensor nodes are currently made of cheap hardware components, highly vulnerable to system malfunctioning. Non-malicious behavior such as radios/sensors going bust can also result in the generation of bogus data, bringing equally detrimental effects to the functioning of the whole network. Another distinguishing trait of sensor networks is there strong coupling with the physical world. This gives rise to a unique opportunity for adversaries, whereby instead of abusing the network, they can insert bogus data into the network by abusing the physical world. The very nature of these attacks is completely outside the realm of cryptography.
APPROACHes
- Secure Event Reporting Protocol (SERP): SERP ensures the generation and delivery of valid event reports and minimizes the occurrence of false alarms even in the presence of internal attacks using compromised nodes. The architecture of SERP is based on two interacting mechanisms: ARG and PAKE. ARG provides the core mechanism for Authenticated Report Generation, and exploits redundancy and mutual oversight within the group of nodes triggered by an event. ARG relies on pairwise cryptographic keys, which form the backbone of the security infrastructure. PAKE provides scalable post-deployment derivation of the cryptographic keys needed by ARG, and is based on the idea of Physical Attributes based Key Establishment; in SERP we bound the cryptographic keys of a node to its geographical location and identity.
To provide fault tolerance, the end user reacts to the receipt of an event only if it is simultaneously observed by multiple nodes in the network. If each node sends a packet (report) to the base station in response, precious energy will be wasted. To prune this redundant traffic, sensor nodes collaboratively create one final report to be send to the base station that contains the testimony of every node that have detected the event. ARG incorporates explicit authentication mechanisms in the report generation and reporting process. Specifically, we introduce node-to-node authentication so that nodes collaborate only with good nodes in generating the final report and base station-to-node authentication so that user responds only on valid event detection. ARG requires two sets of keys at every node – pairwise-secret keys among neighboring nodes for node-to-node authentication and a unique secret key for base-station-to-node authentication.
A distinguishing trait of sensor networks is their strong coupling with the physical world. We exploit this link to propose a key establishment strategy where nodes derive their own keys, after getting deployed into the network, based on their unique physical attributes. In the context of sense-response applications, the two fundamental properties of an event notification are where and who detected the event. Therefore, we bind the cryptographic keys of a node to its physical location and identity. This allows the end-user to implicitly learn the event location and the subset of nodes that detected the event. Existing approaches for key establishment in the context of sensor networks can be broadly classified into – Deterministic pre-assignment and Random pre-distribution. Deterministic pre-assignment refers to the approach of programming nodes with unique secret cryptographic keys. Unlike the previous approach, random key distribution concentrates on probabilistically establishing pairwise keys between neighboring nodes in the network. The general approach is to pre-assign a random subset of keys from a key pool to every node; two nodes establish a pairwise-secret key based on the subset of the shared keys between them. PAKE fundamentally differs in two ways; there is no pre-distribution of keys (making it scalable) and the key establishment is implicit (no explicit hard coding or key/key-identifier exchange over the communication medium). Unlike the previous two approaches, it does not use any pseudo random generators to derive the cryptographic keys. Instead, the keys are inherently random as they are derived from physical processes (ad hoc deployment of nodes, random sensor data etc.). Unlike probabilistic establishment of keys, PAKE deterministically derives both pairwise and global keys for every node in the network. PAKE also provides resiliency against node capture and also prevents the external nodes to access the system. - Reputation based Framework for Sensor Networks (RFSN): The problem of generating reliable information in sensor networks can be reduced to one basic question – How do sensor nodes trust each other to ensure reliable collaborative behavior among them? We take the motivation from observing the evolution of existing social networks in the world. Embedded in every social network is a web of trust with a link representing the amount of trust between two individuals in the network. Let’s try to analyze the integrated role of “reputation” and “trust” in assessing the reliability of information. Trust can simply be defined as the expectation of one person about the actions of others. It is used by the first person to make a choice, when an action must be taken before the actions of others are known. Reputation is defined as the perception that a person has of another’s intentions. When facing dilemmas, individuals tend to trust those which have a reputation for being trustworthy.
