A Survey of Secure Location Schemes in Wireless Networks /5/21
2/35 Outline Introduction Secure Location Schemes Location Verification Range-independent Scheme (SeRLoc) Base Station Assisted Secure Localization Detect Compromised Beacon Nodes Defeat Non-cryptographic Attacks Summary
3/35 Location & Identity in Wireless Networks Application Location Based Service (LBS) privacy issues Solution: legal framework, k-anonymity, etc. Network Geographical routing, location based access control Physical Layer Location could be used to detect source spoofing attacks (in wireless networks)
4/35 Wireless Sensor Network (WSN) WSN Have mission-critical tasks Sensor nodes: low cost, limited resource, multifunctional Usually has one BS Prone to failure, easy to be compromised Location matters The location of sensors is a critical input to many higher- level networking tasks [5]
5/35 Localization in WSN Techniques: GPS Ultrasound Radio (RF) RSSI, ToA, TDoA, AoA, etc. Usually has Beacon nodes With known locations and sending beacon signals Security issues: Location discovery in hostile environments Attacker could masquerade or compromise beacon nodes, or perform replay attacks
6/35 Threat Model (Internal) dishonest or compromised nodes Can authenticate itself (to other sensor nodes) Report false position (External) malicious nodes Can not authenticate itself (as an honest nodes) Can perform timing attack (delaying or speeding-up) Other attacks PHY-layer attack
7/35 Examples Compromised beacon node Masquerade beacon node Replay attack (locally replay or through wormhole)
8/35 Taxonomy Secure Location w/ beacon nodesw/o beacon nodes Localization: Location Verification Range-independent localization Base Station Assisted Attack Detection: Detect Compromised Beacon Nodes Defeat Non- cryptographic Attacks
9/35 Location Verification (Location-based Access Control) In-region verification Roles: Claimants & Verifiers Method: Distance bounding techniques Upper bound the distance of one device to another (dishonest) device C: I’m at some location l VC R Region of interest [1] N. Sastry, U. Shankar, and D. Wanger, “Secure Verification of Location Claims,” in Proc. ACM Workshop Wireless Security, 2003, pp
10/35 Location Verification (Location-based Access Control). p (prover) A simplified case c: light speed s: sound speed More complex cases: Consider processing/transmission delay, Consider non-uniform regions, Consider multiple verifiers (why sound?) Echo Protocol: (secure, lightweight)
11/35 Distance Enlargement Attacks Distance bounding – vulnerable to distance enlargement attacks but not to distance reduction attacks Propose VM (Verifiable Multi-lateration) Also relies on distance bounding (at least 3 verifiers) [2] S. Capkun and J.-P. Hubaux, “Secure Positioning of Wireless Devices with Application to Sensor Networks,” in Proc. INFOCOM, 2005, vol. 3, pp T: set of verifiers that form triangles around u (claimant) (MMSE: Min. Mean Square Estimate)
12/35 Detection of Distance Enlargement Attack u’ Enlarging db 1 is impossible
13/35 SPINE (Secure Positioning In sensor NEtwork) SPINE: a system for secure positioning of a network of sensors, that is based on VM Possible Attacks: (Attacker-x-y) x: # of compromised nodes (c) y: # of malicious nodes (m)
14/35 SPINE (Secure Positioning In sensor NEtwork) (cont ’ d) Operate in 2 phases: Sensors measure distance bounds to their neighbors Central authority compute sensors’ positions (according to the distance bounds) BDV (Basic Distance Verification) (Verify db(s), then compute positions based on verified db(s)) (Positioning is also based on MMSE)
15/35 SPINE (Secure Positioning In sensor NEtwork) (cont ’ d) Effectiveness: The effectiveness of this system depends on the number of node neighbors (node density) and on the number and the distribution of the reference nodes (verifiers)
16/35 Taxonomy Secure Location w/ beacon nodesw/o beacon nodes Localization: Location Verification Range-independent localization Base Station Assisted Attack Detection: Detect Compromised Beacon Nodes Defeat Non- cryptographic Attacks
17/35 Range-Independent Localization Motivation: Distance measure is vulnerable Do not count on distance measure to infer the sensor location Secure localization ≠ location verification Goal: Decentralized, resource efficiency, robust Contributions: Propose SeRLoc, a range-independent localization scheme Propose security mechanism for SeRLoc Evaluate the performance of SeRLoc [3] L. Lazos and R. Poovendran, “SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks,” in Proc. ACM Workshop Wireless Security, 2004, pp
18/35 SeRLoc Concept: Locators use sectored antennas (with range R) A sensor can identify the region it resides by computing the overlap between all the sectors it resides Then estimates its location at the center of gravity of the overlapping region
19/35 Secure SeRLoc Encryption: To protect the localization information, encrypt all beacons transmitted from locators Sensors and locators share a global symmetric key K 0 Locator ID authentication: Use one-way hash chains to provide locator ID auth. Each sensor has a table containing {ID i, H n (PW i )} of each locator Storage issues
20/35 Threat Analysis Authors analyze (1) wormhole attacks and (2) Sybil attack and compromised sensors Analyze the vulnerabilities of other 3 range- independent localization schemes Dv-hop, Amorphous localization, APIT
21/35 Taxonomy Secure Location w/ beacon nodesw/o beacon nodes Localization: Location Verification Range-independent localization Base Station Assisted Attack Detection: Detect Compromised Beacon Nodes Defeat Non- cryptographic Attacks
