Adviser: Frank,Yeong -Sung Lin Present by Chris Chang

Determining sink location through Zeroing-In attackers in wireless sensor networks

Zhenhua Liu • Wenyuan Xu

Adviser: Frank,Yeong-Sung LinPresent by Chris Chang

Agenda

• Introduction• System model• Zeroing-In attack overview • Hop-count-based Zeroing-In attacks • Time-of-arrival based Zeroing-In attacks • Evaluate the effectiveness of Zeroing-In attacks • Cope with Zeroing-In attacks • Concluding remarks

Introduction

• Wireless sensor networks (WSNs) have been deployed for a wide variety of applications:• Animal habitat monitoring • Critical infrastructure monitoring • Target tracking • Battle field surveillance

Introduction

• Typically, those wireless sensor networks consist of :1. A large collection of low power and resource-

constrained sensor nodes that monitor the underlying physical phenomena.

2. A small set of base stations, aka. sinks, that collect sensor measurements in a multi-hop fashion.

Introduction

• A many-to-one communication pattern lead to the fact that adversaries can easily leverage the sink location information to launch a series of attacks interrupting the network communication.

• After obtaining the sink location information…• Adversary can destroy the sinks physically by human

intervention, such as hammering them.• This pattern also makes sinks the ideal spots to sniff

packets for off-line analysis or the initial points to launch attacks.

Introduction

• In this paper , we focus on studying the sink location privacy issue.• Several attacks have been proposed to determine the

locations of sinks:• trace-back attacks• traffic analysis attacks

Introduction

• Most of them assume resource-intensive adversaries: • Some require the adversary to equip with special

radio devices that can measure the angle of arrival• Some require the adversary to have a global view by

deploying its own sensors throughout the network

Introduction

• In this paper, we focus on studying the sink location privacy problem in the presence of budget adversaries. • We assume that budget adversaries do not have

specialized radio devices, nor are they able to monitor the entire networks simultaneously.

Introduction

• Several network metrics are two dimensional (2D) functions of locations in the network, and their values either maximize or minimize at the sink.

Introduction

• From the attackers’ point of view:• A few resource-constrained attackers can launch

Zeroing-In attacks, whereby each of them samples her local network metric and collectively they can derive the locations of the sinks by combining their measurements.

Introduction

• From the defenders’ point of view:• The network should design a routing protocol that can

break the correlation between the network metric extreme value.• Due to highly constrained resources(wireless network),

we design a light-weighted routing protocol to cope with Zeroing-In attacks.

Agenda


System model

1. Network model 2. Adversary model

System model (Network model)

• Many-to-one data dissemination:• The sensor network utilizing the popular many-to-one

data dissemination methods, whereby the sink is connected to a large portion of the sensor nodes. • Without loss of generality, we assume that there is

only one sink in the network. (our work can also be applied to networks with multiple sinks local extrema


• Tree-based routing schemes:• We focus on tree-based routing schemes, a popular

family of routing protocols whereby the network establishes and maintains a forwarding tree rooted at the sink. • This forwarding tree is often built with the assistance

of hop counts, i.e., the number of hops from the sink.


• Broadcast enabled: • We assume that the sink will flood the network with

controlling commands or query requests from time to time.

• Homogeneous networks:• Finally, each node uses the same type of hardware

platform and sends messages at the same transmission power level. As a result, they have a similar radio range.

System model (Adversary model)

• Eavesdrop-enabled:• Adversaries have the same radio devices as network

nodes for eavesdropping. • Although the adversaries are unable to decipher

packet contents, they are able to record the time that they witness a packet.

• Resource-limited:• Adversaries are not equipped with specialized radio

devices, such as spectrum analyzers or super sensitive antenna arrays.• Adversaries cannot afford to deploy their own sensor

network to monitor the entire network

System model (Adversary model)

• Able to collude: • Multiple adversaries are available.• They collude with each other to infer the location of

the sink by sharing their local views

• Location-aware: • Each adversary is able to determine its own location.

• Protocol-aware:• Adversaries know the networking and privacy-related

protocols used in the sensor networks.

Agenda


Zeroing-In attack overview

• In this section, we overview the proposed ‘‘Zeroing-In’’ attacks. • Several metrics in a sensor network are functions of

locations. Typically, moving towards the sink either increases the values of those network metrics or decreases them monotonically.


