dr. eirini karapistoli | electrical & computer...

+

Securing the information that resides in Wireless Sensor Networks

Dr. Eirini Karapistoli | Electrical & Computer EngineerPostdoctoral Researcher @ University of Macedonia, Thessaloniki, Greece

+Overview

Wireless Sensor Networks: Definition, Architecture, ComponentsAn introduction to WSN SecuritySecurity Goals – The CIA TriadSecurity Challenges and VulnerabilitiesThreats and Attacks

Defensive MeasuresCryptographyMAC authenticationSecure RoutingIntrusion DetectionSecurity Visualization

Research Challenges & Open IssuesConclusions

+Overview: 1st Part




+Definition

The term Wireless Sensor Network (WSN) Wireless Sensor Network (WSN) refers to a wireless network consisting of a large number of autonomous sensors that are spatially distributed in an area of interest in order to a) cooperatively monitor physical or environmental conditions, suchas temperature, sound, vibration, pressure, motion, pollutants, etc., b) store the measurements temporally, and c) transmit the collected sensory information to a remote server for further processing and upon request.

In achieving these objectives, the sensor nodes have sensingsensing, processingprocessing and communication communication capabilities.

Because of these characteristics, we are safe to state that a WSN extends the usefulness of existing information systems

in suitable application domains

+WSN Architecture

Internet, Internet, SatelliteSatellite

Sink

Sink

Task Manager

UserUserSensor Sensor

FieldFieldSensor Sensor NodeNode

Figure – The big picture

+Basic Characteristics of WSNs

WSNs consist of a large number of nodes, often in the order of thousands

WSNs are large‐scale networks with dense node placement:Densities can be as high as 20 nodes/m2 need for multi hop communicationThe topology may change frequently due to node addition/removal/failure

Sensor nodes are:Battery operated devices Battery operated devices designed for long unattended operationIn many applications it is impossible to replace/recharge the battery

Low cost*, size, and weight per nodeLow processing capabilitiesProne to failures

*not as low as one would expect (!)

+Differences from Mobile Ad‐hoc NETworks (MANETs)

Both are deployed in an ad hoc (infrastructure‐less) fashion

In some applications though, sensor nodes are placed at fixed positions

However,

The number of sensor nodes can be several orders of magnitude higher

These nodes have limited power & computational capacities and are prone to failure

The topology of a sensor network may change frequently due to node failure and/or addition/removal of nodes and not due to node movement

Sensor nodes mainly use broadcast communications, while most ad hoc networks are based on peer‐to‐peer (p2p) communications

Sensor nodes have tight integration with sensing tasks

May not have global ID (like IP address)

+Application Areas

WSNs are envisaged to support various applications, such as:

Military applications

Environmental monitoring

Habitat monitoring

Seismic or Acoustic Detection

Health Monitoring

Home Automation

Disaster Relief

environmental data collection: temperature light, humidity, pressure, solar radiation.

+Communication models

The communication model refers to the way information exchange is initiated in the network.

In general, communications in a WSN are triggered by queries or events

When the communication is initiated by the information holder, we havean information pushing communication model

Information Flow: Sensor Nodes Sensor Nodes SinkSink

When the communication is initiated by the requester, we have aninformation pulling communication model

Information Flow: Sink Sink Sensor NodesSensor Nodes

+Communication models (cont.)

Consequently, and based on the communication model, a WSN can becategorized as a:

Querydriven or requestdriven system

Information pulling is used in such systems/applications

For instance, in precision agriculture irrigation.

Eventdriven system

Information pushing is used in such systems/applications

For instance, in a forest fire detection application.

Timedriven systems

When, for example, the data reporting/collection is performed in a periodic manner.

Hybrid systems

+The Sensor Network Protocol Stack

Application Layer

Transport Layer

Network Layer

Data Link Layer

Physical Layer

Power M

anagement Plane

Mobility M

anagement Plane

Task Managem

ent Plane

End‐to‐end reliability, congestion control

Routing and packet forwarding

Multiplexing of data stream, data frame detection, Medium Access Control, Error Control

Packet transmission & reception, signal detection/ modulation, data encryption , frequency selection

Task assignment, user interaction

+The Management Planes

A sensor node must always be aware of the following three management planes in order to function properly:

1)1) Task plane: Task plane: The task plane balances and schedules the sensing tasks assigned to the sensor nodes.

Note that not all nodes are assigned with sensing tasks. Several of them can focus their energy only on routing and data aggregation.

2)2) Mobility plane: Mobility plane: The mobility plane detects and registers the movement of nodes so a data route to the sink is always maintained.

3)3) Power management plane: Power management plane: The power management plane is responsible for minimizing the power consumption. It may also turn off the functionality of several nodes in order to preserve energy.

+Standardization

The IEEE 802.15.4 IEEE 802.15.4 ““ZigbeeZigbee”” standard is the de facto standard for WSNs

It is defined by IEEE for low‐rate wireless personal area networks (WPANs)

The standard defines the physical layer “PHYPHY” and the medium access control layer “MACMAC”.

Concerning the PHY, it offers two options:operation @ 2400MHz ISM bandoperation @ 868/915 MHz band

Concerning the MAC, it is responsible for:Network formation: both star, tree, and peer‐to‐peer topologies are supportedCSMA‐CA channel accessing (either slotted or unslotted)

+Sensor Node Hardware Components

Sensors

ADC

ProcessorProcessor

MemoryMemoryTransceiverTransceiver

Location finding systemLocation finding system(optional)

MobilizerMobilizer(optional)(optional)

Sensing Unit Processing Unit

Power unitPower unit

Communication UnitEach sensor node is equipped with four major hardware units:

Power unitPower unitSensing unitSensing unitProcessing unitProcessing unitCommunication unitCommunication unitSensors CPU TX RX IDLE SLEEP

RADIO

+Examples of Sensor Nodes

Mica2

Mica2 Dot

Stargate

Rene’“Experimentation”

MicaZ

Dot“Scale”

Telos“Integrated Platform”

+Sensor Motes Timeline

Mica “Open Experimental Platform”WeC

“Smart Rock”

Rene’“Experimentation”

Dot“Scale”

Spec “Mote on a

chip”

Telos“Integrate

d Platform”

Mica2Dot

Mica2

200620062005200520042004200320032002200220012001200020001999199919981998

IMote

MicaZ

Stargate 2.0&

IMote2

Stargate

20082008

+Sensor Node Types and Tasks

Sensor TypesSensor Types: : • Accelerometers, Temperature sensors, Pressure sensors, Touch sensors

• Light (IR, Visible Light), Acoustic, Sound (Ultrasound), Radar sensors

• Seismic, Low Sampling Rate Magnetic, Thermal, Visual sensors

Sensor TasksSensor Tasks::• Temperature, Humidity, Lightning Condition,

• Pressure, Soil Makeup, Noise Levels, Speed level

• Presence/Absence of certain types of objects

• Direction and size of an object,

• Mechanical Stress Levels

+An RF Mote with Multiple Sensors

Figure ‐ Mica sensor board

+Power Consumption for Communication

A sensor node spends maximum energy in communicating with other nodes:

Pte/re is the power consumed in the transmitter/receiver electronics P0 is the output transmit power Ton is the transmitter “on” timeRon is the receiver “on” timeTst is start‐up time of the transmitter Rst is start‐up time of the receiverNt is the number of times the transmitter is switched “on” per unit of timeNr is the number of times the receiver is switched “on” per unit of time

)]([)]()([ stonreRonOstonteTc RRPNTPTTPNP ++++=

Important Note: Idle listening that is, listening to an idle channel in order toreceive possible traffic, consumes significant energy.

