Robust Range-Independent Localization for Wireless Sensor Networks Radha Poovendran Joint work with Loukas Lazos Network Security Lab University of Washington

2 Motivation Problem Assumptions Approach Solution: SeRLoc Threats and defense Performance High resolution localization: HiRLoc Conclusions Talk Outline

3 Location information is used for Applications-Search & rescue etc. Network Functions-Routing etc. Location estimation Techniques Range-based Absolute p2p distance/angle estimate. Requires hardware/sync. clocks. Range-free No distance or angle measurements Used by Dv-hop, APIT etc. Motivation

4 Secure Localization Problem Localization Problem: Estimate sensor’s location. Threat: An adversary can provide false info  displace the sensor. Secure Localization: Ensure robust location estimation even in the presence of adversaries. Related work: Capkun [Technical Report—SecPos]

5 Network Model Assumptions (1) Two-tier network architecture LocatorSensor Omnidirectional antennas, unknown location, randomly deployed, density ρ s. Directional antennas, known location, randomly deployed, density ρ L. ρ L << ρ s r R

6 Network Model Assumptions (2) Locator deployment: Homogeneous Poisson point process of rate ρ L  Random spatial distribution. Sensor deployment: Random sampling with rate ρ s. LH s : Locators heard at a sensor s

7 Develop range-free location estimation technique that Detects attacks on localization. Allows robust location estimation even in the presence of attacks. We do not attempt to eliminate attacks on other network protocols. Our Approach

8 Our Approach: SeRLoc LocatorSensorROI L1L1 L4L4 L3L3 L2L2 Each locator L i transmits information that defines the sector S i, covered by each transmission. Sensor s defines the region of intersection (ROI), from all locators it hears. s

9 LocatorSensor L1L1 L4L4 L3L3 L 2: (X 2, Y 2 ) LocatorsCoordinatesSlopes L1:L1:(X 1, Y 1 )[θ 1,1, θ 1,2 ] L2:L2:(X 2, Y 2 )[θ 2,1, θ 2,2 ] L3:L3:(X 3, Y 3 )[θ 3,1, θ 3,2 ] L4:L4:(X 4, Y 4 )[θ 4,1, θ 4,2 ] The sensor collects information from all the locators that it can hear. SeRLoc – Step 1: Beacon reception θ 2,2 θ 1,2 (0, 0) Computing the ROI analytically by intersection of conics is EXPENSIVE!  Approximate method.

10 SeRLoc – Step 2: Search area LocatorSensor L1L1 L4L4 L3L3 L2L2 R RR R: Locator’s Range Search Area Define : (X min +R, Y max -R) (X min +R, Y min +R) (X max -R, Y min +R) (X max -R, Y max -R) 2R+X min - X max 1.Sensor knows the rectangular coordinates and places a grid. 2.Every grid point coordinates are known. X min = min { X i i  L } Y min = min { Y i i  L } X max = max { Y i i  L } Y max = max { Y i i  L }

11 ― Sensor holds a Grid Score Table (GST) ― GST is initialized to zero. ― Perform Grid sector test for every point in the grid: ― If C 1 =True and C 2 =True, increase GST score value by one. SeRLoc – Step 3: Grid-sector test LocatorSensor R: Locator’s Range L1L1 g: (x g,y g ) θ 1,2 θ 1,1 R

12 SeRLoc – Step 4: ROI computation SensorSearch Area … … ROI Majority vote: Points with highest score define the ROI. Error is introduced due to discrete computation. We trade Accuracy vs. Complexity.

13 SeRLoc - Security mechanisms Message Encryption : Messages are encrypted by a shared symmetric key. Locator ID authentication : A locator L i has a unique password PW i. PW i is blinded with a one-way hash function H : {0,1}  {0,1} A hash chain is generated by iterative application of H h 0, h 1,…, h n, h 0 =PW i, h 1 =H(PW i ) Preload every sensor with the values H n ( PW i ) of all locators. A sensor can authenticate a locator within its range (one-hop authentication). Locator beacon format: L i : { (X i, Y i ) || (θ i,1, θ i,2 ) || (H n-j (PW i )), j } Ki Locator’s coordinatesSlopes of the sector ID authentication Shared symmetric key Hash index

14 SeRLoc – Wormhole Attack L1L1 L4L4 L3L3 L2L2 L5L5 L8L8 L7L7 L6L6 THREAT MODEL An attacker records beacons in region A Tunnels beacons via wormhole link at region B Replays the beacons. Sensor “hears” locators LH s : {L 1 - L 8 }. No compromise of integrity, authenticity of the communication or crypto protocols. Direct wormhole link allows timely replay of beacons. sensorLocatorAttacker Region B Region A Wormhole link

15 Wormhole attack detection (1) Accept only single message per locator Multiple messages from the same locator are heard due to: – Multi-path effects – Imperfect sectorization – Replay attack sensorLocator AcAc Wormhole link Attacker obstacle

