Combating persistent adversaries in Wireless Sensor Networks using directional antennas

Eliana Stavrou and Andreas Pitsillides Department of Computer Science

University of Cyprus Nicosia, Cyprus

{cs98is1, andreas.pitsillides}@cs.ucy.ac.cy

Abstract—Security is an important property in applications offering services in mission-critical areas, such as in healthcare, military, transportation, etc. Wireless sensor networks (WSN) support the mission of these applications by monitoring the environment and reporting observations to appropriate authorities that are responsible for decision-making. Often, their operation can be at risk by adversaries that launch attacks against the WSN with the aim of compromising the reliability and availability of the network and the respective application. The outcome of an attack highly depends on the experience of the adversary and his capabilities in terms of programming skills, security knowledge and resources. From the network perspective, the challenge is to reliably recover to a normal operation as soon as the adversary is been detected and allow for packet delivery to destination. The challenge is even greater in the presence of adversaries that adapt their intrusion strategy to break the deployed recovery countermeasures and continue affecting the network. Proposed recovery countermeasures typically assume the use of omni-directional antennas, which cannot take advantage of antenna directivity in order to manipulate communication paths between WSN nodes for the purpose of (physically) bypassing an adversary. This paper presents an intrusion recovery protocol in WSNs that uses directional antennas to create controlled communication paths, thus routing, and enhancing the reliability, self-healingness and resilience of the network. The proposed protocol is implemented within the AODV context and evaluated using ns-2. We demonstrate the effectiveness of the proposed protocol to deliver packets to the destination in the presence of multiple persistent adversaries that deploy different types of simple to extended attacks.

Keywords-WSN security, recovery, directional antennas, secure routing

I. INTRODUCTION A wireless sensor network (WSN) consists of a number of

distributed sensor nodes [1] that cooperate to monitor their environment and report their observations to a control center. WSNs are used in many civilian, military and industrial application areas [2] [8], including battlefield surveillance, traffic control, healthcare monitoring, and so on.

Often, sensor nodes are deployed in unrestricted or even hostile environments, making them vulnerable to attacks [3]. An adversary can physically capture or reprogram a sensor node and use it to launch attacks against the sensor network with the aim of compromising the reliability and availability of

the network. Secure routing protocols [4] have been mainly designed to protect the network and prohibit attacks from been successful and to detect intrusion incidents. However, the intrusion recovery aspects in WSNs have not been given much attention. A reliable and robust recovery countermeasure is a prerequisite for gaining network control after attack detection and ensuring that the adversary cannot manipulate any further the recovery countermeasure by extending his intrusion strategy. Most of the existing research on intrusion recovery typically uses omni-directional antennas. However, recovery countermeasures become vulnerable to persistent adversaries due to the omni-directional nature of transmissions.

This paper presents an intrusion recovery protocol in WSNs using directional antennas to create controlled routing and maintain the reliability, resilience and availability of the network after a security incident has been detected. The paper is organized as follows: section II covers the related work in existing recovery countermeasures, section III presents the proposed protocol and its assumptions regarding the network and the adversarial models. Section IV evaluates the proposed protocol against existing recovery countermeasures deployed in omni-directional networks and section V concludes the paper.

II. RELATED WORK A number of countermeasures have been proposed, mainly

in omni-directional WSNs, for the purpose of recovering the network into normal operation after an attack has been detected. Researchers have proposed key revocation protocols, e.g. [5], to revoke compromised cryptographic keys. By revoking a cryptographic key, it means that nodes do not accept and forward from or send packets to the compromised node, thus prohibiting if from communicating with the network. Even so, the malicious node can launch a number of attacks such as denial of service (DoS) [7] and affect the nodes located in its vicinity.

The nodes that are affected by an attack can deploy a go-to-sleep strategy [9] for a pre-agreed period of time to turn the attack ineffective. This would be successful only if the attack is not enabled after the nodes awake. If the attack continues, it can force the nodes into go–to-sleep again and again, making them unavailable for long periods of time, therefore inhibiting them from monitoring the environment.

Another proposed countermeasure to mitigate attacks is to

This research work is supported by ASPIDA project (KINHT/0506/03),funded by Cyprus Research Promotion Foundation.

