+Securing the information that resides in Wireless Sensor Networks
Dr. Eirini Karapistoli | Electrical & Computer Engineer, Postdoctoral Researcher @ University of Macedonia, Thessaloniki, Greece
+Overview
Wireless Sensor Networks: Definition, Architecture, Components
An introduction to WSN Security
Security Goals – The CIA Triad
Security Challenges and Vulnerabilities
Threats and Attacks
Defensive Measures: Cryptography, MAC authentication, Secure Routing, Intrusion Detection, Security Visualization
Research Challenges & Open Issues
Conclusions
+Overview: 1st Part
+Definition
The term Wireless Sensor Network (WSN) refers to a wireless network consisting of a large number of autonomous sensors that are spatially distributed in an area of interest in order to a) cooperatively monitor physical or environmental conditions, such as temperature, sound, vibration, pressure, motion, pollutants, etc., b) store the measurements temporarily, and c) transmit the collected sensory information to a remote server for further processing and upon request.
In achieving these objectives, the sensor nodes have sensing, processing and communication capabilities.
Because of these characteristics, we can safely state that a WSN extends the usefulness of existing information systems in suitable application domains.
+WSN Architecture
Figure – The big picture: a sensor field of sensor nodes reporting to a sink, which reaches the task manager and the user over the Internet or a satellite link.
+Basic Characteristics of WSNs
WSNs consist of a large number of nodes, often in the order of thousands
WSNs are large-scale networks with dense node placement: densities can be as high as 20 nodes/m2, which creates the need for multi-hop communication. The topology may change frequently due to node addition/removal/failure.
Sensor nodes are battery operated devices designed for long unattended operation. In many applications it is impossible to replace/recharge the battery.
Low cost*, size, and weight per node; low processing capabilities; prone to failures.
*not as low as one would expect (!)
+Differences from Mobile Ad‐hoc NETworks (MANETs)
Both are deployed in an ad hoc (infrastructure‐less) fashion
In some applications though, sensor nodes are placed at fixed positions
However,
The number of sensor nodes can be several orders of magnitude higher
These nodes have limited power & computational capacities and are prone to failure
The topology of a sensor network may change frequently due to node failure and/or addition/removal of nodes and not due to node movement
Sensor nodes mainly use broadcast communications, while most ad hoc networks are based on peer‐to‐peer (p2p) communications
Sensor nodes have tight integration with sensing tasks
May not have global ID (like IP address)
+Application Areas
WSNs are envisaged to support various applications, such as:
Military applications
Environmental monitoring
Habitat monitoring
Seismic or Acoustic Detection
Health Monitoring
Home Automation
Disaster Relief
Environmental data collection: temperature, light, humidity, pressure, solar radiation.
+Communication models
The communication model refers to the way information exchange is initiated in the network.
In general, communications in a WSN are triggered by queries or events
When the communication is initiated by the information holder, we have an information pushing communication model.
Information flow: Sensor Nodes → Sink
When the communication is initiated by the requester, we have an information pulling communication model.
Information flow: Sink → Sensor Nodes
+Communication models (cont.)
Consequently, and based on the communication model, a WSN can be categorized as a:
Query-driven or request-driven system: information pulling is used in such systems/applications. For instance, in precision agriculture irrigation.
Event-driven system: information pushing is used in such systems/applications. For instance, in a forest fire detection application.
Time-driven system: when, for example, the data reporting/collection is performed in a periodic manner.
Hybrid system.
+The Sensor Network Protocol Stack
Application Layer: task assignment, user interaction
Transport Layer: end-to-end reliability, congestion control
Network Layer: routing and packet forwarding
Data Link Layer: multiplexing of data streams, data frame detection, Medium Access Control, error control
Physical Layer: packet transmission & reception, signal detection/modulation, data encryption, frequency selection
Cutting across all layers: Power Management Plane, Mobility Management Plane, Task Management Plane
+The Management Planes
A sensor node must always be aware of the following three management planes in order to function properly:
1) Task plane: The task plane balances and schedules the sensing tasks assigned to the sensor nodes. Note that not all nodes are assigned sensing tasks. Several of them can focus their energy only on routing and data aggregation.
2) Mobility plane: The mobility plane detects and registers the movement of nodes so that a data route to the sink is always maintained.
3) Power management plane: The power management plane is responsible for minimizing the power consumption. It may also turn off the functionality of several nodes in order to preserve energy.
+Standardization
The IEEE 802.15.4 “Zigbee” standard is the de facto standard for WSNs.
It is defined by IEEE for low-rate wireless personal area networks (WPANs).
The standard defines the physical layer (“PHY”) and the medium access control layer (“MAC”).
Concerning the PHY, it offers two options: operation in the 2400 MHz ISM band, or operation in the 868/915 MHz band.
Concerning the MAC, it is responsible for network formation (star, tree, and peer-to-peer topologies are all supported) and CSMA-CA channel access (either slotted or unslotted).
+Sensor Node Hardware Components
Each sensor node is equipped with four major hardware units:
Sensing unit: sensors and ADC
Processing unit: processor and memory
Communication unit: transceiver (radio), with the states TX, RX, IDLE and SLEEP
Power unit
Optional components: location finding system, mobilizer
Figure – Sensor node hardware components
+Examples of Sensor Nodes
Mica2
Mica2 Dot
Stargate
Rene “Experimentation”
MicaZ
Dot “Scale”
Telos “Integrated Platform”
+Sensor Motes Timeline
Figure – Sensor motes timeline, 1998 to 2008: WeC “Smart Rock”, Rene “Experimentation”, Dot “Scale”, Mica “Open Experimental Platform”, Mica2, Mica2Dot, Spec “Mote on a chip”, MicaZ, Telos “Integrated Platform”, Stargate, IMote, IMote2, Stargate 2.0.
+Sensor Node Types and Tasks
Sensor types:
• Accelerometers, temperature sensors, pressure sensors, touch sensors
• Light (IR, visible light), acoustic, sound (ultrasound), radar sensors
• Seismic, low sampling rate magnetic, thermal, visual sensors
Sensor tasks:
• Temperature, humidity, lighting condition
• Pressure, soil makeup, noise levels, speed level
• Presence/absence of certain types of objects
• Direction and size of an object
• Mechanical stress levels
+An RF Mote with Multiple Sensors
Figure ‐ Mica sensor board
+Power Consumption for Communication
A sensor node spends maximum energy in communicating with other nodes:
$P_c = N_t\left[P_{te}(T_{on} + T_{st}) + P_0\,T_{on}\right] + N_r\left[P_{re}(R_{on} + R_{st})\right]$
where $P_{te}$ / $P_{re}$ is the power consumed in the transmitter/receiver electronics, $P_0$ is the output transmit power, $T_{on}$ is the transmitter “on” time, $R_{on}$ is the receiver “on” time, $T_{st}$ is the start-up time of the transmitter, $R_{st}$ is the start-up time of the receiver, $N_t$ is the number of times the transmitter is switched “on” per unit of time, and $N_r$ is the number of times the receiver is switched “on” per unit of time.
Important note: idle listening, that is, listening to an idle channel in order to receive possible traffic, consumes significant energy.
+Addressing the Idle Listening problem
Solution: Duty cycling or equivalently periodic sleep / listening
Sensor nodes communicate with their peers in their scheduled listen times
Periodicity can be implemented either in a straightforward way (namely in schedule-based protocols) or not (i.e. in the case of contention-based protocols).
Figure – Alternating listen and sleep periods over time t (the radio is turned off when sleeping); each listen period has slots for SYNC, RTS, CTS and Data.
+Schedule Maintenance
1) Choosing a schedule
A mechanism is needed to enable nodes to choose their sleep/listen schedule.
Periodic neighbor discovery: How often shall nodes exchange their schedules?
Increase the frequency when a sensor node has no neighbors.
2) Following a schedule
Maintaining synchronization is an issue due to clock drifts.
Figure – Sender and receiver timelines within a listen/sleep cycle: the sender performs carrier sense (CS), transmits SYNC, performs CS again, transmits RTS, gets CTS and transmits DATA; the receiver gets SYNC, gets RTS, transmits CTS and extends its listening to receive DATA.
+Collision Avoidance
Collision Avoidance Strategy ~= IEEE 802.11 (contention‐based)
RTS/CTS/DATA/ACK
Physical carrier sense (CS)
Virtual carrier sense: Network Allocation Vector (NAV)
Figure – RTS/CTS/DATA/ACK exchange: the sender transmits RTS, the receiver answers with CTS, then DATA and ACK follow; other sensors set their NAV (based on the RTS or the CTS), defer access, and contend for medium access afterwards.
+Computation vs. Communication Energy Cost
Energy ratio of “sending one bit” vs. “computing one instruction” is:
To communicate (send & receive) one KB = computing three million instructions!
Try to compute instead of communicate whenever possible
The key technique to achieve this objective is the well-known in-network data processing (also referred to as data aggregation).
Moreover, one may exploit compression schemes, intelligent network coding schemes, etc.
+Data Aggregation in WSNs
Why is data aggregation necessary? Sensor networks are event-driven systems that generate massive amounts of data.
Example Query:
What is the maximum temperature in area A between 10am and 11am?
Problems:
Individual sensor readings are of limited use
Redundancy in the event data is thus needed, but it has its cons:
Forwarding raw information is too expensive!
Solution:
Combine the data coming from different sources
Eliminate redundancy
Minimize the number of transmissions
+Data Aggregation Process
Deployment phase:
Organize sensor nodes into a tree hierarchy rooted at the Base Station
Non‐leaf nodes act as the aggregators
Query dissemination phase: queries are pushed down into the network
Collection phase: aggregate values that are routed up from children to parents
Without aggregation: leaf nodes 9 messages, level 1 12 messages, level 2 13 messages; total messages = 34.
With aggregation: leaf nodes 9 messages, level 1 3 messages, level 2 1 message; total messages = 13.
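To make the message counts above concrete, here is an added example (not code from the slides) that walks the MAX-temperature query up the tree both ways; the topology, readings and node names are assumptions derived from the slide's numbers.

```python
"""Message counts with and without in-network aggregation.

Added example (not from the slides). The topology is inferred from the
slide's numbers: base station -> 1 level-2 node -> 3 level-1 nodes -> 9
leaves, every node except the base station holding one constructed reading.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Node:
    name: str
    level: str                       # "leaf", "level1", "level2" or "BS"
    reading: Optional[float] = None  # sensed temperature; None for the base station
    children: List["Node"] = field(default_factory=list)


def build_tree() -> Node:
    """Constructed sample readings: leaves 20..28, level-1 nodes 18, level-2 node 19."""
    leaves = [Node(f"leaf{i}", "leaf", 20.0 + i) for i in range(9)]
    level1 = [Node(f"l1_{j}", "level1", 18.0, leaves[3 * j:3 * j + 3]) for j in range(3)]
    level2 = Node("l2_0", "level2", 19.0, level1)
    return Node("BS", "BS", None, [level2])


def collect(node: Node,
            agg: Optional[Callable[[List[float]], float]],
            stats: Dict[str, int]) -> List[float]:
    """Collection phase, bottom up. Returns the values `node` sends to its parent.

    agg=None: every raw reading is forwarded as a separate message.
    agg=max (etc.): each node combines its own reading with everything it
    received from its children and forwards a single value.
    `stats` accumulates the number of messages sent per level.
    """
    received: List[float] = []
    for child in node.children:
        received.extend(collect(child, agg, stats))
    if node.level == "BS":            # the sink is the root; it sends nothing
        return received
    values = [node.reading] + received
    outgoing = [agg(values)] if agg is not None else values
    stats[node.level] += len(outgoing)
    return outgoing


def run_query(aggregate: bool) -> Dict[str, int]:
    """Answer 'maximum temperature in area A' and report the message cost."""
    stats = {"leaf": 0, "level1": 0, "level2": 0}
    at_sink = collect(build_tree(), max if aggregate else None, stats)
    stats["total"] = stats["leaf"] + stats["level1"] + stats["level2"]
    stats["max_temperature"] = int(max(at_sink))
    return stats


if __name__ == "__main__":
    print("without aggregation:", run_query(False))   # 9 + 12 + 13 = 34 messages
    print("with aggregation:   ", run_query(True))    # 9 + 3 + 1 = 13 messages
```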
+Factors influencing the design of WSNs
Power Consumption
Network lifetime prolongation is the primary design objective in WSNs
Fault Tolerance (Reliability)
Ability to sustain sensor network functionality without any interruption
Scalability
Production Costs
The cost of a single node is very important to justify the overall cost of the network.
Hardware Constraints
All sub‐units need to be fitted into a very compact area and need to be designed carefully
Operating Environment (sometimes friendly, others hostile)
Security Concerns
+Overview: 2nd Part
+Are WSNs secure?
Figure – The big picture revisited: sensor field, sensor nodes, sink, Internet/satellite link, task manager and user.
+WSNs are vulnerable to various types of attacks
Figure – The same architecture with two attack points marked: spoofed routing information, and a wormhole attack.
+Security Goals – The CIA Triad
According to ISO/IEC 27002, “confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (guaranteeing the accuracy and completeness of information and processing methods), and availability (ensuring that authorized users have access to information and associated assets when required)” must be preserved.
+More Security Goals
Authentication: enabling a node to ensure the identity of the peer node with which it communicates.
Informally, data authentication allows a receiver to verify that the data was sent by the claimed sender.
Freshness: ensuring that
Messages are recent,
Messages are ordered,
No old messages (duplicates) have been replayed.
Non-repudiation: ensuring that the origin of a message cannot deny having sent the message.
+Security Challenges
Constrained Resources
All security approaches require a certain amount of resource for their implementation.
However, these resources are very limited in a wireless sensor node.
Table ‐ Sensor‐platform power consumption and resource data
+Security Challenges
Unattended Operation
Sensors are vulnerable to physical tampering.
Depending on the function of a particular WSN, the sensor nodes may be left unattended for long periods in an environment open to adversaries. The longer a sensor is left unattended, the more likely an adversary will compromise it.
Overall, the limited physical protection of sensor nodes represents the major vulnerability of a WSN.
+Security Challenges (cont.)
Self-organization
A WSN is an ad hoc network and there is no fixed infrastructure available for the purpose of network management.
This inherent feature brings a great challenge to several network security schemes (for instance to public key cryptography techniques).
Unreliable Communication
WSNs are vulnerable to security attacks due to the broadcast nature of the transmission medium. This means that eavesdropping can be easily performed.
The unreliable communication channel may also lead to damaged or dropped packets. If the protocol lacks appropriate error handling, it is possible to lose critical security packets, such as a cryptographic key.
+Threats and Attacks
A threat is a circumstance or event with the potential to adversely impact a system through a security breach.
Potential threats to WSNs include: power drainage, physical tampering, extinction upon deployment due to the hostile environment, or deliberate attempts to subvert a node by breaching its security.
An attack can be defined as an action that intentionally aims to cause damage to the network by exploiting a particular vulnerability.
Attacks compromise the security of the WSN.
+Threats and Attacks (cont.)
According to Karlof et al., the threats in a WSN can be classified into the following categories:
External vs. internal attacks:
External attacks include attacks launched by a node that does not belong to the logical network and has no internal information about the network, such as cryptographic information.
Internal attacks include attacks launched by either compromised sensor nodes running malicious code or adversaries who have stolen the key material, code, and data from legitimate nodes and who then use one or more laptop-class devices to attack the network.
+Threats and Attacks (cont.)
Passive vs. active attacks:
Passive attacks are able to retrieve data from the network that might be used later when launching an active attack.
These attacks do not have any direct effect on the network.
Passive attacks are in the nature of eavesdropping or monitoring of packets exchanged within the network.
Active attacks, on the other hand, can disrupt the normal functionality of the whole network by modifying the original data, by injecting false data, and much more.
Most of these attacks result in a denial-of-service (DoS), which is a degradation or a complete halt in communication between nodes.
It is difficult to recognize this type of attack, because the attacker behaves like a legitimate node in the network.
+Threats and Attacks (cont.)
Mote-class vs. laptop-class attacks:
In mote-class (sensor-class) attacks, an adversary attacks a WSN by using a few nodes with similar capabilities to those of the network nodes.
In laptop-class attacks, an adversary can use more powerful devices, like a laptop, and can do much more harm to a network than a malicious sensor node.
These types of attackers can jam the radio link in their immediate vicinity.
An attacker with laptop-class devices has greater battery power, a more capable CPU, a high-power radio transmitter, or a sensitive antenna, and hence can affect much more than an attacker with only ordinary sensor nodes.
+Attack Types
Category: Attacks
Common Attacks: Eavesdropping | Traffic Analysis | Message Injection | Message Modification | Replay Attack
DoS Attacks: Jamming | Power Exhaustion | Misdirection | Flooding
Node Compromise (Invasive and Non-Invasive): Physical Access Attacks
Impersonation Attacks: Sybil Attack | Node Replication
Protocol-specific Attacks: Spoofed, Altered or Replayed Routing Information Attack | Selective Forwarding Attack | Sinkhole Attack | Wormhole Attack | Hello Flood Attack | Acknowledgement Spoofing Attack | Flooding Attack
+Common Attacks
Passive attacks:
Eavesdropping: an attacker intercepts packets transmitted over the air for further cryptanalysis or traffic analysis.
Traffic analysis: allows an attacker to determine that there is activity in the network, the location of the BSs, and the type of protocols being used.
Active attacks:
Message injection: the message injection attack allows an adversary who can perform an active network attack to inject bogus control information into the data stream.
Message modification: a subset of the message injection attack, where a previously captured message is modified before being retransmitted.
Replay attack: another active attack is message replay. The adversary performs a replay attack by first intercepting a valid, critical data packet, and then retransmitting it at a later time.
+Denial‐of‐Service (DoS) Attacks
Denial-of-Service (DoS) attacks: In this form of attack, the attacker seeks to prevent any part of the WSN from functioning correctly or in a timely manner.
Accordingly, DoS Attacks can either cause
Service degradation (e.g., through generating collisions), or
Service disablement (e.g. through jamming, power exhaustion, etc.)
Layer-based DoS attack categorization:
Physical layer: Jamming
Data Link layer: Collision, Exhaustion
Network layer: Misdirection
Transport layer: Flooding, Desynchronization
Application layer: Path-based DoS
+DoS Attacks (cont.)
Jamming: Jamming is simply the transmission of a radio signal that interferes with the radio frequencies being used by the sensor nodes.
The jamming of a network can come in two forms: constant jamming and intermittent jamming. Constant jamming involves the complete jamming of the entire network. No messages are able to be sent or received. If the jamming is intermittent, then nodes are able to exchange messages periodically, but not consistently.
Collision: This is a DoS attack where a node induces a collision in some small part of a transmitted packet. The packet will then fail the checksum check, because of the changes brought on by the collision, and the receiver node will then ask for a retransmission of the packet.
Exhaustion: This attack is a collision attack taken a bit further. A malicious node may conduct a collision attack repeatedly in order to exhaust (deplete) the power supply of the communicating nodes.
+DoS Attacks (cont.)
Misdirection: In this attack a malicious node that is part of a route, instead of dropping packets, quite simply sends them on a different path where no route to the destination exists. The malicious node can do this for certain packets, or for all packets.
JellyFish is a particular DoS attack in which relay nodes stealthily reorder, delay, or periodically drop packets that they are expected to forward, in a way that leads end-to-end congestion control protocols astray.
Flooding: can be as simple as sending many connection requests to a susceptible node. In this case, resources must be allocated to handle the connection request. Eventually, a node’s resources will be exhausted, thus rendering the node useless.
Desynchronisation: In a de-synchronization attack, an active connection is interrupted by an attacker who transmits forged packets with control flags to desynchronize the endpoints so that they retransmit the data.
Path-based DoS: An adversary overwhelms sensor nodes by flooding a multi-hop end-to-end communication path with either replayed or injected false messages, wasting scarce energy resources.
+Impersonation Attacks: The Sybil Attack
Newsome et al. describe the Sybil attack as a particularly harmful attack against sensor networks, where “a malicious node illegitimately claims multiple identities”
The Sybil attack can disrupt geographic and multi‐path routing protocols.
Adversary A at actual location (3,2) forges location advertisements for non-existent nodes A1, A2, and A3 and also advertises its own location. After hearing these advertisements, if B wants to send a message to C at (0,2), it will attempt to do so through A3. This transmission can be overheard and handled by the adversary A.
+Node Compromise Attack
Most of the previously shown attacks can be performed by outsiders. However, if an attacker has access to the network as one of its elements, i.e. as an insider, it is possible to perform attacks that are more subtle and devastating.
The first step to becoming an insider is to compromise a node.
An embedded device is considered compromised when an attacker, through various means, gains control of or access to the node itself after it has been deployed. By compromising one node, an external attacker can become an internal attacker and launch more severe attacks.
It is very hard to detect this type of attack because the attacker follows the normal network protocols without showing an anomaly.
+Attacks on specific protocols
Acknowledgement spoofing:
Some routing protocols use link layer acknowledgments (ACKs).
An attacker may spoof these ACKs to trick other nodes to believe that a link or node is either dead or alive.
Attack against TinyOS beaconing:
The base station periodically broadcasts beacons or “route updates”.
An attacker can use this mechanism to create routing loops by broadcasting spoofed beacons that announce a different node as the BS.
Figure‐ Attack against TinyOS beaconing
+Spoofed, altered, or replayed routing information
In this type of attack, the routing info is altered, falsified or replayed.
This type of attack may be used for:
loop construction
attracting or repelling traffic,
extending or shortening the source route
In this example, an adversary pollutes the entire network by sending bogus routing information in an attempt to be perceived as the base station and as such, it attracts the network traffic.
Figure – An adversary sending bogus routing information and attracting the network traffic.
Figure – A representative topology constructed using TinyOS beaconing with a single base station.
+HELLO Flood Attack
Every new node broadcasts “Hello messages” to find its neighbors. It also broadcasts its route to the BS.
Other nodes may choose to route data through this new node if the path is shorter.
A laptop‐class adversary that can retransmit a routing update with enough power to be received by the entire network can convince the network nodes to choose him as their parent.
Target nodes attempt to reply to the adversary node, but the adversary is out of radio range.
This attack puts the network in a state of confusion.
Figure ‐ HELLO flood attack.
+Sinkhole Attack
Typically, all packets are directed to the base station
In sinkhole attack, a malicious node advertises a high quality link to the base station to attract the packets from his surrounding nodes.
This type of attack may enable other types of attacks, e.g., a wormhole attack or selective forwarding.
Figure ‐ An example of a Sinkhole attack
+Wormhole Attack
The attacker does not need any key material. All it requires is two transceivers and one high quality out-of-band channel in order to create a ‘wormhole’.
Then, the attacker tunnels the packets received at one location of the network and replays them in another location.
The wormhole can drop packets directly or more subtly selectively forward packets to avoid detection
Figure – A laptop-class adversary using a wormhole link to create a sinkhole in TinyOS beaconing.
+Selective Forwarding
Multi hop routing is prevalent in WSNs.
It is assumed that nodes faithfully forward the received messages.
In selective forwarding, a malicious node refuses to forward all or a subset of the packets it receives and simply drops them.
More dangerous: if a malicious node drops all the packets, the attack is then called a blackhole.
+Layer‐based Attack Categorization
Application Layer: Data Aggregation Distortion | Message Injection | Message Modification
Transport Layer: Flooding Attack | Desynchronization attacks
Network Layer: Sybil Attack | Spoofed, altered, or replayed routing information | Sinkhole, Wormhole Attack | Hello Flood Attack | Misdirection
Data Link Layer: Collision Attack | Sybil Attack | Node Replication | Acknowledgement Spoofing Attack
Physical Layer: Eavesdropping | Jamming | Battery Exhaustion | Node tampering
Figure – Sensor Network Protocol Stack
+Overview ‐ 3rd Part
+Preserving the CIA of WSNs: An Overview of Countermeasures
Confidentiality is provided through the use of encryption technologies.
Cryptographic algorithms such as DES, RC5 and RSA are used to protect the secrecy of a message.
A MAC (Message Authentication Code) or a Digital Signature Algorithm (DSA) can be used to assure the recipient of the integrity of the data and the authenticity of the message.
Digital signatures can be used to ensure non-repudiation.
Availability can be achieved by adding redundant nodes. Multi-path and probabilistic routing can also be used to minimize the impact of unavailability.
Data freshness is ensured by adding a counter value in each message.
+Cryptography Review
The standard approach for achieving confidentiality is to encrypt the data with a secret key that only intended receivers possess.
The security of a cryptographic system relies mainly on the secrecy of the key it uses.
If an attacker can find the key, the entire system is broken because he or she can use the key to decrypt the intercepted ciphertexts and find the original plaintexts.
Figure – Encryption and Decryption Processes
+Cryptographic Systems
Symmetric key cryptography
Uses a shared secret key for both encryption and decryption. Pros: more resource-efficient. Cons: problem with key distribution.
E.g.: DES (Data Encryption Standard), AES, RC5 (Rivest Cipher 5), etc.
Public key (or asymmetric) cryptography
Uses a two-key pair (a private one and a public one): the public key is used for encryption and can be published, while the private key is used for decryption. No need to share a secret key!
Pros: easier to manage and more resilient to node compromise. Cons: computationally expensive (RC5 is 200 times faster than ECC!).
E.g., RSA (Rivest–Shamir–Adleman), El‐Gamal, Elliptic‐Curve cryptography ‐ECC
+Key Management
An important issue is how to securely manage the keys between the sender and the receiver.
Generally speaking, there are two major strategies for symmetric key management:
Master key based solutions
Use a single secret key for the entire network
Pros: efficient in terms of computational and memory costs.
Cons: the compromise of only a single sensor node exposes all communications over the entire WSN
Pair-wise key based solutions
Each sensor stores distinct pair-wise keys for all possible pairs of sensors
Pros: The scheme has good resilience against attacks
Cons: The scheme is not scalable and raises memory issues.
+Master Key based solutions
Network-wise key pre-distribution
A naïve approach would be to pre-distribute a single (master) key to all the sensors before deployment.
After deployment, the sensors communicate with their neighbors and derive new pair-wise keys using the master key.
If one of the nodes is compromised, the whole network is compromised, as it is easy to derive all the pair-wise keys from the master key.
Centralized key distribution through a trusted base station
Each node needs to share only a single master key with the base station, which acts as a key distribution center (KDC).
Then, nodes dynamically set up keys with other nodes through the BS.
The BS becomes a single point of failure. Only if tamper-resistant packaging is used for the BS can one reduce the threat of physical attack.
+Pair‐Wise Key based solutions
Pair-wise key pre-distribution
A naïve approach would be to pre-distribute (n-1) keys to each sensor, where n is the WSN size.
Security is perfect, but memory is an issue. Moreover, new nodes cannot be added.
Random key pre-distribution
Instead of storing all the keys on each sensor, a subset of these keys is stored.
A random subset of keys (n) of a large pool (m) of keys is distributed to each node, n<m.
In order to communicate, two nodes search their pools for a common key:
If they find one, they use it to establish a session key
Not every pair of nodes shares a common key, but if the key establishment probability is high, nodes can communicate with sufficiently many nodes to obtain a connected network.
Relatively simple to implement avoiding the need to include a trusted BS
Attackers who compromised sufficiently many nodes could also reconstruct the complete key pool and break the scheme.
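The random pre‐distribution scheme above, as an added worked example (it is not code from the slides or from any WSN project): it computes the analytic probability that two key rings overlap, simulates pre‐deployment ring assignment and post‐deployment shared‐key discovery, and measures what fraction of links an attacker can read after capturing a few nodes. The parameter values, the use of key identifiers as stand‐ins for keys, and the assumption that every node is within radio range of every other are all constructed for the demonstration.

```python
import random
from itertools import combinations

def share_probability(pool_size, ring_size):
    """Probability that two nodes, each holding a random ring of ring_size
    key IDs drawn without replacement from a pool of pool_size keys, have at
    least one key in common:
        p = 1 - prod_{i=0}^{k-1} (P - k - i) / (P - i)
    """
    if not 0 < ring_size <= pool_size:
        raise ValueError("ring size must be between 1 and the pool size")
    p_disjoint = 1.0
    for i in range(ring_size):
        remaining = pool_size - ring_size - i   # keys left that avoid node A's ring
        if remaining <= 0:                      # pigeonhole: 2k > P forces an overlap
            return 1.0
        p_disjoint *= remaining / (pool_size - i)
    return 1.0 - p_disjoint

def assign_rings(n_nodes, pool_size, ring_size, seed=0):
    """Pre-deployment key server: load each node with a random subset of key
    IDs. random.Random(seed) keeps this demo reproducible; a real key server
    draws rings (and the keys themselves) from a CSPRNG or an HSM."""
    rng = random.Random(seed)
    return [frozenset(rng.sample(range(pool_size), ring_size)) for _ in range(n_nodes)]

def shared_key_discovery(rings):
    """Post-deployment: every pair of neighbours exchanges key IDs (not keys)
    and, if the rings overlap, settles on the lowest common ID as link key.
    Returns {(a, b): key_id} for every pair that can talk directly."""
    links = {}
    for a, b in combinations(range(len(rings)), 2):
        common = rings[a] & rings[b]
        if common:
            links[(a, b)] = min(common)
    return links

def fraction_of_links_exposed(rings, links, captured):
    """Resilience: an attacker who extracts the rings of the `captured` nodes
    learns the union of their keys and can read every link keyed with one of
    them, including links between two nodes that were never captured."""
    if not links:
        return 0.0
    leaked = set().union(*(rings[c] for c in captured))
    exposed = sum(1 for key_id in links.values() if key_id in leaked)
    return exposed / len(links)

if __name__ == "__main__":
    P, K, N = 1000, 50, 40       # constructed parameters: pool, ring and network size
    print(f"P={P}, k={K}: analytic P(two nodes share a key) = {share_probability(P, K):.3f}")
    rings = assign_rings(N, P, K, seed=1)
    links = shared_key_discovery(rings)
    print(f"{len(links)} of {N * (N - 1) // 2} node pairs can establish a link key")
    for x in (1, 3, 10):
        f = fraction_of_links_exposed(rings, links, captured=range(x))
        print(f"capture {x:2d} node(s): {f:.1%} of all links readable by the attacker")
```

Running the script with a larger ring makes the connectivity/resilience trade‐off visible: a bigger k raises the probability that two nodes can talk, but each captured node then leaks a larger share of the pool, so the exposed‐link fraction climbs faster with the number of captured nodes.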
+More Solutions
Key management schemes using deployment knowledge
This method first models the sensor node deployment knowledge in a WSN and then develops a key pre‐distribution scheme based on that model (nodes expected to be deployed close together draw their keys from the same sub‐pool).
Location‐based key management schemes
This method decides which keys to put on each node depending on its location.
Session‐based key management
These schemes use timestamps to generate keys for communicating with other sensor nodes.
Group‐based key management
Most proposed solutions for group‐based key management use a session key concept.
Hierarchical key management
These schemes are based on a tree topology, where child and parent sensor nodes establish keys using various schemes. As such, they are useful for hierarchical networks.
+Message Authentication Code (MAC)
A MAC is the common solution for ensuring the integrity and authentication of messages in conventional networks.
A MAC can be viewed as a keyed hash function* applied to each data packet.
Computing the MAC requires the sender and receiver to share a secret cryptographic key; this key is part of the input to the computation, which is what distinguishes a MAC from a plain checksum that anyone could recompute.
A receiver holding the same key verifies the integrity of the message by recomputing the MAC value over the received packet and comparing it with the received tag.
If the two tags are equal, the receiver accepts the packet (the comparison should be constant‐time, and a counter or nonce should be covered by the MAC if replayed packets are a concern).
* The underlying hash is commonly one of the SHA family, used through a keyed construction such as HMAC; MD5 is no longer considered collision‐resistant and should not be used in new designs. Block‐cipher based MACs such as CBC‐MAC (used by IEEE 802.15.4, below) are also common on constrained devices.
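The sender/receiver MAC exchange described above, as an added example that is not part of the original slides: a truncated HMAC‐SHA256 tag over the packet header, a per‐sender counter and the payload, verified in constant time with replay rejection, next to the bare hash that an attacker can simply recompute. The key, addresses and readings are constructed values; HMAC stands in for the AES‐CBC‐MAC that an 802.15.4 radio would use.

```python
import hashlib
import hmac

MAC_LEN = 4   # bytes: a 32-bit tag, as in TinySec or AES-CCM-32

def packet_bytes(src, counter, payload):
    """Canonical byte string that the MAC covers: the source address, a
    monotonically increasing per-sender counter, and the payload. Covering
    the counter gives the freshness goal as well: an old packet cannot be
    replayed, because the receiver has already seen that counter value."""
    return src.to_bytes(2, "big") + counter.to_bytes(4, "big") + payload

def compute_mac(key, src, counter, payload):
    """Sender: keyed MAC over the packet, truncated to MAC_LEN bytes.
    HMAC-SHA256 is used here; 802.15.4 radios use AES-CBC-MAC / CCM instead.
    In both cases the key is part of the input, which is what makes the tag
    unforgeable without the key."""
    tag = hmac.new(key, packet_bytes(src, counter, payload), hashlib.sha256).digest()
    return tag[:MAC_LEN]

def verify_mac(key, src, counter, payload, tag, last_counter):
    """Receiver: reject a counter that does not advance (replay), recompute
    the tag and compare in constant time so timing does not leak how many
    bytes of a guessed tag were right."""
    if counter <= last_counter:
        return False
    expected = compute_mac(key, src, counter, payload)
    return hmac.compare_digest(expected, tag)

def unkeyed_checksum(src, counter, payload):
    """What 'a hash applied on each data packet' gives WITHOUT a key: it
    detects noise, but anyone can recompute it after changing the packet."""
    return hashlib.sha256(packet_bytes(src, counter, payload)).digest()[:MAC_LEN]

def demo():
    """Constructed example: one link key, one packet, and an attacker who
    rewrites the reading. Returns (genuine accepted, tampered accepted,
    replay accepted, tampered-with-unkeyed-hash accepted)."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed 128-bit link key
    src, counter, payload = 0x0027, 17, b"temp=21.5"
    tag = compute_mac(key, src, counter, payload)
    genuine = verify_mac(key, src, counter, payload, tag, last_counter=16)
    tampered = verify_mac(key, src, counter, b"temp=99.9", tag, last_counter=16)
    replayed = verify_mac(key, src, counter, payload, tag, last_counter=17)
    # Attacker without the key rewrites the payload and recomputes the bare
    # hash; a receiver that only checks the bare hash accepts it.
    forged = b"temp=99.9"
    forged_checksum = unkeyed_checksum(src, counter, forged)
    forged_passes = hmac.compare_digest(unkeyed_checksum(src, counter, forged), forged_checksum)
    return genuine, tampered, replayed, forged_passes
```

A 32‐bit tag is a deliberate trade‐off: it costs four bytes per frame on a link where radio time dominates the energy budget, and the receiver can afford it only because an on‐line guessing attack at sensor data rates is slow and can be rate‐limited.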
+IEEE 802.15.4: Security Suites
From a standards perspective, the IEEE 802.15.4 standard (the radio layer on which ZigBee builds) defines several security suites (as listed in the 2003 edition; the 2006 revision consolidated them into the CCM* mode, which still offers encryption‐only, MAC‐only and combined operation with 32/64/128‐bit tags):

Name | Description
Null | No security
AES‐CTR | Encryption only, CTR mode (no integrity protection, so frames are malleable; best avoided)
AES‐CBC‐MAC‐128 | 128‐bit MAC
AES‐CBC‐MAC‐64 | 64‐bit MAC
AES‐CBC‐MAC‐32 | 32‐bit MAC
AES‐CCM‐128 | Encryption and 128‐bit MAC
AES‐CCM‐64 | Encryption and 64‐bit MAC
AES‐CCM‐32 | Encryption and 32‐bit MAC

CTR: Counter Mode | CBC: Cipher Block Chaining | CCM: Counter with CBC‐MAC
+Standalone Security Protocols for WSNs
Secure Network Encryption Protocol (SNEP)
SNEP provides confidentiality, two‐party data authentication, and data freshness.
μTESLA
An extension of the TESLA protocol that takes the resource limitations of sensor nodes into account; it focuses on the need for authenticated broadcast in WSNs (the base station authenticates each broadcast with a key from a one‐way chain that it discloses only later, so nodes need only symmetric primitives and loose time synchronization).
TinySec
A lightweight and generic link‐layer security package. It supports two different security options:
1. Authenticated encryption (TinySec‐AE): the data payload is encrypted and a MAC authenticates the packet.
2. Authentication only (TinySec‐Auth): the packet is authenticated with a MAC but not encrypted.
+Digital Signatures (DSs)
Digital signatures (DSs) are used to support authentication, non‐repudiation, and data integrity.
A DS can be thought of as the digital equivalent of a handwritten signature.
The basic idea is to associate something unique with the signer (the private key) that anyone holding the matching public key can verify later.
At the pre‐phase:
A public‐private key pair is generated.
The private key is kept by the signer and the public key is distributed to the verifiers.
The signer uses a hash function to compute the hash of the data to be signed.
+Digital Signature Generation and Verification Processes
To create a digital signature, the signer applies the private‐key operation to the hash (for RSA this looks like "encrypting" the hash with the private key; in practice a padding scheme such as PSS is applied first, and schemes such as ECDSA are not encryption at all) and sends the signature along with the data.
The verifier uses the same hash function as the signer to compute the hash of the received data (Hash 1).
The verifier applies the signer's public key to the received signature.
This yields a second hash (Hash 2). If it matches Hash 1, the verifier knows that the data has not been modified and that it was signed by the holder of the private key. Public‐key operations are costly for sensor nodes, which is why the WSN protocols above rely on symmetric MACs wherever two‐party authentication suffices; the signer's public key must also reach the verifier authentically.
Figure – Digital Signature Generation: Data → Hash → (Private Key) → Signature, sent together with the Data
Figure – Digital Signature Verification: Message → Hash 1; Signature → (Public Key) → Hash 2; Hash 1 = Hash 2? Yes = data/hash untampered, No = data/hash tampered
+Secure Routing
Proper routing and forwarding are essential for communication in WSNs.
Basic tasks relevant to routing:
Route discovery
Packet Forwarding
Route maintenance
However, there is an inherent trade‐off when designing a routing protocol for WSNs:
energy vs. security, or equivalently
route optimization vs. susceptibility to attacks
+Routing in WSNs
WSN technology has a strong heritage from MANETs. However, in most cases sensors are not mobile, and the network has a data reporting role towards special nodes (sinks). Thus, the conventional anyone‐to‐anyone unicast routing protocols are abandoned.
Moreover, intermediate nodes can perform data aggregation and caching in addition to routing.
Not node‐to‐node packet switching, but node‐to‐node data propagation.
Figure – a) Classic ad hoc architecture: any‐to‐any node communication; b) Stationary, sink‐based reporting architecture
+Routing Challenges
Constrained Resources:
Sensor nodes are energy‐ and computationally‐limited
Sensor node failures may lead to connectivity issues
Node heterogeneity:
Heterogeneous nodes with different roles & capabilities
Scalability issues:
Fully distributed network without global knowledge
Large numbers of sources and sinks covering a large area
Large coverage area
Topological and geographical issues: the value of data is a function of time and location
out‐of‐date data is not valuable!
+Taxonomy of Routing Protocols: Based on the Routing Scheme
Flat routing schemes employ a uniform role and forwarding policy among the nodes.
FLOODING: broadcast data to all neighbour nodes, regardless of whether they have already received it
GOSSIPING: send data to one randomly selected neighbour
+Taxonomy of Routing Protocols: Based on the Routing Scheme (cont.)
Hierarchical routing schemes: sensor nodes form clusters where the cluster‐heads (CHs) aggregate and fuse data before sending it to the sink, to conserve energy. Clustering includes:
Selection of the nodes that will become CHs
Cluster formation based on the received signal strength (grouping of sensors around each CH)
CHs compress the data received from the nodes in their cluster and send it to the sink (usually after aggregation)
Advanced features:
Energy‐aware CH selection
CH role rotation and cluster re‐formation
Figure – e.g. a 2‐level hierarchical routing scheme (Sink; CH = cluster head; CM = cluster member)
+Taxonomy of Routing Protocols: Based on the Routing Scheme (cont.)
Location‐based routing schemes, where nodes are addressed based on their location.
These approaches require the sensor nodes to be equipped with GPS or other similar location‐finding devices.
An example: the Geographic Adaptive Fidelity (GAF) protocol
− Associate each node with a point in the virtual grid
− Nodes associated with the same point on the grid are considered equivalent in terms of the cost of packet routing
− Figure: Node 1 reaches node 5 via nodes 2, 3 & 4 which are equivalent; Any of the other two nodes in Grid B can sleep without affecting routing.
Figure – GAF virtual grid: nodes 1 to 5 in grids A, B and C; grid size r
+Taxonomy of Routing Protocols: Based on the Addressing Scheme
Node‐centric addressing schemes are the classic addressing schemes in which a packet is addressed and routed with respect to the destination node's id.
Location‐centric addressing schemes use the naming of a location to specify the destination. Some addressing schemes allow more than one node to satisfy the addressed location, in which case all those nodes may serve the packet.
Data‐centric addressing schemes use the naming of the wanted information as the destination of packets. In such schemes, packet forwarding usually follows a flooding or gossiping policy, mainly because it is not known at which node the addressed information may reside. For instance, request
"the areas where the temperature is over 50F" rather than
"the temperature read by a certain node (e.g., #27)"
+Are Routing Protocols for WSNs Secure?
Unfortunately, most sensor network routing protocols were not designed with security in mind.
This is why a number of well‐known routing protocols are susceptible to attacks.

Protocol | Relevant attacks
Directed diffusion and its multipath variants | Bogus routing information, selective forwarding, sinkholes, Sybil attack, wormholes, HELLO floods
Geographic routing (GPSR, GEAR) | Bogus routing information, selective forwarding, Sybil attack
Minimum cost forwarding | Bogus routing information, selective forwarding, sinkholes, wormholes, HELLO floods
Clustering‐based protocols (LEACH, TEEN) | Selective forwarding, HELLO floods
Rumor routing | Bogus routing information, selective forwarding, sinkholes, Sybil attack, wormholes
Energy conserving topology maintenance (SPAN, GAF, CEC, AFECA) | Bogus routing information, Sybil attack, HELLO floods

Table ‐ A summary of attacks against routing protocols
+Secure Routing ‐ Countermeasures
Link layer security
Simple link‐layer encryption and authentication using a globally shared key prevents the majority of outsider attacks (bogus routing information, Sybil, selective forwarding, sinkholes), because an outsider cannot produce valid frames at all.
Link‐layer security mechanisms provide little protection against insiders (a captured node holds the shared key), HELLO floods (the attacker can re‐broadcast a legitimately authenticated HELLO with a strong transmitter) and wormholes (the tunnelled packets are genuine).
Wormhole and sinkhole attacks
Routing protocols that construct a topology initiated by a base station are the most vulnerable to these types of attacks.
Solution: geographic protocols that construct the topology on demand using localized node interactions, instead of relying on the base station, can provide a solution.
+Secure Routing ‐ Countermeasures (cont.)
Sybil attack:
Solution #1: Defending against Sybil attacks can be as simple as sharing a unique symmetric key between each sensor node and a trusted base station. Neighbouring nodes then use the base station to establish a pair‐wise key between them, so every identity must be backed by a key the base station knows, and an attacker cannot present identities for which it holds no key.
Solution #2: The base station can also limit the number of neighbours a node is allowed to establish keys with.
This limits the number of nodes an insider (a captured node) can communicate with, and therefore the damage it can do.
HELLO flood attacks:
Measures against the Sybil attack, such as limiting the number of verified neighbours of a node, also help against HELLO flood attacks. Verifying the bidirectionality of links (a neighbour must be reachable in both directions) defeats an attacker whose powerful transmitter is heard by many nodes that it cannot itself hear.
+Secure Routing ‐ Countermeasures (cont.)
Geographic routing attacks
Geographic routing resists wormhole and sinkhole attacks, but location advertisements must be trusted: an adversary that advertises false positions (or several positions, a Sybil attack) can still attract traffic.
Solution #1: Use a fixed topology to eliminate the need for location information.
Solution #2: Restrict the structure of the topology so that all nodes' locations are known in advance, eliminating the need for nodes to advertise their locations.
Selective forwarding
Solution #1: Multipath routing limits the effect of selective forwarding, since a single misbehaving node no longer sits on every path.
Solution #2: Probabilistic selection of the next hop also adds to security, because the adversary cannot predict which nodes will carry a given packet.
Solution #3: Routing messages over N paths whose nodes are completely disjoint is an effective solution, though disjoint paths are expensive to find and maintain.
+Resilience to Node Capture
In traditional networks, physical security is often taken for granted.
Sensor nodes, by contrast, are likely to be placed in open locations and remain unattended for long periods. This means that an attacker might:
capture one or several sensor nodes and extract cryptographic secrets
modify their programming
possibly replace them with malicious nodes
Camouflage housing or tamper‐resistant packaging of the sensor nodes may be one defense.
However, these methods are expensive.
+Possible Defenses to DoS Attacks
Jamming attacks: deliberate interference with radio reception to deny the target the use of a communication channel.
Defense techniques:
Use of spread‐spectrum techniques and frequency hopping
Once jamming is detected, traffic can be routed around the jammed region.
Power exhaustion attacks: an attacker may simply violate the communication protocol and continually transmit messages in an attempt to generate collisions. Using this technique, an attacker can deplete a sensor node's power supply by forcing too many retransmissions.
Defense techniques:
Use of error‐correcting codes (so that a partially corrupted frame need not be retransmitted)
Use of rate‐limiting schemes (excessive requests are ignored)
+Other Network Security Services
So far, we have explored low‐level security primitives for securing wireless sensor networks.
Now, let us consider high‐level security mechanisms.
These include the following:
Secure Data Aggregation
Intrusion Detection
Security Visualization
+Secure Data Aggregation
Data aggregation is employed in WSNs in order to avoid sending overwhelming amounts of sensed values back to the base station.
A serious issue connected with data aggregation is data security.
This is because existing schemes assume that every network node is honest. However, any compromised (aggregator) node can inject faulty data into the network, and a single aggregate value gives the base station no way to tell.
+Secure Data Aggregation Schemes
Hop‐by‐hop encryption schemes: the sensing nodes generate data, encrypt it and send it to the aggregator. The encrypted data is decrypted at the next‐hop node and encrypted again after aggregation. This process is repeated at every node on the way to the base station, so every aggregator must hold the keys of its children and sees their readings in the clear.
Figure ‐ Overview of hop‐by‐hop aggregation. Operations: sensor nodes: 1. sensing, 2. encryption; aggregator nodes: 1. decryption, 2. aggregation, 3. encryption; sink: 1. decryption
+Secure Data Aggregation Schemes (cont.)
End‐to‐end encryption schemes: in end‐to‐end encryption, the data is NOT decrypted at the intermediate nodes. Only the BS has the ability to decrypt it! This requires an encryption scheme with a privacy homomorphism (typically additively homomorphic), so that the aggregate can be computed directly on ciphertexts. From a computational point of view, this approach saves resources since aggregators do not have to carry out decryption operations, and it removes the aggregators from the trust base for confidentiality (though not for integrity: a malicious aggregator can still contribute a bogus value).
Figure ‐ Overview of end‐to‐end aggregation. Operations: sensor nodes: 1. sensing, 2. encryption; aggregator nodes: 1. aggregation applied on the encrypted data; sink: 1. decryption
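The two aggregation schemes side by side, as an added example that is not part of the original slides: an additively homomorphic "add a keyed pad mod M" encryption lets the aggregator sum ciphertexts without any key (end‐to‐end), while the hop‐by‐hop variant has to decrypt each reading. The node keys, readings and epoch number are constructed, the pad derivation via HMAC‐SHA256 is a design choice made here, and the scheme is a simplified illustration rather than any published protocol's exact construction.

```python
import hashlib
import hmac

MODULUS = 2 ** 32   # must exceed the largest aggregate the sink can receive

def keystream(node_key, epoch):
    """Per-node, per-epoch one-time pad word from a PRF (HMAC-SHA256).
    The epoch (reporting round) must never repeat: two readings masked
    with the same pad would leak their difference to the aggregator."""
    h = hmac.new(node_key, b"agg-pad|" + epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(h[:4], "big")

def encrypt_reading(node_key, epoch, reading):
    """Sensor node: c = (m + pad) mod M. Addition mod M is additively
    homomorphic: the sum of ciphertexts decrypts to the sum of readings."""
    if not 0 <= reading < MODULUS:
        raise ValueError("reading out of range")
    return (reading + keystream(node_key, epoch)) % MODULUS

def aggregate_encrypted(ciphertexts):
    """Aggregator node (end-to-end scheme): adds ciphertexts. It holds no
    key and learns nothing about the individual readings."""
    return sum(ciphertexts) % MODULUS

def sink_decrypt_sum(node_keys, contributors, epoch, aggregate):
    """Base station: holds every node key; subtracts the pads of the nodes
    reported as contributors. The contributor list itself must arrive
    authenticated, since a wrong list yields garbage."""
    pads = sum(keystream(node_keys[n], epoch) for n in contributors)
    return (aggregate - pads) % MODULUS

def hop_by_hop_aggregate(node_keys, contributors, epoch, ciphertexts, agg_key):
    """Hop-by-hop scheme, for contrast: the aggregator must hold the
    sensors' keys, decrypts each reading (and therefore sees it), sums, and
    re-encrypts the sum under its own key for the next hop."""
    plain = [(c - keystream(node_keys[n], epoch)) % MODULUS
             for n, c in zip(contributors, ciphertexts)]
    return encrypt_reading(agg_key, epoch, sum(plain) % MODULUS), plain

def demo():
    """Constructed data: three sensors reporting temperature in tenths of a
    degree in epoch 42. Returns (true sum, sum after a compromised
    aggregator slips in a bogus value)."""
    node_keys = {1: b"k-node-1", 2: b"k-node-2", 3: b"k-node-3"}   # constructed keys
    readings = {1: 215, 2: 221, 3: 198}
    epoch = 42
    cts = [encrypt_reading(node_keys[n], epoch, readings[n]) for n in (1, 2, 3)]
    total = sink_decrypt_sum(node_keys, [1, 2, 3], epoch, aggregate_encrypted(cts))
    # Confidentiality holds, but nothing stops a malicious aggregator from
    # adding an offset: integrity needs a separate mechanism.
    bogus = sink_decrypt_sum(node_keys, [1, 2, 3], epoch, aggregate_encrypted(cts + [1000]))
    return total, bogus
```

The bogus‐value case is the point of the preceding slide: end‐to‐end encryption keeps the aggregator from reading the data, but the sink still cannot tell 634 from 1634 without an integrity mechanism (per‐node MACs, commitments, or a sampling‐based audit of the aggregate).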
+Intrusion Detection: The Second Line of Network Defence
Intrusion detection is the process of discovering, analyzing, and classifying malicious activities that have penetrated the network. Every network activity can be categorized as NORMAL, ABNORMAL (but NOT malicious), or MALICIOUS.
Figure – Intrusions (attacks, misuse of resources, data correlations) vs. responses (terminate connection, block IP address, recovery); preventive mechanisms such as firewalls and encryption/authentication form the first line of defence
+Intrusion Detection: Required Technologies
Collection of the audit data
Localization data
Routing information
Analysis and classification of the audited data
Identify the intrusion characteristics
Detect the intrusions. Two common types exist:
Anomaly‐based (categorizes the traffic as either normal or abnormal based on heuristics or rules rather than known attack patterns; it can catch unknown attacks but produces false positives)
Misuse‐based (matches traffic against "signatures" of known attacks; precise, but blind to attacks without a signature)
Locate the intrusions (i.e. perform attack attribution)
By doing this, the effects of the detected attack can be mitigated by taking prompt counteractions.
+Intrusion Detection in WSNs
In wired networks, network traffic is typically monitored and analyzed for anomalies at various concentration points.
WSNs, however, require a solution that is fully distributed and inexpensive in terms of energy and memory requirements.
Current WSN anomaly detection strategies target the following attacks:
Sinkholes and Wormholes
DoS attacks
Sybil attacks
Hello Floods
Selective Forwarding
+Overview – 4th Part
Wireless Sensor Networks: Definition, Architecture, Components
An introduction to WSN Security
Security Goals – The CIA Triad
Security Challenges and Vulnerabilities
Threats and Attacks
Defensive Measures
Cryptography
MAC authentication
Secure Routing
Intrusion Detection
Security Visualization
Research Challenges & Open Issues
Conclusions
+The problem
Various security mechanisms have been proposed to address network security concerns.
Despite the fast development of computer security mechanisms, the scale and complexity of the generated network data put ever increasing challenges on the representation and understanding of the security‐relevant information.
Thus we have:
1) the problem of information growth on the one hand, and
2) the problem of increased cyber‐/net‐criminality on the other hand.
To address the so‐called security overload problem, researchers turned to information visualization!
Figure – This infographic by DOMO breaks down the amount of data generated on the Internet every minute!
+Definition
“Information visualization is a technique that has been used for a long time to represent information clearly and effectively through graphical means. By creating interactive visual representations of the information, it exploits the human's perceptual and cognitive capabilities of problem solving to extract information.”
+Why visualization?
One of the major contributions of visualization is that it facilitates network traffic analysis.
Traditional network analysis software only provides detailed text‐based output.
Consider how difficult and time‐consuming it is for a system administrator to read a text‐based log file recording the traffic exchanged over the network in the past twenty‐four hours.
+Until now… Visualization for network traffic analysis
Network traffic visualization is one of the first directions to take when it comes to understanding and analyzing information in vast amounts of network data.
Many visualization tools graphically monitor real‐world or simulated wired and wireless networks (e.g., TOSSIM, OPNET, NS‐3, etc.).
While these tools offer some form of visualization, they are designed for applications other than network security. Accordingly, these tools:
Lack the specialized techniques for visualizing security‐related data.
Tend to miss abnormalities and attacks that occur unpredictably.
+Now… Visualization for network security
The power of visualization should go beyond the simple "illustration" of network behavior, so as to enable security analysts to discriminate between normal and abnormal network activities.
Figure – from simple network traffic analysis to network analysis based on advanced visual analytics
+Definition
“Network security visualization is the process of mapping network data into meaningful visual representations that enable the user to efficiently integrate automated data mining methods with expert human intuition for the detection of complex patterns of abnormal network activity.”
In other words, it is where Data Mining and Visualization converge to provide tools that give better insight into the network security problem.
+A bit of history
Visualization and data mining have always been, and still are, somewhat in competition. On the one hand, data miners see visualization as too soft a discipline, lacking formalism and with the original sin of having poor evaluation methods in its toolbox. On the other hand, visualizers think data mining is too rigid and narrowly focused on a plethora of insignificant small details and on algorithms that nobody will ever understand.
Both are partially right and partially wrong. What has been missing during the last decade is a fruitful exchange of ideas between these divided communities, to take the best out of both. There is no question that what one discipline lacks is filled up, in a complementary fashion, by the other.
The truth is that today we just cannot afford to keep the two completely separated.
+Why Visualization cannot afford ignoring Data Mining
Data is full of rubbish: data never comes for free; you have to manipulate it in order to accommodate the needs of your project. The most classical things you will need to deal with are missing values, outlier detection, normalization, aggregation, sampling, etc. Each of these requires robust and solid techniques from data miners.
Humans don’t scale, machines do: There is no way to visualize a billion items. If you assign every item to one single pixel (known as pixel‐based visualization), which is the maximum scalability available, you will need either a huge screen or very tiny pixels. On the other hand, machines do scale and can crunch monstrous amounts of data.
We need order, in order to thrive: No matter how clever your visualization is and how skilled you are as a designer, visualization just cannot afford answering some questions without some kind of automatic abstraction and order. Data visualization is very powerful when lots of details can be exposed about every single item, but this is not scalable, plus finding the right set up for any given question is hard and inefficient. Data mining offers some clear scaffolds around which one can build clear questions and receive somewhat clear answers.
+Why Data Mining cannot afford ignoring Visualization
Parameter setting is voodoo science. Despite the all‐encompassing goal of making things as automatic as possible without human intervention, almost all data mining techniques require some kind of parameter setting. The user has to go through a lengthy trial‐and‐error process in a feedback loop: (1) choose the settings, (2) run it, (3) look at the results… satisfied? Not really… go back to (1) and repeat. There is clearly a huge role for visualization here. Visualization can help to better understand the output, compare alternative results, and understand the relationship between the parameters and the output.
You cannot trust black boxes. The issue of trust is very well known among data miners: the models data mining algorithms build are often arcane, and even if something seems to work, there is no way to really understand why and how it works. Visualization has the power to shorten this gap and help model builders gain better confidence in the babies they build.
There is no right answer. Data mining has a long tradition of providing tools to build models that give clear‐cut answers automatically: "should I give the loan to this customer or not?". This is fine and useful, but many of the modern inquiries on data are not so clear‐cut. Data analysis is often exploratory, and there is no right answer. When mining is used for this purpose it necessarily needs a certain level of flexibility: ask a question, produce some initial results, visualize them, understand the problem better, change the parameters, use another algorithm, compare alternative results, etc.… and how do you do that without visualization?
+The convergence
It became apparent that there is no way to tackle the data analysis challenges of the new millennium without integrating these two branches of knowledge. The problems we face today require at least the following two broad features that no discipline is able to cover alone:
1. Coping with monstrous data
2. Harnessing the complexity of the machine
Some few (feeble) signs of a new marriage seem to be coming to light. What is Visual Analytics if not an attempt by the visualizers to acknowledge the fact that visualization without analytics is like tilting at windmills?
Source: http://fellinlovewithdata.com/reflections/why‐visualization‐cannot‐afford‐ignoring‐data‐mining‐and‐vice‐versa
+The visualization process
The visualization process consists of 4 basic steps:
1. The visualization software first has to capture the raw network data.
2. The raw data is then transformed in a way that supports visualization and analysis (typically one data attribute is mapped to one visual attribute).
3. The transformed data is displayed on the screen using the computer's windowing and rendering system. To provide appropriate user control, the GUI incorporates interaction methods.
4. Finally, the human visual cortex reverses the transform to provide the user with a better understanding of the data.
Figure – the visualization pipeline: Data Collection → Data Transformation & Mapping → Visual Representation & User Interaction, supported by automated algorithms, computer graphics, human perception and human analytical reasoning (visual analytics)
+Visualization Advantages
Improves situational awareness
Visualization speeds detection of patterns in volumes of data
Innate capabilities for visual pattern detection allow people to see patterns they might miss in textual information.
Efficiently combines the output of heterogeneous data into an easily understood picture
With visualization it is easier to communicate the results of an analysis to others in pictorial form
Visualization reduces mental workload of a person scrolling and sifting through pages of data
+Security Visualization Techniques
Most of the work done in the field of security visualization stems from the area of computer security.
Common visual techniques incorporated in security visualization systems include the following:
Parallel Coordinates
Scatterplots
Node Link Graphs
Glyphs
Color maps and treemaps
Radial panels
Bubble diagrams
Color, size, shapes, position, and transparency, amongst others, are used to communicate information
+The VisAlert W3 visualization concept
Figure – The VisAlert W3 visualization concept: a line connecting an alert type (what) at a time (when) to a resource (where) represents an alert instance.
VisAlert is based on the notion that an alert must possess three attributes, namely what, when, and where, and that these attributes can be used as a basis for comparing heterogeneous events.
The radial panel displays the local network topology map in the center, with the various IDS alerts along the outer rings.
The ring's width represents time and is divided into several history periods. A line is drawn from an alert type on the outer ring to a particular host on the topology map to represent a triggered alarm. Thicker lines show a higher number of alerts of a single type, and larger nodes in the topology map represent hosts experiencing unique alerts.
S. Foresti, J. Agutter, Y. Livnat, S. Moon, and R. Erbacher, “Visual correlation of network alerts,” 2006
+Parallel coordinates
http://www.rumint.org/
Rumint is a data visualization tool that can display network traces in a variety of ways.
The next example uses Rumint to generate parallel coordinates plots that display four values: source IP address, TCP source port, TCP destination port and destination IP address.
For each packet in a capture file, Rumint plots these four values onto their respective axes and draws a line connecting them.
On the right is what traffic on my home network normally looks like when plotted in Rumint using the settings discussed above.
Figure – axes, left to right: Source IP, TCP Source Port, TCP Dest. Port, Dest. IP
+Parallel coordinates (cont.)
http://www.rumint.org/
Figure – axes, left to right: Source IP, TCP Source Port, TCP Dest. Port, Dest. IP
Let's take a closer look at this graph. Starting from the left you see the hosts that are sending packets.
As you follow the lines to the right you see the ports those packets originated from.
Continue to follow the lines to discover which ports the packets are heading towards.
Finally the lines reach the right side of the plot which shows the destination IP addresses of the packets.
+Parallel coordinates (cont.)
http://www.rumint.org/
Figure – axes, left to right: Source IP, TCP Source Port, TCP Dest. Port, Dest. IP
Next, Nmap (nmap ‐sS ‐O ‐PI ‐PT 192.168.1.5) was run against a system on the network. Using the same settings as before, this capture file was fed into Rumint to generate the following image.
Notice anything different? Those big V shapes are hard to miss.
Looking at the graph you see packets are being sent to a large number of ports, and this new activity is between just two hosts.
To get a clearer picture of what is happening, I filtered the network capture to only show packets between those two hosts, which nicely shows a port scan taking place.
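What the "V shape" on the parallel coordinates plot amounts to in data terms, as an added example that is not part of the original slides or of Rumint: one source reaching many distinct destination ports on one host. The script builds a small constructed capture (a few ordinary flows plus a SYN scan of 64 ports, modelled on the nmap run above), computes the per‐host‐pair port fan‐out that the plot draws, flags pairs above a threshold and performs the same "only these two hosts" drill‐down described above. The addresses, ports and threshold are constructed for the demonstration.

```python
from collections import defaultdict

def build_capture():
    """Constructed capture (not a real trace), one packet per line with the
    four parallel-coordinate axes: src sport dst dport. A handful of
    ordinary flows, then a SYN scan of ports 1-64 from one host."""
    lines = [
        "192.168.1.10 40001 93.184.216.34 443",
        "192.168.1.10 40002 93.184.216.34 443",
        "192.168.1.12 53001 192.168.1.1 53",
        "192.168.1.15 40003 93.184.216.34 443",
        "192.168.1.15 40004 93.184.216.34 80",
    ]
    lines += [f"192.168.1.9 {36000 + i} 192.168.1.5 {port}"
              for i, port in enumerate(range(1, 65))]
    return "\n".join(lines) + "\n"

def parse_capture(text):
    """Parse 'src sport dst dport' lines into (src, sport, dst, dport) tuples."""
    packets = []
    for line in text.strip().splitlines():
        src, sport, dst, dport = line.split()
        packets.append((src, int(sport), dst, int(dport)))
    return packets

def fan_out(packets):
    """Distinct destination ports per (src, dst) pair: the number of lines
    that converge from the 'TCP Dest. Port' axis onto one point of the
    'Dest. IP' axis, i.e. the width of the V shape on the plot."""
    ports = defaultdict(set)
    for src, _sport, dst, dport in packets:
        ports[(src, dst)].add(dport)
    return ports

def find_port_scans(packets, threshold=20):
    """Flag (src, dst) pairs that touched more than `threshold` distinct
    destination ports. Returns [((src, dst), n_ports), ...]."""
    return sorted((pair, len(p)) for pair, p in fan_out(packets).items() if len(p) > threshold)

def filter_pair(packets, host_a, host_b):
    """The drill-down step from the slide: keep only traffic between the two hosts."""
    return [p for p in packets if {p[0], p[2]} == {host_a, host_b}]

if __name__ == "__main__":
    pkts = parse_capture(build_capture())
    for (src, dst), n in find_port_scans(pkts):
        print(f"{src} -> {dst}: {n} distinct destination ports, "
              f"{len(filter_pair(pkts, src, dst))} packets after drill-down")
```

The threshold is where the analyst's judgement enters: a web proxy or a DNS resolver legitimately fans out across many destination hosts but few ports, which is exactly why the plot keys the V shape on destination ports rather than on packet count.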
+Scatterplots
PortVis employs a color‐based grid visualization to map network activity to cells of a grid. The main display contains a 256 × 256 grid in which each point represents one of the 65,536 possible port numbers.
The location of a port on the grid is determined by splitting the port number into a 2‐byte (X, Y) location, X being the high byte and Y the low byte of the port number (so port 22 sits at (0, 22) and port 8080 = 0x1F90 at (31, 144)). Changes and variations of each point with respect to time are depicted using color: black portrays no variation or change, blue a small level of variance, red a larger level of variance, and white the most variant.
The grid can be magnified to provide further detailed information about specific ports.
J. McPherson, K. Ma, P. Krystosk, T. Bartoletti, and M. Christensen,“PortVis: a tool for port‐based detection of security events,” 2004.
+Glyph‐based Visualizations
http://digital.cs.usu.edu/~erbacher
Example of a glyph‐based visualization with a single server, and several hosts.
Multiple visual attributes are assigned to each node, which is depicted as a glyph. For the monitored server, for example, spikes extending from its perimeter represent the number of connected users. Communication links are shown with different line patterns.
The ring of a node depicts the difference between its IP address and that of the monitored system, so that hosts residing inside the local subnet appear closest to the monitored system.
These visual illustrations give an analyst an exploratory framework to work with, as they strengthen her ability to detect unknown relationships within the underlying data.
Figure – legend: failed connections; lost NFS mount
+NFlowVis Treemap visualization
F. Fischer, F. Mansmann, D. A. Keim, S. Pietzko, and M. Waldvogel, “Large‐scale network monitoring for visual analysis of attacks,” 2008.
The background represents the university's network structure, with computer systems shown as rectangles.
Source IPs of external machines are shown as colored circles at the borders.
The splines represent the connections between attackers and computers within the network.
The picture shows a brute‐force SSH attack from the Internet against computers located at the University of Konstanz.
This reveals a distributed attack originating from hundreds of hosts working together in an attempt to break into specific computer systems.
+Node Link Graphs and Glyphs
http://www.graphviz.org/
See also http://secviz.org
http://labs.asteriskinfosec.com.au/tag/prenus/
http://afterglow.sourceforge.net/
+Radial Layout
The Avisa security visualization system assigns scores to hosts based on a collection of metrics that reflect change related to the alerts received by a particular host in a monitored network.
The system utilizes three categories of heuristic functions to collectively identify hosts with peculiar, irregular, and variant behaviors. The top n hosts are arranged along a radial display, while multiple statistics are mapped to various visual attributes.
The intrusion alerts regarding each host are depicted using Beta‐splines running from the alert type category on the top left to the specific host on the bottom right.
Figure ‐ Radial design of Avisa depicting prioritized hosts and alert categories.
H. Shiravi, A. Shiravi, and A. Ghorbani, “IDS alert visualization and monitoring through heuristic host selection,” 2010.
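The slide gives the shape of Avisa's pipeline (per-host scores from several heuristic categories, a top-n selection, a radial arrangement, and splines from alert category to host) without the formulas. The block below is an added example that fills the shape with simple assumed heuristics so the pipeline can be run end to end; it is not Avisa's own code, and the definitions of "peculiar", "irregular" and "variant" used here, the alert stream and the host names are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed IDS alert stream: (time_window, host, alert_type). Not real data.
ALERTS = [
    (0, "h1", "portscan"), (0, "h1", "portscan"), (0, "h2", "portscan"),
    (0, "h3", "portscan"), (0, "h4", "web_probe"),
    (1, "h1", "portscan"), (1, "h1", "portscan"), (1, "h2", "portscan"),
    (1, "h3", "sql_inject"), (1, "h3", "sql_inject"), (1, "h3", "portscan"),
    (1, "h4", "web_probe"), (1, "h5", "rootkit"),
]


def host_windows(alerts):
    """counts[host][window] = number of alerts the host received in that window."""
    counts = defaultdict(Counter)
    for w, h, _ in alerts:
        counts[h][w] += 1
    return counts


def peculiar(alerts, host, rare_hosts=1):
    """Assumed heuristic: share of the host's alerts whose type was seen on at most
    `rare_hosts` hosts overall (alert types nobody else triggers are peculiar)."""
    hosts_per_type = defaultdict(set)
    for _, h, t in alerts:
        hosts_per_type[t].add(h)
    mine = [t for _, h, t in alerts if h == host]
    if not mine:
        return 0.0
    rare = sum(1 for t in mine if len(hosts_per_type[t]) <= rare_hosts)
    return rare / len(mine)


def irregular(counts, host, window):
    """Assumed heuristic: the host's alert volume in `window` relative to the mean
    volume over all hosts in that window."""
    vols = [c[window] for c in counts.values()]
    mean = sum(vols) / len(vols)
    return counts[host][window] / mean if mean else 0.0


def variant(counts, host, window):
    """Assumed heuristic: relative change of the host's volume between the previous
    window and `window` (the "change related to the alerts" the slide mentions)."""
    prev, cur = counts[host][window - 1], counts[host][window]
    return abs(cur - prev) / (prev + 1)


def rank_hosts(alerts, window, top_n=3):
    """Score every host, keep the top n and give each an equal slice of the circle.
    Returns (host, score, angle_deg) tuples in display order."""
    counts = host_windows(alerts)
    scored = {h: peculiar(alerts, h) + irregular(counts, h, window) + variant(counts, h, window)
              for h in counts}
    top = sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]
    return [(h, round(s, 3), 360.0 * i / len(top)) for i, (h, s) in enumerate(top)]


def alert_edges(alerts, ranked, window):
    """(alert_type, host) pairs to draw as splines from the category side of the
    display to the prioritized hosts."""
    hosts = {h for h, _, _ in ranked}
    return sorted({(t, h) for w, h, t in alerts if w == window and h in hosts})


if __name__ == "__main__":
    ranked = rank_hosts(ALERTS, window=1)
    print(ranked)
    print(alert_edges(ALERTS, ranked, window=1))
```

Summing unnormalized heuristics is the weak point of such a scheme: a host with a single never-before-seen alert type (h5 in the sample) scores almost as high as a host whose volume tripled, so in practice each category would be normalized and weighted, and the weights tuned against known-benign baselines before the top-n cut is trusted.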
+3D Visualization for Intrusion Detection
http://www.securedecisions.com/main.htm
Each box on the grid represents a host on a network.
Lines point to hosts on which IDS sensors report attacks or suspicious activities.
Interaction tools include: Data Sorting; Right-Click Filtering; Right-Click Drill-In.
+Traceroute Visualizations
3D TraceRoute developer: http://www.hlembke.de/prod/3dtraceroute/
XTraceRoute developer: http://www.dtek.chalmers.se/~d3august/xt/
Screenshots shown: Xtraceroute; basic traceroute/tracert; 3D TraceRoute.
+MeerCAT® wireless cyber asset discovery visualization
http://securedecisions.com/products/meercat/
Figure: (a) Device Treelist of detected devices; (b) Geographic Visualizations showing location of devices; (c) Node Link Visualization showing communication patterns; (d) Network Visualization showing connections between transmitters; (e) Channel Visualization showing channel distributions; and (f) Table showing details of networks and clients.
+Security Visualization Systems for WSNs: A summary
System | Data Source(s) | Visualization Technique | Anomaly Detection Technique | Suitable for | Protection against
MDS-VOW, W. Wang and B. Bhargava, 2004 | Network topology data | MDS with 3D surface | Impulse graph displaying the wormhole indicator | Static WSNs | Wormhole attacks
IVoW, W. Wang and A. Lu, 2006 | Network topology data | Incremental MDS with adaptive visualizations | An integration of visual representation, user interaction & automatic detection | Mobile WSNs | Wormhole attacks
ViSA, A. Lu and W. Wang, 2006 | Network topology data | Colormap & 3D Scatter Plot | An integration of visual correlation & automatic detection algorithms | Mobile WSNs | Sybil attacks
SecVizer, G. Abuaitah and B. Wang, 2009 | Qualnet-like packet traces | 3D Topology View & Parallel Coordinates | Visual pattern detection | Qualnet-generated WSNs | DDoS attacks
SAVE, L. Shi et al., 2011 | GreenOrbs data | Radial Panel & Link Graphs | Cluster-based mapping | Real-world WSNs | Attacks against Routing
+Overview
Wireless Sensor Networks: Definition, Architecture, Components
An introduction to WSN Security: Security Challenges, Security Goals, Threats and Attacks
Defensive Measures: Cryptography, MAC Authentication, Secure Routing, Intrusion Detection, Security Visualization
Research Challenges & Open Issues
Conclusions
+Research Challenges
Security is somewhat difficult to achieve in WSNs:
Public-key cryptographic systems are inefficient on low-end devices. Moreover, cryptography by itself is not enough against insiders.
Link layer security with key management can prevent the majority of outsider attacks. However, it provides little protection against insiders, HELLO floods, and wormholes.
Wormholes and DoS attacks are difficult to defend against and can be mounted effectively by both laptop‐class insiders and outsiders.
Nodes located near base stations are attractive targets for compromise, which requires protocols that reduce their significance.
The development of secure routing protocols is challenging because sensor nodes are prone to failures and the topology of a sensor network changes frequently due to node failures and possible mobility.
+Open Issues
Improving the efficiency of symmetric key operations on sensor nodes is still an open research issue.
Although most secure schemes are able to limit the effects of attacks, intelligent attack detection mechanisms are still needed for security.
Currently, some protocols let routing paths bypass detected compromised nodes or attacks. However, current secure routing algorithms have no effect against undetected attacks. Hence, new secure routing protocols that can defend against undetected attacks, or even node compromise, are highly desirable.
Most approaches assume the base station is secure and robust enough. However, in some special application environments, such as battlefield surveillance, base stations may be easy to destroy or attack. Under such conditions, base station protection must be carefully investigated.
Most current security studies focus on individual security topics. However, security overhead degrades other aspects of WSN performance. Hence, the tradeoff between security and Quality of Service (QoS) needs to be evaluated.
+Overview
Wireless Sensor Networks: Definition, Architecture, Components
An introduction to WSN Security: Security Challenges, Security Goals, Threats and Attacks
Defensive Measures: Cryptography, MAC Authentication, Secure Routing, Intrusion Detection, Security Visualization
Research Challenges & Open Issues
Conclusions
+Conclusions
Without doubt, Wireless Sensor Networks represent an important wireless networking technology enjoying increased penetration in our everyday lives.
Unfortunately, constraints and the WSN deployment environment make security for these systems increasingly challenging.
Good news: despite the inherent vulnerabilities, research on securing WSNs constantly evolves. Powerful protocols are being developed to address the security issues.
The security recipe necessitates link layer encryption and authentication, multipath routing, identity verification, bidirectional link verification and authenticated broadcast.
Security visualization, as part of the larger field of information visualization, is the latest addition to the arsenal of a security professional.
+Major References
1. I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, "Wireless Sensor Networks: A Survey," Computer Networks (Elsevier), vol. 3, no. 4, pp. 393-422, 2002.
2. K. Römer and F. Mattern, "The Design Space of Wireless Sensor Networks," IEEE Wireless Communications, vol. 11, no. 6, pp. 54-61, Dec. 2004.
3. D. Ganesan, A. Cerpa, Y. Yu, D. Estrin, W. Ye, and J. Zhao, "Networking Issues in Wireless Sensor Networks," Journal of Parallel and Distributed Computing (JPDC), Elsevier, 2006.
4. A. Perrig, J. Stankovic, and D. Wagner, "Security in Wireless Sensor Networks," Communications of the ACM, vol. 47, no. 6, pp. 53-57, Jun. 2004.
5. C. Karlof and D. Wagner, "Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures," in Proc. 1st IEEE International Workshop on Sensor Network Protocols and Applications, Anchorage, AK, May 11, 2003.
6. G. Conti, Security Data Visualization. No Starch Press, 2007.
7. R. Marty, Applied Security Visualization. Addison-Wesley Professional, 2008.
8. H. Shiravi, A. Shiravi, and A. A. Ghorbani, "A Survey of Visualization Systems for Network Security," IEEE Transactions on Visualization and Computer Graphics, pp. 1313-1329, Aug. 2012.