© J. PERVASIVE COMPUT. & COMM. 1 (1). TROUBADOR PUBLISHING LTD


FBSR: Feedback based Secure Routing Protocol for Wireless Sensor Networks

Zhen Cao, Jianbin Hu, Zhong Chen, Maoxing Xu, Xia Zhou
School of Electronics Engineering and Computer Science, Peking University, Beijing, China
{caozhen, hjbin, chen, xumx, zhouxia}@infosec.pku.edu.cn

Abstract— Wireless sensor networks, because of their potentially wide range of applications, may proliferate in the future. Two major stumbling blocks are the dynamic variance of the network, caused both by the capacity constraints of sensor nodes and by the uncertainties of wireless links, and secure routing in security sensitive environments. Adaptable and defendable routing mechanisms are therefore urgently needed for the deployment of sensor networks. In this paper, we propose a Feedback based Secure Routing protocol (FBSR). Feedback from neighboring nodes serves as dynamic information about the current state of the network, with which sensor nodes make forwarding decisions in a secure and energy aware manner. The feedback message is included in the MAC layer acknowledgement frame to avoid network congestion, and it is authenticated with the proposed Keyed One Way Hash Chain (Keyed-OWHC) to prevent feedback fabrication. Furthermore, we enhance FBSR's resilience to node compromise by statistical analysis performed at the base station. We present both mathematical analysis and simulation results to show that FBSR is not only reliable but also energy efficient.

Index Terms— Feedback, Secure Routing, Keyed-OWHC

I. INTRODUCTION

Wireless sensor networks, which combine data sensing, wireless communication, information processing, and distributed computing, have become more and more popular in recent years. Self organized sensor nodes form a multi-hop wireless sensor network that collects sensed data to one or more base stations, namely information sinks acting as gateways connecting the physical world with the computer world. The large number of sensor nodes together with a small number of base stations compose an asymmetric wireless network, whose applications range from indoor automation, habitat monitoring and forest fire prevention to battlefield monitoring.

Two problems are probably the most compelling in wireless sensor networks: the dynamic variance of the topology and secure routing. The first can be attributed to the strict energy constraints of sensor nodes and the frequent variance of wireless channel quality, which make nodes susceptible to energy failures and links prone to external interference, and hence give rise to dynamic variance of the network. Some research has proposed integrated routing and MAC protocols [1] [2] [3] [4] to address this problem. At the same time, the limited resources of the nodes also make wireless sensor networks vulnerable to both inside and outside attacks in the severe security environment arising from the broadcast nature of the wireless channel and the lack of physical security. There is already some work [5] [6] addressing the special concerns and constraints met by wireless sensor network security. In certain security sensitive applications such as battlefield and frontier monitoring, security and intrusion tolerance are especially important. As a result, security is viewed as an important service and functionality that must be offered by network designs such as routing and aggregation protocols, and it has attracted a large amount of research. It is therefore desirable to take both questions into account when designing a routing protocol that is both adaptable and secure and performs well in the context discussed above.

With this in mind, in this paper we introduce a novel routing scheme called Feedback Based Secure Routing protocol (FBSR) for wireless sensor networks. By using feedback information from neighbor nodes to represent their current state, FBSR consists of local, independent forwarding decisions based on the current feedback information and on a prediction of future conditions. In other words, highly dynamic changes of the network topology will not noticeably compromise FBSR's performance, since the feedback information makes it more adaptable to the variance of the network topology. Without any cryptographic protection, the stateless FBSR is resilient to routing state corruption, Wormhole and HELLO flood attacks. To protect FBSR from routing attacks such as Sinkhole and Sybil attacks, we propose the Keyed One Way Hash Chain (Keyed-OWHC) to authenticate the feedback from neighboring nodes. Furthermore, as the base station usually has powerful capacity because of its rechargeable energy supply, that capacity can be exploited to do heavy statistical computation and analysis in order to detect malicious nodes. In this way, FBSR achieves the secure routing objective without imposing too much energy consumption on normal nodes.

The design objectives of FBSR include:

1) Dynamic behavior. Our intuition comes from the use of 'dynamic information' about the sensor network. Instead of routing packets in an 'ad-hoc' manner, each sensor node in FBSR chooses the next hop based on the feedback of its neighbors. The feedback information coming from the neighbors is an evaluation of their current computing capacity. Because the computing capacity of each node changes over time, a feedback message constructed this way reflects the current status of the node. The feedback information is included in the acknowledgement frame, without any extra message, in order to avoid network congestion.

2) Secure routing. The routing protocol may be particularly vulnerable if no protection against routing attacks [7] is provided. We provide two mechanisms to defend against routing attacks. On the one hand, the feedback from neighbors is authenticated with the Keyed One Way Hash Chain (Keyed-OWHC), which is effective and efficient in that it requires neither delayed authentication nor time synchronization among sensor nodes. On the other hand, we utilize feedback from the base station to identify malicious nodes, so that normal nodes can effectively avoid spoofed, altered and replayed routing information from these nodes.

3) Energy efficiency. FBSR uses energy aware and geographically informed neighbor evaluation heuristics to feed back the current status of neighbors. The neighbor evaluation function is a combination of energy level and distance metrics. But we argue that energy aware neighbor selection is necessary only when the consumed energy exceeds a certain level. So a threshold evaluation function is used to evaluate the energy level: when the consumed energy is below a threshold, the energy level stays static, otherwise it linearly slips down.

The rest of this paper is organized as follows. In Section II, we summarize some research work on routing schemes that incorporate the idea of feedback, and on secure routing. The basis of our routing protocol, Feedback based Forwarding (FBF), is presented in Section III, followed by a discussion of its vulnerability to several routing attacks and the specification of our secure routing protocol FBSR in Section IV. In Section V, we evaluate the performance of FBSR with our simulation results, and we conclude the paper in Section VI.

II. RELATED WORK

Some routing protocols [8] [9] [10] utilize the idea of feedback to help make routing decisions. FBR [8] is a feedback based routing protocol in which a router monitors packet traffic on its routes and uses this as feedback to determine the usability of the routes, so as to be resistant to attacks and Byzantine failures. But FBR is proposed for the Internet and hence is not applicable to sensor networks. ALARM [9] is an adaptive routing protocol for Mobile Ad-hoc Networks which uses link duration as the mobility feedback metric to determine the appropriate forwarding method. Since nodes are relatively static in wireless sensor networks compared with MANETs, this method does not fit our objectives. SPEED [10] uses local feedback control to guarantee per-hop delay, so as to meet the real-time requirements of sensor networks. Aiming instead at adaptability to the dynamic variance of sensor networks, FBSR handles network dynamics by implicitly including the feedback in the MAC layer acknowledgement frames, with which the sender makes forwarding decisions in an energy efficient way.

Gupte [11] and Pervaiz [12] survey most work on secure routing in ad hoc networks. Though some secure routing protocols for ad-hoc networks such as Ariadne [13], SEAD [14] and ARAN [15] are too expensive in terms of node

state and packet overhead, and hence not suitable for sensor networks, they have shed light on how to design a secure routing protocol for sensor networks. Perrig et al. [16] put forward the first insights into the design of security protocols for wireless sensor networks, and introduce two low-level secure building blocks, SNEP and µTESLA. Karlof et al. [7] give the first analysis of secure routing in sensor networks, and introduce two classes of novel attacks against sensor networks, Sinkhole and HELLO flood. By exploiting the potential capacity of the base station, INSENS provides an intrusion tolerant routing protocol that routes packets between nodes and the base station, and routes packets between arbitrary nodes by relaying them through the base station. SIGF is a family of configurable secure routing protocols for wireless sensor networks that provides "good enough" security without relying on strong security mechanisms. Parno et al. [17] start from a clean slate and systematically design a general purpose secure routing protocol that incorporates all three design principles of resilience, protection and detection. In FBSR, we make use of a stateless protocol to provide resilience to routing state corruption, Wormholes and HELLO flood, and propose the Keyed One Way Hash Chain to authenticate the feedback efficiently, hence protecting it from Sinkhole and Sybil attacks. With respect to the node compromise problem, FBSR leverages the capacity of the base station to statistically detect Sinkhole and Sybil attacks that are potentially caused by compromised nodes.

III. FEEDBACK BASED FORWARDING

In this section, we describe the details of Feedback based Forwarding (FBF), the routing protocol which is the basis of our secure routing. When transmitting a packet, the sender prioritizes its neighbors with an evaluation function and places this neighbor list in the packet header. Neighbors, on receiving the packet, include their feedback in the ACK frame and acknowledge the sender, and in the meantime make an independent decision on whether to forward the packet. Though FBF does not require any cryptographic support, it does provide certain resilience to routing attacks by integrating dynamic behavior and non-determinism into the routing paradigm.

A. Neighbor evaluation and prioritizing

In order to bring the packet closer to the destination in an energy efficient way, the sender prioritizes its neighbors according to their most recent feedback and puts this prioritized neighbor list in the routing packet header (during the first round, when feedback is not available, neighbors are prioritized by their distances to the destination). Then the sender transmits the packet, deferring the decision of which node will forward it until the process of MAC layer contention, which is discussed in the next subsection. The neighbors feed back their current energy status and geographical location, which are evaluated by the packet sender with an evaluation function. The evaluation function is a combination of the node's current energy status and its distance to the destination. The energy level is used as the metric to evaluate the energy status of the sensor nodes. When the

CAO ET. AL,: FBSR


[Figure 1 plot: Energy Level (y axis, 0 to 1.0) against Consumed Energy (%) (x axis, 0 to 100%), with the threshold marked on the x axis. Figure 2 topology labels: S, A, B, C, X, D.]

Fig. 1. Energy level evaluation. When the consumed energy is less than the threshold, the energy level stays at 1.0, and when it exceeds the threshold, the energy level linearly slips down until zero.

consumed energy is less than the threshold, the energy level stays at 1.0, and when it exceeds the threshold, the energy level linearly slips down until zero. Figure 1 shows the curve of the energy level evaluation function, where both the consumed energy and the threshold are expressed as a percentage of the initial energy of the node. FBF uses this threshold mechanism, differently from GEAR [18], because we believe that when the energy problem is not severe, excessive consideration of energy leads to the choice of a longer route and thus consumes more energy in the whole network. Our feedback evaluation function is

$f(\text{energy\_level}, \text{distance}) = \text{energy\_level} \times (D - D_0)$,

where $D$ and $D_0$ are the distances from the source and from this node to the destination, respectively. The bigger the evaluation value, the higher the priority of the neighbor node. Only when the consumed energy exceeds the threshold does the evaluation function depend on both the energy and the distance metrics. When the consumed energy is below the threshold, $f() = D - D_0$, which means that the evaluation function represents how much closer this neighbor geographically brings the packet to the destination.

B. MAC Layer decision and feedback

FBF integrates the routing layer and the MAC layer so that the decision of which neighbor will forward the packet is made by the MAC layer. FBF employs a distributed slotted MAC protocol similar to ExOR [1]. During transmission, the sender reserves multiple time slots for the MAC layer contention. Neighbors, on the other hand, delay for an amount of time determined by their priority in the neighbor list before sending back the ACK, so that the higher a neighbor is ranked in the neighbor list, the higher the probability that it will be the next hop (to be proved).
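As an added illustration (not code from the paper), the following Python models the neighbor evaluation of Section III-A and the reprioritization of Section III-B, with a silent neighbor scored as NULL (0). The threshold value, node coordinates and consumed-energy figures are constructed assumptions.

```python
import math

# Assumed threshold: the energy level starts slipping once 60% of the
# initial energy has been consumed (the paper leaves the value open).
THRESHOLD = 0.6


def energy_level(consumed, threshold=THRESHOLD):
    """Threshold evaluation function of Fig. 1.

    consumed is the consumed energy as a fraction of the initial energy.
    Below the threshold the level stays at 1.0; above it, the level slips
    linearly down to 0.0 at 100% consumed energy.
    """
    if consumed < threshold:
        return 1.0
    if consumed >= 1.0:
        return 0.0
    return (1.0 - consumed) / (1.0 - threshold)


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def evaluate(sender, neighbor, consumed, destination):
    """f(energy_level, distance) = energy_level * (D - D0), where D is the
    sender-to-destination distance and D0 the neighbor-to-destination one."""
    d_sender = distance(sender, destination)
    d_neighbor = distance(neighbor, destination)
    return energy_level(consumed) * (d_sender - d_neighbor)


def prioritize(sender, destination, feedback):
    """Order neighbor ids from highest to lowest priority.

    feedback maps neighbor id -> (position, consumed) taken from the last
    ACK frame, or None when no ACK was heard from that neighbor. A silent
    neighbor is scored as NULL (0), so it sinks below every neighbor that
    actually brings the packet closer to the destination.
    """
    scores = {}
    for nid, fb in feedback.items():
        if fb is None:
            scores[nid] = 0.0
        else:
            position, consumed = fb
            scores[nid] = evaluate(sender, position, consumed, destination)
    # sorted() is stable, so neighbors with equal scores keep their order
    return sorted(feedback, key=lambda nid: scores[nid], reverse=True)


# Constructed scenario after Fig. 2: S sends towards D; A, B, C are neighbors.
S, D = (0.0, 0.0), (10.0, 0.0)
POSITIONS = {"A": (4.0, 0.0), "B": (3.0, 0.0), "C": (2.0, 1.0)}


def round_one():
    """All three neighbors answer, each with little energy used."""
    fb = {n: (POSITIONS[n], 0.2) for n in ("A", "B", "C")}
    return prioritize(S, D, fb)


def round_two():
    """A is busy talking to X and sends no ACK: treated as feedback 0."""
    fb = {"A": None, "B": (POSITIONS["B"], 0.2), "C": (POSITIONS["C"], 0.2)}
    return prioritize(S, D, fb)


def round_three():
    """A is back but has consumed 90% of its energy: its score shrinks."""
    fb = {"A": (POSITIONS["A"], 0.9), "B": (POSITIONS["B"], 0.2),
          "C": (POSITIONS["C"], 0.2)}
    return prioritize(S, D, fb)


if __name__ == "__main__":
    print(round_one(), round_two(), round_three())
```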
The acknowledgement from the MAC layer carries a feedback field (containing the node's energy level and geographical location) as well as $ID_h$, the identity of the sender of the highest priority ACK heard so far (to suppress duplicate forwarding, as in ExOR [1]). Neighbors ignore any ACK frames coming from nodes that are not included in the neighbor list, and when they hear from a node with higher priority, they update $ID_h$ with that node's ID. When the slotted acknowledgement window has passed, each neighbor makes a local decision on whether to forward the

Fig. 2. Feedback based Forwarding. Nodes A, B and C are evaluated and prioritized by the sender S according to their feedback included in the MAC layer acknowledgement frame.

packet. Any neighbor that has not heard the ACK of a higher priority neighbor forwards the packet. During the MAC layer contention, the sender keeps track of the feedback values carried in the ACK frames, so that it can detect and cache the current status of its neighbors. The sender reprioritizes the neighbor list based on the feedback values; to avoid heavy computation overhead, the prioritization is done once per time slot.

We now show how dynamic behavior is achieved with MAC layer feedback, using the topology shown in Figure 2. Suppose source node S is sending packets to node D (the destination), and nodes A, B, and C are S's neighbors. In the beginning, the neighbor list is prioritized as A, B, and C. After a while, when node A is engaged in communication with node X, it does not respond to the invitation to forward packets from node S, and no feedback is sent back to S. Not hearing the acknowledgement of neighbor A, node S knows that A is currently not available and regards its feedback as NULL (0); after the next prioritization, node A is at the end of the neighbor list with the least probability of being the next hop. In this way, FBF can always find a next hop with currently good capacity. After the prioritizing timeout, if node A has finished communicating with node X, it can find its proper place in the neighbor list again. When node A has consumed most of its energy some time later, another node replaces it at the top of the neighbor list and the network traffic is directed to that node, hence balancing the energy consumption network wide.

IV. FBSR: FEEDBACK BASED SECURE ROUTING

In this section, after analyzing the impact of routing attacks on FBF, we propose Feedback based Secure Routing (FBSR). Without adopting any cryptographic mechanisms, FBF provides resilience to routing state corruption, wormhole attacks and certain kinds of Denial of Service attacks, but it is still susceptible to Sinkhole, selective forwarding and Sybil attacks. The proposed FBSR hardens the routing protocol against those attacks by securing the neighborhood feedback and by statistical analysis performed at the base station.

A. System Assumptions

We assume the base station is preloaded with a public key $K_{BS}$ and a private key $K_{BS}^{-1}$. The base station works as the network authority which the whole network trusts. We also note that it is feasible to apply public key cryptography to sensor networks with care [19]. Before network deployment, each sensor node $\alpha$ must be preloaded with the base station's public key $K_{BS}$ and a unique identity $ID_\alpha$ signed by the BS, i.e., $\{ID_\alpha\}_{K_{BS}^{-1}}$. Each sensor node is also preloaded with a Keyed One Way Hash Chain (Keyed-OWHC, introduced in Section IV-C.1) with values $K_{\alpha 0}, K'_{\alpha 0}, K_{\alpha 1}, K'_{\alpha 1}, \ldots, K_{\alpha m}, K'_{\alpha m}$, the secret key $S_{hk}$ for the Keyed-OWHC, and the signed initial value of its Keyed-OWHC together with its identity $ID_\alpha$, i.e., $\{K_{\alpha 0} \| ID_\alpha\}_{K_{BS}^{-1}}$. Apart from the keying information related to the Keyed-OWHC, our protocol does not require a pairwise key between any two nodes or a group key among a number of nodes.

As for attackers, since the wireless links are insecure, attackers may eavesdrop on radio transmissions, inject messages, record and later replay messages, or drop them for any purpose. Attackers possess hardware capabilities similar to those of legitimate nodes. We also assume that it is relatively easy for attackers to capture legitimate sensor nodes in a localized area, since this is not hard to do in an unattended area, but that they are not able to capture sensors at a distance because they are afraid of being discovered. As for the base station, because it is always placed on the monitoring side with physical attendance, we can assume that it is equipped with a special sensor node which has a rechargeable energy supply and high enough radio power. Finally, our protocol is designed for networks in which all nodes are primarily stationary and move infrequently, and it does not require time synchronization among any nodes.


B. Attack Analysis

With no additional cryptographic protection, FBF provides some (though not good enough) resilience to some routing attacks. Karlof and Wagner [7] and others [5] [20] have systematically studied attacks on routing protocols. Because FBF makes the forwarding decisions dynamically according to the MAC layer competition, and keeps every node stateless, it is resilient to routing state corruption, Wormhole and HELLO flood attacks, which is also the observation of [21] on the Implicit Geographic Forwarding (IGF) [4] routing protocol. Unlike SIGF [21], FBF is self resilient to Denial of Service attacks because the forwarding decision is made by neighborhood negotiation, so that an attacker cannot exhaust its nearby neighbors by always choosing them as the next hop. Nevertheless, FBF is vulnerable to Sinkhole, selective forwarding and Sybil attacks without further protection. The detailed analysis is as follows.

1) Routing state corruption. By spoofing, altering, or replaying routing information, attackers are able to create routing loops, attract or redirect network traffic, increase end-to-end delay, etc. FBF keeps every node stateless with local information only, so it is resilient to routing state corruption.

2) Wormhole attacks. In this attack, an adversary tunnels messages received in one part of the network over a low latency link and replays them elsewhere. Since FBF makes the forwarding decision dynamically according to the MAC layer competition, attackers have no way to construct wormholes in the network.

3) HELLO flood. A HELLO flood can be thought of as a one-way, broadcast Wormhole. As with Wormholes, HELLO flood does not threaten FBF.

4) Denial of Service. DoS attacks are always conducted by exhausting the computing or storage resources of the network and hence degrading the service level provided to legitimate users. Unlike SIGF, FBF is self resilient to Denial of Service attacks because the forwarding decision is made by neighborhood negotiation, so that an attacker cannot exhaust its nearby neighbors by always choosing them as the next hop.

5) Sinkhole attacks (Blackholes). By appearing especially attractive to the surrounding nodes with respect to the routing algorithm, a malicious node lures nearly all the traffic from a particular area and hence enables many other attacks. Without further protection, FBF is particularly vulnerable to Sinkholes, since adversaries may feed back false routing information and make themselves especially attractive. We enhance its security by securing the feedback to defend against this kind of attack.

6) Selective forwarding. Attackers selectively forward packets instead of faithfully forwarding all received packets or completely dropping all packets. Selective forwarding attacks are especially dangerous if they are combined with Sinkholes, where much traffic is controlled by the attackers, so we consider defending against them together with Sinkholes.

7) Sybil attacks [22]. A malicious node behaves as if it were a larger number of nodes by impersonating other nodes or simply by claiming false identities. The Sybil attack can significantly break down the fault tolerance property guaranteed by the routing protocol. We will show how FBSR defends against Sybil nodes by authenticating the feedback from neighbors.

C. Securing Neighborhood Feedback

Based on the analysis above, we protect FBF against Sinkhole, selective forwarding and Sybil attacks by extending it to FBSR, adopting some cryptographic primitives to secure the feedback information included in the MAC layer acknowledgement. The most essential problem in securing the feedback and making FBSR insusceptible is how the sender can make sure that the feedback comes from legitimate neighboring nodes. We adopt the Keyed One Way Hash Chain (Keyed-OWHC) to address this problem.

1) Keyed One Way Hash Chain: We leverage the concept of the one way sequence proposed by the µTESLA protocol [16] to define a Keyed One Way Hash Chain (Keyed-OWHC). A Keyed-OWHC consists of two levels of sequence values, $K_0, K_1, \ldots, K_n$ and $K'_0, K'_1, \ldots, K'_n$, as indicated in Fig. 3. For the first level, the root of the chain $K_n$ is randomly chosen and kept secret. Each value $K_i$ in the chain is computed by applying the one way hash function $F_1$ $n - i$ times, i.e., $K_i = F_1^{n-i}(K_n)$. The one way

[Figure 3: the two-level chain, first level $K_0, K_1, K_2, \ldots, K_n$ and second level $K'_0, K'_1, K'_2, \ldots, K'_n$.]

Fig. 3. Keyed One Way Hash Chain. Each $K_i$ is computed by applying the hash function $i$ times on the root value $K_n$, i.e., $K_i = F_1^i(K_n)$. Each value $K'_i$ is computed via $K'_i = F_2(S_{hk}, K_i)$.

hash function $F_1$ has the property that it is computationally infeasible to compute any $K_i$ in a limited time by knowing $K_j$ where $i > j$. For the second level, each value $K'_i$ is computed via $K'_i = F_2(S_{hk}, K_i)$, where function $F_2$ is a keyed one way hash function such as HMAC-MD5, and $S_{hk}$ is a global secret preconfigured before network deployment and known only to legitimate nodes as long as they are not compromised. Each sensor node $\alpha$ holds a signature by the base station over its identity ($ID_\alpha$) and the commitment of the Keyed-OWHC ($K_{\alpha 0}$), i.e., $\{K_{\alpha 0} \| ID_\alpha\}_{K_{BS}^{-1}}$. This signature is used to authenticate the commitment of the Keyed-OWHC, hence preventing malicious nodes from creating their own unauthenticated one way sequences. Therefore, if we know that the value $K_i$ is authentic, we can authenticate the value $K_{i+1}$ by checking whether the equation $K_i = F_1(K_{i+1})$ holds. More generally, we can verify any $K_j$ given an authentic value $K_i$ ($i < j$) by checking whether $K_i = F_1^{j-i}(K_j)$ holds. Unlike digital signature verification, which involves public key computations, the verification of the Keyed-OWHC is efficient in that only hash computations are needed.

2) How to Use the Keyed-OWHC: During the first round, when the sender does not know any information about the neighboring nodes' Keyed-OWHCs, the neighboring nodes include the commitment signed with the BS's private key in their feedback. The sender authenticates its neighbors by verifying this signature, and keeps the key commitments of its neighbors in a local entry matched with the neighbors' corresponding identities. In addition, the sender keeps the freshest value of each neighbor's Keyed-OWHC it has ever heard as $K_f$. When the $i$-th value $K_i$ of the Keyed-OWHC has not been disclosed yet, the authenticated feedback message has the following format:

$\langle MAC(K'_i, M), M, K_i \rangle$

where $M$ is the acknowledgement data frame, and $MAC()$ is a Message Authentication Code (MAC)¹ function. The sender, on receiving the feedback, first verifies the authenticity of $K_i$ by checking whether $K_f = F_1^{i-f}(K_i)$ holds. If $K_i$ is authentic, the sender goes on to derive $K'_i$ by applying $K'_i = F_2(S_{hk}, K_i)$, and uses the derived $K'_i$ to verify the MAC. If the MAC validation succeeds, the sender is sure that the feedback comes from a legitimate node trusted by the base station. If any verification fails, the sender considers the corresponding neighbor malicious and removes it from the neighbor list in all subsequent communications. Recall that in FBF, neighbors ignore any ACK frames coming from nodes not included in the prioritized neighbor list, so malicious nodes cannot corrupt the MAC layer competition unless they are successfully authenticated.

When the Keyed-OWHC runs out of sequence values, it should be renewed. The sensor node can randomly choose a new root value and use it to derive a new hash chain. The commitment of the new chain should be authenticated with the most recently disclosed value of the old chain before the renewal proceeds.

¹ This is different from the Medium Access Control layer, which we always refer to as the MAC layer in this paper.

3) Discussion: In the Keyed-OWHC, we use a two level hash chain to leverage the concept of the OWHC proposed in the µTESLA protocol [16]. In µTESLA, the MAC of a broadcast message is computed with the keys on the hash chain. In order to prevent malicious nodes from fabricating a valid broadcast message with an instantly disclosed key value, µTESLA makes use of a delayed key disclosure procedure (i.e., each key $K_i$ used in interval $i$ is disclosed in interval $i + d$, where $d$ is the disclosure delay), and delays message authentication until the key used to compute the MAC is disclosed (i.e., messages received in time interval $i$ are buffered and their authentication is delayed until interval $i + d$). Delayed authentication poses a potential vulnerability to Denial of Service attacks, where malicious nodes flood the victim with an eavesdropped valid hash value and randomly filled authentication messages, hence depleting the victim's storage resources. With instant key disclosure and authentication, the proposed Keyed-OWHC is resilient to Denial of Service. Although the values in the hash chain are disclosed instantly, malicious nodes cannot forge a valid MAC because the keys ($K'_i$) for the MAC are only derivable by legitimate nodes that know the hash secret $S_{hk}$. In addition, the Keyed-OWHC does not require even loose time synchronization among networked sensors.
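The Keyed-OWHC feedback authentication of Sections IV-C.1 and IV-C.2, as an added Python example that is not the paper's code. It assumes F1 = SHA-256 and F2 = HMAC-SHA256 (the paper names HMAC-MD5 as one option), that the chain index i travels with the feedback, and that the sender already holds the neighbor's base-station-signed commitment (the signature check itself is omitted).

```python
import hashlib
import hmac
import os


def F1(x):
    """One way hash of the first level (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()


def F2(key, data):
    """Keyed one way hash of the second level, also used as the MAC()
    function (assumption: HMAC-SHA256; the paper names HMAC-MD5 as an option)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def make_chain(n, root=None):
    """First level K_0..K_n with K_i = F1^(n-i)(K_n); K_n is the secret root."""
    root = root if root is not None else os.urandom(32)
    values = [root]                      # values[k] = F1^k(K_n) = K_(n-k)
    for _ in range(n):
        values.append(F1(values[-1]))
    return values[::-1]                  # [K_0, K_1, ..., K_n]


class Neighbor:
    """A legitimate node: holds its chain, the global secret Shk and the
    index of the last value it disclosed."""

    def __init__(self, shk, n=8):
        self.shk = shk
        self.chain = make_chain(n)
        self.i = 0

    def commitment(self):
        return self.chain[0]            # K_0, signed by the BS in the paper

    def feedback(self, M):
        """Return <MAC(K'_i, M), M, K_i> plus the index i (an assumption:
        the paper does not say how the sender learns i)."""
        self.i += 1
        if self.i >= len(self.chain):
            raise RuntimeError("chain exhausted: renew it (Section IV-C.2)")
        k_i = self.chain[self.i]
        k_i_prime = F2(self.shk, k_i)   # K'_i = F2(Shk, K_i)
        return (F2(k_i_prime, M), M, self.i, k_i)


class Sender:
    """Keeps, per neighbor, the freshest authentic chain value (f, K_f)."""

    def __init__(self, shk):
        self.shk = shk
        self.fresh = {}

    def register(self, nid, commitment):
        # the paper verifies {K_0 || ID}_{K_BS^-1} here; signature check omitted
        self.fresh[nid] = (0, commitment)

    def verify(self, nid, fb):
        """Authenticate one feedback message; on success K_f := K_i."""
        mac, M, i, k_i = fb
        if nid not in self.fresh:
            return False
        f, k_f = self.fresh[nid]
        if i <= f:                      # replayed or stale chain value
            return False
        x = k_i                         # check K_f = F1^(i-f)(K_i)
        for _ in range(i - f):
            x = F1(x)
        if x != k_f:
            return False
        k_i_prime = F2(self.shk, k_i)   # derive K'_i from the disclosed K_i
        if not hmac.compare_digest(F2(k_i_prime, M), mac):
            return False
        self.fresh[nid] = (i, k_i)
        return True


def tampered_feedback(fb, new_M):
    """Rebuild a frame the way an outsider who eavesdropped K_i but lacks Shk
    would have to: the ACK data changes, the MAC cannot be recomputed."""
    mac, _, i, k_i = fb
    return (mac, new_M, i, k_i)
```

The verifier accepts a value that skips lost ones (K_f = F1^(i-f)(K_i) with i - f > 1), rejects replays of an already consumed index, and rejects a frame whose data was altered after disclosure because K'_i requires Shk.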
With the Keyed-OWHC authenticating the feedback messages from neighboring nodes, FBSR becomes insusceptible to Sinkhole and Sybil attacks.

• Sinkhole attacks. Because the feedback is authenticated with the Keyed-OWHC, whose commitment is signed with the private key of the base station, attackers cannot fabricate valid feedback and lure network traffic unless they have compromised some legitimate nodes.

• Sybil attacks. Attackers cannot impersonate other nodes unless they can counterfeit the feedback authenticated with the Keyed-OWHC. Since each node's identity (ID) is signed by the base station, it is difficult for Sybil attackers to obtain a valid identity that can be successfully verified by the packet sender.

D. Base Station Feedback

Though FBSR achieves prevention of Sinkholes and Sybils, it is still susceptible to these attacks if some legitimate sensor nodes are compromised. As assumed, it is easy for attackers to compromise some nodes in an unattended area. In this subsection, we enhance FBSR's resilience to node compromise by statistical analysis performed at the base station, whose result is fed back to the network.


TABLE I
NOTATION

  R       the route trace set
  n       the total number of (distinct) nodes in R
  N       the total number of nodes (non-distinct) in R
  n_i     the number of times node i appears in R
  fr_i    the frequency of node i appearing in R
  pr_i    the frequency that the other nodes appear more frequently than node i
  fg_i    the number of distinct instances of node i's location

After a sensor node is compromised by attackers, it will be forced to conduct a Sinkhole attack by feeding back an attractive energy level and geographical location, pretending to be energy efficient and able to bring the packet closer to the destination, or to perform a Sybil attack by impersonating other nodes or by being impersonated by the attackers who captured it. This kind of node deviation behavior is hard to detect in the local area because the deviating nodes are clever enough to avoid being discovered by their neighbors. So it is desirable to resolve this problem at the base station. As assumed, the base station is not resource limited, so FBSR employs base station statistics and feedback to detect node deviations.

In FBSR, the routing packet header contains a route trace that includes the node ids and their geographical locations $g_{id}$ along the way. When a node receives a packet, it adds the id and geographical location $g_{id}$ of the previous hop to the route trace. In this way, FBSR prevents malicious nodes from evading having their ids put in the route trace. If the malicious nodes just drop packets and refuse to participate in the routing algorithm, they can easily be detected with the method proposed in [21]. Otherwise, if they participate in the routing and forward the packets they have attracted, they cannot prevent the other nodes (the next hops) from putting them in the route trace. With the route trace information, the base station can detect potentially malicious nodes and then broadcast them in the network so that normal nodes can avoid these nodes in the future. Furthermore, the base station can confirm its detection result by attestation, taking advantage of the SCUBA protocol [23].

The notation used in the proposed statistical scheme is given in Table I. The base station is responsible for keeping track of the route trace information, recording statistics of the sensor nodes and their locations. Our method aims at detecting malicious network traffic caused by two kinds of attacks: the Sinkhole attack and the Sybil attack. In Sinkhole attacks, compromised nodes lure nearly all the traffic from a particular region, therefore the frequency with which these nodes appear in the route trace will be exceptionally high. The following two statistics are examined to detect Sinkholes:

1) $fr_i$: the frequency of each distinct node appearing in the route trace set $R$.

$fr_i = \frac{n_i}{N}, \quad \forall i \qquad (1)$

where $N = \sum_i n_i$. Obviously, the larger $fr_i$, the more often node $i$ appears in the route trace, but we should consider the relative frequency denoted by $pr_i$ before node $i$ is concluded to be a Sinkhole.

[Fig. 4 not reproduced: 5 × 5 grid topology with labelled nodes S, A, B, C and base station D.]

Fig. 4. An example of our simulation topology with a 5 × 5 grid, where S, A, and B are sensing nodes and D is the base station.

2) $p_{r_i}$: the fraction of nodes that appear more frequently than node $i$,

$$p_{r_i} = \frac{\#\{\,j \mid f_{r_j} > f_{r_i}\,\}}{n}, \quad \forall i, \qquad (2)$$

where $n$ is the number of nodes (Table I). The smaller $p_{r_i}$, the fewer nodes appear more often than node $i$, i.e. node $i$ appears relatively more often than most of the others. As the network and the route traces scale up, the frequency $f_{r_i}$ of any single node inevitably scales down, so a threshold on $f_{r_i}$ is hard to fix in advance. Since $p_{r_i}$ is relative, a threshold can be predefined on it: if $p_{r_i} \le threshold_1$, the base station regards node $i$ as malicious and broadcasts its identity in an authenticated way. For Sybil attacks, the base station uses the consistency of the geographical location claimed by node $i$. The counter $f_{g_i}$, the number of different locations claimed by node $i$, starts at 0 and is increased by one each time the base station finds a new location claimed by node $i$. If $f_{g_i} \ge threshold_2$, node $i$ is regarded as a Sybil node and its identity is broadcast by the base station in an authenticated way. Note that the threshold values $threshold_1$ and $threshold_2$ can be set by the network planner before deployment or trained with statistical methods; several works go in that direction [24] [25], but this problem is not the focus of this work.
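As an added example (not the authors' code), the following Python script puts the route-trace mechanism of the preceding paragraphs and the two statistics above into runnable form: it builds route traces the way FBSR does (each receiver records its previous hop's id and gid), computes $f_{r_i}$ (eq. 1), $p_{r_i}$ (eq. 2) and the location-claim counter $f_{g_i}$, and applies the two thresholds. The 5 × 5 grid, node ids, traffic pattern, the choice to count the first claimed location as 1, and both threshold values are assumptions made for the illustration.

```python
"""
Base-station detection of Sinkhole and Sybil nodes from FBSR route traces.

Added example, not the authors' code.  It reproduces the two statistics of the
text, f_r_i (eq. 1) and p_r_i (eq. 2), and the location-claim counter f_g_i,
over constructed route traces from a 5 x 5 grid like Fig. 4.  Node ids,
positions, traffic and both thresholds are assumptions for the illustration.
"""
from collections import Counter

# Assumed 5 x 5 grid: node "nXY" sits at gid (X, Y); the base station is n44.
GRID = {f"n{x}{y}": (x, y) for x in range(5) for y in range(5)}
BASE = "n44"


def build_trace(path, claims=None):
    """Route trace carried in a packet that travelled `path` (source ... BASE).

    Each receiving node appends its PREVIOUS hop's (id, gid), so a forwarding
    node cannot keep itself out of the trace.  `claims` maps a node id to the
    gid it reports for itself; an attacker using several locations (Sybil
    behaviour) is modelled by giving it a different claim per packet.
    """
    if path[-1] != BASE:
        raise ValueError("trace must end at the base station")
    claims = claims or {}
    return [(node, claims.get(node, GRID[node])) for node in path[:-1]]


def node_frequency(traces):
    """f_r_i = n_i / N (eq. 1): share of all trace entries belonging to node i."""
    counts = Counter(node for trace in traces for node, _ in trace)
    total = sum(counts.values())
    return {node: n / total for node, n in counts.items()}


def relative_rank(fr):
    """p_r_i = #{j | f_r_j > f_r_i} / n (eq. 2).

    A small p_r_i means few nodes appear more often than i.  Unlike f_r_i,
    which shrinks as the network grows, p_r_i stays comparable across network
    sizes, which is why the threshold is placed on it.
    """
    n = len(fr)
    return {i: sum(1 for j in fr if fr[j] > fr[i]) / n for i in fr}


def location_claims(traces):
    """f_g_i: distinct gids claimed by node i, counting the first claim as 1.

    The text starts the counter at 0 and adds one per newly seen location;
    counting the first location too (assumption) means an honest, static node
    scores exactly 1 and anything above that is an inconsistency.
    """
    seen = {}
    for trace in traces:
        for node, gid in trace:
            seen.setdefault(node, set()).add(gid)
    return {node: len(gids) for node, gids in seen.items()}


def detect(traces, threshold1=0.05, threshold2=2):
    """Return (sinkhole suspects, sybil suspects) to be broadcast authentically.

    Thresholds are assumed for this small topology (13 distinct nodes in R):
    threshold1 = 0.05 flags only a node that no other node out-appears.
    """
    fr = node_frequency(traces)
    pr = relative_rank(fr)
    fg = location_claims(traces)
    sinkholes = sorted(i for i in pr if pr[i] <= threshold1)
    sybils = sorted(i for i in fg if fg[i] >= threshold2)
    return sinkholes, sybils


# Constructed traffic: sources n00, n10, n01 (S, A, B of Fig. 4) send to n44.
# n22 is a Sinkhole that attracts every flow; n31 is a Sybil that reports a
# different gid in each packet it forwards.
SAMPLE_TRACES = [
    build_trace(["n00", "n11", "n22", "n33", "n44"]),
    build_trace(["n10", "n11", "n22", "n33", "n44"]),
    build_trace(["n01", "n12", "n22", "n33", "n44"]),
    build_trace(["n00", "n11", "n22", "n31", "n42", "n43", "n44"], {"n31": (3, 1)}),
    build_trace(["n10", "n21", "n22", "n31", "n42", "n43", "n44"], {"n31": (3, 0)}),
    build_trace(["n01", "n12", "n22", "n23", "n34", "n44"]),
    build_trace(["n10", "n21", "n22", "n31", "n42", "n43", "n44"], {"n31": (4, 1)}),
    build_trace(["n00", "n11", "n22", "n33", "n44"]),
]

if __name__ == "__main__":
    fr = node_frequency(SAMPLE_TRACES)
    pr = relative_rank(fr)
    for node in sorted(fr, key=fr.get, reverse=True):
        print(f"{node}: f_r = {fr[node]:.3f}  p_r = {pr[node]:.3f}")
    print("f_g:", location_claims(SAMPLE_TRACES))
    print("suspects (sinkhole, sybil):", detect(SAMPLE_TRACES))
```

On these traces the Sinkhole n22 is the only node with $p_{r_i} = 0$ (nothing appears more often than it), while the honest relays next in line score $1/13$ and are not flagged; the Sybil n31 is caught purely on location inconsistency, independently of how often it appears. With only thirteen distinct nodes the gap between $0$ and $1/13$ is small, which is exactly why $threshold_1$ must be tuned to the deployment size.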

V. PERFORMANCE EVALUATION

A. Approximate Analysis

First we give an approximate analysis of the probability of successful transmission and show that, with our mechanism, higher ranked neighbors have a higher probability of being the next hop. The result also shows that FBSR tolerates node failures and guarantees a high probability of successful transmission. For simplicity, we assume that the loss rates of data packets and of acknowledgements are identical for all node pairs. Let $k$ denote the size of the neighbor list, $p_d$ the data packet loss rate and $p_a$ the acknowledgement frame loss rate. $P(F_i)$ denotes the probability that the neighbor ranked $i$ forwards the packet, so $P\bigl(\bigcup_{i=1}^{k} F_i\bigr)$ is the probability that at least one neighbor successfully forwards the packet. From elementary probability we obtain:

$$P(F_1) = 1 - p_d,$$
$$P(F_2) = (1 - p_d)\,(p_a - p_a p_d + p_d),$$
$$\ldots$$
$$P(F_i) = (1 - p_d)\,\bigl(p_a - p_a p_d^{\,i-1} + p_d^{\,i-1}\bigr). \qquad (3)$$

Writing the second factor of (3) as $p_a + (1 - p_a)\,p_d^{\,i-1}$, we get

$$P(F_i) - P(F_j) = (1 - p_d)(1 - p_a)\bigl(p_d^{\,i-1} - p_d^{\,j-1}\bigr) > 0, \quad i < j, \qquad (4)$$

since $0 < p_d < 1$ and $0 < p_a < 1$. It is (4) that proves that, with our mechanism, higher ranked neighbors have a higher probability of being the next hop. Let $P_{forward}$ and $P'_{forward}$ denote the probability of successful data transmission in FBSR and in protocols that choose only one forwarding neighbor, respectively. Again from (3), the transmission fails only when every candidate misses the data packet, so

$$P_{forward} = P\Bigl(\bigcup_{i=1}^{k} F_i\Bigr) = 1 - P\Bigl(\bigcap_{i=1}^{k} \overline{F_i}\Bigr) = 1 - p_d^{\,k} > 1 - p_d = P'_{forward}. \qquad (5)$$

That is, $P_{forward} > P'_{forward}$, which gives:

Lemma 1: FBSR guarantees a higher probability of successful transmission than protocols that choose only one neighbor as forwarding candidate.

[Fig. 5 not reproduced: packet arrival time versus number of nodes (100 to 700), curves MFlood and FBSR.]

Fig. 5. Source-destination delay compared with flooding.

[Fig. 6 not reproduced: normalized network partition time versus number of nodes (100 to 700), curves MFlood and FBSR.]

Fig. 6. Network lifetime varied with node number. Normalized network partition time is used as the network lifetime metric.

B. Simulation results

We have implemented FBSR on NS-2.28 [26], a discrete event-driven simulator. Since FBSR integrates the routing and MAC layers, some modifications to 802.11 are needed to make MAC layer decisions and feedback possible. For our basic simulation topology we use a regular $n \times n$ grid with $n^2$ sensor nodes, one at each grid point. The communication radius is set to $\sqrt{2}$, so that the nearest eight neighbors can be reached. The base station is placed at $(n, n)$ (top right) and the sensing area is the four nodes at the bottom left. Figure 4 shows an example 5 × 5 grid, where S, A, and B are sensing nodes and D is the base station. Simulations are run with network sizes 3 × 3, 10 × 10, 15 × 15, 20 × 20 and 25 × 25.
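To make the approximate analysis of Section V-A concrete, here is an added Python check (not the authors' code) that evaluates (3), (4) and (5) with the paper's symbols ($k$ candidates, $p_d$, $p_a$), sweeps the loss rates to confirm the ordering claim of (4) and Lemma 1 numerically, and additionally sums $P(F_i)$ over the candidates to show the expected number of forwarders per hop, an observation the paper does not report. The loss-rate grid and the value $k = 4$ are assumed.

```python
"""
Numerical check of the FBSR approximate analysis, eqs. (3)-(5).

Added example, not the authors' code.  It evaluates the paper's closed forms
with the paper's symbols (k candidate neighbours, p_d data-packet loss rate,
p_a acknowledgement loss rate) and sweeps the loss rates to confirm eq. (4)
and Lemma 1 numerically.  The grid of loss rates and k are assumed values.
"""


def p_rank_forwards(i, p_d, p_a):
    """P(F_i) from eq. (3): the neighbour ranked i forwards the packet.

    It must receive the data packet (1 - p_d) and not be pre-empted by the
    i - 1 higher-ranked neighbours (p_a - p_a p_d^(i-1) + p_d^(i-1)).
    For i = 1 the second factor is 1, giving P(F_1) = 1 - p_d.
    """
    if i < 1:
        raise ValueError("ranks start at 1")
    q = p_d ** (i - 1)
    return (1 - p_d) * (p_a - p_a * q + q)


def rank_gap(i, j, p_d, p_a):
    """Closed form of P(F_i) - P(F_j), eq. (4); positive for i < j."""
    return (1 - p_d) * (1 - p_a) * (p_d ** (i - 1) - p_d ** (j - 1))


def p_forward(k, p_d):
    """Eq. (5): with k candidates the packet is lost only if all k miss it."""
    return 1 - p_d ** k


def p_forward_single(p_d):
    """Single-next-hop protocol (P'_forward): one missed reception loses it."""
    return 1 - p_d


def expected_forwarders(k, p_d, p_a):
    """Sum of P(F_i) over the k candidates.

    Added observation, not a quantity the paper reports: it is the expected
    number of copies one hop emits, i.e. the duplicate-transmission cost that
    buys the reliability of eq. (5).
    """
    return sum(p_rank_forwards(i, p_d, p_a) for i in range(1, k + 1))


def check_claims(k=4, steps=9):
    """Sweep p_d and p_a over an assumed open grid in (0, 1) and verify:
      * eq. (4): P(F_i) > P(F_j) for every i < j, and the closed form
        matches the direct difference of eq. (3) terms;
      * Lemma 1: P_forward > P'_forward.
    Returns (number of checks made, number of violations)."""
    checks = violations = 0
    grid = [(s + 1) / (steps + 1) for s in range(steps)]  # 0.1 .. 0.9 for steps=9
    for p_d in grid:
        for p_a in grid:
            probs = [p_rank_forwards(i, p_d, p_a) for i in range(1, k + 1)]
            for i in range(1, k + 1):
                for j in range(i + 1, k + 1):
                    checks += 1
                    direct = probs[i - 1] - probs[j - 1]
                    closed = rank_gap(i, j, p_d, p_a)
                    if not (direct > 0 and abs(direct - closed) < 1e-12):
                        violations += 1
            checks += 1
            if not p_forward(k, p_d) > p_forward_single(p_d):
                violations += 1
    return checks, violations


if __name__ == "__main__":
    p_d, p_a, k = 0.2, 0.1, 4
    for i in range(1, k + 1):
        print(f"P(F_{i}) = {p_rank_forwards(i, p_d, p_a):.4f}")
    print(f"P_forward  = {p_forward(k, p_d):.4f} (k = {k})")
    print(f"P'_forward = {p_forward_single(p_d):.4f}")
    print(f"expected forwarders per hop = {expected_forwarders(k, p_d, p_a):.4f}")
    print("eq. (4) and Lemma 1 checks (made, violated):", check_claims(k))
```

With $p_d = 0.2$, $p_a = 0.1$ and $k = 4$ the per-hop success probability rises from $0.8$ to $0.9984$, but (3) also implies about $1.22$ forwarders per hop on average, so the redundancy that Lemma 1 relies on is paid for in duplicate transmissions; a practitioner sizing $k$ should weigh both numbers.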

First we test the time efficiency of our protocol. In the flooding protocol each node forwards every packet it receives to all of its neighbors, so flooding is characterized by a short delay between source and destination. To show that FBSR is also time efficient, packet arrival time is used to compare FBSR with simple flooding. Figure 5 shows the simulation results: FBSR performs approximately 2% better than flooding, and the gap widens as the network size scales up. We use the network partition time to evaluate the energy efficiency of FBSR and of its threshold mechanism. As in Figure 4, S, A and B all transmit sensed data towards the base station. When nodes A, B and C have all drained their energy, the network is partitioned, so the network partition time is our energy efficiency metric. In the simulation the initial energy of each node is set to 3000 units, and transmitting and receiving a data packet consume 10 and 8 units of energy respectively (this ratio follows the observation of [27]). We then compare FBSR with the flooding protocol by network partition time. Figure 6 presents the results: FBSR survives approximately twice as long as flooding before the network is partitioned, which shows that our feedback mechanism is energy efficient. To demonstrate the threshold mechanism of the energy evaluation function, we vary the threshold over 0, 0.1 and 0.5 (threshold = 0 is the case of complete energy awareness). The normalized network partition time in Figure 7 indicates that the threshold does help to prolong the network lifetime, which validates our intuition about energy efficiency.

Keyed-OWHC. To allow for more code reuse, we take the CBC-MAC of the RC5 block cipher as our one way hash function F1 (i.e., F1(k) = CBC-MAC(k, 1)), as F2, and as the MAC algorithm used to authenticate messages. Each value in the Keyed-OWHC is 128 bits.
The fast implementation of the RC5 CBC-MAC on TinyOS [28] reported in SPINS [16] takes 1.28 ms to process a 16 byte message. Recall that Keyed-OWHC requires neither delayed key disclosure nor delayed authentication; on average three MAC computations are needed to authenticate one message (approximately 3.84 ms), much less than in µTESLA (17.8 ms). Keyed-OWHC costs the same as µTESLA in the key setup process, because the second level of keys is derived from the first level only when they are used to authenticate messages. A comparison between Keyed-OWHC and µTESLA is shown in Table II.

[Fig. 7 not reproduced: normalized network partition time versus number of nodes (100 to 700) for threshold = 0.0, 0.1 and 0.5.]

Fig. 7. Network lifetime varied with node number under different threshold values.

TABLE II
PERFORMANCE COMPARISON BETWEEN KEYED-OWHC AND µTESLA

                           Keyed-OWHC    µTESLA
Key setup                  3.92 ms       3.92 ms
Authenticate one message   3.84 ms       17.8 ms
Time synchronization       None          Loose
Delayed authentication     None          Must

VI. CONCLUSION AND FUTURE WORK

In this paper, a Feedback based Secure Routing protocol (FBSR) is proposed for adaptable and defendable routing in wireless sensor networks. We present the Keyed One Way Hash Chain (Keyed-OWHC) to authenticate feedback from neighbors, and use statistical detection at the base station to discover potentially compromised nodes, making FBSR resilient to existing routing attacks.

ACKNOWLEDGMENT

This work is part of Project No. 60673182 supported by the National Natural Science Foundation of China. A preliminary version of this paper appeared in the Proceedings of the 2006 IEEE International Workshop on Pervasive Computing and Ad hoc Communication (PCAC'06) [29]. The authors would like to thank the anonymous reviewers for their valuable advice.

REFERENCES

[1] S. Biswas and R. Morris, "ExOR: opportunistic routing in multi-hop wireless networks," in Proceedings of the Annual Conference of the ACM Special Interest Group on Data Communication (SIGCOMM'05), August 2005.
[2] M. Zorzi and R. R. Rao, "Geographic random forwarding (GeRaF) for ad hoc and sensor networks: Multihop performance," IEEE Transactions on Mobile Computing, vol. 2, no. 4, pp. 337–348, 2003.
[3] M. Zorzi and R. R. Rao, "Geographic random forwarding (GeRaF) for ad hoc and sensor networks: Energy and latency performance," IEEE Transactions on Mobile Computing, vol. 2, no. 4, pp. 349–365, 2003.
[4] B. Blum, T. He, S. Son, and J. Stankovic, "IGF: A state-free robust communication protocol for wireless sensor networks," Technical Report CS-2003-11, University of Virginia, Charlottesville, VA, 2003.
[5] F. Hu and N. K. Sharma, "Security considerations in ad hoc sensor networks," Elsevier Ad Hoc Networks Journal, vol. 3.
[6] J. P. Walters, Z. Liang, W. Shi, and V. Chaudhary, "Wireless sensor network security: A survey," book chapter in Security in Distributed, Grid, and Pervasive Computing, Y. Xiao (Ed.), CRC Press, 2007.
[7] C. Karlof and D. Wagner, "Secure routing in wireless sensor networks: attacks and countermeasures," Elsevier Ad Hoc Networks Journal, Special Issue on Sensor Network Applications and Protocols, September 2003.
[8] D. Zhu, M. Gritter, and D. Cheriton, "Feedback based routing," in Proceedings of the ACM Workshop on Hot Topics in Networks (HotNets-I), ACM, October 2003.
[9] J. Boleng and T. Camp, "Adaptive location aided mobile ad hoc network," in Proceedings of the 23rd IEEE International Performance, Computing, and Communications Conference, 2004.
[10] T. He, J. A. Stankovic, C. Lu, and T. Abdelzaher, "SPEED: A real-time routing protocol for sensor networks," in Proceedings of the 23rd International Conference on Distributed Computing Systems (ICDCS'03), May 2003.
[11] S. Gupte and M. Singhal, "Secure routing in mobile wireless ad hoc networks," Elsevier Ad Hoc Networks Journal, vol. 1.
[12] M. O. Pervaiz, M. Cardei, and J. Wu, "Routing security in ad hoc wireless networks," book chapter in Network Security, S. Huang, D. MacCallum, and D.-Z. Du (Eds.), Springer, 2006.
[13] Y.-C. Hu, A. Perrig, and D. B. Johnson, "Ariadne: a secure on-demand routing protocol for ad hoc networks," in Proceedings of the 8th ACM International Conference on Mobile Computing and Networking, September 2002.
[14] Y.-C. Hu, D. B. Johnson, and A. Perrig, "SEAD: secure efficient distance vector routing for mobile wireless ad hoc networks," Elsevier Ad Hoc Networks Journal, vol. 1, pp. 175–192, 2003.
[15] K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. M. Belding-Royer, "A secure routing protocol for ad hoc networks," in Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP'02), IEEE Computer Society, November 2002, pp. 78–87.
[16] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar, "SPINS: Security protocols for sensor networks," Wireless Networks, vol. 8, no. 5, pp. 521–534, 2002.
[17] B. Parno, M. Luk, E. Gaustad, and A. Perrig, "Secure sensor network routing: A clean-slate approach," in Proceedings of the 2nd Conference on Future Networking Technologies (CoNEXT'06), ACM, December 2006.
[18] Y. Yu, D. Estrin, and R. Govindan, "Geographical and energy-aware routing: A recursive data dissemination protocol for wireless sensor networks," UCLA Computer Science Department Technical Report UCLA-CSD TR-01-0023, May 2001.
[19] K. Piotrowski, P. Langendoerfer, and S. Peter, "How public key cryptography influences wireless sensor node lifetime," in Proceedings of the ACM Workshop on Security in Ad Hoc and Sensor Networks (SASN'06), ACM, October 2006.
[20] A. D. Wood and J. A. Stankovic, "Denial of service in sensor networks," IEEE Computer Magazine, pp. 54–62, 2002.
[21] A. D. Wood, L. Fang, J. A. Stankovic, and T. He, "SIGF: A family of configurable, secure routing protocols for wireless sensor networks," in Proceedings of the ACM Workshop on Security in Ad Hoc and Sensor Networks (SASN'06), ACM, October 2006.
[22] J. Newsome, E. Shi, D. Song, and A. Perrig, "The Sybil attack in sensor networks: Analysis and defenses," in Proceedings of the IEEE International Conference on Information Processing in Sensor Networks (IPSN 2004), April 2004.
[23] A. Seshadri, M. Luk, A. Perrig, L. van Doorn, and P. Khosla, "SCUBA: Secure code update by attestation in sensor networks," in Proceedings of the ACM Workshop on Wireless Security (WiSe'06), ACM, September 2006.
[24] N. Song, L. Qian, and X. Li, "Wormhole attacks detection in wireless ad hoc networks: A statistical analysis approach," in Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS'05), IEEE Computer Society, 2005.
[25] E. C. H. Ngai, J. Liu, and M. R. Lyu, "On the intruder detection for sinkhole attack in wireless sensor networks," in Proceedings of the IEEE International Conference on Communications (ICC'06), IEEE, 2006.
[26] NS-2. [Online]. Available: http://www.isi.edu/nsnam/ns/
[27] O. Kasten, "Energy consumption," ETH Zurich, Swiss Federal Institute of Technology. [Online]. Available: http://www.inf.ethz.ch/~kasten/research/bathtub/energy_consumption.html
[28] TinyOS. [Online]. Available: http://www.tinyos.net
[29] Z. Cao, J. Hu, Z. Chen, M. Xu, and X. Zhou, "Feedback: Towards dynamic behavior and secure routing for wireless sensor networks," in Proceedings of the IEEE International Workshop on Pervasive Computing and Ad hoc Communication (PCAC'06), IEEE, April 2006.