978-1-4577-0024-8/11/$26.00 ©2011 IEEE

2011 18th International Conference on Telecommunications

433

instruct nodes to switch to a new frequency, i.e. [10], and exclude the malicious node from participating in the network communication. However, the recovery can get ineffective if the malicious node is reprogrammed to scan available frequency channels to find the new frequency. The malicious node can then continue the attack against the network.

Reprogramming [11][12] the malicious node into the correct operation is another means of recovering the network operation. Such an operation is considered complicated and costly that may not be easy or efficient to perform on-line, especially as malicious node number increases [6][13].

Researchers have also utilized path redundancy [13] [14] to recover from attacks in WSNs. Nodes use alternative paths to bypass the malicious nodes and stop attacks, such as the selective forward [3]. They also exclude malicious nodes from their routing tables, e.g. [15], so they are never chosen as a forwarding point nor are packets from the malicious node accepted for further processing. However, if the malicious node still has neighbors in its vicinity, it can continue compromising the network.

Existing recovery strategies in WSNs focus on the use of omni-directional antennas. However, little research has been performed to utilize the security benefits of directional antennas and support recovery mechanisms in WSNs. Directional antennas are used, for example, to prevent the wormhole attack [17] [18]. This paper contributes a new intrusion recovery protocol in WSNs that uses directional antennas to create controlled routing and address the limitations of the existing recovery schemes.

III. PROTOCOL DESCRIPTION This section defines the application scenario, the

assumptions regarding the network and adversary models and presents the proposed protocol.

A. Application and network assumptions A typical traffic monitoring and control application

scenario is considered as an example application. Sensors are deployed on city traffic lights and monitor their surrounding area for the occurrence of car accidents. The application considers deployment of sensors on a grid area that communicate on a hop-by-hop manner to report observations to a control center, called the sink. Sensors are assumed to have the same capabilities and are equipped with multiple directional antennas. Each sensor can communicate with neighboring cross-edge node on the grid (Fig.1). More than one antenna at each sensor can be active at a given time through the use of radio frequency switches. The sink is considered robust with enhanced resources in terms of memory, computational power and battery. We assume the existence of an intrusion detection system (IDS), i.e. [19] [20], in the network that detects malicious behavior and interacts with the recovery protocol to inform sensor nodes of the identity of the malicious node(s). As soon as a security incident is been detected, the protocol’s recovery mechanisms are triggered to mitigate the attack.

Figure 1. Antenna setup model

B. Adversary model An attack is most effective if a malicious node is located on

the active routing path or is a neighbor to a node on the active path, since it has a better opportunity to affect packet delivery. This work considers such a case. An adversary can compromise an existing sensor node, for example, by exploiting a software bug on the node, and reprogramming it to launch attacks against the network. The compromised node retains its original location. It is also assumed that the adversary has advanced programming skills and security-related knowledge. The adversary adopts a dynamic intrusion strategy launching both passive and active attacks against the sensor network. The adversary’s objective is to compromise the recovery countermeasures deployed by sensor nodes when they have detected the malicious node(s).

C. Protocol operation In a network, a reliable and robust intrusion recovery is a

prerequisite for an effective result. Beyond the obvious target of an intrusion recovery mechanism, which is to recover the network into a normal state after the attack detection, it is also imperative for the recovery countermeasures to be resistant to malicious nodes. This means that recovery has to be resistant and not get compromised by adversaries that extend their intrusion strategy in an attempt to manipulate the deployed countermeasures. The challenge is to isolate the malicious nodes in such a way so that compromisation of nodes cannot be easily achieved. This section presents the proposed protocol which aims to accommodate the aforementioned properties.

The proposed intrusion recovery protocol interacts with an IDS, as assumed previously, and deploys the appropriate recovery countermeasures as soon as an incident is been detected. Its operation is not constrained by the underlying routing protocol. This research work implements the proposed protocol in the context of AODV [21] protocol, but other routing protocols can be used as well. The main idea of the protocol is to apply recovery countermeasures based on the intrusion strategy deployed by an adversary and adapt its recovery strategy according to how the adversary moves forward with his strategy. Adaptability of recovery countermeasures is a desirable property of a security reaction plan since adversary’s actions can be unpredictable as he extends his attacks in such a way as to compromise the deployed recovery. To mitigate such a case, the security recovery strategy will have to react to maintain its robustness

434

and effectiveness against the new threats. The proposed protocol exploits multiple antenna directivity to create controlled routing paths and support adaptability of its recovery strategy. The antenna setup should be selected according to the deployed scenario and application requirements. This work considers communication established between adjacent sensor nodes arranged on a grid layout (Fig.1).

