SYNCHRONIZATION AND LOCALIZATION
WIRELESS INFIDELITY
MURIUM IQBAL
SHEKHAR SUMAN
PANKTI MAJMUDAR
SIDDHANTH DESHPANDE
AGENDA
- Time synchronization
- Wireless sensor network synchronization schemes
- Secure synchronization
- Secure Localization in Wireless Networks
- TOA-based secure localization scheme
- Mobility assisted secure localization framework
RESEARCH WE WILL COVER
- Time Synchronization and Localization in Sensor Networks
  http://www.vs.inf.ethz.ch/res/papers/roemer-phd-2005.pdf
- Secure Time Synchronization in Sensor Networks
  http://www.syssec.ethz.ch/research/TISSEC08.pdf
- Secure Localization in Wireless Sensor Networks
  http://wins.lab.asu.edu/files/milcom05.pdf
TIME SYNCHRONIZATION
What is Time-Synchronization
- A method which allows individual entities in a group to synchronize their clocks w.r.t. each other or to some coordinated universal time
The Myth of Simultaneity: “Event 1 and event 2 at same time”
- Observer A: Event 2 is earlier than Event 1
- Observer B: Event 2 is simultaneous to Event 1
- Observer C: Event 1 is earlier than Event 2
TIME SYNCHRONIZATION
Why do we need time-synchronization
- Ordering Events
- Coordinated Action
- Data Logging
- Notion of Global time
- Performance Measurement
TIME SYNCHRONIZATION IN WIRELESS NETWORK
- critical middleware service in wireless networks
- allows engineers to design simpler and more elegant algorithms
- measuring the time of events detected by the sensors
- measuring the time-of-flight of sound
- recognizing duplicate detections of the same event
- ordered logging of events during system debugging,
- integrating multi-sensor data, or
- coordinating on future action
CURRENT SYNCHRONIZATION SCHEMES
- TPSN
- RBS
- Tiny-Sync
- Mini-Sync
- LTS
- FTSP
None of these protocols were designed to operate in adversarial settings
TIMING-SYNC PROTOCOL FOR SENSOR NETWORKS
- Traditional sender-receiver synchronization
- The logic is split into two phases
- Level Discovery Phase
  - A root node is selected from within the network
  - Floods the network with level discovery packets
- Synchronization phase
  - Sender-receiver synchronization
  - Node A sends sync pulse to Node B, Node B responds, Node A syncs with Node B
TIMING-SYNC PROTOCOL FOR SENSOR NETWORKS
- This process continues through the network until all nodes are synced
- Claimed to be more precise than receiver-to-receiver synchronization
- Designed for multi-hop networks
- Has four associated delays: send time, access time, propagation time, and receive time
- Attacks against this scheme
  - Corrupt non-root node with wrong time
  - Malicious node lies about its level
  - Countermeasure would be to use redundancy
REFERENCE BROADCAST SYNCHRONIZATION
- Receiver to receiver synchronization method
- Some nodes selected as beacons to send out sync messages
- Clients can exchange reception times to calculate mutual constraints such as drift and offset
REFERENCE BROADCAST SYNCHRONIZATION
- Eliminates uncertainty in sync path by removing sender
- Can be extended for multi-hop networks
  - Network separated into clusters
  - Gateway nodes established which fall into multiple clusters
  - Gateway nodes transform timing data to go from one cluster to another
REFERENCE BROADCAST SYNCHRONIZATION
- An attack against this synchronization scheme would involve compromising a node to give it an incorrect time
- Since the synchronization is done from receiver to receiver, a malicious node within the network could send an incorrect time stamp during synchronization
- To avoid this attack an authentication process can be implemented (using private keys) between sending and receiving node pairs
TINY-SYNC AND MINI-SYNC
- Makes the assumption that each clock can be estimated by a fixed-frequency oscillator
- Two clocks can be associated with the following equation:
  C_1(t) = a_12 • C_2(t) + b_12
- Uses two-way messaging scheme to solve for a and b
  - Node 1 sends message to Node 2 at timestamp t_o
  - Node 2 receives message at t_b and immediately sends reply
  - Node 1 receives reply at t_r
TINY-SYNC AND MINI-SYNC
- The three time stamps together are one data point
- Multiple exchanges are made to collect multiple data points
- A line is then fitted to these data points
- Upper and lower bounds for unknown values are generated:
TINY-SYNC AND MINI-SYNC
- Tiny-sync
  - Keeps only 4 data point constraints: those which yield the best bounds on estimates among all the data points.
  - This may ignore important information by ignoring a current data point that could be coupled with a future data point to yield better results
- Mini-sync
  - Also eliminates data points, but uses an algorithm to determine if they are truly useless first
  - Data points that may be useful in the future for obtaining tighter bounds are stored
LIGHTWEIGHT TREE-BASED SYNCHRONIZATION
- Has two algorithms for synchronization in multi-hop networks
- The first algorithm is centralized and requires a spanning tree to be formed
- Synchronization is done pair-wise across edges (similar to TPSN)
- The root node is given the entire tree's depth and size
- Root node calculates precision error at leaf nodes, entire tree's synchronization time, and frequency of resynchronization
LIGHTWEIGHT TREE-BASED SYNCHRONIZATION
- Reference nodes spread throughout network
- Each node independently decides to synchronize to nearest reference node as needed
- All nodes along path to nearest reference node synchronize pair-wise
- If a neighbor of this node has already made a sync request, this node can tack onto that request
- Stops nodes from unnecessarily synchronizing entire tree
FLOODING TIME-SYNCHRONIZATION PROTOCOL
- Similar to TPSN
- Anchor node selected at random
- Broadcasts time to entire network periodically
- Nodes use delays across multiple broadcasts to calculate constraints
  - Offset
  - Drift
- Anchor reselected periodically
SECURE TIME SYNCHRONIZATION
- Time Synchronization is important, hence prime target of Malicious Adversary
  - detrimental effect on functionality
  - faulty estimates about the location of other nodes
  - packets will be lost if the sleep-wakeup schedules of nodes do not intersect
  - trivial for adversaries to perform replay attacks in security protocols that use time-stamping
SECURE TIME SYNCHRONIZATION
- Secure Time Synchronization in Sensor Networks - Ganeriwal et al.
  - in-depth security analysis of sender-receiver synchronization protocols
  - proposes a protocol for secure pair-wise time synchronization in sensor networks
  - proposes a protocol for secure group synchronization
TIME SYNCHRONIZATION IN SENSOR NETWORKS
- Two types of synchronization
  - Sender-receiver synchronization
  - Receiver-receiver synchronization
NETWORK-WIDE CLOCK SYNCHRONIZATION
- Relies on above two protocols
- Establish a path among all nodes
  - like MST (spanning tree)
- Synchronize nodes pair-wise
SENSOR NODE CLOCK
- Each node maintains its own clock
  - Only notion of time it has
  - Essentially a timer that counts the oscillations of a quartz crystal running at a particular frequency
- Difference in the clocks of two sensor nodes is referred to as the offset error
WHY DIFFERENT CLOCK TIME
- Three reasons for the nodes to be representing different times in their respective clocks
  - started at different time [Offset]
  - running at different frequency [Skew]
  - frequency of clock changes over time [Drift]
WHY DIFFERENT CLOCK TIME
- Let the clock of node A be represented by CA
- This paper only addresses instantaneous time synchronization, which is Offset Error.
  - no fix for Skew or Drift
SENDER-RECEIVER SYNCHRONIZATION
[Figure: two-way exchange between nodes A and B (labels: Client, Peer). A sends at T1, B receives at T2; B sends at T3, A receives at T4.]
T2 = T1 + DELAY + OFFSET
T4 = T3 + DELAY - OFFSET
OFFSET = {(T2-T1)-(T4-T3)}/2
DELAY = {(T2-T1)+(T4-T3)}/2
ATTACKS ON TIME SYNCHRONIZATION
- Some attacks on sender-receiver protocols
- System Model
  - Set of sensor nodes communicate over radio transmissions
  - Radio links are bi-directional
  - Pair of nodes holds a shared secret key
ATTACKS ON TIME SYNCHRONIZATION
- Attacker Model
  - Omnipresent but computationally bounded adversary
  - Constraints of the used cryptographic methods
  - Able to eavesdrop, insert, modify, and block arbitrary messages
- Two Types
  - External Attacker
  - Internal Attacker
ATTACKS ON TIME SYNCHRONIZATION
- External Attack
  - cannot authenticate herself as an honest network node
  - Attacker manipulates the communication between pairs of mutually trusted nodes
  - Cause them to de-synchronize
  - attack is successful if faulty offset value is calculated at node
ATTACKS ON TIME SYNCHRONIZATION
- Three possible attacks
  - Modify value of T1 and T3
  - Message forging and replay
  - Delaying the transmission of message thus increasing T2 and T4
ATTACKS ON TIME SYNCHRONIZATION
- First two can be fixed by traditional security primitives
  - Encryption, Hash and signature
- Third attack: pulse-delay attack
  - Challenging to detect
  - Jam the initial pulse and replay it at some arbitrary time in the future
  - Create a wormhole and then schedule the packets between the nodes at will
  - Sensor platforms are vulnerable to broadband jamming
PULSE-DELAY ATTACK
- δ is estimated offset in clocks
- d is end-to-end delay
- ∆ is delay introduced by attacker
PULSE-DELAY ATTACK
- Important observation is that by performing a pulse-delay attack, the attacker also changes the computed end-to-end delay
- Infeasible for the attacker to just change the computed clock offset δ without changing the computed end-to-end delay d
SECURE PAIR-WISE TIME SYNCHRONIZATION
- Where d* is maximum end-to-end delay between a pair of nodes
SECURE PAIR-WISE TIME SYNCHRONIZATION
- Message integrity and authenticity are ensured using MAC hash and KAB secret key
  - Prevents external attackers from modifying values
  - Attacker cannot impersonate node B [without KAB]
- Replay attacks are prevented by using a random nonce NA
- Pulse-delay attacks are detected if the delay exceeds the maximum delay d*
  - Requires accurate estimation of d*
END-TO-END DELAY ESTIMATION
- Three major components
  - Medium access time [microseconds to minutes]
  - Packet transmission time [microseconds]
    - deterministic in future
  - Signal propagation time [nanoseconds]
- Medium Access Time
  - Introduces highest uncertainty
  - time-stamp the packets below the MAC layer
  - packets are time-stamped as they are about to be transmitted at the physical layer
  - Achieve an accuracy of few microseconds
MEASUREMENT ON MICA2 MOTES
- Implemented SPS
  - Used TPSN protocol for synchronization
  - MAC layer time stamping to achieve accuracy of approx. 10 μs
  - TinySec, a symmetric cryptography library, is used to calculate MAC on the fly
MEASUREMENT ON MICA2 MOTES
- 14 different discrete values
  - Limited clock granularity on Mica2 motes (about 0.25µs)
  - Software delay happens at the granularity of the CPU clock cycles
- Very low std deviation
  - Roughly 0.5% of the absolute value of davg
- Implies that the end-to-end packet delay will be within a range of 3% of the average delay davg, with a probability of 99.9%
- Allows us to choose an appropriate and stable value of the maximal expected delay d*
PERFORMANCE EVALUATION
- Synchronization precision achieved in a non-malicious setting
  - Follows Gaussian distribution ϵ ~ N(davg, σ/sqrt(2))
- Maximum impact of a pulse-delay attack on the achieved synchronization precision
  - Maximum end-to-end delay: d* = davg + 3*σ
  - Maximum pulse delay: ∆ = 12*σ
  - 40 ms for Mica2 Mote
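The sender-receiver offset computation, the pulse-delay attack and the SPS checks described above (MAC under KAB, nonce NA, bound d* = davg + 3σ), put together as an added Python example that is not part of the original slides or of the paper's code. The reply field layout, HMAC-SHA256 standing in for TinySec, the node ids and the delay samples are constructed assumptions.

```python
import hashlib
import hmac
import os
import statistics
import struct

# Constructed attacker-free end-to-end delay samples in microseconds (not Mica2 data).
SAMPLE_DELAYS_US = [1000, 1004, 996, 1002, 998, 1000]


def max_delay(samples_us):
    """d* = davg + 3*sigma, the bound the slides give for the maximal expected delay."""
    return statistics.mean(samples_us) + 3 * statistics.pstdev(samples_us)


def offset_and_delay(t1, t2, t3, t4):
    """OFFSET and DELAY from the four timestamps of one two-way exchange."""
    offset = ((t2 - t1) - (t4 - t3)) / 2
    delay = ((t2 - t1) + (t4 - t3)) / 2
    return offset, delay


def reply_mac(key, src, dst, nonce, t2, t3):
    # Assumed field layout: ids, nonce N_A, then T2 and T3, all covered by the MAC.
    body = struct.pack(">BB", src, dst) + nonce + struct.pack(">qq", t2, t3)
    return hmac.new(key, body, hashlib.sha256).digest()


def make_reply(key, src, dst, nonce, t2, t3):
    """Node B's reply: echoes N_A and authenticates T2, T3 under K_AB."""
    return {"src": src, "dst": dst, "nonce": nonce, "t2": t2, "t3": t3,
            "mac": reply_mac(key, src, dst, nonce, t2, t3)}


def verify_reply(key, nonce_sent, t1, t4, reply, d_star):
    """Node A's checks, in order: integrity, freshness, delay bound."""
    expected = reply_mac(key, reply["src"], reply["dst"], reply["nonce"],
                         reply["t2"], reply["t3"])
    if not hmac.compare_digest(expected, reply["mac"]):
        return "bad-mac", None          # T2/T3 modified or sender lacks K_AB
    if reply["nonce"] != nonce_sent:
        return "replay", None           # authentic but answers an older N_A
    offset, delay = offset_and_delay(t1, reply["t2"], reply["t3"], t4)
    if delay > d_star:
        return "pulse-delay", None      # computed d exceeds d*: abort
    return "ok", offset


def run_exchange(key, d_star, true_offset, d, pulse_delay=0,
                 tamper=False, old_reply=None):
    """Simulate A <-> B; B's clock runs true_offset microseconds ahead of A's."""
    nonce = os.urandom(8)                       # fresh N_A
    t1 = 1_000_000                              # A's clock at send
    t2 = t1 + d + pulse_delay + true_offset     # B's clock at receive
    t3 = t2 + 500                               # B's clock at reply
    t4 = t3 - true_offset + d                   # A's clock at receive
    reply = make_reply(key, 2, 1, nonce, t2, t3)
    if tamper:
        reply["t2"] -= 300                      # edit in transit, MAC not recomputed
    if old_reply is not None:
        reply = old_reply                       # recorded reply from an earlier run
    status, offset = verify_reply(key, nonce, t1, t4, reply, d_star)
    return status, offset, reply


if __name__ == "__main__":
    k_ab = os.urandom(16)
    d_star = max_delay(SAMPLE_DELAYS_US)
    status, offset, recorded = run_exchange(k_ab, d_star, 250, 1001)
    print("honest      ", status, offset)
    print("pulse-delay ", run_exchange(k_ab, d_star, 250, 1001, pulse_delay=400)[:2])
    print("tampered T2 ", run_exchange(k_ab, d_star, 250, 1001, tamper=True)[:2])
    print("replayed    ", run_exchange(k_ab, d_star, 250, 1001, old_reply=recorded)[:2])
    # What A would have accepted without the d* check: offset off by pulse_delay/2.
    print("unchecked   ", offset_and_delay(1_000_000, 1_001_651, 1_002_151, 1_002_902))
```

Without the d* check the delayed run would be accepted with an offset of 450 µs instead of the true 250 µs, an error of ∆/2, and the computed delay rises by the same ∆/2, which is what the bound catches.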
WHY SPS WORKS
- Attacker requires sufficiently fast and sophisticated hardware to carry out this pulse-delay attack
  - So it should not increase delay by more than 40 ms
- Infeasible for an external mote-class attacker
  - radio speed of Mica2 motes is 78.5 kbps
  - just receive and forward will cause 100ms
- Even if it is possible for faster hardware, delay is still bounded
- No distance-dependent delay, end-to-end delay is only caused by slow radio
  - so no need to calculate d* at run time
  - Different but fixed for different types of radios
RECOVERY
- can nodes detect attack, and calculate correct offset?
  - only if only one packet transmission was delayed
  - not possible if attack is done on both packet transmissions
  - Each packet transmission will introduce a new unknown variable ∆ (pulse delay)
VARIATION OF SPS FOR FAST HARDWARE
- on-the-fly MAC insertion is infeasible for fast hardware
  - MAC needs to be generated after timestamp
  - prediction-based, add delay of computing MAC
- Enhanced SPS - Hardware independent
  - send two different packets
  - First message is refresh packet and does not contain Timestamp value
  - Second message sends timestamps of first message, hence no on-the-fly MAC required
ENHANCED SPS
SECURE GROUP SYNCHRONIZATION
- System model
  - Each node can authenticate messages
  - Cannot impersonate and send valid message on behalf of other
- Lightweight SGS
- Notations
  - N: number of nodes in group
  - Ti: sending time of the packet at node i (Ci)
  - Tij: time at which the packet broadcast by node i is received at j (Cj)
  - δij: offset between local clocks at nodes i and j
  - dij: delay for the packet transfer from node i to j
LIGHTWEIGHT SECURE GROUP SYNCHRONIZATION
- Each node broadcasts challenge packet
- After receiving Nmin, broadcast Response packet
  - contains triples [Tij, Nj, Gj] for all challenge packets
  - contains N-1 MACs to authenticate each triplet
  - sending time Ti'
- Each node Gi estimates local clock of other nodes
  - Estimate clock offset for each node
- Estimate group clock, take median of all local clocks
LIGHTWEIGHT SECURE GROUP SYNCHRONIZATION
- Complexity
  - For each node, challenge and response packet
  - 2N packet transmission
  - only problem, N-1 on-the-fly MAC generation
  - can be delayed as E-SPS
- use public key infrastructure
  - Each node will sign packet with its private key
INTERNAL ATTACKERS
- Can introduce variable offset delay
- Synchronization fails because estimates are different, not because wrong estimate
- local clock estimates should be consistent
- Can be solved using Byzantine agreement model of consensus
  - Calculate and broadcast pair-wise offset set
  - Run Byzantine consensus algorithm at each node
- Works only if number of compromised nodes is less than (N - 1)/3
SECURE TIME SYNCHRONIZATION
- Time Synchronization in Wireless Network
  - Pair-wise synchronization
  - Network-wide synchronization
- Different Attacks
  - Internal/External Attack
  - Pulse-delay Attack
- Secure Pair-wise Time Synchronization
  - End-to-end delay estimation
  - Enhanced SPS for fast hardware
- Lightweight Secure Group Synchronization
  - Byzantine Consensus solution for internal attackers
LOCALIZATION
- Several applications and protocols in wireless sensor networks require a near exact location estimation of sensor nodes.
- E.g.: tracking, precision navigation, surveillance
LOCALIZATION
- Proper functioning depends on accurate position estimation of nodes.
- What if attackers in hostile environments take advantage of vulnerabilities in the localization algorithm?
- Adversaries can subvert normal functionalities of location-dependent WSNs by exploiting weakness(es) in localization algorithm
TYPES OF LOCALIZATION ALGORITHMS
- Range-free (using coarse metrics to place bounds on candidate positions), e.g.: SeRLoc
  - N. Bulusu, J. Heidemann, and D. Estrin, GPS-less low cost outdoor localization for very small devices, IEEE Personal Commun. Mag., vol. 7, no. 5, pp. 28-34, Oct. 2000.
  - T. He, C. Huang, B. M. Blum, J. A. Stankovic, and T. F. Abdelzaher, Range-free localization scheme in large scale sensor networks, in ACM MOBICOM'03, San Diego, CA, Sep. 2003.
  - D. Niculescu and B. Nath, DV based positioning in ad hoc networks, Journal of Telecommunication Systems, 2003.
  - L. Hu and D. Evans, Localization for mobile sensor networks, in ACM MOBICOM'04, Philadelphia, PA, Sep/Oct 2004.
TYPES OF LOCALIZATION ALGORITHMS
- Range-based (estimating distances to landmarks based on various physical properties), e.g.: Distance Bounding Protocol
  - L. Doherty, K. S. Pister, and L. E. Ghaoui, Convex optimization methods for sensor node estimation, in IEEE INFOCOM'01, Anchorage, Alaska, April 2001.
  - A. Savvides, C. Han, and M. Srivastava, Dynamic fine-grained localization in ad-hoc networks of sensors, in ACM MOBICOM'01, Rome, Italy, July 2001.
  - D. Niculescu and B. Nath, Ad hoc positioning system (APS) using AoA, in IEEE INFOCOM'03, San Francisco, CA, April 2003.
  - X. Cheng, A. Thaeler, G. Xue, and D. Chen, TPS: A time-based positioning scheme for outdoor wireless sensor networks, in IEEE INFOCOM'05, Miami, FL, March 2005.
TYPES OF LOCALIZATION ALGORITHMS
- Both range-free and range-based methods depend on the use of anchors (nodes that know their own location)
  - Anchors may know their own location through GPS or by means of manual configuration
- Range-free methods have less demand on sensor hardware, BUT localization is relatively coarse; hence may be unsuitable for military applications
- Comparatively, range-based methods can produce much finer-grained solutions
[Note: This survey primarily covers range-based methods]
PROBLEMS WITH RANGE-BASED LOCALIZATION ALGORITHMS
- Almost all previous range-based localization algorithms designed for non-adversarial scenarios; unsuitable for hostile environments
- Adversaries can easily subvert normal functionalities by exploiting weaknesses of algorithms to make sensors obtain wrong locations away from the true ones
- DIRE IMPLICATIONS!
- Types of adversaries
  - Internal adversaries
  - External adversaries
ADVERSARY MODELS
- External Adversaries
  - No access to authentic keying material of the network
  - Can be isolated from network by effective authentication schemes
- Internal Adversaries
  - Compromised nodes running malicious code or adversaries steal authentic keying material from legitimate nodes
  - Can authenticate self to other legitimate nodes
  - More difficult to defend against
TIME OF ARRIVAL BASED LOCALIZATION
- Assume three anchors: A, B & C
- B transmits at time t1 to locatee S and receives response at time t2
- Hence dSB = (t2-t1)/c
- Similarly, A calculates dSA and C calculates dSC
- Using any standard multilateration technique, location estimate of S can be obtained
[Figure: anchors A, B, C and the locatee, with distances dSA, dSB, dSC]
ADVERSARY MODEL
TOA-based schemes work in 2 phases:
  Distance measurements between anchors and locatee
  Data fusion to estimate location
Distance enlargement attacks
Distance reduction attacks
SECURE LOCALIZATION SCHEME (SLS)
Few anchor nodes localize sensor nodes in the presence of adversaries
[Figure: anchors A1, A2 and A3, an adversary, and the locatee]
NETWORK AND TRUST MODEL
= Set of anchor nodes
S = Locatee
= No of anchor nodes (>=3)
Anchors know their own location
All anchors and S within transmission range of each other
An effective MAC protocol exists
Anchors share a pair-wise secret key
Anchors are trusted (a reasonable assumption)
= Pairwise secret key between S and
OVERVIEW
Anchor leader broadcasts “start” message
Each Ai runs K-Distance to estimate Dsi
After measurements, run CalPos to estimate
Run TestValid to test estimate
Use , … cardinality subsets to estimate if TestValid fails
Report abnormality if no estimate passes
K-DISTANCE
[Figure: message exchange between locatee S and anchor Ai]
= 2l/b
l = length of nonce Nj and Ns,j
Adversaries cannot reduce…. and
Message Authentication Code
S can guess with probability
K distance estimations protect against distance-enlargement attacks
Mitigate sporadic measurement errors
K = tradeoff between algorithm overhead, measurement errors and level of resilience
USING K-DISTANCE
Mean can be affected by just one adversarial attack
Use median of K time estimates
Tsi = Median(T) = T(r), r = (K+1)/2
For 1 enlarged estimate T(j’)
  If T(j’), T(j) < T(r), no change in estimate
  Else Tsi ∈ [ T(r-1), T(r+1) ]
For m enlarged estimates, possibly Tsi ∈ [ T(r-m), T(r+m) ]
Tolerates enlargement of about half of the estimates
Works if K is large…. TestValid helps otherwise
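Added example, not from the slides: it compares the mean and the median of K time estimates when an adversary enlarges m of them, and checks the median against the interval [T(r-m), T(r+m)] given above. The sample values, the 500 ns delay and all function names are constructed for illustration.

```python
import statistics

def median_bounds(honest, m):
    """Slide's interval [T(r-m), T(r+m)] over the sorted honest estimates (1-based ranks)."""
    t = sorted(honest)
    k = len(t)
    r = (k + 1) // 2                       # r = (K+1)/2, K odd
    return t[max(r - m, 1) - 1], t[min(r + m, k) - 1]

def enlarge(honest, indices, delay):
    """Distance enlargement: the adversary delays the replies at the given positions."""
    return [t + delay if i in indices else t for i, t in enumerate(honest)]

def attack_report(honest, indices, delay):
    """Compare how the mean and the median react to len(indices) enlarged estimates."""
    attacked = enlarge(honest, set(indices), delay)
    lo, hi = median_bounds(honest, len(indices))
    median = statistics.median(attacked)
    return {
        "mean_shift": statistics.mean(attacked) - statistics.mean(honest),
        "median": median,
        "within_bound": lo <= median <= hi,
    }

# Constructed sample: K = 7 time estimates in nanoseconds for one anchor.
T_NS = [200, 203, 198, 201, 199, 202, 200]

if __name__ == "__main__":
    print(attack_report(T_NS, [0, 2], 500))        # 2 of 7 enlarged
    print(attack_report(T_NS, [0, 1, 2, 3], 500))  # 4 of 7 enlarged: majority
```

With two of seven estimates enlarged the median stays among the honest values while the mean moves by more than 140 ns; once a majority is enlarged the median itself is an attacker-chosen value, which is the case the slides leave to TestValid.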
CALPOS – CALCULATE A LOCATION ESTIMATE
Anchor leader calculates location estimate
(Xi, Yi) = Location of anchor i
TESTVALID – TEST VALIDITY OF LOCATION ESTIMATES
[Figure: no enlargement attacks]
Check if estimated position inside polygon
Adversaries must enlarge and minimize estimates .. But K-Distance prevents minimization
Small measurement errors: 2-sided max allowable limit
Check
[Figure: measurement errors or minor adversarial impact]
Test if estimate within polygon
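Added example, not the scheme's own code: a sketch of the SLS flow from the overview (estimate, validate, fall back to smaller anchor subsets, report abnormality). The CalPos and TestValid formulas did not survive on these slides, so standard linearized least squares and a polygon-plus-residual check with a hypothetical limit eps stand in for them; subset sizes n-1 down to 3, the function names and the anchor layout are assumptions.

```python
from itertools import combinations
from math import atan2, hypot

def cal_pos(anchors, dists):
    """Least-squares multilateration; subtracting the last range equation linearises it."""
    (xn, yn), dn = anchors[-1], dists[-1]
    rows = [(2 * (x - xn), 2 * (y - yn), x*x - xn*xn + y*y - yn*yn + dn*dn - d*d)
            for (x, y), d in zip(anchors[:-1], dists[:-1])]
    sxx = sum(a * a for a, _, _ in rows)
    sxy = sum(a * b for a, b, _ in rows)
    syy = sum(b * b for _, b, _ in rows)
    bx = sum(a * c for a, _, c in rows)
    by = sum(b * c for _, b, c in rows)
    det = sxx * syy - sxy * sxy
    if abs(det) < 1e-9:
        return None                      # collinear anchors: no unique fix
    return ((bx * syy - by * sxy) / det, (by * sxx - bx * sxy) / det)

def inside_polygon(p, anchors):
    """True if p lies in the polygon spanned by anchors (assumed in convex position)."""
    cx = sum(x for x, _ in anchors) / len(anchors)
    cy = sum(y for _, y in anchors) / len(anchors)
    ring = sorted(anchors, key=lambda a: atan2(a[1] - cy, a[0] - cx))  # CCW order
    return all((x2 - x1) * (p[1] - y1) - (y2 - y1) * (p[0] - x1) >= 0
               for (x1, y1), (x2, y2) in zip(ring, ring[1:] + ring[:1]))

def is_valid_estimate(p, anchors, dists, eps):
    """Stand-in for TestValid: inside polygon and every range residual within +/- eps."""
    return inside_polygon(p, anchors) and all(
        abs(hypot(p[0] - x, p[1] - y) - d) <= eps for (x, y), d in zip(anchors, dists))

def sls(anchors, dists, eps=0.5):
    """Try all anchors first, then smaller subsets; (None, ()) means report abnormality."""
    n = len(anchors)
    for size in range(n, 2, -1):
        for idx in combinations(range(n), size):
            a, d = [anchors[i] for i in idx], [dists[i] for i in idx]
            p = cal_pos(a, d)
            if p is not None and is_valid_estimate(p, a, d, eps):
                return p, idx
    return None, ()

# Constructed scenario: four anchors on a 10 m square, locatee truly at (4, 3).
ANCHORS = [(0.0, 0.0), (10.0, 0.0), (10.0, 10.0), (0.0, 10.0)]
HONEST = [hypot(4 - x, 3 - y) for x, y in ANCHORS]
ATTACKED = HONEST[:2] + [HONEST[2] + 6.0] + HONEST[3:]   # anchor 2's range enlarged by 6 m
```

On ATTACKED the four-anchor estimate falls outside the square and is rejected; the first three-anchor subset that excludes the enlarged range recovers (4, 3).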
SECURE LOCALIZATION IN WIRELESS SENSOR NETWORKS
Test SLS on heterogeneous WSNs
Assumptions: Na (total number of) mobile anchors
Attributes: known locations; computationally more powerful than standard sensors
Na = ng (>= 1; no. of groups) x na (>= 3; size of group)
ng determines trade-off between n/w bootstrapping delay and localization overhead
[Note: Also assume that mobile anchors have data mule capabilities] possibly improves data-delivery performance
Three phases of implementation:
  Each anchor of an ng-member group obtains distance estimate to locatee through two-way TOA ranging
  Anchors collaboratively run SLS to get valid location estimate
  Location estimate determined is securely transmitted to target sensor
[As opposed to traditional sensor localization methods, individual distance measurement & multilateration are not required; the proposed scheme shifts resource-hungry ranging & computation to relatively powerful anchors]
Benefits?
Reduction in sensor cost
Anchors are less common & can be augmented to be made tamper proof without tremendous extra cost
MOBILITY ASSISTED SENSOR LOCALIZATION
Localization information is securely transmitted from anchor group to individual sensors using pairwise shared secret keys
Pairwise key establishment is very efficient
  each sensor needs to memorize only its own ID-based key, and computational overhead is negligible
  master key Kma is known to network planner and tamper proof anchor
  each sensor is loaded with individual key corresponding to its unique ID, calculated by means of a hashing function
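Added example, not from the slides: one way the ID-based key arrangement above can work, with the anchor re-deriving a sensor's key from Kma and the sensor checking a location report with the single key it stores. HMAC-SHA256 stands in for the unspecified hashing function; the packet layout, the nonce, the function names and the key bytes are assumptions, and the sketch authenticates the report without encrypting it.

```python
import hashlib
import hmac
import struct

def sensor_key(master_key, sensor_id):
    """ID-based key; HMAC-SHA256 is an assumed stand-in for the slide's hashing function."""
    return hmac.new(master_key, struct.pack(">I", sensor_id), hashlib.sha256).digest()

def tag_report(key, sensor_id, x, y, nonce):
    """Location report (assumed layout: id, x, y, nonce) followed by a 32-byte MAC tag."""
    body = struct.pack(">Iff", sensor_id, x, y) + nonce
    return body + hmac.new(key, body, hashlib.sha256).digest()

def anchor_send(master_key, sensor_id, x, y, nonce):
    """Anchor stores only Kma and derives the per-sensor key on demand."""
    return tag_report(sensor_key(master_key, sensor_id), sensor_id, x, y, nonce)

def sensor_receive(own_id, own_key, nonce, packet):
    """Sensor verifies tag, ID and nonce with its one stored key; returns (x, y) or None."""
    if len(packet) < 12 + 32:
        return None
    body, tag = packet[:-32], packet[-32:]
    expected = hmac.new(own_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                       # forged or modified report
    sid, x, y = struct.unpack(">Iff", body[:12])
    if sid != own_id or body[12:] != nonce:
        return None                       # addressed to another sensor, or replayed
    return (x, y)

# Constructed values: a 32-byte master key and the nonce the sensor sent in its reply.
K_MA = bytes(range(32))
NONCE = b"\x01\x02\x03\x04\x05\x06\x07\x08"
```

A node holding only sensor 7's key cannot produce a report that sensor 9 accepts, because deriving sensor 9's key requires Kma.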
Whenever pausing after one movement, the anchor leader A1 announces group existence by broadcasting a helloLocation message
  All sensors hear helloLocation message but only those that are not yet localized respond (out of these, most sensors are inside the sensor polygon, determined by A1)
  MAC-layer collisions possible
Process for localizing sensor inside anchor polygon
QUESTIONS?