confidentiality and integrity for data aggregation in wsn using peer monitoring

SECURITY AND COMMUNICATION NETWORKSSecurity Comm. Networks. 2009; 2:181–194Published online 7 January 2009 in Wiley InterScience(www.interscience.wiley.com) DOI: 10.1002/sec.93

Confidentiality and integrity for data aggregation in WSNusing peer monitoring

Roberto Di Pietro1∗,†,‡, Pietro Michiardi2 and Refik Molva2

1UNESCO Chair in Data Privacy, Universitat Rovira i Virgili—DEIM, Av. Paısos Catalans 26, E-43007Tarragona, Catalonia-Spain2Institut Eurecom, 2229 route des cretes, BP 193, F-06560 Sophia-Antipolis cedex, France

Summary

Hop-by-hop data aggregation is a very important technique used to reduce the communication overhead and energyexpenditure of sensor nodes during the process of data collection in a wireless sensor network (WSN). However,the unattended nature of WSNs calls for data aggregation techniques to be secure. Indeed, sensor nodes can becompromised to mislead the base station (BS) by injecting bogus data into the network during both forwarding andaggregation of data. Moreover, data aggregation might increase the risk of confidentiality violations: If sensors closeto the BS are corrupted, an adversary could easily access to the results of the ‘in network’ computation performedby the WSN. Further, nodes can also fail due to random and non-malicious causes (e.g., battery exhaustion), henceavailability should be considered as well.In this paper we tackle the above issues that affect data aggregation techniques by proposing a mechanism that:(i) provides both confidentiality and integrity of the aggregated data so that for any compromised sensor in the WSNthe information acquired could only reveal the readings performed by a small, constant number of neighboringsensors of the compromised one; (ii) detects bogus data injection attempts; (iii) provides high resilience to sensorfailures. Our protocol is based on the concept of delayed aggregation and peer monitoring and requires localinteractions only. Hence, it is highly scalable and introduces small overhead; detailed analysis supports our findings.Copyright © 2009 John Wiley & Sons, Ltd.

KEY WORDS: wireless sensor networks; secure data aggregation; bogus data injection attack; node failure; peermonitoring; resilience

1. Introduction

A wireless sensor network (WSN) is a collection ofsensors characterized by a size that can range from a

∗Correspondence to: Roberto Di Pietro, Universitat Rovira i Virgili—DEIM, Av. Paısos Catalans 26, E-43007 Tarragona,Catalonia-Spain.

†E-mail: [email protected]‡He is also with Dipartimento di Matematica, Universita di Roma Tre, L.go S. Murialdo, 00146, Roma, Italy.E-mail: [email protected]

few hundred sensors to a few hundred thousands orpossibly more. A WSN can be deployed in harsh en-vironments to fulfil the requirements of both militaryand civil applications [1]. Due to the lack of a network

Copyright © 2009 John Wiley & Sons, Ltd.

182 R. DI PIETRO, P. MICHIARDI AND R. MOLVA

infrastructure, sensors build a wireless multi-hop net-work in an autonomous way. Moreover, since powersupply of each individual sensor is provided by a bat-tery, both communication and computation activitiesmust be optimized. In particular, radio communica-tions are more demanding than computational oper-ations in terms of energy consumption [2--4]. To thateffect, data aggregation has been put forward as an es-sential technique to achieve power efficiency by reduc-ing data redundancy and minimizing bandwidth usage.Data aggregation consists of processing data collectedby sensor nodes at each intermediate node en route tothe sink in order to minimizing the number of messagestransmitted in the WSN.

The data sensed by a WSN is routed to a base station(BS) that can be viewed as a device that does not suf-fer from the limitations of the sensors and that acts as agateway towards the Internet. Sensor networks must berobust and durable in order to overcome individual sen-sor failure due to either malicious (e.g., destruction) ornon-malicious (e.g., malfunctioning) events. Indeed, itis likely that WSNs will be deployed in situations wherean adversary may be motivated to disrupt the functionof the network. For instance, an adversary may com-promise a node in the network and gain access to itskeying material. Furthermore, it is possible for a sen-sor to fail to properly execute the protocol due to hard-ware or software failures. In this paper, we focus onsecurity threats that mainly target the data aggregationmechanism in a WSN, namely: Confidentiality viola-tions of the aggregate data sensed by the WSN and datapoisoning attacks, aiming at tampering with aggregatevalue computed by the WSN. The main contribution ofour work is the design of an aggregation protocol thatis resilient to node exposures: Compromising a nodeshould not allow the adversary to jeopardize the wholecomputation performed by the WSN.

