Sensor networks hold the promise to accomplish missions in hostile environments that are not feasible to accomplish with any other system architecture. Consisting of hundreds to thousands of expendable computing nodes, a sensor network is capable of tolerating the loss of a significant portion of its nodes. The requirement that sensor nodes be expendable necessitates the use of low-cost hardware. Consequently, applications with security requirements must be carefully designed in order to circumvent the heavy performance requirements associated with traditional security techniques.
In this work, we consider the design and performance of distributed sensor network algorithms that are designed to tolerate insider attacks, wherein individual nodes are compromised. When used in conjunction with cryptographic techniques specifically crafted for low capability hardware, we find that sensor networks can be designed to a high level of robustness against attack, despite limited security of individual sensor nodes. In this work we present three such algorithms: secure localization, use of secure clusterhead election to prevent energy attacks, and detection of cloned nodes.
Localization is the process by which sensor nodes determine their physical location in the network based on receipt of position information from beacon nodes. Existing localization approaches are characterized by a lack of any security mechanisms or an inability to tolerate the compromise of beacon nodes. We address these shortcomings with our Secure Localization with Attack Tolerance (SLAT) protocol. In SLAT, message authentication is used to prevent maliciously forged beacon messages, while localization is designed to tolerate compromised beacon nodes. The degree to which a compromised beacon node can adversely affect non-beacon node location estimates is inversely proportional to the deviation from its actual distance. Through simulation, we have found that even large numbers of malicious beacon nodes have minimal effect. For instance, we show that compromising 40 out of 200 nodes only increases average localization error from 3 meters to 5 meters.
The ability of sensor nodes to enter a low-power sleep mode is very useful for extending network longevity. We show how adversary nodes can exploit clustering algorithms to ensure their selection as cluster heads for the purpose of launching attacks that prevent victim nodes from sleeping. We present two such attacks: the barrage attack and the sleep deprivation attack. The barrage attack bombards victim nodes with legitimate requests, whereas the sleep deprivation attack makes requests of victim nodes only as often as is necessary to keep the victims awake. We show that while the barrage attack causes its victims to spend slightly more energy, it is more easily detected and requires more effort on the part of the attacker. Thus, we have focused our research on the sleep deprivation attack. Our analysis indicates that this attack can nullify any energy savings obtained by allowing sensor nodes to enter sleep mode. We also analyze three separate methods for mitigating this attack: the random vote scheme, the round robin scheme, and the hash-based scheme. We have evaluated these schemes based upon their ability to reduce the effectiveness of the adversary's attack, the amount of time required to select a cluster head, and the amount of energy required to perform each scheme. We have found that of the three clustering methods analyzed, the hash-based scheme is the best at mitigating the sleep deprivation attack.
Efficient key management in sensor networks is a major research issue. Random key predistribution security schemes are well-suited for use in sensor networks due to their low overhead. However, the security of a network using predistributed keys can be compromised by cloning attacks. In this attack an adversary breaks into a sensor node, reprograms it, and inserts several copies of it into the sensor network. Cloning gives the adversary an easy way to build an army of malicious nodes that can be used to cripple the sensor network. We provide two methods for detecting the presence of cloning, given that the network uses a random key predistribution scheme. The first technique is a proof of concept which we have used to illustrate that the distribution of keys can be used to detect the presence of cloning. This method is based on Receiver Operating Characteristic (ROC) graphs, which are a general-purpose methodology used to evaluate detection schemes. The second technique is a detection algorithm, based upon hypothesis testing, which a sensor network could utilize to determine the presence of cloning. We have shown that our hypothesis testing method is an accurate and robust mechanism to detect the presence of clones.
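As an added, constructed illustration (not the thesis's algorithm or code), the Python below shows why the key distribution exposes clones under random key predistribution and how a detection threshold is calibrated ROC-style. It assumes an observer such as a base station can learn which key ids each node holds, and uses a simple z-test on the most-replicated key as the hypothesis test; the pool size, ring size, network size and clone count are arbitrary constructed parameters.

```python
import random
from collections import Counter
from math import sqrt

def predistribute(n_nodes, pool_size, ring_size, rng):
    # Random key predistribution: each node draws ring_size distinct key ids
    # from a pool of pool_size keys before deployment.
    return [frozenset(rng.sample(range(pool_size), ring_size)) for _ in range(n_nodes)]

def clone_attack(rings, n_clones):
    # The attack described above: one captured node is reprogrammed and
    # n_clones copies of it are inserted, each carrying the identical key ring.
    return rings + [rings[0]] * n_clones

def key_counts(rings):
    # Number of nodes holding each key id: the observable key distribution.
    return Counter(k for ring in rings for k in ring)

def cloning_zscore(rings, pool_size, ring_size):
    # Test statistic: how far the most-replicated key's count lies above its
    # no-clone expectation. Under H0 (no clones) each key is held by a node
    # independently with p = ring_size / pool_size, so its count is
    # Binomial(n, p). Clones add the same excess to every key of one ring.
    n, p = len(rings), ring_size / pool_size
    mean, sd = n * p, sqrt(n * p * (1 - p))
    top = max(key_counts(rings).values(), default=0)
    return (top - mean) / sd

def clones_detected(rings, pool_size, ring_size, threshold):
    # Reject H0 when the statistic exceeds the chosen threshold.
    return cloning_zscore(rings, pool_size, ring_size) > threshold

def detection_rates(n_nodes, n_clones, threshold, pool_size=1000, ring_size=50, trials=30):
    # Empirical false-positive rate (honest network) and true-positive rate
    # (n_clones inserted) at one threshold: one point of an ROC curve.
    fp = tp = 0
    for seed in range(trials):
        honest = predistribute(n_nodes, pool_size, ring_size, random.Random(seed))
        fp += clones_detected(honest, pool_size, ring_size, threshold)
        tp += clones_detected(clone_attack(honest, n_clones), pool_size, ring_size, threshold)
    return fp / trials, tp / trials

if __name__ == "__main__":
    for thr in (3.0, 5.0, 7.0):
        print(f"threshold {thr}: (false-positive rate, detection rate) = {detection_rates(200, 20, thr)}")
```

Sweeping the threshold traces the ROC curve: a low threshold flags almost every honest network, while a high one keeps false alarms near zero yet still catches 20 clones, because the cloned ring lifts all of its keys far above the binomial tail.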