• For instance :1. Hop count : is the smallest number of intermediate

nodes a packet has to traverse in order to reach the sink. The hop count associated with a network node decreases as the node becomes closer to the sink, and it becomes zero at the sink.

2. Traffic rate : is the number of packet transmissions in a unit time in a region. It increases as the distance to the sink decreases and reaches maxima at the sink.


• Thus, from the attackers’ point of view, the problem of determining sink location becomes a problem of finding the extremum (maximum or minimum) of those functions. • Without loss of generality, in this paper, we focus on

network metrics that minimize at the sink.


• To identify the position of the sink leveraging 2D models of the network metrics, ‘‘Zeroing-In’’ attacks consist of two steps: 1. Sampling step. 2. Zeroing-In step.


• Sampling step:- m adversaries place themselves in an area S within

which the network is deployed. - The coordinates of the i-th adversary as zi = (xi, yi),

and the i-th observation as a tuple (xi, yi, hi), where hi is a network metric.

- The network metric hi is either the hop count or the arrival time of a packet at (xi, yi).


• Zeroing-In step:• Goal : Identify the position of the sink. • Adversaries first determine the 2D network metric

function h = f(x, y) by analyzing m observations：

• Find the sink location zs = (xs, ys) as the point where f(x, y) reaches the minimum :

Agenda


Hop-count-based Zeroing-In attacks

• Assumption: 1. We consider the adversaries that can acquire the

hop count of any node in the network but is limited to acquiring the hop count at one location once.

2. We assume that adversaries can inject broadcast packets to the network to estimate the hop count between them.


• To illustrate the attacks, we start by providing a brief description on the tree-based routing protocol that is implemented in TinyOS 1.x, an operating system for sensor networks.


• Tree-based routing protocol :• Eventually a shortest-path-based routing tree is

formed with the sink node serving as the root of the tree. • To build the routing tree, each node selects its routing

parent as the neighbor that contains the smallest hop count, and then it announces its hop count, which is one greater than its parent’s. • To make the underlying routing tree adaptive to

topology changes, nodes periodically broadcast routing announcements, which include the ID of the origin and the hop count in plaintext.

Hop-count-based Zeroing-In attacks 1. Model hop counts and hop sizes • Distribution of α

2. Determine the sink location 3. Adversary placement4. Least squares without flooding


• Model hop counts and hop sizes• In this section, we analyze hop counts as a function of

locations, e.g., h = f(x, y). • A node’s hop count h depends on many factors,

including its own location, the sink location, the positions of other nodes located towards the sink, the irregular radio range of each node, etc.


• Model hop counts and hop sizes• Grid-based coverage model for WSNs.• In particular, the network deployment region S is

divided into equal-sized small grids, and each grid contains at least one randomly positioned network node.


• Thus, we can model hop counts as :

• α is hop size, a coefficient describing the relationship between hop counts and distances. • If α is a known constant, then we can find (xs, ys) by

searching for the root of the following questions :


• Most contours are roughly concentric, but some small contours exist between two neighboring ones.

Hop-count-based Zeroing-In attacks• As a result, it takes an extra hop for the node within that

fading dip region to reach the sink, and its hop size to the sink is smaller than its neighbors’. Therefore, hop sizes exhibit irregularity, as well.


• Model hop counts and hop sizes• Being a variable, the distribution of α determines the

accuracy of estimating hop counts using Eq. 1 and affects the feasibility of the Zeroing-In attacks. • If α has a small variance and can be estimated, then

the sink location can be considered as the point that minimizes the estimation errors using the estimation â :


• Distribution of α• We denote the hop size between nodes i and j as,

• hij is the hop count between them.

• αis = αi (omit the subindex s when one of the nodes is the sink)


• Distribution of α• Let Lij be the line segment that connects node i and

node j• let pk be the projection of the k-th link onto Lij. • For a random pair of nodes i and j :

• θk is the angle between the line Lkk+1 and Lij, θk

• Ik is the ID of the k-th node on the shortest path from nodes i to j


• Distribution of α• We can predict the distribution of a as a normal

distribution according to the Central Limit Theorem (CLT) • We carried out experiments using Castalia. We studied

the hop size distribution in two node densities, e.g., 400 and 900 nodes in a 200 X 200 m square, respectively. • For each node density, we created 25 network

topologies, and chose several random pairs in each topology to calculate the hop sizes.


