04-03-2013, 04:34 PM
SET: Detecting node clones in Sensor Networks
SET Detecting.pdf (Size: 448.69 KB / Downloads: 94)
Abstract
Sensor nodes that are deployed in hostile environments
are vulnerable to capture and compromise. An adversary
may obtain private information from these sensors, clone and
intelligently deploy them in the network to launch a variety of
insider attacks. This attack process is broadly termed as a clone
attack. Currently, the defenses against clone attacks are not only
very few, but also suffer from selective interruption of detection and
high overhead (computation and memory). In this paper, we propose
a new effective and efficient scheme, called SET, to detect such
clone attacks. The key idea of SET is to detect clones by computing
set operations (intersection and union) of exclusive subsets in the
network. First, SET securely forms exclusive unit subsets among
one-hop neighbors in the network in a distributed way. This secure
subset formation also provides the authentication of nodes’ subset
membership. SET then employs a tree structure to compute nonoverlapped
set operations and integrates interleaved authentication
to prevent unauthorized falsification of subset information during
forwarding. Randomization is used to further make the exclusive
subset and tree formation unpredictable to an adversary. We show
the reliability and resilience of SET by analyzing the probability
that an adversary may effectively obstruct the set operations.
Performance analysis and simulations also demonstrate that the
proposed scheme is more efficient than existing schemes from both
communication and memory cost standpoints.
INTRODUCTION
Unlike traditional network equipment, sensors have very
limited resources: low processing capability, small memory size,
and limited power supplies. Many sensor networks are selfconfigured
with no centralized control. This enables unattended
sensor deployment into inaccessible and hostile environments.
These environments, however, often make sensors susceptible
to capture and compromise. Once a sensor is compromised,
the information inside is easily accessible. An adversary may
replicate captured sensors and deploy them in the network to
launch a variety of insider attacks. This attack process is broadly
termed as a clone attack.
NETWORK AND THREAT MODEL
Network Model and Assumptions
We deal with a sensor network which consists of a base
station (BS) and a large number of low-end sensors. We model
the wireless sensor network as an undirected graph G = (V,E)
where V and E are a set of nodes and edges, respectively. We
use a unit disk graph model so that there exists an edge between
nodes u and v, (u, v) 2 E, if the Euclidean distance of u and
v satisfies |u − v| 1. We assume that the sensor network is a
connected graph, i.e., there exists a path between any two sensor
nodes.
We assume that the base station has information (e.g., key
materials) of all deployed sensors. Each sensor has a unique key
shared with the base station which can be used for computing
authentication codes or encrypting data to the base station. In
addition, sensors are able to establish a pairwise key with other
peers to support secure peer-to-peer communication. We employ
an id-based pairwise key establishment scheme such as [3], [6],
[8], [15] in which the keying material of a node is bound to
its identity. Thus a node cannot lie about its id to neighbors,
and a node knows the authenticated ids of all its neighbors.
We also assume that a broadcast authentication protocol such
as μTESLA [12] can be used to authenticate packets broadcast
by the base station. We assume that the communication between
the base station and sensors is made reliable by using one of
many retransmission techniques.
Threat Model
We consider a setting in which the capability of the adversary
is bounded such that only a limited number of sensors are
compromised. Compromised nodes are totally in control of the
adversary. An adversary may capture a few sensors, copy the
information into its own sensors, and deploy the clones in places
that are intelligently decided. Since cloned nodes have authenticated
information extracted from the compromised sensors, they
can be involved in network operations and launch various insider
attacks.
Interleaved Authentication on a Subset Tree
An important issue we must address in the tree-based set
operation is the dependability of the set operation results (intersection
and union of subsets) on the tree. A parent collects
its children’s subsets, and computes the intersection and union
of the collected subsets, with its own subset. If the parent is a
corrupted node, it may delete cloned identifiers from the union.
Therefore, the set operations should be verified. To address
this, we leverage the previous work [16] to propose an interleaved
authentication scheme on the tree. During the tree construction, a
SLDR obtains the path information from the root to itself. When
a SLDR sends a report to its parent, it computes a keyed MAC,
such as an HMAC [2], not only for its parent, but also for its
grandparent (interleaved MAC).
Performance of ESMIS algorithm
As a reference point, we used a random MIS algorithm in
which a node is randomly selected from V to join a MIS and
its neighboring nodes are removed from V . This operation is
performed continuously on V until V becomes empty.
We conducted simulations on the ESMIS algorithm and the
random MIS algorithm 50 times to get the average size of the
MIS. The results are shown in Figure 5. The results show that
the ESMIS algorithm creates fewer subsets than the random MIS
algorithm, while it can be executed in a distributed and parallel
way. Since communication cost is proportional to the number
of subsets, we claim that the ESMIS algorithm is appealing due
to its distributed nature and its lower communication overhead,
which we quantify below.
RELATED WORK
In this section, we review the existing research efforts to
combat clone attacks. Capkun et al. [4] proposed a secure
positioning and distance measuring scheme. In particular, they
considered an attack in which cloned nodes appear to be a single
node that is changing location. To address this attack, the base
station uses a unique fingerprint to identify each device. However,
this may not be applicable to communication among peer sensors
since each sensor will be required to keep the unique fingerprint
information of other sensors. If a node is captured and cloned,
it will then have the fingerprints it requires to go undetected.
Zhu et al. [15] proposed a key management protocol for
sensor networks that provides a defense against the clone attack.
The idea is to remove the master key once a sensor established
pairwise keys so that although the adversary may generate clones
of a node and deploy them, the clones cannot establish pairwise
keys with the new neighbors.
A Sybil attack [10] is orthogonal to the clone attack. An
adversary compromises nodes and deduces important information
of different identifiers so that it can make clones to appear as
different nodes. Newsome et al. [10] explored the Sybil attack in
sensor networks and proposed several defenses.
CONCLUSIONS
Considering that sensors may not be equipped with tamperresistant
hardware, it is crucial to provide a detection system
against clone attacks. In this paper, we presented SET, a detection
scheme based on a set model of the sensor network. SET is
composed of four components: formation of exclusive subsets,
authentication of subset covering, distributed set computation on
subset trees, and preservation of reliable set operations on the
tree. The randomization schemes used in SET enable resilient
and efficient detection, while providing distributed load sharing
among nodes in the network.