Security in Ad hoc and Sensor Networks

Network Security Course Project Report

by Vishal Khandelwal (05305404) Amit Pathak (05305017) Sameera Deshpande (05305801) Sanjeev Suman (05305019) Santosh Kumar (05305003)

under the guidance of Prof. Bernard L. Menezes

Indian Institute of Technology, Bombay Mumbai 2006

Abstract
Due to the recent development in mobile ad hoc networks and sensor networks, they are being used widely. Security in sensor networks has become a important research topic. Inherent properties of these networks like limited resources (like computing power battery power), dynamic topology, wireless vulnerabilities, multi-hop communication pattern, open air environment complicates providing security solution in these networks. These constraints make it hard to extend the existing security solutions to these networks, so new security solutions needs to be devised to overcome the constraints in these networks and still able to provide secure services over insecure network. In this report we study key challenges in providing security and intrusion detection techniques to provide security while considering the constraints in mind.

Contents
1 Introduction 1.1 Sensor and Ad hoc Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2 Applications of Sensor and Ad hoc Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.3 Organization of the report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Key Management 2.1 Key Management in Sensor Network . 2.1.1 Exclusion Basis System . . . . 2.2 Key Management in Ad hoc Networks 2.2.1 Distributed PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1 2 2 3 3 4 4 5 7 7 8 8 8 9 10 11 11 11 11 12 13 15 17 17 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 18 20 21 22 24 27

3 Secure Routing 3.1 Routing in Sensor Networks . . . . . . . . . . . . . . . . . . . 3.1.1 Preventing Routing Attacks . . . . . . . . . . . . . . . 3.2 Routing in Ad hoc network . . . . . . . . . . . . . . . . . . . 3.2.1 Attacks on routing protocol . . . . . . . . . . . . . . . 3.2.2 Secure AODV (SAODV) . . . . . . . . . . . . . . . . . 3.2.3 Authenticated Routing for Ad hoc Networks (ARAN) 4 Intrusion Detection System 4.1 Intrusion Detection in Ad hoc Network . . . . . . . . 4.1.1 Key Challenges . . . . . . . . . . . . . . . . . 4.1.2 Key Requirements . . . . . . . . . . . . . . . 4.1.3 Cooperative Intrusion Detection Architecture 4.2 Intrusion Detection in Wireless Sensor Networks . . 5 Views 6 Conclusions and Future Work Appendices A Appendix A.1 Dynamic key management in sensor networks . . . . A.2 On Demand Pairing Establishment Protocol (OPEP) A.3 Updations in Distributed PKI . . . . . . . . . . . . . A.4 Self Organized Public-Key Management . . . . . . . A.5 Routing protocols in sensor networks . . . . . . . . . A.6 Extensions on IDS in sensor network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

List of Figures
1.1 2.1 2.2 4.1 4.2 A.1 A.2 A.3 A.4 A.5 A.6 An example of Sensor and Ad hoc Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tree based key management structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . An Example of Certicate updation using distributed PKI . . . . . . . . . . . . . . . . . . . . . IDS in ad hoc networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Intrusion detection phases for Sensor network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hierarchical structure of WSN . . . . . . . . . . . . . . . Steps involved in OPEP . . . . . . . . . . . . . . . . . . . OPEP when A and B are not neighbors . . . . . . . . . . Certicate generation and exchange . . . . . . . . . . . . Maximum Degree Algorithm & updated local repositories Authentication using certicate chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 4 5 13 14 19 20 21 23 23 24

ii

Chapter 1

Introduction
1.1 Sensor and Ad hoc Networks

Sensor network is a collection of tiny, low power, low cost, generally mobile devices which monitor the environment in which they are deployed, collect the data, and communicate with each other in order to transmit that data to the base station. Ad hoc network is collection of autonomous devices which communicate with each other by forming peer to peer, multihop wireless network. These network dier from traditional networks and these dierences introduces new security challenges and complicates extending regular security practices to these networks. Some of those properties and their impact on security are listed bellow: 1. These networks have limited resources like computational power, memory, battery power as compared to traditional wired networks. Which means that security should be enforced with very little extra work, forbid using large keys, expensive encryption algorithms, etc. 2. These networks exhibit dynamic topology, though the ad-hoc networks is dynamic mainly due the fact the mobile devices move in and out of the radio range of the network, whereas sensor network exhibits dynamic nature as new nodes can be deployed or old nodes die. This means that we can no more rely on topological information which complicates secure routing and intrusion detection. 3. These networks use multihop communication technique. So, each node acts as a router, which is not the case with traditional network. This complicates secure routing since all nodes in the network can not be trusted. 4. These networks are more prone to physical attacks, as they are established in unattended and insecure environment. 5. These network use wireless medium to communicate which adds up all wireless vulnerabilities. Even though these networks seem very similar, there are subtle dierences. The sensor network have a xed communication pattern where all the sensor nodes forward the data to the base station through intermidiate sensor nodes whereas ad hoc network are truly peer to peer where any two nodes can potentially communicate by forming multi hop network. Also, resource constraints of sensor networks are much higher as compared to ad hoc networks, where nodes are generally mobile phones, laptops, PDAs etc. An example specication of a sensor node could be a 4 MHz 8bit CPU with 128 KB of instruction memory, 4 KB of RAM for data, and 512 KB of ash memory. The CPU consumes 5.5 mA (at 3 volts) when active, and two orders of magnitude less power when sleeping. Communication bandwidth is extremely expensive: each bit transmitted consumes about as much power as executing 8001000 instructions, and as a consequence, any message expansion caused by security mechanisms comes at signicant cost. The various challenges in providing security to these network are: 1

Figure 1.1: An example of Sensor and Ad hoc Network 1. Very limited resources (memory, battery power, computational power, storage) 2. Unreliable communication (transfer, conicts, latency) 3. Unattended operation (physical attacks, remote management)

1.2

Applications of Sensor and Ad hoc Networks

Ad-hoc network is generally used where we cannot establish traditional wired network whereas sensor netwok is used where human intervention is not feasible or costly. The following table presents some of the current applications of these networks. Ad hoc Networks Military Applications Collaborative Computing Disaster Management Multimedia Applications Sensor Networks Military applications Seismic monitoring Chemical Experiment Smart surrounding

Table 1.1: Applications of Sensor and Ad-hoc Networks.

1.3

Organization of the report

In this report, we would be concentrating on the three main aspects in providing security to ad hoc and sensor networks: Key Management, Secure Routing and Intrusion Detection. We rst discuss various key management protocols for sensor and ad hoc networks in chapter 2 and would then move on to analyzing various existing routing protocols, various kinds of attacks on them and possible ways to counter those attacks in chapter 3. In chapter 4 we would look the key challenges in doing intrusion detection in these networks and provide some solutions to overcome those challenges. Our views, issues and possible enhancements on the protocols discussed in chapter 5.

Chapter 2

Key Management
Key management deals with key generation, storage, distribution, updating, revocation and certicate service in accordance with security policies. In this chapter, we will analyze the key management protocols, existing and proposed, and the issues related to key management for Ad hoc and Sensor networks.

2.1

Key Management in Sensor Network

Due to various resource constraints (like limited memory, battery power and computational power,) security techniques used in traditional networks cannot be implemented in these networks. At the same time, the unreliable communication channel and unattended operation makes security defenses in sensor networks very critical. In this section, we will look at the key management techniques used for sensor networks. Key management must take into account following issues: It should dynamically establish and maintain secure communication channel in insecure environment. It must be aware of resource constraints. The eect of attacks should be localized. i.e. even if some sensor node is physically captured, the knowledge of security critical information at that node must not aect security of the whole network. The capturing any node must not reveal secrets of entire network, or substantial part of the network. As sensor network is denser than traditional network, the security technique must be scalable. The key management process can be divided into four basic functions: Analysis: In this phase, the keying requirements are analyzed. The number of keys to be distributed to each node in order to achieve connectivity, and total number of keys in network is determined. Assignment: The parties willing to communicate with each other need same key to share for establishing communication channel. Hence, in this phase, key mapping among dierent parties is done. No keys are generated in this phase but it determines that which parties need to share a key. Generation: The keys are actually generated by some trusted party in this phase. Distribution: The trusted party distributes the generated keys to respective nodes.s Out of these, key analysis can be done statically by some central authority, to decide upon how many keys are needed to be distributed in the entire network. Generally, key assignment is done randomly, which is least expensive solution. So the nodes which can communicate is determined randomly. Hence, we will concentrate on key generation and key distribution methods.

