A Framework for Secure Data Aggregation in Sensor Networks Yi Yang Joint work with Xinran Wang, Sencun Zhu and Guohong Cao Dept. of Computer Science &

A Framework for Secure Data Aggregation in Sensor

Networks Yi Yang

Joint work with Xinran Wang,

Sencun Zhu and Guohong Cao

Dept. of Computer Science & Engineering

The Pennsylvania State University

Yi Yang - SDAP 2

Sensor networks• Functions

– Sensing– In-network processing– Ad-hoc communication

• Applications– Real-time traffic monitor– Military surveillance– Homeland security

Berkeley Mica Motes

BS

Yi Yang - SDAP 3

Why data aggregation? (1)

• Without data aggregation– Data redundancy – Communication cost– Energy expenditure

BS

Reporting raw data is unnecessary!

Yi Yang - SDAP 4

Why data aggregation? (2)

• With data aggregation

Reduce data redundancy, communication cost and energy expenditure in data collection!

BS

Yi Yang - SDAP 5

Security challenges in aggregation? (1)

• A lossy data compression process– Individual sensor readings

are lost in aggregation

• A compromised intermediate node may change the aggregated data

• BS cannot verify the result without knowing original readings

Compromised node False Alarm

BS

Yi Yang - SDAP 6

Security challenges in aggregation? (2)

• Question:– How can BS obtain a

good approximation of the fusion result when a fraction of nodes are compromised?

Compromised node False Alarm

BS ?

Yi Yang - SDAP 7

Network model

• An unbalanced tree rooted at BS• Data are aggregated hop by hop• Each aggregate is a tuple (value,

count)• Every node only forwards one copy

BS B S

. . . . . .

Yi Yang - SDAP 8

Attack model

• Example:– Without modifying the

received aggregate• (98.7F~101F, 51)

– Count change attack• (100F~150F, *)

– Value change attack• (32F~150F, 51)

Goal: Inject false data without being detected by BS

Legitimate temperature (32F ~ 150F)

BS

(100F, 50)

(?, ?)

The combination of count and value change attacks, and collusion among compromised nodes are more destructive!

Yi Yang - SDAP 9

Observations• Hop-by-hop aggregation

– Aggregates computed by a higher-level node are from more low-level nodes

– If a compromised node is closer to BS, false value from it has more impact on the final result computed by BS

Legitimate temperature (32F ~ 150F)

BS

Yi Yang - SDAP 10

Our solutionsDivide and conquerCommit and attest

• Tree construction and query dissemination• Probabilistic grouping

– Partition nodes in the tree into multiple logical groups (subtrees) of similar size

• Hop-by-hop aggregation– Each group generates a commitment which cannot be denied later

• Attestation between BS and suspicious groups– BS identifies abnormal groups from the set of received group commitments– Groups under suspicion prove the correctness of submitted commitments to BS

• BS discards commitments from groups failing to support previous values when computing final aggregates

Yi Yang - SDAP 11

Tree Construction & Query Dissemination

• Tree construction– Similar to TAG

• Query dissemination– BS * : Fagg, Sg

• Fagg: an aggregation function, e.g., avg, count

• Sg: a random number as grouping seed

B S

. . . . . .

Legitimate temperature (32F ~ 150F)

avg avg

avg avg avg

avg avg avg avg

avg avg avg avg avg avg avg avg

avg avg avg avg avg avg avg avg avg

Yi Yang - SDAP 12

Probabilistic grouping & data aggregation

• Probabilistic grouping is conducted through group leader selection– H(Kx, Sg|x) < Fg(c)•x : node id•Kx : master key of x•H : pseudorandom function, uniform output in [0,1) •Sg : for security and load balance•c : count•Fg : grouping function, [0,1) output increasing with c

Legitimate temperature (32F ~ 150F)

B S

. . . . . .x

y

w '

H(Kid, Sg|id) > Fg(1)

H(Kw’, Sg|w’) < Fg(8)

H(Kx, Sg|x) < Fg(15)

H(Ky, Sg|y) < Fg(c)

Yi Yang - SDAP 13

Probabilistic grouping & data aggregation

• Probabilistic grouping is conducted through group leader selection– H(Kx, Sg|x) < Fg(c)•x : node id•Kx : master key of x•H : pseudorandom function, uniform output in [0,1) •Sg : for security and load balance•c : count•Fg : grouping function, [0,1) output increasing with cBy choosing appropriate grouping

functions, group sizes are roughly even with small deviation, providing good basis for attestation