We assume that sensors use symmetric key encryp-tion to provide confidentiality [5,6]. It is worth notic-ing how key management impacts data aggregation. Onone hand, providing all sensors with a single shared keyis not a robust solution, since a single node compro-mise would impact the security of the whole WSN. Onthe other hand, pairwise key distribution as suggestedin Reference [7], is a more robust solution. However,even in this case, if the adversary is able to compromisea single node that has aggregated a sufficient amountof data, information leakage on the aggregated databecomes possible. Meanwhile there is an inherent con-flict between data confidentiality and data aggregationdue to the fact that data aggregation requires interme-diate nodes to access data in cleartext in order to pro-

cess it whereas data confidentiality calls for end-to-endencryption of each data segment between the sensorsand the sink. Homomorphic encryption techniques ap-pear to be the mandatory solution to this conflict sincethey allow some operations to be performed on en-crypted data. Hence, we resort to homomorphic en-cryption schemes that allow sensors to perform the ag-gregation over encrypted data. In this case, single nodecompromise does not cause any information leakage ofthe aggregated data [8].

Our proposal at glance: In a standard tree-based dataaggregation solution, each sensor node would computethe aggregate sum of all its inputs one level down in thetree hierarchy and pass the computed value up in thehierarchy. In our proposal, nodes perform delayed ag-gregation; each node aggregates the encrypted valuesof sensed data provided by nodes down in the hierarchyand passes up in the hierarchy a triplet that consists of:the result of the aggregate computation, the number ofcontributors to the aggregate value, and the encryptionof the node’s own reading. In addition to the basic dataaggregation, our proposal also involves a mechanismfor integrity verification: some peer nodes of the WSNmonitor the data exchanged by neighboring nodes inorder to perform the data aggregation operation andto compare the result they compute with the aggregatevalue forwarded by their neighbors. Delayed aggrega-tion thus trades off a slight increase in communicationoverhead during the aggregation phase in return for thecapability to perform result checking.

Contributions: This paper presents a data aggregationprotocol based on additive homomorphic encryption toprovide data confidentiality. Furthermore, we introducea local peer monitoring mechanism to detect the injec-tion of false data. In particular, the proposed protocol is

� Secure, since in a successful attack on the aggregateddata, an oblivious adversary has to compromise atleast a number of sensors proportional to the numberof readings the aggregated data is composed of;

� Efficient, since each sensor is required to performonly local communications to achieve the global taskcarried out by the WSN;

� Robust with respect to both false data injection andconfidentiality;

� Scalable, since the protocol continues to provide theabove properties as the number of sensors in theWSN increases. For instance, our protocol is stilleffective for a WSN composed of 65 516 sensors;

� Resilient, a node compromise would only compro-mise the node itself and its neighboring nodes; thiscould provide access to the readings of these nodes,

Copyright © 2009 John Wiley & Sons, Ltd. Security Comm. Networks. 2009; 2:181–194

DOI: 10.1002/sec

CONFIDENTIALITY AND INTEGRITY FOR DATA AGGREGATION 183

but not to the aggregated values received by thesenodes.

Organization: The paper is organized as follows:Section 2 reports on the related work in the field, whileSection 3 states the rationale and the assumptions oursolution relies on. In Section 4 we formalize our secu-rity requirements, while in Section 5 we describe oursecure data aggregation protocol. In Section 6 we dis-cuss the properties provided by our protocol. Finally,Section 7 presents some concluding remarks.

2. Related Work

Early work in data aggregation for WSN assumed ev-ery node to be honest [9,10]. This restrictive assump-tion has been relaxed in Reference [11], addressing theproblem of a single compromised node. However, theproposed protocol may be vulnerable if just a pair ofparent and child nodes at the logical tree used to conveydata to the BS are compromised. Further, each aggre-gator sensor has to forward a number of messages thatis proportional to the number of contributors. The workin Reference [6] enables the BS to verify whether theaggregated value provided by the WSN is a good ap-proximation of the values that are actually collected bythe sensors even when a fraction of the sensor nodesare corrupted. However, this objective is achieved viainteractive proof between the aggregators and the cen-tral server (BS). Hence, due to the computational andcommunication cost incurred by this scheme the aggre-gators are less likely to be common sensors. The workin Reference [12] analyzes the security of various ag-gregation functions that could be used in WSN. Theauthor describes attacks against these existing aggre-gation schemes and provides a framework to evaluatethe security of these schemes.

The Concealed Data Aggregation (CDA) conceptwas first introduced in References [13,14]. The CDAis a solution for end-to-end encryption that uses homo-morphic encryption functions to enforce secure data ag-gregation in the context of WSNs. In Reference [15] theCDA concept is further extended: The authors presenta generalization of the approach for a class of rout-ing protocols and also propose a key predistributionalgorithm that limits the capability of an adversary todisrupt confidentiality of the aggregated data.

Another work [8], leveraging the key concepts intro-duced in References [13,14], introduces a new scheme(CMT) that addresses both confidentiality issues andefficient data-aggregation algorithms. This scheme re-

lies on a simple but provably secure homomorphicencryption function. However, some drawbacks affectthis scheme: First, it is not robust against node compro-mise, that is a single node failure can disrupt the wholeWSN computation; second, the data packet size is notoptimal; finally, there is the need to piggyback towardthe BS either the IDs of all nodes that contributed tothe computation or the IDs of the nodes that did notcontribute.