+Addressing the Idle Listening problem

Solution: Duty cycling or equivalently periodic sleep / listening

Sensor nodes communicate with their peers in their scheduled listen times

Periodicity can be implemented either in:a straightforward way (namely in schedule‐based protocols)or not (i.e. in the case of contention‐based protocols)

Listen Listen ListenSleep Sleep

(the radio is turned off when sleeping) t

for SYNC for RTS for CTS for Data

+Schedule Maintenance

1) Choosing a schedule

A mechanism is needed to enable nodes to choose their sleep/listen schedule.

Periodic neighbor discovery: How often shall nodes exchange their schedules?

↑ the frequency, when a sensor node has no neighbors.

2) Following a schedule

Maintaining synchronization is an issue due to clock driftsListen

Sleepfor SYNC for RTS for CTS

Receiver

Sender

CS

Tx SYNC

CS

Tx RTS Got CTS Tx DATAGot SYNC

Got RTS Tx CTSExtend listening to receive DATA

+Collision Avoidance

Collision Avoidance Strategy ~= IEEE 802.11 (contention‐based)

RTS/CTS/DATA/ACK

Physical carrier sense (CS)

Virtual carrier sense: Network Allocation Vector (NAV)

RTSSender

Receiver CTS

Other Sensors

DATA

ACK

NAV (based on RTS)

NAV (based on CTS)

Contend for medium access

defer access

+Computation vs. Communication Energy Cost

Energy ratio of “sending one bit” vs. “computing one instruction” is:

To communicate (send & receive) one KB To communicate (send & receive) one KB

= =

computing three million instructions!computing three million instructions!

Try to compute instead of communicate whenever possible

Key technique to achieve this objective is the well‐known in‐network data processing (also referred to as data aggregationdata aggregation)

Moreover, one may exploit compression schemes, intelligent network coding schemes, etc.

+Data Aggregation in WSNs

Why is data aggregation necessary?Sensor networks are event‐driven systems generated massive amounts of data

Example Query:

What is the maximum temperature in area A between 10am and 11am?

Problems:

Individual sensor readings are of limited use

Redundancy in the event data is thus needed, but it has its cons:

Forwarding raw information is too expensive!

Solution:

Combine the data coming from different sources

Eliminate redundancy

Minimize the number of transmissions

+Data Aggregation Process

Deployment phase:

Organize sensor nodes into a tree hierarchy rooted at the Base Station

Non‐leaf nodes act as the aggregators

Query dissemination phase: queries are pushed down into the network

Collection phase: aggregate values that are routed up from children to parents

Leaf nodes….9 messagesLevel 1……….12 messagesLevel 2……….13 messagesTotal messages = 34

Leaf nodes….9 messagesLevel 1………..3 messagesLevel 2………..1 messageTotal messages = 13

With aggregation:

Without aggregation:

+Factors influencing the design of WSNs

Power Consumption

Network lifetime prolongation is the primary design objective in WSNs

Fault Tolerance (Reliability)

Ability to sustain sensor network functionality without any interruption

Scalability

Production Costs

The cost of a single node is very important to justify the overall cost of the network.

Hardware Constraints

All sub‐units need to be fitted into a very compact area and need to be designed carefully

Operating Environment (sometimes friendly, others hostile)

Security Concerns

+Overview: 2nd Part




+Are WSNs secure?


Sink

Sink

Task Manager



+WSNs are vulnerable to various types of attacks


Sink

Sink

Task Manager



Spoofed Spoofed Routing Routing

informationinformation

WormholeWormholeAttackAttack

+Security Goals – The CIA Triad

According to ISO/IEC 27002, “confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (guaranteeing the accuracy and completeness of information and processing methods), and availability (ensuring that authorized users have access to information and associated assets when required)”must be preserved.

+More Security Goals

AuthenticationAuthentication:: enabling a node to ensure the identity of the peer node with which it communicates.

Informally, data authentication allows a receiver to verify that the data was sent by the claimed sender.

FreshnessFreshness: ensuring that

Messages are recent,

Messages are ordered,

No old messages (duplicates) have been replayed.

NonNon‐‐repudiationrepudiation: ensuring that the origin of a message cannot deny having sent the message.

+Security Challenges

Constrained Resources

All security approaches require a certain amount of resource for their implementation.

However, these resources are very limited very limited in a wireless sensor node.

Table ‐ Sensor‐platform power consumption and resource data

+Security Challenges

Unattended Operation

Sensors are vulnerable to physical tamperingphysical tampering

Depending on the function of a particular WSN, the sensor nodes may be left unattended for long periods in an environment open to adversaries. The longer a sensor is left unattended the more likely an The longer a sensor is left unattended the more likely an adversary will compromise it.adversary will compromise it.

Overall, the limited physical protection of sensor nodes represents the major vulnerabilityvulnerability of a WSN.

+Security Challenges (cont.)

Selforganization

A WSN is an ad hoc network and there is no fixed infrastructure available for the purpose of network management.

This inherent feature brings a great challenge to several networThis inherent feature brings a great challenge to several network k security schemes security schemes (for instance to public key cryptography techniques)..

Unreliable Communication

WSNs are vulnerable to security attacks due to the broadcast nature of the transmission medium. This means that eavesdropping can be eavesdropping can be easily performed.easily performed.

The unreliable communication channel may also lead to damaged or dropped packets. If the protocol lacks appropriate error handling, it is possible to lose critical security packets, such as a cryptographic key.

+Threats and Attacks

A threat is a circumstance or event with the potential to adversA threat is a circumstance or event with the potential to adversely impact a ely impact a system through a security breach.system through a security breach.

Potential threats to WSNs include: power drainage, physical tampering, extinction upon deployment due to the hostile environment or deliberate attempts to subvert a node by breaching the security.

An attack can be defined as the action that intentionally aims tAn attack can be defined as the action that intentionally aims to cause o cause damage to the network by exploiting a particular vulnerability.damage to the network by exploiting a particular vulnerability.

The security of the WSNs is compromised due to the attacks.

+Threats and Attacks (cont.)

According to Karlof et. al., the threats in a WSN can be classified into the following categories:

External Vs Internal Attacks:External Vs Internal Attacks:

External attacks External attacks include attacks launched by a node that does not belong to the logical network, nor it has any internal information about the network, such as cryptographic information.

Internal attacks Internal attacks include attacks launched by either compromised sensor nodes running malicious code or adversaries who have stolen the key material, code, and data from legitimate nodes and who then use one or more laptop‐class devices to attack the network.


Passive Vs Active attacks:Passive Vs Active attacks:

Passive attacks Passive attacks are able to retrieve data from the network that might be used later when launching an active attack.

These attacks do not have any direct effect on the network.

Passive attacks are in the nature of eavesdroppingeavesdropping or monitoring of packets exchanged within the network.

Active attacksActive attacks, on the other hand, can disrupt the normal functionality of the whole network by modifying the original data, by injecting falsehood data, and much more.

Most of these attacks result in a denialdenial‐‐ofof‐‐service (DoS)service (DoS), which is a degradation or a complete halt in communication between nodes.

It is difficult to recognize this type of attack, because the attacker behaves like a legitimate node in the network.