2.1.1

Exclusion Basis System

Sensor network exhibits dynamic topology as new sensor nodes can be deployed or old sensor nodes may die. Hence, there are frequent uctuations in network topology. This dynamic nature must be tolerated gracefully by keying mechanism with minimal system overhead. E xclusion Basis System (EBS) [15] is combinatorial formulation for group key management problem, which establishes secure communication channel between members of the group using some secret key among them and also allow peers to share their own secret keys. Let us see the EBS algorithm in detail. Consider the gure 2.1 shown below. The gure on right gives hierarchical wireless sensor network, with 3 layers. Base station(BS)

Figure 2.1: Tree based key management structure is the central authority controlling the entire network, which is at the top. The second level consists of group leaders or cluster leaders(GLs) which are high power sensor nodes. Finally there are regular sensor nodes which are the part of sensor groups. We can divide the hierarchical structure into 2 parts, the upper part in which base station manages the collection of group leaders and lower part in which the group leader manages the sensor nodes in respective groups. We will see the EBS key management scheme for upper part, and same scheme can be applied at lower part as well. The gure on left explains key distribution. The base station comes up with large set of keys. It selects dierent sets of k random keys from this large key pool and distributes it to each group leader, which is shown as circle. The set of keys known to all group leaders is denoted by K All , which is used by Base Station to broadcast messages to all group leaders. Two group leaders can communicate with each other if and only if there is subset of keys common among those two nodes and any key from that subset is not known to any other group leader. For eg, nodes GL 2 and GLn can communicate with each other using keys represented by set K2,n . The set of keys which are known only to a specic group leader are used as secret key by that GL to communicate with base station. This keying scheme enables to handle problem of node compromisation. So, if some group leader is compromised, the base station uses the keys from large key pool which are not known to the compromised node, to distribute new key sets to remaining group leaders. Extentions to this protocol for handling the dynamic nature of the system is discussed in appendix A.1

2.2

Key Management in Ad hoc Networks

In this section, we would analyze one of the protocols for key management in ad hoc networks. In the following section, we will look at each of these algorithms in detail and other two protocols. One of them is based on symmetric key and other is based on completely distributed certicate authority is discussed in appendix A.2 and A.4

2.2.1

Distributed PKI

In contrast with conventional networks, mobile ad hoc networks usually do not provide online access to trusted authorities or to centralized servers. They exhibit frequent partitioning due to link and node failures and node mobility. Along with these reasons, single Certicate authority can become security bottleneck. Hence, traditional security solutions that require online trusted authorities or certicate repositories are not well-suited 4

for securing ad hoc networks. In this section, we analyze a Distributed PKI algorithm using a distributed Certicate Authority (CA) [21]. To overcome the problem or unreachability of a single CA we might think of having redundant CAs. This may decrease the reachability problem but it will decrease security, because even if a single node is compromised the private key of the CA will be lost. An alternate approach, which is explained below, could be of a distributed CA, i.e., a group of nodes together acting as a CA. 1 As for the initialization part, say we want K CA to be the public key of the CA and KCA to be the private key of the CA. Now, in the ad hoc network, we take k nodes and make them server nodes. Assume they have ids from 1 to k. We take a random k 1 degree polynomial f (x) where

f (x) = (a0 + a1 x + a2 x2 + .. + ak1 xk1 )modp =

1 such that KCA = a0 .

k i=0

ai1 xi1 modp

We then compute a f (i) = Si for each server node i. This Si the share of the private key for ith server node. This is called (k,n) secret sharing technique. Certicate Updation We now see how these server nodes togeather act as a CA 4.1. (Assume that server nodes can securely communicate in between each other). A client C can request any of the server node (say server node 1) to sign its public key Ki . This server node asks other server nodes to compute partial certicates as shown below. Here Li (0) is the Lagranges basic equation.

Certi = (Ki )Sj Li (0) modp xi ) j=i (xi xj ) 1 Server 1 can compute (Ki )Kca , from the partial certicates using the equation. Li (x) =
k j=1 j=i (x

Certi =

k Sj Li (0) modp j=1 (Ki )

= Ki

Pk

j=1

Sj Lj (0)

modp = KiKca

Figure 2.2: An Example of Certicate updation using distributed PKI The algorithm for server share updation and adding new server are explained in the appendix A.3 There are two important points here: 1. No single server at any point of time has the private key of the CA. So until at least k servers get compromised CAs private key cannot be revealed. 2. In case a server node gets compromised or goes down, the remaining server nodes will not be able to act as a CA. To overcome this problem we still take a k 1 degree polynomial, but now we have more than k(say m) server nodes and thus generate m shares. Any k servers out of m servers togeather can act as CA.

Chapter 3

Secure Routing
In this chapter, we will look into a few existing wireless routing protocols and see how they are modied for Ad hoc and sensor networks. We will also look into a few protocols designed specically to work for these networks.

3.1

Routing in Sensor Networks

In this chapter, we will analyze various types of attacks on sensor networks [20] and [8]. Attacks on sensor network can be divided into 2 major classes. 1. mote class the attacker has access to a few sensor nodes with similar capabilities to other sensor nodes. 2. laptop class the attacker may have access to more powerful devices, like laptops or their equivalent. Thus they may have greater battery power, a more capable CPU, a high-power radio transmitter, or a sensitive antenna. The various types of attacks are: 1. Spoofed, altered, or replayed routing information: create routing loops, attract or repel network trac, extend or shorten source routes, generate false error messages, partition the network, increase end-to-end latency, etc. 2. DoS : Jamming (constant, intermittent) 3. Selective forwarding: refusal to forward certain messages and simply drop them, ensuring that they are not propagated any further. 4. Sinkhole attacks: lure nearly all the trac from a particular area through a compromised node, creating a metaphorical sinkhole with the adversary at the center. 5. Sybil attack : a single node presents multiple identities to other nodes in the network. 6. Wormholes: tunnels messages received in one part of the network over a low latency link and replays them in a dierent part. 7. Trac analysis attack : identifying important nodes (e.g. trac near the base station is more). 8. Node replication attack : copying ID of another node. Disturbs trac, leads to protocol failures. 9. HELLO ood attacks: many protocols require nodes to broadcast HELLO packets to announce themselves to their neighbors, and a node receiving such a packet may assume that it is within (normal) radio range of the sender. 10. Acknowledgment spoong: Goals include convincing the sender that a weak link is strong or that a dead or disabled node is alive. Since packets sent along weak or dead links are lost, an adversary can eectively mount a selective forwarding attack using acknowledgment spoong by encouraging the target node to transmit packets on those links. 6

3.1.1

Preventing Routing Attacks

Appendix A.5 discusses various routing protocols and lists the attacks on them. In this section, we look into a few techniques to overcome some of these routing attacks. These are: 1. To overcome DOS attacks (e.g: jamming), the commonly used technique is redundancy. Also, there are some techniques those can be used to identify jammed part of the networks from time to time. 2. To prevent selective forwarding, multipath routing can be used. 3. To prevent sinkhole attacks geographic routing can be used. 4. To prevent Sybil attack, simple link layer encryption and authentication using a globally shared key can be employed. Another solution could be to have every node share a unique symmetric key with a trusted base station. 5. To protect workhole attacks, geographic routing protocols can be used as they are resistant to this attack. Each node could send information such as neighboring nodes and its geographic location (if known) back to a base station. Using this information, the base station(s) can map the topology of the entire network. This information can be updated periodically. 6. For protocols based on clustering, countermeasures such as refusing to use the same cluster-head in consecutive rounds or randomized selection of a clusterhead may be used.