16 Communication range constraint property. Locators heard by a sensor cannot be more than 2 R apart. R : locator-to-sensor communication range. sensorLocator AiAi AjAj Wormhole attack detection (2) Wormhole link Attacker 2R2R LiLi LjLj

17 Probability of wormhole detection The events of a locator being within any region A i, A j, A c are inde- pendent (Regions do not overlap). sensorLocator AiAi AjAj AcAc Wormhole attack detection (3) Wormhole link Attacker 2R2R

18 Wormhole attack detection (4) Probability of wormhole detection L

19 Attach to Closest Locator Algorithm (ACLA) 1.Sensor s  : Broadcasts a nonce η. 2.Locator L i  : Reply with a beacon + the nonce η, encrypted with the pair-wise key K s,Li. 3.Sensor s  : Identify the locator L c with the first authentic reply. 4.Sensor s  : A locator L i belongs to the valid set, only if it overlaps with the sector defined by the beacon of L c. Resolution of location ambiguity L1L1 L4L4 L3L3 L2L2 L5L5 L8L8 L7L7 L6L6 sensorLocator Attacker Region B Region A Wormhole link A sensor needs to distinguish the valid set of locators from the replayed ones.

20 THREAT MODEL The attacker has compromised the globally shared key K 0. The attacker can impersonate any locator not directly heard to the sensor under attack. SeRLoc – Sybil Attack L1L1 L2L2 L3L3 L4L4 Impersonator Attacker can fabricate arbitrary number of beacons. Attacker succeeds in displacing the sensor if more than |LH s | locators can be impersonated.

21 In a successful Sybil attack, a sensor hears at least twice the number of locators. Define a threshold L max as the maximum allowable number of locators heard, such that: Sybil Attack detection – Defense (1) Probability of false alarmProbability of Sybil attack detection Design goal: Given security requirement δ, minimize false alarm probability ε.

22 Sybil Attack detection – Defense (2) Random locator deployment we can derive the L max value: L max /2 L max False Alarm Probability Detection Probability

23 SeRLoc – Compromised entities THREAT MODEL Attacker possess 1.Knowledge of all cryptographic quantities 2.Full control over the behavior of the entity. Compromise of a sensor  reveals the globally shared key K 0. Compromise of a locator  reveals K 0, master key K Li, and the hash chain of the locator. The adversary can launch a Sybil attack from a location closer to the sensor under attack than any locator  Compromise the ACLA algorithm  Displace any sensor.

24 Enhanced location determination algorithm L2L2 L3L3 L4L4 L5L5 L6L6 L1L1 L7L7 L8L8 L9L9 1. The sensor transmits a nonce with his ID and set LH s 2. Locators within r from the sensor relay the nonce. 3. Locators within R reply with a beacon + the nonce. 4. Sensor accepts first L max replies. Attacker has to compromise more than L max /2 locators, AND Replay before authentic replies arrive at s.

25 Simulation setup: ― Random locator distribution with density ρ L. ― Random sensor distribution with density ρ s. Performance evaluation metric: : Sensor location estimation. s i : Sensor actual location. r : Sensor-to-sensor communication range. |S| : Number of sensors. Performance Evaluation

26 Localization Error vs. LH SeRLoc outperforms current schemes for any LH value Satisfactory performance even for very small LH.

27 Localization error vs. antenna sectors Higher number of directional antennas (narrower sectors) reduces LH. More expensive hardware at each locator.

28 Localization error vs. sector error Sector error: Fraction of sectors falsely estimated at each sensor. SeRLoc is resilient against sector error due to the majority vote scheme. Even when 50% of the sectors are falsely estimated, LE < r for LH  6.

29 Localization error vs. GPS error GPS Error ( GPSE ): Error in the locators’ coordinates. For GPSE = 1.8r and LH = 3, LE = 1.1r. DV-hop/Amorphous: LE = 1.1r requires LH = 5 with no GPSE. APIT: LE = 1.1r requires LH = 12 with no GPSE.

30 High Resolution localization - HiRLoc Can we increase the accuracy of the location estimate, while preserving the resilience against attacks? How do we achieve ROI segmentation ? Expensive solution 1.Increase the locator density  More sectors will intersect. 2.Decrease the sector size  Smaller ROI. Inexpensive solution 1.Variation of the antenna orientation. 2.Variation of the communication range. Is it feasible? Yes, if we can further segment the ROI

31 Variation of the antenna orientation Rotate the antenna system by some angle α. Broadcast beacons with the new coordinates. Compute ROI by intersection of all sectors S i (j) over time, j : transmission round Initial ROI estimate L1L1 L2L2 s α α Sector dependence: S i (j) = S(θ i (j), j) Improved ROI