RFSN manifests itself in a similar way, whereby sensor nodes maintain reputation for other nodes in the network. A node monitors the behavior of other nodes, based on which it builds up this reputation metric over time, in a completely localized and distributed manner. This reputation is used as a metric for predicting the future behavior of the nodes. At the time of collaboration, a node only cooperates with those nodes that they trust. The end objective of the framework is to generate a community of trustworthy sensor nodes. It is important to realize that the key to the success of sensor networks is the collaborative data processing between nodes and a sensor node individually cannot provide any meaningful information to the end user. Thus, in order to contribute a node needs to collaborate with other nodes in the network. The key to the development of highly reliable sensor networks lie in making the nodes collaborate with only other good (non-malicious and non-faulty) in the network. Eventually members with a bad reputation, because they deliberately refused to cooperate or are malfunctioned, will be excluded from the community. - Countering attacks in physical monitoring applicaitons: As a first step towards developing countermeasures, we have carried out a broad classification of the existing physical world scenarios - non-cooperative (e.g. battlefield monitoring), neutral (e.g. environmental monitoring) and cooperative (e.g. monitoring of objects tagged with RFIDs in an inventory). We envision developing different customized solutions for these three different types of scenarios.
The first approach that is applicable to neutral physical processes is that of modeling and prediction. We note that in these scenarios inconsistencies will arise due to inherent environmental noise and not due to malicious security breaches. Thus, if the network observes a huge discrepancy between the predicted and the sensed results; it can conclude that something is wrong. We note that complete a priori knowledge of the physical process is not only infeasible but also defeats the purpose of deploying a sensor network. However, in the scenario of environmental monitoring the statistical behavior of the process is roughly known and the intent is to learn the actual parameters, making this approach feasible.
A more sensitive class of applications envisioned for sensor networks is that of intrusion detection (non-cooperative physical processes). An intruder can act in a completely random fashion and in fact any prior assumptions made by the network can be exploited by the adversary. We propose to thwart these attacks by introducing redundancy on the sensing channel. Thereby, instead of relying on a single sensor modality such as temperature, the decision of intrusion must be taken through an efficient multimodal fusion of temperature, acoustic and camera sensing modalities. This can potentially thwart the attempt of a compromise by an adversary on a single sensor modality such as insertion of heat source affects temperature.
SYSTEMS / EXPERIMENTS
- We have developed a prototype implementation of SERP and the underlying ARG and PAKE mechanisms on Mica2 Motes. The protocol was written in NesC and the underlying operating system is TinyOS. The protocol is available as a plug-in for sense response applications.
We have carried out a detailed energy analysis for SERP. Table I provides the rough summary of results for an example network scenario consisting of 2000 nodes, where nodes happen randomly in the network. We have measured the actual execution time in calculating a MAC on Mica2 motes. This was accomplished by toggling a GPIO pin at the start and end of the MAC computation and observing the resultant waveform on the oscilloscope. Over a set of 100 independent runs, the average time was measured to be 1.207ms.
We have also conducted several experiments over a network of motes, deliberately creating malicious attacks in the network. We have successfully verified that SERP provides resiliency to both false negative attacks (spurious event reported in the absence of any event) and false positive attacks (real event occurrence suppressed). In all our experiments, the functionality of SERP is consistent with the qualitative assertions made in the technical report.
ACCOMPLISHMENTS
- Securing the process of report generation in sensor networks is paramount for the efficient functioning of the systems deployed for monitoring and reporting critical events. We have proposed a novel scheme for authenticated report generation (ARG) through the usage of Location and Identity dependant keys (PAKE). SERP is resilient to both false negative (spurious event reported in the absence of any event) and false positive (real event occurrence suppressed) attacks carried out by internal adversaries in the system. Besides thwarting a plethora of attacks, SERP also facilitates evasive action against adversarial nodes and also limits their colluding capabilities. The feasibility of the scheme on resource constrained sensor nodes is verified through implementation on Mica2 mote platform. SERP provides a simple, scalable and practical solution for securing report generation in sensor networks.