Legitimate temperature (32F ~ 150F)

B S

x

D ef au lt L ead er

. . . . . .

y

w '

Yi Yang - SDAP 14

B S

. . . . . .

u

v

w

x

y

Group aggregation (1)• Format of aggregates

flag valuecount MACid seed

Encrypted

Authenticated

• Leaf node aggregation– uv : u, 0, E(Kuv ,1|Ru|Sg)|MACu

MACu=MAC(Ku, 0|1|u|Ru|Sg)

Flag: initialized to 0, set to 1 after leaders finish group aggregation, so that other nodes on the path just forward group commitments

H(Ku, Sg|u) > Fg(1)

Yi Yang - SDAP 15

B S

. . . . . .

u

v

w

x

y

• Immediate node aggregation– vw : v, 0, E(Kvw ,3|Aggv|Sg)|MACv

Aggv=Fagg(Rv, Ru, Ru’)

MACv=MAC(Kv, 0|3|v|Aggv| MACu MACu’ |Sg)

Group aggregation (2)

MAC is also computed hop by hop, thus representing authentication of all the nodes contributing to the data

H(Kv, Sg|v) > Fg(3)

Yi Yang - SDAP 16

B S

. . . . . .

u

v

w

x

y

• Leader node aggregation– xBS : x, 1, E(Kx ,15|Aggx|Sg)|MACx

Aggx=Fagg(Rx, Aggw, Aggw’)

MACx=MAC(Kx, 1|15|x|Aggx|MACw MACw’|Sg)

Group aggregation (3)

H(Kx, Sg|x) < Fg(15)

Default leader of leftover nodes

Tracking the forwarding path:• A forwarding table (incoming link, group id)• Group id is the id of group leader• Bloom filter may help scale up

Yi Yang - SDAP 17

Verification & attestation(1)

• Outlier detection by Grubbs’ Test– Hypothesis test: H0 vs. H1

– Our extensions: multiple outliers, bivariate• Pc * Pvalue <α? (significance level, e.g., 0.05)

• One-sided test for count and two-sided test for values

– Attackers tend to forge false values as well as large counts correspondingly, to make false values count for larger fraction in the final result

BS identifies suspicious groups for attestation

(x, 142F, 50) (y, 100F, 20)(w’, 95F, 25) (BS, 90F, 28)

Yi Yang - SDAP 18

Verification & attestation(1)

• Outlier detection by Grubbs’ Test– Hypothesis test: H0 vs. H1

– Our extensions: multiple outliers, bivariate• Pc * Pvalue <α? (significance level, e.g., 0.05)

• One-sided test for count and two-sided test for values

– Attackers tend to forge false values as well as large counts correspondingly, to make false values count for larger fraction in the final result

BS identifies suspicious groups for attestation

(x, 142F, 50) (y, 100F, 20)(w’, 95F, 25) (BS, 90F, 28)

Yi Yang - SDAP 19

Verification & attestation(2)

Forwarding attestation requests from BS

• Suppose group x is under suspicion– BS y: x, Sa, Sg

– Node y then forwards this request to leader x

• Sa: a random number as attestation seed

B S

. . . . . .

u

v

w

x

y

Yi Yang - SDAP 20

• Probabilistic attestation path selection– From x, each parent sums

up counts of all the children, then computes , picks up ith child on the path, if

Verification & attestation(3)

d

kka cidSHw

1

)|(

Group attestation

),[1

1 1

i i

kk ccw

A node with larger count has more chances to be attested

B S

v '

w

x

u

v

w '

u '

y

. . . . . .

Yi Yang - SDAP 21

• Each node on the path sends back count and reading

• Sibling node sends back count, aggregate and MAC (leaf only sends count and reading)

Verification & attestation(4)

Attestation response from groups

B S

v '

w

x

u

v

w '

u '

y

. . . . . .

Yi Yang - SDAP 22

Verification & attestation(5)

Group response validation by BS

• BS reconstructs Aggx and MACx based on responses– If both match the submitted

values, accepts them– Otherwise, rejects them

B S

v '

w

x

u

v

w '

u '

y

. . . . . .

Yi Yang - SDAP 23

Conclusion & future work

• Analysis and simulation results are skipped

• A probabilistic grouping based secure data aggregation protocol– Divide-and-conquer– Commit-and-attest

• Challenges:– Max/Min– Content-based attestation

• Readings from nodes in the same neighborhood should bear certain temporal/spatial correlations

Yi Yang - SDAP 24

Thank you!

•Questions?