32 Antenna rotation equivalence Rotation Antenna rotation emulates an antenna system with more directional antennas (narrower sectors). L1L1 3-sector antenna L1L1 6-sector antenna

33 Variation of the communication range Reduce the communication range R i (j) via power control. Broadcast beacons with the new R i (j). Compute the intersection of all sectors S i (j). Initial ROI estimate L1L1 L2L2 s Sector dependence: S i (j) = S(R i (j), j) Reduction in communication range Improved ROI

34 Intersecting multiple sectors L1L1 For same angle transmissions θ i (j), j=1..k, but different range R i (j), pick sector with smaller range R min =minR i (j). S 1 (1 ) S 1 (2 ) S 1 (k ) R min R max L1L1 S 1 (k )

35 Computation of the ROI Option 1: 1.Collect S i (j) info j =1..m. 2.Intersect all S i (j) j =1..m to determine the ROI. Option 2: 1.Collect S i (j) for all L i in LH s. 2.At each round j, compute ROI t  ROI(j) = ROI(j-1)  ROI t.

36 Conclusions  Presented a robust range-free localization: SeRLoc  SeRLoc  Robustly computes the location in the presence of attacks  No neighboring sensor information required.  Uses light-weight security mechanisms (hashing, symmetric crypto).  HiRLoc: Achieves high resolution localization with no additional hardware resources, will preserving robustness against threats in WSN.  This work is only the first step.  More research is needed!

37  Thank you for your time!

38  Appendix for Readers

39 HiRLoc – Wormhole attack (1) L1L1 L4L4 L3L3 L2L2 L5L5 L8L8 L7L7 L6L6 Transmissions in every round are done with R max. Sensor hear LH s ={L 1...L 8 } at every antenna rotation. Sensor can determine valid LHs={L 1..L 4 } as in SeRLoc. Use only valid LH s, in ROI computation. Wormhole attack for case 1 HiRLoc security  SeRLoc security Case 1: Antenna Orientation Variation Region B Region A Wormhole link

40 ROI(j) ROI(1) HiRLoc – Wormhole attack (2) L1L1 L4L4 L3L3 L2L2 THREAT MODEL Locators in valid LH s can get out of range, once R i (j) reduced. Attacker can replay transmissions from valid LH s not heard at the sensor. DEFENSE Sensor determines valid LH s based on transmissions with R max. Determine Intersect any future ROI(j), j = 2..m with ROI(1). Case 2: Communication Range Variation Wormhole link

41 HiRLoc – Sybil attack (1) Locators transmit with R max at every antenna rotation. Attacker cannot impersonate locators directly heard to the sensor. Sybil detection as in SeRLoc  |LH s |  L max. If under attack, execute ACLA. Case 1: Antenna Orientation Variation L1L1 L2L2 L3L3 L4L4 Impersonator Sybil attack for case 1 HiRLoc security  SeRLoc security

42 HiRLoc – Sybil attack (2) THREAT Locators in LH s when R max, that get out of range due to reduced Ri(j), can be impersonated. Limiting |LH s |  L max. does not defend against the Sybil attack. DEFENSE Compute the ROI(1) based on R max beacons. Intersect future ROI(1) estimation with ROI(1). The sensor cannot be displaced outside ROI(1) HiRLoc ROI  SeRLoc ROI L1L1 L4L4 L3L3 L2L2 Impersonator Case 2: Communication Range Variation

43 Performance Evaluation (1) SeRLoc vs. HiRLoc – Antenna orientation variation 3-sector antennas used, beamwidth 120 o. Each antenna rotation is by 40 o. LH   % of ROI improvement . After 3 antenna rotations. ROI(3)<0.46 ROI(1)

44 Performance Evaluation (2) SeRLoc vs. HiRLoc – Antenna orientation variation LH = 15. Each antenna rotation is by 2π/3M, M = # of sectors Sectors   % of ROI improvement . After 3 antenna rotations. ROI(3)<0.46 ROI(1)

45 Performance Evaluation (3) SeRLoc vs. HiRLoc – Communication range variation After 3 antenna rotations ROI(3) < 0.58ROI(1) 3-sector antennas used, beamwidth 120 o. Each antenna rotation is by 40 o. LH   % of ROI improvement . For small LH, sectors get out of range with range reduction.

46 Performance Evaluation (4) SeRLoc vs. HiRLoc – Communication range variation LH = 15. Each antenna rotation is by 2π/3M, M = # of sectors Sectors   % of ROI improvement . After 3 antenna rotations. ROI(3)<0.58 ROI(1)

47 Performance Summary  HiRLoc leads to significant improvement over SerLoc even with a small number of antenna rotations and/or communication range variations.  HiRLoc is more effective for small LH and wide antenna sectors, when SeRLoc does not give a high resolution location estimation.  HiRLoc achieves high resolution localization with no additional resources.