Fig. 2 illustrates the main idea. The proposed recovery countermeasures are applied in layers, as the adversary moves from passive to active and more extended attacks.

As soon as an attack is detected, the neighboring nodes of the malicious node blacklist it, drop received packets which were sent by the malicious node and switch off the respective antenna that communicates with the adversary. It is assumed that by switching off the antennas towards an adversary, the communication link between the malicious node and the legitimate nodes become unavailable due to the network’s node antenna gain which is not present anymore. Furthermore, in the case where a malicious node was located in an active path, its downstream node initiates a local repair and updates the active path to maintain the network’s connectivity and packet delivery. Since communication exists only with the cross-points, the adversary is blocked from participating in the network and his attack is no longer effective.

When the malicious node cannot overhear any network activity from the neighboring nodes that have switched off the respective antennas, it can be assumed that it moves to a new attack. For example, the malicious node launches an active attack, such as a denial of service (DoS). However, the attack is still ineffective since the malicious node’s signal either does not reach the legitimate nodes, or if it does reach them, it should be of very low power compared to legitimate communications which are further enhanced by the directional antenna gain. It can then be further assumed that the adversary may perform a more extended attack by increasing its transmission power in an attempt to increase the affected coverage area. Since it is blocked out of the network, it cannot evaluate if its attack was launched at any node. The worst case scenario would be for the adversary to increase his transmission power to the point it can reach legitimate nodes and continue with an active attack. In such an event, the nodes switch to a new frequency and continue their operation. The malicious node may continue to launch attacks at the default frequency channel. In this case, it cannot affect the communication since the network communicates over another channel. Even in the case where the malicious node was reprogrammed to scan frequency channels, since it cannot overhear anything it cannot easily evaluate the network status and discover the new frequency.

Therefore, the proposed dynamic recovery protocol allows the network to adapt its recovery countermeasures according to the misbehavior strategy adopted by the adversary. The protocol has the property of maintaining its robustness against a persistent adversary and offers a graceful degradation of the network’s packet reliability after the adversary deploys a more extended set of attacks.

Figure 2. Protocol operation

IV. PERFORMANCE EVALUATION The effectiveness of the proposed protocol to mitigate

persistent adversaries in IEEE 802.15.4 networks is evaluated using ns-2 simulations. The proposed protocol, called Dir, is compared against a baseline protocol, called Base, which implements the blacklist, go-to-sleep and frequency switch recovery countermeasures in omni-directional networks. Both

435

protocols are implemented in the context of the AODV protocol.

Figure 3. Average throughput – blackhole attacks and intrusion detection

The network is deployed on a grid 6x6 topology and the sensor nodes are equipped with 4 patch directional antennas having 8dBi gain as in [16]. Fig. 1 presents the antennas’ beam orientation. Nodes distance is set 300m apart from each other, achieving communication between the cross points only. The network includes 3 source nodes that generate CBR traffic with a rate of 2 packets per second, and the packet size is 70 bytes. There is only one sink node. The propagation model that is used in the simulations is the two-ray ground and the receiver’s sensitivity is considered to be -90dBm. The network is simulated for 500 seconds.

Performance evaluation assesses the proposed and the baseline protocols in terms of network throughput and routing overhead. Throughput will indicate the capabilities of each protocol for reliable packet delivery, while routing overhead allows one to asses if nodes along active route paths can offer a resilient operation when nodes are under attack.

The evaluation’s objective is to show that the proposed recovery protocol is effective, while existing recovery mechanisms are vulnerable, against persistent adversaries that implement simple to extended attacks. The evaluation scenario firsts considers a passive attack, the blackhole, which is expected to show that both protocols can successfully restore the normal operation of the sensor network when they deploy their recovery countermeasures. Then, it is assumed that the malicious nodes change their intrusion strategy and launch a DoS attack in order to compromise the recovery measures. Evaluation is expected to demonstrate that the proposed protocol retains its resistance against active attacks while existing recovery protocols get compromised. The evaluation ends by considering a persistent malicious node that extends the DoS attack, by increasing its transmission power, with the aim of increasing the affected coverage area. The proposed protocol adapts its recovery strategy to mitigate the attack and the assessment is expected to show that the network’s reliability is restored.

