Secure topology maintenance and events collection in WSNs


SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2011; 4:744–762
Published online 25 February 2011 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.280

SPECIAL ISSUE PAPER

Secure topology maintenance and events collection in WSNs

Mauro Conti1, Roberto Di Pietro†2, Andrea Gabrielli3∗ and Luigi V. Mancini3

1 Computer Science Department, Vrije Universiteit Amsterdam, De Boelelaan 1081a-1081 HV Amsterdam, The Netherlands
2 Dipartimento di Matematica, Università Roma Tre, L.go S. Leonardo Murialdo, 1-00146 Roma, Italy
3 Dipartimento di Informatica, Università di Roma La Sapienza, Via Salaria 113-00198 Roma, Italy

ABSTRACT

Topology Maintenance Protocols (TMPs) are key for operating Wireless Sensor Networks (WSNs). Their adoption serves a few goals, such as to save energy, to avoid collisions in communications and to have an adequate number of nodes monitoring the environment---by alternating duty cycles with sleep cycles on the sensor nodes. While the effectiveness of TMPs is widely addressed, security is an overlooked feature. Indeed, while different TMPs have been presented in the literature, few of them address the security issues. In particular, only recently a secure TMP that does not require pair-wise node confidentiality has been proposed: Sec-TMP. The aim of Sec-TMP is to enforce event delivery to the Base Station while providing a standard topology maintenance service to the WSN. In this paper, we provide a thorough assessment of our previous preliminary proposal of Sec-TMP, with particular reference to its effectiveness and security. First, we investigate the energy consumption introduced by TMPs. Second, we show that Sec-TMP performs well without any assumption either on the show-up time of the data-collecting nodes or on their mobility model. In particular, we test Sec-TMP against a realistic unpredictable data-collecting mobility scenario, that also brings in new security issues. A thorough security analysis of the proposed solutions to these new issues is also provided. Finally, extensive simulations support the quality of Sec-TMP as for effectiveness and security. Copyright © 2011 John Wiley & Sons, Ltd.

KEYWORDS

attack-resilient; sensor network security; topology maintenance protocol

†Roberto Di Pietro is also with UNESCO Chair in Data Privacy, Universitat Rovira i Virgili, Tarragona, Spain.

*Correspondence: Andrea Gabrielli, Dipartimento di Informatica, Università di Roma La Sapienza, Via Salaria 113-00198 Roma, Italy. E-mail: [email protected]

1. INTRODUCTION

Wireless Sensor Networks (WSNs) applications can range from law enforcement, to disaster recovery, to search-and-rescue, to cite a few [1]. Hence, in a few settings, WSNs run unattended and in a harsh environment. Furthermore, they operate without relying on existing infrastructure; for example, nodes can be deployed by a UAV (Unmanned Aerial Vehicle), and once on the ground, start communicating with each other, where the communication radius of a node determines its neighbourhood.

Due to the scarce resources sensors are equipped with, one of the most challenging research problems of WSNs is topology maintenance [2,3]. In particular, if more than the required number of nodes are present in a given area, it is desirable that some of the nodes switch from working state to sleeping state to save energy and to avoid communication congestion. Nodes in sleeping state could be activated at a later moment, for instance to replace failed ones, or to assure an evenly spread energy consumption, in order to maximize network lifetime. Under the (strong) assumption that the area sensors are deployed on is not infested by an adversary, different Topology Maintenance Protocols (TMPs) have been proposed in the literature [2--5]. Those protocols have been proved to be efficient and effective. However, if the hypothesis is relaxed---for instance, a malicious node is inserted in the above cited solutions---the WSN functionalities can be subverted. As an example, an adversary could keep nodes in a sleeping state, pretending some other (non-existing) nodes are active, hence compromising the main aim of a WSN, that is event sensing (note that our solution does apply to time driven sensing as well). Indeed, just a few preliminary works consider the security of TMPs, such as References [6,7].


The ultimate goal of our Sec-TMP protocol is to enforce the delivery of events intended to be received by the BS, or to detect that such a delivery failed, while enriching the functionalities of a standard topology maintenance protocol. In particular, our proposal does not rely on any assumption either on the mobility model of the data-collecting node, or on the show-up time.

As an example of the pay-off an adversary could gain from compromising a topology maintenance protocol, let us assume that a specific event (e.g. border trespassing) is sensed in a given neighbourhood. The adversary goal could be to prevent the BS from learning such an event. To this aim, it could exploit a non-secure TMP so that, in the neighbourhood interested by the event, only malicious nodes are in working condition. Hence, if malicious nodes do not report the trespassing, the BS will not be aware of the event.

In this paper, we assume WSNs do not necessarily have an underlying routing protocol; each node is just programmed to sense data and to pass it on to the Base Station (BS). In order to increase the network lifetime, and to be resilient to attacks, nodes run our Sec-TMP protocol.

The rationale underlying our proposal is to have a mechanism such that, if a node (a) states to be in a Working state, it could be designated by a node (b) as a relay node to deliver sensed data to the BS, while b could go to Sleeping state (see Figure 1). However, node a is forced to remain in Working state until the next BS arrival, otherwise it will be considered failed or malicious. Note that our protocol implementation, for a given neighbourhood, requires only d of the total number of nodes that claimed to be available to stay in Working state, to remain in such a state---hence preventing an excessive number of redundant nodes from consuming their battery. Finally, for a node to move to a Probing, then Sleeping state, a proof is required---issued by the BS---that someone else is taking its role, that is, the substituting node will be in the Working state. This mechanism preserves the property of having for each node, at any given time, at least d of its neighbours in Working state.

Detailed protocol description, initialization phase, related security issues and guaranteed properties are thoroughly discussed in this paper.

In this paper we propose, to the best of our knowledge, the first Secure Topology Maintenance Protocol (Sec-TMP) for Wireless Sensor Networks (WSNs) that: (i) does not require pair-wise node confidentiality, (ii) is scalable (newly deployed nodes would be involved in the topology maintenance protocol by pre-existing nodes in the network), (iii) is resilient to the standard attacks TMPs are subject to (References [6,7]), such as snooze attack, sleep deprivation attack and network substitution attack; (iv) tames the effect of node replication attack and (v) is independent from both the time and the mobility model of the data-collecting nodes. Finally, extensive simulation results support our findings.

Figure 1. Collaboration instance.

The rest of the paper is organized as follows. The next section reports the related work in the area. In Sections 3 and 4, we describe the system assumptions and the threat model, respectively. The Sec-TMP protocol is introduced in Section 5, while details are reported in Section 6. In Section 7, we analyse the security of our proposal, while simulation results and consequent discussion are in Section 8. Finally, some concluding remarks are reported in Section 9.

2. RELATED WORK

One of the main issues in WSNs is energy consumption, since power is often provided to a node by a small battery, and it is often impossible to replace a node's battery. For instance, this is the case when WSNs are deployed in a hostile or not easily reachable environment.

Many different approaches have been proposed in the literature to prolong the lifetime of a WSN. A classification of these techniques is presented in Reference [8]. There are protocols, such as Reference [9], that are based either on changing and adjusting the transmission power of each node, or on geometrical structure-based methods to select next-hop neighbours. There is a class of so called Power Management protocols [8], such as Reference [10], that aim to save the nodes’ energy by switching off the radio in the active nodes when they do not need to communicate.

Among the proposed solutions to extend network lifetime, there are the TMPs. TMPs leverage node redundancy to schedule working periods between nodes. Only a subset of the nodes are in a working state, while the others go into a sleeping state (stand-by) to save energy. Several TMPs have been proposed in the literature (e.g. SPAN [2], ASCENT [3], GAF [11], PEAS [4], CCP [5], AFECA [12]). These TMPs differ not only in the approach to schedule sleeping periods, but also in their objectives. For example, SPAN [2] and ASCENT [3] aim to maintain only network connectivity. Others, such as PEAS [4] and CCP [5], aim to maintain both connectivity and sensing coverage. Some of them, as for example GAF [11], rely upon nodes' location information; they require nodes with a GPS or some other location determination system. The CCP approach is similar to the one of SPAN, and they share the same state activity diagram and the same communication pattern.

The protocol discussed in this work belongs to the Topology Maintenance Protocols that leverage sleep-wake period management. So, the comparison of our solution and the focus of this paper is within this category. In particular, all the cited protocols in the considered classification are vulnerable to attacks, as described in Reference [6].

The first work that addressed the security issues on TMPs, Reference [7], described the snooze attack against some previous protocols (e.g. GAF [11], SPAN [2] and AFECA [12]). However, Reference [7] does not discuss the use of the snooze attack to reduce the sensing coverage. Moreover, Reference [7] does not take the sleep deprivation and the network substitution attacks into consideration, nor does it discuss any possible countermeasure. In Reference [13] the sleep deprivation attack is introduced in a context different from that of TMPs (and no countermeasures are described).

In Reference [6], the security vulnerabilities of topology maintenance protocols for wireless sensor networks are analysed. In particular, two new attacks in the context of topology maintenance protocols, namely the sleep deprivation attack and the network substitution attack, are described. In Reference [6], the authors describe how these attacks can be launched against PEAS, ASCENT and CCP, and suggest some countermeasures to make these cited protocols robust against the exposed attacks.

We observe that the solutions proposed in Reference [6] require authenticated node pair-wise communication, e.g. a pair-wise scheme such as References [14--16] must be used in conjunction with the TMP protocol. Furthermore, Reference [6] requires the used pairwise key establishment scheme to be resilient to node replication attacks [17]. In particular, in the proposed countermeasures it is required that, even if the adversary captures a node w, the identity of the compromised node cannot be successfully impersonated outside the neighbourhood of w. One possible protocol for achieving this goal in a sensor network is LEAP [18]. However, any scheme that meets these requirements can be used.

To the best of our knowledge, our preliminary proposal in Reference [19] has been the first secure topology maintenance protocol for Wireless Sensor Networks (WSNs) that (i) does not require pair-wise node confidentiality, (ii) is scalable (newly deployed nodes would be involved in the topology maintenance protocol by pre-existing nodes in the network), (iii) is resilient to the standard attacks TMPs are subject to (References [6,7]): snooze attack, sleep deprivation attack and network substitution attack and (iv) tames the effect of node replication attack.

The protocol proposed in Reference [19] does not require the Base Station to be compliant to any specific mobility model. However, the simulation results shown in Reference [19] only considered a fixed time interval between consecutive Base Station arrivals. In this work, we further investigate the proposal in Reference [19] as for the basic characteristics of the secure topology maintenance, e.g. the network coverage lifetime, and as for a specific realistic Base Station mobility model. In particular, we assume the base station arrivals to be distributed according to a Poisson process. We observe that this assumption is already used in the literature for the distribution of real events [20].

In Reference [21], the authors propose the idea of applying mechanisms inspired by biological systems and processes in order to increase the security and fault-tolerance of TMP protocols. However, no practical implementation is analysed in that preliminary work.

The importance of events detection and data survival in unattended wireless sensor networks has recently been highlighted in Reference [22].

Finally, the mobility of the BS, or the mobility of the nodes, has also been considered for different purposes. As an example, in Reference [23], the mobility of the BS is leveraged to balance the power consumption of static nodes in the network. In Reference [24], the authors proposed a protocol to move nodes along the deployment area to maintain the coverage.

3. SYSTEM ASSUMPTIONS AND NOTATION

In the remainder of this work we assume the system model described in this section. In particular, we assume a static network---each node has an initial location that does not change as the time goes by. However, nodes do not need to be deployed all at the same time---newly deployed nodes will cooperate to the aim of the topology maintenance with the nodes already present in the network area.

Our Secure Topology Maintenance Protocol (Sec-TMP) does not require any underlying routing protocol---it only resorts to one hop messages. Furthermore, each node, say a, can only contact the Base Station (BS) directly (via one-hop), when the BS is within a’s transmission radius. However, since the BS moves within the network in an unpredictable way, the BS is not always reachable by every node. Moreover, as assumed in References [25,26], the BS can also be absent from the network for a while (i.e. no node is able to reach it). As a result, from the single node point of view, the BS can be reachable (appear/disappear) in an unpredictable way. In the following, we refer to the fact that the BS appears to a given node (via broadcasting its presence) as the BS arrival. We observe that these assumptions of having only node-to-BS communication, and having a mobile BS, are practical in applications like environmental monitoring where periodic readings of punctual values are required. Furthermore, a mobile BS is a common assumption in the literature, for instance to solve problems related to nodes’ unbalanced energy consumption [27,28]---with a static BS, nodes close to the BS tend to consume more energy than the other ones.

In Sec-TMP, time synchronization between nodes is not necessary---nodes are not required to share a common time. However, we assume that the clock drift (difference between nodes’ clock speed) is negligible.

Sec-TMP does not require any pair-wise key to be shared among nodes. Node a only shares a symmetric key, Ka, with the BS. So, we remark that the BS is the only entity within the system that checks the authenticity of the messages originated by the nodes. Furthermore, the nodes do not know the set of the legitimate node IDs. To ease exposition, we assume that the following hypothesis holds: for each neighbourhood, the number of nodes physically present is greater than or equal to the number of nodes, (d), desired to be in a working state. Otherwise, the security properties stated in this paper cannot be guaranteed.

We define the neighbourhood of node a as the circular area having (i) center corresponding to a’s location; and (ii) radius Rt---the Transmission range. The nodes in the neighbourhood of a are its one-hop neighbours (also called just neighbours). Table I summarizes the notation used in the paper.

Table I. Summary of notation.

| Symbol | Meaning |
|---|---|
| N | Number of network nodes |
| d | Desired number of nodes in Working state for each neighbourhood |
| Rt | Transmission range (radius) |
| Ts | Sleeping time |
| Ka | Symmetric key shared between node a and the BS |
| λ | The desired probing rate towards nodes in Working state |
| ρ | Average of the received neighbours densities |
| � | Time interval between consecutive BS contact |
| p | Probability that a node starts in Working state |
| Densa | Neighbour density of the node a |
| tBS | Time information used by the BS |
| Counterb | A counter used by the node b |
| Adv | Adversary |

4. THREAT MODEL

In this section, we describe the aim and the capabilities of the adversary. The aim of the adversary is to prevent sensed data from reaching the Base Station. In particular, given the existence of several nodes able to sense data in a specific location (sensor redundancy is key in WSNs [29]), the aim of the adversary is to let only compromised nodes be able to report the data to the BS. The adversary can reach its aim by leveraging the TMP protocol in a malicious way.

To do so, we assume the adversary can (i) eavesdrop all the communication between nodes and the BS, and between nodes themselves, (ii) compromise nodes and make them collude. Nodes are not considered to be tamper-proof. As a consequence, all the information (including cryptographic keys) stored in a node the adversary compromised is considered leaked to the adversary. Hence, we assume the adversary can not only directly use compromised nodes but also spoof the compromised nodes' identity using a laptop-class device (that does not have the constraints of the sensor nodes in terms of battery and communication range). That is, a compromised identity can be impersonated in different places of the network at the same time. Finally, we assume (iii) the adversary is able to inject packets, while it is not able to drop genuine messages. Indeed, coherently with other works on WSNs, we do not assume the adversary being able (or willing to---in order to stay stealthy) to perform a denial of service attack by disrupting all the communication, or just using message injection to induce the receiving node to exhaust its battery. Finally, as for the BS, we assume that it is trusted.

The presented attacks are particularly challenging. In fact, they cannot be prevented by authentication mechanisms since the adversary knows all the crypto material possessed by the compromised nodes.

Given the aim and the capabilities of the adversary, in the following we discuss how it could reach its aim. The adversary could try to achieve its goal also by using TMP attacks [6,7]:

• Sleep Deprivation Attack. The adversary tries to induce a node to remain active. This attack has two effects. First, by increasing the energy expenditure of sensor nodes, it reduces the lifetime of the node and of the network as well. Second, in the case of a densely populated area, it can lead to increased energy consumption due to congestion and contention at the data link layer.

• Snooze Attack. The adversary forces the nodes to remain in sleeping state. The adversary can launch this attack to reduce the sensing coverage in a region of the network. This kind of attack can be applied to the whole network or to a subset of nodes.

• Network Substitution Attack. The adversary takes control of the entire network or of a portion of it by using a set of colluding malicious nodes.

As an example, if the adversary is able to let all the nodes exhaust their batteries through a sleep deprivation attack, there would be no sensed data at all---so, the adversary reaches its goal.

We assume that, for a neighbourhood composed of d nodes, the adversary holds at most d−1 compromised node identities. We stress that it is not necessary for the adversary to capture the node IDs in the same neighbourhood where they are intended to be used by the adversary.

Finally, we assume the adversary is also able to perform the following type of attack (that Sec-TMP is implicitly able to defend from): Node replication attack. That is, the adversary cloning the identity (and the cryptographic material) of a captured node in other malicious nodes.

5. PROTOCOL OVERVIEW

In this section, we first give a brief description of the proposed protocol’s behaviour. Then, we describe the leading rationales.

5.1. Behaviour

In Sec-TMP, each node has three operating states: Working, Sleeping, and Probing. The corresponding state diagram is described in Figure 2. Once a node is deployed, it starts in Sleeping state having an initial sleeping time-out Ts, randomly selected over a given time interval. The node behaviour associated to each state is reported in the following.

• Sleeping: the node turns off the radio and just waits for the time out Ts to expire. When Ts expires the node moves to Probing state.

• Probing: the node probes its neighbours to determine whether to go either to Sleeping or to Working state. The node sends a PROBE message within its transmission range Rt, and it waits for P-REPLY messages in response.

• Working: the node executes the regular node operations such as sensing and communicating to the BS as required by our protocol. When the BS claims its presence, and the node off-loads the data it stores to the BS, it also sends a request to the BS to receive a proof of the upload activity. Then, it goes to Probing state. Moreover, if the node receives a PROBE message from one of its neighbours, it replies to the neighbour sending a P-REPLY. Via the P-REPLY, the node informs the neighbours that it is in Working state.

Figure 2. State transition diagram.

5.2. Rationales

The main idea underlying our proposal is to have a mechanism such that, if a node (a) states to be in a Working state (e.g. replying to a PROBE originated by node b), then node a is forced to remain in Working state until the next BS arrival (there is no other event that can let the node move to another state). Otherwise, a will be considered failed or malicious. In the proposed protocol implementation, we actually require only d of the nodes that claimed to be in Working state, to remain in such a state. The only condition for which a node can go to Probing, then Sleeping state, is after the BS arrival, under the condition that it has a proof that someone else is taking its role---that is, the substituting node will be in the Working state. This mechanism aims at having at any given time, for each node, at least d of its neighbours in Working state.

Enforcement is implemented using the evidence issued by the BS to the node in Working state. Let us assume node b sends a PROBE to node a, and a replies being in Working state. If the BS enters the communication range of a before the next b’s probe, a has to prove to b it was in Working state when the BS came---that is, it uploaded b’s data to the BS. To this aim, we require a to ask the BS for a specific proof (provided by an authenticated token‡). Node a sends back the token to b, allowing b to check that a was in Working state and interacted with the BS. This is required for any node to which a replied as a consequence of a PROBE. However, it is not necessary that the BS releases a new token before the next b’s probe. If this is the case, node a replies to b using the last token received from the BS. In Section 7.1, we show that this protocol does not introduce a security issue.

We observe that the random selection of the sleeping time Ti at the deployment time is motivated to avoid (probabilistically) having the nodes moving to the Probing state all at once. Furthermore, we remind that we do not assume any confidentiality layer in the node pair-wise communications. Finally, note that there is a specific transient case to deal with: before the first BS arrival, no node can provide a token to a probing node. We describe this situation (protocol Start-up), in Section 6.4.

6. PROTOCOL DESCRIPTION

In this section, we provide a detailed description of our protocol. In particular, to ease exposition we first assume that each node already exchanged messages directly with the BS, and received a token from the BS. Under this assumption, we describe the behaviour of a node while it is in the different states (Figure 2): Section 6.1 describes the Sleeping state; Section 6.2 describes the Probing state and finally, Section 6.3 describes the Working state. For the Probing and the Working state, we first describe the protocol operations, and later describe the related rationales.

After the description of the main operations, we describe the specific case of the protocol Start-up in Section 6.4, and discuss the mobility of the BS in Section 6.5.

6.1. Sleeping state

A node in Sleeping state does nothing but wait for the Ts timer expiration. In this state, the node saves energy by having its radio turned off. When the sleeping timer Ts expires, the node turns the radio on and enters the Probing state.

6.2. Probing state

In this section, we describe the operations that a node performs while it is in Probing state (Algorithm 1).

‡ Note that the token authenticity is enforced using symmetric keys.


The executing node, say b, broadcasts a PROBE (line1.5). The PROBE--- containing a counter value, counterb---is authenticated by the node b with its key Kb. Note thatcounterb is different for each following PROBE message.Once the PROBE has been broadcasted (line 1.5), the nodewaits for a time δ (set in line 1.4) to receive the associatedreply P-REPLY from its neighbours in Working state.

In each P-REPLY message, there is a token generatedby the BS. The token contains: a time information tBS; theidentity of the replying node a; the neighbour density of thereplying node Densa; and a reveiced MAC, called RMAC,to authenticate the token itself. The value tBS is used inthe following way: if b receives a P-REPLY with a givenBS time (t′BS), then b will not consider the tokens havingt′′BS < t′′BS for the computation of d.

For each received P-REPLY that is authenticated, theexecuting node increases the value of the received repliesCreply. In particular, the authenticity of the P-REPLYis verified if the following holds (line 1.8): RMAC =MACKb

(tBS, Densa, a). In fact, we observe that such aRMAC can be generate only by the BS, or the node b itself:the only ones that know Kb.

Once a node has collected all the P-REPLYs, it has to take a decision about its next state. In particular, if fewer than the desired number of P-REPLYs are received (check line 10), the executing node will move to Working state (line 1.11). Otherwise, if the number of P-REPLYs is enough for the node, it will set the Sleeping time (line 1.13) and it will go in Sleeping state (line 1.14). The node sets the Sleeping time according to an exponential distribution [4]:

$$f(T_s) = \frac{\lambda}{\rho}\, e^{-(\lambda/\rho)\,T_s} \qquad (1)$$

where λ is the desired probing rate towards working nodes (λ is the same for each node), and ρ is the estimated neighbours density.

The ρ value is computed by each node independently as the average of the received densities (Densa of line 1.8). The Densa is the neighbour density of the replying node a. Note that the value Densa is computed by the BS. In particular, the BS computes Densa by counting the number of TOKENs requested by a node a in Working state. Then, the BS inserts Densa into the TOKENs replied to a (Algorithm 2, line 2.6). This value represents the neighbours density of node a---node a requests a TOKEN for each of its neighbours.

6.3. Rationales

The aim of the Probing state is to determine the next state (Sleeping or Working) of the executing node. As explained in Section 7.1, the value counterb, that is different for each following PROBE message, is necessary to avoid replay attacks. The tBS is used to inform the probing node about the time when the token has been created. In fact, let us assume node c stated to be in Working state; if it is not able to show to b a BS token with time t′BS, that means c did not have the chance to communicate with the BS during the BS arrival time t′BS: c was sleeping or not following the protocol. In either case, the P-REPLY of c will be ignored.

Observe that the BS needs time to move and to interact with the different nodes in the neighbourhood. As a result, the tBS values released to two neighbour nodes can actually differ by a small amount of time. To ease exposition, in the following we do not explicitly consider this problem. However, we note that this could be solved either by (i) implementing tBS as just a counter managed by the BS---that is not changed while the BS interacts with different nodes in the same BS passage; or (ii) comparing the different tBS values taking into consideration the amount of time the BS needs to move.

Finally, the idea behind Equation (1) is to leverage the network density; we decrease the probing rate of a sleeping node together with the increase of its neighbours density.

6.4. Working state

In this section we describe the operations performed by a node that is contacted by the BS. When node a is aware of the presence of the BS within its communication range, it runs Algorithm 2.

In particular, node a sends to the BS a request (REQ type message) containing the last PROBEs a received from its neighbours (line 2.2). The REQ message is authenticated using Ka. If the BS fails to authenticate the message, then the BS just discards the request.

However, if the authentication succeeds, with this message node a implicitly requires the BS to produce a token (that is different for each neighbour of a) to prove that a was in Working state and interacted with the BS. In fact, for each received token (TOKEN message, line 2.6) that passes the authentication check (line 2.7), a updates the token available for the corresponding neighbour b (line 2.8). That is, this token will be used as a P-REPLY for the next PROBE of node b. Furthermore, at the end of every BS contact, a moves to Probing state (line 2.10).

6.5. Rationales

The fact that at the end of every BS contact the executing node moves to the Probing state is required to recover from a situation that tends to put in Working state all the nodes in a neighbourhood. The latter situation is rooted in the failure of a working node. Assume that d nodes in the neighbourhood are in Working state, as required by the protocol. Assume that one of these nodes, say a, exhausts its battery. As a result, fewer than d nodes are in Working state. In this setting, as soon as the first node in this neighbourhood, say b, sends out a PROBE, it will receive fewer than d P-REPLYs with a token. As a consequence, node b will go in Working state. Any further node in this neighbourhood, say c, executing a probe, would receive fewer than d P-REPLYs with a token (even if ≥ d nodes are now in Working state), because fewer than d nodes would be able to send a P-REPLY with a token. So, if a working node fails, the result is that every node executing a probe in the neighbourhood of the failed node would go in Working state, having D > d nodes in Working state.

However, when the BS arrives, all the nodes in Working state are required to ask tokens for their neighbours, and go in Probing state. As a result, only the last d out of the D nodes executing the probe will go back in Working state. In general, this procedure could be leveraged to select the d out of the D nodes in some optimal way. As an example, it could be desirable that the d nodes out of D are the ones with more available energy---to do so, we can distribute the time of the probe execution of the D nodes such that the higher the battery power, the later the probe is performed.

Note that, before releasing a TOKEN for a node b, the BS verifies the b’s PROBE message. The BS discards the request without releasing the TOKEN, if either the authentication of the PROBE using Kb fails, or the BS has already seen the counterb value. The counterb value avoids replay attacks, as described later in Section 7.1.

Finally, we remind that the BS has a GPS: this allows the BS to build a map of the network topology as follows. The first time it receives a message from a node a, the BS bounds the location of a into a region compliant with the BS location at the moment of the contact (depending on the transmission radius of nodes). In particular, after the first contact with the BS, node a location is bounded into a circular area of radius Rt. For each following contact with node a, the BS refines the boundary region. The BS stores the network topology map for security reasons described later in Section 7.1.

6.6. Protocol start-up

We remind that we assume that an adversary can be present from the time of the network deployment (also, be there during the start-up). Also, we note that before the first BS arrival, no node can provide a token to a probing node. A naive solution for the start-up phase would be to have every node in the Working state after the first PROBE, until the first BS arrival. This solution would be energy-consuming and could cause transmission congestion.

We propose a more efficient probabilistic solution. At the beginning, every node decides, with probability p, to go in Working state. Otherwise, with probability 1−p, the node goes in Probing state and accepts P-REPLYs without requiring tokens. These latter nodes accept P-REPLYs without requiring tokens, until they receive a P-REPLY with a token. The state transitions during the start-up phase are summarized in Figure 3. Observe that, after the start-up phase, nodes behave according to the state transitions described in Figure 2.

As a result, even in the presence of an adversary, an honest node will be in Working state in a neighbourhood with a given probability p. Then, at the first BS arrival, it will receive the token from the BS.

Figure 3. Start-up state diagram.


Note that node a ends the start-up phase when it receives a token (either from the BS, if a is in Working state, or from a node in Working state, if a sends a PROBE). Thus, the end of the start-up propagates in the network thanks to the nodes in Working state.

6.7. A realistic base station mobility scenario

In this section, we present a realistic unpredictable mobility scenario for the base station that comes over the network to collect event data. The protocol presented in Section 6 does not require the base station to be compliant with any specific mobility model. However, we are interested in understanding the performance of our protocol under a realistic unpredictable base station arrival time. In fact, previous work [19] considered only a fixed interval time, τ, between consecutive BS arrival times.

Since other work in the literature considers the distribution of real events to be modeled as a Poisson process [20], we thought that the BS arrivals might also be modeled as a Poisson process. In fact, each BS arrival might be independent of the time since the last event, while the interval lengths might concentrate on a central average value.

In particular, in the simulation results shown in Section 8.4, we considered the following probability density function describing the times between BS arrivals:

$$f(\tau_{avg}) = \frac{1}{\tau_{avg}}\, e^{-(1/\tau_{avg})\,\tau_{avg}} \qquad (2)$$

where τavg is the rate of the Poisson process described by the arrival times.

7. SECURITY ANALYSIS

We remind that the protocol goal is to enforce the delivery of a sensed event from the generator node to the BS, while providing a standard topology management service. That is, assuming at most d−1 compromised nodes in the neighbourhood, there is at least a non compromised node in Working state for each neighbourhood. The idea is that if there is a sensed event that should be reported to the Base Station, there will be at least one (honest) node doing that.

As outlined in Section 4, the adversary could try to reach its goal in a direct way---i.e. leveraging the specific behaviour of our protocol---or through standard attacks on TMPs. In Section 7.1, we describe why our protocol features cannot be leveraged by the adversary. In Section 7.2, we discuss the resilience of our protocol to the standard attacks on TMPs [6,7] (to the best of our knowledge, all the known attacks on TMPs): sleep deprivation attack, snooze attack and network substitution attack. Finally, in Section 7.3, we discuss how Sec-TMP tames the node replication attack.

7.1. Sec-TMP security property

In the following we first review the possible attacks, and later explain how Sec-TMP thwarts them.

Using a node’s ID in more than one neighbourhood (Spoofing Attack). Once an adversary captured a node, it can know the ID (and the secrets, such as symmetric keys) of that node (we remind from Section 3 that we do not assume to have tamper proof sensors). The adversary can plug all the known IDs in a single device (e.g. a laptop class node) that pretends to be in every neighbourhood. In this way, compromising a total of d nodes, one might think that the adversary could be able to use the d IDs in every neighbourhood, taking over the network. In the following we discuss why this cannot happen.

In Section 6.3, we described how the BS can estimate the network topology. We now observe that this allows the BS to prevent the above described attack. In fact, let us assume the adversary already used a node’s ID, say a, in a given location, say loca, to ask for tokens. Then, the BS will link the node’s ID a to the claimed location loca. When a further asks for other tokens, the BS will check whether the current a’s location is coherent with loca. If this is not the case, the BS will not give any token to a---and possibly take further actions. Furthermore, the neighbours declared by node a (for which it asks the BS appropriate tokens) should also be coherent with the other information the BS collected about the network. As an example, a node b cannot be a’s neighbour if b appeared in a location not coherent with the neighbourhood area of a.

Assuming a two dimensional space we can formally describe the concept of coherent locations as follows. We remind that we assume a static network. Hence, if a node a is detected by the BS to be in a given location loca (corresponding to a specific point in the three-dimensional space) the only thing that can cause this value to change over time is the error in the position measurement. Let us assume that the error is bound to φ units from the true node location loca. Hence, a location value should be accepted only if it is within the circular area with center loca and radius φ units. However, the BS does not know the precise loca. The BS can only detect (with a possible error) locations of node a: loc′a, loc′′a, . . .. Hence, the BS only checks that all these locations could be within such a circle; that is, the BS checks that each possible pair of observed locations are within a maximum distance of 2φ units (see Figure 4). This concept also applies to the case where node b is reported to be a neighbour of a. In this case the BS checks that each location previously detected for node b (that is loc′a, loc′′a, . . .) is at most 4φ + Rt units from each location detected for a, where Rt is the maximum radius for a to consider b as a neighbour.

Figure 4. Coherence of claimed positions for a node a.
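The coherence checks described above can be written down as a small BS-side sketch. This is an added example, not code from the paper: the class and function names, the treatment of a location estimate as a single point, and the value φ = 1 are assumptions; the bounds 2φ and 4φ + Rt are the ones stated in the text.

```python
import math
from itertools import product


class TopologyMap:
    """BS-side record of where each node ID has been observed (hypothetical name)."""

    def __init__(self, phi: float, r_t: float):
        self.phi = phi      # bound on the position measurement error
        self.r_t = r_t      # maximum radius for a to consider b a neighbour
        self.seen = {}      # node id -> list of accepted location estimates

    def coherent(self, node, loc) -> bool:
        """Every pair of observations of one static node must be within 2*phi."""
        return all(math.dist(loc, p) <= 2 * self.phi
                   for p in self.seen.get(node, []))

    def observe(self, node, loc) -> bool:
        """Record loc for node if coherent; False signals a spoofed or cloned ID."""
        if not self.coherent(node, loc):
            return False
        self.seen.setdefault(node, []).append(loc)
        return True

    def may_be_neighbours(self, a, b) -> bool:
        """Each location of b must be within 4*phi + R_t of each location of a."""
        limit = 4 * self.phi + self.r_t
        pairs = product(self.seen.get(a, []), self.seen.get(b, []))
        return all(math.dist(p, q) <= limit for p, q in pairs)


def release_tokens(topo, a, loc, neighbours):
    """Neighbour IDs the BS would issue TOKENs for when a asks from position loc."""
    if not topo.observe(a, loc):
        return []   # incoherent location for a: no token at all
    # Assumption: a neighbour with no recorded location yet passes vacuously.
    return [b for b in neighbours if topo.may_be_neighbours(a, b)]


def constructed_run():
    """Constructed coordinates in metres; phi = 1 is an assumed error bound."""
    topo = TopologyMap(phi=1.0, r_t=10.0)
    topo.observe("b", (20.0, 10.0))
    topo.observe("c", (30.0, 10.0))
    first = release_tokens(topo, "a", (10.0, 10.0), ["b", "c"])   # c is too far
    second = release_tokens(topo, "a", (11.5, 10.0), ["b"])       # within 2*phi
    spoofed = release_tokens(topo, "a", (40.0, 40.0), ["b"])      # same ID elsewhere
    return first, second, spoofed


if __name__ == "__main__":
    print(constructed_run())
```

The same `observe` check is what flags an ID reused in a second location, so it also covers the cloned-ID case.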

7.1.1. Facing the Sybil attack.

An adversary can eavesdrop the communications between honest nodes and the BS. Assume that the honest node a requests a TOKEN for one of its neighbours, say b. The adversary eavesdrops and stores this TOKEN received by node a. Assume that the number of working neighbours of b is less than d. Then, after the following probe, node b will go in Working state. One might think that the adversary could send multiple P-REPLYs to b, using the stored TOKENs and identities different from a (Sybil attack [30]). In this way, the adversary could induce b to figure out it has more than d working neighbours---triggering node b to go in Sleeping state.

The above attack cannot be played by the adversary for the following reason. The BS includes into each TOKEN released the identity of the requesting node, in this case a. Note that the TOKEN message is authenticated with the symmetric key Kb (Algorithm 2, line 6). As a consequence, the authentication check of the TOKEN (received from the adversary) performed by probing node b fails, because the sender identity does not match (check done in line 8, Algorithm 1).

7.1.2. TOKEN freshness.

As for the previous attack, assume that an adversary eavesdrops the communication between honest nodes and the BS. Assume that an honest node a requests a TOKEN for one of its neighbours, say b. The adversary eavesdrops and stores the TOKENs received by node a (see Figure 5).

After node a fails (for instance, because its battery depleted), the adversary could send the stored TOKENs to node b. In this way, the adversary tries to induce b to believe that a is still alive and in Working state.

Such an attack would fail for the following reason. The BS includes into the released TOKENs a time tBS (and the identity of the TOKEN requesting node, say a). The tBS value changes (increases) for each BS arrival. Because of the mechanism described in Section 6.3, every node that ends the sleeping time before the next BS arrival will remain in Working state. Since there are at most d−1 compromised nodes in the neighbourhood, after a while an honest node, say c, will be in Working state (remind that, by the protocol, d nodes must be in Working state). The next time the BS comes over the neighbourhood, c will ask the BS for a TOKEN for node b. Since c is an honest node, it will take the correct TOKEN with the updated t′BS. In particular, in this case (see Figure 6) node b will receive an RMAC that it is able to verify, i.e. it should be equal to MAC_Kb(t′BS, a).

When b executes the probe, if it receives a TOKEN with the updated t′BS, b will ignore any other TOKEN with t′′BS < t′BS. In fact, the adversary Adv trying to impersonate node a through replaying a’s messages can only use the old tBS (see Figure 7). On the other hand, Adv is not able to forge a correct message for t′BS, since it would not be able to forge the corresponding RMAC.

Figure 5. Eavesdropped messages.

Figure 6. Probing a honest node.

Figure 7. Adversary trying to impersonate a no more present node (replay attack).
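The Probing-state checks of Section 6.2 and the Sybil and TOKEN-freshness arguments above can be exercised together in the following added example, which is not the authors' Algorithm 1. Assumptions: HMAC-SHA256 stands in for the keyed MAC, tBS is a per-passage counter (option (i) of the rationale), each identity is counted once, and all names, keys and values are constructed.

```python
import hashlib
import hmac
import random
import struct
from dataclasses import dataclass


def mac(key: bytes, *fields) -> bytes:
    """HMAC-SHA256 over length-prefixed fields (assumed stand-in for the keyed MAC)."""
    parts = [str(f).encode() for f in fields]
    msg = b"".join(struct.pack(">H", len(p)) + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class PReply:
    sender: str   # identity the replying node uses on the air
    t_bs: int     # BS passage counter carried in the token
    dens: int     # Dens_a, neighbour density computed by the BS
    rmac: bytes   # RMAC = MAC_Kb(t_BS, Dens_a, a)


def bs_token(k_b: bytes, requester: str, t_bs: int, dens: int) -> PReply:
    """BS side: token that `requester` later shows to the node owning k_b."""
    return PReply(requester, t_bs, dens, mac(k_b, t_bs, dens, requester))


def probing_round(k_b, replies, d, lam, rng):
    """Return (next_state, c_reply, sleep_time) for the probing node b."""
    # Authenticity (line 1.8): recompute the MAC over the identity that sent
    # the P-REPLY, so a token replayed under another name does not verify.
    valid = [r for r in replies
             if hmac.compare_digest(r.rmac, mac(k_b, r.t_bs, r.dens, r.sender))]
    # Freshness: once a token with t'_BS is seen, ignore any t''_BS < t'_BS.
    newest = max((r.t_bs for r in valid), default=None)
    # Assumption (not stated in the paper): each identity is counted once.
    fresh = {r.sender: r for r in valid if r.t_bs == newest}
    c_reply = len(fresh)
    if c_reply == 0 or c_reply < d:
        return "WORKING", c_reply, None
    rho = sum(r.dens for r in fresh.values()) / c_reply   # average of Dens_a
    # Equation (1): exponential sleeping time with rate lambda / rho.
    return "SLEEPING", c_reply, rng.expovariate(lam / rho)


def constructed_scenarios():
    """Constructed inputs: key, identities, times and lambda are illustrative."""
    k_b = b"constructed-key-shared-by-b-and-BS"
    rng = random.Random(1)
    tok_a = bs_token(k_b, "a", t_bs=7, dens=4)
    tok_c = bs_token(k_b, "c", t_bs=7, dens=6)
    old_a = bs_token(k_b, "a", t_bs=6, dens=4)                 # previous passage
    sybil = PReply("x", tok_a.t_bs, tok_a.dens, tok_a.rmac)    # a's token, other name
    return {
        "honest": probing_round(k_b, [tok_a, tok_c], 2, 0.1, rng),
        "sybil": probing_round(k_b, [tok_a, sybil], 2, 0.1, rng),
        "stale": probing_round(k_b, [old_a, tok_c], 2, 0.1, rng),
    }


if __name__ == "__main__":
    for name, result in constructed_scenarios().items():
        print(name, result)
```

With d = 2, only the honest case reaches the Sleeping state; the renamed token fails the MAC check and the old token is dropped by the freshness filter, so b stays in Working state in both attack cases.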

Using old PROBE messages (replay attack). Assume that an adversary replays old PROBE messages of a node b to its neighbour a that is in Working state. The scope of such an attack can be to induce the BS to consider b alive even if b failed. As a result, the BS would compute a false neighbours density. Indeed, the number of TOKENs requested from a node a is used by the BS to compute the neighbours density of node a. The density estimation is then included into the TOKEN that the BS sends back to the node a. Eventually, the density is used by the neighbours of a that are in Sleeping state to set the next sleeping timer (see Section 6.2). If the adversary could successfully use old b’s PROBE messages, it could generate a fake BS estimation. In this way, it could increase the length of the nodes’ sleeping periods. Furthermore, the adversary could increase the nodes’ energy depletion. In fact, the BS would continue to release the TOKEN for the already failed node, b, to the node a. As a consequence, protocol abiding node a will be required to receive the TOKEN, to store it, and then to send it to b in the following P-REPLY---resulting in a useless energy expenditure.

We observe that the adversary cannot succeed in the above attack because of the counterb value included into each PROBE. In particular, each time a node probes the neighbourhood, it includes into the PROBE message the value counterb. If the attacker uses old counterb values, the node a discards the corresponding PROBE requests---and possibly takes further actions. Observe that, if the attacker pretends to use forged counterb values, the node a cannot further identify the counterb as a forged one (a does not know the keys that b shares with the BS). However, detection can be carried out by the BS---it knows the key that b should have used to generate the MAC part of the b’s message.
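The split of duties just described (node a drops repeated counters, the BS verifies the PROBE MAC and rejects counters it has already seen) is shown in this added example, which is not the authors' Algorithm 2. Assumptions: HMAC-SHA256 as the MAC, a constructed message layout, counters tracked per (requester, neighbour) pair at the BS, and hypothetical class and function names.

```python
import hashlib
import hmac
import struct


def mac(key, *fields):
    """HMAC-SHA256 over length-prefixed fields (assumed stand-in for the keyed MAC)."""
    parts = [f if isinstance(f, bytes) else str(f).encode() for f in fields]
    msg = b"".join(struct.pack(">H", len(p)) + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_probe(k_b, b, counter):
    """PROBE of node b: (identity, counter_b, MAC under K_b)."""
    return (b, counter, mac(k_b, b, counter))


class WorkingNode:
    """Node a: cannot verify b's MAC (it lacks K_b) but drops repeated counters."""

    def __init__(self, ident, key):
        self.ident, self.key = ident, key
        self.heard = set()      # (neighbour, counter) pairs already received
        self.last_probe = {}    # neighbour -> latest PROBE to forward to the BS

    def on_probe(self, probe):
        b, counter, _ = probe
        if (b, counter) in self.heard:
            return False        # old counter_b: replayed PROBE, discard
        self.heard.add((b, counter))
        self.last_probe[b] = probe
        return True

    def build_req(self):
        probes = list(self.last_probe.values())
        flat = [x for p in probes for x in p]
        return self.ident, probes, mac(self.key, self.ident, *flat)


class BaseStation:
    def __init__(self, keys):
        self.keys = keys        # node id -> symmetric key shared with the BS
        self.used = set()       # (requester, neighbour, counter) already served

    def handle_req(self, req):
        """Return the neighbours a TOKEN is released for, or None if REQ is invalid."""
        a, probes, req_mac = req
        k_a = self.keys.get(a)
        flat = [x for p in probes for x in p]
        if k_a is None or not hmac.compare_digest(req_mac, mac(k_a, a, *flat)):
            return None         # REQ not authenticated under K_a: discard
        granted = []
        for b, counter, pmac in probes:
            k_b = self.keys.get(b)
            if k_b is None or not hmac.compare_digest(pmac, mac(k_b, b, counter)):
                continue        # forged PROBE: only the BS can tell
            if (a, b, counter) in self.used:
                continue        # counter_b already seen: no TOKEN for a silent b
            self.used.add((a, b, counter))
            granted.append(b)
        return granted          # len(granted) is the density counted for a


def constructed_run():
    """Constructed keys and counters for illustration."""
    keys = {"a": b"constructed-Ka", "b": b"constructed-Kb", "c": b"constructed-Kc"}
    bs, a = BaseStation(keys), WorkingNode("a", keys["a"])
    p1 = make_probe(keys["b"], "b", 1)
    forged = ("c", 9, bytes(32))             # MAC made without knowing K_c
    heard = [a.on_probe(p1), a.on_probe(p1), a.on_probe(forged)]
    first = bs.handle_req(a.build_req())     # BS passage 1
    second = bs.handle_req(a.build_req())    # passage 2: b silent, same PROBE
    a.on_probe(make_probe(keys["b"], "b", 2))
    third = bs.handle_req(a.build_req())     # b alive again with a new counter
    return heard, first, second, third


if __name__ == "__main__":
    print(constructed_run())
```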

7.1.3. Node impersonation (injection attack).

The PROBE and the REQ messages are authenticated by the senders through keyed MAC (line 5, Algorithm 1, and line 2, Algorithm 2, respectively). Thus, an adversary can send valid PROBE and REQ messages on behalf of an identity a if, and only if, the adversary has compromised the node a (i.e. insider adversary).

7.1.4. Maintaining the network in start-up.

Assume the adversary is present from the moment of the initial network deployment. As described in Section 6.4, the adversary can send P-REPLYs without any token, using d different identities, to maintain a node in Sleeping state. However, the adversary cannot force the nodes that start in Working state to go in Sleeping state. In fact, to do so, the adversary would need P-REPLYs with a token that can be only obtained from the BS. A node a ends the start-up when it receives a token (either from the BS, if a is in Working state, or from a node in Working state, if a sends a PROBE). Thus, the end of the start-up propagates in the network thanks to the nodes in Working state. When the node a completes the start-up, it demands P-REPLYs with a token. As a consequence, on the one hand the adversary can increase the time needed by the network to end the protocol start-up (i.e. all the nodes have received at least a P-REPLY with a token). On the other hand, it cannot indefinitely keep the network in the start-up. In Section 8.2, we report the simulation results of the time needed by the network to complete the start-up, assuming an adversary is present from the moment of the network deployment.

7.1.5. Event hiding.

Let us assume that the start-up completed, while the adversary goal is to hide from the BS an event generated by node b. To do so, the adversary could leverage the TMP protocol to have (i) b in Sleeping state and (ii) just malicious nodes in Working state in the b’s neighbourhood---a malicious node would not send the sensed target event to the BS.

As for (i), if the adversary wants b to move to Sleeping state, it must be able to provide d P-REPLYs with token. In fact, node b ended the start-up and it goes in Sleeping state only if it receives at least d P-REPLYs with token. The same condition is required for (ii). In fact, any other honest node should be forced to switch to Sleeping state by the adversary. Otherwise, an honest node in Working state will report the event to the BS.

As we assume that the adversary uses at most d−1 identities in a neighbourhood, it would not be able to provide d malicious P-REPLYs.

7.2. Sec-TMP resilience to standard TMPs attacks

In this section, we describe how Sec-TMP faces standard TMPs known attacks [6,7].

7.2.1. Resilience to sleep deprivation attack.

In this attack, the adversary wants to induce a node, say a, to remain in Working state, even if the node a already has d neighbours in Working state. Note that the node a, regardless of whether it is in Sleeping or Working state, periodically goes in Probing state. In Probing state, a sends out a PROBE. If it receives at least d P-REPLYs, it goes in Sleeping state. Thus, avoiding the reception of the P-REPLYs by node a is the only way the adversary has to successfully launch a Sleep Deprivation Attack against a. In other words, for the adversary to reach its goal, it has to jam the node a to prevent the reception of the P-REPLY messages. However, due to the periodic and asynchronous transitions of the nodes to the Probing state, this operation must be performed quite often, making the attack not affordable for a node-class adversary, and resource consuming even for a laptop-class adversary. Moreover, note that a denial-of-service attack involving continuous jamming (e.g. constant or deceptive jamming) can be performed in any sensor network, regardless of the topology maintenance protocol being used. Hence, we do not consider this as an attack that is specific to topology maintenance protocols. It is worth noticing that selective jamming can also be applied during the BS tokens releasing phase. However, this behaviour can be detected by the BS, that can possibly react.

We can estimate the effort of the adversary to attack a node a as follows. We assume that the adversary has a device in the proximity of node a, and that it is able to detect each message that is sent inside the communication range of a. Thus, the adversary is able to jam each message sent to node a. The adversary has to jam node a for a total number of seconds equal to

$$[(a_{wn} - d + 1)\,\beta]\,(1 + Attack_d/\tau) \qquad (3)$$

where awn is the number of neighbours of a that are in Working state, β is the length of the P-REPLYs transmission in seconds, and Attackd is the attack duration in seconds, that is for how long the adversary wants to attack node a. The value in square brackets is the number of seconds the jamming has to be performed for each probing phase of the target node. In fact, if the node a needs d P-REPLYs to go in Sleeping state, then the adversary has to jam all the P-REPLYs minus (d−1) to induce node a to go in Working state. The jamming has to be performed this number of seconds for each probing phase of node a, that is, for the first probing phase, when the node moves from Sleeping to Probing state, plus each time the node a contacts the BS. Hence, the number of seconds the jamming lasts for each probing phase is multiplied by (1 + Attackd/τ). However, note that with high network densities, instead of selectively jamming the messages, the adversary could jam the node a during all the probing period. As a consequence, the jamming time duration of the attack can be upper bounded by

$$[\gamma + \delta]\,(1 + Attack_d/\tau) \qquad (4)$$

where γ is the maximum number of seconds that a node waits before starting the probing phase after a BS contact, and δ is the number of seconds the probing node waits for P-REPLYs.

To further increase the resilience of Sec-TMP to this attack, the BS, after the tokens releasing phase, could wait for the completion of the probing phase of the nodes before moving away. In this way, the BS could check for any jamming being performed---hence discouraging the adversary from performing such an attack. With this additional protection, the adversary could attack the node a just during the probing phase that follows a Sleeping state.

7.2.2. Resilience to snooze attack.

In the snooze attack, the adversary wants to induce a node, say a, to remain in Sleeping state, even if the node a has fewer than d neighbours in Working state---as required by the Sec-TMP protocol. As previously described in Section 7.1, the only way for the adversary to reach such a goal is to compromise d node identities that are neighbours of a. Thus, Sec-TMP is resilient to an adversary that compromises up to d−1 nodes within a neighbourhood.

7.2.3. Resilience to network substitution attack.

The adversary substitutes legitimate nodes with malicious ones in a portion of the network. To carry out this attack, the adversary has to induce all the legitimate nodes in that portion of the network to go in Sleeping state. Thus, the resilience of Sec-TMP to this attack is the same as the resilience to the snooze attack (Section 7.2.2).

7.3. Sec-TMP to thwart node replication attack

We observe that our Sec-TMP protocol, while designed as a TMP for event delivery enforcement, has also some ability to detect the node replication attack [31]: the adversary captures a node, and clones the identity (and the cryptographic material) of the captured node in other malicious nodes. In fact, as described in Section 6.3, the BS estimates the network topology. This allows the BS to detect if the same node ID, say a, is used in two different locations, e.g. loca and loc′a. Remind that the BS can estimate the location of (i) the node that directly asks for tokens---a in Figure 1; and (ii) the nodes tokens are asked for---b in Figure 1. Once it has detected a cloned ID, the BS can take the appropriate actions, such as revoking the node.

8. SIMULATIONS AND DISCUSSION

In this section, we describe the simulation results we obtained for the Sec-TMP protocol.

We implemented a simulator for our protocol. We assumed nodes uniformly distributed in a 50 × 50 m² area (nodes remain stationary after deployment). That is, the nodes are randomly distributed in the network area---each point of the area having the same probability for a node to be placed there. We considered deployments with N = 10, 12, 14, 16, 18, 20, 30, 50, 100, 200, 250, 500, 750, 1000, 2000 and 4000 nodes. In particular, for each network size, the shown results are the average of 100 different random network deployments.

The parameters that represent the node characteristics are reported in Table II. The values are similar to the hardware characteristics of the Berkeley Motes [32] sensors. In particular, we use the energy model proposed in Reference [33], and the TinySec [34] model for the power consumption of symmetric cryptography operations.

In Section 8.1, we describe the simulation results related to the network coverage lifetime, while in Section 8.2 we study the start-up completion time assuming the presence of an adversary. Finally in Section 8.5, we study the resilience against the Spoofing Attack (described in Section 7.1).

8.1. Network lifetime and area coverage

In this subsection, we evaluate the ability of Sec-TMP to increase the coverage lifetime of the network as the number of deployed nodes increases.

To measure the coverage, we logically divide the entire sensing region into adjacent 5 × 5 m² patches. The coverage of the deployment area is approximated by monitoring the coverage of the top left corner of each patch, excluding those points that are on the border of the deployment area. A similar approach is used in Reference [5]. The coverage lifetime is defined as the time interval from the activation of the network until the time of the following event: the percentage of the total area being monitored (by at least K nodes in Working state, K-coverage) drops below a specified threshold. The coverage lifetime characterizes how long the system ensures that the events are monitored with a probability of success higher than the specified threshold. In particular, we considered the threshold to be 80%. The coverage degree K is set to 1. With the minimum number of sensors in the network being equal to 250, we are quite sure we have enough nodes for 1-coverage in the area.

Table II. Sensor parameters for simulations.

Parameter                  Value
Rt                         10 m
Rs                         10 m
Tx consumption             0.0074 mW per bit
Rx consumption             0.003575 mW per bit
Idle consumption           13.8 mW per second
Sleeping consumption       0.075 mW per second
Signature consumption      2% of the packet transmission cost
Initial energy of a node   60 J

Figure 8. Network coverage lifetime: fixed-τ. (a) τ = 600, τ = 900; (b) d = 1; (c) d = 5 and (d) d = 10.

Figure 8 reports the coverage lifetime (y-axis) for networks with 250, 500, 750, 1000, 2000 and 4000 nodes (x-axis). Results are reported for different values of d (1, 5 and 10), and for different values of the BS arrival intervals, τ. Here, we considered fixed interval time τ. In particular, Figure 8(a) shows the results for τ = 600 and 900 s, for the different values of d. Figures 8(b)--(d) show the results for τ = 600, 900 and 1800 s, where d = 1, 5 and 10, respectively.

From the results shown in Figure 8, we can conclude that Sec-TMP achieves the main goal of a TMP, that is the network lifetime grows almost linearly with the number of nodes. Note that the curves’ trends are similar. However, while d increases, the network lifetime gain is smaller. This is because of the greater number of simultaneously active nodes. As discussed in Section 7, the value d is related to the resilience of Sec-TMP to the adversary. More precisely, an adversary has to compromise at least d nodes within the transmission range of a to successfully attack node a. In line with the expectation, the greater the required resilience to adversaries, the smaller the performance of Sec-TMP. For simulations with τ equal to 600 s, the gain in network lifetime is bigger than for simulations with τ equal to 900 s, or even 1800 s. This result also matches our forecast because, as described in Section 6.3, the more nodes fail, the more nodes go in Working state; however, the number of nodes in Working state starts decreasing with the BS arrival. Thus, when τ = 600 the number of nodes in Working state is reduced quickly by the BS, compared to the case of τ = 900. The same motivation applies for the difference between τ = 900 and τ = 1800 s. Concluding, the smaller the τ, the higher the increase in the network lifetime.

8.1.1. Non-dense deployment.

To measure the performance in case of non-dense deployment, we perform simulations for networks with 10, 12, 14, 16, 18, 20, 30 and 50 nodes. Figure 9 reports the coverage lifetime (y-axis) for τ = 600 and for different values of d (1, 5 and 10). Moreover, the figure shows the lifetime of a network that is not using any TMP protocol (no-TMP); with no-TMP, the nodes are always active, and the lifetime is estimated considering the node keeping the radio on. As we can see from Figure 9, even with non-dense deployment the network lifetime increases together with N. However, there is a lower bound on the network density after which the protocol energy consumption overhead is greater than the energy saved thanks to the Sec-TMP. For example, this lower bound is around N = 14 for τ = 600 and d = 5 or 10, while it is between N = 20 and N = 30, for τ = 600 and d = 1. Note that the TMP leverages the density of the network to increase the network lifetime, thus low performance is expected for non-dense deployments.

Figure 9. Network coverage lifetime for non-dense deployment: fixed-τ = 600.

Finally, we can see that for N smaller than 30, the network lifetime is greater for d = 5 and 10 than for d = 1. In fact, when d = 1 the number of nodes that are in Sleeping state is greater than for d = 5 and 10, thus the energy consumption overhead due to the probing phases is greater.

8.2. Start-up completion time

In this section, we study the time needed by the network to complete the protocol start-up when an outsider adversary is present. In particular, we assume the adversary is present from the moment of the initial network deployment. As described in Section 6.4, the adversary can send P-REPLYs without any token to maintain a node in Sleeping state. However, the adversary cannot force the nodes that start in Working state to go into Sleeping state. In fact, to do so, the adversary would need P-REPLYs with token, which can be obtained from the BS only. Without loss of generality, for the following simulations we assume: a single adversary node is present in every neighbourhood; the adversary responds to each PROBE with d P-REPLYs; for each of the provided replies, the adversary uses a different identity (for a total of d different identities); and the probability p that a node starts in Working state is equal to 0.1.

In Figure 10, we plot the network start-up time (y-axis), that is, the time from the deployment of the network until all the nodes have completed the start-up, as a function of the number of nodes. Note that a node a ends the start-up when it receives a token (either from the BS, if a is in Working state, or from a node in Working state, if a sends a PROBE). Thus, the end of the start-up propagates in the network thanks to the nodes in Working state. In Figure 10, we can see that the time to end the start-up decreases with the increase of the network density (the more the nodes, the higher the density, our deployment area being fixed). This is due to the fact that the higher the network density, the higher the probability of having a neighbour in Working state. In fact, both the number of nodes that start in Working state and the number of neighbours are higher with a higher node density. The number of nodes that are simultaneously in Working state grows together with the value of d. This is the reason why, when τ is fixed (i.e. τ = 600), the time to end the start-up is higher for higher values of d. Finally, we can see from Figure 10 that the time to end the start-up shows a strong dependence on τ. Indeed, if it takes longer for the BS to join the WSN (higher values for τ), it takes longer to release the tokens (the higher the time to end the start-up).

Figure 10. Time to end the protocol start-up, when an adversary is present.

In Figure 11(a), we plot the number of nodes that completed the start-up (y-axis) over time (x-axis), for simulations with d = 10 and τ = 600. The vertical lines point out the BS arrival interval, that is, every τ seconds. We can see that just after the first BS arrival (600 s) almost all the nodes in the network completed the start-up. For example, when N = 2000, 198 nodes completed the start-up before the BS arrival (these are the nodes that started in Working state); 2000 nodes completed the start-up after the BS arrival (750 s). For N equal to 2000 and 4000 there are no points in the plot after the 750th second. In fact, with N = 2000 and N = 4000, the simulations stop 750 s after the network deployment. This is because both the networks complete the start-up within 750 s. For smaller network density, the network takes more time to complete the start-up, as we previously discussed (describing Figure 10). The results in Figure 11(a) confirm that, even in the presence of an adversary, almost all nodes complete the start-up just after the first BS arrival.

Figure 11(b) reports the number of nodes that have completed the start-up (y-axis) for simulations with N = 250, τ = 600, and different values of d. As pointed out in Figure 10, the higher is d, the faster the network completes the start-up.

Figure 11. Number of nodes that completed the start-up, when an adversary is present: (a) d = 1, τ = 600 and (b) N = 250, τ = 600.

8.3. Nodes battery exhaustion

During the network lifetime, nodes can fail because of battery exhaustion. As discussed in Section 6.3, the node that was in Probing state after a node failure goes into Working state until the next BS arrival. As a consequence of node failure, there will be multiple nodes in Working state where just one would be required. However, the situation is temporary: it is recovered at the next BS arrival (see Section 6.3).

In Figure 12(a), we plot the number of nodes in Working state (y-axis) within the first 10 000 s after the nodes deployment (time on x-axis). In particular, the plotted points represent the number of nodes in Working state (y-axis) taken every 150 s (x-axis). We run simulations with: N = 250, d = 1 and τ = 600. The vertical lines indicate the BS arrival time (every τ seconds).

We note that, within the first 150 s, all the nodes (probabilistically) took their decision about whether to start in Working or Sleeping state. Furthermore, the nodes that started in Sleeping state already made at least one probe, that is, they took a decision on whether to go into Working state. We know from the simulation results that no node fails for battery exhaustion before 4800 s. So, all the nodes that are in Working state within the 150th second will remain in Working state until the first BS contact (at the 600th second). For this reason, the points in the figure remain constant (28 nodes) before the first BS arrival.

Figure 12. Number of nodes in working state: (a) N = 250, d = 1, τ = 600; (b) N = 250, τ = 600; (c) d = 1, τ = 600 and (d) N = 250, d = 1.

When the BS arrives at the 600th second, it releases tokens to two sets of nodes that are in Working state. The first set is composed of nodes that are in Working state because they have not received a P-REPLY for a PROBE message; a node in this set does not have a neighbour in Working state (recall that d is equal to 1). The second set is composed of nodes that are in Working state because they initially decided to start in Working state; a node in this set can have a neighbour in Working state. Both sets of nodes perform a probe after the BS contact. However, the former set of nodes remains in Working state because none of these nodes has a neighbour in Working state. Note that in the latter set some nodes can go into Sleeping state; this is because these nodes have a neighbour in Working state. For this reason, the first point in the plot after the BS arrival (that is, the point for time equal to 750 s) has a value lower than the previous points.

The points for 900, 1050 and 1200 s are slightly higher than the point for 750 s. The motivation follows. At the 750th second many nodes go into Sleeping state, as described. When the neighbours of these nodes perform a probe, they will not receive P-REPLYs. So, they will move to Working state, increasing the number of Working nodes. In the interval from 4800 to 5600 s, the number of nodes in Working state grows because of the failures of nodes. Again, the number is then reduced by the BS contact at 5600 s. This pattern is repeated in the following intervals. Note that the variation of the number of nodes in Working state decreases over time, mainly for the following three reasons. First, in the interval from 4800 to 5600 s, there is a high rate of node failures, because all the nodes that have been in Working state since the network deployment fail in this interval. Second, assume two neighbour nodes go into Working state in the same interval, say i. They obtain tokens from the BS, one for each other. Then, assume they both try to go into Working state in the interval i + 1, because of the failure of a common Working neighbour. As a result, one of them will remain in Sleeping state. Third, the number of nodes that are alive decreases over time. Then, the number of nodes that can go into Working state after the failure of a neighbour decreases as well.

In Figure 12(b), we plot the number of nodes in Working state for d equal to 1, 5 and 10. The points relate to simulations with: N = 250 and τ = 600. As expected, the number of nodes that are in Working state after the deployment is higher for higher values of d. Note that the number of nodes in Working state decreases quickly as the value of d increases, because of the higher rate of node failures. In fact, the higher the number of nodes that are in Working state simultaneously, the higher the rate of node failures.

Figure 12(c) reports the number of nodes in Working state for several values of N. The points are obtained for: d = 1 and τ = 600. The effect of the failure of a node in Working state grows with the density of the network. In other words, the number of nodes that go into Working state after the failure of a node is higher for higher network density. This is reasonable, because the number of neighbours grows with the network density. For example, when N is equal to 4000, the nodes in Working state are between 50 and 120, after 50 000 s from the deployment. Instead, when N is 250, the nodes in Working state are between 10 and 15, after 50 000 s from the deployment.

Finally, Figure 12(d) plots the number of nodes in Working state for values of τ equal to 600 and 900 s, when N = 250 and d = 1. On the one hand, before the first node fails (i.e. before 4800 s), the number of nodes in Working state is the same for both τ = 600 and τ = 900. On the other hand, when the nodes start failing, the number of nodes in Working state is higher for τ = 900 than for τ = 600. The plots confirm that when the nodes are not failing, the number of nodes that are in Working state is the same, regardless of the rate of the BS arrivals.

8.4. Unpredictable-τ

In Section 8.1, we studied the influence of Sec-TMP on the network lifetime. The evaluations in Section 8.1 have been made considering a fixed time interval τ between consecutive base station arrivals. Since Sec-TMP does not require a fixed time interval between consecutive arrivals, the aim of this section is to investigate the behaviour of Sec-TMP when the arrival time is unpredictable. In particular, we assumed the base station mobility scenario described in Section 6.5, while the coverage lifetime is defined as described in Section 8.1.

Figure 13 reports the coverage lifetime (y-axis) for networks with 250, 500, 750, 1000, 2000, and 4000 nodes (x-axis). Results are reported for different values of d (1, 5 and 10). In order to compare the behaviour of Sec-TMP when the base station moves in an unpredictable way (Section 6.5) with the previous fixed inter-arrival time τ, all the graphs in Figure 13 plot the results for both fixed and unpredictable τ.

In particular, on the one hand, Figure 13(a) shows the results for d = 1, 5 and 10, for both τ and τ_avg equal to 600 s. On the other hand, each of Figures 13(b)-(d) shows the results for the fixed inter-arrival times τ = 600, 900 and 1800 s, and for the unpredictable arrival times modelled according to a Poisson process described by Equation 2, with average τ_avg equal to 600, 900 and 1800 s, respectively. Figures 13(b)-(d) show the results for d = 1, 5 and 10, respectively.

From the results shown in Figure 13, we observe that there is a difference in performance between a static and a variable time interval. As an example, on the one hand the network lifetime for a network with 2000 nodes and d = 5 is about 8400 s in the presence of a fixed inter-arrival time τ equal to 600 s (see Figure 13(c)). On the other hand, we observe from the same figure that the network lifetime (for the same values of N and d) is less than 8000 s for time intervals following a Poisson distribution with average τ_avg equal to 600, i.e. the network lifetime decreases by almost 5%.

Figure 13. Network coverage lifetime: fixed τ vs. unpredictable τ. (a) τ = τ_avg = 600; (b) d = 1; (c) d = 5 and (d) d = 10.

In general, from the plots in Figure 13, we can conclude that having a variable value for τ reduces the network lifetime with respect to having a fixed value for τ set to the average of the values assumed by τ when it is variable. The intuition behind this phenomenon follows. In the unpredictable inter-arrival time scenario, two cases can influence this difference: (i) the base station arrives later than in the fixed τ case and (ii) the base station arrives earlier. The scenarios of type (i) bring an additional energy consumption, due to the fact that many nodes switch to Working state, and this consumption is not compensated by the energy savings due to the scenarios of type (ii), where an earlier base station arrival should prevent more nodes from going into Working state, thus saving energy. However, note that this difference becomes milder when the number of nodes is small, or when the average value for τ is high.

8.5. Spoofing attack

In this section, we study the resilience of the proposed protocol against the Spoofing Attack. As described in Section 7.1, an adversary that captures a node could try to use the compromised node's ID in more than one neighbourhood. However, as described in Section 6.3, the BS can estimate the network topology, and since we assume that the nodes do not change their location as time goes by, the BS can detect the Spoofing Attack.

We simulate that the adversary captures a node, say a, and moves the node from its original location, say loc_a, to a new location loc′_a. To measure the adversary gain, we count the increase in the number of neighbours of the attacked node located in loc′_a with respect to the number of neighbours of the node in its old location loc_a. The new loc′_a is randomly chosen such that the distance of loc′_a from loc_a is smaller than φ, and the gain of the adversary is not negative. We also measure the duration of the attack, counting how many contacts the BS has with the compromised ID before the BS detects the attack. In fact, each time the BS contacts the node a, the BS estimates the position of the node a with a distance error bounded by φ = 0.5 m (that is, 5% of R_t) from the true node location. If the BS estimates a position that is more than 2φ distant from one of the previous estimated locations for a, then the BS decides that the node has been maliciously moved from its original position.

We considered deployments with N = 100 and 200 nodes. We run multiple simulations assuming that the attack starts before the 2nd, 4th, 6th, 8th, 10th and 12th BS contact. Here, we considered a fixed interval time τ = 600. The results are the mean of the simulations run for the attack against each of the nodes of the network. Moreover, the result for the simulation of the attack against a single node, say a, is the mean of the results of 100 different simulations with 100 different randomly chosen new locations loc′_a, such that the distance of loc′_a from loc_a is smaller than φ.

Figure 14. Number of neighbours increase. τ = 600.

Figure 15. Attack detection. τ = 600.

In Figure 14, we plot the adversary gain (y-axis), that is, the increase in the number of neighbours of the attacked node located in its new malicious location, with respect to the number of neighbours of the node in its old original location. In particular, the figure reports the results for networks with 100 and 200 nodes for values of d = 5 and 10 (x-axis). We note that the adversary gain is low; in particular, it is never greater than 0.4 neighbours on average.

Figure 15 reports the duration of the attack before it is detected, measured in number of BS contacts (y-axis). We simulate attacks that start before the 2nd, 4th, 6th, 8th, 10th and 12th BS contact (x-axis). Results are reported for τ = 600, different values of d (5 and 10), and different values of N (100 and 200). The figure shows that the more the attack is delayed, the shorter the attack duration. In fact, the BS detects the attack by comparing the locations estimated before the attack with the locations estimated after the attack. Thus, the more location estimations the BS stores before the attack takes place, the sooner an incoherence with the locations estimated after the attack is detected. We can see that, for d = 5 and N = 200, the duration of the attack is smaller than 2.6 BS contacts when the attack starts before the 2nd BS contact. Such a duration drops to less than 1.4 when the attack starts before the 4th BS contact.
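The BS-side check described in this section (flag an ID when a new location estimate is more than 2φ from a previously stored one), and the effect of stored history on detection delay, as an added Python example that is not the authors' simulator. The uniform-disc error model, the 0.45 m displacement, the 50-contact cap and all names are assumptions, so the delays it produces illustrate the trend only and are not the paper's figures.

```python
import math
import random

PHI = 0.5            # estimation error bound stated on the page (metres)
THRESHOLD = 2 * PHI  # page's rule: flag if farther than 2*phi from a stored estimate


class SpoofDetector:
    """BS-side store of location estimates, keyed by node ID (hypothetical name)."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.history = {}  # node_id -> list of (x, y) estimates

    def observe(self, node_id, estimate):
        """Record one estimate; return True if it contradicts any stored one."""
        previous = self.history.setdefault(node_id, [])
        moved = any(math.dist(estimate, old) > self.threshold for old in previous)
        previous.append(estimate)
        return moved


def noisy_estimate(true_loc, rng, phi=PHI):
    """Assumed error model: estimate drawn uniformly from the disc of radius phi."""
    r = phi * math.sqrt(rng.random())
    angle = rng.uniform(0.0, 2.0 * math.pi)
    return (true_loc[0] + r * math.cos(angle), true_loc[1] + r * math.sin(angle))


def contacts_until_detection(prior_contacts, displacement, rng, max_contacts=50):
    """BS contacts with the relocated node before it is flagged (capped)."""
    detector = SpoofDetector()
    origin = (0.0, 0.0)
    # Estimates stored while the node is still at its original location.
    for _ in range(prior_contacts):
        detector.observe("a", noisy_estimate(origin, rng))
    # The node is relocated by `displacement` metres in a random direction.
    angle = rng.uniform(0.0, 2.0 * math.pi)
    new_loc = (displacement * math.cos(angle), displacement * math.sin(angle))
    for contact in range(1, max_contacts + 1):
        if detector.observe("a", noisy_estimate(new_loc, rng)):
            return contact
    return max_contacts  # not detected within the cap


def mean_delay(prior_contacts, displacement=0.45, trials=2000, seed=1):
    """Average detection delay over seeded, constructed trials."""
    rng = random.Random(seed)
    total = sum(
        contacts_until_detection(prior_contacts, displacement, rng)
        for _ in range(trials)
    )
    return total / trials


if __name__ == "__main__":
    # Attack starting before the 2nd, 4th, ..., 12th contact, as in the page's setup.
    for prior in (1, 3, 5, 7, 9, 11):
        print(f"{prior:2d} stored estimates -> mean delay {mean_delay(prior):.2f} contacts")
```

Because two estimates of the same true location are each within φ of it, they can never be more than 2φ apart, so the rule raises no false alarm on a stationary node under this error model.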

In conclusion, we can say that with this kind of attack, not only is the adversary gain small (in our simulations the adversary never gained more than 0.4 neighbours on average), but the attack detection is also fast.

9. CONCLUDING REMARKS

In this paper, we presented a Secure Topology Maintenance Protocol, Sec-TMP, with the goal of enforcing event delivery to the BS, while providing the functionalities of a standard topology management protocol.

To the best of our knowledge, it is the first Secure Topology Maintenance Protocol (Sec-TMP) for Wireless Sensor Networks that enjoys the following features: it does not require pair-wise node confidentiality; it does not need any underlying routing (just one-hop communications are used); and it is highly scalable. Moreover, it enjoys a unique feature: there is no assumption either on the mobility model of the BS or on its arrival time.

Sec-TMP provides the above features while also being resilient to the known attacks on TMPs: snooze attack, sleep deprivation attack and network substitution attack. Furthermore, Sec-TMP confines the node replication attack: once a node is compromised, the protocol limits the possible usage of the corresponding node's ID to a single neighbourhood. Finally, simulation results support our findings.

ACKNOWLEDGEMENTS

The authors thank the anonymous reviewers for their useful suggestions. This work is partially supported by Caspur under grant HPC-2007 and HPC-2010. Roberto Di Pietro was partly supported by the Spanish Ministry of Education through projects TSI2007-65406-C03-01 'E-AEGIS' and CONSOLIDER CSD2007-00004 'ARES', and by the Government of Catalonia under grant 2009 SGR 1135.
