
MASARYK UNIVERSITY

FACULTY OF INFORMATICS

Secure Routing Protocols for

Wireless Sensor Networks

MASTER’S THESIS

Bc. Jiří Kůr

Brno, spring 2008


Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references and literature used or excerpted during the elaboration of this work are properly cited and listed in complete reference to the due source.

Advisor: Mgr. Petr Švenda


Acknowledgement

I express my gratitude to Petr Švenda for introducing me to the problems of evolutionary algorithms and for our fruitful discussions. I am grateful to my sister Hanka for the language corrections.


Abstract

In this thesis, we examine the security aspects of wireless sensor networks with emphasis on the security of routing. Several secure routing protocols are reviewed and their security is evaluated. In the second part of the thesis, a concept for automatic attack generation and an introduction to evolutionary algorithms are presented. The usability of the concept was verified using evolutionary algorithms, and several attacks on routing protocols were generated. The impact of the generated attacks is discussed with respect to countermeasures.


Keywords

Wireless Sensor Network, Routing, Security, Evolutionary Algorithms


Contents

1 Introduction
2 Wireless sensor networks
  2.1 Applications
  2.2 Hardware characteristics
  2.3 Security in WSN
    2.3.1 Security goals
    2.3.2 Key management
    2.3.3 Attacker model
3 Secure Routing in WSNs
  3.1 Attacks on routing
    Bogus routing information
    Selective forwarding
    Sinkhole attack
    HELLO flood attack
    Wormhole attack
    Acknowledgement spoofing
    Sybil attack
    Denial of Service
  3.2 Towards secure routing
    3.2.1 µTesla
    3.2.2 ARMS
  3.3 Secure routing protocols
    3.3.1 Secure Implicit Geographic Forwarding
      IGF
      SIGF-0
      SIGF-1
      SIGF-2
    3.3.2 Secure Directed Diffusion
    3.3.3 SeRINS
    3.3.4 A Clean-Slate Approach
4 Introduction to Evolutionary Algorithms
  4.1 Population of individuals and their representation
  4.2 Genetic operators
  4.3 Fitness function and selection operator
5 Automatic design of attack strategy
  5.1 Related work
  5.2 Basic concept
    5.2.1 Elementary rules
    5.2.2 Generation of attack strategy
    5.2.3 Translation
    5.2.4 Strategy execution
    5.2.5 Fitness function evaluation
  5.3 Concept realization via evolutionary algorithms
    5.3.1 Attacker model revised
    5.3.2 Evolutionary algorithms and genome structure
      Triggers
      Instructions
    5.3.3 Network simulator
    5.3.4 Fitness functions
  5.4 Results
    5.4.1 Minimum Cost Forwarding
      Forging beacons
      Selective forwarding
    5.4.2 Implicit Geographic Forwarding
      Rushing attack
      MAC layer jamming
      Neighborhood congestion
    5.4.3 Experience and future work
6 Conclusion
A Example of generated attack strategy


Chapter 1

Introduction

Sensor nodes are tiny, low-cost devices equipped with environment sensors and a radio for wireless communication. These sensor nodes may constitute a network for monitoring physical phenomena; such a network is called a Wireless Sensor Network (WSN). A wireless sensor network consists of a high number (10^2 to 10^6) of sensor nodes and one or a few powerful devices acting as gateways. Wireless sensor networks can be utilized in a broad variety of applications, ranging from battlefield surveillance in the military, through remote patient monitoring in medicine, to forest fire detection in environmental applications. The majority of WSN applications require at least some level of security. In order to achieve the needed level, secure and robust routing is necessary. However, routing protocols for WSNs were not designed with security requirements in mind. Karlof and Wagner [KW03] triggered a revolution in this field by publishing a comprehensive study on the security of routing in wireless sensor networks. They showed that all the protocols of that time were prone to simple attacks. Since then, security of routing has become a hot topic and several secure routing protocols have been proposed.

In this thesis, we aim to review the issue of secure routing in wireless sensor networks. We first introduce the concept of wireless sensor networks and outline their security aspects. In the second chapter, we examine selected secure routing protocols and evaluate their benefits and drawbacks. We also describe common attacks on routing protocols.

The second half of the thesis deals with the problem of the automatic generation of attack strategies and presents our results. We introduce the concept of Evolutionary Algorithms (EA) in chapter 4. In the next chapter, we present our concept for the automatic design of attack strategies. We use this concept to discover attacks on routing algorithms. We summarize the results and outline future work in the conclusion.


Chapter 2

Wireless sensor networks

A Wireless Sensor Network is a heterogeneous network composed of a large number of tiny low-cost devices, denoted as nodes, and a few general-purpose computing devices referred to as base stations. The general purpose of a wireless sensor network is to monitor some physical phenomena (e.g., temperature, barometric pressure, light) inside the area of deployment. The basic units of a WSN are the nodes (sometimes called motes). These nodes are equipped with a communication unit (mostly a radio transceiver), a processing unit, a battery and sensors. Due to the size and expected cost of the nodes, they are constrained in processing power and energy. The number of nodes deployed in a WSN can vary from tens to tens of thousands depending on the particular application. Nodes can be deployed, for example, by precise placement one by one into predefined positions or by dropping them from a plane. Their positions can be static or mobile; networks with nodes in static positions are more common. Nodes have to be autonomous and the network itself has to be self-organizing. Nodes are also prone to failures, thus the topology of the network changes very often. Beside the resource-limited nodes, the wireless sensor network includes one or more base stations (sometimes called sinks). These base stations have more resources and capabilities than the nodes; we assume base stations have laptop-class capabilities. They act as gateways between the sensor network and other networks, e.g. the Internet. They can also coordinate the nodes in some way. In the most common application scheme, the nodes collect measured data and send them to the base stations, which forward them to the consumer.

2.1 Applications

There is a broad variety of applications for wireless sensor networks. These applications can be divided into five categories [ASSC02]: military, environmental, health, home and other commercial applications. In the military, wireless sensor networks can be used for battlefield surveillance, sniper location or to detect chemical or biological attacks. Sensor networks can also be greatly beneficial for the environment. For example, they can detect forest fires or help researchers to monitor animal habits. An important application area is the medical environment, where nodes can collect a patient's physiological data. In commerce, wireless sensor networks can be deployed in car tracking systems or used for securing buildings, temperature regulation in offices, etc.

2.2 Hardware characteristics

Sensor nodes are small, low-cost and battery-supplied devices. Therefore the concept of WSNs is quite challenging. There are two main constraints: the low processing power of the nodes and the capacity of their batteries.

The former constraint directly determines the algorithms we can use. For example, we cannot use asymmetric cryptography or maintain large routing tables. Since the priority in development is to minimize cost, size and power consumption, there is only a small chance of a significant improvement in computational power and memory in the near future.

The latter constraint influences the properties of the used algorithms indirectly. The capacity of the batteries is essential for the node's lifetime. Often it is impossible, or not intended to be possible, to change the batteries. Therefore the lifetime and usability of the network depend on their capacity and on the consumption of the nodes. Energy consumption is closely related to the algorithms implemented. For example, the biggest energy consumer is the radio transceiver, hence communication between nodes is very expensive in terms of a node's energy resources. Efficient algorithms must take this into account.

The batteries are the dominating part of the node in terms of size. The size of the node is thus directly proportional to the capacity of its batteries.

Here are the parameters of a typical present-day sensor node, the TMote Sky [TM006]:

• size: 65 x 32 x 7 mm (excluding battery pack)

• 16-bit RISC processor, 8 MHz clock frequency, 48 KB flash memory, 10 KB RAM

• 1024 KB of external flash memory to store data and code

• radio: RF frequency 2400 MHz, bandwidth 250 kbps; with the internal antenna the outdoor range reaches 125 m, the indoor range up to 50 m

• TinyOS operating system

• 2x AA battery

• lifetime > 1 year using sleep modes

• sensors: temperature, humidity, light

Figure 2.1: TMote Sky sensor node. Figure taken from [TM006]

Contrary to the nodes, the base station is assumed to have laptop capabilities and unlimited energy resources. More on wireless sensor network principles can be found in [ASSC02].

2.3 Security in WSN

The majority of sensor network applications require strong security features. This requirement is obvious in the case of military applications or applications working with sensitive personal data, like health or home applications. However, security is a much demanded property also in commercial applications, where information means a competitive advantage and all assets have to be protected. Environmental applications also need some level of security, at least in terms of robustness against accidental errors and vandalism.

Nodes have two properties which have a critical impact on the security of WSNs, and which are both caused by the small size and low cost of the nodes. First, the nodes are not considered tamper resistant. An attacker with physical access to a node can extract the keys and other sensitive data from it relatively easily. The attacker can then also turn the node into a malicious one by uploading malicious firmware into it. Second, the node is limited in resources; consequently only some security mechanisms can be applied.

Contrary to nodes, the base station is considered tamper-resistant and trusted. It also has much greater capabilities; we suppose it may have laptop capabilities and an unlimited energy supply.

2.3.1 Security goals

The security goals in sensor networks are similar to those in traditional networks. We require confidentiality, integrity, authenticity, freshness, anonymity and availability of service.

Confidentiality, integrity and authentication are traditionally provided by end-to-end mechanisms on the higher layers of the ISO/OSI model, like SSL/TLS or SSH. But sensor networks often require in-network processing of the messages, like data aggregation, to be efficient, and thus the end-to-end approach is not in use. Therefore link-layer security architectures such as TinySec [KSW04] and mechanisms for securing node-to-node communication [PST+02] are of great interest in sensor networks.

Freshness, anonymity and availability of service should be provided by a secure routing protocol. There are several other security features of an ideal secure routing protocol. For example, an attacker should not be able to abuse the routing algorithm to shorten the network's lifetime, nor should he be able to significantly slow down the traffic or increase latency. However, these features are application specific and it is unlikely that a universal secure routing algorithm with all such properties can be designed.

2.3.2 Key management

The poor capabilities of sensor nodes prevent us from massive use of expensive (in terms of computational resources) public key cryptography based on RSA or on the complexity of the discrete logarithm problem. However, some new designs [PLGP06] propose to use public key cryptography based on elliptic curves, which is less computationally complex. They assume that every node contains the public key of a single trusted authority and is able to verify the corresponding digital signature. It is questionable whether public key cryptography will be available in sensor networks in the near future. The primary aim is to miniaturize the node and to decrease its cost, not to increase its processing power. However, there are more and more schemes employing asymmetric cryptography and we feel that its use has an increasing tendency.

Because of the limited processing power, symmetric cryptography is dominant in sensor networks. There are several schemes of key sharing among the nodes and base stations. We will examine the most common of them.

• Single key shared among all nodes: A simple but weak scheme. Compromise of a single node compromises the whole network. This scheme is sometimes used for establishing keys between each pair of neighboring nodes. It assumes that the attacker needs some time to compromise a node; during this time the new keys are established and the globally shared key is erased.

• Every node shares a unique key with the base station: Keys can be inserted into nodes off-line, prior to their deployment. Compromise of a single node compromises only its own key. This is a frequent assumption of security protocols.

• Each pair of neighboring nodes shares a key: Also a common assumption, frequently applied together with the previous scheme. It enables hop-by-hop encryption and in-network processing, therefore it is convenient for sensor networks. However, in most applications keys cannot be preinstalled and must be distributed after deployment. Suppose we deploy the nodes by dropping them from a plane. We do not know which nodes will be neighbors and which not. The neighborhood is established during the deployment process and keys have to be distributed afterwards. This task is nontrivial and requires additional assumptions and a complex key distribution protocol [EG02, PST+02, ZSJ03].

2.3.3 Attacker model

Karlof and Wagner have proposed the following attacker model [KW03], suitable for sensor networks and routing. There are two types of attacker: the mote-class attacker and the laptop-class attacker. A mote-class attacker has one or a few nodes with capabilities similar to a legitimate node. On the other hand, a laptop-class attacker has a powerful device with capabilities comparable to a laptop. He is not energy constrained and can have a more sensitive antenna and a more powerful radio. Another distinction can be made between insider attacks and outsider attacks. Insider attacks involve legitimate participants of the network behaving in a malicious way, whereas outsider attacks are mounted by an outsider who is not part of the network. However, an outsider can eavesdrop on the communication easily due to the broadcast nature of wireless communication.

An attacker can also be modeled with respect to the Needham-Schroeder model [NS78]. Needham and Schroeder assume that "an intruder can interpose a computer on all communication paths, and thus can alter or copy parts of messages, replay messages, or emit false material". This model was extended to the node-compromise model [EG02], which further assumes:

1) keys can be loaded into the nodes in a secure way before the nodes are deployed;

2) the attacker is able to compromise only a fraction of the nodes;

3) the attacker can extract all keys from a compromised node; and

4) the attacker is able to monitor only a fraction of the links during a short time period after the deployment of the nodes.

This means that there is something like a period of protection for nodes after deployment.


Chapter 3

Secure Routing in WSNs

Routing techniques in wireless sensor networks are influenced by two factors. First, they have to deal with hardware and resource constraints. The routing algorithm has to be energy aware, thus it must minimize control information flows and communication. Routing table maintenance is limited by memory capacity. Second, the nature of sensor network applications defines traffic patterns which are different from the traditional ones. In sensor networks, it is not necessary to support communication between any pair of nodes; the dominant traffic is one-to-many (base station multicast), many-to-one (data sent to the base station) and local communication between neighbors. As the resources are limited and the number of nodes is large, a wireless sensor network usually does not support global addressing, which brings high overhead. It often trades on its data-centric character instead and deploys attribute-based addressing. This means the base station sends queries for data with specific properties. However, the routing technique is strongly dependent on the particular application for which the wireless sensor network is used. Each application has different requirements on routing.

Today's routing techniques can be divided into three categories [AKK04] based on the network structure: flat-based, hierarchical-based and location-based routing. In flat-based routed networks, each node plays the same role; due to the large number of nodes, global addressing is not supported and the data-centric approach is used instead. Typical algorithms in this category are Directed Diffusion and Sensor Protocols for Information via Negotiation (SPIN). Hierarchical-based (sometimes called cluster-based) algorithms are used in networks where the nodes are organized into clusters and route the information via special nodes denoted as cluster heads. The main benefit of such routing algorithms is data aggregation, which saves energy and increases efficiency. The typical representative of this category is Low Energy Adaptive Clustering Hierarchy (LEACH). Location-based routing uses the node's location for addressing. The position of a node can be relative to its neighbors or absolute, detected, for example, by GPS. This category includes geographic routing algorithms like Geographic and Energy Aware Routing (GEAR) or Geographic Forwarding (GF).

3.1 Attacks on routing

Since the concept of sensor networks originates from wireless ad-hoc networks, many attacks on wireless ad-hoc networks can be adapted to sensor networks. The Sybil attack is such an example [NSSP04]. Karlof and Wagner [KW03] show other types of attacks and furthermore propose two novel attacks: HELLO floods and sinkholes. Denial of Service attacks on sensor networks are studied by Stankovic and Wood [WS02]. We present a brief summary of the major attack classes here.

Bogus routing information

The basic method to influence routing is to change the routing information. An adversary spoofs, alters or replays routing information. By these methods he can create routing loops, increase latency, extend the paths or attract traffic to a chosen node.

Selective forwarding

Selective forwarding is a variant of the DoS attack. A malicious node forwards only chosen packets and drops the rest. The attacker has to be included in the path of the data flow to mount selective forwarding; to do so, he can use a Sybil attack or a sinkhole attack. The ultimate variant of this attack is called a black hole attack, in which all the packets are dropped. However, a node behaving like a black hole can be easily detected by the neighboring nodes, considered dead and excluded from the routing path. Therefore dropping only some messages may be more beneficial for the attacker.

Sinkhole attack

The goal of the sinkhole attack is to attract as much of the traffic as possible to the malicious node. The principle of this attack is that the malicious node tries to look very attractive to other nodes with respect to the routing algorithm. This goal can be achieved, for example, by spoofing the route advertisement or by providing a high-quality path to the base station using a wormhole attack. A sinkhole can be further used for selective forwarding, which is very efficient and easy in that case.


HELLO flood attack

In some protocols, nodes announce themselves to their neighbors by broadcasting HELLO packets. A node receiving such a packet concludes that the broadcasting node is its neighbor and is within normal radio range. A laptop-class attacker can use a powerful radio to send HELLO packets to nodes which are far more distant from him than the normal radio range. These nodes will send their messages into oblivion, trying to reach a neighbor which is not within their radio range.

Wormhole attack

A wormhole is a low-latency out-of-band channel used to connect two distant parts of the network. The wormhole attack exploits routing race conditions. This means that a message which should normally traverse multiple nodes traverses only a single one and hence is delivered in much less time. The time of delivery can be important for the routing scheme, especially if the influenced message contains routing information.

The attacker can send replayed packets through the wormhole to persuade two distant nodes that they are neighbors. He can, for example, create a wormhole between the base station and a node at the opposite side of the network; thus, instead of multiple hops, the node appears to be only a single hop from the base station. Therefore it becomes a sinkhole for its neighbors, providing a low-latency route to the base station.

Acknowledgement spoofing

Acknowledgement spoofing focuses on algorithms using link-layer acknowledgements. An attacker spoofs these acknowledgements to persuade a node that its dead neighbor is alive or that a weak link is reliable. The impact is similar to selective forwarding: chosen packets are lost with high probability.

Sybil attack

In the Sybil attack, the attacker simulates multiple nodes and advertises multiple identities to the rest of the network. By this, he can cripple even robust multipath routing algorithms, because the bulk of the paths (even all of them) may pass through him. In geographic routing, the attacker's node can be virtually at more locations simultaneously and thus influence the routing algorithm. The Sybil attack in general means a serious threat not only for routing, but also for other algorithms such as voting algorithms or distributed storage.

Denial of Service

Denial of Service represents a more or less general class of attacks that can be mounted on several ISO/OSI layers of a wireless sensor network, including the network layer. Almost all of the above attacks, especially selective forwarding and HELLO floods, can result in denial of service.

3.2 Towards secure routing

The insecurity of routing algorithms is usually caused by missing authentication, freshness and integrity checks of the routing information. This fact is demonstrated by the presented attacks. Spoofing of routing information or acknowledgements is not possible if proper mechanisms ensuring integrity and authenticity are implemented. The Sybil attack becomes more complicated if authentication of nodes is present. Freshness of messages can stop replay attacks.

We present two security concepts proposed for sensor networks in this section. These concepts can be used to secure existing routing protocols or can be taken as security primitives when designing a new protocol. They address the broadcast authentication problem, because broadcast is frequently used to spread routing information across the network.

3.2.1 µTesla

In several routing protocols [HSW+00, YCLZ01, AKK04], the base station periodically broadcasts routing information or advertises itself as a base station. An attacker can forge such broadcast information if it is not properly authenticated. To achieve authenticated broadcast, asymmetric cryptography is traditionally used. However, this approach is not suitable for resource-constrained sensor networks. Therefore, µTesla [PST+02] was designed. It provides an efficient authenticated broadcast based on symmetric cryptography. µTesla is a building block of the security architecture for sensor networks called SPINS (Security Protocols for Sensor Networks) [PST+02]. Another building block is SNEP, which is used to achieve confidentiality, integrity, authentication and freshness.

µTesla exploits the concept of a one-way hash chain. Because this concept is frequently used in secure routing protocols, we describe it in detail. Let us assume that we have a public one-way function F and a random number r. The one-way hash chain of length n is a sequence of n numbers where the last number is r, and the i-th number is obtained by applying F to the (i+1)-th one, for 0 < i < n. Generation of the one-way hash chain thus starts by applying F to r. The key property of this chain is that everyone can compute the i-th item from an arbitrary j-th item, where i < j, but not vice versa. One of the first applications of this chain was Lamport's scheme for one-time password generation [Lam81].

To make use of µTesla, each node has to share a secret key with the base station. There also has to be loose time synchronization between the nodes and the base station. Prior to the actual broadcast, the base station generates a one-way hash chain of length n with a random key Kn as the last element; let us denote this chain as a one-way key chain. Then the derived key K1, the first element of the one-way key chain, is delivered to all nodes in an authenticated (not necessarily confidential) manner using their keys shared with the base station.

Time is divided into uniform intervals; note that we have loose time synchronization. The base station associates each key of the key chain with one interval. Hence in interval i the base station authenticates the packets with a Message Authentication Code (MAC) using key Ki. A node receiving these packets stores them for later authentication. In the following time interval, the base station reveals the key Ki. Receiving nodes use that key to check the authenticity of the packets stored in the previous time interval, and verify the integrity and authenticity of the key itself by applying the one-way function F to it. Note that the nodes already possess a key Kv, where v < i. If the verification of the key succeeds, Kv is replaced by Ki and the packet is considered authentic. In time interval i only packets authenticated by key Ki are accepted. This prevents an attacker from using an already revealed key to spoof packets.
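The one-way key chain defined above and the delayed key disclosure of µTesla, as an added Python example that is not part of the thesis or of SPINS. Assumptions of this example: F is instantiated as SHA-256 and the MAC as HMAC-SHA-256; the commitment delivered to the nodes is indexed K_0 (the thesis calls it the first element K1), so that interval 1 already uses a key nobody but the base station knows; the authenticated delivery of K_0 over the pairwise keys is assumed to have happened. The scenario (a genuine update, a forgery made without the interval key, a replay with an already disclosed key, and a lost key disclosure recovered through the chain) is constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

Packet = Tuple[int, bytes, bytes]  # (interval i, payload, MAC tag)


def F(key: bytes) -> bytes:
    """Public one-way function F of the thesis, instantiated as SHA-256 (assumption)."""
    return hashlib.sha256(key).digest()


def generate_key_chain(n: int, k_n: bytes) -> List[bytes]:
    """One-way key chain K_0, ..., K_n with K_n random and K_i = F(K_{i+1}).
    Index 0 is the commitment handed to the nodes; intervals 1..n use K_1..K_n."""
    chain = [k_n]
    for _ in range(n):
        chain.append(F(chain[-1]))
    chain.reverse()
    return chain


def derive_earlier_key(k_j: bytes, j: int, i: int) -> bytes:
    """The holder of K_j computes K_i (i <= j) by applying F (j - i) times; the
    reverse direction is infeasible, which is the chain's key property."""
    k = k_j
    for _ in range(j - i):
        k = F(k)
    return k


def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()  # HMAC-SHA-256 (assumption)


class BaseStation:
    """Authenticates interval-i packets with K_i and reveals K_i in the next interval."""

    def __init__(self, n: int) -> None:
        self.chain = generate_key_chain(n, os.urandom(32))

    def commitment(self) -> bytes:
        return self.chain[0]  # K_0, delivered authenticated via the pairwise keys (assumed done)

    def key(self, i: int) -> bytes:
        return self.chain[i]

    def send(self, i: int, payload: bytes) -> Packet:
        return (i, payload, mac(self.key(i), payload))

    def disclose(self, i: int) -> Tuple[int, bytes]:
        return (i, self.key(i))


class Node:
    """Buffers packets and authenticates them once the interval key is disclosed."""

    def __init__(self, k_0: bytes) -> None:
        self.v, self.k_v = 0, k_0  # latest verified key K_v
        self.current = 1           # current time interval (loose synchronization)
        self.buffer: Dict[int, List[Tuple[bytes, bytes]]] = {}

    def receive(self, packet: Packet) -> bool:
        i, payload, tag = packet
        if i != self.current:      # packets claiming an already revealed key are dropped
            return False
        self.buffer.setdefault(i, []).append((payload, tag))
        return True

    def tick(self) -> None:
        self.current += 1

    def receive_key(self, i: int, k_i: bytes) -> List[Tuple[int, bytes]]:
        """Accept K_i only if F^(i-v)(K_i) == K_v, then authenticate buffered packets.
        Intervals whose key disclosure was lost (v < j < i) are recovered from K_i."""
        if i <= self.v or derive_earlier_key(k_i, i, self.v) != self.k_v:
            return []              # bogus or stale key: keep K_v
        authentic = []
        for j in range(self.v + 1, i + 1):
            k_j = derive_earlier_key(k_i, i, j)
            for payload, tag in self.buffer.pop(j, []):
                if hmac.compare_digest(mac(k_j, payload), tag):
                    authentic.append((j, payload))
        self.v, self.k_v = i, k_i
        return authentic


def run_exchange() -> dict:
    """Constructed scenario: three intervals, one forgery, one replay, one lost disclosure."""
    bs = BaseStation(n=4)
    node = Node(bs.commitment())
    out = {}
    # Interval 1: a genuine update and a forgery made without K_1 are both buffered for now.
    out["genuine_buffered"] = node.receive(bs.send(1, b"route-update-1"))
    out["forged_buffered"] = node.receive((1, b"bogus-route", mac(b"guess", b"bogus-route")))
    node.tick()                    # interval 2 begins, K_1 may now be revealed
    out["verified_1"] = node.receive_key(*bs.disclose(1))
    # An attacker who learned K_1 from the disclosure reuses it; the packet is stale.
    out["replay_accepted"] = node.receive((1, b"attacker-route", mac(bs.key(1), b"attacker-route")))
    node.receive(bs.send(2, b"route-update-2"))
    node.tick()                    # the disclosure of K_2 is lost in transit here
    node.receive(bs.send(3, b"route-update-3"))
    node.tick()
    # K_3 arrives: F(F(K_3)) == K_1, so intervals 2 and 3 are both authenticated.
    out["verified_2_3"] = node.receive_key(*bs.disclose(3))
    return out
```

The buffering in `Node.receive` is the memory cost the thesis names as the first drawback; `receive_key` shows why a lost disclosure is recoverable (the chain lets the node derive K_2 from K_3) while a bogus key is harmless (it never opens the held commitment K_v).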

µTesla has two drawbacks. The nodes have to keep the messages buffered, because authentication is delayed. This can be a problem because of the limited memory of the nodes. It also delays the propagation of routing information. The second drawback is the need for loose time synchronization.

µTesla can be extended to provide authenticated broadcast not only for base stations but also for nodes. Nevertheless, this model is not needed so often. Nodes usually broadcast messages only to their neighbors and these messages can be authenticated in a more efficient way, as shown in the following subsection.


Figure 3.1: ARMS. The relation between packets. i denotes the actual contents of the packet. Message represents the sequence F(Kn+1)|Kn|i. Figure taken from [LC06b]

3.2.2 ARMS

µTesla aims to authenticate broadcast messages from the base station. Unfortunately, this scheme is not suitable for resource-constrained nodes, which are not able to maintain a long one-way hash chain. Moreover, nodes typically perform only a so-called local broadcast, which means the packets are broadcast only to the neighbors. Authentication of a local broadcast can be achieved in an efficient way using ARMS [LC06b] (An Authenticated Routing Message in Sensor Networks). The ARMS scheme assumes that each pair of neighboring nodes shares a secret key. This assumption is reasonable and can be achieved by several schemes [EG02, PST+02, ZSJ03]. Like µTesla, ARMS trades on the one-way hash chain principle. In contrast to µTesla, the chain is extremely short and periodically renewed.

Prior to the actual broadcast, the sender generates a random key K1. Then he derives the short one-way key chain F(K1), K1, and sends the value F(K1) (the commitment) to all the neighbors using authenticated unicast. A broadcast packet then has the form [F(K2)|K1|i|MAC(K1, message)], where F(K2) is a new commitment, i is the actual authenticated content, message is [F(K2)|K1|i] and MAC(K, m) denotes the MAC of m using key K. Since the receiver knows the previous commitment F(K1), he can immediately verify the authenticity of key K1 and thus the authenticity and integrity of the whole packet. Concurrently, the new commitment F(K2) is established. The relation between subsequent packets is shown in figure 3.1.

Note that if a single message is lost, the phase of authenticated unicast has to be repeated. For this reason, the authors have extended the one-way chain. In the extended scheme, up to two messages can be lost without the need of a restart. Unlike µTesla, we do not require time synchronization, because the broadcast is only local and the messages are delivered at the same time to all nodes. Thus an attacker cannot forge any packet using a just revealed key.

ARMS is very efficient; it requires only 20 additional bytes per message. Memory requirements are also very low (16 bytes for the receiver, 48 bytes for the sender). The only problem can be the generation of random data. The sender has to generate 8 bytes of random data per every two messages. However, this data could be obtained using, for example, a noisy radio channel.
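The commitment, key and MAC framing just described, as an added example rather than the ARMS authors' code. Lengths are picked so that F(K_{n+1}) | K_n | MAC costs the 20 bytes quoted above (8 + 8 + 4); truncated SHA-256 as F, truncated HMAC-SHA256 as the MAC and `os.urandom` as the random source are assumptions. The scenario exercises the basic chain only (not the loss-tolerant extension): three packets verified in turn, a reused key rejected once the commitment has rolled forward, and a lost packet forcing the authenticated-unicast resynchronization the text mentions.

```python
import hashlib
import hmac
import os

# Added example (not from [LC06b]): one ARMS sender and one receiver.
COMMIT_LEN, KEY_LEN, MAC_LEN = 8, 8, 4   # F(K_{n+1}) | K_n | MAC = 8 + 8 + 4 = 20 bytes overhead

def F(key: bytes) -> bytes:
    """One-way function (assumed: SHA-256 truncated to COMMIT_LEN bytes)."""
    return hashlib.sha256(key).digest()[:COMMIT_LEN]

def mac(key: bytes, msg: bytes) -> bytes:
    """MAC (assumed: HMAC-SHA256 truncated to MAC_LEN bytes)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]

class ArmsSender:
    def __init__(self, rng=os.urandom):
        self.rng = rng                  # random bytes are the sender's main cost, as the text notes
        self.next_key = rng(KEY_LEN)    # K_1, still secret

    def commitment(self) -> bytes:
        """F(K_1), delivered to each neighbour over the pairwise authenticated unicast
        channel the scheme assumes (that channel is not modelled here)."""
        return F(self.next_key)

    def broadcast(self, content: bytes) -> bytes:
        """[F(K_{n+1}) | K_n | i | MAC(K_n, F(K_{n+1}) | K_n | i)]"""
        k_n, self.next_key = self.next_key, self.rng(KEY_LEN)   # reveal K_n, draw K_{n+1}
        message = F(self.next_key) + k_n + content
        return message + mac(k_n, message)

class ArmsReceiver:
    def __init__(self, commitment: bytes):
        self.commitment = commitment    # F(K_n) for the key the next packet must reveal

    def receive(self, packet: bytes):
        """Return the authenticated content, or None when the packet is rejected."""
        new_commitment = packet[:COMMIT_LEN]
        k_n = packet[COMMIT_LEN:COMMIT_LEN + KEY_LEN]
        message, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
        if F(k_n) != self.commitment:
            return None                 # not the committed key: forged, or an earlier packet was lost
        if not hmac.compare_digest(tag, mac(k_n, message)):
            return None                 # genuine key but tampered content
        self.commitment = new_commitment   # roll the short chain forward
        return message[COMMIT_LEN + KEY_LEN:]

def run_scenario():
    sender = ArmsSender()
    receiver = ArmsReceiver(sender.commitment())
    delivered = [receiver.receive(sender.broadcast(b"hop-count=3")),
                 receiver.receive(sender.broadcast(b"hop-count=4"))]
    legit = sender.broadcast(b"hop-count=5")
    delivered.append(receiver.receive(legit))
    # Reusing the key just revealed in `legit` fails: the receiver already moved its
    # commitment to F(K_{n+1}), so F(K_n) no longer matches.
    k_old = legit[COMMIT_LEN:COMMIT_LEN + KEY_LEN]
    forged = legit[:COMMIT_LEN] + k_old + b"hop-count=0"
    replay = receiver.receive(forged + mac(k_old, forged))
    # A lost packet breaks the chain: the next packet reveals a key the receiver holds
    # no commitment for, so the authenticated-unicast phase has to be repeated.
    sender.broadcast(b"hop-count=6")                       # lost in transit
    after_loss = receiver.receive(sender.broadcast(b"hop-count=7"))
    receiver = ArmsReceiver(sender.commitment())           # re-sync over authenticated unicast
    resynced = receiver.receive(sender.broadcast(b"hop-count=8"))
    return delivered, replay, after_loss, resynced
```

`run_scenario()` returns the three contents delivered in order, `None` for the replayed packet, `None` for the packet after the loss, and the content delivered after resynchronization. Each packet carries exactly 20 bytes beyond its content.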

3.3 Secure routing protocols

Since Karlof and Wagner [KW03] drew attention to the problem of secure routing in sensor networks, several novel secure routing protocols have been proposed [DHM02, KLP03, LC06a, NC07, PLGP06, WFSH06, WYC04, YM06]. Some of them can be considered completely secure, but some prevent only selected types of attacks. We have also encountered a few protocols that were quite secure, but with assumptions unsuitable for sensor networks. In this section we examine four secure routing protocols in more depth. We have selected protocols which we consider innovative, efficient and secure, and which come up with interesting ideas appropriate for further use.

3.3.1 Secure Implicit Geographic Forwarding

Secure Implicit Geographic Forwarding (SIGF) [WFSH06] is a configurable protocol family for secure routing. It consists of three protocols, which represent three security levels. A higher level inherits the capabilities of the lower ones. SIGF extends Implicit Geographic Routing (IGF) [BHSS03] and thus can be included in the location-based class of algorithms.

IGF

Implicit geographic routing is a stateless hybrid routing/MAC protocol. The next hop is determined at transmission time, during the MAC-layer handshake. IGF is built on an RTS/CTS MAC protocol¹. In IGF, each node is aware of its location. The routing procedure starts when a sender broadcasts an Open Request To Send (Open RTS) with its position S and the destination position D. Nodes located within the 60° sextant centered on the line from S to D are considered candidate nodes. Each of these nodes sets its Clear To Send (CTS) response timer according to its distance from S, its remaining energy and its distance to the center of the sextant. The more suitable the node is for forwarding the message, the shorter the time it sets. When the response timer expires, the node sends a CTS. Then the sender sends it the data. Nodes hearing the CTS cancel their timers.

¹ IGF originally extended the basic 802.11 DCF MAC protocol [IEE99].

The authors of SIGF have presented a security analysis of IGF [WFSH06]. IGF is robust and fault tolerant. It is safe against altering or spoofing routing information, because none is sent. Furthermore, neither HELLO floods nor wormhole attacks have much effect: no routing tables are kept and routing is dynamic and independent of any routing information exchange. But the Sybil attack, selective forwarding and DoS remain a threat for IGF. In a Sybil attack, a single-node attacker can create multiple virtual nodes around the sending node and thus increase the chance of being chosen. This attack can result in selective forwarding or a black hole. A simple but very effective attack is the so-called rushing attack. A malicious node ignores the CTS response timer and sends the CTS immediately. On the other hand, such behavior is easy to detect. A DoS attack can be performed by replaying either an old ORTS message or an old CTS message. This confuses the neighboring or sending nodes, forcing them to restart their timers or send the data to oblivion.

SIGF-0

SIGF-0 is a simple extension of IGF. It allows us to configure several parameters of IGF. Unlike IGF, where the forwarding area is fixed to the 60° sextant, SIGF-0 supports enlarging this area and thus taking more neighboring nodes into account. This decreases the chances of malicious nodes being chosen. In IGF, the sender chooses the first CTS message it obtains, then closes the collection window and sends the data. In contrast, in SIGF-0 the sender keeps the collection window open for some time to obtain more CTS messages and then chooses one of them. The choice can be made randomly or based on some priority. The sender can also choose multiple nodes to increase the robustness of the algorithm. The last configurable setting of SIGF-0 is whether the location of a node is omitted or not in the CTS response timer calculation.

The key difference between IGF and SIGF-0 is that IGF closes the CTS collection window after obtaining the first CTS, while SIGF-0 collects multiple of them. Hence SIGF-0 is not so vulnerable to the rushing attack. Although it brings a small inefficiency, it significantly improves security.
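To make the IGF/SIGF-0 difference concrete, an added toy simulation (not from [BHSS03] or [WFSH06]): candidate nodes inside the forwarding sector compute a CTS response timer from forward progress, residual energy and distance to the sector's centre line, and the sender either takes the first CTS (IGF) or collects every CTS heard within a window and picks one at random (SIGF-0). The timer weights, the 16 ms window, the coordinates and the node `m1` that answers without waiting are all constructed. The experiment reports which node IGF picks, how often SIGF-0 picks that same node, and how many candidates the window collects at 60° and, with SIGF-0's enlarged area, at 90°.

```python
import math
import random

# Added example (not the papers' code): IGF timer-based next-hop choice versus the
# SIGF-0 collection window. Weights, window and neighbour layout are constructed.

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def angle_off_deg(S, D, N):
    """Angle in degrees between the line S->D and the line S->N."""
    heading = math.atan2(D[1] - S[1], D[0] - S[0])
    bearing = math.atan2(N[1] - S[1], N[0] - S[0])
    off = (bearing - heading + math.pi) % (2 * math.pi) - math.pi
    return abs(math.degrees(off))

def cts_timer(S, D, N, energy, use_location=True):
    """CTS response delay in ms: shorter for nodes that bring the packet closer to D,
    hold more residual energy and sit nearer the sector's centre line.
    The 10/5/5 weights are constructed, not taken from the paper."""
    progress = (dist(S, D) - dist(N, D)) / dist(S, D)   # 0..1 for nodes ahead of S
    t = 10.0 * (1.0 - progress) + 5.0 * (1.0 - energy)
    if use_location:                                     # SIGF-0 can switch this term off
        t += 5.0 * angle_off_deg(S, D, N) / 30.0
    return t

def collect_cts(S, D, nodes, width_deg, window_ms, use_location=True):
    """CTS responses the sender hears within window_ms of its Open RTS, sorted by time.
    Only nodes inside the forwarding sector answer; a node flagged `rushing`
    ignores its timer and answers immediately."""
    heard = []
    for name, pos, energy, rushing in nodes:
        if angle_off_deg(S, D, pos) > width_deg / 2:
            continue
        t = 0.0 if rushing else cts_timer(S, D, pos, energy, use_location)
        if t <= window_ms:
            heard.append((t, name))
    return sorted(heard)

def igf_select(heard):
    """IGF: the first CTS wins and the window closes."""
    return heard[0][1]

def sigf0_select(heard, rng):
    """SIGF-0: keep the window open, then pick one collected CTS at random."""
    return rng.choice(heard)[1]

S, D = (0.0, 0.0), (100.0, 0.0)
NEIGHBOURS = [  # constructed: (name, position, residual energy 0..1, rushing)
    ("n1", (30.0, 5.0), 0.9, False),
    ("n2", (25.0, -10.0), 0.8, False),
    ("n3", (28.0, 12.0), 0.6, False),
    ("n4", (25.0, 20.0), 0.9, False),   # about 39 degrees off: outside the 60-degree sextant
    ("n5", (-20.0, 0.0), 1.0, False),   # behind the sender, never a candidate
    ("m1", (20.0, 0.0), 0.5, True),     # answers the Open RTS without waiting for its timer
]

def run_experiment(trials=1000, seed=1):
    """Return (IGF's choice, fraction of SIGF-0 trials choosing m1, candidates in window)."""
    rng = random.Random(seed)
    igf_choice = igf_select(collect_cts(S, D, NEIGHBOURS, 60.0, math.inf))
    heard = collect_cts(S, D, NEIGHBOURS, 60.0, 16.0)
    hits = sum(sigf0_select(heard, rng) == "m1" for _ in range(trials))
    return igf_choice, hits / trials, len(heard)
```

With the constructed layout IGF always hands the packet to `m1`, whereas SIGF-0 spreads the choice over the four candidates heard in the window, so `m1` gets roughly a quarter of the transmissions; widening the sector to 90° admits `n4` as a fifth candidate. The sender can also bound the earliest plausible CTS time from a node's claimed position, which is why the text calls this behaviour easy to detect.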

SIGF-1

This variant inherits all the properties of SIGF-0. Furthermore, it introduces an inner state of the node. This state is initialized and maintained by the node itself and does not bring any communication overhead. SIGF-1 works as SIGF-0, but the choice of the next hop is also based on a reputation value assigned to each neighbor. This value is derived from the state information stored and maintained by the node. The node keeps the number of sent messages T, and several records for each neighbor node N: the number of messages sent to N; the number of messages actually forwarded by N (this is determined by overhearing the traffic of node N); the last claimed location of N; the average delay during forwarding of a message (again determined by overhearing). From these data the node derives the reputation value of node N. Candidates whose reputation value is below a threshold are dropped from the candidate list. This approach protects the algorithm against a Sybil attack. Note that all options of SIGF-0 still remain.

SIGF-2

SIGF-2 includes both previous variants and adds the use of cryptography to prevent the DoS attack. It also ensures confidentiality, authenticity, integrity and freshness of the communication between neighboring nodes. SIGF-2 requires neighboring nodes to share a secret key. In addition, a neighborhood key has to be established to enable authenticated broadcast of the Open RTS message.

The integrity and authenticity of messages is ensured by a Message Authentication Code using the shared key. Freshness is guaranteed by sequencing the messages; for each neighbor node a counter is kept. SIGF-2 offers payload encryption to keep data confidential and prevent eavesdropping. By using authentication and sequencing, the DoS attack is prevented, as old messages are discarded by the nodes. However, in the case of a compromised node, the attacker can still mount such an attack. Which types of messages are protected by cryptographic mechanisms is optional in SIGF-2. This gives the user the ability to set an appropriate level of security.

SIGF is a good example of a routing protocol which can be qualified as secure. SIGF can be configured to a certain level of security and robustness. One can easily trade off between security, efficiency and performance of the algorithm. What's more, the configuration can be done dynamically. For example, the system can be set to maximum performance and, in case an attacker is detected, the system can be reconfigured as a reaction to the attack. We consider the configurability of SIGF a great advantage. We also appreciate the approach of IGF, which integrates routing with the medium access control. This significantly increases the performance and efficiency of the overall system, which is important in resource-limited wireless sensor networks. We are aware of the fact that mixing the ISO/OSI layers also has many drawbacks and that IGF/SIGF is dependent on the particular MAC algorithm, but WSNs are specific and one cannot expect a truly universal solution. The important limitation of IGF/SIGF is its essential assumption that every node knows its location. However, we consider this assumption justifiable. Furthermore, a network so equipped can offer advanced services. There are two ways to satisfy this assumption. In the first, every node is equipped with GPS. The second uses a few GPS-equipped nodes and a triangulation mechanism to determine the location of the rest of the nodes.

Comparing the variants of SIGF, we would evaluate SIGF-0 as the best using a cost/performance approach. It is a very simple extension of IGF, which provides a variety of settings and attractive security properties for trivial cost. SIGF-1 also pays off well. However, in a high-density network, the state maintenance can occupy a significant part of the memory and the process of overhearing can consume a nontrivial amount of energy. SIGF-2 uses encryption, which requires key establishment and management. It is costly, and the benefits in terms of defense against the DoS attack are very small. Since sensor nodes are not tamper resistant, it is relatively easy for the attacker to become part of the network and mount the attack anyway. Nevertheless, once the keys are distributed, the cryptography can provide additional services. Hence the SIGF-2 mechanisms can be used in cooperation with other protocols. This could justify the cost. We would consider implementing ARMS for authenticated local broadcast of Open RTS messages, instead of sharing a neighborhood key. ARMS would also provide implicit sequencing of the Open RTS messages.

3.3.2 Secure Directed Diffusion

Directed Diffusion is a very important data-centric routing protocol for Wireless Sensor Networks [IGE00]. However, this protocol has several security shortcomings. Therefore Secure Directed Diffusion (SDD) [WYC04], a secure variant of this protocol, was designed. The SDD protocol makes use of immediate TESLA [PCST01], which is a mechanism for authenticated broadcast.

The original Directed Diffusion has four phases. In the first phase, the base station broadcasts an interest for data, which is named by an attribute-value pair. This interest floods the network and sets up gradients at each node. Gradients specify the data rate and the direction in which to send data. The second phase begins when the interest reaches a node which can satisfy it. That node sends low-rate data along the reverse path of the interest dissemination. At the end of this phase, the base station receives low-rate data from multiple paths. The next phase is the reinforcement phase. The base station selects one particular path and sends a reinforcement via this path in order to obtain a higher data rate. In the last phase, the source node generates data at the requested rate and sends it through the reinforced path. Not only base stations can reinforce a path, but also nodes included in the path. This enables repairing broken paths. Negative reinforcements are also supported.

Directed Diffusion is vulnerable to attacks because of missing authentication and integrity checking. Karlof and Wagner [KW03] have shown several attacks on Directed Diffusion. An attacker can spoof positive or negative reinforcements in order to change the data flow. This may include him in the path and result in selective forwarding, data tampering, DoS or eavesdropping. The attacker can also clone the data flow by rebroadcasting the interest listing himself as a base station. A laptop-class attacker can create a sinkhole using a wormhole attack in combination with forged reinforcements.

The SDD protocol adopts ideas of the immediate TESLA protocol [PCST01] to ensure the authenticity and integrity of routing and data messages. Only symmetric cryptography is used and asymmetry is achieved by a one-way hash chain. The principle is similar to µTESLA described in section 3.2.1. The SDD protocol requires that there is only one base station and that it shares a secret key with each node. All nodes are also seeded with the first value k1 of the one-way key chain, where only the base station knows kn, to be able to authenticate its messages. SDD has the same phases as the original Directed Diffusion, but in each phase the integrity and authenticity of origin of the messages is protected. In the first phase, the base station floods the message M = (H(INTERESTx) | MAC(kx, H(INTERESTx))), where H(m) denotes the hash of the message m, MAC(k, m) denotes the Message Authentication Code of m using key k and | denotes concatenation. Suppose all nodes have received message M after time t. Then the base station floods another message (INTERESTx | kx). Now a node can verify that kx is from the base station by computing F^(x−1)(kx) = k1. Having kx, the node can verify the integrity and authenticity of H(INTERESTx) and subsequently of INTERESTx. The same technique is used when sending reinforcements in the third phase. Thus the interests and reinforcements cannot be forged or modified. Notice the drawback that now a broken path cannot be repaired as in the insecure Directed Diffusion, because only the base station can send reinforcements.

The data sent in the second and fourth phase by the source node are also authenticated and their integrity is protected. In the phase of low-rate data propagation, the source node N floods D = (H(DATA1) | MAC(k1N, H(DATA1)) | (k1N)SF | N), where k1N is the first key of the one-way key chain generated by node N, and (m)SN denotes the encryption of m using the key SN shared between node N and the base station. The base station decrypts the key k0N and sends it in an authenticated way, as in the first phase, to all nodes on the path. After this the source node N sends the data (DATA1 | k2N | nonce1 | N | (nonce1)SN), where N is the list of nodes. nonce1 is used to ensure freshness. If node E receives this data, it sends (DATA1 | k1N | nonce1 | N,E | ((nonce1)SN)SE). The process continues until the base station receives the data. The base station can verify the authenticity and integrity of the data and also check the identity of the nodes on the path. Then the base station probabilistically selects one of the possible paths. In the last phase, data are sent from the source node N in a similar authenticated way as the interests and reinforcements, but in the opposite direction. Sequence numbers are also contained in the data to ensure freshness.

Secure Directed Diffusion is a secure variant of a popular data-centric protocol. Unlike the original one, it does not support data aggregation and path recovery. On the other hand, it is resistant to almost all known attacks. However, there is a problem during the low-rate data propagation phase. Possible paths are discovered and one is probabilistically selected. The probability of the attacker being on the path is proportional to the fraction of paths including the attacker among all the paths. Suppose the attacker A overhears the message (DATA1 | k1N | nonce1 | N,E | ((nonce1)SN)SE). He can create the message (DATA1 | k1N | nonce1 | N,E,A | (((nonce1)SN)SE)SA) and thus introduce a new path. The more such paths are created, the greater the probability for the attacker to be on the selected path. The authors are aware of this attack. However, they rely on the property of the original Directed Diffusion that MAC unicast is used for data dissemination. We believe that this is a poor countermeasure. Unicast is not used for security purposes. It is still possible for an attacker to eavesdrop on the communication. In addition, a strong attacker can use, for example, selective jamming to prune away the original path.

3.3.3 SeRINS

Secure alternate path Routing IN Sensor networks [LC06a] is a routing protocol which combines several existing security mechanisms together with its neighbor report system to ensure secure routing. The goal of SeRINS is to protect the network against an insider which launches selective forwarding or advertises bogus routing information. The authors of SeRINS assume that the attacker can compromise only a small number of nodes. They also assume that each node shares a unique secret key with the base station, and that each pair of neighboring nodes agrees on a shared secret key. The last assumption prevents an outsider attacker from joining the network, because all communication is protected by hop-by-hop encryption. SeRINS consists of three different schemes: an alternate path scheme, a neighbor report system, and neighbor authentication. The alternate path scheme establishes a routing topology. The base station builds a tree with itself as the root by periodic broadcast of routing information. There are two differences from MCF or TinyOS beaconing. First, the routing information packets are authenticated. Second, each node keeps more than one parent node and hence multiple paths to the base station exist. Regarding the authentication of routing updates, the first hop from the base station is authenticated using a one-way hash chain, so no one can impersonate the base station; subsequent hops are authenticated using the neighbor authentication scheme. This scheme is no more than the ARMS scheme described in section 3.2.2. To mitigate the impact of selective forwarding, multiple paths are established and for every packet one of them is randomly chosen. The third scheme, the neighbor report system, was designed to identify and eliminate malicious nodes which advertise bogus routing information.
All neighbor nodes check the routing information sent by a node and if an inconsistency is detected, the malicious node is reported. The decision whether the reported or the reporting node is malicious is made by the base station based on votes from neighboring nodes. The base station eliminates the malicious node by flooding this information and revoking its keys. Under the given assumptions, SeRINS seems to be resistant to all known attacks mentioned in section 3.1. The Sybil attack, sinkhole attack, HELLO floods and acknowledgement spoofing are impossible due to the secure channels between each pair of neighboring nodes. Note that the responsibility is moved to the underlying key distribution scheme. The wormhole attack is supposed to be defended against by external schemes like packet leashes [HPJ03]. SeRINS itself defends routing against selective forwarding and advertising of bogus routing information. The impact of selective forwarding is minimized using the multiple paths scheme, yet some impact remains. The problem of bogus routing information is solved using a detection and reaction mechanism called the neighbor report system. We consider this system very inspiring. It is an example of leveraging the fact that neighboring nodes can overhear the surrounding communication. It can be denoted as an intrusion detection system. However, it is strongly embedded in the routing scheme and cannot be applied alone without massive changes.

3.3.4 A Clean-Slate Approach

Parno et al. [PLGP06] have decided to design a completely novel routing protocol with security and efficiency as the main goals. Their protocol trades on the combination of prevention, detection/recovery and resiliency. Furthermore, it provides a node-to-node routing scheme. Unlike the majority of algorithms for sensor networks, this one exploits public key cryptography. There is a single trusted authority NA, and each node is preloaded with its public key PNA and is able to verify the signature. The authors argue that signature verification can be very efficient and performed even by a node. Each node also has a unique ID and a certificate (ID)SNA signed by the trusted authority. Additionally, the node has a one-way hash chain of challenge values C1...Ck. The node also possesses (C1||ID)SNA to be able to send authenticated challenges. Note that these assumptions are strict indeed, but can be satisfied off-line prior to the actual deployment of the nodes.

The algorithm assigns a unique network address to each node and establishes the routing tables using recursive grouping. The recursive grouping algorithm is initiated by every node broadcasting its ID and certificate. Neighboring nodes thus construct a list of authenticated neighbors. After this phase, no node can join the neighborhood. The grouping algorithm itself starts with every node comprising its own group. Then the process continues by recursive merging of the groups until the whole network comprises a single group. During the grouping algorithm, hierarchical network addresses are constructed and forwarding is based on the address prefixes. After this procedure each node possesses a routing table that maps address prefixes to neighboring nodes. To make routing resilient, multiple routing entries can be maintained for routing into a subgroup. Thus a node can choose between multiple paths.

Besides the grouping algorithm, there are several additional techniques to detect malicious behavior, eliminate malicious nodes and recover the normal state. The Grouping Verification Tree (GVT) algorithm detects malicious behavior during the recursive grouping algorithm. It is based on the Merkle hash tree [Mer80], which provides authentication of leaves given an authentic root, and validation of the tree construction given authenticated leaves. GVT exploits the authenticated challenges Ck and prevents a malicious node from joining the group or corrupting the grouping algorithm. GVT can be extended to verify the neighbor lists of a node or to verify the address of a particular node. The routing protocol implements a distributed detection algorithm [PPG05] for detecting a node claiming multiple identities, or replaying the broadcast packets in the first phase. A simple algorithm (HoneyBee) is used to eliminate such nodes. A legitimate node that has detected the malicious one sacrifices itself. It floods its own ID together with the malicious node's ID in an authenticated way. Both referenced nodes are revoked.

The security of this algorithm is ensured by running authenticated neighborhood discovery and by the GVT algorithm, which detects possible tampering. The recursive grouping algorithm runs deterministically and is protected by GVT; hence it prevents an intruder from altering the resulting topology. The Sybil attack is prevented using unique node IDs and certificates signed by the trusted authority. The multiple path variant is also fault tolerant and robust. The algorithm itself cannot cope with wormholes. To overcome this, the authors suggest integrating one of the wormhole detection algorithms.

We consider the "Clean-slate approach" innovative due to its efficient use of asymmetric cryptography. On the other hand, we are still not fully convinced that it is necessary to employ asymmetric cryptography. Even though it is relatively efficient, it still remains costly. Moreover, nodes need to maintain routing tables, merge tables and challenge constants in memory. This algorithm consumes many resources of the node. We rate this as the biggest weakness of the algorithm. To be really secure, the algorithm has to integrate many additional mechanisms; this fact also degrades the usability of the algorithm. Regarding benefits, this protocol is designed to route between any pair of nodes, whereas the vast majority of routing schemes do not support this traffic pattern. Therefore this technique is predestined to be employed in specific applications where such a pattern is needed.

Chapter 4

Introduction to Evolutionary Algorithms

In this thesis, we try to automatically generate attack strategies on routing algorithms for WSNs. We have decided to employ evolutionary algorithms for this purpose. Evolutionary algorithms are stochastic search algorithms inspired by biological evolution. In order to find the optimal solution, evolutionary algorithms employ the basic mechanisms of evolution. They work with a set of individuals (denoted as the population), in which each individual represents a possible solution. From these individuals, new ones are created using the operations of mutation, crossover and reproduction. The quality of new individuals is evaluated by the fitness function. The new population is then sieved by natural selection, which is based on the fitness function. Natural selection decides which individuals will be reproduced (and thus their capabilities and features will be used in further generations) and which will be forgotten. This process is repeated until a good enough solution is found. Details on the evolutionary mechanisms follow.

4.1 Population of individuals and their representation

Most algorithms for solving optimization problems work with a single candidate solution at a time. Evolutionary algorithms work with a population of candidate solutions instead. This enables a parallel search for the solution and the natural selection mechanism. The number of candidate solutions in the population has a significant impact on the convergence towards the optimal solution and is typically set by an expert. Another key factor of the evolution progress is the representation of the candidate solutions, which is denoted as the genome. In linear genetic programming [BNKF98], which is the technique we use in this work, the genome consists of a sequence of instructions. Another common structure of the genome is the tree-based structure used in genetic programming [Koz92].

4.2 Genetic operators

In order to work, evolution has to have mechanisms that ensure the replication of individuals and that introduce new abilities to them. The replication of individuals is provided by the replication operator, which simply copies the individual, and by the crossover operator, which combines different parts from two or more individuals into a single one. In specific settings, crossover can take over the task of replication. New properties are introduced to an individual by the mutation operator. Mutation modifies the genome of the individual by replacing some parts of the genome with newly generated ones.

4.3 Fitness function and selection operator

The crucial part of the evolution process is the natural selection. It decideswhich individuals are replicated or modified and which are removed fromthe population. In evolutionary algorithms, the selection is based on theoutput of the fitness function.

The fitness function captures the relation between the candidate solu-tion and the optimal solution for the problem in question. It expresses thequality of the candidate solution with respect to the desired goal and pro-vides feedback to the evolution.

The fitness function has to be graded with sufficient granularity to be able to distinguish the quality of two similar individuals. If it is not, then the search process can degrade to a random search. For example, suppose we have only a binary fitness function, which outputs '1' if the solution succeeds and '0' if not. Then, until the optimal solution is found, all candidate solutions have the same quality and hence the selection is completely random. This results in a random search.

The fitness function must also be fast to compute. This condition is purely practical, because in the evolution process we have to be able to evaluate a large number (10^3 to 10^6) of candidate solutions in a reasonable time.

The fitness function leads the evolution to the intended goal; thus we set the subject of the search by the definition of a proper fitness function. Note that some problems cannot be solved using evolutionary algorithms, because we are not able to define a fitness function satisfying the above properties, especially gradation.
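As an added illustration of sections 4.1 to 4.3 (not the thesis's own linear genetic programming implementation), the loop below evolves a 32-bit genome towards an all-ones target with replication, one-point crossover, bit-flip mutation and tournament selection, using a seeded generator so the run is repeatable. It is run once with a graded fitness (number of correct bits) and once with the binary fitness the text warns about; population size, mutation rate, tournament size and the toy target are constructed choices.

```python
import random

# Added example (not the thesis's code): a minimal evolutionary algorithm on a
# bit-string genome, showing why the fitness function needs gradation.
L = 32
TARGET = [1] * L                 # the optimum every run searches for (constructed)

def graded_fitness(genome):
    """Number of correct bits: two similar individuals get distinguishable scores."""
    return sum(1 for g, t in zip(genome, TARGET) if g == t)

def binary_fitness(genome):
    """1 only for the exact solution, otherwise 0: selection has nothing to work with."""
    return 1 if genome == TARGET else 0

def mutate(genome, rng, rate):
    """Flip each bit independently with probability `rate`."""
    return [1 - g if rng.random() < rate else g for g in genome]

def crossover(a, b, rng):
    """One-point crossover: head of a, tail of b."""
    cut = rng.randrange(1, L)
    return a[:cut] + b[cut:]

def tournament(pop, scores, rng, k=3):
    """Selection operator: the fittest of k randomly drawn individuals."""
    i = max(rng.sample(range(len(pop)), k), key=lambda j: scores[j])
    return pop[i]

def evolve(fitness, generations=500, pop_size=20, seed=7):
    """Return (generation in which the optimum appeared, best genome);
    the generation is None when the budget runs out first."""
    rng = random.Random(seed)
    pop = [[rng.randrange(2) for _ in range(L)] for _ in range(pop_size)]
    for gen in range(generations):
        scores = [fitness(ind) for ind in pop]
        best = max(range(pop_size), key=lambda j: scores[j])
        if pop[best] == TARGET:
            return gen, pop[best]
        new_pop = [pop[best]]                      # replication of the elite, unchanged
        while len(new_pop) < pop_size:
            if rng.random() < 0.5:                 # crossover of two selected parents ...
                child = crossover(tournament(pop, scores, rng),
                                  tournament(pop, scores, rng), rng)
            else:                                  # ... or replication of one
                child = tournament(pop, scores, rng)
            new_pop.append(mutate(child, rng, 1.0 / L))   # mutation introduces new properties
        pop = new_pop
    return None, max(pop, key=fitness)
```

With the graded fitness the run reaches the target well inside the budget; with the binary fitness every individual scores 0 until the exact solution appears, so the tournament is a coin toss and the loop is a random search over 2^32 genomes that exhausts its 500 generations without success.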

Chapter 5

Automatic design of attack strategy

In this work, we examine the security of routing protocols for wireless sensor networks. We aim to design an automatic method for generating attack strategies on these protocols. Such a method can help us reveal, understand and counter potential weaknesses.

There is a significant asymmetry between designing a secure system and attacking such a system. The designer of a system has to consider and prevent all possible strategies, whereas the attacker needs to employ only one of those strategies to be successful. This is analogous to an exhaustive search through the whole search space versus a guided search through a part of the search space. The exhaustive search is practically impossible in our case, because the space of possible attack strategies is extremely large. Thus, we have decided to employ guided search and try to find at least some attack strategies. We are aware of the fact that the chosen approach cannot prove the security of a system, even in case no attack strategy is found. However, it can help to secure the system by revealing its potential weaknesses.

5.1 Related work

So far, there have been several proposals for the use of automatic attack generation. Automatic attacks have mainly been used in relation with Intrusion Detection Systems (IDS). Automatic generation of attack graphs² using symbolic model checking algorithms was proposed in [SHJ+02]. Constructing attack graphs is a crucial part of the vulnerability analysis of a network.

In [MGL+06], a virtual network infrastructure is proposed which is able to generate a testing data set. This set would be further used for the evaluation and testing of intrusion detection systems.

Polymorphic blending attacks (PBA) can be used to evade some payload-based intrusion detection systems. The principle of PBA is to transform the attack packets into a form that matches the normal packet profile and thus evades the IDS. In [FL06], the authors propose using hill climbing for automatic generation of PBA instances, given the IDS and a particular attack.

² An attack graph is "the data structure used to represent all possible attacks on the network" [SHJ+02].

A combination of evolutionary algorithms and a network simulator has also been used successfully to produce a defensive strategy. A secrecy amplification protocol for WSNs [SM07] was evolved. This protocol might significantly increase the resiliency of link keys against a link compromise attack.

5.2 Basic concept

The basic concept for automatic design of attack strategies is the result of joint work with my advisor Petr Svenda. It combines an automatic attack strategy generator with a simulator or a real system to generate and evaluate a large number of potential attack strategies. In this thesis we use this concept to automatically generate attack strategies on routing protocols.

The basic concept consists of the following five steps:

1. Execution of the X-th round of the generator → attack strategy in a metalanguage.

2. Translation from the metalanguage into a domain language.

3. Strategy execution (either by a simulation or in a real system).

4. Evaluation of the fitness function (obtaining attack success value).

5. Proceed to the (X+1)-th round.

We have to seed the generator with a set of elementary rules before the actual process of attack generation begins. These rules are the basic building blocks creating the attack strategy. This action is viewed as step 0.

We will discuss all steps in detail. Since this work examines secure routing for WSNs, we use examples from this area.

5.2.1 Elementary rules

Prior to the actual generation process, we have to define elementary rules, which act as building blocks for new attack strategies. To do so, we first observe the attacked system and look for ways of influence that an attacker could have on it. For example, he can intercept, send or generate a message. These methods are then decomposed into elementary rules, such as intercept a message from node X, change parameter X of the message or generate a particular message. The granularity of these rules is a very important factor. The more detailed the rules are, the bigger the possibilities of the generator; on the other hand, the larger the search space of attack strategies. We divide the granularity into three levels. Note that these levels are not strict and depend on the viewpoint. In one scenario we consider something a primitive attack, whereas in another scenario it is only an elementary rule of high granularity, and vice versa. Moreover, we can use both primitive attacks and detailed elementary rules in a single scenario.

[Figure 5.1: block diagram. Elementary rules (ways of influence that an attacker can have on the simulated/real system) feed the Attack strategy generator (random search, exhaustive search, educated guess, guided search), which produces the Attack strategy in metalanguage; Translation yields the Attack strategy in domain language, executed on a Simulator or Real system; the collected Statistics enter the Fitness function, whose Attack success value is fed back to the generator.]

Figure 5.1: Basic concept for automatic attack generation. The attack strategy in the metalanguage is generated from elementary rules. The strategy is translated into the language of the evaluation environment (simulator, real system). During evaluation of the attack strategy, statistics are collected. These statistics are used for computation of the fitness function, which qualifies the success of the strategy and provides a guideline to the generator.

• Recombination of primitive attacks - if we take known primitive attacks (sequences of elementary rules) as elementary rules, we can generate new attacks by recombination of these known attacks. This can significantly speed up the generation process, because known constructions need not be generated from scratch. On the other hand, novel primitive attacks cannot be generated. For example, an elementary rule can be replay message, delay message or drop message.

• Optimization of known attacks - we already have an attack strategy (e.g., compromise a node and extract its keys) and we want to optimize its parameters (e.g., which nodes should be compromised). In this case, the elementary rules represent the parameters.

• Novel attacks - if the elementary rules are detailed enough, the generator can combine them into a completely novel attack. These rules should represent all the basic actions an attacker can do, for example, intercept a message or even modify the X-th bit of the message. In this work, we will try to define high granularity rules and generate novel attacks.

5.2.2 Generation of attack strategy

The generator constructs the attack strategy from the elementary rules. One of the following techniques can be used for construction.

• Random search - elementary rules are randomly combined into an attack strategy. No information about previously generated attack strategies is used in the generation process.

• Exhaustive search - all possible combinations of elementary rules are generated. This technique finds the optimal attack strategy that can be constructed from the elementary rules. Exhaustive search is not convenient for large search spaces, which is our case.

• Educated guess - an expert combines elementary rules into a possibly successful attack strategy. Information about previously generated attack strategies can be used to speed up the process.

• Guided search - a new attack strategy is a modification of a previously generated attack strategy. Information about the quality of the previous attack strategy is available and shapes the new attack strategy. Representatives of guided search are, for example, hill climbing³ or evolutionary algorithms. We use evolutionary algorithms to generate attack strategies in this work.

3. Hill climbing is an optimization algorithm. It starts with a random solution and gradually improves this solution by making small changes to it.


5.2.3 Translation

Elementary rules and the resulting attack strategies are written in a metalanguage, which is suitable for the generator. On the other hand, in most cases this language cannot be interpreted by a simulator or a real system. Therefore we have to translate the attack strategy in order to execute it on the simulator. Note that we can use multiple simulators or real systems, which use different languages, with a single generator. Thus translation into multiple languages is necessary.

5.2.4 Strategy execution

The attack strategy is executed in the simulator or real system. The statistics from the simulator or real system are used as the input of the fitness function, which evaluates the success of the attack strategy. For example, the statistics can include the average length of the message route or the number of delivered messages. The possibility of using a real system for the evaluation of the attack strategy can be very useful. No abstraction is used and the generated attack strategies can exploit, for example, bugs in a particular real system implementation.

5.2.5 Fitness function evaluation

In our concept, the feedback about the attack strategy success is very important, especially if a form of guided search is used for attack strategy generation. This feedback is provided by the fitness function⁴, which evaluates the quality of the attack strategy. Note that the fitness function determines the attacker's goal. For example, if the goal is to decrease the network lifetime, the fitness function can be defined as the inverse value of the remaining energy. Thus, having elementary rules, translation rules and a simulator, we can generate attack strategies with different goals by switching the fitness functions.

5.3 Concept realization via evolutionary algorithms

Now we demonstrate the practical use of the basic concept. Due to our focus, we aim to generate attack strategies on routing protocols for wireless sensor networks. The ultimate goal of our effort is to generate a successful attack strategy on a secure routing protocol that would reveal a conceptual weakness of the protocol. However, we are aware of the high complexity and hardness of achieving such a goal, so we first focus on insecure protocols with known weaknesses. The attack strategy generator should be able to reveal these weaknesses and to generate appropriate attack strategies. We have chosen two insecure routing protocols, Minimum Cost Forwarding, described in section 5.4.1, and Implicit Geographic Forwarding, presented in section 3.3.1. The first was chosen because it represents a widely used class of routing protocols that construct a minimum spanning tree as a routing structure. It also has several documented weaknesses which are easy to find for a human expert. The second protocol is more robust and incorporates randomness into the routing process. However, this protocol also contains weaknesses that can be turned into a successful attack. Another reason to choose IGF is that it can be easily upgraded to one of the security levels of SIGF. We could thus potentially analyze what impact the attack strategy generated for IGF has on its secured version SIGF.

4. The term fitness function is borrowed from the terminology of evolutionary algorithms. In contrast to the original fitness function used in evolutionary algorithms, our fitness function does not need to fulfill all its properties. Properties of the original fitness function are discussed in section 4.3.

A particular instance of the basic concept is shown in figure 5.2. If we follow the basic steps of the concept, we first define the elementary rules. These rules are strongly dependent on the attacker's abilities. Therefore, prior to the elementary rules definition, we have revised the attacker model in section 5.3.1. There are two kinds of elementary rules, triggers and instructions. Details are presented in a subsequent section. We employ evolutionary algorithms as the attack strategy generator. We do not need a translation step, because the simulator was designed to accept the output of the generator. For routing simulation we have extended the Sensor Security Simulator. The feedback is provided by one of four fitness functions we have implemented. Each fitness function guides the evolution to a slightly different attack strategy with a different goal. Details on the implementation and the Sensor Security Simulator follow in subsequent sections.

5.3.1 Attacker model revised

To clarify the attacker's capabilities, we have to define an attacker model. We have revised and extended Karlof's attacker model described in section 2.3.3 for this purpose.

We assume that our attacker is authorized to take part in the routing process, thus to mount insider attacks. This state can be achieved by capturing a legitimate node. However, an outsider attacker can also have abilities similar to an insider attacker under some conditions. This is caused by the nature of the wireless medium and the fact that the attacked protocols do not employ cryptographic mechanisms for ensuring confidentiality, authenticity and integrity. Therefore, if no link layer encryption is implemented, an outsider attacker can act as an insider in our case.

[Figure 5.2: the block diagram of Figure 5.1 with the blocks instantiated: Elementary rules = triggers and instructions (ways of influence that an attacker can have on the simulated/real system); Attack strategy generator = evolutionary algorithms; the Translation step is omitted, the attack strategy in metalanguage already being in the domain language; Simulator = Sensor Security Simulator; Statistics = number of delivered messages, length of path, ...; Fitness function produces the Attack success value.]

Figure 5.2: A particular instance of the basic concept. Evolutionary algorithms are used as the attack strategy generator. The translation step is omitted, because the simulator accepts the generator's output. The generated attack strategy runs on the Sensor Security Simulator. Statistics include the total number of generated messages, the number of delivered messages and many others. One of the fitness functions evaluates the attack strategy success.

Our attacker falls into the category of mote-class attacker. We further divide this category into three subclasses for our purpose: Single node attacker, Multiple nodes attacker with homogeneous strategy and Multiple nodes attacker with heterogeneous strategy. A Single node attacker controls only one node. Thus only one instance of the attack strategy is executed at a time. A Multiple nodes attacker with homogeneous strategy controls multiple nodes and each one of these nodes executes the same attack strategy. Thus there are multiple similar attack strategies running at a time. In the simplest case, this attacker is nothing more than multiple instances of a single node attacker. But the attack strategy can leverage the knowledge that there are several malicious nodes and implement some sort of cooperation between them. A Multiple nodes attacker with heterogeneous strategy controls multiple nodes. These nodes are divided into groups and each group acts as a multiple nodes attacker with homogeneous strategy. The advantage is that each group can run a different attack strategy, and these attack strategies can be designed to cooperate and support each other. So in the end we get several cooperating attackers. For example, suppose there are 2 groups of malicious nodes denoted as A and B. Then the attack strategy of group A can redirect the traffic to the malicious nodes of group B, which, according to their attack strategy B, drop the packets.

In our practical work, we are not interested in the laptop-class attacker. However, we can extend our attack strategy generator to generate attack strategies for a laptop-class attacker by defining additional elementary rules (and thus giving the attacker more capabilities).

5.3.2 Evolutionary algorithms and genome structure

As we have stated, we apply evolutionary algorithms to generate attack strategies. We have chosen the open source library GAlib⁵ for the practical implementation of the evolution process. It is written in C++ and supports multiple genome representations and genetic operators.

One of the key parameters of evolution is the representation of the genome. In our case, the genome stands for an attack strategy. In linear genetic programming, the genome is usually represented as a sequence of instructions. This is not totally suitable for our problem. We have thus extended this representation. An attack on routing is typically represented not as a sequence of steps executed one by one, but rather as steps triggered by various events. Therefore we have decided to represent the strategy as a composition of substrategies. These substrategies can be executed in an arbitrary order. The execution of a substrategy is triggered by the event corresponding to the substrategy. Hence the genome is a two-dimensional array, where each row represents a substrategy. Each substrategy begins with its trigger. The genome structure is shown in figure 5.3 in black. The gray color demonstrates the possible three-dimensional genome, which can represent the attack strategy of the Multiple nodes attacker with heterogeneous strategy. Each two-dimensional layer acts as a strategy for one group of malicious nodes. The three-dimensional genome structure enables us to generate multiple cooperating strategies.

5. http://lancet.mit.edu/ga/ (May 2008)

[Figure 5.3: three stacked two-dimensional layers; each layer is a table whose rows read Trig_1 INS INS INS ..., Trig_2 INS INS INS ..., ..., Trig_x INS INS INS ...]

Figure 5.3: Genome structure. The black color describes a single attack strategy. Each row represents a substrategy. The first slot contains the trigger, subsequent slots contain a sequence of instructions. The gray color demonstrates the possible three-dimensional genome representing the attack strategies of the Multiple nodes attacker with heterogeneous strategy.

Now we present the structure of triggers and instructions. Our model of a node contains several memory slots, which are used for temporary storage of messages and identities of nodes. In order to address these memory slots, instructions include one or more parameters. For example, an instruction can be defined as INS_SEND_M P1, which means: send the message stored in memory slot P1.

In addition to these parameters, we have incorporated a mechanism of conditional execution of instructions and triggers. Each node contains so-called condition memory slots (cms). These slots contain a numeric value, which acts as the basis for a condition. An instruction thus has two additional parameters: cms addresses the condition memory slot and cv denotes the condition value. If the condition value is lower than the value in the addressed condition memory slot, the instruction is executed, otherwise not. If cms refers to condition memory slot number 0, the instruction is executed no matter the condition value. Values in condition memory slots can be automatically decremented by the node or manipulated by special instructions. The same holds for triggers as for instructions. If the trigger is not executed, the whole corresponding substrategy is also skipped. We have designed the condition mechanism to enable complex dependencies between various events, instructions and triggers.

Each node is also equipped with temporary memory, which is used for handling incoming messages or messages loaded from memory slots.

As elementary rules for generating the attack strategy on IGF, we have defined the following triggers and instructions. We aimed to create high granularity rules, which could lead to the generation of a completely novel attack.

Triggers

The majority of triggers contain the parameters cms and cv described above. We briefly describe the event which triggers the strategy execution.

• TRIG_NOP – no operation trigger, the corresponding substrategy is never executed

• TRIG_TIME p1 – time trigger, the substrategy is repeatedly executed every p1 time units (let's say milliseconds)

• TRIG_DATA cms cv – a data message not addressed to the malicious node was overheard

• TRIG_DATA_ME cms cv – a data message was delivered to the malicious node

• TRIG_ORTS cms cv – an Open RTS was received

• TRIG_CTS cms cv – a CTS message not addressed to the malicious node was overheard

• TRIG_CTS_ME cms cv – a CTS message was delivered to the malicious node

• TRIG_ACK cms cv – an acknowledgement not addressed to the malicious node was overheard

• TRIG_ACK_ME cms cv – an acknowledgement was delivered to the malicious node

• TRIG_COLLISION cms cv – a collision on the medium was detected

• TRIG_RNG cms cv p1 – the substrategy is executed with probability p1


Instructions

All the instructions, except the no operation instruction, contain the parameters of the condition mechanism cms and cv described above. Each instruction also includes a boolean switch, which determines whether the instruction will be executed or not. This switch enables temporarily pruning away the instruction and helps in the pruning process (discussed in section 5.4).

• INS_NOP - no operation

• INS_DROP_M cms cv p1 - drop the message from memory slot p1

• INS_SEND_M cms cv p1 - send the message from memory slot p1

• INS_STORE_M cms cv p1 - store the message from temporary memory into memory slot p1

• INS_LOAD_M cms cv p1 - load the message from memory slot p1 into temporary memory

• INS_GENERATE_M cms cv p1 p2 p3 - generate a message and store it into memory slot p1; p2 denotes the type of the generated message (ORTS, CTS, ACK, DATA); the destination of the message is loaded from memory slot p3

• INS_SEND_ORTS cms cv - send an Open Request To Send

• INS_SEND_ACK cms cv p1 - send an acknowledgement; the destination is loaded from memory slot p1

• INS_SEND_CTS cms cv p1 - send a CTS; the destination is loaded from memory slot p1

• INS_GET_N cms cv p1 p2 p3 - get information from the message stored in memory slot p1; p2 denotes the type of the information (ultimate source, ultimate destination, transmitting node, receiving node); store the information into memory slot p3

• INS_FAKE_N cms cv p1 p2 p3 - forge the information in the message stored in memory slot p1; p2 denotes the type of the information (ultimate source, ultimate destination, transmitting node, receiving node); the information is loaded from memory slot p3

• INS_SET_CMEM cms cv p1 p2 - set the value in condition memory slot p1 to the value p2

• INS_ADD_CMEM cms cv p1 p2 - add the value p2 to the value stored in condition memory slot p1

• INS_SUB_CMEM cms cv p1 p2 - subtract the value p2 from the value stored in condition memory slot p1

Our evolution process involves two genetic operators – crossover and mutation. Crossover derives two new genomes (offspring) from two existing ones (parents). We have implemented one point crossover. Both parents are split at the same point. One offspring inherits the first part from one parent and the second part from the other. The second offspring inherits the remaining parts. The point of splitting is chosen randomly, but has to respect the boundaries of substrategies. Hence the point is between two substrategies. We used the crossover with a probability ranging from 0 (no crossover) up to 0.5, which means massive crossover. Note that crossover can substitute for the reproduction operator, which we thus have not implemented.

Mutation simply goes through the genome elements (triggers, instructions and all the parameters and switches) and each one randomly changes with the probability of mutation. This probability is fixed for the whole evolution process; we used both massive mutation (probability 0.1) and normal mutation (probability 0.01). After the actual mutation, we performed a validation step to validate the resulting genome. Unwanted constructions can be removed from the genome in this phase. We are thus able to ban some kinds of attacks.

Regarding the population size, we have tried a small population of 5 individuals as well as a larger population of 20 individuals.

Natural selection was based on the fitness function. One third of the individuals with the best fitness value became parents of the new generation.
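As an added example (not code from the thesis or from the Sensor Security Simulator), the following Python sketch interprets the genome layout of section 5.3.2 with its condition mechanism (an element runs only when cv is lower than the addressed condition memory slot, and cms 0 always runs; a skipped trigger skips its whole row) and implements the one-point crossover that splits only between substrategies. The node model, the tuple encoding, the names of the helpers and the automatic-decrement behaviour are simplifying assumptions; the per-instruction pruning switch is left out.

```python
"""Added example, not code from the thesis or the Sensor Security Simulator.
Genome = list of substrategies; substrategy = [trigger, ins, ins, ...];
trigger = (name, cms, cv); instruction = (name, cms, cv, *params).
The boolean pruning switch of section 5.3.2 is omitted for brevity."""
from dataclasses import dataclass, field

CMS_SLOTS = 4  # constructed size; slot 0 is the "always execute" slot


@dataclass
class MaliciousNode:
    """Simplified node state: condition memory slots and a log of actions."""
    cmem: list = field(default_factory=lambda: [0] * CMS_SLOTS)
    actions: list = field(default_factory=list)


def condition_holds(node, cms, cv):
    """Section 5.3.2 rule: cms 0 always passes, otherwise cv < cmem[cms]."""
    if cms == 0:
        return True
    return cv < node.cmem[cms]


def run_substrategy(node, substrategy, event):
    """Run one row of the genome for an event. Returns the number of
    instructions actually executed (0 when the trigger did not fire, in
    which case the whole row is skipped, as the thesis specifies)."""
    trig_name, trig_cms, trig_cv = substrategy[0]
    if trig_name == "TRIG_NOP" or trig_name != event:
        return 0
    if not condition_holds(node, trig_cms, trig_cv):
        return 0
    executed = 0
    for name, cms, cv, *params in substrategy[1:]:
        if name == "INS_NOP" or not condition_holds(node, cms, cv):
            continue
        if name == "INS_SET_CMEM":
            node.cmem[params[0]] = params[1]
        elif name == "INS_ADD_CMEM":
            node.cmem[params[0]] += params[1]
        elif name == "INS_SUB_CMEM":
            node.cmem[params[0]] -= params[1]
        else:
            # any other instruction is only recorded here; a simulator would act on it
            node.actions.append((name, tuple(params)))
        executed += 1
    return executed


def run_event(node, genome, event):
    """Dispatch an event to every substrategy whose trigger matches it."""
    return sum(run_substrategy(node, row, event) for row in genome)


def tick(node):
    """Automatic decrement of positive condition slots (assumed reading of
    'automatically decremented by node' in section 5.3.2)."""
    for i in range(1, CMS_SLOTS):
        if node.cmem[i] > 0:
            node.cmem[i] -= 1


def one_point_crossover(parent_a, parent_b, point):
    """One-point crossover respecting substrategy boundaries: the split
    index counts whole rows, so no trigger/instruction row is torn apart."""
    if not 1 <= point < min(len(parent_a), len(parent_b)):
        raise ValueError("split point must lie between two substrategies")
    child_a = parent_a[:point] + parent_b[point:]
    child_b = parent_b[:point] + parent_a[point:]
    return child_a, child_b


def demo_condition_mechanism():
    """Constructed genome: on each overheard DATA message, store it in
    message slot 1 but only while condition slot 1 is still positive;
    the last instruction (cms 0, always) counts the slot down."""
    node = MaliciousNode()
    genome = [
        [("TRIG_DATA", 0, 0),
         ("INS_STORE_M", 1, 0, 1),        # runs only while 0 < cmem[1]
         ("INS_SUB_CMEM", 0, 0, 1, 1)],   # always: cmem[1] -= 1
        [("TRIG_NOP", 0, 0),
         ("INS_SEND_ORTS", 0, 0)],        # never fires
    ]
    node.cmem[1] = 2                      # budget of two stored messages
    counts = [run_event(node, genome, "TRIG_DATA") for _ in range(3)]
    return counts, [a[0] for a in node.actions], node.cmem[1]


if __name__ == "__main__":
    print(demo_condition_mechanism())  # ([2, 2, 1], ['INS_STORE_M', 'INS_STORE_M'], -1)
```

The third event shows the budget running out: only the unconditional INS_SUB_CMEM executes, so the count drops from 2 to 1.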

5.3.3 Network simulator

Generated attack strategies are evaluated using the wireless sensor network simulator Sensor Security Simulator [SM07]. This simulator was developed at FI MUNI for security analysis of key distribution protocols for WSNs. It supports evolutionary algorithms; the GAlib package is included. We have extended the Sensor Security Simulator by implementing advanced support of routing protocols containing the time dimension of routing. We have also implemented two routing protocols: Minimum Cost Forwarding (details in section 5.4.1) and Implicit Geographic Forwarding (details in section 3.3.1). The implementation was designed to support the execution of generated attack strategies. Furthermore, it accepts the language of the attack strategy generator, thus no translation of the generated attack strategy is needed.

One of the goals of the implementation was high performance of the simulator, because we needed to evaluate a large number of attack strategies in reasonable time. Hence the simulator contains some level of abstraction; for example, the time of message transmission between two nodes is constant. However, we believe that this abstraction should not have much impact on our aims.

We have also considered the possibility of using an existing simulator such as the NS-2 simulator [NS08]. But these simulators are mainly designed to emulate real conditions as closely as possible and thus are significantly slower than our simulator.

5.3.4 Fitness functions

In order to successfully use evolutionary algorithms, it is necessary to find an appropriate fitness function. We have implemented four different fitness functions. Each represents a slightly different attacker's goal.

Number of delivered messages – the fitness value is computed as the fraction of all generated messages and messages delivered to the base stations. This value reflects the ability of the attacker to deny the service and disrupt message availability.

Number of messages passing through malicious nodes – the fitness value equals the number of legitimate messages (not generated by the attacker) that passed through the malicious nodes. Each message is counted only once, although it may pass through many malicious nodes. The value indicates the ability of the attacker to attract the traffic and include itself in the path of the data flow. An attacker controlling the data flow may effectively eavesdrop or perform selective forwarding.

Length of the path – the average physical length of the path taken by legitimate messages. The attacker may extend the length of the path to increase latency and involve more nodes in the routing process, thus bringing in inefficiency and energy wastage.

Length of the path in unique hops – the average path length of legitimate messages counted in unique hops. The goals of this attacker are similar to the goals of the previous one. However, the previous fitness function could trade on loops in the routing scheme. Since such loops could be detected, we have decided to implement a fitness function that does not reward creating loops. Another difference is that this function reflects only the length in hops, whereas the previous one includes the physical length of the path no matter the hop count.

The design of a proper fitness function is often a matter of intuition and educated guess, at least in the initial phases of the design process. Some fitness functions can turn out to be inconvenient after some time. Experience is very important and may lead to further improvement of the fitness function. We have decided to implement our fitness functions because we felt they could express the attacker's gradual progress.
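The four fitness functions of section 5.3.4, computed over a constructed trace of simulator statistics, as an added example that is not the thesis's code. Two readings are assumptions: "fraction of all generated messages and messages delivered" is taken as generated / delivered (higher when fewer messages arrive), and "unique hops" is taken as the number of distinct nodes visited minus one, which is what makes a routing loop worthless for the fourth function.

```python
"""Added example, not the thesis's code: the four fitness functions of
section 5.3.4 computed from a constructed trace of simulator statistics.
Assumed readings: delivered-messages fitness = generated / delivered;
unique hops = distinct nodes visited minus one."""
import math
from dataclasses import dataclass


@dataclass
class MessageRecord:
    """One routed message as a simulator might report it."""
    by_attacker: bool     # generated by a malicious node?
    delivered: bool       # reached a base station?
    route: list           # node ids in transmission order, source first


def legitimate(trace):
    return [m for m in trace if not m.by_attacker]


def fitness_delivered(trace):
    """generated / delivered; if nothing was delivered the attacker gets
    the maximal value (assumed convention to avoid division by zero)."""
    generated = len(trace)
    delivered = sum(1 for m in trace if m.delivered)
    return float(generated) if delivered == 0 else generated / delivered


def fitness_through_malicious(trace, malicious):
    """Legitimate messages that touched a malicious node, each counted once
    even when the route crosses malicious nodes several times."""
    return sum(1 for m in legitimate(trace) if malicious.intersection(m.route))


def physical_length(route, positions):
    return sum(math.dist(positions[a], positions[b])
               for a, b in zip(route, route[1:]))


def fitness_path_length(trace, positions):
    """Average physical length of legitimate routes (loops count fully)."""
    legit = legitimate(trace)
    return sum(physical_length(m.route, positions) for m in legit) / len(legit)


def fitness_unique_hops(trace):
    """Average number of unique hops: revisiting a node adds nothing, so a
    routing loop cannot inflate this fitness value."""
    legit = legitimate(trace)
    return sum(len(set(m.route)) - 1 for m in legit) / len(legit)


# Constructed sample: base station BS at the origin, nodes on a unit grid,
# node "m" under attacker control.
POSITIONS = {"BS": (0, 0), "n1": (1, 0), "n2": (2, 0), "n3": (1, 1), "m": (2, 1)}
MALICIOUS = {"m"}
TRACE = [
    MessageRecord(False, True, ["n2", "n1", "BS"]),        # direct path
    MessageRecord(False, True, ["n2", "m", "n1", "BS"]),   # via malicious node
    MessageRecord(False, False, ["n3", "m", "n3", "m"]),   # looped, then dropped
    MessageRecord(True, True, ["m", "n1", "BS"]),          # attacker-generated
]


def all_fitness_values(trace=TRACE, positions=POSITIONS, malicious=MALICIOUS):
    return {
        "delivered": fitness_delivered(trace),
        "through_malicious": fitness_through_malicious(trace, malicious),
        "path_length": fitness_path_length(trace, positions),
        "unique_hops": fitness_unique_hops(trace),
    }


if __name__ == "__main__":
    for name, value in all_fitness_values().items():
        print(f"{name:>18}: {value:.4f}")
```

On the sample the looped message lifts the physical path length (3 units for a route that visits only two nodes) while contributing a single unique hop, which is exactly the difference between the third and fourth function.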

5.4 Results

We have tried to generate attack strategies on two insecure routing protocols, Minimum Cost Forwarding and Implicit Geographic Forwarding. The granularity of the elementary rules corresponded to the level suitable for generating novel attack strategies. Prior to the presentation of results, we have to admit that we have understood only a fraction of all generated strategies and we were not able to fully analyze the results. It is extremely hard in general to understand the outcome of evolutionary algorithms. We have implemented a pruning technique, which is a common technique that helps to analyze the results of evolution. It prunes out the instructions which have no impact on the fitness value. Our analyses are further based on statistics from the simulator. We have also implemented a simple graphical interface to display the deployment of the network.

We took into account two types of attacker: Single node attacker and Multiple nodes attacker with homogeneous strategy. However, we were not able to distinguish fundamental differences in the resulting strategies for the two attackers. The impact of the discovered attacks was more or less proportional to the number of malicious nodes involved in the attack. We have not detected any interconnection between the actions of malicious nodes (which unfortunately does not mean there are no such interconnections). Thus we will discuss the results without respect to the number of malicious nodes.


5.4.1 Minimum Cost Forwarding

We first briefly describe the protocol and review its security weaknesses. Minimum Cost Forwarding [YCLZ01] is a simple routing technique which indirectly constructs a minimum spanning tree routing structure. The routing is based on cost fields (the cost of the optimal path from a node to the base station) established by periodic broadcast of beacons. The process starts at the base station, which broadcasts its cost field 0. Nodes in range of the broadcast set their cost field to the sum of their own cost (e.g. remaining energy, latency, ...) and the broadcasted cost field. Then they broadcast their own cost field. Obviously, each node receives multiple different cost fields. The node only accepts a cost field that is equal to or lower than the previous one. In that case, the node modifies its cost field and starts a new broadcast. After some time, all nodes have their cost fields equal to the cost of the optimal path to the base station.

When a node generates a new message, it assigns a credit to that message. The credit equals the node's cost field minus the cost of the node. The message is then broadcast to all neighboring nodes. One of these nodes has a cost field equal to the message credit. This node lies on the optimal path and thus forwards the message. First, it modifies the credit of the message and then rebroadcasts it.

The routing does not require IDs of the nodes. The path of the message is optimal with respect to the costs of the nodes. Hence the routing structure forms a minimum spanning tree rooted at the base station. The initial flooding can be reduced by forcing the nodes to wait some time before rebroadcasting the beacon. They can obtain a lower cost during this time interval.
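The two phases just described, run on a constructed five-node topology, as an added example that is not the thesis's or the simulator's code. Assumptions: links are symmetric and lossless, a beacon is rebroadcast only when it strictly lowers the receiver's cost field (accepting an equal value changes nothing, so the flood terminates), and when several neighbours hold the matching cost field the first one in the adjacency list forwards.

```python
"""Added example, not the thesis's code: Minimum Cost Forwarding on a
constructed five-node topology. establish_cost_fields() models the beacon
flooding of section 5.4.1, forward_message() the credit-based forwarding.
Assumed simplifications: symmetric lossless links, rebroadcast only on a
strict improvement, first matching neighbour forwards."""
from collections import deque

INF = float("inf")

# Constructed topology: adjacency lists and each node's own cost.
NEIGHBORS = {
    "BS": ["A", "B"],
    "A": ["BS", "C"],
    "B": ["BS", "C"],
    "C": ["A", "B", "D"],
    "D": ["C"],
}
OWN_COST = {"BS": 0, "A": 1, "B": 2, "C": 1, "D": 3}


def establish_cost_fields(neighbors, own_cost, base_station):
    """Beacon phase: the base station advertises 0; every receiver sets
    cost_field = own_cost + advertised when that is lower than what it
    holds, then rebroadcasts. Returns (cost fields, number of beacons sent)."""
    cost_field = {node: INF for node in neighbors}
    cost_field[base_station] = 0
    pending = deque([base_station])
    beacons = 0
    while pending:
        sender = pending.popleft()
        beacons += 1
        for node in neighbors[sender]:
            candidate = own_cost[node] + cost_field[sender]
            if candidate < cost_field[node]:
                cost_field[node] = candidate
                pending.append(node)   # improved, so this node rebroadcasts
    return cost_field, beacons


def forward_message(neighbors, cost_field, own_cost, source, base_station):
    """Data phase: credit = cost_field - own_cost of the current holder,
    i.e. the cost field of the next hop on the optimal path. The neighbour
    with exactly that cost field forwards and recomputes the credit.
    Returns (path, delivered)."""
    path = [source]
    current = source
    credit = cost_field[source] - own_cost[source]
    while current != base_station:
        matching = [n for n in neighbors[current] if cost_field[n] == credit]
        if not matching or len(path) > len(neighbors):
            return path, False        # no forwarder, or a loop: message is lost
        current = matching[0]
        credit = cost_field[current] - own_cost[current]
        path.append(current)
    return path, True


def run_demo():
    fields, beacons = establish_cost_fields(NEIGHBORS, OWN_COST, "BS")
    path, ok = forward_message(NEIGHBORS, fields, OWN_COST, "D", "BS")
    return fields, beacons, path, ok


if __name__ == "__main__":
    fields, beacons, path, ok = run_demo()
    print("cost fields:", fields, "after", beacons, "beacons")
    print("route from D:", " -> ".join(path), "delivered" if ok else "lost")
```

Node C ends with cost field 2 via A (1 + 1) rather than 4 via B, so the message from D takes D, C, A, BS without any node ID ever appearing in a packet.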

Karlof and Wagner [KW03] have analyzed the security of this protocol. Obviously, an attacker can claim to be a base station and attract all traffic. A HELLO flood attack is also possible. The missing authentication is critical in this case.

We suggest using the ARMS protocol for authentication of local broadcasts. This could prevent HELLO floods, because each node knows its neighbors and messages are authenticated. It could also discourage the outsider attacker. If a node is compromised, it can easily advertise an extremely low cost path even if ARMS is implemented. However, such a node could be somehow detected by its neighbors and eliminated from the network. This possibility can be a subject of further research. Ideas of the SeRINS algorithm and its neighbor report system could be helpful.


Several basic attacks were discovered by our mechanism.

Forging beacons

The generated attack strategy exploited the fundamental weakness of the algorithm. An attacker based on this strategy impersonated the base station by sending a beacon packet with cost field equal to 0. We consider this result trivial, because one of the instructions was SEND_BEACON with parameter cost field. However, the attacker understood the need to broadcast a low cost field. This attack was extremely powerful and stopped further evolution. New individuals were always getting back to this solution. We thus decided to ban broadcasting cost field 0, but the attacker kept broadcasting as low a cost field as possible. Finally we banned the instruction SEND_BEACON completely. The attacker, who was not able to generate fake beacons, came up with a replay attack. After obtaining a beacon from his neighbor, he immediately forwarded it without proper modification of the cost field. Hence he was able to decrease his real cost field. In this case, the impact on routing was not so dramatic.

Selective forwarding

Evolution also generated an attack strategy capable of dropping messages passing through the malicious nodes. This can be classified as a selective forwarding or blackhole attack. The attacker found several techniques for dropping messages. The basic one is using the simple DROP_MESSAGE instruction from the set of elementary rules. But he was also able to find a more complicated mechanism for dropping messages. He first stored the message into a memory slot without forwarding it. Subsequently he overwrote the memory slot with another message. This approach is indeed complicated and unnecessary, but it demonstrates the capability of evolutionary algorithms to come up with several procedures to achieve the same goal.

Dropping messages occurred in strategies whose evolution used the fitness function based on the number of delivered messages. This result was expected. However, it also became the basic principle of the strategies which tried to extend the path of the messages. This holds for both fitness functions involving the length of the path.

The attacker tried to maximize the average length of the path by dropping messages which traveled only short distances. To evolve these attack strategies, we have used three basic settings. The first setting has a fixed network topology and message flows. Thus the attacker is able to identify messages which travel only short distances by trying to drop them. The fitness value provides him with feedback on how the average length has changed. In the next generation, the attacker can try to drop another message. The attacker is thus learning the flows of data during the evolution. The ability of the attacker to adapt the strategy to the concrete topology and traffic pattern can be classified as a success. There can be applications with a priori known and fixed data flows and topology. In such a scenario, the attacker can optimize itself to achieve optimal results.

Another setting used a random topology and data flow for each attack strategy. This setting was not suitable for evolution. The fitness value achieved by an individual was highly dependent on the generated topology, hence even a poor individual could achieve a good fitness value in a specific run of the simulator. This led to varying fitness values and the elimination of good individuals.

The last setting uses a set of multiple different topologies and data flows for the evaluation of a single attack strategy. We expected a lower fitness value, because evolution could not optimize the strategy for a specific pattern. This expectation was confirmed. However, evolution was still able to find at least some strategy for dropping messages which improved its fitness value.
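The fixed-topology and multi-topology settings above can be reproduced on a small scale. The following Python program is an added example, not the thesis' Sensor Security Simulator code: it encodes a selective-forwarding strategy as one drop bit per source ID, evaluates it by shortest-path routing on constructed topologies with a single malicious node, uses the average path length of delivered messages as the fitness, and evolves the mask with a simple elitist genetic algorithm. The two topologies TOPOLOGY_A and TOPOLOGY_B, the fitness definition and the helper names evolve and brute_force are this example's own assumptions; the brute-force search over all masks is there to show how far the evolved strategy is from the true optimum, and evaluating one mask over both topologies shows the fitness downgrade the thesis observed in the multi-topology setting.

```python
"""Evolving a selective-forwarding strategy against a path-length fitness.
Added example, not the thesis' Sensor Security Simulator.  Assumed model:
shortest-path routing to one sink, one malicious node, and a strategy that
is one bit per source ID (drop messages from that source when they pass
through the malicious node)."""
import random
from collections import deque

# Constructed topologies (adjacency lists).  'S' is the sink, node 3 is the
# attacker.  In A the attacker sits on every path from 0, 1, 2, 4 and 6; in B
# the same sources route through it but with different path lengths.
TOPOLOGY_A = {'S': [3, 5], 3: ['S', 2], 2: [3, 1, 4], 1: [2, 0], 0: [1],
              4: [2, 6], 6: [4], 5: ['S', 7], 7: [5, 8], 8: [7]}
TOPOLOGY_B = {'S': [3, 7], 3: ['S', 0, 2], 0: [3], 2: [3, 4], 4: [2, 1, 6],
              1: [4], 6: [4], 7: ['S', 5], 5: [7, 8], 8: [5]}
SOURCES = [0, 1, 2, 4, 6, 7, 8]       # each source sends one message to 'S'
ATTACKER = 3
SCENARIO_A = (TOPOLOGY_A, SOURCES, ATTACKER)
SCENARIO_B = (TOPOLOGY_B, SOURCES, ATTACKER)


def shortest_path(graph, src, dst):
    """BFS; returns the node list from src to dst, or [] if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return []
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def simulate(drop_mask, scenario):
    """Hop counts of the messages that reach the sink.  A message is lost iff
    its route crosses the attacker and the drop bit of its source is set."""
    graph, sources, attacker = scenario
    delivered = []
    for i, src in enumerate(sources):
        path = shortest_path(graph, src, 'S')
        if not path or (attacker in path and drop_mask[i]):
            continue
        delivered.append(len(path) - 1)
    return delivered


def fitness(drop_mask, scenarios):
    """Average path length of delivered messages, averaged over scenarios.
    This is the objective the thesis found to be 'gamed' by dropping."""
    total = 0.0
    for sc in scenarios:
        hops = simulate(drop_mask, sc)
        total += sum(hops) / len(hops) if hops else 0.0
    return total / len(scenarios)


def evolve(scenarios, n_bits, generations=40, pop_size=20, seed=1):
    """Elitist GA over drop masks; returns (best_mask, its fitness)."""
    rng = random.Random(seed)
    # the honest (no-drop) mask seeds the population, so with elitism the
    # result can never fall below the no-attack baseline
    pop = [[0] * n_bits] + [[rng.randint(0, 1) for _ in range(n_bits)]
                            for _ in range(pop_size - 1)]
    for _ in range(generations):
        scored = sorted(pop, key=lambda m: fitness(m, scenarios), reverse=True)
        children = [scored[0]]                       # elite survives unchanged
        while len(children) < pop_size:
            a, b = rng.sample(scored[:pop_size // 2], 2)   # parents from the better half
            cut = rng.randrange(1, n_bits)                   # one-point crossover
            child = [bit ^ (rng.random() < 1.0 / n_bits)    # per-bit mutation
                     for bit in a[:cut] + b[cut:]]
            children.append(child)
        pop = children
    best = max(pop, key=lambda m: fitness(m, scenarios))
    return best, fitness(best, scenarios)


def brute_force(scenarios, n_bits):
    """Exhaustive optimum, feasible only for this toy size (2**n_bits masks)."""
    best = None
    for code in range(1 << n_bits):
        mask = [(code >> i) & 1 for i in range(n_bits)]
        f = fitness(mask, scenarios)
        if best is None or f > best[1]:
            best = (mask, f)
    return best


if __name__ == "__main__":
    n = len(SOURCES)
    print("baseline A:      ", fitness([0] * n, [SCENARIO_A]))
    print("brute-force A:   ", brute_force([SCENARIO_A], n))
    print("evolved A:       ", evolve([SCENARIO_A], n))
    print("brute-force A+B: ", brute_force([SCENARIO_A, SCENARIO_B], n))
    print("evolved A+B:     ", evolve([SCENARIO_A, SCENARIO_B], n))
```

Because the fitness is a plain average over delivered messages, the best strategy for topology A keeps only the two longest flows through the attacker and drops the rest (fitness 3.25 against a no-drop baseline of 3.0), while the mask that is best for both topologies together only reaches 3.0: a strategy tuned to one fixed traffic pattern loses its edge as soon as it has to work on several. This is also why the thesis found dropping in strategies evolved for a path-length objective, and it is a caveat for anyone writing such fitness functions: a length metric without a delivery-ratio term rewards blackholing.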

These results confirm the prevailing opinion that evolutionary algorithms are primarily suitable for simple optimization problems. We see great potential in this and should focus more on optimization-like problems in the future.

The attacks revealed by evolution confirmed the weakness of IGF, which is the missing authentication of messages and the missing check of their integrity. The replay attack also drew attention to the problem of message freshness. Possible countermeasures were discussed above.

5.4.2 Implicit Geographic Forwarding

Evolution was also successful in generating attack strategies against IGF. Implicit geographic forwarding is described in section 3.3.1. The elementary rules used for the evolution of attack strategies targeting IGF are presented in section 5.3.2.

[Figure 5.4 (diagram): the pruned rushing-attack substrategy
    TRIG_ORTS
    STORE_M 1
    LOAD_M 1
    GET_N 1 0 1
    SEND_CTS 1
 with the diagram labels: incoming ORTS (message M, sender ID); message memory, slots 1-5; identity memory, slots 1-5; temporary memory; sending immediate CTS (CTS MY_ID ID).]

Figure 5.4: Rushing attack. The action is triggered by an incoming Open RTS message M. This message is stored into message memory slot 1. Then M is loaded from the slot into temporary memory. Instruction GET_N 1 0 1 extracts from the message in slot 1 the ID of the sender (field 0) and stores it into identity memory slot 1. The last instruction sends the CTS message to the ID from identity memory slot 1. We were not able to identify the purpose of loading the message into the temporary memory.

Rushing attack

We defined four different fitness functions. Each one stands for a slightly different attacker's goal. However, all these goals have some sub-goals in common. One of these sub-goals is to attract as much traffic as possible. Therefore evolution developed an attack strategy which mounts the so-called rushing attack. This attack is one of the known attacks on IGF and its goal is to attract the traffic flowing through the neighboring nodes. The malicious node does not respect the CTS timer and immediately answers the Open RTS. Thus the sender chooses it as the next hop. The generated strategy consists of five substrategies. The pruned substrategy describing the rushing attack is shown in figure 5.4. There are 4 instructions in the substrategy; however, only 3 of them form the rushing attack. The extra instruction is LOAD_M, which loads the message into temporary memory. Unfortunately we were not able to identify the purpose of this step. The message stored in the temporary memory may be sent by another substrategy or used to overwrite a memory slot. We consider this attack a nice example of the capabilities of evolution.

The problem of the rushing attack is addressed and solved in SIGF. The sender waits for multiple CTS messages and selects one of them. The selection can be random or based on a reputation system.
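The handshake step the rushing attack abuses, and the SIGF remedy just described, as an added example in Python (not code from the thesis or from the IGF/SIGF papers). Honest neighbours set their CTS timer according to the progress they offer toward the destination (a simplified linear form of IGF's timer, assumed here), the malicious node replies at once, and the sender either takes the first CTS (IGF) or collects every CTS heard within a window and chooses among them at random or by reputation (the two SIGF options named above). The node positions and IDs, RADIO_RANGE, T_MAX and the reputation table are constructed for the example.

```python
"""IGF next-hop selection under a rushing attacker, and the SIGF remedy of
collecting several CTS replies before choosing.  Added example, not code
from the thesis or from the IGF/SIGF papers.  Assumed simplification: an
honest neighbour delays its CTS in proportion to how little progress it
offers toward the destination (IGF ranks candidates by progress; the exact
timer formula of IGF is not reproduced)."""
import math
import random

RADIO_RANGE = 10.0   # assumed transmission range (distance units)
T_MAX = 1.0          # assumed longest honest CTS delay (time units)

# Constructed neighbourhood: sender at the origin, destination far to the
# right, three honest neighbours A, B, C, one rushing node M, and one node D
# behind the sender (no progress, so it must stay silent).
SENDER = (0.0, 0.0)
DEST = (30.0, 0.0)
NEIGHBOURS = [
    {"id": "A", "pos": (8.0, 0.0), "malicious": False},
    {"id": "B", "pos": (5.0, 3.0), "malicious": False},
    {"id": "C", "pos": (3.0, -6.0), "malicious": False},
    {"id": "D", "pos": (-4.0, 2.0), "malicious": False},
    {"id": "M", "pos": (1.0, 1.0), "malicious": True},
]


def progress(node_pos, sender_pos, dest_pos):
    """How much closer to the destination a forward through node_pos gets."""
    return math.dist(sender_pos, dest_pos) - math.dist(node_pos, dest_pos)


def cts_delay(node, sender_pos, dest_pos):
    """Honest nodes: delay shrinks as progress grows; nodes offering no
    progress stay silent (None).  A rushing node ignores the timer."""
    if node["malicious"]:
        return 0.0
    p = progress(node["pos"], sender_pos, dest_pos)
    if p <= 0.0:
        return None
    return T_MAX * (1.0 - min(p, RADIO_RANGE) / RADIO_RANGE)


def collect_cts(neighbours, sender_pos, dest_pos, window):
    """CTS replies heard within `window` after the first one, earliest first.
    window=0 is plain IGF: only the first reply counts."""
    replies = []
    for n in neighbours:
        d = cts_delay(n, sender_pos, dest_pos)
        if d is not None:
            replies.append((d, n["id"]))
    if not replies:
        return []
    replies.sort()
    first = replies[0][0]
    return [nid for d, nid in replies if d <= first + window]


def igf_next_hop(neighbours, sender_pos, dest_pos):
    """Plain IGF: the first CTS wins, so a rushing node is always chosen."""
    cands = collect_cts(neighbours, sender_pos, dest_pos, window=0.0)
    return cands[0] if cands else None


def sigf_next_hop(neighbours, sender_pos, dest_pos, window, rng=None, reputation=None):
    """SIGF: keep listening for `window` after the first CTS, then pick one
    candidate uniformly at random or, given a reputation table, the
    best-reputed one."""
    cands = collect_cts(neighbours, sender_pos, dest_pos, window)
    if not cands:
        return None
    if reputation is not None:
        return max(cands, key=lambda nid: reputation.get(nid, 0.0))
    return (rng or random).choice(cands)


def attacker_share(neighbours, sender_pos, dest_pos, window, trials=1000, seed=7):
    """Fraction of random SIGF selections that still land on a malicious node."""
    rng = random.Random(seed)
    bad = {n["id"] for n in neighbours if n["malicious"]}
    hits = sum(sigf_next_hop(neighbours, sender_pos, dest_pos, window, rng) in bad
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    reputation = {"A": 0.9, "B": 0.8, "C": 0.7, "M": 0.1}   # constructed history
    print("IGF next hop:                ", igf_next_hop(NEIGHBOURS, SENDER, DEST))
    print("SIGF candidates (window 0.6):", collect_cts(NEIGHBOURS, SENDER, DEST, 0.6))
    print("SIGF reputation pick:        ",
          sigf_next_hop(NEIGHBOURS, SENDER, DEST, 0.6, reputation=reputation))
    print("attacker share, random SIGF: ", attacker_share(NEIGHBOURS, SENDER, DEST, 0.6))
```

Plain IGF always picks M. With a 0.6 time-unit window the sender hears M, A and B; a random choice still hands M roughly one forward in three, which only dilutes the attack, whereas a reputation table that already rates M low removes it. The window costs latency on every hop, which is the trade-off SIGF makes.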

MAC layer jamming

IGF is integrated into the RTS/CTS handshake, thus the elementary rules contain instructions such as SEND_ORTS and SEND_CTS, which enable the attack strategy to control medium access. Evolution exploited these instructions to cause collisions on the medium. Two or more packets have to be sent during a short time period (within one substrategy) to block the medium for all neighboring nodes. This led to a DoS attack strategy which totally crippled the neighborhood.

The probability that this attack occurs in a substrategy is very high, and the blocked medium can limit not only the attacker's neighbors but also the attacker itself. We therefore banned this kind of attack: in the new setting, attack strategies could send just a single message at a time. This was exploited to selectively corrupt communication and thus to perform selective forwarding (dropping). The attacker sent a message at the time another node was transmitting. The impact was the same as in the case of IGF and selective forwarding. Evolution started to optimize the occurrence of collisions to achieve the best fitness value. The same topology settings as for IGF were tested and the results were similar.

These attacks exploited properties of the physical layer. The majority of routing protocol designs neglect this kind of attack and let the lower layers solve it. However, IGF and also SIGF are integrated into the RTS/CTS handshake and cannot be built on a different MAC protocol. We consider this a weakness of both IGF and SIGF: no more robust MAC protocol can be used with them. However, local jamming attacks decrease the performance of all MAC protocols, and therefore this weakness should not be taken as critical.


Neighborhood congestion

Another attack strategy also turned out to be a DoS attack. Sensor nodes have limited buffers for storing forwarded messages. An attack strategy repeatedly sending data, in combination with a blocked medium, results in congestion of these buffers. Thus nodes are forced to drop subsequent incoming messages. Overloading the system is a typical DoS attack, which is usually addressed by intrusion detection systems. A malicious node sending an extreme number of packets should thus be detected by the IDS and eliminated from the network.

5.4.3 Experience and future work

We collected a lot of experience during the work with evolutionary algorithms. We see the greatest potential of their use in optimization problems, thus in the optimization of known attack strategies rather than in the generation of novel attacks. We also encountered the ability of evolutionary algorithms to exploit bugs in the implementation. In the early phases of our experiments, strategies sometimes achieved unusually high fitness values. This was caused by unexpected constructions of strategies, which exploited an incomplete specification of the routing protocol and thus an incomplete implementation or fitness function. The weird behavior of an attacker also revealed bugs in the code which led to massive memory leaks. Therefore we suggest using a real system instead of a simulator: evolution could find bugs in a particular implementation or in an incomplete specification of the routing algorithm.

There is a lot of room for future research in this area. We would like to focus on the development of tools for better analysis of generated strategies. We have designed the architecture of a graphical module which would display the routing and attacker actions step by step in time. The implementation of this module is pending. Furthermore, we would like to design more complex fitness functions combining several metrics. A redefinition of the elementary rules could also bring new results. There is also the possibility of implementing and testing other routing protocols.

We are aware of the power of evolution in optimization. Therefore we will try to formulate the task as an optimization problem in the future. It is a challenge for us to find such problems in the area of secure routing.

We are also considering generating attack strategies against particular defenses or detection mechanisms rather than against routing protocols. An approach similar to that used for IDS testing [FL06] could be beneficial: the attacker tries to modify the appearance of a known attack strategy to bypass a particular IDS.

A completely different idea is to automatically generate defensive strategies. We know that it is unlikely to evolve a universal defense strategy; however, evolution could be useful for generating a defensive strategy against a particular attack. Evolution has already been successful in this task [SM07].


Chapter 6

Conclusion

In this thesis, we examined security in wireless sensor networks with special emphasis on the security of routing protocols. We reviewed two mechanisms for authenticated broadcast (µTesla, ARMS) and several secure routing protocols (SIGF, SDD, SeRINS, Clean Slate Approach). We also considered their weaknesses and strong points. The results show that these protocols are suitable for sensor networks and provide a sufficient level of security for most applications.

In the second half of the thesis, a novel concept for the automatic design of attack strategies was described. This concept is the result of my joint work with Petr Svenda. The usability of the concept was tested: new attack strategies on routing protocols for wireless sensor networks were generated using evolutionary algorithms. Several basic attacks were found. These attacks demonstrate the possibilities and potential of evolutionary algorithms.

We also extended the Sensor Security Simulator and implemented two routing algorithms (Minimum cost forwarding, Implicit geographic routing).

We take the results of this thesis as a solid basis for further research in this field. Both the problem of secure routing in WSN and the problem of automatic attack design require novel research directions.


Bibliography

[AKK04] J. N. Al-Karaki and A. E. Kamal. Routing techniques in wireless sensor networks: a survey. IEEE Wireless Communications, vol. 11, issue 6, pages 6–28, 2004.

[ASSC02] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci. Wireless sensor networks: a survey. Comput. Netw., vol. 38, issue 4, pages 393–422, 2002.

[BHSS03] B. Blum, T. He, S. Son, and J. Stankovic. IGF: A state-free robust communication protocol for wireless sensor networks. Technical Report CS-2003-11, Department of Computer Science, University of Virginia, USA, 2003.

[BNKF98] W. Banzhaf, P. Nordin, R. E. Keller, and F. D. Francone. Genetic Programming – An Introduction. Morgan Kaufmann Publishers, San Francisco, CA, 1998.

[DHM02] J. Deng, R. Han, and S. Mishra. INSENS: Intrusion-tolerant routing in wireless sensor networks. Technical Report CU-CS-939-02, Department of Computer Science, University of Colorado, 2002.

[EG02] Laurent Eschenauer and Virgil D. Gligor. A key-management scheme for distributed sensor networks. In CCS '02: Proceedings of the 9th ACM conference on Computer and communications security, pages 41–47, New York, NY, USA, 2002. ACM.

[FL06] Prahlad Fogla and Wenke Lee. Evading network anomaly detection systems: formal reasoning and practical techniques. In CCS '06: Proceedings of the 13th ACM conference on Computer and communications security, pages 59–68, New York, NY, USA, 2006. ACM.

[HPJ03] Y. C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: a defense against wormhole attacks in wireless networks. In INFOCOM 2003, Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies, volume 3, pages 1976–1986. IEEE, 2003.

[HSW+00] Jason Hill, Robert Szewczyk, Alec Woo, Seth Hollar, David E. Culler, and Kristofer S. J. Pister. System architecture directions for networked sensors. In Architectural Support for Programming Languages and Operating Systems, pages 93–104, 2000.

[IEE99] Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Standard 802.11, June 1999.

[IGE00] Chalermek Intanagonwiwat, Ramesh Govindan, and Deborah Estrin. Directed diffusion: a scalable and robust communication paradigm for sensor networks. In MobiCom '00: Proceedings of the 6th annual international conference on Mobile computing and networking, pages 56–67, New York, NY, USA, 2000. ACM Press.

[KLP03] Chris Karlof, Yaping Li, and Joseph Polastre. ARRIVE: Algorithm for robust routing in volatile environments. Technical Report UCB//CSD-03-1233, Berkeley, CA, March 2003.

[Koz92] John R. Koza. Genetic Programming: On the Programming of Computers by Means of Natural Selection (Complex Adaptive Systems). The MIT Press, December 1992.

[KSW04] Chris Karlof, Naveen Sastry, and David Wagner. TinySec: a link layer security architecture for wireless sensor networks. In SenSys '04: Proceedings of the 2nd international conference on Embedded networked sensor systems, pages 162–175, New York, NY, USA, 2004. ACM Press.

[KW03] Chris Karlof and David Wagner. Secure routing in wireless sensor networks: Attacks and countermeasures. Elsevier's Ad Hoc Networks Journal, Special Issue on Sensor Network Applications and Protocols, vol. 1, issue 2–3, pages 293–315, September 2003.

[Lam81] Leslie Lamport. Password authentication with insecure communication. Communications of the ACM, vol. 24, issue 11, pages 770–772, 1981.


[LC06a] Suk-Bok Lee and Yoon-Hwa Choi. A secure alternate path routing in sensor networks. Computer Communications, vol. 30, issue 1, pages 153–165, December 2006.

[LC06b] Suk-Bok Lee and Yoon-Hwa Choi. ARMS: An Authenticated Routing Message in Sensor Networks. In Secure Mobile Ad-hoc Networks and Sensors, volume 4074/2006 of Lecture Notes in Computer Science, pages 158–173. Springer Berlin / Heidelberg, 2006.

[Mer80] Ralph C. Merkle. Protocols for public key cryptosystems. In Proceedings of the IEEE Symposium on Security and Privacy, page 122, 1980.

[MGL+06] Frederic Massicotte, Francois Gagnon, Yvan Labiche, Lionel Briand, and Mathieu Couture. Automatic evaluation of intrusion detection systems. In ACSAC '06: Proceedings of the 22nd Annual Computer Security Applications Conference, pages 361–370, Washington, DC, USA, 2006. IEEE Computer Society.

[NC07] Nidal Nasser and Yunfeng Chen. Secure multipath routing protocol for wireless sensor networks. In ICDCSW '07: Proceedings of the 27th International Conference on Distributed Computing Systems Workshops, page 12, Washington, DC, USA, 2007. IEEE Computer Society.

[NS78] Roger M. Needham and Michael D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, vol. 21, issue 12, pages 993–999, 1978.

[NS08] The Network Simulator NS-2. http://www.isi.edu/nsnam/ns/, May 2008.

[NSSP04] James Newsome, Elaine Shi, Dawn Song, and Adrian Perrig. The Sybil attack in sensor networks: analysis & defenses. In IPSN '04: Proceedings of the third international symposium on Information processing in sensor networks, pages 259–268, New York, NY, USA, 2004. ACM Press.

[PCST01] Adrian Perrig, Ran Canetti, Dawn Song, and Doug Tygar. Efficient and secure source authentication for multicast. In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2001.


[PLGP06] Bryan Parno, Mark Luk, Evan Gaustad, and Adrian Perrig. Secure sensor network routing: a clean-slate approach. In CoNEXT, page 11, 2006.

[PPG05] Bryan Parno, Adrian Perrig, and Virgil Gligor. Distributed detection of node replication attacks in sensor networks. In SP '05: Proceedings of the 2005 IEEE Symposium on Security and Privacy, pages 49–63, Washington, DC, USA, 2005. IEEE Computer Society.

[PST+02] Adrian Perrig, Robert Szewczyk, J. D. Tygar, Victor Wen, and David E. Culler. SPINS: security protocols for sensor networks. Wirel. Netw., vol. 8, issue 5, pages 521–534, 2002.

[SHJ+02] Oleg Sheyner, Joshua Haines, Somesh Jha, Richard Lippmann, and Jeannette M. Wing. Automated generation and analysis of attack graphs. In SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, page 273, Washington, DC, USA, 2002. IEEE Computer Society.

[SM07] Petr Svenda and Vaclav Matyas. Key distribution and secrecy amplification in wireless sensor networks. Technical Report FIMU-RS-2007-05, Masaryk University, Brno, CR, 2007.

[TM006] Tmote Sky: Datasheet. http://www.sentilla.com/pdf/eol/tmote-sky-datasheet.pdf, 2006.

[WFSH06] Anthony D. Wood, Lei Fang, John A. Stankovic, and Tian He. SIGF: a family of configurable, secure routing protocols for wireless sensor networks. In SASN '06: Proceedings of the fourth ACM workshop on Security of ad hoc and sensor networks, pages 35–48, New York, NY, USA, 2006. ACM Press.

[WS02] Anthony D. Wood and John A. Stankovic. Denial of service in sensor networks. IEEE Computer, vol. 35, issue 10, pages 54–62, 2002.

[WYC04] Xiaoyun Wang, Lizhen Yang, and Kefei Chen. SDD: Secure directed diffusion protocol for sensor networks. In Security in Ad-hoc and Sensor Networks, First European Workshop, ESAS 2004, Heidelberg, Germany, August 2004, volume 3313/2005 of Lecture Notes in Computer Science, pages 205–214. Springer Berlin/Heidelberg.


[YCLZ01] F. Ye, A. Chen, S. Liu, and L. Zhang. A scalable solution to minimum cost forwarding in large sensor networks. In Proceedings of the Tenth International Conference on Computer Communications and Networks, pages 304–309, 2001.

[YM06] Jian Yin and Sanjay Madria. SecRout: A secure routing protocol for sensor networks. In AINA '06: Proceedings of the 20th International Conference on Advanced Information Networking and Applications – Volume 1, pages 393–398, Washington, DC, USA, 2006. IEEE Computer Society.

[ZSJ03] Sencun Zhu, Sanjeev Setia, and Sushil Jajodia. LEAP: efficient security mechanisms for large-scale distributed sensor networks. In CCS '03: Proceedings of the 10th ACM conference on Computer and communications security, pages 62–72, New York, NY, USA, 2003. ACM.


Appendix A

Example of generated attack strategy

Here is an example of a generated attack strategy after pruning. It does not use the conditional memory slots, hence the instructions do not contain all the parameters that are shown in section 5.3.2. All presented instructions are necessary for achieving the maximum fitness value. This strategy contains a rushing attack (the substrategy triggered by TRIG_ORTS). It also disturbs the sending of selected messages by causing collisions on the medium (two messages are sent in a single substrategy, e.g. the two subsequent SEND_ORTS instructions in the last substrategy).

This example illustrates the hardness of strategy analysis. We were not able to completely interpret this strategy.

    TRIG_CTS
    SEND_ORTS
    GENERATE_M 1 2 1
    LOAD_M 1
    STORE_M 1
    SEND_M 1
    GENERATE_M 0 0 1
    ***
    TRIG_CTS_ME
    STORE_M 0
    LOAD_M 0
    SEND_CTS 0
    DROP_M 1
    SEND_M 0
    ***
    TRIG_COLLISION
    SEND_ORTS
    LOAD_M 1
    SEND_ACK 0
    DROP_M 1
    GENERATE_M 0 1 0
    GET_N 0 2 1
    ***
    TRIG_ORTS
    STORE_M 1
    LOAD_M 1
    GET_N 1 0 1
    SEND_CTS 1
    ***
    TRIG_ACK
    GET_N 0 1 0
    SEND_ORTS
    SEND_ORTS
    GENERATE_M 1 2 0

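Reading such listings by hand is hard, so the following Python parser and checks are an added example of the kind of analysis tooling the future-work section asks for; it is not a tool from the thesis. It splits the listing into substrategies, counts transmissions per substrategy (two or more in one reaction is the collision pattern described under MAC layer jamming), recognises the rushing pattern of figure 5.4 (TRIG_ORTS, sender ID extracted with GET_N field 0, CTS sent to that ID), and lists substrategies that drop a stored message. The exact semantics of the instruction set are not on this page; the checks rely only on the opcode names, on "***" as the substrategy separator, and on the figure caption's reading of GET_N, and the assumptions that every SEND_* instruction is one transmission and DROP_M discards a stored message are this example's own.

```python
"""Parser and static checks for the pruned attack strategies printed in this
appendix.  Added example; the thesis analysed the listings by hand.  Taken
from the page: substrategies are separated by '***' and open with a TRIG_*
instruction, and GET_N with field 0 extracts the sender ID (figure 5.4).
Assumed: every SEND_* instruction is one transmission, and DROP_M discards
a stored message."""
import re

SEND_OPS = {"SEND_ORTS", "SEND_CTS", "SEND_ACK", "SEND_M"}

# The appendix listing, one instruction per line, transcribed as the input.
APPENDIX_STRATEGY = """
TRIG_CTS
SEND_ORTS
GENERATE_M 1 2 1
LOAD_M 1
STORE_M 1
SEND_M 1
GENERATE_M 0 0 1
***
TRIG_CTS_ME
STORE_M 0
LOAD_M 0
SEND_CTS 0
DROP_M 1
SEND_M 0
***
TRIG_COLLISION
SEND_ORTS
LOAD_M 1
SEND_ACK 0
DROP_M 1
GENERATE_M 0 1 0
GET_N 0 2 1
***
TRIG_ORTS
STORE_M 1
LOAD_M 1
GET_N 1 0 1
SEND_CTS 1
***
TRIG_ACK
GET_N 0 1 0
SEND_ORTS
SEND_ORTS
GENERATE_M 1 2 0
"""


def parse_strategy(text):
    """Return [(trigger, [(opcode, [int args]), ...]), ...]."""
    subs = []
    for chunk in re.split(r"^\*\*\*$", text.strip(), flags=re.M):
        lines = [ln.split() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        head, *body = lines
        if not head[0].startswith("TRIG_"):
            raise ValueError("substrategy must start with a trigger, got %r" % head)
        subs.append((head[0], [(ins[0], [int(a) for a in ins[1:]]) for ins in body]))
    return subs


def sends_per_substrategy(subs):
    """Number of transmissions each substrategy performs in one reaction."""
    return {trig: sum(op in SEND_OPS for op, _ in body) for trig, body in subs}


def collision_prone(subs):
    """Substrategies that transmit at least twice inside one reaction, the
    pattern the thesis identified as the source of medium collisions."""
    return [trig for trig, n in sends_per_substrategy(subs).items() if n >= 2]


def is_rushing(trigger, body):
    """Rushing pattern from figure 5.4: on an Open RTS, store it, pull the
    sender ID (field 0) into an identity slot, and answer that ID with a CTS."""
    if trigger != "TRIG_ORTS":
        return False
    stored, sender_slots = set(), set()
    for op, args in body:
        if op == "STORE_M" and args:
            stored.add(args[0])
        elif op == "GET_N" and len(args) == 3 and args[0] in stored and args[1] == 0:
            sender_slots.add(args[2])
        elif op == "SEND_CTS" and args and args[0] in sender_slots:
            return True
    return False


def dropping(subs):
    """Substrategies that discard a stored message (selective forwarding)."""
    return [trig for trig, body in subs if any(op == "DROP_M" for op, _ in body)]


def report(text):
    """All checks over one listing, keyed by check name."""
    subs = parse_strategy(text)
    return {
        "substrategies": [t for t, _ in subs],
        "sends": sends_per_substrategy(subs),
        "collision_prone": collision_prone(subs),
        "rushing": [t for t, b in subs if is_rushing(t, b)],
        "dropping": dropping(subs),
    }


if __name__ == "__main__":
    for key, value in report(APPENDIX_STRATEGY).items():
        print("%-16s %s" % (key, value))
```

On the listing above it reports the TRIG_ORTS substrategy as rushing, TRIG_CTS_ME and TRIG_COLLISION as dropping, and four of the five substrategies (all but TRIG_ORTS) as transmitting twice in one reaction, which matches the collision behaviour noted at the start of this appendix. What it cannot tell you is what GENERATE_M or the unexplained LOAD_M are for; that still needs the step-by-step viewer proposed in the future-work section.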