MoteMote‐‐class Vs Laptopclass Vs Laptop‐‐class attacks:class attacks:

In motemote‐‐class class (sensor(sensor‐‐class) attacksclass) attacks, an adversary attacks a WSN by using a few nodes with similar capabilities as that of network nodes.

In laptoplaptop‐‐class attacksclass attacks, an adversary can use more powerful devices like laptop, etc. and can do much more harm to a network than a malicious sensor node.

These types of attackers can jam the radio link in its immediatevicinity.

An attacker with laptop‐class devices have greater battery power, a more capable CPU, a high‐power radio transmitter, or a sensitive antenna and hence they can affect much more than an attacker with only ordinary sensor nodes.

+Common Attacks

EavesdroppingEavesdropping: an attacker intercepts packets transmitted over the air for further cryptanalysis or traffic analysis.

Traffic analysisTraffic analysis: allows an attacker to determine that there is activity in the network, the location of the BSs, and the type of protocols being used.

Message injection: Message injection: The message injection attack allows an adversary who can perform an active network attack to inject bogus controlinformation into the data stream.

Message modificationMessage modification: is a subset of a message injection attack where a previously captured message is modified before being retransmitted

Replay attack: Replay attack: Another active attack is message replay. The adversary performs a replay attack by first intercepting a valid, critical data packet, and then by retransmitting it at a later time.

Passive attacks

Passive attacks

Active attacks

Active attacks

+Denial‐of‐Service (DoS) Attacks

DenialDenial‐‐ofof‐‐Service (DoS) attacksService (DoS) attacks: In this form of attack, the attacker seeks to prevent any part of the WSN from functioning correctly or in a timely manner.

Accordingly, DoS Attacks can either cause

Service degradation (e.g., through generating collisions), or

Service disablement (e.g. through jamming, power exhaustion, etc.)

Layer‐based DoS attack categorization:Layer Attack

Physical layer JammingData Link Layer Collision, ExhaustionNetwork Layer MisdirectionTransport Layer Flooding, DesynchronizationApplication Layer Path‐based DoS

+DoS Attacks (cont.)

JammingJamming: Jamming is simply the transmission of a radio signal that interferes with the radio frequencies being used by the sensor nodes.

The jamming of a network can come in two forms: constant jammingconstant jamming, and intermittent intermittent jammingjamming. Constant jamming involves the complete jamming of the entire network. No messages are able to be sent or received. If the jamming is intermittent, then nodes are able to exchange messages periodically, but not consistently.

CollisionCollision: This is a DOS attack, where a node induces a collision in some small part of a transmitted packet. The packet will then fail the checksum check, because of the changes brought on by the collision, and the receiver node will then ask for a retransmission of the packet.

ExhaustionExhaustion: This attack is a collision attack taken a bit further. A malicious node may conduct a collision attack repeatedly in order to exhaust (deplete) the power supply of the communicating nodes.

+DoS Attacks (cont.)

MisdirectionMisdirection: In this attack a malicious node, that is part of a route, can instead of dropping packets, quite simply send them on a different path where there does not exist a route to the destination. The malicious node can do this for certain packets, or all packets.

JellyFish is a particular DoS attack in which relay nodes stealthily reorder, delay, or periodically drop packets that are expected to be forwarded, in a way that leads to end‐to‐end congestion control protocols astray.

Flooding: Flooding: can be as simple as sending many connection requests to a susceptible node. In this case, resources must be allocated to handle the connection request. Eventually, a node’s resources will be exhausted, thus rendering the node useless.

DesynchronisationDesynchronisation: In a de‐synchronization attack, an active connection is interrupted by an attacker by transmitting forged packets with control flags to desynchronize the endpoints so they retransmit the data.

PathPath‐‐based DoSbased DoS: An adversary overwhelms sensor nodes by flooding a multi hop end‐to‐end communication path with either replayed or injected false message to waste secure energy resources.

+Impersonation Attacks:The Sybil Attack

Newsome et al. describe the Sybil attack as a particularly harmful attack against sensor networks, where “a malicious node illegitimately claims multiple identities”

The Sybil attack can disrupt geographic and multi‐path routing protocols.

Adversary A at actual location (3,2) forges location advertisements for non‐existent nodes A1, A2, and A3 as well as he advertises his own location. After hearing these advertisements, if Bwants to send a message to C (0,2), it will attempt to do so through A3. This transmission can be overheard and handled by the adversary A.

+Node Compromise Attack

Most of the previously shown attacks can be performed by outsiders. However, if an attacker have access to the network as one of its elements, i.e. as an insider, it is possible to perform attacks that are more subtle and devastating.

The first step to become an insider is to compromise a node.

An embedded device is considered being compromised when an attacker, through various means, gains control or access to the node itself after it is being deployed. By compromising one node, an external attacker can become an internal attacker and launch more severe attacks.

It is very hard to detect this type of attack because the attacker follows the normal network protocols without showing an anomaly.

+Attacks on specific protocols

Acknowledgement spoofing: Acknowledgement spoofing:

Some routing protocols use link layer acknowledgments (ACKs).

An attacker may spoof these ACKs to trick other nodes to believe that a link or node is either dead or alive.

Attack against TinyOS beaconingAttack against TinyOS beaconing:

The base station periodically broadcasts beacons or “route updates”.

An attacker can use this mechanism to create routing loops by broadcasting spoofed beacons that announce a different node as the BS.

Figure‐ Attack against TinyOS beaconing

+Spoofed, altered, or replayed routing information

In this type of attack, the routing info is altered, falsified or replayed.

This type of attack may be used for:

loop construction

attracting or repelling traffic,

extending or shortening the source route

In this example, an adversary pollutes the entire network by sending bogus routing information in an attempt to be perceived as the base station and as such, it attracts the network traffic.

Figure ‐ An adversary sending bogus routing information and attracting the network trafficFigure – A representative topology constructed using TinyOS beaconing with a single base station.

+HELLO Flood Attack

Every new node broadcasts “Hello Hello messagesmessages” to find its neighbors. Also, it broadcasts its route to the BS.

Other nodes may choose to route data through this new node if the path is shorter.

A laptop‐class adversary that can retransmit a routing update with enough power to be received by the entire network can convince the network nodes to choose him as their parent.

Target nodes attempt to reply to the adversary node, but the adversary is out of out of radio rangeradio range.

This attack puts the network in a state of confusion.

Figure ‐ HELLO flood attack.

+Sinkhole Attack

Typically, all packets are directed to the base station

In sinkhole attack, a malicious node advertises a high quality link to the base station to attract the packets from his surrounding nodes.

This type of attack may enable other types of attacks, i.e., a wormhole attack or selective forwarding

Figure ‐ An example of a Sinkhole attack

+Wormhole Attack

The attacker does not need any key material. All it requires is two transceivers and one high quality out‐of‐band channel in order to create a ‘wormholewormhole’.

Then, the attacker tunnels the packets received at one location of the network and replays them in another location.

The wormhole can drop packets directly or more subtly selectively forward packets to avoid detection

Wormhole linkWormhole link

Figure ‐ A laptop‐class adversary using a wormhole to create a sinkhole in TinyOS beaconing.

+Selective Forwarding

Multi hop routing is prevalent in WSNs.

It is assumed that nodes faithfully forward the received messages.

In selective forwarding, a malicious node refuses to forward all or a subset of the packets it receives and simply drops them.

More dangerous: If a malicious node drops all the packets, the attack is then called blackholeblackhole.

+Overview ‐ 3rd Part




+Preserving the CIA of WSNs: An Overview of Countermeasures

Confidentiality is provided through the use of encryption technologiesencryption technologies. .