Fig. 3 presents a comparison of throughput under normal network conditions and when the network is under attack. Different attack setups have been evaluated, where more that one compromised nodes exist and each node may or may not be on one of the active route paths. First, the case where a compromised node is on one of the active paths is considered,

which launches a blackhole attack. The packet delivery capability of both schemes is negatively affected, reducing the network throughput as shown in Fig. 3. However, if the adversary has compromised another node, not located in any of the active paths, the blackhole attack is not effective and the throughput is not affected any further. By having another node in the active path launching a blackhole attack, the adversary can reduce even more the packets that can be delivered to the destination (Fig. 3). As shown, the blackhole attack has a higher affect as the number of compromised nodes on the active paths increases. These observations apply for both schemes prior to deploying any recovery countermeasures.

As soon as the blackhole attacks along the active paths are detected, the recovery countermeasures are triggered. Both protocols blacklist detected malicious nodes, drop packets received by them and update the active paths to exclude misbehaving nodes. Further to these countermeasures, the proposed protocol instructs neighboring nodes of the detected compromised nodes to switch off the respective antennas towards these nodes. The recovery strategy of both protocols

Figure 4. Routing overhead – blackhole attacks and intrusion detection

can effectively mitigate the blackhole attack as depicted in Fig. 3. When the recovery countermeasures are applied, the packet delivery is restored and throughput is increased. On the other hand, recovery increases the routing overheard of both protocols as the route maintenance/recovery mechanism of AODV is triggered to update the active paths and exclude the detected malicious nodes (Fig. 4). Routing overhead is measured as the actual number of routing control packets sent. Each hop-by-hop packet transmission is counted as one transmission. Under normal operation the baseline scheme has less routing overhead in terms of RREQ and RREP packets. This is due to the fact that in the baseline simulated scenario source nodes establish routes to destination with less control packets exchanged between the nodes since intermediate nodes know a route to destination and respond to the source rather than having the sink replying. Therefore, RREQ and RREP packets have to travel less hops in the baseline scheme than in the proposed scheme. However, this is depended on the routing protocol’s route discovery and maintenance operations, which in this case is AODV.

In this research work, the existence of a persistent adversary was considered. Since the blackhole attacks are no more effective after the countermeasures are applied, the

436

adversary adapts his intrusion strategy and launches a DoS attack. After the active routes have been updated to exclude the malicious nodes, two of the malicious nodes are still neighbors to the active paths. First, the case where the malicious node, not located near an active path, launching a DoS attack by sending a RREQ packet every 10ms was evaluated. As depicted in Fig. 5, the throughput in both schemes is not affected since the compromised node does not affect legitimate nodes that participate in the packet routing. The same observation applies for the routing overhead (Fig. 6). In the case where the adversary uses two out of the three compromised nodes to launch an attack, the throughput in the baseline scheme is decreased (Fig. 5). This occurs since one of the attacking nodes is a neighbor of an active path. The attacker causes interference at receiving and sending nodes, forcing them to drop packets and triggering route maintenance operation. This results in increased number of control routing overhead (Fig. 6). However, performance in the proposed protocol is not affected in any of the two cases because the adversary is been blocked from communicating with the neighboring nodes.

Figure 5. Average throughput – blackhole, intrusion detection, DoS attacks

Figure 6. Routing overhead – blackhole, intrusion detection, DoS attacks

When the adversary uses all three compromised nodes to launch DoS attacks, the network establishes paths to destination that avoid some of the compromised nodes. This results in increasing the network throughput at the baseline scenario (Fig. 5). Also, the routing overhead is decreased since the new routing paths are more robust in comparison to the old paths (Fig. 6). The recovery countermeasure of the proposed protocol maintains its robustness to these attacks, prohibiting

the adversary from affecting the network after the recovery countermeasure is deployed. As it can be observed, the property of the proposed protocol does not apply in the baseline scheme since the adversary can compromise its recovery and continue to launch attacks. However, the severity of the attack outcome depends on the number and location of compromised nodes.

