A Survey of Secure Location Schemes in Wireless Networks - 2010/5/21.
-
Upload
suzanna-sutton -
Category
Documents
-
view
217 -
download
0
Transcript of A Survey of Secure Location Schemes in Wireless Networks - 2010/5/21.
2/35
Outline
Introduction Secure Location Schemes
Location Verification Range-independent Scheme (SeRLoc) Base Station Assisted Secure Localization Detect Compromised Beacon Nodes Defeat Non-cryptographic Attacks
Summary
3/35
Location & Identity in Wireless Networks Application
Location Based Service (LBS) privacy issues Solution: legal framework, k-anonymity, etc.
Network Geographical routing, location based access control
Physical Layer Location could be used to detect source spoofing attacks
(in wireless networks)
4/35
Wireless Sensor Network (WSN) WSN
Have mission-critical tasks Sensor nodes: low cost,
limited resource, multifunctional
Usually has one BS Prone to failure, easy to be
compromised Location matters
The location of sensors is a critical input to many higher-level networking tasks [5]
5/35
Localization in WSN
Techniques: GPS Ultrasound Radio (RF)
RSSI, ToA, TDoA, AoA, etc. Usually has Beacon nodes
With known locations and sending beacon signals Security issues:
Location discovery in hostile environments Attacker could masquerade or compromise beacon nodes,
or perform replay attacks
6/35
Threat Model
(Internal) dishonest or compromised nodes Can authenticate itself (to other sensor nodes) Report false position
(External) malicious nodes Can not authenticate itself (as an honest nodes) Can perform timing attack (delaying or speeding-up)
Other attacks PHY-layer attack
7/35
Examples
Compromised beacon node
Masquerade beacon node
Replay attack(locally replay or through wormhole)
8/35
Taxonomy
Secure Location
w/ beacon nodes w/o beacon nodes
Localization:• Location Verification
• Range-independent
localization
• Base Station Assisted
Attack Detection:
• Detect Compromised
Beacon Nodes
• Defeat Non-
cryptographic Attacks
9/35
Location Verification(Location-based Access Control) In-region verification Roles:
Claimants & Verifiers
Method: Distance bounding techniques
Upper bound the distance of one device to another (dishonest) device
C: I’m at some location l
V C
R
Region of interest
[1] N. Sastry, U. Shankar, and D. Wanger, “Secure Verification of Location Claims,” in Proc. ACM
Workshop Wireless Security, 2003, pp. 1-10.
10/35
Location Verification(Location-based Access Control)
. p (prover)
• A simplified case
c: light speeds: sound speed
More complex cases: Consider processing/transmission delay, Consider non-uniform regions, Consider multiple verifiers
(why sound?)
Echo Protocol: (secure, lightweight)
11/35
Distance Enlargement Attacks Distance bounding – vulnerable to distance enlargement
attacks but not to distance reduction attacks Propose VM (Verifiable Multi-lateration)
Also relies on distance bounding (at least 3 verifiers)
[2] S. Capkun and J.-P. Hubaux, “Secure Positioning of Wireless Devices with Application to Sensor Networks,” in Proc. INFOCOM, 2005, vol. 3, pp. 1917-1928.
T: set of verifiers that form triangles around u (claimant)
(MMSE: Min. Mean Square Estimate)
13/35
SPINE (Secure Positioning In sensor NEtwork) SPINE: a system for secure positioning of a network of sensor
s, that is based on VM Possible Attacks: (Attacker-x-y) x: # of compromised nodes (c)
y: # of malicious nodes (m)
14/35
SPINE (Secure Positioning In sensor NEtwork) (cont’d) Operate in 2 phases:
Sensors measure distance bounds to their neighbors Central authority compute sensors’ positions (according to
the distance bounds)
BDV (Basic Distance Verification)
(Verify db(s), then compute positions based on verified db(s))(Positioning is also based on MMSE)
15/35
SPINE (Secure Positioning In sensor NEtwork) (cont’d) Effectiveness:
The effectiveness of this system depends on the number of node neighbors (node density) and on the number and the distribution of the reference nodes (verifiers)
16/35
Taxonomy
Secure Location
w/ beacon nodes w/o beacon nodes
Localization:• Location Verification
• Range-independent
localization
• Base Station Assisted
Attack Detection:
• Detect Compromised
Beacon Nodes
• Defeat Non-
cryptographic Attacks
17/35
Range-Independent Localization Motivation:
Distance measure is vulnerable Do not count on distance measure to infer the sensor locati
on Secure localization ≠ location verification
Goal: Decentralized, resource efficiency, robust
Contributions: Propose SeRLoc, a range-independent localization scheme Propose security mechanism for SeRLoc Evaluate the performance of SeRLoc
[3] L. Lazos and R. Poovendran, “SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks,” in Proc. ACM Workshop Wireless Security, 2004, pp. 21-30.