3.2

Routing in Ad hoc network

Due to lack of pre-deployed infrastructure (routers etc.), for routing, ad hoc networks rely on intermediate peers. They route packets by forming a multihop network. Securing routing in ad hoc networks presents challenges because each node in the network is potential router, with limited security and trusted. This, alongwith the usual vulnerability of wireless networks, mobility, resource limitations and other properties of ad hoc networks, discussed in chapter 1.1 complicates providing security during routing. Most of the time, routing in ad hoc network is done in an on demand manner. Whenever a source S wants to communicate to D it broadcast the route request packet RREQ(S,D): mentioning S wants to nd path to D. Now, whenever a node hears this request from its adjacent nodes; it checks if it is intended destination D or not. If not, it updates route request by increasing hopCount or by including its id in the path list and again broadcasts it. Ultimately hop by hop the request reaches the destination D. The destination D, which receives large number of RREQ(S,D) packets, chooses shortest path using hopCount or path eld in the RREQ) packet and uni-cast the RREP to source S along the reverse path. Now S will use this path to communicate D. Two most commonly used protocol which use above mentioned technique include Ad hoc On-Demand Distance Vector Routing (AODV)[12] and Dynamic Source Routing (DSR)[6]. AODV uses hopCount to identify shortest path while DSR appends ids of intermidiate nodes to identify shortest path. These protocols will be described in the later sections.

3.2.1

Attacks on routing protocol

The routing technique just mentioned is vulnerable to various attacks. Here, we group dierent types of attacks into three categories according to the type of attack. Attacks Using Modication In this type of attack, malicious nodes change routing information in the routing protocol packet, aiming to disrupt the routing in the network. Here, we discuss a few of those attack. Modifying route sequence number: Protocol like AODV maintains monotonically increasing destination sequence number(DSN ) for each destination to determine fresh request and reply. When a node receivers RREP for destination D with DSN smaller than the current stored DSN for that destination it 7

rejects this packet assuming it to be older. Taking advantage of this behavior an attacker send a RREP with high DSN making source to ignore all upcoming legitimate RREP. Modifying hopCount: A malicious node decrement the hopCount eld in RREQ to attract more trac through it. Denial of service In case of DSR malicious node changes routing path eld in the routing packet by adding one of the non existing node in the routing path eld and thus causes DOS. Attacks Using Impersonation In this type of attack an attacker impersonates source or destination and sends false RREQ or RREP packets. Such attacks include: Impersonate source, destination. Create loops by impersonating the intermidiate nodes. A single node can tactfully move in and out radio range of other nodes in the network and can create loops by impersonating other nodes. Attacks Using Fabrication In this type of attack, an attacker fabricates false routing messages into the network and disrupts the routing in the network. For example, an attacker can send False route error messages saying that route to D no more exist. This causes other nodes in the network to believe that node D is down and they possibly need to perform route discovery through other nodes. Two nodes X, Y in a network can collaborate to disrupt the routing. For example, a node X in a network tunnels the routing packet through existing route between X and Y. Now Y broadcasts the routing packet. Eectively, the packet goes from X to Y without increasing hopCount! Now let us look at two mechanisms to solve some of these problems.

3.2.2

Secure AODV (SAODV)

SAODV [3] tries to add security to the AODV [12] protocol. AODV routing packet contain source address, destination address, DSN and hopCount as its important elds. These elds can be manipulated by attacker as explained in the section 3.2.1. SAODV is based on the principle that update route information in routing table only if that route information concerns the node that is sending the information. In this way, a malicious node can aect only itself by sending false information about itself. So let us see how this principle is used to secure routing. In general, any routing packet have two types of data: 1. Immutable Information: which should not be changed on the path from source to destination like source address, destination address, DSN. 2. Mutable Information: which should be changed on the path from source to destination according to AODV protocol. The only mutable eld in AODV is hopCount. SAODV uses two dierent mechanisms to secure mutable and immutable elds. Securing Immutable Information SAODV assumes that there is a key management sub-system that makes possible for each node to obtain public keys of the other nodes in the network. To protect immutable information digital signature are used. The sender digitally signs source address, destination address and DSN and when packet reaches the destination it can verify the integrity and authenticity of these elds. Thus these elds are now secured from attacks. Thus receiver creates/changes a route to a node A only if the RREQ or RREP is originated from A. (Immutable elds are signed by A.)

Securing Mutable Information AODV roting packets have only one mutable eld i,e hopCount, which each intermediate node should increment before forwarding. The attacker might decrement it to attract more trac through it. To avoid this SAODV uses hash chains. Every time a node originates a RREQ or a RREP message, it performs the following operations: 1. Generates a random Seed. 2. Sets the MaxHopCount eld to the TimeToLive value from IP header. 3. Sets the Hash eld to the Seed value. 4. Calculates TopHash by hashing Seed MaxHopCount times and sends it along with the packet. To prevent TopHash from changing on the path; it digitally signs it along with other immutable elds. Now, when a node receives a RREQ or RREP message, it performs the following operations: 1. It hashes Hash (MaxHopCount - hopCount) times and veries it equals TopHash. Thus if intermediate node decrement hopCount eld it get caught. 2. Before rebroadcasting a RREQ, it increments hopCount and replaces Hash with hash value of Hash, thus forming a chain of hash. Route Maintenance Whenever a node identies that it can not forward packets to a node to which it earlier had a route, it broadcasts RERR message by digitally signing it. A node receiving RERR message changes its routing table only if sender of RERR the next hop for that route.

3.2.3

Authenticated Routing for Ad hoc Networks (ARAN)

ARAN [16] is based on use of a trusted certicate server, whose public key is known to all the nodes. Each node gets a certicate from such an authority before entering the network. It is based on the assumption that nodes in the network holding a certicate are not malicious so only these node can participate in route discovery as other nodes fully trust their messages. It also assumes that clocks of all the nodes are nearly synchronized. It provides security as follows: Route Discovery 1. To nd a route to destination D, source node S broadcasts RREQ to its neighbors which includes address of D, certicate of S, nonce NS and timestamp t. It then digitally signs this information to protect from changing along the path. The nonce and timestamp are used in conjunction with each other to overcome clock skew and detect replay attacks. 2. Each intermidiate node on the way removes the digital signature and certicate of previous node (except of the source node) puts its certicate and digitally signs new packet and broadcasts. Also note down reverse path to S. 3. When request reaches D it prepares route reply RREP with contents as address of S, certicate of D the same nonce NS and timestamp t sent by S (to match the reply to request). Then signs it and unicast on reverse path to source S. The intermidiate node work similar way and forward the message to S on the reverse path stored in step 2. Route Maintenance Whenever a node identies that it can not forward packets to a node to which it earlier had a route, it sends the RERR message by digitally signing it on all the paths on which the aected node was present. Thus a node receiving RERR message changes its routing table only if sender of RERR the next hop for that route and then inform other nodes in same way. 9

Chapter 4

Intrusion Detection System

4.1 Intrusion Detection in Ad hoc Network

As we know that any system can not be fully secure, we always require IDS, So in this section we will see what are the main challenges for intrusion detection in ad hoc networks and how to tackle those.

4.1.1

Key Challenges

In xed network IDS techniques are fairly standardized but these can not be easily extended to the ad hoc networks because of following challenges: Lack of xed trac concentration points: In xed network most of the trac ows through some xed point like gateway or router where all packets can be monitored for intrusion detection, but as ad hoc network are multihop, there is no such trac concentration point so it forbids using (NIDS). Limitations of Host Based network Intrusion Detection: An alternative way to NIDS is to do intrusion detection at each host, but this approach has many drawbacks, for example, this results in having multiple, single points of failures, also their view of system is very local so can not corelate events happening in dierent parts of the network. Resource constraints: As the devices in the ad hoc network have very low resources, the IDS should work without doing much extra work. For example if we want to use signature based IDS in ad hoc networks then the overhead of storing, updating the signature might be much large and can make such scheme impractical. This also means that even if we opt for HIDS (since there is no concentration point) the individual host might not have enough resources to do full edged HIDS. Dynamism: The anomaly detection techniques create normal model for the network and detect intrusion if current behavior of network is far from normal behavior. Because of dynamism it is hard to dene the normal model for the network so new techniques must be developed and used to do anomaly detection. Wireless communications: Ad hoc network uses the wireless medium and protocols that are susceptible to eavesdropping, jamming, interference, noise, collisions, and many other physical and MAC layer eects. These eects may lead to packet loss and intermittent connectivity. Mobility: Due to mobility, there may not be a clear separation between normalcy and anomaly in wireless ad-hoc networks. A node that sends out false routing information could be the one that has been compromised, or merely the one that is temporarily out of sync due to volatile physical movement.