22/35 Base Station Assisted Approaches Contribution: New approach, relies on a set of covert base stations Enables secure localization with a broad spectrum of localization techniques (ultrasound, RF, etc) Covert Base Station (CBS): Known position Passively listen to the on-going communication Could be hidden or mobile base station [4] S. Capkun, M. Cagalj, and M. Srivastava, “Secure Localization with Hidden and Mobile Base Stations,” in Proc. INFOCOM, PBSsensor nonce broadcast nonce (PBS: Public Base Station) PBS CBS measure TDoA and compute sensor’s position
23/35 1. Infrastructure-centric Positioning with Hidden Base Stations TDoA: Position a source by finding the intersection of multiple hyperboloids. Pros: does not require communication from BSs and mobile nodes Security analysis: TDoA drawback: using directional antennas, attackers could cheat BSs Δ: tolerant size (also means the size of attacker’s guessing space) T: signal propagation time + node processing time
24/35 2. Node-centric Positioning with Hidden Base Stations Node compute its position, then verified by CBS Node-centric: Attacker might spoofs node’s position and then cheats on the position verification mechanism CBS again verify the reported position by distance measure
25/35 3. Secure Positioning with Mobile Base Stations
26/35 Taxonomy Secure Location w/ beacon nodesw/o beacon nodes Localization: Location Verification Range-independent localization Base Station Assisted Attack Detection: Detect Compromised Beacon Nodes Defeat Non- cryptographic Attacks
27/35 Detecting Malicious Beacon Nodes Motivation: None of previous techniques can work properly when some of the beacon nodes are compromised Goal: Try to detect and remove compromised beacon nodes Ensure correct location discovery Approach: Detect malicious beacon signals Detect replayed beacon signals to avoid false positive Revoke malicious beacon nodes [6] D. Liu, P. Ning, and W. Du, “Detecing Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks,” in Proc. ICDCS, 2005, pp
28/35 Detecting Malicious Beacon Signals Idea: Use beacon node (known location) to detect other beacon nodes Locations of beacon nodes must satisfy the measurements (of their locations) derived from their beacon signals Method: (By request & reply) Note: to mislead the location estimation, the attacker has to make the estimated distance inconsistent with the calculated one.
29/35 Filtering Replayed Beacon Signals (Goal: avoid False Positive) Malicious signal ≠ this node is malicious ! Due to replay attack Replay through a wormhole attack Detect this attack by checking the measured distance and the radio communication range If within the communication range, go to next step (locally replay) Locally replayed beacon signals Detect extra delay by measuring RTT between two neighbors RTT measure in a real setup (does NOT consider the impacts of MAC protocol or any processing delay) Extra delay larger than RTT max (Assumption required) authenticated and unicasted beacon signal !!
30/35 Revoke Malicious Beacon Nodes Use the base station to further remove malicious beacon nodes from the network Each beacon node shares a unique random key with BS Beacon nodes can report the detecting results to BS securely BS evaluates the suspiciousness of each beacon nodes BS Maintains alert counters and report counters This mechanism requires more beacon nodes and incurs more communication overhead
31/35 Taxonomy Secure Location w/ beacon nodesw/o beacon nodes Localization: Location Verification Range-independent localization Base Station Assisted Attack Detection: Detect Compromised Beacon Nodes Defeat Non- cryptographic Attacks
32/35 Focus on Non-cryptographic Attacks Non-cryptographic attacks (physical attacks) Such as signal attenuation and amplification Degrade the performance of localization Algo. Propose a general attack detection model Based on this model, analyze two broad localization approaches (Multi-lateration based & signal strength based) The attack detection mainly depends on statistical significance testing Other test statistics are also discussed Conduct trace driven evaluations Using an network and an (ZigBee) network [5] Y. Chen, W. Trappe, and R. P. Martin, “Attack Detection in Wireless Localization,” in Proc. INFOCOM, 2007.
33/35 Models Linear attack model on RSS Conduct Exp. in two real office buildings Detection model: Statistical significance testing Define test statistic T, null hypothesis H 0, and its acceptance region Ω Metrics: Detection Rate ROC curve
34/35 Reference [1] N. Sastry, U. Shankar, and D. Wanger, “Secure Verification of Location Claims,” in Proc. ACM Workshop Wireless Security, 2003, pp UC Berkeley [2] S. Capkun and J.-P. Hubaux, “Secure Positioning of Wireless Devices with Application to Sensor Networks,” in Proc. INFOCOM, 2005, vol. 3, pp EPFL Switzerland [3] L. Lazos and R. Poovendran, “SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks,” in Proc. ACM Workshop Wireless Security, 2004, pp Univ. of Washington [4] S. Capkun, M. Cagalj, and M. Srivastava, “Secure Localization with Hidden and Mobile Base Stations,” in Proc. INFOCOM, 2006.
35/35 Reference [5] Y. Chen, W. Trappe, and R. P. Martin, “Attack Detection in Wireless Localization,” in Proc. INFOCOM, Rutgers Univ. [6] D. Liu, P. Ning, and W. Du, “Detecing Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks,” in Proc. International Conf. Distributed Computing Systems (ICDCS), 2005, pp NCSU, Syracuse Univ. [7] D. Liu, P. Ning, and W. Du, “Attack-Resistant Location Estimation in Sensor Networks,” in Proc. International Symposium Information Processing Sensor Networks (IPSN), 2005, pp [8] L. Fang, W. Du, and P. Ning, “A Beacon-less Location Discovery Scheme for Wireless Sensor Networks,” in Proc. INFOCOM, [9] W. Du, L. Fang, and P. Ning, “LAD: Localization Anomaly Detection for Wireless Sensor Networks,” in Proc. IEEE International Parallel Distributed Processing Symposium (IPDPS), 2005, pp. 41a-41a.