17-01-2013, 04:49 PM
A Three-Tier Framework for Intruder Information Sharing in Sensor Networks
Abstract
In sensor networks, an intruder (i.e., compromised
node) identified and isolated in one place can be relocated and/or
duplicated to other places to continue attacks; hence, detection
and isolation of the same intruder or its clones may have
to be conducted repeatedly, wasting scarce network resources.
Therefore, once an intruder is identified, it should be known
to all innocent nodes such that the intruder or its clones
can be recognized when appearing elsewhere. However, secure,
efficient and scalable sharing of intruder information remains a
challenging and unsolved problem. To address this problem, we
propose a three-tier framework, consisting of a verifiable intruder
reporting (VIR) scheme, a quorum based caching (QBC) scheme
for efficiently propagating intruder reports to the whole network,
and a collaborative Bloom Filter (CBF) scheme for handling
intruder information locally. Extensive analysis and evaluations
are also conducted to verify the efficiency and scalability of the
proposed framework.
I. INTRODUCTION
Due to unattended deployment environments and the absence
of tamper resistance, sensor networks are vulnerable to various
attacks. In response, schemes have been proposed to
identify intruders (i.e., compromised nodes) misbehaving in
routing [1], localization [2], and other scenarios [3], [4]. Once
an intruder is identified, it is isolated by its detectors. However,
this is inadequate. Nodes other than these detectors should
also be aware of the intruder; otherwise, the intruder can be
relocated or duplicated to other places to continue attacks.
To share intruder information with all sensor nodes, the
detectors may generate and flood intruder reports to the whole
network, directly or through trusted membership servers;
other nodes receive and record the reports to maintain their
knowledge of intruders. This approach, however, has the following
security and performance issues: (I.1) Intruders may forge
false reports to revoke innocent nodes or repeatedly broadcast
false reports to drain network resources; although trusted
membership servers can be used to filter false reports, these
servers may become attractive targets of attacks. (I.2) If the
network scale is large and/or the network needs to operate
for a long time (e.g., the network is deployed for long-term
surveillance in a hostile area) and hence requires a large
number of sensor nodes to be deployed to achieve a long
network lifetime, the potential number of compromised nodes
is also large, which may result in frequent flooding of intruder
information even without fake reports. (I.3) If the number of
intruders is large, maintaining an intruder list in each node may
cause high storage overhead. To the best of our knowledge,
there has not been any secure, efficient and scalable solution
reported in the literature that can deal with all the above issues.
To address the intruder information sharing problem, we
propose three schemes in this paper: (S.1) a verifiable intruder
reporting (VIR) scheme, which generates intruder reports in a
distributed manner so that they are verifiable by any node, and can
prevent malicious nodes from arbitrarily accusing innocent
nodes unless a majority of the neighbors of an innocent
node have been compromised; (S.2) a quorum-based caching
(QBC) scheme, which efficiently propagates intruder information
through caching intruder information in selected nodes
and infrequently updating the information throughout the
network; and (S.3) a collaborative Bloom Filter (CBF) scheme,
which consumes only small storage space at each node and
meanwhile leverages localized collaboration to enable accurate
identification of intruders.
To facilitate the execution of the above three schemes
and also to integrate them together, we further propose a
framework that contains three tiers of interacting entities: a
dedicated membership server (DMS) on the top tier, connecting
to the network occasionally at random places to avoid
being tracked and attacked; a small number of sensor nodes
on the second tier, acting as temporary intruder information
caches (IICs); and other ordinary sensor nodes on the bottom
tier. Extensive analysis and simulations are conducted to
evaluate the efficiency and scalability of the proposed solution.
In the following, Section II presents the system model.
Section III provides an overview of the proposed framework,
which is followed by description, analysis and evaluation of
VIR, CBF and QBC in Sections IV, V, and VI, respectively. Finally,
the paper concludes in Section VII.
II. SYSTEM MODEL
A. Network Assumptions
We consider a sensor network composed of a network
controller and a large number of densely-deployed resource-constrained
sensor nodes. The controller connects to the network
every now and then at arbitrary positions (i.e., it need
not be connected to the network all the time or be at a fixed
place). In addition, the network has the following features: (i)
Each sensor node knows its own location (via GPS based or
non-GPS based localization schemes). (ii) The network needs
to operate for a long time and is composed of static nodes,
mobile sensor nodes, or a mixture of static and mobile sensor
nodes. Mobile sensor nodes may be relocated to respond to
a new task. Static sensor nodes may be deployed every now
and then to maintain a network lifetime that is longer than
the lifetime of a single sensor node. (iii) The network has
a relatively static topology. Normally, there are two cases
that cause a topology change: relocation of mobile sensors
and deployments of new static sensor nodes. However, these
happen infrequently.
B. Security Assumptions
We assume that the controller is trustworthy and cannot
be compromised. Sensor nodes are innocent before they are
deployed, but can be compromised at a certain rate after deployment.
Existing intrusion detection schemes [1], [2] are run
by sensor nodes. Misbehaviors of compromised nodes (interchangeably
called intruders) can be detected by their neighbors,
and the identified intruders can be isolated. The adversary
may relocate identified intruders or their clones to other places.
Furthermore, an intruder is capable of launching the following
attacks. (i) False Accusation: An intruder may falsely accuse an
innocent sensor node. (ii) Fabrication/Dropping Attack: An
intruder may tamper with or drop an intruder report. (iii) Denial-of-service
(DoS) Attack: An intruder may flood the network
with false intruder reports.
III. OVERVIEW OF THE PROPOSED FRAMEWORK
The proposed framework (shown in Fig. 1) is composed of
the following three tiers of entities:
• On the top tier is a dedicated membership server (DMS),
which aggregates and periodically disseminates intruder
information to the whole network. Due to its critical role,
the DMS may become an attractive target of attacks.
Specifically, the adversary may locate the DMS and
then either compromise the DMS directly or block the
communication between the DMS and the rest of the
network. To protect the DMS, it is not connected to the
network all the time. Instead, it goes online every now and
then at different places randomly. This protection makes
it hard for the adversary to trace, attack, or isolate the
DMS.
• On the middle tier are intruder information caches (IICs),
which are a small number of sensor nodes picked from
all sensor nodes in the network. They temporarily cache
new intruder information when the DMS is offline. As
ordinary sensor nodes, they could be compromised by
the adversary. If compromised, the intruder information
cached by these IICs may be removed or modified,
which is addressed in our solution through (i) verifying
intruder information to prevent faking or fabricating, and
(ii) duplicating intruder information to maintain high
availability of the information.
• On the bottom tier are ordinary sensor nodes, which collaboratively
identify intruders and report intruder information
to IICs. Sensor nodes maintain their own intruder
information based on the periodic updates disseminated
by the DMS, and collaboratively determine the legitimacy
of sensor nodes that join their neighborhoods; they may
also query IICs to obtain the latest intruder information when
necessary.
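
The bottom-tier idea of keeping a small Bloom filter per node and letting neighbors decide jointly can be illustrated as follows. This is an added example, not the paper's CBF construction: the per-node salt, the unanimous vote, the filter size and all names and IDs are assumptions made for the illustration.

```python
import hashlib

class NodeFilter:
    """Small Bloom filter of intruder IDs held by one sensor node (hypothetical)."""
    def __init__(self, node_id, m_bits=64, k_hashes=2):
        self.node_id, self.m, self.k = node_id, m_bits, k_hashes
        self.bits = 0  # m-bit array packed into one integer (8 bytes for m=64)

    def _positions(self, some_id):
        # Assumption: salting with node_id gives every node different bit
        # positions, so false positives at different nodes rarely coincide.
        for i in range(self.k):
            seed = f"{self.node_id}|{i}|{some_id}".encode()
            d = hashlib.sha256(seed).digest()
            yield int.from_bytes(d[:4], "big") % self.m

    def add(self, intruder_id):
        for p in self._positions(intruder_id):
            self.bits |= 1 << p

    def maybe_intruder(self, candidate_id):
        return all((self.bits >> p) & 1 for p in self._positions(candidate_id))


def neighborhood_verdict(filters, candidate_id):
    """Flag the candidate only if every neighbor's filter matches.
    A Bloom filter has no false negatives, so a listed intruder matches
    everywhere; an innocent node must collide in all filters at once."""
    return all(f.maybe_intruder(candidate_id) for f in filters)


def count_flagged(ids, verdict):
    return sum(1 for n in ids if verdict(n))


def demo():
    intruders = [f"node-{i}" for i in range(20)]          # constructed IDs
    innocents = [f"node-{i}" for i in range(1000, 3000)]  # constructed IDs
    neighbors = [NodeFilter(f"nbr-{j}") for j in range(5)]
    for f in neighbors:
        for i in intruders:
            f.add(i)
    single = count_flagged(innocents, neighbors[0].maybe_intruder)
    joint = count_flagged(innocents, lambda n: neighborhood_verdict(neighbors, n))
    caught = count_flagged(intruders, lambda n: neighborhood_verdict(neighbors, n))
    return single, joint, caught  # innocents flagged alone / jointly, intruders caught
```

With deliberately tiny 64-bit filters, a single node wrongly flags a noticeable share of innocent IDs, while the joint verdict of five neighbors flags almost none and still catches every listed intruder.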