4.1.2

Key Requirements

Looking at these challenges the IDS should be both distributed and cooperative to suite the needs of wireless ad-hoc networks. We list the two-fold requirements for IDS below.

10

1. Architecture: IDS must have an architecture to overcome the challenges like lack of centrality while considering resource constraints. Architecture should be responsible for making data available, on which dierent intrusion detection techniques can be easily applied. 2. Detection Technique: Using the data provided by the underlying IDS architecture, the models for dierentiating abnormal behavior should be dened which should consider challenges like dynamism, mobility, faults in wireless communication. In this report we concentrate on architecture part which should make available the data on which dierent intrusion detection techniques can be easily applied.

4.1.3

Cooperative Intrusion Detection Architecture

As nodes in the network have local view of the system, a single node on itself can not perform intrusion detection, so nodes in the network needs to cooperate to do intrusion detection considering resource constraints. Architecture Requirements Let us look at some important requirements that an architecture should provide: Ecient services for transferring data from widely distributed sources so that data can be collected, interpreted and correlated locally, regionally, and globally, as appropriate, and exchanged among peers for correlation or traceback. Services for querying data sources for additional related data as needed. Services to support data fusion/integration and data reduction including support for correlating distributed events to a single attack, reconciling conicting data and compensating for possibly bogus data. Services for relaying intrusion detection management and intrusion response directives. Facility to allocate intrusion detection responsibilities dynamically. Organizational model In this section, we will see a dynamic hierarchy based model [18] In this architecture, the nodes in the network are arranged in the virtual hierarchy to facilitate intrusion detection. Such hierarchy is dynamic and can be formed using attribute based clustering [18], where dierent attributes can be used at dierent levels of the hierarchy to select the nodes to work in that level. For example, the nodes near the root are more important and should not be compromised. So, while selecting nodes at such level we should see trustworthiness of nodes.The nodes in the hierarchy are assigned dierent responsibilities based on the position in the hierarchy. Let us see responsibilities of nodes at dierent levels. Responsibilities of leaf nodes Responsibilities of leaf nodes include: The main responsibility of leaf nodes is to collect intrusion detection data by promiscuous monitoring, for example, collect link level statistics like number of packets forwarded to particular neighbor, number of packets received from particular neighbor, collect statistics of routing protocol like number of requests from particular node. Also higher level data collection responsibilities can be given to the leaf node. Do intrusion detection on the data available to it. Leaf nodes are also responsible for consolidating the data and sending it to their parents in the hierarchy. Responsibilities of Clusterhead Nodes The responsibilities of clusterhead nodes include all of the responsibilities of leaf nodes. In addition, they are given following responsibilities: Aggregate and consolidate its own intrusion detection data with data reported by its childrens.

11

 Perform intrusion detection computations on consolidated data. For example, from consolidated link-layer statistics, detect channel hogging and intentional dropping of forwardable data packets. Thus, in short, each node in the network collects data by promiscuous monitoring or from their children and does intrusion detection on that data. Now if it detects intrusion, it sends alert and evidence to their parents to alert them; it also sends directives to their children. Each node also sends consolidated data to their parents otherway parents can also ask for more data to their children. Thus intrusion detection data ows up the tree while the directives ow down the tree. The key principle used is : Intrusion detection and correlation should occur at the lowest level in the hierarchy at which the aggregated data is sucient to enable an accurate detection or correlation decision. This should be opted to reduce detection latency and amount of data transfer. One such dynamic hierarchy is shown in gure: Nodes annotated with a 1 are the representatives of rst level clusters. Arrows pointing to these nodes originate from the other (leaf) nodes in their cluster that report to them. Similarly, arrows from rst level representatives to their second level representative (annotated with a 2), show the composition of one of the second level clusters.

Figure 4.1: IDS in ad hoc networks

4.2

Intrusion Detection in Wireless Sensor Networks

In this section, our goal is to study an intrusion detection system that ts the demand and restrictions of sensor networks. Initially we will see an IDS which is based on the monitoring network statistics obtained from the analysis of events detected by monitor nodes. This is basically a decentralized IDS model which overcomes WSN restrictions. The proposed IDS is based on the observation of the network behavior obtained from the analysis of events detected by a monitor node, i.e, the node that implements the IDS system. Then we will see some issues related to this IDS like, selection of monitor node and delegation of some intrusion detection task to normal sensor node. This model is consists of four types of nodes: common node, monitor, intruder and base station. The common node has sensor and router functions. As a sensor, it collects censoring data, and sends it to the base station. As a router, it retransmits all messages directed to the base station. The monitor is responsible for monitoring its neighbors looking for intruders. By doing this, the node keeps its radio in a promiscuous mode, storing relevant information and processing it according to selected rules. This node also executes the sensor/router functions since it is a common node where an IDS was installed. The intruder node switches between a common node behavior and an intruder behavior. Here base station is only the destination of all data messages. Figure 4.2 shows the architecture of a monitor node. This node runs the common node functions in addition to the IDS functions. The IDS has three modules, which are explained below: Phase 1: Data Acquisition: In this phase, messages monitor node listens messages in promiscuous mode and it lters and stores important information like message header for subsequent analysis. Thus, we use less

12

Figure 4.2: Intrusion detection phases for Sensor network. memory and less processing time, saving energy. This data is stored in an array data structure. Phase 2: Rule Application: In this phase, each entry in the array data structure is evaluated according to a sequence of rules specic to each message type. If a message fails in one of the rules, a failure counter is incremented. At this moment, no other rule will be applied and the message is saved for further analysis. This strategy makes sense since the rst failure already gives us an indication of an abnormal behavior in the network and helps to save the resources. Rules are applied on the data in increasing order of complexity. After being tested against all rules, if all rules fail then the message is discarded. Phase 3: Intrusion Detection: In this phase, the attacks such as data alteration, blackhole, selective forwarding, and jamming are detected by using the failure counts and saved headers for faulty messages. In this model, an attack is raised only if, after number of failures detected by the monitor node in a round are greater than an expected value. The expected value is learned dynamically by the monitor node, using a failure history for each node in its neighborhood. The history updation takes place only if the number of failures for that round is close to the cumulative value kept by the monitor. In this case, the value of the round failure and the previous cumulative value are combined and form a new cumulative value. This technique introduces the idea of a deviation tolerance. Dierent types of rules are discussed in A.5. Also, extensions to this algorithm is discussed in A.6 Selecting Monitor Node: One of important issue in this case is selection of monitor nodes. Dierent attribute aect such selection for example battery power, computation power, number of neighbors, network topology,etc. Only a certain subset of nodes that cover all communications in the sensor network should work as monitor node. How this task is done depends on the underlying architecture of the sensor network. There are two basic architectures that specify how the sensors route the information over the network and how sensors group themselves. These two architectures are called hierarchical and at. In hierarchical congurations, sensors are grouped into clusters. One of the members of the cluster behaves as server, or cluster head, which can be more powerful than the other nodes. On the other side, in at congurations, information is routed sensor by sensor (every sensor of the network participates in the routing protocol), and almost all sensors have the same computational capabilities and constraints In hierarchical architectures cluster head can work as monitor node, because the combination of all cluster heads covers (in most cases) the entire sensor network. Consequently, total network coverage is assured. This approach helps to preserve the overall energy of the system because cluster heads are either more powerful than other nodes or are rotated periodically and all messages reach base station through group leaders.

