Overview
Networks of wirelessly interconnected embedded sensors and actuators promise an unprecedented ability to observe and manipulate our physical world. Indeed, recent years have seen much research on understanding the fundamental properties of such networks, and on developing algorithms and hardware-software building blocks for cheap and energy-efficient implementation. However, as with almost every disruptive technology that has impacted human society, the benefits of embedded networked sensors are accompanied by significant risk factors and potential for abuse. If wireless sensor networks are to be the eyes and ears of our society, then one needs to answer the following question: how can a user trust the information provided by the sensor network? This has become a key bottleneck, which still hinders the wide-scale adoption and deployment of embedded networked sensing in day-to-day life.
Our research efforts in this domain are motivated by two key observations. First, sensor networks are highly susceptible to malicious behavior wherein an adversary can capture nodes and subsequently pose as an authenticated node in the network. Sensor networks often operate unattended in physically insecure environments, and are designed with an emphasis on numbers and low cost, which makes measures such as tamper-proof hardware not cost-effective. This makes the problem of developing secure sensor network applications, which rely heavily on inherent trust and collaborative behavior among network nodes, even more challenging. Second, sensor networks are deeply coupled with the physical world, which influences the tasks that they perform (detection, identification, tracking, inference, reconstruction, etc.) as well as the core middleware services they depend on (node location, time synchronization, sensor calibration, etc.). This coupling opens up new types of security attacks whereby a malicious adversary seeks to subvert the sensor network by exploiting weaknesses at the interface between the sensor network and the physical world. The adversary can cause an event-detection and tracking task to fail by manipulating the node localization or time synchronization processes, or by manipulating the sensing channel.
Approach
These novel attacks cannot be addressed by mechanisms based solely on cryptography and authentication. This is in part because of the uncertainties in, and lack of control over, the physical world and compromised nodes. To comprehensively address the security problems in sensor networks, we have been following a new methodology: combining cryptographic mechanisms with robust estimation techniques from signal processing and artificial intelligence, together with physics- and statistics-based models. This approach helps counter not only malicious attacks but also system faults resulting from non-malicious corruptive processes, thus paving the way for the development of trustworthy sensor networks. The specific technical innovations that we have been working on are:
- Reputation-based framework (RFSN): RFSN is a generalized framework that provides resiliency to the insertion of faulty and bogus data into the system by both malicious entities and non-malicious corruptive processes such as hardware faults and software crashes. RFSN is motivated by the social networks that exist in the real world. Borrowing tools from statistics, cryptography and decision theory, we have defined a comprehensive, distributed and completely scalable framework in which sensor nodes maintain reputations for other nodes in the network. A sensor node uses the reputation to evaluate the trustworthiness of other nodes. This establishes a web of trust in the network, which is then used as a fundamental aspect in predicting the future behavior of nodes in the network. We employ a Bayesian formulation, specifically a beta reputation system, for reputation representation, updates and integration. A suite of protocols based on statistical outlier detection forms the watchdog mechanism, which is used to classify the observed behavior of other nodes as cooperative or non-cooperative.
- Secure time synchronization toolbox: Time synchronization is critical to sensor networks at many layers of their design, and this makes it a prime target for abuse by adversaries. Although several time synchronization protocols have been developed for sensor networks, none of them was designed with security in mind. We have performed an in-depth security analysis of the existing protocols to point out this flaw. We showcase the feasibility of several attacks whereby an attacker can arbitrarily affect the achieved synchronization precision between the nodes. Following this, we have developed a suite of protocols for secure pairwise (SPS) and group synchronization (SGS) of nodes that lie within each other's power range and of nodes that are separated by multiple hops. These protocols achieve secure short-term instantaneous synchronization between sensor nodes and can be extended to achieve secure network-wide time synchronization.
- Secure localization: The problem of localizing sensor nodes in space has mainly been studied in a non-adversarial setting. A malicious adversary or a compromised node can abuse the existing protocols either to lie about its own location to the base station or to make the base station obtain a faulty estimate of the location of valid nodes in the network. Our aim is to integrate security mechanisms into these approaches at insignificant overhead, so that the protocols stay lightweight. Our approach is twofold. First, we propose a new approach to secure localization based on hidden and mobile base stations. This approach is independent of the underlying ranging technique and hence extends to a broad spectrum of localization techniques: ultrasonic or radio, based on received signal strength or on signal time of flight. Through several examples we show how this approach can be used to secure node-centric and infrastructure-centric localization schemes. Second, we propose a lightweight secure localization scheme for sensor networks based on received signal strength (RSS) ranging. Our scheme enables the network authority to obtain the locations of sensor nodes in the presence of an attacker. The proposed scheme uses a small number of anchor nodes with known locations that provide points of reference from which the sensors' locations are computed. This scheme makes use of robust localization and time synchronization primitives which, appropriately combined, enable the detection of attacks on localization.
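To make the RFSN bullet concrete, the following is an added illustration (not the project's own code) of a beta reputation system driven by an outlier-detecting watchdog: each node keeps Beta(alpha, beta) evidence counts about its neighbours, a median-absolute-deviation test classifies each round's readings as cooperative or not, and only accepted readings are fused, weighted by trust. The MAD test, the aging factor, the trust cut-off and the temperature rounds are all assumptions constructed for this example; the page does not specify RFSN's exact update rules.

```python
"""Beta-reputation watchdog in the spirit of RFSN (added illustration, not the
project's code; MAD test, aging factor and trust cut-off are assumptions)."""
from statistics import median
AGING = 0.9         # assumed forgetting factor applied before every update
OUTLIER_K = 3.0     # assumed multiplier on the median absolute deviation
TRUST_CUTOFF = 0.5  # assumed trust level below which a node is reported

class Reputation:
    """Beta(alpha+1, beta+1) belief about a neighbour's cooperativeness."""
    def __init__(self):
        self.alpha = 0.0  # weight of cooperative observations
        self.beta = 0.0   # weight of non-cooperative observations

    def update(self, cooperative):
        self.alpha *= AGING  # older evidence counts for less
        self.beta *= AGING
        if cooperative:
            self.alpha += 1
        else:
            self.beta += 1

    def trust(self):
        # Mean of the Beta posterior; 0.5 when nothing has been observed yet.
        return (self.alpha + 1) / (self.alpha + self.beta + 2)

def watchdog(readings, k=OUTLIER_K):
    """True = cooperative; False = more than k MADs from the round's median."""
    vals = list(readings.values())
    med = median(vals)
    mad = max(median(abs(v - med) for v in vals), 1e-9)  # guard all-equal rounds
    return {n: abs(v - med) <= k * mad for n, v in readings.items()}

def run_rounds(rounds):
    """Run {node: reading} rounds; return reputations and per-round fused values."""
    reps, fused = {}, []
    for readings in rounds:
        verdict = watchdog(readings)
        for n, ok in verdict.items():
            reps.setdefault(n, Reputation()).update(ok)
        w = {n: reps[n].trust() for n, ok in verdict.items() if ok}  # accepted only
        fused.append(sum(w[n] * readings[n] for n in w) / sum(w.values()))
    return reps, fused

def suspects(reps, cutoff=TRUST_CUTOFF):
    """Nodes whose reputation has fallen below the cut-off (the tracking use)."""
    return sorted(n for n, r in reps.items() if r.trust() < cutoff)

# Constructed sample: four temperature reporters; node D is faulty or malicious.
ROUNDS = [{"A": 22.1, "B": 22.3, "C": 21.9, "D": 60.0},
          {"A": 22.0, "B": 22.4, "C": 22.1, "D": 61.5},
          {"A": 22.2, "B": 22.2, "C": 22.0, "D": 59.0}]
```

Because the watchdog is a robust statistic, a single bogus reporter cannot drag the median it is judged against, and its reputation decays toward zero while the fused estimate stays near the honest nodes' values.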
Systems/Experiments
- RFSN has been implemented and is available as a generalized middleware service on SOS. Applications can register to use this service and can then configure the parameters of RFSN according to their context. The middleware service allows multiple reputation metrics to be maintained by different applications on the same node, or even by the same application for different contexts. It also allows for a gray rating of a node, i.e., the level of confidence with which the node's behavior can be characterized as misbehaving. The complete functioning of RFSN has been demonstrated in the context of a temperature monitoring system on a lab-scale testbed of Mica2 motes.
- The performance of the synchronization toolbox, both SPS for pairwise and SGS for group synchronization, has been extensively tested through a detailed experimental study on Mica2 motes.
- Although the localization service has not been implemented yet, a detailed analysis has been performed to showcase its feasibility on existing sensor networking platforms such as Mica2 and Telos motes. Furthermore, the efficacy of the algorithms has been tested through extensive MATLAB simulations.
Accomplishments
- RFSN provides resiliency to malicious or non-malicious attacks on the sensing channel. This tool can be used in two ways: (1) reliably aggregating the data from several sensor nodes, and (2) tracking malicious or faulty misbehaving nodes.
- The secure time synchronization toolbox achieves the same accuracy as the insecure protocols without incurring any extra overhead. Furthermore, it restricts the maximum impact of an attack on the achieved time synchronization precision to the order of a few microseconds. It also enables the successful detection of an attack, allowing the user to take appropriate countermeasures.
- Our localization approaches enable the secure and reliable computation of the location of sensor nodes, even in the presence of external adversaries or a minority of compromised nodes. Furthermore, the achieved location precision is the same as that of the insecure approaches.
Future Directions
We believe that our solutions for secure data collection and resilient aggregation, as well as for secure time synchronization and localization, can pave the way for the development of high-integrity and trustworthy sensor networks. Although each of these solutions has been rigorously tested in simulations and over lab-scale testbeds, a thorough evaluation in the context of a real-world application is still needed. In the coming year, we hope to integrate these solutions into existing CENS deployments such as James Reserve, as well as into some of the upcoming systems in the domains of urban sensing and remote healthcare.
People
- Saurabh Ganeriwal, Graduate Scholar, Department of EE, UCLA
- Srdjan Capkun, Post Doctoral Researcher, Department of EE, UCLA
- Prof. Mani B. Srivastava, Department of EE, UCLA