As soon as the DoS attacks are been detected, the baseline scheme triggers the next recovery countermeasure. The proposed protocol does not take any further action yet since the DoS attack is not effective. The baseline protocol instructs affected nodes to go to sleep for a pre-agreed period of time and mitigate DoS attack. Furthermore, in terms of availability, the sleep mode turns respective nodes unavailable for the specified sleep time period. If we assume that the adversary stops the attacks after the nodes are awaken, then the network can maintain its restored performance (Fig. 7). However, if the adversary restarts the attacks, he can continue affecting the network, forcing the nodes to return to sleep mode (Fig. 7). The

Figure 7. Average throughput – sleep and frequency switch recovery

Figure 8. Extended attack and recovery in DIR

baseline protocol instructs nodes to apply a new recovery countermeasure and change their frequency channel. It is assumed that appropriate encryption is used to prohibit compromised nodes from learning the new frequency. As presented in Fig. 7, throughput is increased as the packet delivery is restored and nodes cannot be blocked. However, since the adversary follows a persistent strategy, he can reprogram the nodes to enter a promiscuous mode and scan available frequencies. If he can eavesdrop to communications, he can discover the new frequency and can continue the

437

attacks. This means that he can compromise the recovery and can affect the network once again (Fig. 7). So far, recovery in the proposed protocol is shown to maintain its robustness against a dynamic misbehavior strategy while the baseline’s recovery countermeasures can be compromised after they are applied. It has been shown that the level of compromisation in the baseline scheme highly depends on the number and location of malicious nodes and the type of the deployed attack.

The case where an adversary continues persisting to compromise the proposed protocol’s operation also needs to be considered. Such a case can occur if the adversary can increase its transmission power in an attempt to reach the nodes. In our scenarios it is mostly assumed that sensors are of similar type and transmit power capabilities, and that the adversary cannot overhear anything after the nodes in his vicinity have switched off their antennas. Nevertheless, the scenario where an adversary has increased his transmission power and reaches sensor nodes launching a DoS attack, is also considered. As it can be observed from Fig. 8, the adversary compromises packet delivery as a large number of sensor nodes are affected, and thus throughput is decreased. The protocol triggers a frequency switch to mitigate the attack. This countermeasure is very effective since it aids the network to restore its operation (Fig. 8). Even if the compromised nodes try to scan available frequencies as in the baseline scheme, they cannot overhear anything and discover the new frequency.

V. CONCLUSIONS This paper proposes an intrusion recovery protocol in

WSNs, utilizing directional antennas. The proposed protocol deploys a dynamic recovery strategy that is adapted according to the adversary’s misbehaving strategy. Its operation is not constrained by the underlying routing protocol. The proposed protocol addresses limitations of existing recovery schemes in WSNs by creating controlled routing and aiding the network to maintain its reliability and availability after attacks are detected and recovery is deployed. An adversary usually deploys a layered attack strategy in order to conserve his own resources. He starts by deploying simple attacks and moves to more sophisticated and resource-consuming attacks if there is a reason to do so. The proposed recovery protocol maintains its robustness against a persistent attack and offers a graceful degradation of the network’s packet delivery capability when the adversary has exhausted all attempts to compromise the network and moves to an even more extended set of attacks. Such type of attacks can be performed, for example, by having the malicious node increasing its transmission power in order to increase its compromisation area. Even in this case, the protocol can apprehend persistent adversaries by switching to a new frequency and turning the attack ineffective. In this way, the proposed protocol can restore the network’s performance in the presence of extended attacks. Future work will consider random network topologies and different antenna setups and modify the proposed protocol accordingly.

REFERENCES [1] J. N. Al-Karaki and A.E. Kamal, ”Routing techniques in wireless sensor

networks: a survey”, IEEE Wireless Communications, pp. 6-28, 2004.

[2] C. F. Garcia-Hernandez, P. H. Ibarguengoytia-Gonzalez, J. Garcia-Hernandez, and J. A. Perez-Diaz, “Wireless sensor networks and application: a survey”, International Journal of Computer Science and Network Security (IJCSNS). 7, 3 (Mar. 2007), pp. 264-273.

[3] C. Karlof and D. Wagner, “Secure routing in wireless sensor networks: Attacks and Countermeasures”, In Proceedings of the First IEEE International Workshop on Sensor Network Protocols and Applications, May 2003, pp. 113-127.