13

Chapter 5

Views
In this chapter, we present our views on the various protocols we studied, their strengths and weaknesses, along with possibilities of enhancements. Key Management in Sensor network In EBS scheme, the size of key pool must be large. This increases individual key size, which results in large computation and large storage area. If we limit the key size to a smaller value then requirement of computational power and storage area will be less, but at the cost of security of messages and scalability of the network. Even if a single node is compromized, we require to transmit large number of messages to carry out whole rekeying process. Moreover we have to generate new key pool every time the node is compromized. Let each node hold k keys. If this k is of nearly same size as pool size M, then the number of messages to be transmitted across the network, for redistributing new keys will be relatively small. (M k is maximum number of messages transmitted for new key distribution.) But in such case, small set of compromized nodes can reveal the whole key pool, which is secret of the network. In contrast, if k is small, then number of messages to be transmitted, becomes very large, which results in large battery power consumption. Key Management in Ad hoc network 1. The distributed PKI based algorithm (Section 2.2.1): It is very secure, fault tolerant and provides security until k 1 nodes are not compromized. It provides facility for adding/deleting servers without aecting security. Even if some existing server is compromized it can do no more than signing in wrong way in which case user can easily verify using public key of CA that generated certicate is false. Requires very little extra processing for generating certicate but nodes must have enough resources to use public key cryptography in order to use these certicates. Protocol assumes that there is an authority that initially empowers the servers and that some nodes behave a servers and also some nodes have dierent task. It is not clear how these distinction are kept when power in the nodes decrease. 2. OPEP algorithm(Section A.2): It consumes very less resources for sharing secret keys. It trusts intermidiate nodes which can easily break the scheme by man in middle kind of attacks. So for long distant nodes setting up a key, trusting upon all intermediate nodes does not seem practical. Lot of keys may need to be be stored in case of large network, thus may not be scalable. 3. Self Organized Public-Key Management Algorithm:(Section A.4) It is on demand, fully decentralized and no initialization is required. 14

 This algorithm requires lots of message transfer in order to keep the certicates updated. So consumes lots of resources. It also rely on some trust on the neighboring nodes which can hamper the security. Every node virtually stores the complete certicate graph, with doesnt seem practical. It is based on PKI so computationally expensive. elliptic curve based cryptography techniques can be used as they are computationally less expensive. Secure Routing in Ad hoc networks After studying SAODV and ARAN protocols we come up with following pros and cons of each. ARAN require signing at each hop so, nding route takes time while SAODV requires verifying integrity of hopCount which require hashing large number of times on each hop; but such hashing are suitable only if network radius is small. ARAN includes certicates in routing messages and requires Certicate Authority while SAODV requires key distribution mechanism above routing protocol, but since such KDC may not be always reachable due to mobility, nodes may have to know public keys of other nodes beforehand making addition of nodes to network dicult. Both SAODV and ARAN can not overcome attacks like tunneling attacks. ARANs assumption that all node with certicate are authentic makes protocol less secure because a node can easily captured or compromised in the ad hoc network. While SAODV requires no such assumption since route to a node A is changed only if the route is sent by A itself. ARAN and some other protocol like Ariadne [4] requires clocks to be synchronized which is hard to maintain since lack of centrality. On the other hand, SAODV use DSN which can be updated easily. For making the protocol secure, both these protocol lose eciency; ARAN increases messages size with digital signatures and also requires signing at each hop, while in SAODV, even if intermidiate node on route discovery path have route to the destination they can not reply to route request; as this reply must come digitally signed from destination. Intrusion Detection in Ad hoc Network Section 4.1.3 provides a good architecture to do IDS although some issues needs to be resolved. This is just an architecture and its eciency will depend upon the implementation of IDS, eg, in some cases it may not be possible to aggregate the data and will require sending large amount of data. As nodes up in the the hierarchy are more important, if they get compromised whole system may collapse. [18] suggest that attribute level clustering can be used where probability of compromise can be one of the factor, but details are missing. We think that various trust management techniques can be used to build the trust about nodes in the network and then use this trust to select the nodes. Also all nodes participate in the intrusion detection process so does the malicious node and can send bad data or incorrect directives. So some mechanism is needed to lter out the such data may be using statistical properties of data, data from other nodes in the network. IDS in Sensor network If there are dedicated monitor nodes, which carry out task of monitoring the trac and detecting intruders as well as perform the work of general nodes, then they will get easily exhausted. Monitor node is the bottleneck in the security of wireless sensor network. If monitor node is compromised then the whole security of that part of network is compromized. Determining the threshold values are the key of these IDS algorithms. This is very tough because every network dier from each other and the dynamic nature of these networks increases this problem exponentially. In IDS where we transfer some intrusion detection task to all nodes, some nodes can be compromized and can be used for generation of large false positives which results in some unnoticed intruder attacks. 15

Chapter 6

Conclusions and Future Work

Key Management Key management is important because security of various protocols like routing protocols, transport layer protocol and various application highly rely on being able to securely communicate using secure keys. for ad hoc networks, we saw some mechanisms for key management based on symmetric key, distributed PKI and (k,n) secret sharing. The algorithm based on (k,n) secret sharing are highly secure and security is guaranteed until some xed number of nodes are compromised. But these algorithms can only be used if nodes in the network have enough power to support the calculations, for example, if network consist of laptops, PDAs, etc. If nodes have relatively less power, for example nodes are mobile phones then, we have to use symmetric key cryptography. But the algorithms for managing secret keys rely either on secure out-of-band channel or they trust some of the nodes in the network. These trusted nodes single handedly can carry out man in middle kind of attacks and hamper the security. So these algorithms are not much secure. Routing For ad hoc networks, we saw two protocols SAODV and ARAN which extends already existing roting protocols in ad hoc networks to make them secure. The secure routing problem in such networks isnt well modeled. A more complete model of possible attacks would let protocol designers develop and evaluate the security of their routing protocol. Another problem is designing ecient routing protocols that have both strong security and high network performance. Although researchers have designed security extensions for several existing protocols, many of these extensions remove important performance optimizations. For sensor network, due to resource constraints, general routing protocols are not possible which require storing large amount of data. Also attacks such as Sybil attacks etc are hard to handle. Moreover, laptops attacks can severely jam the system while mote attacks are hard to detect. IDS Intrusion detection in MANETs is challenging because these inherent properties of networks such as dynamic topology, lack concentration points, intermittent connectivity,etc. Ad hoc networks are truly distributed system and to do intrusion detection we must co-relate the events happening in the dierent parts of the network but as no single node in the network have global view of system we need an architecture which allows the nodes in the network to collaborate to do global intrusion detection. Such architecture should be ecient in terms of resource utilization and scalable and dynamic. We have seen one such dynamic hierarchy based architecture. It provides mechanism to co-relate intrusion detection data from the dierent parts of the networks but some issues remain unanswered. What complicate this issue is that there is no central authority to assign these responsibilities moreover ad hoc network being ad hoc such responsibilities needs assigned dynamically. For sensor, again, very limited recourses complicates this problem. So we need to apply simple rules and do limited collaboration in terms of data exchange to do the intrusion detection. One thing, which helps in sensor network is that mostly they are centrally administrated by some authority so it eases the task of applying serious security policies.

16

Appendix A

Appendix
A.1 Dynamic key management in sensor networks

Dynamic key management schemes change keys periodically, on demand or on detection of node capture. The major advantages of dynamic keying over static keying are: enhanced network survivability : Any captured key(s) is replaced in a timely manner in a process known as rekeying. secure network scaling : Addition of new sensor node in the network does not increase probability of key capture, which is the case with static keying as it uses xed pool of keys. The main problem in dynamic key management is designing ecient rekeying mechanism. The period of refreshing the keys must be optimal, i.e. it should not be too large, which may increase possibility of key capture, as well as it should not be too less, which will exhaust the sensor nodes. The LOcalized Combinatorial Keying (LOCK) scheme discussed in [10] uses EBS (refer section 2.1). In LOCK, no pre-deployment information is assumed. We can divide the hierarchical structure into 2 layers, the upper layer in which base station manages the collection of cluster leaders and lower layer in which the cluster leader manages the sensor nodes in that cluster. The upper layer uses EBS algorithm discussed in section 2.1 to generate keys EBS b to carry out administrative tasks like redistributing new keys to cluster leader, to enable communication among dierent cluster leaders. We assume that there are nb cluster leaders in sensor network, k b is number of keys stored at cluster leaders and mb is number of messages the base station multicasts in order to remove one of cluster leaders. Similarly, at lower layer each cluster leader CL i uses keys EBSCLi to establish communication among sensor nodes in its cluster. The LOCK scheme can be divided into 2 phases, namely, Initialization and Key distribution. Lets discuss these phases in detail. Initialization phase: Pre-deployment Initialization : 1. Base station generates chain of backup keys (one key for each sensor node in cluster) for each cluster. 2. Similarly base station shares secret key with each cluster leader. 3. Each sensor node in the cluster shares secret key with cluster leader. 4. The sensor nodes and cluster leaders are deployed in the region where the monitoring task is to be performed. Post-deployment Initialization : 1. Cluster leaders register with the base station. (using pre-deployment key.) 2. Base station comes up with kb + mb keys. 3. Base station assigns kb keys to each cluster leader. 17