18/35
SeRLoc
Concept: Locators use sectored antennas (with range R) A sensor can identify the region it resides by computing the
overlap between all the sectors it resides Then estimates its location at the center of gravity of the
overlapping region
19/35
Secure SeRLoc
Encryption: To protect the localization information, encrypt all beacons t
ransmitted from locators Sensors and locators share a global symmetric key K0
Locator ID authentication: Use one-way hash chains to provide locator ID auth. Each sensor has a table containing {IDi , Hn(PWi)} of each lo
cator Storage issues
20/35
Threat Analysis
Authors analyze (1) wormhole attacks and (2) Sybil attack and compromised sensors
Analyze the vulnerabilities of other 3 range-independent localization schemes Dv-hop, Amorphous localization, APIT
21/35
Taxonomy
Secure Location
w/ beacon nodes w/o beacon nodes
Localization:• Location Verification
• Range-independent
localization
• Base Station Assisted
Attack Detection:
• Detect Compromised
Beacon Nodes
• Defeat Non-
cryptographic Attacks
22/35
Base Station Assisted Approaches Contribution:
New approach, relies on a set of covert base stations Enables secure localization with a broad spectrum of localization
techniques (ultrasound, RF, etc)
Covert Base Station (CBS): Known position Passively listen to the on-going communication Could be hidden or mobile base station
[4] S. Capkun, M. Cagalj, and M. Srivastava, “Secure Localization with Hidden and Mobile Base Stations,” in Proc. INFOCOM, 2006.
PBS sensornonce
broadcastnonce
(PBS: Public Base Station)
PBSPBSCBSmeasure TDoA and compute sensor’s position
23/35
1. Infrastructure-centric Positioning with Hidden Base Stations
TDoA: Position a source by findingthe intersection of multiple hyperboloids. Pros: does not require communication from BSs and mobile node
s Security analysis:
TDoA drawback: using directional antennas, attackers could cheat BSs
Δ: tolerant size (also means the size of attacker’s guessing space)
T: signal propagation time + node processing time
24/35
2. Node-centric Positioning with Hidden Base Stations
Node compute its position,
then verified by CBS Node-centric:
Attacker might spoofs node’s position and then cheats on the position verification mechanism
CBS again verify the reported position by distance measure
26/35
Taxonomy
Secure Location
w/ beacon nodes w/o beacon nodes
Localization:• Location Verification
• Range-independent
localization
• Base Station Assisted
Attack Detection:
• Detect Compromised
Beacon Nodes
• Defeat Non-
cryptographic Attacks
27/35
Detecting Malicious Beacon Nodes Motivation:
None of previous techniques can work properly when some of the beacon nodes are compromised
Goal: Try to detect and remove compromised beacon nodes Ensure correct location discovery
Approach: Detect malicious beacon signals Detect replayed beacon signals to avoid false positive Revoke malicious beacon nodes
[6] D. Liu, P. Ning, and W. Du, “Detecing Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks,” in Proc. ICDCS, 2005, pp. 609-619.
28/35
Detecting Malicious Beacon Signals Idea:
Use beacon node (known location) to detect other beacon nodes Locations of beacon nodes must satisfy the measurements (of
their locations) derived from their beacon signals Method:
(By request & reply)
Note: to mislead the location estimation, the attacker has to make the estimated distance inconsistent with the calculated one.