• In total, we calculated hop sizes between more than 10,000 pairs and displayed the experiment results :

• Bell-like shape• Approximate normal distributions• The variance of the estimated hop sizes decreases when

the hop count between the random node pair increases.


• Determine the sink location • To launch the hop- count-based Zeroing-In attack in

two steps: 1. Sampling step. 2. Zeroing-In step.

Hop-count-based Zeroing-In attacks • Determine the sink location • 1.Sampling step – • obtain , where hi is the hop count and â

is the estimated hop size between the i-th adversary and the sink. • To estimate â ; each adversary floods a message to all

other adversaries and get the hop counts between them. The â is calculated as the average hop size between i-th adversary and all other adversaries:


• Determine the sink location • 2.Zeroing-In step –

After obtaining m observations• We determine the position (xs, ys) of the sink by

searching for minimizing the estimation error :


• Determine the sink location • We use least squares (LS) to solve Eq. 4.• We start with m equations:


• Determine the sink location • Assume that , subtract equation from

both sides of the first m - 1 equations, we can write the derived set of linear equations in the form of Az = b with :


• Determine the sink location • The least squares solution of for Eq. 5 can be

calculated by

• b^ is the estimation.


• Adversary placement • (1) Whether their sample locations have impacts on

the estimation errors of the sink location• (2) What the best strategies is to position the

attackers so that the estimation errors can be reduced.

• We assume that the attackers are aware of the deployment region without knowing the sink location.


• Adversary placement • Based on Eq. 6, the sink location estimation error is bounded

by

• Matrix A+ is the Moore-Penrose pseudo-inverse of A• eb = - b.(b is the true distance vector, and b^ is the

estimated distance vector. )• Thus, two factors affect the sink location estimation errors:

A+ and eb. We now examine each factor.


• Adversary placement

• e • We denote as the true hop size between the i-th adversary and

the sink• â as the estimated hop size using Eq. 3.


• Adversary placement • The expected estimation error of is bounded by


• Adversary placement• We plug the above equation into eb, and apply the

assumption :

• The expected eb is


• Adversary placement• It is extremely difficult, if possible, to find a numerical

solution of the global optimal adversary placement that minimizes the upper bound of E(eb).

• To decrease the upper bound of E(eb), two heuristics can be applied: 1. The adversaries should be placed further apart

from each other to increase 2. They should be place close to the sink to decrease

hi.


• Adversary placement• To leverage the concept of Voronoi diagram. • Given adversaries’ location Z = {zi} i=1...m, we can get

the Voronoi diagram of Z, Vor(Z),• : the subdivision of the network S into m

cells ,one for each adversary


• Adversary placement• Define the maximum span of a cell as :

• We aim to find a near-optimal placement for the adversaries such that dmin is bounded from above, that is, the maximum value of among all cells should be minimized.


• Adversary placement • We found that the near-optimal placement for Eq. 8

follows simple symmetric patterns. We choose to show two layouts of adversaries that we will use in our experiment in Fig. 4, e.g., 5 and 8 adversary cases.


• Adversary placement

• A+ is a matrix determined only by the coordinates of adversaries and the results presented by Chen et al. show the pattern of m points that minimize ||A+||. • It turns out that their optimal patterns coincide with the

near-optimal placements displayed in Fig. 4.


• Least squares without flooding• In case that the adversaries cannot flood the network

to estimate the hop sizes, they can estimate the sink location directly by treating hop sizes as an unknown variable e.g.,


• Least squares without flooding • We re-organize Eq. 5 and write them in the form of

Az=b, we have :


• Least squares without flooding• Similarly, the least squares solution can be calculated

by :

• Each adversary only needs to obtain its location and the hop count associated at it to calculate A and b for sink location determination.

Agenda


Time-of-arrival based Zeroing-In attacks • This ToA-based Zeroing-In attack can be used when

entire packets are encrypted, and the hop count is not accessible to the adversaries. • Instead, adversaries can only distinguish whether two

received packets are the same and witness the arrival times of packets.