Cryptographic algorithms such as the DES, RC5, RSA are used to protect the secrecy of a message.

MAC (Message Authentication Code) or Digital Signature AlgorithmMAC (Message Authentication Code) or Digital Signature Algorithmss (DSA) (DSA) can be used to assure the recipient’s integrity of the data and authenticity of the message

Digital Signatures Digital Signatures can be used to ensure nonrepudiation.

Availability can be achieved by adding redundant nodes. Multi path adding redundant nodes. Multi path and probabilistic routing and probabilistic routing can also be used to minimize the impact of unavailability.

Data freshness is ensured by adding a counter value counter value in each message.

+Cryptography Review

The standard approach for achieving confidentiality is to encrypt the data with a secret key that only intended receivers possess.

The security of a cryptographic system relies mainly on the secrecy of the key it uses.

If an attacker can find the key, the entire system is broken because he or she can use the key to decrypt the intercepted ciphertexts and find the original plaintexts.

Figure Encryption and Decryption Processes

+Cryptographic Systems

Symmetric key cryptographySymmetric key cryptography

Uses a shared secret key for both encryption and decryptionPros: more resource‐efficientCons: Problem with key distribution

E.g.: DES (Data Encryption Standard), AES, RC5 (Rivest Cipher 5), etc.

Public key (or asymmetric) cryptographyPublic key (or asymmetric) cryptography

Uses a two‐key pair (a private one and a public one): the public key is used for encryption and can be published, while the private key is used for decryption.No need to share a secret key!

Pros: easier to manage and more resilient to node compromiseCons: computationally expensive ‐ RC5 is 200 times faster than ECC!

E.g., RSA (Rivest–Shamir–Adleman), El‐Gamal, Elliptic‐Curve cryptography ‐ECC

+Key Management

An important issue is how to securely manage the keys between the sender and the receiver.

Generally speaking, two are the major strategies to symmetric key management:

Master key based solutionsMaster key based solutions

Use a single secret key for the entire network

Pros: efficient in terms of computational and memory costs.

Cons: the compromise of only a single sensor node exposes all communications over the entire WSN

PairPair‐‐wise key based solutionswise key based solutions

Each sensor stores distinct pair wise keys for all possible pair of sensors

Pros: The scheme has good resilience against attacks

Cons: The scheme is not scalable and raises memory issues.

+Master Key based solutions

Network wise key preNetwork wise key pre‐‐distributiondistribution

A naïve approach will be to pre distribute a single (master) key to all the sensors before deployment.

After deployment, the sensors communicate with their neighbors and achieve new pair wise keys using the master key.

If one of the nodes is compromised, the whole network is compromised as it is easy to derive all the pair wise keys from the master key.

Centralized key distribution through a trusted base stationCentralized key distribution through a trusted base station

Each node needs to share only a single master key with the base station, which acts as a key distribution center (KDC).

Then, nodes dynamically set up keys with other nodes through the BS.

The BS becomes a single point of failuresingle point of failure. Only if a tamper‐resistant packaging is used for the BS, one may reduce the threat of physical attack.

+Pair‐Wise Key based solutions

PairPair‐‐wise key prewise key pre‐‐distributiondistribution

A naïve approach would be to pre distribute (n‐1) keys to each sensor, n is the WSN size

Security is perfect, but memory is an issue. Moreover, new nodes cannot be added.

Random key preRandom key pre‐‐distributiondistribution

Instead of storing all the keys on each sensor a subset of these keys is stored.

A random subset of keys (n) of a large pool (m) of keys is distributed to each node, n<m

In order to communicate, two nodes search their pools for a common key:

If they find one, they use it to establish a session key

Not every pair of nodes shares a common key, but if the key establishment probability is high, nodes can communicate with sufficiently many nodes to obtain a connected network.

Relatively simple to implement avoiding the need to include a trusted BS

Attackers who compromised sufficiently many nodes could also reconstruct the complete key pool and break the scheme.

+More Solutions

Key Management Schemes Using Deployment KnowledgeKey Management Schemes Using Deployment KnowledgeThis method first models sensor node deployment knowledge in a WSN and then develops a key pre‐distribution scheme based on this model.

LocationLocation‐‐based key management schemebased key management scheme

This method decides which keys to put on each node depending on their locations.

Session based Key ManagementSession based Key Management

These schemes are using timestamps to generate keys to communicate with other sensor nodes.

GroupGroup‐‐Based Key ManagementBased Key Management

Most proposed solutions for group based key management use a session key concept.

HierarchicalHierarchical‐‐Based Key ManagementBased Key Management

These schemes are based on the use of a tree topology, where the child and parent sensor nodes establish keys using various schemes. As such, they are useful for hierarchical networks.

+Message Authentication Code (MAC)

MAC is the common solution to ensure integrityintegrity and authenticationauthentication of messages in conventional networks.

A MAC can be viewed as a hash function* applied on each data packet.

Computing the MAC requires the senders and receivers to share a secret cryptographic key, and this key is part of the input to the above computation.

A receiver sharing the same key can verify the integrity of the message by computing the MAC value and by comparing it with the received one.

If the two hashes are equal the receiver accepts the packet.

* Common hashes include MD5 and SHA

+IEEE 802.15.4: Security Suites

From a standard’s perspective, the IEEE 802.15.4 (ZigBee) Standard defines several security suites

Name Description

Null No securityAES‐CTR Encryption only, CTR modeAES‐CBC‐MAC‐128 128‐bit MACAES‐CBC‐MAC‐64 64‐bit MACAES‐CBC‐MAC‐32 32‐bit MACAES‐CCM‐128 Encryption and 128‐bit MACAES‐CCM‐64 Encryption and 64‐bit MACAES‐CCM‐32 Encryption and 32‐bit MAC

CTR: Counter Mode | CBC: Cipher Block Chaining | CCM: Counter with CBC‐MAC

+Standalone Security Protocols for WSNs

Secure Network Encryption Protocol (SNEPSNEP)SNEP provides with confidentiality, two‐party data authentication, and data freshness

μμTESLATESLAextension of the TESLA protocol (by considering resource limitations)focuses on the need for authenticated broadcast in WSNs

TinySecTinySecA lightweight and generic link‐layer security packageSupports two different security options:1. authenticated encryption (TinySec‐AE)

Data payload is encryptedMAC is used to authenticate packet

2. authentication only (TinySec‐Auth)

+Digital Signatures (DSs)

Digital signatures (DSs) are used to support authentication, non‐repudiation, and data integrity

It can be thought of as the digital equivalent of handwritten signatures in real life.

The basic idea is to associate something unique with the signer, which can be verified later.

At the pre‐phase:

A public‐private key pair is generated.

The private key is given to the signer and the public key to the verifier.

The signer uses a hash function to find the hash of the data to be signed.

+Digital Signature Generation and Verification Processes

To create a digital signature the signer simply encrypts the hash using his private key and sends this along with the data to the receiver.

The verifier uses the same hash function as the signer to find the hash of the data (Hash 1).

The verifier uses the public key of the signer to decrypt the signature he received.

This decryption gives the verifier a hash (Hash 2). If it matches with the hash of the data, we can be sure that the data hasn’t been modified or tampered.

Figure – Digital Signature Generation

Figure – Digital Signature Verification

Data Hash

Private Key

Signature Data

Message

Hash 2

Hash 1

Public Key

Message

Signature Data

= ?

