1

Secure In-Network Aggregation for Wireless Sensor Networks

Bo Sun

Department of Computer Science

Lamar University

Research Supported by Texas Advanced Research Program under Grant 003581-0006-2006

2

Outline of Presentation• Introduction and Motivation• Assumptions and Network Model• Local Detection

– Challenges

– Extended Kalman Filter based Monitoring

– CUSUM GLR based Monitoring

• Collaboration between Intrusion Detection Module (IDM) and System Monitoring Module (SMM)

• Performance Evaluation• Conclusions and Future work

3

Introduction and Motivation

4

Wireless Sensor Networks (WSNs)

Target

Base Station

Internet

User

Sensor Node

Sensor Node

Sensor Field

•Many simple nodes with sensors deployed throughout an environment

Sensing + CPU +Radio = Thousands of Potential Applications

5

Why do we need Aggregation in WSNs?

• Example Query:– What is the maximum

temperature in area A between 10am and 11am?

– Redundancy in the event data

• Solution: Combine the data coming from different sources

• Eliminate redundancy• Minimize the number of

transmissions

2

1

3

4

5

6

Secure In-Network Aggregation Problem

I

C D

B

E

HA

F

G

Base Station

JK LM

NWireless Sensor Node

Data Transmission

Legend

v1 v2

v3

vi Sensor Measurement

f(v1, v2, v3)

f Aggregation Function

7

Observation

• There is very little work that aims at addressing secure in-network aggregation problem from the intrusion detection perspective

• Our Work– We set up the normal range of the neighbor’s

future transmitted values– We propose the integration between System

Monitoring Modules and Intrusion Detection Modules

8

Intrusion Detection Systems (IDSs)

Intrusion Prevention(Encryption, Authentication,etc.): Not Enough

Weakest Point

IntrusionDetection

LayeredProtection

Security Failure

IntrusionTolerance

• Why do we need IDSs?

• Goal: Highly secured Information Systems

9

1) Misuse Based Detection2) Anomaly Based Detection3) Combination of 1) and 2)

Intrusion Detection Systems

System

NormalActivities

IntrusiveActivities

DetectionEngine

Probes Audits

Database Configuration

Intrusion ResponseAlarms

10

Challenges

• It is difficult to achieve the real aggregated values– High packet loss rate– Individual sensor readings are subject to

environmental noise– Uncertainty of the aggregation function

• Sensor nodes suffer from stringent resources

11

Challenges

12

Assumptions and Network Models

13

Assumptions

• The majority of nodes around some unusual events are not compromised

• Falsified data inserted by compromised nodes are significantly different from real values

14

Network Models

N

Aggregation Node

N1 N2 Nn

v1 v2

vn

15

Local Detection

16

Kalman Filter• A set of mathematical equations

– Recursively estimate the state of a process

• Time Update: Project the current state estimate ahead of time

• Measurement Update: Adjust the projected estimate by an actual measurement

17

Extended Kalman Filter based Monitoring

18

Extended Kalman Filter based Monitoring – System Dynamic Model

• Process Model

• Measurement Model

19

Extended Kalman Filter based Monitoring – System Equations

• Time Update– State Estimate Equations:– Error Project Equations:

• Measurement Update– Kalman Gain Equation:– Estimate Update with Measurement:

– Error Covariance Update Equation:

20

EKF based Local Detection Algorithm

21

CUSUM GLR based Location Detection

• EKF based solution ignores the information given by the entire data sequence

• EKF based solution is not suitable if an attacker continuously forge values with small deviations

• Solution

– Cumulative Summation (CUSUM) Generalized Likelihood Ratio (GLR)

22

An Example of CUSUM • Cumulative sum:

Source: D.C. Montgomery (2004).

23

CUSUM GLR based Location Detection

24

Collaboration between IDM and SMM to Differentiate Malicious Events from

Emergency Events

Co-DetectorsNormal Nodes

Compromised Node

Compromised NodeFire

False Report

False ReportAlert Transmission

Base Station

25

Performance Evaluation

26

Simulation Setup

• Aggregation Function– Average, Sum, Min, and Max

• Simulation– Different packet loss ratio: 0.1, 0.25, 0.5– D: Attack Intensity

• The difference between attack data and normal data

• Performance Metric– False Positive Rate– Detection Rate

27

Performance Evaluation – Average of EKF

28

Performance Evaluation – Average of CUSUM GLR

29

Performance Evaluation – Sum of EKF

30

Performance of Evaluation – Sum of CUSUM GLR

31

Performance Evaluation – Min of EKF

32

Performance Evaluation – Min of CUSUM GLR

33

Performance Evaluation – Max of EKF

34

Performance Evaluation – Max of CUSUM GLR

35

Related Work

• Hu and Evans’ secure Aggregation

• Secure Information Aggregation

• Secure Hierarchical In-Network Aggregation

• Secure hop-by-hop data aggregation

• Topological Constraints based Aggregation

• Resilient Aggregation

36

Conclusions and Future Work

• Conclusions– Extended Kalman Filter based approach can

provide an effective local detection algorithm– Intrusion Detection Module and System

Monitoring Modules should work together to provide intrusion detection capabilities

• Future Work– Large scale test of the proposed approach– Further elaboration of interactions between IDM

and SMM

37

Thank You !