First Stage Detection of Compromised Nodes in Sensor Networks

Wei Ding
Austin Peay State University, U.S.A.

Bireswar Laha
Core Projects & Technologies Limited, India

Sumanth Yenduri
The University of Southern Mississippi, U.S.A.

Abstract— The node capture attack in wireless sensor networks (WSNs) can be decomposed into three stages: physical capture of a node, redeployment of the compromised node, and rejoining the network to launch various insider attacks. A widely accepted belief, that physical capture is easy to carry out and difficult to detect, has directed the majority of research effort toward defense at stages two and three. That belief was recently proved false [4], which makes first-stage detection an attractive tactic. This paper proposes a new approach to detect the attack at the first stage. The detection is based upon discovering nodes that go missing or malfunction because of the physical capture. The approach is simple, reliable, energy-efficient, completely local, and completely distributed. It can be used along with other approaches at stages two and three, and hence could be employed in a wide range of applications. In simulation we compare our proposal to one of the latest successful research efforts in the area [2]. The simulation results show that our approach is more effective and more efficient in the detection of node capture attacks.

Keywords- node capture attack; sensor networks; first stage detection; compromised node

I. INTRODUCTION

Wireless sensor networks (WSNs) have the following special characteristics [1]:
1. Sensor nodes have limited energy, computation power, memory, external storage, and communication capability.
2. Sensors are tightly coupled with their environments.
3. Sensor nodes are usually accessible after deployment, which makes physical attack much easier.

Many traditional network security measures are not directly usable because of these characteristics, and the same features bring up unique threats and attacks in WSNs. Perrig et al. [1] listed the following threats to WSNs:
• Routing security
• Node capture attack
• Key assignment and distribution
• Denial of service attack

The node capture attack is regarded as one of the most serious security loopholes for WSNs [1]. Previously, the hypothesis that physical node capture is easy to operate and difficult to detect was widely accepted. The low-cost requirement has made hardware measures to prevent tampering practically impossible. Under this assumption, the neighbor-based approach by Song et al. [2] and the SET protocol by Choi et al. [3] represent solutions for the clone attack and the redeployment attack, respectively.

978-1-4244-2787-1/09/$25.00 ©2009 IEEE

A node capture attack consists of three stages:
1. physically capture and compromise the sensors;
2. redeploy the compromised nodes and/or cloned nodes;
3. launch insider attacks after the redeployed nodes rejoin the network.

By far, most proposed detection schemes address this problem at the third stage. The proposals of both Song et al. and Choi et al. fall into stage 2 of the above framework. Song et al. designed a countermeasure against attacks at the second stage [2]. Their approach detects the redeployment, not the capture. The design rests on the assumption that a location difference between the original node and the redeployed node is highly likely. Song et al. argued that the error in current GPS devices is sufficient to cause a considerable location difference. That may be true for an unmanned vehicle capturer, but it is not that convincing for a human attacker: an enemy soldier can simply mark the precise location with a red flag. Their approach is also not adequately active. It only monitors data packets from the monitee; if that portion of the WSN has a very low workload, no data packets are transmitted, and there is no way to detect the compromised node.

In particular, there is a problem with the approach of Song et al. The detection procedure in [2] will not work if only data packets are monitored by guardian nodes, since data packets, as specified by Song et al., are transmitted at a fixed radio power level pdata. For their approach to work, the redeployed node has to repeat the booting-up process, that is, broadcast probe messages at multiple power levels. The attacker certainly will not let the redeployed node do so, because doing so is equivalent to announcing "I am a compromised node." Furthermore, to make the paradigm work, every node in the WSN has to repeat the full-range probe broadcasting periodically. If multiple power levels are used, the procedure is very expensive in terms of time, energy cost, and computation overhead.

Another problem with Song's approach is the setup. The setup consists of power level tuple recording and guardian node marking. Basically these two preparation steps set up two neighbor sets for each node: one set contains the neighbors reachable with lower radio transmission power, the other the neighbors reachable with higher radio transmission power. Those two steps need to be done when every node powers up. In the first step, each node sends out a series of probing packets with gradually increasing radio power. The packet number for each node could be as many as 255 for a Berkeley Mica2 mote. A node with 10 neighbors has to receive and process 2550 probing packets to set up its two neighbor sets in the best case, when no collision or interference occurs during the procedure, which is highly unlikely. We think this provision is unnecessary and expensive in terms of overhead. It is justifiable only when data packets are transferred at different radio power levels, which certainly needs much more overhead in message control. Most current sensor networks use a fixed, uniform radio power. With fixed radio power, Song et al.'s approach could only work when special messages (like our Hello message described in Section II) are regularly broadcast by every node. But this situation

The SET protocol detects clones by set operations on exclusive subsets of the network. First, exclusive subsets of one-hop neighbors are established in a distributed and secure manner. This secure subset formation also provides authentication of nodes' subset membership. A tree structure is used in the set operation calculation. The tree integrates interleaved authentication to prevent falsification of subset information by clone nodes, and randomization strengthens the authentication of set operations and tree formation. However, SET uses a hierarchical, centralized structure in which the base station has to collect information from every subset leader, including information about its members, information about the leaders and members of neighboring subsets, and the relevant message authentication codes. The overhead in terms of control messages, time consumed, and amount of computation is remarkable.

By detailed analysis and experiment, Tague and Poovendran [4] showed that the above hypothesis, that physical node capture is easy to operate and difficult to detect, is false. This essentially degrades all existing detection algorithms working at stage three and stage two. This paper tries to detect the captured nodes at the first stage. Detection at the earliest possible time minimizes the loss considerably and is the key to defending against the attack. Our detection is based upon the missing and malfunctioning of nodes.

II. FIRST STAGE SOLUTION TO NODE CAPTURE ATTACK

We assume:
1. The sensor network is purely static. No node moves in normal operation.
2. All nodes have a built-in unique node ID.
3. A WSN is connected. If a network is not actually connected, it can be decomposed into several disjoint connected components, each of which can then be regarded as a complete WSN.
4. Capturing a node will interrupt or disturb the node's normal operation, if it does not disable the node completely. Such disturbance may not be easy to detect when a patient attacker is equipped with state-of-the-art devices for eavesdropping. This is the most important underlying assumption.

The basic idea is to use periodic Hello messages at the lowest possible radio power. If a neighbor (called the guardian node) does not receive three consecutive Hello messages from the monitored node (called the monitee), it sends two successive probing AYT (Are You There?) messages separated by a fixed short interval. Every node must respond to an AYT request at the earliest possible time if it can.

If the guardian node does not receive a response message from the monitee within a fixed timeout, it broadcasts a Captured message to its neighbors at maximum radio power. The Captured message is not forwarded by those neighbors to the entire network, so the amount of flooding is very limited. The receivers of the message add the announced node to their list of known captured nodes. No more data packets from the captured node are forwarded or aggregated. If keys are used in the sensor network security scheme, the current keys should be replaced with alternative keys.

Furthermore, a captured node can also broadcast an IMC (I Am Captured) message to its neighbors. This message is not forwarded by the neighbors either; receivers of an IMC message convert it into a Captured message with the same originator but a different sender. The above description applies to active nodes. For inactive nodes, that is, nodes put into hibernation or sleep, the frequency of Hello messages is much lower.

III. HELLO MESSAGE-BASED DETECTION

A. Set up Neighbor Table

The Hello message is transmitted at the same radio power level as regular data packets, but it is very limited in size. It contains only the sender's node ID, and location information if available. The message is encrypted with the first key in a pre-installed key list; every node has the same key list installed by the manufacturer. The node ID is assigned prior to deployment. After powering up, a node starts sending Hello messages at uniform intervals. A neighbor node extracts the node ID from the Hello message and stores it in its neighbor table. Every node maintains a one-hop neighbor table.

B. Messages Used

The FSD protocol uses the following message types: Hello, AYT (Are you there?), IMF (I am fine), Captured, and IMC (I am captured). All messages follow the format:
msg (type, originator, sender, receiver, captured, flooding)

C. Outline of Detection Protocol

All algorithms are written in Abstract Protocol notation. For simplicity, we assume that all nodes are powered up at exactly the same time. After setting up the neighbor table, each guardian node runs a monitoring routine. The monitoring routine keeps a counter for each neighbor (monitee), which records the number of consecutively missed Hello messages from that particular neighbor. When the counter reaches the threshold of three, a probing AYT message is sent to the neighbor. The protocol demands that all nodes respond to an AYT request. If a positive response, i.e. an IMF message, is not received from that monitee within a fixed timeout, the guardian node broadcasts a Captured message to all its one-hop neighbors.

The Hello interval is the primary parameter of FSD. According to [4], a severe attack needs more than 20 seconds to accomplish. We take half of this period, 10 seconds, as our benchmark. Three Hello intervals should amount to about 10 seconds, so we choose a Hello message interval of three seconds. To protect the system from maliciously disguised messages, Hello messages arriving later than three successive intervals are not accepted. IMF messages, however, are accepted, since they are not regular messages that have been overheard many times. To be able to fake IMF messages, the attacker would have to obtain and understand most of the protocol, which is almost impossible in a short amount of time.

IV. ALGORITHM FOR FSD PROTOCOL

All algorithms are written in Abstract Protocol notation [5]. We list only a few key algorithms due to the page limit. For simplicity, we assume that all nodes are powered up at exactly the same time. All timers count down to zero, which triggers the action.

A. Variable List

1) Constant List
ALL: all neighbor nodes in radio range of the current node.
HELLO_INTERVAL: the fixed interval for all Hello messages.
AYT_INTERVAL: the interval between the first and second AYT request. Usually set to 5 seconds.
AYT_TIME_OUT: time to wait before sending a Captured message.
MAX_INT: the default value of timers.

2) Variable List in Node Class
in_queue: incoming message queue.
out_queue: outgoing message queue.
Γ: current set of one-hop neighbor objects (not real nodes).
CapturedNodes: list of node IDs of known captured nodes.
HelloTimer: timer for the Hello interval of the current node.
AYT1: set of IDs of first AYT messages.
AYT2: set of IDs of second AYT messages.

3) Variable List in Neighbor Class
AYTStatus: number of AYT messages sent.
AYT1Timer: timer for sending out the second AYT request.
AYT2Timer: timer for the response after sending the last AYT request.
HelloTimer: the monitor's timer for the monitee's Hello interval.
MissedHelloCounter: counter of consecutively missed Hello messages. Its range is usually 0 to 3.

B. Algorithm in AP Notation

In the following algorithms, h and s are Neighbor type objects.
(a1) initializes the FSD protocol in every node.
(a2) controls the sending of Hello, AYT, and Captured messages.
(a3) processes a received Hello.

(a1) Power up →
    in_queue := ∅
    out_queue := ∅
    Γ := ∅
    CapturedNodes := ∅
    AYT1 := ∅
    AYT2 := ∅
    HelloTimer := HELLO_INTERVAL
    broadcast msg(Hello, ID, ID, ALL, False)
    count_down HelloTimer

[] (a2) HelloTimer = 0 →
    broadcast msg(Hello, ID, ID, ALL, False)
    HelloTimer := HELLO_INTERVAL
    for each h ∈ Γ do
        if h.HelloTimer = 0 then
            h.HelloTimer := HELLO_INTERVAL
            h.MissedHelloCounter++
        if h.MissedHelloCounter >= 3 then
            if h.AYTStatus = 0 then
                send msg(AYT, ID, ID, h, False)
                h.AYT1Timer := AYT_INTERVAL
                h.AYTStatus := 1
                count_down h.AYT1Timer
            else if (h.AYTStatus = 1) AND (h.AYT1Timer = 0) then
                send msg(AYT, ID, ID, h, False)
                h.AYT2Timer := AYT_TIME_OUT
                h.AYTStatus := 2
                count_down h.AYT2Timer
            else if (h.AYTStatus = 2) AND (h.AYT2Timer = 0) then
                CapturedNodes := CapturedNodes ∪ {h.ID}
                broadcast msg(Captured, h.ID, ID, ALL, True)
                Γ := Γ - {h}    // Remove h from Γ

[] (a3) Receive msg(Hello, sID, sID, ALL, False) →
    s := new (Neighbor)    // Blank node
    s.ID := sID
    found := false
    for each h ∈ Γ do
        if h.ID = sID then
            s := h    // Now s and the current h point to the same object in Γ
            found := true
            break from for loop
    if NOT found then    // first Hello message from a new neighbor
        s.MissedHelloCounter := 0
        s.HelloTimer := HELLO_INTERVAL
        count_down s.HelloTimer
        s.AYTStatus := 0
        Γ := Γ ∪ {s}
    else    // the node is already in Γ
        if s.MissedHelloCounter < 3 then    // After 3 missed Hello intervals, incoming Hellos are malevolent.
            // Roll back all abnormal indicators to normal status.
            s.MissedHelloCounter := 0
            s.HelloTimer := HELLO_INTERVAL
            count_down s.HelloTimer
            if s.AYTStatus ≠ 0 then
                print an error message
            s.AYTStatus := 0

[]

Note that in some rare cases, a monitee's Hello message could arrive after the current node has already sent one or even two AYT messages to it. Only an IMF message can stop the procedure from declaring the node captured. After the maximum of three consecutive missed Hello messages, incoming Hellos are regarded as malevolent and discarded.

(a4) Receive msg(AYT, sID, sID, rID, False) →
    if ID ≠ rID then return
    if sID ∉ AYT1 then
        AYT1 := AYT1 ∪ {sID}
    else if sID ∉ AYT2 then
        AYT2 := AYT2 ∪ {sID}
    if (ID ∉ CapturedNodes) AND (no danger of being captured has been detected) then
        send msg(IMF, ID, ID, ALL, False)

[]

A sensor node detects attacks and tampering against itself by hardware. Possible causes of falsely reported missed Hello messages are problems in radio propagation, such as reflection, refraction, diffraction, absorption and scattering, or temporary software or hardware failure. In these cases, if a monitee receives an AYT message, it broadcasts an IMF message to all one-hop neighbors. If the receiver of an AYT message believes that it has been captured or is in great danger, it does nothing and simply lets the regular capture detection mechanism at the guardian nodes do its job. Procedure (a7) deals with the scenario in which a node has not received any AYT message while believing that it has been captured or is in great danger.

(a5) Receive msg(Captured, oID, sID, ALL, True) →
    if oID ∉ CapturedNodes then
        CapturedNodes := CapturedNodes ∪ {oID}
        for each h ∈ Γ do
            if h.ID = oID then
                Γ := Γ - {h}    // Remove h from Γ
                break from for loop
        broadcast msg(Captured, oID, ID, ALL, True)

[] (a6) Receive msg(IMF, sID, sID, ALL, False) →
    s := new (Neighbor)    // Blank node, all variables of s take default values.
    s.ID := sID
    found := false
    for each h ∈ Γ do
        if h.ID = sID then
            s := h    // Now s and the current h point to the same node object in Γ
            found := true
            break from for loop
    if NOT found then    // first message from a new neighbor
        s.MissedHelloCounter := 0
        s.HelloTimer := HELLO_INTERVAL
        count_down s.HelloTimer
        s.AYTStatus := 0
        Γ := Γ ∪ {s}
    else    // s is already in Γ
        s.MissedHelloCounter := 0
        s.HelloTimer := HELLO_INTERVAL
        s.AYTStatus := 0
        count_down s.HelloTimer

[]

(a6) is very similar to (a3). The only difference is that at (a3) s.AYTStatus should be 0, while at (a6) it should not.

(a7) Having detected that the current node is captured →
    if AYT1 = ∅ AND AYT2 = ∅ then    // No AYT message received
        CapturedNodes := CapturedNodes ∪ {ID}
        broadcast msg(IMC, ID, ID, ALL, True)

[] (a8) Receive msg(IMC, sID, sID, ALL, True) →
    if sID ∉ CapturedNodes then
        CapturedNodes := CapturedNodes ∪ {sID}
        for each h ∈ Γ do
            if h.ID = sID then
                Γ := Γ - {h}    // Remove h from Γ
                break from for loop
        broadcast msg(Captured, sID, ID, ALL, True)

[]
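The guardian-side behaviour of (a2), (a3) and (a6) is easiest to check by driving it against a few monitee timelines. The following Python is an added example written for this page, not the authors' AP code or their simulator. It assumes a discrete clock in whole seconds, that the timer loop of (a2) is evaluated every second rather than only when the guardian's own Hello timer fires, instantaneous radio delivery, and an AYT_TIME_OUT of 5 seconds (the paper does not fix a value). The names Guardian, Neighbor and run_scenario are chosen here and do not appear in the paper.

```python
"""FSD guardian-side monitoring reconstructed from actions (a2), (a3), (a6).

Added example, not the paper's code. Assumptions not fixed by the paper:
whole-second clock, the (a2) timer loop runs once per second, delivery is
instantaneous, and AYT_TIME_OUT is 5 s.
"""

HELLO_INTERVAL = 3     # seconds, Section III
MISSED_THRESHOLD = 3   # consecutive missed Hellos before probing, Section II
AYT_INTERVAL = 5       # seconds between first and second AYT, Section IV
AYT_TIME_OUT = 5       # assumed value; the paper leaves it unspecified


class Neighbor:
    """One entry of Γ: the guardian's view of a single monitee."""

    def __init__(self, node_id, now):
        self.id = node_id
        self.missed = 0                              # MissedHelloCounter
        self.ayt_status = 0                          # number of AYTs sent (0, 1, 2)
        self.hello_deadline = now + HELLO_INTERVAL   # HelloTimer as an absolute time
        self.ayt_deadline = None                     # AYT1Timer / AYT2Timer


class Guardian:
    def __init__(self, node_id):
        self.id = node_id
        self.neighbors = {}    # Γ, keyed by monitee ID
        self.captured = set()  # CapturedNodes
        self.sent = []         # (time, type, destination) for AYT and Captured
        self.rejected = []     # (time, monitee) Hellos discarded as malevolent

    def _reset(self, n, now):
        """Roll all abnormal indicators back to normal status."""
        n.missed = 0
        n.ayt_status = 0
        n.ayt_deadline = None
        n.hello_deadline = now + HELLO_INTERVAL

    def receive_hello(self, now, sender):
        """(a3): a Hello from a known monitee is honoured only while fewer
        than MISSED_THRESHOLD Hellos have been missed; later ones are dropped."""
        n = self.neighbors.get(sender)
        if n is None:
            self.neighbors[sender] = Neighbor(sender, now)
        elif n.missed >= MISSED_THRESHOLD:
            self.rejected.append((now, sender))
        else:
            self._reset(n, now)

    def receive_imf(self, now, sender):
        """(a6): an IMF clears the alarm regardless of the missed counter."""
        n = self.neighbors.get(sender)
        if n is None:
            self.neighbors[sender] = Neighbor(sender, now)
        else:
            self._reset(n, now)

    def tick(self, now):
        """(a2): advance every monitee's timers by one second and escalate."""
        for n in list(self.neighbors.values()):
            if now >= n.hello_deadline:             # the monitee's HelloTimer expired
                n.hello_deadline = now + HELLO_INTERVAL
                n.missed += 1
            if n.missed < MISSED_THRESHOLD:
                continue
            if n.ayt_status == 0:                   # first AYT probe
                self.sent.append((now, "AYT", n.id))
                n.ayt_status = 1
                n.ayt_deadline = now + AYT_INTERVAL
            elif n.ayt_status == 1 and now >= n.ayt_deadline:   # second AYT probe
                self.sent.append((now, "AYT", n.id))
                n.ayt_status = 2
                n.ayt_deadline = now + AYT_TIME_OUT
            elif n.ayt_status == 2 and now >= n.ayt_deadline:   # no IMF: declare capture
                self.captured.add(n.id)
                self.sent.append((now, "Captured", n.id))
                del self.neighbors[n.id]            # Γ := Γ - {h}


def run_scenario(hello_times, imf_times, horizon, monitee="n7"):
    """Drive one guardian against a constructed monitee timeline.

    hello_times / imf_times are the seconds at which the monitee's Hello /
    IMF reach the guardian. Returns the Guardian for inspection."""
    g = Guardian("n1")
    for now in range(horizon + 1):
        if now in hello_times:
            g.receive_hello(now, monitee)
        if now in imf_times:
            g.receive_imf(now, monitee)
        g.tick(now)
    return g


if __name__ == "__main__":
    silent = run_scenario({0}, set(), 25)                 # monitee goes quiet after t=0
    print(silent.sent)                                    # AYT at 9, AYT at 14, Captured at 19
    recovered = run_scenario({0, 12, 15, 18, 21, 24}, {10}, 25)
    print(recovered.sent, recovered.captured)             # one AYT, nothing captured
```

Running the four timelines in the test shows the behaviour Section IV describes: a monitee that falls silent after its last Hello draws an AYT at 9 s, a second AYT at 14 s and a Captured broadcast at 19 s; a monitee that resumes Hellos before the third interval expires never triggers an AYT; a monitee that answers the first AYT with IMF has its alarm cleared although the counter had already reached three; and a Hello that arrives after three missed intervals is discarded as malevolent while the capture procedure runs on.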

V. SIMULATION

A. Simulation Setup

As in [2], the false positive ratio and the false negative ratio are the primary parameters in our simulation. The former is the error rate in marking nodes as captured; the latter is the error rate in not marking nodes as captured. Our selection of captured nodes is completely random. Our approach is purely decentralized and local, so the size of the network is not important. The simulated WSN covers a 100 feet by 100 feet square. As in [2], two networks are tested: one with 100 nodes and another with 25 nodes, representing regular and sparse WSNs respectively. In both layouts, sensor nodes are randomly distributed in the square. After a short bootstrapping, in which every node broadcasts Hello messages to its neighbors, a certain percentage of nodes is randomly chosen as captured. Their capture time is also randomly selected. In our abstract simulation, we simply disable the sending function of a node when it is chosen to be captured, but we still allow it to receive messages.
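The setup above and the ratio definitions of Section V.B can be reproduced at the network level with a small script. The following Python is an added example, not the authors' simulator; it goes slightly beyond the paper's setup by adding an independent per-packet loss probability so that the propagation problems of Section IV can produce false positives. It assumes a unit-disk radio model (two nodes are neighbors exactly when their distance is at most the radio range), that a captured node stops sending but keeps receiving, and that a guardian's Captured announcement reaches its one-hop neighbors. The names deploy, neighbor_tables, guardian_marks and simulate are chosen here.

```python
"""Network-level FSD simulation with the false positive / false negative
ratios of Section V. Added example, not the paper's simulator.

Assumptions not taken from the paper: unit-disk radio model, an independent
per-packet loss probability `loss`, and the one-hop reach of a Captured
announcement. A captured node's sending function is disabled.
"""
import math
import random


def deploy(num_nodes, side=100.0, seed=1):
    """Scatter nodes uniformly over a side x side square (feet)."""
    rng = random.Random(seed)
    return {i: (rng.uniform(0, side), rng.uniform(0, side)) for i in range(num_nodes)}


def neighbor_tables(positions, radio_range):
    """Bootstrapping: every node records the Hello of every node within range."""
    table = {i: set() for i in positions}
    for a, (xa, ya) in positions.items():
        for b, (xb, yb) in positions.items():
            if a != b and math.hypot(xa - xb, ya - yb) <= radio_range:
                table[a].add(b)
    return table


def guardian_marks(monitee_captured, rng, loss):
    """Does one guardian end up broadcasting Captured for one monitee?

    A captured monitee never sends, so every Hello and every IMF is missing
    and the guardian escalates deterministically. A healthy monitee is
    falsely marked only if three consecutive Hellos are lost AND both
    AYT/IMF round trips fail, which is the escalation path of Section III."""
    if monitee_captured:
        return True
    if not all(rng.random() < loss for _ in range(3)):
        return False

    def round_trip_fails():
        # AYT out plus IMF back: two packets, each lost independently
        return rng.random() < loss or rng.random() < loss

    return round_trip_fails() and round_trip_fails()


def simulate(positions, radio_range, capture_fraction, seed=7, loss=0.0):
    """Pick captured nodes at random, run every healthy guardian, compute ratios."""
    rng = random.Random(seed)
    table = neighbor_tables(positions, radio_range)
    k = max(1, round(capture_fraction * len(positions)))
    captured = set(rng.sample(sorted(positions), k))
    marked = set()
    for guardian, monitees in table.items():
        if guardian in captured:
            continue          # its sending function is disabled: it announces nothing
        for m in monitees:
            if guardian_marks(m in captured, rng, loss):
                marked.add(m)  # Captured announcement heard by the one-hop neighbors
    # Section V.B: both ratios are normalised by the number of captured nodes
    false_positive = len(marked - captured) / len(captured)
    false_negative = len(captured - marked) / len(captured)
    # captured nodes with no healthy neighbor can never be detected by FSD
    unguarded = {m for m in captured if not (table[m] - captured)}
    return {"captured": captured, "marked": marked, "fp": false_positive,
            "fn": false_negative, "unguarded": unguarded}


if __name__ == "__main__":
    # the two layouts of Figures 1-4: 100 nodes / 30 ft and 25 nodes / 10 ft
    for n, r in ((100, 30.0), (25, 10.0)):
        res = simulate(deploy(n), r, 0.1)
        print(n, "nodes,", r, "ft: fp =", res["fp"], "fn =", res["fn"],
              "unguarded =", len(res["unguarded"]))
```

With lossless radio the false positive ratio is exactly zero and the false negative ratio equals the fraction of captured nodes that have no healthy neighbor, which is what makes the sparse 25-node, 10-foot layout the hard case for any local scheme; raising the loss probability produces false positives only through the full three-Hello-plus-two-AYT escalation.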

B. Simulation Result

1) False Positive
The false positive ratio is the error rate in marking nodes as captured, that is, the ratio of the number of nodes incorrectly marked as captured (which are actually not captured) to the number of captured nodes.

2) False Negative
The false negative ratio is the error rate in NOT marking actually captured nodes, that is, the ratio of the number of undetected captured nodes to the total number of captured nodes.

Figure 1. Comparing our FSD with the simulator of Song et al. in the false positive rate with 30 feet radio range and 100 nodes

Figure 2. Comparing our FSD with the simulator of Song et al. in the false positive rate with 10 feet radio range and 100 nodes

Figure 3. Comparing our FSD with the simulator of Song et al. in the false negative rate with 10 feet radio range and 25 nodes

Figure 4. Comparing our FSD with the simulator of Song et al. in the false negative rate with 30 feet radio range and 25 nodes

VI. CONCLUSION

This paper proposes a new, simple, and effective FSD protocol to detect physically captured sensor nodes. It detects captured nodes with high accuracy at the earliest time. Early detection gains tremendous time and advantage for the defense. The detection uses simple Hello packets to find missing nodes. The simulation results show that our approach performs better than existing paradigms. In addition, it has the flexibility for a wide range of applications.

REFERENCES

[1] Adrian Perrig, John Stankovic, and David Wagner, "Security in Wireless Sensor Networks," Communications of the ACM, vol. 47, no. 6, pp. 53-57, June 2000.
[2] Hui Song, Liang Xie, Sencun Zhu, and Guohong Cao, "Sensor Node Compromise Detection: The Location Perspective," IWCMC 2007, Honolulu, Hawaii, USA, August 2007.
[3] Heesook Choi, Sencun Zhu, and Thomas F. La Porta, "SET: Detecting node clones in Sensor Networks," Proceedings of SecureComm 2007, pp. 341-350, September 2007.
[4] Alexander Becher, Zinaida Benenson, and Maximillian Dornseif, "Tampering with motes: real-world physical attacks on wireless sensor networks," Third International Conference on Security in Pervasive Computing (SPC 2006), York, UK, April 2006.
[5] Chin-Tser Huang and Mohamed G. Gouda, Hop Integrity in the Internet, Springer US, 2006.