Yes = Data/Hash un‐tamperedNo = Data/Hash tampered

+Secure Routing

Proper routing and forwarding are essential for communication in WSNs.

Basic tasks relevant to routing:

Route discovery

Packet Forwarding

Route maintenance

However, there is an inherent tradeoff when designing a routing protocol for WSNs:

energy Vs. security energy Vs. security or equally

optimizing route Vs. susceptibility to attacksoptimizing route Vs. susceptibility to attacks

B

D E

F G

CA

+Routing in WSNs

WSN technology has a strong heritage from MANETs. However, in most cases, mobility of sensors is not present, and the network has a data reporting role to special nodes. Thus, the conventional anyone‐to‐anyone unicast routing protocols is abandoned.

Moreover, intermediate nodes can perform data aggregation and caching in addition to routing.

Not node‐to‐node packet switching, but node‐to‐node data propagation.

b) Stationary, sink−based reporting architecturea) Classic ad hoc architecture. Any‐to‐any node communication

+Routing Challenges

Constrained Resources:

Sensor nodes are energy‐ and computationally‐limited

Sensor node failures may lead to connectivity issues

Node heterogeneity:

Heterogeneous nodes with different roles & capabilities

Scalability issues:

Fully distributed network without global knowledge

Large numbers of sources and sinks covering a large area

Large coverage area

Topological and geographical issues exist since value of data is a function of time and location

outout‐‐ofof‐‐date data is not valuable! date data is not valuable!

+Taxonomy of Routing Protocols: Based on the Routing Scheme

Flat rFlat routing schemesouting schemes which employ a uniform role on the forwarding policy among the nodes.FLOODING: Broadcast data to all neighbor nodes regardless if they have received it

GOSSIPING: Send data to one randomly selected neighbor

B

D E

F G

CA

+Taxonomy of Routing Protocols: Based on the Routing Scheme (cont.)

Hierarchical routing Hierarchical routing schemes schemes : Sensor nodes form clusters where the cluster‐heads aggregate and fuse data before sending it to the sink to conserve energy. Clustering includes:Selection of the nodes that will become CHs Cluster formation based on the received signal strength (grouping of sensors around each CH)CHs compress data received by the nodes in the cluster and sends them to the Sink (usually after aggregation)Advanced features:Energy‐aware CH selectionCH role rotation and cluster re‐formation

Sink

CHCM

e.g. a 2‐level hierarchical routing scheme

Sink

CHCM

+Taxonomy of Routing Protocols: Based on the Routing Scheme (cont.)

LocationLocation‐‐based routing schemes based routing schemes where nodes are addressed based on their location.

These approaches require the sensor nodes to be equipped with GPS or other similar location‐finding devices.

An example: the Geographic Adaptive Fidelity (GAF) protocol

− Associate each node with a point in the virtual grid

− Nodes associated with the same point on the grid are considered equivalent in terms of the cost of packet routing

− Figure: Node 1 reaches node 5 via nodes 2, 3 & 4 which are equivalent; Any of the other two nodes in Grid B can sleep without affecting routing.

1

2

3

4

5

Grid A Grid B Grid C

rgrid size

r r

+Taxonomy of Routing Protocols: Based on the Addressing Scheme

NodeNode‐‐centric addressing schemes centric addressing schemes are the classic addressing schemes in which a packet is addressed and routed with respect to the destination node’s id. LocationLocation‐‐centric addressing schemes centric addressing schemes use the naming of a location for specifying the destination. Some addressing schemes may allow situations such as more than one nodes satisfying the location being addressed, in which case all those node may serve the packet.DataData‐‐centric addressing schemes centric addressing schemes use the naming of the wanted information as the destination of packets. In such addressing schemes, packet forwarding usually follows a flooding or gossiping policy, mainly because it is not known at what node the addressed information may reside. For instance, request

"the areas where the temperature is over 50F" rather than

"the temperature read by a certain node (e.g., #27)”

+Are Routing Protocols for WSNs Secure?

Unfortunately, most sensor network routing protocols are not designed with security considerations.

This is why a number of well‐known routing protocols are susceptible to attacks.Protocol Relevant Attacks

Directed diffusion and its multipath variants

Bogus routing information, selective forwarding,sinkholes, Sybil attack, wormholes, HELLO floods

Geographic routing (GPSR, GEAR) Bogus routing information, selective forwarding, Sybil attack

Minimum cost forwarding Bogus routing information, selective forwarding,sinkholes, wormholes, HELLO floods

Clustering‐based protocols (LEACH, TEEN) Selective forwarding, HELLO floods

Rumor routing Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes

Energy conserving topology maintenance (SPAN, GAF, CEC, AFECA)

Bogus routing information, Sybil attack, HELLO floodsTable ‐ A summary of attacks against routing protocols

+Secure Routing ‐ Countermeasures

Link layer security

Simple link layer encryption and authentication using a globally shared key can prevent the majority of outsider attacks: bogus routing information, Sybil, Selective Forwarding, Sinkholes.

Link layer security mechanisms provide little protection against insiders, HELLO floods, and Wormholes.

Wormhole and sinkhole attacks

Routing protocols that construct a topology initiated by a base station are the most vulnerable against these types of attacks.

Solution: Geographic protocols that construct topology on demand using localized node interactions instead of using the base station s can provide with a solution.

+Secure Routing ‐ Countermeasures (cont.)

Sybil Attack:

Solution #1: Defending against Sybil attacks can be as simple as sharing a unique symmetric key between the sensor nodes and a trusted base station.

This verifies the bidirectionality of links and prevents an attacker that have claimed multiple identities

Solution #2: The base station can also limit the number of nodes an insider can have communication.

This also limits the number of nodes an adversary can communicate with.

Hello Flood Attacks:

Measures against Sybil Attack, like limiting the number of verified neighbors to a node, will also prevent Hello Flood Attacks.

+Secure Routing ‐ Countermeasures (cont.)

Geographic routing attacks

Geographic routing is secure against wormhole, sinkhole, and Sybil attacks, but the remaining problem is that the location advertisement must be trusted.

Solution #1: Use fixed topology to eliminate the need for location information.

Solution #2: Restricting the structure of the topology can eliminate the need for nodes to advertise their locations if all nodes’ locations are known.

Selective forwarding

Solution #1: Multipath and probabilistic routing limits effects of selective forwarding.

Solution #2: Probabilistic selection of next hop can also add to security.

Solution #3: Messages routed over N paths whose nodes are completely disjoint is also an effective solution.

+Resilience to Node Capture

In traditional networks, physical security is often taken for granted.

Sensor nodes, by contrast, are likely to be placed in open locations and remain unattended for long periods. This means that an attacker might:

capture one or several sensor nodes and extract cryptographic secrets

modify their programming

possibly replace them with malicious nodes

Camouflage housing or tamper‐resistant packaging of the sensor nodes may be one defense.

However, these methods are expensive.

+Possible Defenses to DoS Attacks

Jamming AttacksJamming Attacks: Deliberate interference of radio reception to deny the target’s use of a communication channel

Defense techniques:

Use of spread spectrum techniques, frequency hopping

Knowledge of jamming detection can allow avoiding of the jamming route.

Power exhaustion attacksPower exhaustion attacks: An attacker may simply violate the communication protocol, and continually transmit messages in an attempt to generate collisionscollisions. Using this technique an attacker could deplete a sensor node’s power supply by forcing too many retransmissions and causing power exhaustion.