Time-of-arrival based Zeroing-In attacks • The attack starts with m adversaries placing themselves

across the network. When the sink broadcasts a controlling message at t0, the message floods throughout the network.• When the i-th adversary overhears the message at ti, she

records the packet arrival time as ti. • In total, m adversaries record m data samples

and collectively identify the sink location.

Time-of-arrival based Zeroing-In attacks • We start by assuming that messages travel in the

network at a constant speed• Then we have m equations:

Time-of-arrival based Zeroing-In attacks • Eliminating the quadratic components, we can get Az = b with:

Time-of-arrival based Zeroing-In attacks • To estimate the distribution of packet travel speeds s, we

studied the communication in a 400-node network and a 900- node network, both deployed in the 200 x 200 m area.

• Despite the fact that s cannot be negative, the distribution of s approximates a normal distribution N(μs,σs

2 ) with N(42.90, 24.22) for the 400-node density and N(43.56, 14.40) for the 900-node case.

Time-of-arrival based Zeroing-In attacks • Thus, the adversaries can determine the sink location by

Agenda


Evaluate the effectiveness of Zeroing-In attacks • Evaluation metrics • Experiment results

1. The location of the sink 2. The network size and the number of adversaries3. The node density 4. The attack algorithms 5. The adversary placement

Evaluate the effectiveness of Zeroing-In attacks • Evaluation metrics • 1. Estimation accuracy • It indicates how well the adversaries estimate the

sink location on average. • We define estimation accuracy as the mean error:

• 2. Attack stability • It is the standard deviation of the estimation errors

Evaluate the effectiveness of Zeroing-In attacks • Evaluation metrics • 3. Attack cost • It measures how much resource in terms of the number

of adversaries is used. • Consider the extreme case where a global adversary is

involved.(eavesdrops the entire network )• The adversary’s antenna has similar sensitivity as the one

on a network node.• The minimum number of observation points required for

a global adversary is approximately : • Adversaries can identify the location of the sink using a

much smaller number than by performing a Zeroing-In attack.

Evaluate the effectiveness of Zeroing-In attacks • Experiment results• We evaluated the performance of Zeroing-In attacks

using Castalia 2.1b, an OMNeT++-based simulator for wireless sensor networks. • Given that the average node transmission range is

18m, we divided the square network area into 10 * 10m grids, and placed one node randomly inside each grid. • We repeated our experiments in 1000 different

network topologies for each factor which will affect the Zeroing-In attack performance.

Evaluate the effectiveness of Zeroing-In attacks • Experiment results• We studied three attack strategies: • (1) Hop-LS, the hop-count-based Zeroing-In attack

involving flooding to estimate the hop size• (2) Hop-LS-NF, the hop-count-based attack that treats

the hop size as a variable and does not flood the network• (3) ToA, the time-of-arrival-based Zeroing-In attack.

Evaluate the effectiveness of Zeroing-In attacks • The location of the sink • We studied the impact of the sink location to the attack performance

by considering two cases: the center case and the corner case

• The ρe in the corner case is approximately twice as the one in the center case. (The correlations among measured network metric leads to that the measurements get biased.)

Evaluate the effectiveness of Zeroing-In attacks • The location of the sink

• Thus, we randomly placed the sink anywhere inside the network region.

Evaluate the effectiveness of Zeroing-In attacks • The network size and the number of adversaries • This set of experiments aim at answering two

important questions: 1. Does increasing the network size help to hide the

location of the sink? 2. (2) Does increasing the number of adversaries

always yield a better estimation of the sink location?

• We studied the attack performance in three network sizes where {100, 400, 900} nodes were placed in a {100 x 100, 200 x 200, 300 x 300} square, respectively.

Evaluate the effectiveness of Zeroing-In attacks • The network size and the number of adversaries

• Network size has little impact on both the mean error and the standard deviation of the attacks.


• For the Hop-LS attack : 1. The mean errors decrease first, and increase when more than 5

adversaries are involved.2. To launch Hop-LS attack : 5 adversaries provide a good trade-

off between mean error and attack cost.


• For the ToA attack :1. As the number of adversary increases, the mean error and standard

deviation of ToA attacks diminish monotonically. 2. Increasing the number of adversaries improves the ToA attack

accuracy. 3. Hop-LS- NF attack is similar to the ToA attack.

