A Survey of Secure Location Schemes in Wireless Networks - 2010/5/21.

A Survey of Secure Location Schemes in Wireless Networks

- 2010/5/21

2/35

Outline

Introduction Secure Location Schemes

Location Verification Range-independent Scheme (SeRLoc) Base Station Assisted Secure Localization Detect Compromised Beacon Nodes Defeat Non-cryptographic Attacks

Summary

3/35

Location & Identity in Wireless Networks Application

Location Based Service (LBS) privacy issues Solution: legal framework, k-anonymity, etc.

Network Geographical routing, location based access control

Physical Layer Location could be used to detect source spoofing attacks

(in wireless networks)

4/35

Wireless Sensor Network (WSN) WSN

Have mission-critical tasks Sensor nodes: low cost,

limited resource, multifunctional

Usually has one BS Prone to failure, easy to be

compromised Location matters

The location of sensors is a critical input to many higher-level networking tasks [5]

5/35

Localization in WSN

Techniques: GPS Ultrasound Radio (RF)

RSSI, ToA, TDoA, AoA, etc. Usually has Beacon nodes

With known locations and sending beacon signals Security issues:

Location discovery in hostile environments Attacker could masquerade or compromise beacon nodes,

or perform replay attacks

6/35

Threat Model

(Internal) dishonest or compromised nodes Can authenticate itself (to other sensor nodes) Report false position

(External) malicious nodes Can not authenticate itself (as an honest nodes) Can perform timing attack (delaying or speeding-up)

Other attacks PHY-layer attack

7/35

Examples

Compromised beacon node

Masquerade beacon node

Replay attack(locally replay or through wormhole)

8/35

Taxonomy

Secure Location

w/ beacon nodes w/o beacon nodes

Localization:• Location Verification

• Range-independent

localization

• Base Station Assisted

Attack Detection:

• Detect Compromised

Beacon Nodes

• Defeat Non-

cryptographic Attacks

9/35

Location Verification(Location-based Access Control) In-region verification Roles:

Claimants & Verifiers

Method: Distance bounding techniques

Upper bound the distance of one device to another (dishonest) device

C: I’m at some location l

V C

R

Region of interest

[1] N. Sastry, U. Shankar, and D. Wanger, “Secure Verification of Location Claims,” in Proc. ACM

Workshop Wireless Security, 2003, pp. 1-10.

10/35

Location Verification(Location-based Access Control)

. p (prover)

• A simplified case

c: light speeds: sound speed

More complex cases: Consider processing/transmission delay, Consider non-uniform regions, Consider multiple verifiers

(why sound?)

Echo Protocol: (secure, lightweight)

11/35

Distance Enlargement Attacks Distance bounding – vulnerable to distance enlargement

attacks but not to distance reduction attacks Propose VM (Verifiable Multi-lateration)

Also relies on distance bounding (at least 3 verifiers)

[2] S. Capkun and J.-P. Hubaux, “Secure Positioning of Wireless Devices with Application to Sensor Networks,” in Proc. INFOCOM, 2005, vol. 3, pp. 1917-1928.

T: set of verifiers that form triangles around u (claimant)

(MMSE: Min. Mean Square Estimate)

12/35

Detection of Distance Enlargement Attack

u’

Enlarging db1 is impossible

13/35

SPINE (Secure Positioning In sensor NEtwork) SPINE: a system for secure positioning of a network of sensor

s, that is based on VM Possible Attacks: (Attacker-x-y) x: # of compromised nodes (c)

y: # of malicious nodes (m)

14/35

SPINE (Secure Positioning In sensor NEtwork) (cont’d) Operate in 2 phases:

Sensors measure distance bounds to their neighbors Central authority compute sensors’ positions (according to

the distance bounds)

BDV (Basic Distance Verification)

(Verify db(s), then compute positions based on verified db(s))(Positioning is also based on MMSE)

15/35

SPINE (Secure Positioning In sensor NEtwork) (cont’d) Effectiveness:

The effectiveness of this system depends on the number of node neighbors (node density) and on the number and the distribution of the reference nodes (verifiers)