[4] E. Stavrou and A. Pitsillides, “A Survey on Secure Multipath Routing Protocols in WSNs”, Computer Networks Journal, Elsevier,2010, 54, 13.

[5] H. Chan, V. Gligor, A. Perrig, G. and Muralidharan, “On the distribution and revocation of cryptographic keys in sensor networks”, IEEE Transactions on Dependable and Secure Computing, 2005, 2, 3, pp. 233–247.

[6] Y. Yang, E. Bai, J. Hu, and W. Wu ,“MRBCH: A Multi-Path Routing Protocol Based on Credible Cluster Heads for Wireless Sensor Networks”, International Journal of Communications, Network and System Sciences, 2010, pp. 689-696.

[7] A. D. Wood and J. A. Stankovic, “Denial of Service in Sensor Networks”, IEEE Computer, 2002, 35, 10, pp 54-62.

[8] E. Stavrou, A. Pitsillides, G. Hadjichristofi, and C. Hadjicostis, “Security in future mobile sensor networks - Issues and Challenges”, International Conference on Security and Cryptography, 26-28 July 2010, Athens, Greece.

[9] S. Kaplantzis “Security Models for Wireless Sensor Networks”, Report, Department of Electrical and Computer Systems Engineering, Monash University, 2006.

[10] K. Jones, A. Wadaa, S. Oladu, L. Wilson, and M. Etoweissy, “Towards a new paradigm for securing wireless sensor networks”, Proceedings of the 2003 workshop on New security paradigms, Ascona, Switzerland, Aug 2003, pp. 115-121.

[11] M. Strasser and H. Vogt, “Autonomous and Distributed Node Recovery in Wireless Sensor Networks”, In Proceedings of the Fourth ACM CCS Workshop on Security of Ad Hoc and Sensor Networks (SASN), Alexandria, Virginia, USA, 2006, pp. 113-122.

[12] K.-S. Hung, C.-F. Law, K.-S. Lui, and Y.-K. Kwok, “On Attack-Resilient Wireless Sensor Networks with Novel Recovery Strategies”, In IEEE Wireless Communications & Networking Conference (WCNC), Budapest, Hungary, 2009, pp. 2272-2277.

[13] J. Deng, R. Hang, and S. Mishra, “INSENS: Intrusion-Tolerant routing in wireless Sensor Networks”, Computer Communications, Elsevier, 2006, 29, 2, pp. 216-230.

[14] S. Lee and Y. Choi, “A secure alternate path routing in sensor networks”, Computer Communications, Elsevier, 2006,30,1,pp.153-165.

[15] N. Abu-Ghazaleh, K. Kang, and K. Liu, “Towards resilient geographic routing in WSNs”, In Proceedings of the 1st ACM international workshop on quality of service & security in wireless and mobile networks, Montreal, Quebec, Canada, 2005, pp. 71 – 78.

[16] G. Giorgetti, A. Cidronali, S.K.S Gupta. And G. Manes, “Exploiting Low-Cost Directional Antennas in 2.4GHz IEEE 802.15.4 Wireless Sensor Networks”, EUMW07: The 37th European Microwave Conference, 8-12 October 2007, Munich, Germany.

[17] L. Hu and D. Evans, “Using Directional Antennas to Prevent Wormhole Attacks”, In Proceedings of the 11th Network and Distributed System Security Symposium, 2004, pp. 131–141.

[18] L. Lazos, R. Poovendran, and S. Čapkun, “ROPE: robust position estimation in wireless sensor networks”, In Proceedings of the 4th international symposium on Information processing in sensor networks, Los Angeles, California, Apr. 2005, 43.

[19] C. M. Trang, H-Y. Kong, and H-H. Lee, “A Distributed Intrusion Detection System for AODV”, Asia-Pacific Conference on Communications (APCC '06), 2006, 1-4.

[20] Y. Zhang, J. Yang, and H. T. Vu, “The Interleaved Authentication for Filtering False Reports in Multipath routing based sensor networks”, 20th Int. IEEE Parallel and Distributed Processing Symposium, 2006.

[21] C. Perkins, E. M. Royer and S. Das, “Ad hoc On-Demand Distance Vector (AODV) Routing”, IETF RFC 3561, 2003.

438