Secure In-Network Aggregation for Wireless Sensor Networks Bo Sun Department of Computer Science Lamar University Research Supported by Texas Advanced Research Program under Grant 003581-0006-2006
Outline of Presentation Introduction and Motivation Assumptions and Network Model Local Detection Challenges Extended Kalman Filter based Monitoring CUSUM GLR based Monitoring Collaboration between Intrusion Detection Module (IDM) and System Monitoring Module (SMM) Performance Evaluation Conclusions and Future work
Introduction and Motivation
Wireless Sensor Networks (WSNs) Many simple nodes with sensors deployed throughout an environment Sensing + CPU +Radio = Thousands of Potential Applications
Why do we need Aggregation in WSNs? Example Query: What is the maximum temperature in area A between 10am and 11am? Redundancy in the event data Solution: Combine the data coming from different sources Eliminate redundancy Minimize the number of transmissions 2 1 3 4 5 Individual sensor readings of limit use Information redundancy Forwarding raw information too expensive Scarce energy Scarce bandwidth
Secure In-Network Aggregation Problem
Observation There is very little work that aims at addressing secure in-network aggregation problem from the intrusion detection perspective Our Work We set up the normal range of the neighbor’s future transmitted values We propose the integration between System Monitoring Modules and Intrusion Detection Modules
Intrusion Detection Systems (IDSs) Goal: Highly secured Information Systems Why do we need IDSs? Security has become one of the main concerns when we deploy information systems in reality. Intrusion prevention measures, such as encryption and authentication, can be used in ad-hoc networks to reduce intrusions, but cannot eliminate them. For example, encryption and authentication cannot defend against compromised mobile nodes, especially the internal or insider attackers, which often carry the private keys. The history of security research has taught us a valuable lesson { no matter how many intrusion prevention measures are inserted in a network, there are always some weak links that one could exploit to break in. What is intrusion? Intrusion detection. Layered mechanism Security has become one of the main concerns when we deploy MANET in reality. Our goal is to construct highly secured MANET. Intrusion detection presents a second wall of defense and is necessary in a highly-survivable network. Intrusion detection is not introduced to replace the prevention-based techniques such as authentication and access control. Instead, it is intended to be used along with the existing security measures. This is my research focus. As we can see, another layer of protection is intrusion tolerance, that is, the tolerance of security policy violation. Based on this model, an attack can only be successful if the corresponding vulnerability exists and no additional precautions have been taken to prevent the security policy violation.
Intrusion Detection Systems Intrusions in an information system are the activities that violate the security policy of the information system, and intrusion detection is the process to identify intrusions. Intrusions are any set of actions that try to compromise the integrity, confidentiality, availability of the system. Analysis of the behaviors of users and applications for evidence of malicious activities Intrusion detection is a security technology that attempts to identify individuals who are trying to break into and misuse a system without authorization and those who have legitimate access to the system but are abusing their privileges An intrusion detection system (IDS) is a computer system that dynamically monitors the system and user actions in the network and computer systems in order to detect the intrusions. First, we have the detection engine, here different detection techniques can be deployed. which send probes to and collect audit information describe the events that occur on the system. Intrusion detection system needs to have a database to store the long term information related to the technique used to detect intrusions (a knowledge base of attacks, for example) and configuration information describe the current state of the system. Intrusion response can be used to minimize the attack damages, gather evidence for prosecution, or even launch counter attacks.
Challenges It is difficult to achieve the real aggregated values High packet loss rate Individual sensor readings are subject to environmental noise Uncertainty of the aggregation function Sensor nodes suffer from stringent resources
Challenges
Assumptions and Network Models
Assumptions The majority of nodes around some unusual events are not compromised Falsified data inserted by compromised nodes are significantly different from real values
Network Models
Local Detection
Kalman Filter A set of mathematical equations Recursively estimate the state of a process Time Update: Project the current state estimate ahead of time Measurement Update: Adjust the projected estimate by an actual measurement
Extended Kalman Filter based Monitoring
Extended Kalman Filter based Monitoring – System Dynamic Model Process Model Measurement Model
Extended Kalman Filter based Monitoring – System Equations Time Update State Estimate Equations: Error Project Equations: Measurement Update Kalman Gain Equation: Estimate Update with Measurement: Error Covariance Update Equation:
EKF based Local Detection Algorithm
CUSUM GLR based Location Detection EKF based solution ignores the information given by the entire data sequence EKF based solution is not suitable if an attacker continuously forge values with small deviations Solution Cumulative Summation (CUSUM) Generalized Likelihood Ratio (GLR)
An Example of CUSUM Cumulative sum: Source: D.C. Montgomery (2004).
CUSUM GLR based Location Detection
Collaboration between IDM and SMM to Differentiate Malicious Events from Emergency Events
Performance Evaluation
Simulation Setup Aggregation Function Simulation Performance Metric Average, Sum, Min, and Max Simulation Different packet loss ratio: 0.1, 0.25, 0.5 D: Attack Intensity The difference between attack data and normal data Performance Metric False Positive Rate Detection Rate
Performance Evaluation – Average of EKF
Performance Evaluation – Average of CUSUM GLR
Performance Evaluation – Sum of EKF
Performance of Evaluation – Sum of CUSUM GLR
Performance Evaluation – Min of EKF
Performance Evaluation – Min of CUSUM GLR
Performance Evaluation – Max of EKF
Performance Evaluation – Max of CUSUM GLR
Related Work Hu and Evans’ secure Aggregation Secure Information Aggregation Secure Hierarchical In-Network Aggregation Secure hop-by-hop data aggregation Topological Constraints based Aggregation Resilient Aggregation
Conclusions and Future Work Extended Kalman Filter based approach can provide an effective local detection algorithm Intrusion Detection Module and System Monitoring Modules should work together to provide intrusion detection capabilities Future Work Large scale test of the proposed approach Further elaboration of interactions between IDM and SMM
Thank You !