Evaluate the effectiveness of Zeroing-In attacks • The node density• We are interested in whether increasing the number

of network nodes in an area of the same size can provide a better privacy for the sink location.• We depicted the attack performance in two node

density configurations, e.g., 400 nodes and 900 nodes in a 200 x 200 m square, in Fig. 8.

Evaluate the effectiveness of Zeroing-In attacks • The node density

• Increasing the node density will help the adversaries to determine the sink location using any of the Zeroing-In attacks.

• E(es) is proportional to the variance of network metrics. The variance of hop size and packet travel speed in higher network density are smaller (as shown in our simulation), and thus it leads to smaller ρe.

Evaluate the effectiveness of Zeroing-In attacks • The attack algorithms • In cases when adversaries are able to obtain hop counts and flood the

network to estimate the hop size, all the three types of attacks are feasible.

• When more than 10 adversaries are involved in ToA, they can achieve higher attack performance than the Hop-LS.

• On average the estimation error is close to one radio range.

Evaluate the effectiveness of Zeroing-In attacks • The attack algorithms

• Thus, if the hop count information is available to the adversaries, Hop-count-based attacks should be used.

• In cases when at most 6 adversaries are available, they shall determine the sink location via Hop-LS strategies. Otherwise, Hop-LS-NF is preferred.

Evaluate the effectiveness of Zeroing-In attacks • The adversary placement

• Fig. 10 shows that the near optimal pattern improves the attack accuracy in all three scenarios: 5 adversaries launching Hop-LS attack, 8 adversaries launching Hop-LS attacks or ToA attacks.

Agenda


Cope with Zeroing-In attack

• We will focus on coping with ToA-based Zeroing-In attack since the hop-count-based Zeroing-In attacks can be addressed by hiding the node’s hop count in the routing announcement.

• Approaches:1. Random buffering 2. Directed walk


• Random buffering• One natural defense strategy is to have every node

buffer a flooding message for a random amount of time before forwarding it to the next hop • We can add a normal delay

at each node.• however, It does not change the statistical relationship

between the packets’ end-to-end travel time Ti and the location of a node zi,


• Directed walk • To alter the relationship between Ti and zi, the sink can

unicast the message Mf to a designated node nds located many hops away. • Once nds receives Mf ; it will start the flooding. The

challenge of this method involves choosing nds and finding the route to nds because The routing protocols in sensor networks aim at facilitating reporting data to the sink in a multi-hop fashion.


• Directed walk • When the sink creates a flooding message, Mf ; it sets a

counter hTTL in the message header to indicate how many hops away nds is located.

• Then the sink unicasts Mf to one of its children ni. After ni receives Mf ; it first decreases the hTTL by one. If the hTTL equals 0 then ni starts to flood the message Mf : Otherwise, ni sends Mf to one of its children. This process repeats until the hTTL in Mf is reduced to zero.

Cope with Zeroing-In attack• Experiment evaluation

• Directed walk of 8 hops can consistently deceive the adversaries into thinking the sink is 100 meters away from its true location.

• Figure 11c shows that the level of protection for the sink location grows linearly when the number of hops of the designated nodes increases.

Agenda


Concluding remarks

• In this paper, we have studied the sink location privacy problem from both the attack and the defense sides. • Leveraging these 2D functions to launch Zeroing-In attack

(the network metrics are either minimized or maximized at the sink) • The Zeroing-In attacks that utilize hop counts and the

packet Time-of-Arrival (ToA).

Concluding remarks

• From the attackers’ point of view:• Our experiment results show that both hop-count-

based attacks and ToA-based attacks can localize the sink at the accuracy level of one radio range, which is accurate enough for performing a jamming attack to disable the communication of the sink.• Our extensive analysis of Zeroing- In attacks shows

that increasing the network size or network density cannot reduce the accuracy of the attacks.

Concluding remarks

• From the defenders’ point of view:• To prevent hop-count-based attacks, one has to

encrypt the routing announcements containing hop counts. • To address ToA-based attacks, we presented a

directed-walk-based defense strategy, whereby the sink unicasts the message to a designated node nds and has nds initiate the flooding.

Thank you for your attention

Adviser: Frank,Yeong -Sung Lin Present by Chris Chang

Documents

Transcript of Adviser: Frank,Yeong -Sung Lin Present by Chris Chang