Figure A.1: Hierarchical structure of WSN 4. Sensor nodes register with their cluster leader. (using pre-deployment key.) 5. Each cluster leader comes up with k cli + mcli keys. 6. Cluster leader assigns kcli keys to each sensor node. 7. The cluster leaders announce Key generation nodes (KGNs) in respective cluster. Key Distribution phase: In case of node capture : Sensor node or key generation node capture : 1. Key generation node generates new keys and distribute them to sensor nodes. 2. New backup keys are generated. Cluster node capture : 1. Base station generates new administrative keys, and back up keys. 2. Distributes these keys to other cluster leaders using m b keys not known to compromised cluster leader. 3. Deploys or assigns new cluster leader. 4. communicates with sensor nodes to give ID of new cluster leader using backup keys. 5. New sensor node then comes up with new k cli + mcli keys. 6. New Key generation nodes (KGNs) are announced. 7. KGNs assign kcli keys to each sensor node. In case of periodic refreshing : 1. Base station updates EBSb and redistributes new keys using previously established keys. 2. KGNs generate and update their EBS CLi and redistribute new keys to sensor nodes in respective clusters.

18

A.2

On Demand Pairing Establishment Protocol (OPEP)

In this section we look into a symmetric key based key establishment Protocol for Ad hoc networks [9]. The protocol designed for Wireless Personnel Area Networks (WPANs), enables two nodes in an ad hoc network to establish a pairwise key. It is assumed that the base protocol is an on demand MANET routing protocol. Suppose node A and node B want to establish a symmetric key between then there can be 2 cases. 1. A and B are neighbors 2. A and B have some intermediate nodes between them. We explain here the rst case as the second case is just an extension of this case. A and B are neighbors The algorithm runs in 2 phases. The rst phase takes place over a Out Of Band (OOB) channel. This is short range communication through blue-tooth or infrared technology and is assumed to be secure. The steps involved are (This is also illustrated in the gure A.3):

Figure A.2: Steps involved in OPEP A generates a Dee-Hellman secret a and sends the hashed value of g a , (h(ga )) to be over the out of band channel, along with its ID (IDA ), to B. Similarly, B generates a Dee-Hellman secret b and sends the hashed value of g b , (h(gb )) to be over the OOB channel, along with its ID (ID B ), to A. This ends the phase 1. Now, the phase 2 can take place using an insecure wireless channel. What happens here is that: A send its ID (IDA ) to B along with ga . When B receives them, to check they are correct, B take hash of ga and check it with the h(ga ) it received in phase 1. If they match, B computes the shared key K ab B picks a Nonce (Nb ). It takes this nonce along with its ID and Hash value of ga and encrypts it with the shared key and sends it to A. It also sends its ID and its DH key along with it. 19

 When A receives it, it does the same. check whether g a is correct, generates Ka b and retrieves the nonce. It then send this nonce along with its own nonce N a and its ID encrypted with the shared key to B. B check whether the Nonce (Nb ) is correct, and then sends Na back to A to complete phase 2 of the protocol. After this both nodes compute the shared pairwise-key as HMAC (Hashed Message authentication code). This is the nal key they use to communicate. HM AC = h((k + opad)||h((k + ipad)||m)) A and B are not neighbors In this section, we will see how we can extend the algorithms explained in the previous section for the case when A and B are not neighbors. A path is found between A and B such that all the intermediate nodes have pair wise key as shown in the gure. So, this path is assumed to be secure and thus acts as the OOB channel between A and B as was shown in the phase 1 earlier. Phase 2 is then similar.

Figure A.3: OPEP when A and B are not neighbors The protocol ensures that this node cannot process the packet or forward it unless it shares a secret key with the last node forwarding the REQUEST, otherwise the packet is dropped. If an end-to-end path with the required security attributes can be found, a suitably modied REPLY is sent from an intermediate node or the eventual destination. OPEP is able to nd a route with a guarantee of security and key pairing between the nodes. If one or more routes that satisfy the required security attributes exist, OPEP will behave like any on-demand routing protocol and will nd the shortest secure route. If all the nodes on the shortest path (in terms of hop count) between two nodes can satisfy the security requirements, OPEP will nd optimal routes. However, if the ad hoc network does not have a path with nodes that meet desired security requirements, OPEP may fail to nd a route even if the network is connected, at which time, OPEP initiates the pairing mechanism between the source node and the intermediate node. There are three things are to be noted here: 1. Kab is the long term shared key between A and B and can be used to change the pairwise key 2. Phase 1 and phase 2 need not be carried out togeather, Phase 1 can takes place much earlier than phase 2. 3. Key generation is On Demand. So key between two nodes are not created unless required.

A.3

Updations in Distributed PKI

In this section we will see how the server share can be updated time to time to make algorithm more secure and how to add new server nodes. Easily adding a new server node eciently is important since ad hoc networks are highly dynamic and requires this facility. Server Share Updation
k1 Each server i randomly selects a k 1 degree polynomial g i (x) = d=1 (bd,1 , xd )modp. Here gi (0) = 0. Each server performs the process same as in the initialization phase to distribute shares of its polynomial to other servers. Every server computes the new share by taking summation of all the shares, old and new. Note that private key of the CA is still the same.

20

Handling New Server Lets assume the id of new server is r. Each server i randomly selects a k 1 degree polynomial such that gi (r) = 0 and gi (0) = 0. Each server performs the process same as in the initialization phase, to distribute shares of its polynomial to other servers. This time the old servers do not update their shares but still compute summation of all the shares, old and new, separately. This newly computed temporary shares are sent to the new node r. Now r can create a polynomial (as its has k shares) which is dierent from the original polynomial, but with same value at r as the original polynomial.

A.4

Self Organized Public-Key Management

In this section, we analyze a fully self-organized public-key management system that allows users to generate their public/private key pairs, to issue certicates, and to perform authentication regardless of the network partitions and without any centralized services or require any special nodes for the purpose. The main problem of any public-key based security system is to make each users public key available to others in such a way that its authenticity is veriable. More precisely, two users willing to authenticate each other are likely to have access only to a subset of nodes of the network (possibly those in their geographic neighborhood). Each node maintains two local certicate repositories: the nonupdated certicate repository, containing the certicates that the node does not keep updated, and the updated certicate repository, containing a subset of certicates that the node keeps updated. This means that the node requests the updates for the certicates contained in its updated repository from their issuers, when or before they expire. In this model, the public keys and the certicates of the system are represented as a directed graph G(V, E) where V and E stand for the set of vertices and the set of edges, respectively. This is called the certicate graph. The vertices of the certicate graph represent public keys and the edges represent certicates. More precisely, there is a directed edge from vertex K u to vertex Kw if there is a certicate signed with the private key of u that binds Kw to an identity. Initialization The steps involved during the initialization phase are: 1. Key Generation This is the generation of public/private key pair, done by the user locally. 2. Issue Certicate to neighbors If a user u believes that a given public key K v belongs to a given user v, then u can issue a public-key certicate in which K v is bound to v by the signature of u. Certicates are issued with a limited validity period T V , and each certicate contains its issuing and expiration times. Therefore, each user holds in her local repository only the certicates that she issued and the certicates that other users issued to her. 3. Certicate Exchange Certicate set are exchanged with the neighbors and stored in non-updated certicate set (GN ). This is a lowcost mechanism that allows nodes to share and distribute certicates u that they issue and hold. This continues even after initialization. 4. Transfer some certicates to updated certicate set (G u ) Node u applies the Maximum Degree algorithm on GN , which results in Gu . While executing the algorithm, u checks, by communicating with u its issuers, the validity of each certicate that it stores in G u . The Maximum Degree algorithm selects a subgraph that consists of two logically distinct parts: an out-bound and an in-bound subgraph. More precisely, the subgraph consists of several vertex-disjoint out-bound and vertex-disjoint inbound paths (the subgraph that is built resembles a star). The selection of the edges and their terminating or originating vertices, in each round of the algorithm, is based on their degree. More precisely, in each step, vertices that have the highest degree are selected. Therefore, only local knowledge (the neighbors degrees) is necessary for the nodes to perform the Maximum Degree algorithm. An example of an out-bound subgraph constructed with the Maximum Degree algorithm is shown in A.5.