16/35

Taxonomy

Secure Location

w/ beacon nodes w/o beacon nodes

Localization:• Location Verification

• Range-independent

localization

• Base Station Assisted

Attack Detection:

• Detect Compromised

Beacon Nodes

• Defeat Non-

cryptographic Attacks

17/35

Range-Independent Localization Motivation:

Distance measure is vulnerable Do not count on distance measure to infer the sensor locati

on Secure localization ≠ location verification

Goal: Decentralized, resource efficiency, robust

Contributions: Propose SeRLoc, a range-independent localization scheme Propose security mechanism for SeRLoc Evaluate the performance of SeRLoc

[3] L. Lazos and R. Poovendran, “SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks,” in Proc. ACM Workshop Wireless Security, 2004, pp. 21-30.

18/35

SeRLoc

Concept: Locators use sectored antennas (with range R) A sensor can identify the region it resides by computing the

overlap between all the sectors it resides Then estimates its location at the center of gravity of the

overlapping region

19/35

Secure SeRLoc

Encryption: To protect the localization information, encrypt all beacons t

ransmitted from locators Sensors and locators share a global symmetric key K0

Locator ID authentication: Use one-way hash chains to provide locator ID auth. Each sensor has a table containing {IDi , Hn(PWi)} of each lo

cator Storage issues

20/35

Threat Analysis

Authors analyze (1) wormhole attacks and (2) Sybil attack and compromised sensors

Analyze the vulnerabilities of other 3 range-independent localization schemes Dv-hop, Amorphous localization, APIT

21/35

Taxonomy

Secure Location

w/ beacon nodes w/o beacon nodes

Localization:• Location Verification

• Range-independent

localization

• Base Station Assisted

Attack Detection:

• Detect Compromised

Beacon Nodes

• Defeat Non-

cryptographic Attacks

22/35

Base Station Assisted Approaches Contribution:

New approach, relies on a set of covert base stations Enables secure localization with a broad spectrum of localization

techniques (ultrasound, RF, etc)

Covert Base Station (CBS): Known position Passively listen to the on-going communication Could be hidden or mobile base station

[4] S. Capkun, M. Cagalj, and M. Srivastava, “Secure Localization with Hidden and Mobile Base Stations,” in Proc. INFOCOM, 2006.

PBS sensornonce

broadcastnonce

(PBS: Public Base Station)

PBSPBSCBSmeasure TDoA and compute sensor’s position

23/35

1. Infrastructure-centric Positioning with Hidden Base Stations

TDoA: Position a source by findingthe intersection of multiple hyperboloids. Pros: does not require communication from BSs and mobile node

s Security analysis:

TDoA drawback: using directional antennas, attackers could cheat BSs

Δ: tolerant size (also means the size of attacker’s guessing space)

T: signal propagation time + node processing time

24/35

2. Node-centric Positioning with Hidden Base Stations

Node compute its position,

then verified by CBS Node-centric:

Attacker might spoofs node’s position and then cheats on the position verification mechanism

CBS again verify the reported position by distance measure

25/35

3. Secure Positioning with Mobile Base Stations

26/35

Taxonomy

Secure Location

w/ beacon nodes w/o beacon nodes

Localization:• Location Verification

• Range-independent

localization

• Base Station Assisted

Attack Detection:

• Detect Compromised

Beacon Nodes

• Defeat Non-

cryptographic Attacks

27/35

Detecting Malicious Beacon Nodes Motivation:

None of previous techniques can work properly when some of the beacon nodes are compromised

Goal: Try to detect and remove compromised beacon nodes Ensure correct location discovery

Approach: Detect malicious beacon signals Detect replayed beacon signals to avoid false positive Revoke malicious beacon nodes

[6] D. Liu, P. Ning, and W. Du, “Detecing Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks,” in Proc. ICDCS, 2005, pp. 609-619.

28/35

Detecting Malicious Beacon Signals Idea:

Use beacon node (known location) to detect other beacon nodes Locations of beacon nodes must satisfy the measurements (of

their locations) derived from their beacon signals Method:

(By request & reply)

Note: to mislead the location estimation, the attacker has to make the estimated distance inconsistent with the calculated one.