Defense Techniques:

Use of error‐correcting codes

Use of rate‐limiting schemes (excessive requests will be ignored)

+Other Network Security Services

So far, we have explored low‐level security primitives for securing wireless sensor networks.

Now, let us consider high‐level security mechanisms.

These include the following:

Secure Data Aggregation

Intrusion Detection

Security Visualization

+Secure Data Aggregation

Data aggregation Data aggregation is employed in WSNs in order to avoid sending overwhelming amounts of sensed values back to the base station.

A serious issue connected with data aggregation is data securitydata security.

This is because, existing schemes assume that every network node is honest. However, any compromised (aggregator) node can inject faulty any compromised (aggregator) node can inject faulty data in the networkdata in the network.

+Secure Data Aggregation Schemes

HopHop‐‐byby‐‐hop encryption schemes:hop encryption schemes:The sensing nodes generate data, encrypt it and send it to the aggregator.The encrypted data is decrypted at the next hop node, & encrypted back after aggregation. This process is repeatedrepeated at every node on the way to the base station.

Sink

Operations:

Aggregator Nodes

Sensor Nodes

1. Decryption

1. Decryption 2. Aggregation3. Encryption

1. Sensing2. Encryption

Figure ‐ Overview of hop‐by‐hop aggregation

+Secure Data Aggregation Schemes (cont.)

EndEnd‐‐toto‐‐end encryption schemes:end encryption schemes:In end‐to‐end encryption, the data is NOT decrypted at the intermediate nodesthe data is NOT decrypted at the intermediate nodes. Only the BS has the ability to decrypt it!Only the BS has the ability to decrypt it!From a computational view, this approach helps save resources since aggregators do not have to carry out costly decryption operations

Figure ‐ Overview of end‐to‐end aggregation

Sink

Operations:

Aggregator Nodes

Sensor Nodes

1. Decryption

1. Aggregation applied on the encrypted data

1. Sensing2. Encryption

+Intrusion Detection: The Second Line of Network Defence

Intrusion detection Intrusion detection is the process of discovering, analyzing, and classifying malicious activities that have penetrated the network. Every network activity can be categorized as NORMAL, ABNORMAL (but NOT malicious),MALICIOUS

Intrusions AttacksMisuse of resources Data correlations

Response Terminate Connection

Block IP Add. Recovery

Firewalls Encryption ‐ Authentication

+

CollectionCollection of the audit data

Localization data

Routing information

Analysis and classification Analysis and classification of the audited data

Identify the intrusion characteristics

Detect the intrusions. Two common types exist:

AnomalyAnomaly‐‐basedbased (categorizes the traffic as either normal or abnormal based on heuristics or rules, rather than known attack patterns)

MisuseMisuse‐‐basedbased (creates “signatures” of known attacks)

Locate the intrusions (i.e. perform attack attribution)

By doing this, the effects of the detected attack can easily be mitigated by taking prompt counteractionscounteractions.

Required Technologies

+Intrusion Detection in WSNs

In wired networks, network traffic is typically monitored and analyzed for anomalies at various concentration points.

WSNs, however, require a solution that is fully distributed fully distributed and inexpensive inexpensive in terms of energy and memory requirements.

Current strategies to WSN anomaly detection identify the following attacks:

Sinkholes and Wormholes

DoS attacks

Sybil attacks

Hello Floods

Selective Forwarding

+Overview – 4th Part

Wireless Sensor Networks: Definition, Architecture, Components

An introduction to WSN SecuritySecurity Goals – The CIA TriadSecurity Challenges and VulnerabilitiesThreats and Attacks


Research Challenges & Open Issues

Conclusions

+The problem

Various security mechanisms have been proposed to address the network security concerns.

Despite the fast development of computer security mechanisms, the scale the scale and complexity of the generated network data and complexity of the generated network data put ever increasing challenges to the representation and understanding of the security‐relevant information.

Thus, we have:

1) the problem of information growth on one hand

The problem The problem of of

information information growthgrowth

This infographic by DOMO

breaks down the amount of data

generated on the Internet

every minute!

+The problem

Various security mechanisms have been proposed to address the network security concerns.

Despite the fast development of computer security mechanisms, the scale the scale and complexity of the generated network data and complexity of the generated network data put ever increasing challenges to the representation and understanding of the security‐relevant information.

Thus we have:

1) the problem of information growth on one hand, and

To address the soTo address the so‐‐called security overload problem called security overload problem researchers turned to information visualization!researchers turned to information visualization!

2) the problem of the increased cyber‐/net‐criminality on the other hand

+Definition

“Information visualization is a technique that has been used for a long

time to represent information clearly and effectively through

graphical means.

By creating interactive visual representations of the information, it

exploits the human’s perceptual and cognitive capabilities of problem

solving to extract information”.

+Why visualization?

One of the major contributions of visualization is that it facilitates the network traffic analysis.

Traditional network analysis software only provide detailed text‐based output.

Consider how difficult and time‐consuming is for the system administrators to read a

text‐based log file recording the traffic exchanged over the

network the past twenty‐four hours.

+Until now…Visualization for network traffic analysisNetwork traffic visualization is one of the first directions to take when it comes to understanding, and analyzing information in vast amounts of network data.

Many visualization tools graphically monitor real‐world or simulated wired and wireless networks (e.g., TOSSIM, OPNET, NS‐3, etc.).

While these tools offer some form of visualization, they are designed for applications other than network securityother than network security. Accordingly, these tools:

Lack the specialized techniques in visualizing security‐related data.

Tend to miss abnormalities attacks that occur unpredictably.

+

Network a

nalysis ba

sed on

advanced

visual an

alytics

Now…Visualization for network security

The power of visualization should go beyond the simple ”illustration” of network behavior so as to enable the security analysts to discriminate between normal and abnormal network activities.

Simple ne

twork tra

ffic analys

is

+Definition

“Network security visualization is the process of mapping

network data into meaningful visual representations that

enable the user to efficiently integrate automated, data

mining methods with expert human intuition for the

detection of complex patterns of abnormal network activity. “

In other words, it is where Data Mining Data Mining and VisualizationVisualization

converge to provide with tools that give better insight into

the network security problem.

+A bit of history

Visualization and data mining have always been, and still are, somewhat in competition. From the one hand, data miners see visualization as a too soft data miners see visualization as a too soft disciplinediscipline, lacking of enough formalism and with the original sin of having poor evaluation methods in its toolbox. From the other hand, visualizers think data visualizers think data mining is too rigid and narrowly focusedmining is too rigid and narrowly focused on a plethora of insignificant small details to algorithms that nobody will ever understand.

Both are partially right or wrong. What has been missing during the last decade is a fruitful exchange of ideas from these divided communities to take the best out of them. There is no question that what one discipline lacks is perfectly filled up, in a complementary fashion, by the other.

The truth is that today we just cannot afford taking the two completely today we just cannot afford taking the two completely separatedseparated.

+Why Visualization cannot afford ignoring Data Mining

Data is full of rubbish: Data never comes for free, you have to manipulate it in order toaccommodate the needs you have for your project. The most classical things you will need to deal with are: missing values, outliers detection, normalization, aggregation, sampling, etc. Each one of these requires robust and solid techniques from data miners.

Humans don’t scale, machines do: There is no way to visualize a billion items. If you assign every item to one single pixel (known as pixel‐based visualization), which is the maximum scalability available, you will need either a huge screen or very tiny pixels. On the other hand, machines do scale and can crunch monstrous amounts of data.