21

Figure A.4: Certicate generation and exchange

Figure A.5: Maximum Degree Algorithm & updated local repositories An overall virtual certicate graph G(V, E) is thus created with paths indicating reachability. It contains only valid certicates. Authentication The authentication is performed in the following way: When a user u wants to verify the authenticity of the publickey Kv of another user v, u tries to nd a directed path from K u to Kv in Gu Gv . The certicates on this path are then used by u to authenticate K v . An example of a certicate graph with updated local repositories of the users is shown on A.6. If there is no path from Ku to Kv in Gu Gv , u tries to nd a path from Ku to Kv in Gu GN . If such a u path is found, u updates the expired certicates, checks their correctness and performs authentication. If there is no path from Ku to Kv in Gu GN , u fails to authenticate Kv . u Certicate Revocation In the explicit revocation scheme, to revoke a certicate that she issued, the user issues an explicit revocation statement. Due to the way the nodes construct their updated repositories, each node has a list of nodes that request updates for the certicates that it issued. Therefore, when the user revokes a certicate, it does not need to send the revocation to all nodes, but only to the nodes that regularly update it. The implicit revocation scheme is based on the expiration time of the certicates. Specically, each certicate is implicitly revoked after its expiration time. 22

Figure A.6: Authentication using certicate chain Key revocation is based on the same scheme as for certicate revocation: If a user believes that her private key has been compromised, she revokes its corresponding public key by notifying the users that issued certicates to her. These users will then use the certicate revocation mechanisms to revoke the certicates that contain the public key in question. Coping with Misbehaving Users A dishonest user may try to trick other users into believing in a false user-key binding by issuing false certicates. She may issue several types of false certicates. 1. issue a certicate that binds a key K v to a user f instead of to user v 2. issue a certicate that binds user v to a false key K v 3. a malicious user can invent a number of user names and public keys and bind them by appropriate certicates The certicate exchange mechanism allows nodes to gather virtually all certicates from G. This enables nodes to cross-check user-key bindings in certicates that they hold and to detect any inconsistencies (i.e., conicting certicates). Two certicates are considered to be conicting if they contain inconsistent user-key bindings (i.e., if both certicates contain the same username but dierent public-keys, or if they contain the same public-key, but are bound to dierent usernames).

A.5

Routing protocols in sensor networks

In this section, we briey look at the existing and proposed protocols and a summary of attacks against them. 1. TinyOS beaconing: It constructs a breadth rst spanning tree rooted at a base station. Periodically the base station broadcasts a route update. All nodes receiving the update mark the base station as its parent and rebroadcast the update. The algorithm continues recursively. All packets received or 23

generated by a node are forwarded to its parent (until they reach the base station). Relevant attacks against it include: Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO oods, routing loops. 2. Directed diusion: It is a data-centric routing algorithm for drawing information out of a sensor network. Base stations ood interests for named data, setting up gradients within the network designed to draw events (i.e., data matching the interest). Nodes able to satisfy the interest disseminate information along the reverse path of interest propagation. Relevant attacks against it include: Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO oods (claim to be high energy nodes), routing loops. 3. Minimum cost forwarding: It works by constructing a cost eld starting at the base station. The base station has cost zero. Every other node maintains the minimum cost required to reach the base station. Cost can represent any application dependent metric: hop count, energy, latency, loss, etc. Cost values can be calculated through ooding a beacon starting from the base station. As a nodes cost converges to its minimum cost, the node will immediately send out a new advertisement every time its cost is updated. A message initiated by a source contains a cost budget initialized to the calculated minimum cost from the source to the base station. At each hop, the link cost of the hop is subtracted from the budget. The message is broadcast without specifying a specic next hop. A neighboring node hearing the message will forward the message only if the packets remaining cost budget is equal to that nodes own minimum cost.Relevant attacks against it include: Bogus routing information, selective forwarding, sinkholes, wormholes, HELLO oods. 4. Clustering based protocols (LEACH: Low-Energy Adaptive Clustering Hierarchy): Leverages clustering of nodes to eciently disseminate queries and gather sensor readings to and from all nodes in the network LEACH organizes nodes into clusters with one node from each cluster serving as a cluster-head. Nodes rst send sensor readings to their cluster-head, and the cluster-head aggregates, or compresses this data for transmission to a base station. If cluster-head selection is static, those unlucky nodes chosen as cluster-heads would quickly run out of energy and die. LEACH uses randomized rotation of nodes required to be cluster-heads to evenly distribute energy consumption over all nodes in the network. Relevant attacks against it include: Selective forwarding, HELLO oods. Countermeasures such as refusing to use the same cluster-head in consecutive rounds or randomized selection of a clusterhead (rather than strongest received signal strength) but can easily be defeated by a Sybil attack. 5. Geographic routing (GPSR, GEAR): Geographic and Energy Aware Routing (GEAR) and Greedy Perimeter Stateless Routing (GPSR) leverage nodes positions and explicit geographic packet destinations to eciently disseminate queries and route replies. GPSR uses greedy forwarding at each hop, routing each packet to the neighbor closest to the destination. When holes are encountered where greedy forwarding is impossible, GPSR recovers by routing around the perimeter of the void. One drawback of GPSR is that packets along a single ow will always use the same nodes for the routing of each packet, leading to uneven energy consumption. GEAR attempts to remedy this problem by weighting the choice of the next hop by both remaining energy and distance from the target. In this way, the responsibility for routing a ow is more evenly distributed among a set of nodes between the source and base station. Both protocols require location (and energy for GEAR) information to be exchanged between neighbors, although for some xed, well-structured topologies (a grid for example) this may not be necessary. Relevant attacks against them include: Bogus routing information, selective forwarding, Sybil attack. 6. Rumor routing: Rumor routing oers a energy ecient alternative when the high cost of ooding cannot be justied. In rumor routing, when a source observes an event, it sends an agent on a random walk through the network. Agents carry a list of events, the next hop of paths to those events, the corresponding hop counts of those paths, a time to live (TTL) eld, and a list of previously visited nodes and those nodes neighbors (used to help straighten paths and eliminate loops). When an agent arrives at a new node, it informs that node of events it knows of (and the next hop on the path to those events), adds to its event list any events the node might know of, and decrements its TTL. If the TTL is greater than zero, the node probabilistically chooses the agents next hop from its own neighbors minus the 24