29/35

Filtering Replayed Beacon Signals(Goal: avoid False Positive) Malicious signal ≠ this node is malicious !

Due to replay attack Replay through a wormhole attack

Detect this attack by checking the measured distance and the radio communication range

If within the communication range, go to next step (locally replay) Locally replayed beacon signals

Detect extra delay by measuring RTT between two neighbors RTT measure in a real setup (does NOT consider the impacts of

MAC protocol or any processing delay) Extra delay larger than RTTmax

(Assumption required) authenticated and unicasted beacon signal !!

30/35

Revoke Malicious Beacon Nodes Use the base station to further remove malicious

beacon nodes from the network Each beacon node shares a unique random key with BS Beacon nodes can report the detecting results to BS

securely BS evaluates the suspiciousness of each beacon nodes

BS Maintains alert counters and report counters

This mechanism requires more beacon nodes and incurs more communication overhead

31/35

Taxonomy

Secure Location

w/ beacon nodes w/o beacon nodes

Localization:• Location Verification

• Range-independent

localization

• Base Station Assisted

Attack Detection:

• Detect Compromised

Beacon Nodes

• Defeat Non-

cryptographic Attacks

32/35

Focus on Non-cryptographic Attacks Non-cryptographic attacks (physical attacks)

Such as signal attenuation and amplification Degrade the performance of localization Algo.

Propose a general attack detection model Based on this model, analyze two broad localization approa

ches (Multi-lateration based & signal strength based) The attack detection mainly depends on statistical significa

nce testing Other test statistics are also discussed

Conduct trace driven evaluations Using an 802.11 network and an 802.15.4 (ZigBee) network

[5] Y. Chen, W. Trappe, and R. P. Martin, “Attack Detection in Wireless Localization,” in Proc. INFOCOM, 2007.

33/35

Models

Linear attack model on RSS Conduct Exp. in two real

office buildings Detection model:

Statistical significance testing

Define test statistic T, null hypothesis H0, and its acceptance region Ω

Metrics: Detection Rate ROC curve

34/35

Reference

[1] N. Sastry, U. Shankar, and D. Wanger, “Secure Verification of Location Claims,” in Proc. ACM Workshop Wireless Security, 2003, pp. 1-10. UC Berkeley

[2] S. Capkun and J.-P. Hubaux, “Secure Positioning of Wireless Devices with Application to Sensor Networks,” in Proc. INFOCOM, 2005, vol. 3, pp. 1917-1928. EPFL Switzerland

[3] L. Lazos and R. Poovendran, “SeRLoc: Secure Range-Independent Localization for Wireless Sensor Networks,” in Proc. ACM Workshop Wireless Security, 2004, pp. 21-30. Univ. of Washington

[4] S. Capkun, M. Cagalj, and M. Srivastava, “Secure Localization with Hidden and Mobile Base Stations,” in Proc. INFOCOM, 2006.

35/35

Reference

[5] Y. Chen, W. Trappe, and R. P. Martin, “Attack Detection in Wireless Localization,” in Proc. INFOCOM, 2007. Rutgers Univ.

[6] D. Liu, P. Ning, and W. Du, “Detecing Malicious Beacon Nodes for Secure Location Discovery in Wireless Sensor Networks,” in Proc. International Conf. Distributed Computing Systems (ICDCS), 2005, pp. 609-619. NCSU, Syracuse Univ.

[7] D. Liu, P. Ning, and W. Du, “Attack-Resistant Location Estimation in Sensor Networks,” in Proc. International Symposium Information Processing Sensor Networks (IPSN), 2005, pp. 99-106.

[8] L. Fang, W. Du, and P. Ning, “A Beacon-less Location Discovery Scheme for Wireless Sensor Networks,” in Proc. INFOCOM, 2005.

[9] W. Du, L. Fang, and P. Ning, “LAD: Localization Anomaly Detection for Wireless Sensor Networks,” in Proc. IEEE International Parallel Distributed Processing Symposium (IPDPS), 2005, pp. 41a-41a.