We need order, in order to thrive: No matter how clever your visualization is and how skilled you are as a designer, visualization just cannot afford answering some questions without some kind of automatic abstraction and order. Data visualization is very powerful when lots of details can be exposed about every single item, but this is not scalable, plus finding the right set up for any given question is hard and inefficient. Data mining offers some clear scaffolds around which one can build clear questions and receive somewhat clear answers.

+Why Data Mining cannot afford ignoring Visualization

Parameter setting is voodoo science. Despite the all encompassing goal of making things as automatic as possible without human intervention, almost all data mining techniques require some kind of parameter setting. It is that the user has to go through a lengthy trial‐and‐error process in a feedback loop fashion: (1) set the setting, (2) run it, (3) look at the results …satisfied? Not really … go back to point (1) and repeat. There is clearly a huge role of visualization here. Visualization can help to better understand the output, compare alternative results, understand the relationship between the parameters an the output.

You cannot trust black boxes. The issue of trust is very well known among data miners: the models data mining algorithms build are often arcane and even if something seems to work, there is no way to really understand why and how it works. Visualization has the power to shorten this gap and help model builders gain better confidence on the babies they build.

There is no right answer. Data Mining has a long tradition for providing tools to build models that give clear cut answers automatically: “should I give the loan to this customer or not?“. This is fine and useful, but many of the modern inquiries on data are not so clear‐cut. Data analysis is often exploratory and there’s no right answer. When mining is used for this purpose it necessarily needs a certain level of flexibility: ask a question, produce some initial results, visualize them, understand better the problem, change the parameters, use another algorithm, compare alternative results etc … and how do you do that without visualization?and how do you do that without visualization?

+The convergence

It became apparent that there is no way to tackle the data analysis challenges data analysis challenges of

the new millennium without integrating these two branches of knowledge. The

problems we face today require at least the following two broad features that no

discipline is able to cover alone:

1.1. Coping withCoping with monstrousmonstrous datadata

2.2. Harnessing the complexity of the Harnessing the complexity of the machinemachine

Some few (feeble) signs of a new marriage seems to be coming to light. What is

Visual Analytics Visual Analytics if not an attempt from the visualizers to acknowledge the fact

that visualization without analytics is like tilting at windmills?

Source: http://fellinlovewithdata.com/reflections/why‐visualization‐cannot‐afford‐ignoring‐data‐mining‐and‐vice‐versa

+The visualization process

The visualization process consists of 4 basic steps:

The visualization software first has to capture the raw network data. The raw data shall then be transformed in a way to support visualization and analysis (typically one data attribute is mapped to one visual attribute).The transformed data is then displayed on the screen using the computer‘s windowing and rendering system. To provide appropriate user control, the GUI incorporates interaction methods.Finally, the human visual cortex will reverse the transform to provide the user with a better understanding of the data.

Data Collection

Data Transformation & Mapping

Visual Representation & User Integration

Computer Graphics

Automated Algorithms

Human Perception

Human Analytical Reasoning

Visualanalytics

+Visualization Advantages

Improves situational awareness

Visualization speeds detection of patterns in volumes of data

Innate capabilities for visual pattern detection allow people to see patterns they might miss in textual information.

Efficiently combines the output of heterogeneous data into an easily understood picture

With visualization it is easier to communicate the results of an analysis to others in pictorial form

Visualization reduces mental workload of a person scrolling and sifting through pages of data

+Security Visualization Techniques

Most of the work done in the field of security visualization stems from the area of computer security.

Common visual techniques incorporated in security visualization systems include the following:

Parallel Coordinates

Scatterplots

Node Link Graphs

Glyphs

Color maps and treemaps

Radial panels

Buddle Diagrams

Color, size, shapes, position, and transparency, amongst others, are used to communicate information

+The VisAlert W3 visualization concept

Figure – The VisAlert W3 visualization concept: a line connecting an alert type (what) at time (when) to a resource (where) represents an alert instance.

VisAlert is based on the notion that an alert must possess three attributes namely: whatwhat, whenwhen, and wherewhere and that these attributes can be used as a basis for comparing heterogeneous events.

The radial panel displays the local network topology map in the center with the various IDS alerts along the outer rings.

The ring’s width represents time and is divided into several history periods. A line is drawn from an alert type on the outer ring to a particular host on the topology map to represent a triggered alarm. Thicker lines show a higher number of alerts of a single type, and larger nodes in the topology map represent hosts experiencing unique alerts.

S. Foresti, J. Agutter, Y. Livnat, S. Moon, and R. Erbacher,“Vi l l i f k l ” 2006

+Parallel coordinates

http://www.rumint.org/

Rumint is a data visualization tool that can display network traces in a variety of ways.

Next example uses Rumint to generate some parallel coordinates plots that display four values: source IP address, TCP source port, TCP destination port and destination IP address.

For each packet in a capture file Rumint will plot these four values onto their respective axis and draw a line connecting them.

On the right, is what traffic on my home network normally looks like when plotted in Rumint using the settings discussed above. Source IP TCP Source

PortTCP Dest. Port Dest .IP

+Parallel coordinates (cont.)


Source IP TCP Source Port

TCP Dest. Port Dest .IP

Lets take a closer look at this graph. Starting from the left you see the hosts that are sending packets.

As you follow the lines to the right you see the ports those packets originated from.

Continue to follow the lines to discover which ports the packets are heading towards.

Finally the lines reach the right side of the plot which shows the destination IP addresses of the packets.

+Parallel coordinates (cont.)


Source IP TCP Source Port

TCP Dest. Port

Dest .IP

Next NmapNmap (nmap ‐sS ‐O ‐PI ‐PT 192.168.1.5) was run against a system on the network. Using the same settings as before this capture file was feed into Rumint to generate the following image.

Notice anything different? Notice anything different? Those big V shapes are hard to miss.

Looking at the graph you see packets are being sent to a large number of ports and this new activity is between just two hosts.

To get a clearer picture of what is happening, I filtered the network capture to only show packets between those two hosts, which nicely shows a port scan port scan taking place.

+Scatterplots

PortVis employs a colored based grid visualization to map network activity to cells of a grid. The main display contains a 256 x 256 grid where each point represents the possible 65,536 port numbers.

The location of a port on the gird is determined by breaking the port number into a 2‐byte (X,Y) location. X being the high byte of the port number and Y being the low byte. Changes and variations of each point, with respect to time, is depicted using color. Black portrays no variation or change, blue depicts a small level of variance, red refers to a larger level of variance, while white denotes the most variant.

The grid can be magnified to provide further detailed information about specific ports.

J. McPherson, K. Ma, P. Krystosk, T. Bartoletti, and M. Christensen,“PortVis: a tool for port‐based detection of security events,” 2004.

+Glyph‐based Visualizations

http://digital.cs.usu.edu/~erbacher

Example of a glyph‐based visualization with a single server, and several hosts.

Multiple visual attributes are assigned to each node as they are depicted using glyphs. For the monitored server, for example, spikes extending from its perimeter represent the number of connected users. Also, communication links are shown with different line patterns.

The ring of a node depicts the difference between its IP address and that of the monitored system, resulting in hosts residing inside the local subnet to appear closest to the monitored system.

These visual illustrations give an analyst an exploratory framework to work with as it strengthens her abilities to detect unknown relationships within the underlying data.

Failed Connections

Lost NFS Mount

+NFlowVis Treemap visualization

F. Fischer, F. Mansmann, D. A. Keim, S. Pietzko, and M. Waldvogel, “Large‐scale network monitoring for visual analysis of attacks,” 2008.