29/35
Filtering Replayed Beacon Signals(Goal: avoid False Positive) Malicious signal ≠ this node is malicious !
Due to replay attack Replay through a wormhole attack
Detect this attack by checking the measured distance and the radio communication range
If within the communication range, go to next step (locally replay) Locally replayed beacon signals
Detect extra delay by measuring RTT between two neighbors RTT measure in a real setup (does NOT consider the impacts of
MAC protocol or any processing delay) Extra delay larger than RTTmax
(Assumption required) authenticated and unicasted beacon signal !!
30/35
Revoke Malicious Beacon Nodes Use the base station to further remove malicious
beacon nodes from the network Each beacon node shares a unique random key with BS Beacon nodes can report the detecting results to BS
securely BS evaluates the suspiciousness of each beacon nodes
BS Maintains alert counters and report counters
This mechanism requires more beacon nodes and incurs more communication overhead
31/35
Taxonomy
Secure Location
w/ beacon nodes w/o beacon nodes
Localization:• Location Verification
• Range-independent
localization
• Base Station Assisted
Attack Detection:
• Detect Compromised
Beacon Nodes
• Defeat Non-
cryptographic Attacks
32/35
Focus on Non-cryptographic Attacks Non-cryptographic attacks (physical attacks)
Such as signal attenuation and amplification Degrade the performance of localization Algo.
Propose a general attack detection model Based on this model, analyze two broad localization approa
ches (Multi-lateration based & signal strength based) The attack detection mainly depends on statistical significa
nce testing Other test statistics are also discussed
Conduct trace driven evaluations Using an 802.11 network and an 802.15.4 (ZigBee) network
[5] Y. Chen, W. Trappe, and R. P. Martin, “Attack Detection in Wireless Localization,” in Proc. INFOCOM, 2007.
33/35
Models
Linear attack model on RSS Conduct Exp. in two real
office buildings Detection model:
Statistical significance testing
Define test statistic T, null hypothesis H0, and its acceptance region Ω
Metrics: Detection Rate ROC curve
34/35
Reference
[1] N. Sastry, U. Shankar, and D. Wanger, “Secure Verification of Location Claims,” in Proc. ACM Workshop Wireless Security, 2003, pp. 1-10. UC Berkeley
[2] S. Capkun and J.-P. Hubaux, “Secure Positioning of Wireless Devices with Application to Sensor Networks,” in Proc. INFOCOM, 2005, vol. 3, pp. 1917-1928. EPFL Switzerland
[3] L. Lazos and R. Poovendran, “SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks,” in Proc. ACM Workshop Wireless Security, 2004, pp. 21-30. Univ. of Washington
[4] S. Capkun, M. Cagalj, and M. Srivastava, “Secure Localization with Hidden and Mobile Base Stations,” in Proc. INFOCOM, 2006.
35/35
Reference
[5] Y. Chen, W. Trappe, and R. P. Martin, “Attack Detection in Wireless Localization,” in Proc. INFOCOM, 2007. Rutgers Univ.
[6] D. Liu, P. Ning, and W. Du, “Detecing Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks,” in Proc. International Conf. Distributed Computing Systems (ICDCS), 2005, pp. 609-619. NCSU, Syracuse Univ.
[7] D. Liu, P. Ning, and W. Du, “Attack-Resistant Location Estimation in Sensor Networks,” in Proc. International Symposium Information Processing Sensor Networks (IPSN), 2005, pp. 99-106.
[8] L. Fang, W. Du, and P. Ning, “A Beacon-less Location Discovery Scheme for Wireless Sensor Networks,” in Proc. INFOCOM, 2005.
[9] W. Du, L. Fang, and P. Ning, “LAD: Localization Anomaly Detection for Wireless Sensor Networks,” in Proc. IEEE International Parallel Distributed Processing Symposium (IPDPS), 2005, pp. 41a-41a.