- RFSN provides a unified approach for countering all types of malicious/non-malicious behavior in the realm of sensor networks. Instead of developing application specific security mechanisms, we provide a generalized framework for developing trustworthy sensor networks. The framework integrates all customized solutions for providing secure communication, aggregation, data consistency, SERP etc. and uses them as building blocks to develop one classifying metric, reputation, of a node. As time passes by, these customized solutions can interact with the framework to learn about the subset of trustworthy nodes enhancing their own efficiency. Thus, the framework and the individual security schemes complement each other and jointly drive the system towards a highly reliable point of operation.
FUTURE DIRECTIONS
- Since, we derive the keys based on geographical location; node movement should be followed by the derivation of a new set of cryptographic keys for it. However erasing the master key at the end of the bootstrap phase implies that no node (malicious/non-malicious) can generate any valid cryptographic keys after the bootstrap phase. Thus, PAKE will not function in the presence of dynamically changing topologies such as mobile nodes or new nodes being added into the network. We have extended PAKE to network scenarios of dynamically changing topologies, allowing for low restricted mobility of nodes trading it off against the resiliency of PAKE. We accomplish this by using a higher abstraction of regions rather than geographical locations while deriving the cryptographic keys. We have also extended PAKE to account for new added nodes into the network by exploiting the presence of some high-end nodes, such as stargates, that can be quipped with expensive tamper proof hardware resistance. We intend to study in more depth these optimizations. Furthermore, we plan to comprehend our qualitative assertions through quantitative facts via a prototype implementation on a hierarchical network of motes and stargates. We are also working towards an end-to-end secure protocol that couples SERP with a secure routing protocol. The immediate goal is to gauge the energy consumption of SERG through real time energy measurements.
- We have laid down the basic foundations of RFSN and have implemented it on a PARSEC based simulator, NESLsim. We intend to study analytically the behavior of RFSN, specifically concentrating on its convergence and stability properties. We also plan to take an information theoretic perspective to study the statistical behavior of RFSN. Till now we have just scratched the surface in this domain; lots of issues still needs to be resolved. The short term goal is also to get this framework implemented on motes.
- Security attack implementation & emulator: Security attacks refer to malicious behavior from those practical adversaries in real world. The ultimate goal of security countermeasures is to prevent these practical adversaries from disabling network services or significantly degrading service performance. Therefore, it is important to actualize security attacks when we are designing security countermeasures. In many cases, empirical cryptanalytic results and performance measurements are indispensable metrics to evaluate the impact of security attacks and efficiency of corresponding countermeasures. Nevertheless, so far in sensor network security research, many security attacks are studied only by textual descriptions and up to the level of network simulation. To our best knowledge, there are no systematic efforts invested in practical attack implementations and emulations using real sensor devices. We hereby propose a project framework to amend this obvious deficiency in security design.
- Although many data source sensors are static, it is feasible to realize mobile data aggregators/disseminators and mobile sinks in sensor networks. Due to mobility, such mobile aggregators/disseminators and sinks are less vulnerable to enemy’s physical attack. Besides, state-of-art progress in UAV (Unmanned Aerial Vehicle) and UGV (Unmanned Ground Vehicle) research has converted the idea into reality. These unmanned network components are consistent with unmanned sensors. We argue that this architecture besides being energy efficient is also apt for reliably transferring the data from sensor nodes to the sink. We propose an on-demand security mechanism whereby cryptographic keys are dynamically established on demand between the two communication parties. Clearly when tiny sensors are concerned, the security system should avoid expensive public key cryptosystems. We introduce a new sensor networking paradigm where a sensor network performs in two modes---static A/D mode and mobile A/D mode. In both modes, there could be mobile sinks. Only in mobile A/D mode, there are mobile aggregation/dissemination (A/D) nodes roaming in the sensor network to collect data reports or to disseminate control commands. The mobile A/D nodes constitute a mobile ad hoc network (MANET). We show that interoperability between a distributed sensor network and a MANET results in a securer, more energy efficient, and more robust new network.
PEOPLE
FACULTY
Prof. Greg Pottie
Prof. Mani Srivastava
GRADUATE STUDENTS
Saurabh Ganeriwal
webmaster at cens.ucla.edu