The background represents the university’s network structure with computer systems as rectangles.

Source IPs of external machines are shown as colored circles at the borders.

The splines represent the connections between attackers and computers within the network.

This reveals a distributed attack originating from hundreds of hosts working together in attempt to break into specific computer systems.

The picture shows a brute force SSH attacks from the Internet to computers located at the University of Konstanz.

+Node Link Graphs and Glyphs

http://www.graphviz.org/

See also http://secviz.org

http://labs.asteriskinfosec.com.au/tag/prenus/

http://afterglow.sourceforge.net/

+Radial Layout

Avisa security visualization system assigns scores to hosts based on a collection of metrics that reflect change related to the alerts received by a particular host in a monitored network.

The system utilizes three categories of heuristic functions to collectively identify hosts with peculiar, irregular, and variant behaviors. The top n hosts are arranged along a radial display, while multiple statistics are mapped to various visual attributes.

The intrusion alerts regarding each host are depicted using Beta‐Splines starting from the alert type category on the top left to the specific host on the bottom right.

Figure ‐ Radial design of Avisa depicting prioritized hosts and alert categories.

H. Shiravi, A. Shiravi, and A. Ghorbani, “IDS alert visualization and monitoring through heuristic host selection,” 2010.

+3D Visualization for Intrusion Detection

http://www.securedecisions.com/main.htm

Each box on the grid represents a host on a network.

Lines point to hosts on which IDS sensors report attacks or suspicious activities.

Interaction tools include: Data Sorting Right Click Filtering Right Click Drill‐In

+Traceroute Visualizations

3D TraceRoute Developer: http://www.hlembke.de/prod/3dtraceroute/XTraceRoute Developer: http://www.dtek.chalmers.se/~d3august/xt/

Xtraceroute

basic traceroute/tracert

3D TraceRoute

+MeerCAT® wireless cyber asset discovery visualization

http://securedecisions.com/products/meercat/

(a) Device Treelist of detected devices; (b)Geographic Visualizations showing location of devices; (c) Node Link Visualization showing communication patterns; (d) Network

Visualizationshowing connections

between transmitters; (e) Channel Visualization showing channel

distributions; and (f) Table showing details of networks

and clients.

+Security Visualization Systems for WSNs: A summary

System Data Source(s) Visualization Technique

Anomaly Detection Technique

Suitable for Protection against

MDS‐VOW,W. Wang, and B. Bhargava, 2004

Network topology data

MDS with 3D surface Impulse graph displaying the wormhole indicator

Static WSNs Wormhole attacks

IVoW,W. Wang and A. Lu, 2006


Incremental MDS with adaptive visualizations

An integration of visual representation, user interaction & automatic detection

Mobile WSNs Wormhole attacks

ViSAA. Luand W. Wang, 2006


Colormap &3D Scatter Plot

An integration of visual correlation& automatic detection algorithms

Mobile WSNs Sybil attacks

SecVizer, G. Abuaitah and B. Wang, 2009

Qualnet‐likePacket traces

3D Topology View& Parallel Coordinates

Visual pattern detection Qualnet‐generated WSNs

DDoS attacks

SAVE,L. Shi et al. 2011

GreenOrbs data Radial Panel & Link Graphs

Cluster‐based mapping Real‐world WSNs

Attacks against Routing

+Overview


An introduction to WSN SecuritySecurity Challenges Security GoalsThreats and attacks



Conclusions

+Research Challenges

Security is somewhat difficult to achieve in WSNs:

Public‐key cryptographic systems are inefficient on low‐end devices. Moreover, cryptography by itself is not enough for insiders.

Link layer security with key management can prevent the majority of outsider attacks. However, it provides little protection against insiders, HELLO floods, and wormholes.

Wormholes and DoS attacks are difficult to defend against and can be mounted effectively by both laptop‐class insiders and outsiders.

Nodes that are near to base stations are attractive to compromise requiring protocols to reduce their significance.

The development of secure routing protocols is challenging because sensor nodes are prone to failures and the topology of a sensor network changes frequently due to node failures and possible mobility.

+Open Issues

Improving the efficiency of symmetric key operations on sensor nodes efficiency of symmetric key operations on sensor nodes is still an open research issue.

Although most secure schemes are able to limit the effects of attacks, intelligent intelligent attack detecting mechanismsattack detecting mechanisms are still of need for security.

Currently, there are some protocols that let routing paths bypass the detected compromised nodes or attacks. However, current secure routing algorithms have no effect to conquer undetected attacks. Hence, new secure routing protocols that can secure routing protocols that can defend against undetected attacksdefend against undetected attacks or even node compromise or even node compromise are highly desirable.

Most approaches assume the base station is secure and robust enough. However, in some special application environments, such as battlefield surveillance, base stations may be easy to be destroyed or attacked. Under such conditions, base base station protectionstation protection must be carefully investigated.

Most current security studies focus on individual topics of security issues. However, security overhead will degrade other performances of the WSN. Hence, the tradeoff tradeoff between security and Quality of Service (QoS) between security and Quality of Service (QoS) needs to be evaluated.

+Overview


An introduction to WSN SecuritySecurity Challenges Security GoalsThreats and attacks



Conclusions

+Conclusions

Without doubt, Wireless Sensor Networks Wireless Sensor Networks represent an important wireless networking technology enjoying an increased penetration in our everyday lives.

Unfortunately, constraints and the WSN deployment environment, make security for these systems increasingly challenging.

Good NewsGood News: Despite the inherent vulnerabilities, research on securing the WSNs constantly evolve. Powerful protocols are being developed to address the security issues.

The security recipe necessitates link layer encryption and The security recipe necessitates link layer encryption and authentication, multipath routing, identity verification, bidireauthentication, multipath routing, identity verification, bidirectional ctional

link verification and authenticated broadcastlink verification and authenticated broadcast.

Security visualization Security visualization as part of the larger field of information visualization is the latest addition in the arsenal of a security professional.

+Major References

1. I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, E. Cayirci, ‘Wireless Sensor Networks: A Survey’, Computer Networks (Elsevier) Journal, vol.3, no. 4, 2002, pp. 393‐422.

2. R., Kay and F. Mattern, "The Design Space of Wireless Sensor Networks", IEEE Wireless Communications 11 (6): 54–61, Dec. 2004.

3. D. Ganesan, A. Cerpa, Y. Yu, D. Estrin, W. Ye and J. Zhao, “Networking Issues in Wireless Sensor Networks”, Journal of Parallel and Distributed Computing (JPDC), Elsevier Publishers, 2006.

4. Perrig, A., Stankovic, J., and Wagner, D. 2004. Security in Wireless Sensor Networks. Commun. ACM 47, 6 (Jun. 2004), 53‐57.

5. Karlof, C. and Wagner, D. Secure routing in Wireless Sensor Networks: Attacks and countermeasures. In Proceedings of the 1st IEEE International Workshop on Sensor Network Protocols and Applications (Anchorage, AK, May 11, 2003).

6. Conti, Security Data Visualization. No Starch Press, 2007.

7. R. Marty, Applied Security Visualization. Addison‐Wesley Professional, 2008.

8. H. Shiravi, A. Shiravi, A.A. Ghorbani, "A Survey of Visualization Systems for Network Security," IEEE Transactions on Visualization and Computer Graphics, pp. 1313‐1329, Aug., 2012

dr. eirini karapistoli | electrical & computer...

Documents