previously seen nodes listed in the agent. When a base station wants to disseminate a query, it creates an agent that propagates in a similar way. A route from a base station to a source is established when a query agent arrives at a node previously traversed by a event agent that satises the query. Relevant attacks against it include: Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes: An adversary can mount a denial-of-service attack by removing event information carried by the agent or by refusing to forward agents entirely. Query or event information in agents can also be modied. 7. Energy conserving topology maintenance (SPAN, GAF): It may be dicult to replace the batteries on energy-depleted nodes or even add new ones. A viable solution in such contexts is to initially deploy more sensors than needed, and make use of the additional nodes to extend network lifetime. GAF: nodes are placed into virtual grid squares according to geographic location and expected radio range. Any pair of nodes in adjacent grid squares are able to communicate. Nodes are in one of three states: sleeping, discovery, and active. SPAN: nodes decide whether to sleep or join a backbone of coordinators that attempt to maintain routing delity in the network. Coordinators stay awake continuously while the remaining nodes go into power saving mode and periodically send and receive HELLO messages to determine if they should become a coordinator. A node becomes eligible to become a coordinator if two of its neighbors cannot reach other directly or via one or two coordinators. In order to prevent broadcast storms if multiple nodes discover the need of a coordinator and were simultaneously to announce their intention to become one, each node delays its announcement of becoming a coordinator by a randomized backo. The randomized backo is a function of utility and remaining energy. Utility is a measure of the number of pairs of nodes (among a nodes neighbors) that would become connected if that node were to become a coordinator. The relevant attacks on these protocols include: Bogus routing information, Sybil, HELLO oods. Dierent Rules Since sensor nodes have very less power so challenge is to come up with simpler rules which can be easily applied to do eective intrusion detection. Some of therules are listed below: Interval rule : A failure is raised if the time past between the reception of two consecutive messages is larger or smaller than the allowed limits. Two attacks that will be detected by this rule are the negligence attack, in which the intruder does not send data messages generated by a node, and the exhaustion attack, in which the intruder increments the message sending rate in order to increase the energy consumption of its neighbors. Retransmission rule: Here monitor node checks whether its neighbor is forwarding the messages towards base station By promiscuously monitoring how many messages sent to a neighbor and how many of those are forwarded by it. Two types of attacks that can be detected by this rule are the blackhole and the selective forwarding attack. In both, the intruder suppresses some or all messages that were supposed to be retransmitted, preventing them from reaching their nal destination in the network. Integrity rule: The message payload must be the same along the path from its origin to a destination, considering that in the retransmission process there is no data fusion or aggregation by other sensor nodes. Attacks where the intruder modies the contents of a received message can be detected by this rule. Delay rule: The retransmission of a message by a monitors neighbor must occur before a predened timeout, otherwise, an attack will be detected. Repetition rule: The same message can be retransmitted by the same neighbor only a limited number of times. This rule can detect an attack where the intruder sends the same message repeatedly, thus promoting a denial of service attack.

25

A.6

Extensions on IDS in sensor network

For increasing performance and reducing load on only a few sensor nodes, a load distribution mechanism can be used by dividing these agents must be divided into two parts: The monitor nodes as global agents and regular sensor nodes and local agents. Global agents should watch over the communications of their neighbors. In previous section we saw how monitor node act as a global agent. Here we will see more about local agent. The local agents can do a little additional work to help do intrusion detection and thus take some load o the monitor nodes. They can monitor the local activities and the messages sent and received by itself. This should only be carried out when the sensor is active, and the sensor only manages its own communications. Thus, the overheads imposed on the sensor node are not much. However, not all nodes can perform this operation at the same time, because this operation would require sensors to analyze the contents of all packets in their radio range. Following attack can be detected by sensor nodes(local agent): 1. Attacks against the physical or logical safety of sensor nodes can be discovered if the nodes are able to know whether they are being manipulated or not. Sensor nodes, for example, can detect whether they are being reprogrammed, so they can raise an alarm before allowing the execution of any new code. 2. Since the primary task of the sensor nodes is to analyze environmental data, any adversary can try to inuence this process for his own benet. Nevertheless, all data being read by the nodes come from the real world, and follow certain patterns and limits. Therefore, anomaly detection techniques can be used for monitoring these measurements. For example, if the node is going to be deployed in a static place, any variation in the accelerometer means that the node is being taken by an unknown source, so it will raise an alarm.

26

References
[1] S. Capkun, L. Buttyan, and J. Hubaux. Self-organized public-key management for mobile ad hoc networks, 2002. [2] Ana Paula R. da Silva, Marcelo H. T. Martins, Bruno P. S. Rocha, Antonio A. F. Loureiro, Linnyer B. Ruiz, and Hao Chi Wong. Decentralized intrusion detection in wireless sensor networks. In Q2SWinet 05: Proceedings of the 1st ACM international workshop on Quality of service & security in wireless and mobile networks, pages 1623, New York, NY, USA, 2005. ACM Press. [3] Manel Guerrero Zapata. Secure ad hoc on-demand distance vector (saodv) routing, February 2003. INTERNET-DRAFT draft-guerrero-manet-saodv-05.txt. [4] Y. Hu, A. Perrig, and D. Johnson. Ariadne: A secure on-demand routing protocol for ad hoc networks, 2002. [5] Yih-Chun Hu and Adrian Perrig. A survey of secure wireless ad hoc routing. IEEE Security and Privacy, 2(3):2839, 2004. [6] David B Johnson and David A Maltz. Dynamic source routing in ad hoc wireless networks. In Imielinski and Korth, editors, Mobile Computing, volume 353. Kluwer Academic Publishers, 1996. [7] Oleg Kachirski and Ratan Guha. Eective intrusion detection using multiple sensors in wireless ad hoc networks. In HICSS 03: Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS03) - Track 2, page 57.1, Washington, DC, USA, 2003. IEEE Computer Society. [8] Chris Karlof and David Wagner. Secure routing in wireless sensor networks: Attacks and countermeasures. In First IEEE International Workshop on Sensor Network Protocols and Applications, pages 113127, May 2003. [9] Mounis KHATIB, Khaled MASMOUDI, and Hossam AFIFI. An on-demand key establishment protocol for manets. In AINA 06: Proceedings of the 20th International Conference on Advanced Information Networking and Applications - Volume 2 (AINA06), page 924, Washington, DC, USA, 2006. IEEE Computer Society. [10] Mohamed Moharrum Mohamed Eltoweissy. Dynamic key management in sensor network. In IEEE Communication Magzine-2006. IEEE Computer Society. [11] Anand Patwardhan, Filip Perich, Anupam Joshi, Tim Finin, and Yelena Yesha. Active Collaborations for Trustworthy Data Management in Ad Hoc Networks. In Proceedings of the 2nd IEEE International Conference on Mobile Ad-Hoc and Sensor Systems, Washington, DC, November 2005. IEEE. [12] C. Perkins. Ad hoc on demand distance vector (aodv) routing, 1997. [13] A. Perrig, J. Stankovic, and D. Wagner. Security in wireless sensor networks, 2004. [14] J. Roman, R. Jianying Zhou Lopez. Applying intrusion detection systems to wireless sensor networks. In Consumer Communications and Networking Conference, 2006., 2006. [15] Jr. Samuel T. Redwine. A logic for the exclusion basis system. In HICSS 04: Proceedings of the Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS04) - Track 9, page 90280.1, Washington, DC, USA, 2004. IEEE Computer Society. 27

[16] K. Sanzgiri, B. Dahill, B. Levine, and E. Belding-Royer. A secure routing protocol for ad hoc networks, 2002. [17] RuiYing Du; HuiJuan Tu; Wen Song. An ecient key management scheme for secure sensor networks. In Parallel and Distributed Computing, Applications and Technologies, Dec. 2005. IEEE Computer Society. [18] D. Sterne, P. Balasubramanyam, D. Carman, B. Wilson, R. Talpade, C. Ko, R. Balupari, C-Y. Tseng, T. Bowen, K. Levitt, and J. Rowe. A general cooperative intrusion detection architecture for manets. In IWIA 05: Proceedings of the Third IEEE International Workshop on Information Assurance (IWIA05), pages 5770, Washington, DC, USA, 2005. IEEE Computer Society. [19] D. Sterne, P. Balasubramanyam, D. Carman, B. Wilson, R. Talpade, C. Ko, R. Balupari, C-Y. Tseng, T. Bowen, K. Levitt, and J. Rowe. A general cooperative intrusion detection architecture for manets. In IWIA 05: Proceedings of the Third IEEE International Workshop on Information Assurance (IWIA05), pages 5770, Washington, DC, USA, 2005. IEEE Computer Society. [20] John Paul Walters, Zhengqiang Liang, Weisong Shi, and Vipin Chaudhary. Wireless sensor network security: A survey, 2006. [21] Bing Wu, Jie Wu, Eduardo B. Fernandez, and Spyros Magliveras. Secure and ecient key management in mobile ad hoc networks. In IPDPS 05: Proceedings of the 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS05) - Workshop 17, page 288.1, Washington, DC, USA, 2005. IEEE Computer Society. [22] Manel Guerrero Zapata and N. Asokan. Securing ad hoc routing protocols. In WiSE 02: Proceedings of the 3rd ACM workshop on Wireless security, pages 110, New York, NY, USA, 2002. ACM Press. [23] Yongguang Zhang and Wenke Lee. Intrusion detection in wireless ad-hoc networks. In ACM MobiCom2000, pages 275283, 2000.

28