Poster Abstract: A DoS-Resilient En-route Filtering Scheme for Sensor Networks

Chia-Mu Yu
IIS, Academia Sinica; Dep. of Electrical Engineering, National Taiwan University
[email protected]

Chun-Shien Lu∗
Institute of Information Science, Academia Sinica, Taipei, Taiwan, ROC
[email protected]

Sy-Yen Kuo
Dep. of Electrical Engineering, National Taiwan University, Taipei, Taiwan, ROC
[email protected]

ABSTRACT
The major contribution of this paper is to propose a robust en-route filtering scheme for data authentication in sensor networks without relying on unrealistic assumptions.

Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General - Security and protection; C.2.1 [Computer-Communication Networks]: Network Architecture and Design - Wireless communication
General Terms: Security, Algorithm, Design.
Keywords: En-route Filtering, Denial-of-Service Attack, Sensor Network Security.

1. INTRODUCTION
Sensor networks are vulnerable to the false data injection attack, in which the adversary injects false data, attempting to either deceive the base station (BS) or cause a path-based DoS (PDoS) attack [1]. While the false data injection attack leads to a severe problem regarding data gathering in sensor networks, a general framework for designing en-route filtering schemes capable of resisting these two attacks is to exploit the redundancy property of sensor networks, which means that an event can be simultaneously observed by multiple sensor nodes, for event report authentication. Specifically, an event report is validated only if it carries the endorsements generated by multiple endorsing nodes that agree on that report. In the literature, a few schemes such as LEDS [3], SEF [5], LBRS [6], and IHA [7] have been proposed under this framework.

Nevertheless, several issues arise within this framework. First, the event report can be forged at any tactical position without being detected as long as the number of compromised nodes is above a threshold. To alleviate this problem, although location-bound keys and mobile robots can be utilized to limit the use of compromised nodes, the existence of a secure bootstrapping time is essential in all of the existing schemes [3, 6, 7]. However, these assumptions are unrealistic in some mission-critical networks, which makes restricting the impact of node compromises impractical. Second, the delivery of legitimate event reports will fail when the false-endorsement-based DoS (FEDoS) attack [2], wherein the compromised nodes always broadcast false endorsements, is launched, resulting in wasted energy at en-route nodes and suppression of event reports. In addition to the FEDoS attack, we study a so-called false-identity-based DoS (FIDoS) attack, wherein the IDs attached to the event report are replaced. The FIDoS attack, which is largely ignored in the literature, has an effect similar to that of the FEDoS attack but is more difficult to resist.

Contribution. To address the two problems stated above, a DoS-resilient en-route filtering (DREF) scheme for sensor networks is proposed. Our method can deal with the false data injection attack while defending against PDoS, FEDoS, and FIDoS attacks and maximizing the resilience to dynamic topology. The following two points, and the corresponding performance and security gains, substantially differentiate DREF from previously proposed works. First, compared with all methods that focus on constructing a sophisticated key sharing relationship among nodes, DREF takes a completely different approach: it employs CFA [4], an authentication scheme from our recent work that is capable of filtering invalid messages, to achieve en-route filtering. Second, without relying on unrealistic assumptions, a novel idea of embedding proximity information into a Bloom filter prepared for the query purpose is employed to localize the impact of node compromises.
2. PROPOSED METHOD
System Model. Assume that sensor nodes are deployed over the sensing region such that each position of interest can be monitored by T ≥ t nodes, where t is a predetermined security parameter. After the event E of interest is detected, an event report is generated and then forwarded to the BS in a multi-hop fashion by the report generating node, which is elected by the detecting nodes. Nodes can be compromised by the adversary, and the secrets can be extracted from the compromised nodes. The goals of the adversary considered in this paper are to 1) let the BS accept the false report, 2) waste the energy of en-route nodes by injecting false reports, and 3) suppress the report forwarding by injecting false endorsements and IDs.

DREF can be divided into four phases: 1) the setup phase, 2) the bootstrapping phase, 3) the report generation phase, and 4) the verification phase. In the setup phase, the security parameter t is determined and each node u is loaded with a unique key $K_u$ shared only with the BS. The objective of the bootstrapping phase is to give each node the ability to query the neighborhood relationship. To this end, each node u broadcasts its ID to its one-hop neighbors in plaintext.
∗ Contact Author. This work was supported, in part, by NSC 97-2221-E-001-008.
Copyright is held by the author/owner(s). MobiHoc’09, May 18–21, 2009, New Orleans, Louisiana, USA. ACM 978-1-60558-531-4/09/05.
[Figure 1 plots: (a) filtering probability versus number of traveled hops; (b) energy consumption (J), E_DREF and E_Ord, versus false data ratio (β) and number of carried MACs; (c) energy consumption (J), E_DREF and E_Ord, versus path length and total number of nodes.]
Figure 1: Simulation results of the DREF scheme. (best viewed on a color display)

Let u's neighbors be $N(u) = \{N_1^{(u)}, \dots, N_q^{(u)}\}$. u calculates $NMAC_u = MAC_{K_u}(u \| N_1^{(u)} \| D_1^{(u)} \| \dots \| N_q^{(u)} \| D_q^{(u)})$, where $D_i^{(u)}$ is the distance between u and $N_i^{(u)}$ estimated via received signal strength (RSS), and then sends $N_u = (u, N_1^{(u)}, D_1^{(u)}, \dots, N_q^{(u)}, D_q^{(u)}, NMAC_u)$ to the BS. It should be noted that the nodes could be compromised by the adversary immediately after deployment and the IDs of compromised nodes could be broadcast at selected tactical positions. In this study, according to the information contained in the $N_u$'s, the duplicate IDs can be revoked by the BS by using the calculated pairwise distances between any two nodes as the input to multidimensional scaling (MDS). The approach is to derive the relative estimated coordinate matrix $X$ and examine whether the eigen-structure of $XX^T$ deviates significantly, i.e., whether the minimum and maximum absolute values, $e_m$ and $e_M$, of the eigenvalues of $XX^T$ are significantly different. Once $e_m/e_M$ is sufficiently close to 1, we present an algorithm, called recursively incremental sampling (RIS), to identify and revoke the replicated IDs. The goal of RIS is to repeatedly check if a properly selected subset of nodes contains replicated nodes.

After ensuring the security of the connectivity information, the BS initializes an empty Bloom filter B. For each received $N_u$, if $N_u$ can be authenticated by using $K_u$, the BS calculates the set $N_u$ of t-fold u-neighbors and then stores $N_u$ into B. Here, the t-fold u-neighbor is defined as a bit string in which (t − 1) different IDs selected from N(u) are concatenated with u. At the end of the bootstrapping phase, the BS broadcasts B to the entire network using techniques like μTESLA.

In the report generation phase, the report generating node u calculates its own MAC, $CMAC_u(E)$, and collects MACs, $CMAC_{N_{\mu_1}^{(u)}}(E), \dots, CMAC_{N_{\mu_t}^{(u)}}(E)$, where $\mu_1, \dots, \mu_t \in \{1, \dots, q\}$ and $CMAC_\mu(E)$ is the MAC of the event E generated by the node μ via CFA [4]. u checks the legitimacy of the collected MACs via CFA [4] so that the malicious nodes mounting the FEDoS and FIDoS attacks can be identified and discarded by u. Finally, if the MACs are all legitimate, u sends the report $R_E$ along with the MACs to the BS.

In the verification phase, each en-route node and the BS check if $u \| N_{\mu_1}^{(u)} \| \dots \| N_{\mu_1}^{(u)}$ exists in B and also check if the event E can be successfully verified via the MACs attached to each received $R_E$. $R_E$ will be forwarded to the next hop if both verifications succeed, and discarded otherwise.

3. EVALUATION
Some preliminary results are shown in Fig. 1. With the aid of CFA [4], each en-route node is guaranteed to be able to check the legitimacy of event reports. It can be found from Fig. 1(a) that almost all false data can be filtered in the first hop on the path to the BS, implying a strong filtering capability. The relationships between energy consumption and network parameters are shown in Figs. 1(b) and 1(c). Note that $E_{DREF}$ and $E_{Ord}$ denote the energy consumption of report forwarding with and without DREF, respectively, and the ratio of legitimate and false traffic is 1 : β. It can be observed from Fig. 1(b) that $E_{DREF}$ grows as more MACs are attached to a packet. In addition, when β = 0, $E_{DREF}$ is slightly larger than $E_{Ord}$ because the attachment of MACs in the packet also increases packet overhead. However, when β ≥ 1, the impact of energy saving appears. Note that in reality, β could be orders of magnitude more than legitimate traffic [5]. Thus, the energy saving due to the use of DREF is rather significant. It can also be found from Fig. 1(c) that the length of the forwarding path to the BS and the total number of nodes also have an impact on the energy saving of report forwarding. That is, when the path length is longer, more energy will be wasted in the transmission incurred by false data. Since multiple IDs should be attached in the DREF packet, a larger network results in larger packet overhead, as the number of bits required to represent an ID is proportional to the network size.

Discussion. The filtering capability of SEF [5] is found to be poor, and that of some existing schemes such as IHA [7] and LEDS [3] relies on a complicated security association structure, which incurs additional overhead and is difficult to maintain. For example, IHA [7] and LEDS [3] are inapplicable in networks with mobile sinks. However, the superiority of DREF is its generality and practicality in that it can be applied to networks with different configurations without compromising security and performance.

4. REFERENCES
[1] J. Deng, R. Han, and S. Mishra. Defending against path-based DoS attacks in wireless sensor networks. In ACM SASN, 2005.
[2] C. Krauß et al. Defending against false-endorsement-based dos attacks in wireless sensor networks. In ACM WiSec, 2008.
[3] K. Ren et al. LEDS: providing location-aware end-to-end Data security in wireless sensor networks. In IEEE INFOCOM, 2006.
[4] C.-M. Yu et al. A Constrained Function Based Authentication Scheme for Sensor Networks. In IEEE WCNC, 2009.
[5] F. Ye et al. Statistical en-route filtering of injected false data in sensor networks. In IEEE INFOCOM, 2004.
[6] H. Yang et al. Toward resilient security in wireless sensor networks. In ACM MobiHoc, 2005.
[7] S. Zhu, S. Setia, S. Jajodia, and P. Ning. An interleaved hop-by-hop authentication scheme for filtering of injected false data in sensor networks. In IEEE S&P, 2004.
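The bootstrapping and verification steps of Section 2, as an added example that is not the authors' code: the BS authenticates each neighbor report, stores every t-fold u-neighbor (u plus t − 1 neighbor IDs) in the Bloom filter B, and an en-route node checks a report's ID set against B. HMAC-SHA256 standing in for the MAC, the 2-byte ID encoding with sorted neighbor IDs, the filter parameters, and all function names are assumptions; the CFA verification of the event MACs is not modelled.

```python
import hashlib
import hmac
from itertools import combinations

M_BITS, K_HASHES = 4096, 4      # constructed Bloom filter size and hash count

def _positions(item: bytes):
    # K_HASHES bit positions, each from SHA-256 over a one-byte index plus the item
    return [int.from_bytes(hashlib.sha256(bytes([i]) + item).digest()[:8], "big") % M_BITS
            for i in range(K_HASHES)]

def bloom_add(bits: bytearray, item: bytes) -> None:
    for p in _positions(item):
        bits[p // 8] |= 1 << (p % 8)

def bloom_contains(bits: bytearray, item: bytes) -> bool:
    return all((bits[p // 8] >> (p % 8)) & 1 for p in _positions(item))

def encode_fold(u: int, others) -> bytes:
    # u || N_1 || ... as 2-byte IDs; neighbor IDs sorted so the string is canonical (assumption)
    return b"".join(i.to_bytes(2, "big") for i in [u, *sorted(others)])

def nmac(key: bytes, u: int, neigh: dict) -> bytes:
    # NMAC_u = MAC_{K_u}(u || N_1 || D_1 || ... || N_q || D_q); HMAC-SHA256 is a stand-in MAC
    body = b"".join(n.to_bytes(2, "big") + d.to_bytes(2, "big") for n, d in sorted(neigh.items()))
    return hmac.new(key, u.to_bytes(2, "big") + body, hashlib.sha256).digest()

def bs_build_filter(reports, keys, t: int) -> bytearray:
    """BS side: authenticate each N_u with K_u, then store every t-fold u-neighbor in B."""
    bits = bytearray(M_BITS // 8)
    for u, neigh, tag in reports:
        if u not in keys or not hmac.compare_digest(tag, nmac(keys[u], u, neigh)):
            continue                       # an N_u that fails authentication is not stored
        for subset in combinations(neigh, t - 1):
            bloom_add(bits, encode_fold(u, subset))
    return bits

def enroute_check(bits: bytearray, u: int, endorsers, t: int) -> bool:
    """En-route side: the reporting node and its t-1 endorser IDs must form a stored t-fold."""
    ids = set(endorsers)
    return len(ids) == t - 1 and u not in ids and bloom_contains(bits, encode_fold(u, ids))

# Constructed sample: node 1 reports four neighbors with RSS distances (decimetres);
# the second report carries a forged tag for node 2.
KEYS = {1: b"key-of-node-1", 2: b"key-of-node-2"}
N1 = {2: 50, 3: 70, 4: 60, 5: 90}
REPORTS = [(1, N1, nmac(KEYS[1], 1, N1)), (2, {8: 30, 9: 40}, bytes(32))]
B = bs_build_filter(REPORTS, KEYS, t=3)
```

An ID set that pairs node 1 with a node outside N(1) misses the filter, which is how the proximity information confines a compromised node's endorsements to its own neighborhood; Bloom filter false positives remain possible at a rate set by the filter parameters.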