A Security Management Framework for Sensor Networks

Sérgio de Oliveira (1, 2), Thiago Rodrigues de Oliveira (1), José Marcos Nogueira (1)
{sergiool, thiagool, jmarcos}@dcc.ufmg.br

(1) Computer Science Department, Federal University of Minas Gerais, Av. Antônio Carlos, 6627, Belo Horizonte, MG, Brazil
(2) President Antônio Carlos University, BR 482, km 3, Cons. Lafaiete, MG, Brazil

Abstract - This paper proposes a security management framework that dynamically configures and reconfigures security components in sensor networks according to management information collected by sensor nodes and sent to decision-making management entities. The idea is to give sensor networks the tools to become self-managed and more autonomic. The security management model includes the definition of security levels, a management information base, protocol messages and events.

I. INTRODUCTION

Several works in the literature propose security approaches for sensor networks to avoid the effects of an enemy's presence in the network. However, each security solution has a cost: processing and communication consume energy and time, and a sensor network must save energy to extend its lifetime. Usually it is unfeasible to recharge the batteries, at least in the kind of sensor networks we are dealing with.

Network management systems can administer resources with the aim of extending network lifetime. Density control is an example of such a service, used to extend lifetime in Manna, a network management framework for sensor networks [8]. When management runs autonomically, without human intervention, it is called self-management. In sensor networks, network management is essential to guarantee rational use of all resources: management functions can set up and turn on or off components to obtain better energy consumption. A security management system can act on the network in the same way, for example by turning security services and functions on only when the network presents such a demand. Thus the network saves energy whenever there is no indication or suspicion of an intruder. Intrusion detection systems alert the network about intruders by generating and reporting events; in autonomic management mode, the management system reacts to these events by activating or deactivating security components.

This work proposes a security management model for wireless sensor networks, including the selection of security components, the description of management information and messages, and the definition of security events. In autonomic mode, security components are grouped into levels, which are set up in response to intruder detection events. The objective is to extend network lifetime by avoiding the effects of attacks while saving energy through the activation of security services only when necessary.
This work considers static, flat WSNs. To adhere to real sensor network elements, it refers to Berkeley Mica2 Motes, which have only 4 KB of RAM and 128 KB of program memory [4]. The neighborhood of a node is not known in advance. The wireless communication is not secure: it is subject to eavesdropping, packet insertion and message replay. The nodes are vulnerable to tampering; if a node is tampered with, the enemy learns all the information it handles, including its keys. There is a single base station, which is the source or destination of all data and control packets.

II. RELATED WORKS

There are few works on the management of sensor networks. Savola and Uusitalo [9] present security management principles for ad hoc networks, which pose different security challenges than sensor networks do. The main problem in ad hoc networks is the lack of a central trust authority. Sensor networks, in turn, do not have this problem, since the base station plays that role, although they present tighter energy and hardware constraints. Dimitriou and Krontiris [12] present an overview of current research challenges in sensor network security, highlighting their autonomic communication aspects. They list the main issues: key establishment and initial trust setup, resilience to denial of service attacks, resilience to node compromise, routing security, location-aware security, data fusion security, and efficient cryptographic primitives. In Manna [8], policies describe the desired behavior of management components such as agents and managers. The Manna framework considers a three-dimensional management architecture consisting of functional areas, management levels and WSN functionalities. These dimensions are specified for the management of a WSN and are the basis for a list of management functions. This work extends the Manna network management framework for sensor networks, which is based on the paradigm of self-management: automatic management functions and services that require a minimum of human interference.

III. SECURITY COMPONENTS

Several security solutions for sensor networks are found in the literature. This work considers hop-by-hop and end-to-end cryptography and the key management approaches they require; intrusion detection mechanisms; secure routing mechanisms; a revocation scheme; and secure data fusion and aggregation.

A. Cryptographic primitives

Due to hardware constraints, it is unfeasible to use public key algorithms to encrypt messages in sensor networks: a single public key operation takes from a fraction of a second to several seconds or more on a typical sensor node, depending on algorithm and key size, orders of magnitude longer than a symmetric operation, and costs correspondingly more energy. Thus only symmetric key algorithms can be used without causing long delays and high energy consumption. One consequence should be stated explicitly: what this paper calls a "signature" is a symmetric message authentication code (MAC). It proves that a message came from a holder of the shared key, and any node holding that key, including a captured one, can produce it.

Encryption and signature are used to provide confidentiality, integrity and authentication. These operations can be performed hop-by-hop or end-to-end. There are some implementations of cryptography for sensor networks. TinySec [3] is a fully implemented link layer security architecture based on TinyOS, an operating system for wireless sensor networks. TinySec specifies cryptographic methods to authenticate (MAC) and encrypt link layer messages, providing authentication and confidentiality to a WSN at the expense of a few additional bytes per packet and a low energy cost: about 3% more energy with authentication only and about 10% with authentication and encryption. To work, TinySec requires keys shared among neighboring nodes. Several approaches can be used, such as globally shared keys or probabilistic key sharing. A globally shared key is not secure, because a single captured node reveals the key for the whole network. Probabilistic approaches, where two nodes share a key with a certain probability, are not satisfactory either, because a communication link cannot be established when the two nodes of a pair do not share a key.

B. Key management

Key management is a problem in sensor networks. Public key schemes are unfeasible due to their high processing cost. Some works present symmetric key solutions: globally shared keys, keys shared between each node and the base station, pairwise keys established among neighboring nodes, and cluster keys for cluster-based applications. Pairwise keys are the hardest to establish, because the network topology is not known in advance and memory restrictions rule out preloading a full set of pairwise keys. Several pairwise key establishment protocols are found in the literature. Probabilistic approaches [5] are good proposals, but do not guarantee key establishment between every pair of neighboring nodes. Deterministic approaches [10] assume initial trust in a globally shared key to establish all the necessary pairwise keys.
As the solution for key establishment, we choose SPINS for end-to-end cryptography and NEKAP for hop-by-hop cryptography. These approaches are chosen because they have lower energy consumption for key establishment and are deterministic, so every link can be secured. SPINS is a pioneering work that proposes two security building blocks optimized for sensor networks: SNEP and µTESLA [2]. SNEP provides end-to-end data confidentiality, two-party data authentication and data freshness between the base station and each node. µTESLA provides authenticated multihop broadcast from the base station. It uses a one-way key chain: the base station generates the chain K_n, K_{n-1} = F(K_n), ..., K_0 = F(K_1) with a one-way function F, preloads the commitment K_0 in the nodes, and uses the keys in the reverse order of generation, one per time interval. Packets sent in interval i carry a MAC computed with K_i; K_i itself is disclosed only after the interval has ended, in a later packet. A node buffers received packets, checks a disclosed key against the chain (applying F to it must yield the last key the node trusts) and only then verifies the buffered MACs. A packet whose key has already been disclosed when the packet arrives must be discarded, since anyone could have produced its MAC; this is why µTESLA requires loose time synchronization between the base station and the nodes. NEKAP [10] is a pairwise and cluster key establishment protocol for WSNs. In NEKAP, a global key KG and a per-node master key KMi are preloaded in each node i. After deployment, node i encrypts its master key KMi with KG and broadcasts the result to all of its neighbors. KG has a short validity period, just long enough to allow the exchange of master keys, which limits what an enemy gains by capturing a node after deployment.

C. Intrusion detection systems and revocation schemes

Intrusion detection in WSNs requires approaches quite different from those for conventional networks, due to differences in models, attacks and resources. Two types of approach can be used for intrusion detection in a WSN: centralized or decentralized. In the centralized approach, the base station is responsible for detecting intruders, starting from the information collected from the network, especially the information about the production of the sensor nodes (the production map); the base station has a large body of information at its disposal, which facilitates detection. In the decentralized approach, some or all network nodes perform simple operations to detect intruders [1][6]; the biggest advantage is the immediate availability of information, since the nodes can notice attacks at the moment they actually happen. Intrusion detection is normally followed by revocation of the intruder node. Revocation is the exclusion of a node from the network, making all communication with its neighbors impossible: its neighbors stop accepting its packets and discard the keys shared with it. This process must be authenticated to avoid the wrongful revocation of legitimate nodes by intruders. Since the nodes are not trusted, it is much safer to let the base station alone revoke nodes; otherwise an intruder node could revoke legitimate nodes, promoting another kind of denial of service attack. µTESLA [2] can be used to authenticate revocation messages.

D. Secure routing

Sensor networks are ad hoc networks based on self-configuration, self-healing and self-optimization. Thus routing is a critical task, because an enemy can insert itself in the network to mount a denial of service attack. We consider three mechanisms to protect routing: broadcast authentication, end-to-end or hop-by-hop, during route establishment [2][10]; intrusion detection in routing [1][6][11]; and alternative routes [11] to provide resilience to intruders. Routing with alternative routes increases network resilience against intruders [11] when every node has two routes to forward data to the base station: if there is an intruder on one route, the other can forward the messages.

E. Secure data fusion and aggregation

Data fusion [7] can combine sensing data of the same type (about the same phenomenon) as well as sensor data of different types. Data aggregation differs from data fusion in that it just joins several sensing readings into a single packet to send to the base station; an aggregation function does not need access to the meaning of the sensing data to perform the operation. Security solutions can interfere with data fusion and aggregation. First, end-to-end encryption prevents data fusion, because intermediate nodes must have access to the sensing data to perform it. Second, data fusion and data aggregation can confuse intrusion detection mechanisms such as watchdog [9]: a node that legitimately combines several incoming packets into one cannot be distinguished, by a neighbor that merely overhears traffic, from a node that drops packets. In critical security applications, data fusion and aggregation must be disabled in order to use end-to-end encryption and intrusion detection systems.
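The following is an illustration added to this page, not code from SPINS, NEKAP or the authors' framework. It shows the µTESLA one-way key chain of the key-management subsection carrying the base-station revocation message of the intrusion detection subsection: the base station MACs a packet with the key of the current interval and discloses that key later; the node buffers the packet, checks the disclosed key against its chain commitment, verifies the MAC, and only then acts on the revocation. HMAC-SHA256 as the one-way function and MAC (the Mica2 implementations use far lighter primitives), 4-byte tags, the packet layout, the receiver's interval counter "now" and node id 17 are all assumptions made for this example.

```python
"""Added example: uTESLA-style authenticated broadcast of a revocation message.

Illustration written for this page, not the SPINS or NEKAP implementation.
Assumptions: HMAC-SHA256 as the one-way function F and as the MAC, a 4-byte
truncated tag, an invented packet format (2-byte interval | payload | tag),
and a receiver clock 'now' loosely synchronised with the base station.
"""
import hashlib
import hmac
import struct

TAG_LEN = 4        # truncated MAC, as sensor protocols do (assumption)
CHAIN_LEN = 8      # number of disclosure intervals in this toy run


def one_way(key: bytes) -> bytes:
    """F: walks the chain one step towards the commitment K_0."""
    return hashlib.sha256(b"uTESLA-chain" + key).digest()


def make_chain(k_n: bytes, n: int) -> list:
    """Return [K_0, K_1, ..., K_n] with K_i = F(K_{i+1}); K_0 is the commitment."""
    chain = [k_n]
    for _ in range(n):
        chain.append(one_way(chain[-1]))
    return chain[::-1]


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


class BaseStation:
    def __init__(self, k_n: bytes, n: int):
        self.chain = make_chain(k_n, n)

    def commitment(self) -> bytes:
        return self.chain[0]          # preloaded in every node before deployment

    def send(self, interval: int, payload: bytes) -> bytes:
        """Packet of interval i: header | payload | MAC_{K_i}; K_i disclosed later."""
        body = struct.pack(">H", interval) + payload
        return body + mac(self.chain[interval], body)

    def disclose(self, interval: int) -> bytes:
        return self.chain[interval]


class SensorNode:
    """Receiver: buffers packets, verifies them once their key is disclosed."""

    def __init__(self, commitment: bytes):
        self.last_key = commitment    # last key the node trusts (starts at K_0)
        self.last_idx = 0
        self.buffer: dict = {}
        self.revoked: set = set()

    def receive(self, packet: bytes, now: int) -> bool:
        """Security condition: the packet's key must not be disclosed yet.
        Returns True if buffered, False if discarded."""
        (interval,) = struct.unpack(">H", packet[:2])
        if interval <= self.last_idx or interval > now:
            return False              # key already public, or packet from the future
        self.buffer.setdefault(interval, []).append(packet)
        return True

    def accept_key(self, key: bytes, interval: int) -> list:
        """Check a disclosed key against the chain, then verify buffered packets.
        Returns the payloads of the authentic ones and applies revocations."""
        k = key
        for _ in range(interval - self.last_idx):   # walk back to last trusted key
            k = one_way(k)
        if interval <= self.last_idx or k != self.last_key:
            return []                                # forged or stale key
        authentic = []
        for pkt in self.buffer.pop(interval, []):
            body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
            if hmac.compare_digest(mac(key, body), tag):
                authentic.append(body[2:])
        self.last_key, self.last_idx = key, interval
        for payload in authentic:
            if payload.startswith(b"REVOKE"):
                self.revoked.add(struct.unpack(">H", payload[6:8])[0])
        return authentic


def demo() -> dict:
    """One broadcast round with a forgery and a replay; returns what happened."""
    bs = BaseStation(k_n=b"\x42" * 32, n=CHAIN_LEN)
    node = SensorNode(bs.commitment())
    revoke_17 = b"REVOKE" + struct.pack(">H", 17)      # constructed payload
    pkt = bs.send(interval=1, payload=revoke_17)
    # an intruder forges a revocation of node 5 without knowing K_1
    forged = struct.pack(">H", 1) + b"REVOKE" + struct.pack(">H", 5) + b"\0" * TAG_LEN
    buffered = node.receive(pkt, now=1) and node.receive(forged, now=1)
    accepted = node.accept_key(bs.disclose(1), 1)      # forged one fails its MAC
    late = node.receive(pkt, now=2)                     # replay after K_1 is public
    bad_key = node.accept_key(b"\0" * 32, 2)            # key not on the chain
    return {"buffered": buffered, "accepted": accepted, "late_buffered": late,
            "bad_key_accepted": bad_key, "revoked": sorted(node.revoked)}


if __name__ == "__main__":
    print(demo())
```

The two rejections at the end are the ones that matter in practice: a packet arriving after its key is public is refused even though its MAC verifies, and a disclosed key is trusted only if repeated application of F leads back to the last trusted key. Without the first rule an intruder who waits for the key disclosure can revoke any legitimate node, which is exactly the denial of service the subsection on revocation warns about.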

IV. AUTONOMIC DECISIONS

Sensor networks must be self-healing, setting up their components so as to extend network lifetime and assure data production. In this work, security components are set up based on security events generated by intrusion detection systems. Intruders detected at the base station are revoked by authenticated messages sent by the base station to the nodes. Intruders detected in a decentralized way cannot be revoked on the nodes' word alone, because the nodes are not trusted, but an intruder event is generated so as to turn on security components.

We define security levels to make the autonomic decisions based on received events easier. In each security level, a subset of the security components is turned on to protect the network against the detected intruders. The network increases its security level when there is evidence of intruders. The security level can also be decreased, in case of critical energy level: to save power, security components such as intrusion detection systems can be turned off. The presence of a single intruder is sufficient to cause a change of security level, because it indicates that the current level could not prevent the intruder's ingress. TABLE 1 shows the defined security levels. Centralized intrusion detection is always enabled: it executes in the base station and demands no communication or processing resources from the sensor nodes. The base station revokes the intruders it detects.

TABLE 1 - SECURITY LEVELS

Level      Security components used
Low        - No intruder detection in nodes
           - No cryptography
           - Data fusion enabled
Medium     - 10% of nodes execute intruder detection
           - Routing update authenticated end-to-end
           - Hop-by-hop cryptography enabled
           - Data fusion enabled
           - Alternative routes
High       - 20% of nodes execute intruder detection
           - End-to-end cryptography enabled
           - Data aggregation enabled
           - Routing update authenticated hop-by-hop
           - Alternative routes
Critical   - 30% of nodes execute intruder detection
           - No data fusion or aggregation
           - End-to-end and hop-by-hop cryptography enabled
           - Routing update authenticated hop-by-hop
           - Alternative routes
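As an added illustration (not the authors' MannaNMP code), TABLE 1 written as the decision logic a base-station manager would run: the table is data, the events of Section V.C drive transitions, and the resulting configuration is emitted in the form of the MIB data objects of Section V.A. The component names, MIB object names and event names are taken from the page; the transition rules (one level up per intruder event, one level down per critical-energy event, the keys of an exhausted node revoked) are one reading of Section IV, and the numeric node ids are invented.

```python
"""Added example: TABLE 1 as an autonomic security-level controller.

Illustration written for this page, not the authors' MannaNMP code. Component,
MIB object and event names come from the page; the transition rules and the
node ids are assumptions made for the example.
"""
from dataclasses import dataclass, asdict
from typing import Optional

LEVELS = ["Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class Config:
    """Security components turned on at one level (TABLE 1)."""
    ids_fraction: float        # share of nodes executing intruder detection
    hop_by_hop_crypto: bool
    end_to_end_crypto: bool
    routing_auth: str          # "none", "end-to-end" or "hop-by-hop"
    alternative_routes: bool
    data_fusion: bool
    data_aggregation: bool


TABLE_1 = {
    "Low":      Config(0.0, False, False, "none",       False, True,  False),
    "Medium":   Config(0.1, True,  False, "end-to-end", True,  True,  False),
    "High":     Config(0.2, False, True,  "hop-by-hop", True,  False, True),
    "Critical": Config(0.3, True,  True,  "hop-by-hop", True,  False, False),
}


def check_invariants(cfg: Config) -> None:
    """Constraints stated in the text: end-to-end encryption hides payloads
    from intermediate nodes, so it excludes data fusion; and when both
    cryptography layers are on (intruders assumed to hold keys) no in-network
    processing may give a packet-dropping intruder cover."""
    if cfg.end_to_end_crypto and cfg.data_fusion:
        raise ValueError("data fusion needs plaintext at intermediate nodes")
    if cfg.end_to_end_crypto and cfg.hop_by_hop_crypto and (
            cfg.data_fusion or cfg.data_aggregation):
        raise ValueError("critical level must not fuse or aggregate")


class SecurityManager:
    """Base-station side decision maker: events in, MIB configuration out."""

    def __init__(self, level: str = "Low"):
        self.level = level
        self.intruder_detected = False
        self.revoked_nodes: set = set()

    def _step(self, delta: int) -> None:
        idx = LEVELS.index(self.level) + delta
        self.level = LEVELS[max(0, min(idx, len(LEVELS) - 1))]

    def handle(self, event: str, node_id: Optional[int] = None) -> str:
        """Apply one Section V.C event; return the resulting security level."""
        if event in ("Intrusion detection", "Disappeared node reactivation"):
            # a single intruder shows the current level did not keep it out;
            # a node that reappears after disappearing is treated as a suspect
            self.intruder_detected = True
            self._step(+1)
        elif event == "Key revocation":
            # only the base station revokes; a node's report never does by itself
            self.revoked_nodes.add(node_id)
        elif event == "Critical energy level":
            # the exhausted node's keys are revoked and costly services reduced
            self.revoked_nodes.add(node_id)
            self._step(-1)
        elif event == "Node disappearance":
            pass    # recorded at the base station; no level change by itself
        else:
            raise ValueError(f"unknown event {event!r}")
        return self.level

    def mib(self) -> dict:
        """MIB 'Data' objects of Section V.A derived from the current level."""
        cfg = TABLE_1[self.level]
        check_invariants(cfg)
        return {
            "Security level": self.level,
            "Data fusion enabled?": cfg.data_fusion,
            "Data aggregation enabled?": cfg.data_aggregation,
            "Intruder detected?": self.intruder_detected,
            "Revoked node list": sorted(self.revoked_nodes),
            **asdict(cfg),
        }


def run_scenario(events) -> list:
    """Feed (event, node_id) pairs to a fresh manager; return the level after each."""
    mgr = SecurityManager()
    return [mgr.handle(ev, nid) for ev, nid in events]


if __name__ == "__main__":
    trace = [("Intrusion detection", 7), ("Key revocation", 7),
             ("Intrusion detection", 12), ("Critical energy level", 3)]
    print(run_scenario(trace))     # Low -> Medium -> Medium -> High -> Medium
```

The invariant check is the part worth keeping in a real implementation: the table is consistent as written, but the same function catches an operator (or a forged "change of security level" message) that switches end-to-end encryption on while leaving data fusion enabled, a combination the text rules out.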

At the first or lowest level, no security component is enabled and data fusion is enabled to reduce network energy consumption. At the medium level, the chosen components imply processing and communication overhead, but they do not block data fusion or other in-network processing functions, so they do not interfere with network operation. At the high level, end-to-end cryptography prevents in-network processing: data fusion cannot be used, but data aggregation can be used instead, and is also a way to save power. The high level is entered only if intruder nodes are detected while hop-by-hop cryptography is already active. At the critical level all the security components presented here are activated, including both hop-by-hop and end-to-end cryptography. No data fusion or aggregation is used, because intermediate intruders could use these processes to drop packets, and intrusion detection mechanisms such as watchdog work better without aggregation or fusion. At this level it is assumed that intruder nodes know some network keys; thus redundant cryptography, end-to-end and hop-by-hop, is used, and an intruder must know several keys to access network messages. Cryptography can include encryption and signature (MAC); the network objectives determine which of them is used. If network data is confidential, encryption must be used; if only authenticity matters, the signature alone suffices and is cheaper.
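The following is an illustration added for this page, not the detector of [1], [6] or [9]. It makes concrete why the critical level disables fusion and aggregation: a watchdog run by node A for its next hop B remembers the packets it handed to B and overhears what B transmits; a packet B never retransmits counts as dropped. When B may aggregate, an honest aggregator and a dropper that merely claims aggregation put the same frame on the air, so the watchdog must either raise false alarms or trust a claim the dropper makes for free. Packet ids, the 4-packet window, the alarm threshold and the frame fields are assumptions made for this example.

```python
"""Added example: why in-network aggregation confuses a watchdog.

Illustration written for this page; not the detector of [1], [6] or [9].
Packet ids, the 4-packet window, DROP_THRESHOLD and the {"id", "contains"}
frame fields are assumptions made for the example.
"""

DROP_THRESHOLD = 3      # drops per window that raise an alarm (assumption)


class Watchdog:
    """Run by node A for its next hop B."""

    def __init__(self, aggregation_aware: bool):
        # aggregation_aware: also credit B for the ids it *claims* to have merged
        self.aggregation_aware = aggregation_aware
        self.pending: set = set()
        self.dropped = 0

    def sent_to_next_hop(self, pkt_id: int) -> None:
        self.pending.add(pkt_id)

    def overheard(self, frame: dict) -> None:
        """frame is what B put on the air: its own id plus, for an aggregate,
        the ids it says it merged. A neighbor cannot check the payload."""
        credited = {frame["id"]}
        if self.aggregation_aware:
            credited |= set(frame["contains"])
        self.pending -= credited

    def end_of_window(self) -> bool:
        """Anything B never retransmitted counts as dropped; True = alarm."""
        self.dropped += len(self.pending)
        self.pending.clear()
        return self.dropped >= DROP_THRESHOLD


# Next-hop behaviours: each returns the frames B transmits for the ids it got.
def honest_forwarder(ids):
    return [{"id": i, "contains": []} for i in ids]


def silent_dropper(ids):
    return []


def aggregate_frame(ids):
    """One frame claiming to merge all ids. An honest aggregator and a dropper
    that merely *claims* to aggregate put exactly this on the air; only the
    payload differs, and the overhearing neighbor cannot see inside it."""
    return [{"id": 100, "contains": list(ids)}]


def evaluate(behaviour, aggregation_aware: bool) -> bool:
    """Run one window of 4 packets through B; return whether the watchdog alarms."""
    wd = Watchdog(aggregation_aware)
    ids = [1, 2, 3, 4]                      # constructed traffic
    for i in ids:
        wd.sent_to_next_hop(i)
    for frame in behaviour(ids):
        wd.overheard(frame)
    return wd.end_of_window()


def verdicts() -> dict:
    """Alarm (True) or not, per next-hop behaviour and watchdog configuration."""
    return {
        "forwarder, aggregation off": evaluate(honest_forwarder, False),
        "silent dropper, aggregation off": evaluate(silent_dropper, False),
        "honest aggregator, plain watchdog": evaluate(aggregate_frame, False),
        "honest aggregator, aggregation-aware watchdog": evaluate(aggregate_frame, True),
        "dropper claiming aggregation, aggregation-aware watchdog": evaluate(aggregate_frame, True),
    }


if __name__ == "__main__":
    for case, alarm in verdicts().items():
        print(f"{case:58s} alarm={alarm}")
```

Only the first two rows give a verdict that matches reality: with aggregation off, "not retransmitted" means "dropped". With aggregation on, the plain watchdog accuses the honest aggregator, and the aggregation-aware one clears both the honest aggregator and the dropper, since it has nothing but B's own claim to go on. That is the trade the text makes at the critical level.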

V. MANAGEMENT MODEL

The management model of this work follows the general guidelines of the Manna framework [8]. The framework includes a management protocol called MannaNMP, which describes the services provided and the format of the messages, as well as a management information base (MIB). In our work, we propose extensions to MannaNMP to include security. The management model presented in the following is composed of a management information base, exchanged messages, and events. The model considers that the security components described above can be part of management instances. In this way the configuration of security components is dynamic: they can be included, excluded, activated and deactivated at run time.

A. Management Information Base

To configure security components, a number of management objects have been defined for the MIB. The objects are organized according to the kind of security component they serve: cryptography, keys, data, and administration.

Cryptography: Boolean objects indicate whether the system uses a specific security function; their names are self-explanatory: End-to-end encryption, Hop-by-hop encryption, End-to-end signature, Hop-by-hop signature, and Broadcast communication.

Key management: five objects are defined: Broadcast keys (list of keys used for broadcast); Pairwise keys (list of keys, one per neighbor of a node); Last key (last revealed key of the key chain of each neighbor node); End-to-end key (key used in end-to-end encryption); Global key (key used by all neighbor nodes). Since a tampered node reveals everything it stores, these objects must be changed only through authenticated management messages and never be reported in the clear.

Data: many kinds of control data are sent through the network by the nodes or the base station. The following have been defined for the MIB: Security level (choice: Low, Medium, High, Critical); Data fusion enabled? (Boolean); Data aggregation enabled? (Boolean); Intruder detected? (Boolean); Intruder identifier (ID); Revoked node identifier (ID); Revoked node list (list); Revoked keys list (list).


B. Message definition

Cryptographic messages: activation of end-to-end encryption; activation of end-to-end signature; activation of hop-by-hop signature; utilization of broadcast (for a specific period of time); change of key management protocol.

Data messages: change of security level (change of configuration of security components); utilization of data aggregation; utilization of data fusion (generates a message to deactivate end-to-end encryption, since fusion needs plaintext at intermediate nodes); intrusion detection (puts the network in alert state and notifies the intruder identifier to the base station); node revocation (includes the revoked node identifier in the lists); key revocation (includes the revoked key in the revoked-key lists of the receiver nodes).

All of these messages change the security configuration and are therefore exactly what an intruder would forge; they must themselves be authenticated (those broadcast by the base station with µTESLA, as in Section III), otherwise an intruder could simply order the network down to the low level.

C. Events

The defined events are the following: Intrusion detection (a sensor node has identified a suspect node); Key revocation (an intruder node was revoked); Node disappearance (a node suspects that a neighbor node has disappeared); Disappeared node reactivation (a node previously suspected of disappearing has been identified again and may be an intruder); Critical energy level (a node has reached a critical energy level; the keys of the node must be revoked).

VI. DISCUSSION

A common requirement of most solutions for sensor networks is increasing network availability. Energy saving is one main target to extend availability by extending network lifetime. However, security problems can be found, especially denial of service attacks, which limit the services provided by the network before the batteries are exhausted. Several security solutions can block DoS attacks to improve network availability. Each solution increases the energy consumption of the network by 10 to 20%. If these solutions are always used, network lifetime decreases faster because of battery exhaustion. A security management framework, as presented here, can improve the balance between network availability and energy consumption by turning security services on or off as necessary. However, security management also has an extra energy cost.

Considering the framework presented here, we can see three scenarios: a network without security, one with constant use of security services, and one with security management. In the first scenario intruders can reduce data production and network lifetime. In the second, intruder presence is avoided or reduced, but energy consumption increases by up to 50%. With security management, if no intruder is detected the network works without security services, saving power to prolong network lifetime; when intruders are detected, the management system increases the security level to avoid their effects. The additional energy consumption of the third scenario therefore depends on the presence of intruders. In the best case, only the centralized intrusion detection system executes, and there is no overhead on the nodes. When an intruder is detected, the security management starts its operation by sending messages to set up security services. The security services are gradually turned on, increasing network consumption but avoiding the intruders' effects. In large-scale networks, the network can be divided into sectors and security services turned on only in the regions where intruders are detected. The worst case follows from the same rules: an adversary who can trigger intrusion events at will forces the network up to the higher levels, and the management overhead then adds to the cost of the constantly secured scenario instead of saving energy.

VII. CONCLUSION AND FUTURE WORKS

This paper presents a security management framework for sensor networks. The objective is to extend network availability and lifetime by setting up security services only when necessary. In terms of self-managed or autonomic operation, a manager at the base station can automatically determine changes in the security level of the sensor nodes, turning security components on or off to avoid intruders' effects or to save energy. Intruder detection events start the autonomic setup of security levels. We foresee many challenges in this area and this work is not finished. As one example of its continuation, we intend to propose the optimization of the security solutions investigated here, sharing algorithms, keys and code to reduce memory and processing demands.

VIII. REFERENCES

[1] A. P. R. Silva, A. A. F. Loureiro, M. H. T. Martins, L. B. Ruiz, B. P. S. Rocha, H. C. Wong, "Decentralized Intrusion Detection in Wireless Sensor Networks," ACM Q2SWinet 2005.
[2] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, D. E. Culler, "SPINS: Security Protocols for Sensor Networks," Wireless Networks 8, Kluwer Academic Publishers, Netherlands, 2002.
[3] C. Karlof, N. Sastry, D. Wagner, "TinySec: A Link Layer Security Architecture for Wireless Sensor Networks," Proceedings of the Second ACM Conference on Embedded Networked Sensor Systems (SenSys 2004), November 2004.
[4] Crossbow Technology Inc., "Mica2 Wireless Measurement System," San Jose, CA, USA, February 2004, available at http://www.xbow.com/Products/Product_pdf_files/Wireless_pdf/6020-0042-04_B_MICA2.pdf, accessed September 17, 2007.
[5] D. Liu, P. Ning, R. Li, "Establishing Pairwise Keys in Distributed Sensor Networks," ACM Transactions on Information and System Security, vol. 8, no. 1, February 2005.
[6] F. Freiling, I. Krontiris, T. Dimitriou, "Towards Intrusion Detection in Wireless Sensor Networks," 13th European Wireless Conference, Paris, France, 2007.
[7] H. Luo, J. Luo, Y. Liu, S. Das, "Adaptive Data Fusion for Energy Efficient Routing in Wireless Sensor Networks," IEEE Transactions on Computers, vol. 55, no. 10, October 2006.
[8] L. B. Ruiz, J. M. Nogueira, A. A. F. Loureiro, "Manna: A Management Architecture for Wireless Sensor Networks," IEEE Communications Magazine, vol. 41, no. 2, pp. 116-125, 2003.
[9] R. Savola, I. Uusitalo, "Towards Node-Level Security Management in Self-Organizing Mobile Ad Hoc Networks," International Conference on Internet and Web Applications and Services / Advanced International Conference on Telecommunications (AICT-ICIW 2006), 19-25 February 2006, p. 36.
[10] S. Oliveira, H. C. Wong, J. M. Nogueira, "NEKAP: Intruder Resilient and Energy Efficient Key Establishment in Sensor Networks," IEEE ICCCN'07 Workshop on Advanced Networking and Communications, Honolulu, Hawaii, 2007.
[11] S. Oliveira, H. C. Wong, J. M. Nogueira, W. P. Paula, "Alternate Routes for Detection and Increase of Resilience to the Distributed Intrusion in WSN," IFIP NETWORKING 2006 Workshop on Security and Privacy in Mobile and Wireless Networking (SecPri_MobiWi 2006), Coimbra, Portugal, 2006.
[12] T. Dimitriou, I. Krontiris, "Autonomic Communication Security in Sensor Networks," 2nd International Workshop on Autonomic Communication (WAC 2005), 2005.