Recently, in Reference [16] the authors presentedthe first algorithm for provably secure hierarchi-cal in-network data aggregation. The proposed algo-rithm incurs a node congestion message overhead ofO(� log2 n), where � is the maximum degree of anynode in the aggregation tree. The main algorithm isbased on performing the sum aggregation securely byfirst forcing the adversary to commit to its choice ofintermediate aggregation results, and then having thesensor nodes independently verify that their contribu-tions to the aggregate are correctly incorporated. How-ever, while this proposal achieves integrity, the confi-dentiality of the aggregated value is not addressed. Inthis scheme, the closer to the BS the compromisingnodes, the more information is leaked to an adversary.Adding confidentiality to the proposed scheme, whileretaining integrity, is not addressed. A recent improve-ment to this algorithm is discussed in Reference [17].A further contribution to the field of data aggregationin WSN is in Reference [18], where the authors presenta novel outlier elimination technique designed for sen-sor networks. This technique is called RANBAR andit is based on the RANSAC (Random Sample Consen-sus) paradigm—well known in computer vision andin automated cartography. The proposed RANBAR al-gorithm is capable to handle a high per cent of out-lier measurement. However, their proposal rely on astrong pre-assumption, namely that the sample is i.i.d.in the unattacked case. Further, this latter proposal, asthe former one, does not address the confidentiality ofthe aggregated data. A recent solution inspired by theseproposals, but taking into consideration security issuesas well, can be found in Reference [19].

Our proposal takes the structure of the aggregationtree as given and leverages results that allow to establishpairwise keys between nodes in the WSN. One methodfor constructing an aggregation tree is described in TAG[4] while, as for pairwise key establishment, followingthe seminal work in Reference [20], several solutionsnowadays exist, that provide a secure pairwise key es-tablishment [5,7,21,22].

Finally, note that a form of delayed aggregation—as expressed in the previous section—was used in


DOI: 10.1002/sec


References [23] and [16] with totally different goals:in the former paper to implement a quantile summaryalgorithm; in the latter to balance the path length in theaggregation tree.

3. System Model

3.1. Adversary Model

We identify the objectives that an adversary has inthwarting a WSN as twofold:

� The adversary could be interested in eavesdroppingthe aggregated value computed by a relevant fractionof the nodes in the WSN. Note that this scenario caneasily occur within the data aggregation framework,in which a hierarchy is imposed over nodes. Indeed,the impact of a node compromise increases as thedistance of that node from the BS decreases;

� The adversary could provide the BS with bogus data,so that the decision process of the BS could be pos-sibly disrupted or subverted towards incorrect deci-sions. This goal has been described in Reference [6]as a stealthy attack, i.e., to cause the querier to accepta false aggregate that is higher or lower than the trueaggregate value. It is out of the scope of the paper toconsider denial-of-service (DoS) attacks where thegoal of the adversary is to prevent the querier fromgetting any aggregation result at all. Furthermore,any maliciously induced extended loss of service isa detectable anomaly which will (eventually) signalthe presence of the adversary; subsequent protocolsor manual intervention are assigned the task to re-solve the problem.

Finally, note that the injection of bogus or forgeddata also depletes the constrained resources of sen-sor nodes, shortening the network lifetime. Hence,data injection attacks must be detected as early aspossible.

In this paper we consider an adversary able to com-promise any sensor in the WSN. In particular, we referto the oblivious adversary: at each step of the attack se-quence, the next sensor to be tampered with is chosenrandomly among the ones that have yet to be compro-mised. This adversary model has been adopted also inReferences [7,8,20,24] to cite a few.

3.2. Sensor Failure Model

Sensors can fail due to either malicious (e.g.,destruction, capture, and re-programming) or

non-malicious (e.g., malfunctioning and batteryexhaustion) events. For the latter case, we assumethat a sensor uf can fail with a probability fp

which is equal for every sensor and does not dependon the history of sensor failure or compromise.That is, Pr[uf fails|ui1 , . . . , uij already failed ∨uh1 , . . . , uhm already compromised] = Pr[uf fails]= fp. We refer to this model as random failure model.

We note that a sensor that fails is less harmfulfrom the point of view of security for our scheme, ascompared to a sensor that has been captured and re-programmed.

We also make the conservative assumption that oncea sensor fails, it can be considered as corrupted by theadversary. The consequence is that if we can prove ourprotocol to be resilient to the adversary model withprobability (1 − ε), then the resilience in the randomfailure model is at least (1 − ε).

3.3. Aggregation Function

In this paper we follow the idea first introduced in Ref-erence [11] and consider the value computed (in a dis-tributed way) by the WSN as the result of a function thataccepts as inputs the readings of a reasonable portionof the sensors the WSN is composed of.

In this work we focus on the mean value of the read-ings, as it has been done for example in References[8] and [12]. This choice allows to compare our re-sults with previous work on secure data aggregation,and in particular with [8]. However, we point out thatthe mechanisms described hereafter can be adapted tosupport the computation of several aggregated valuesbesides the mean.

3.4. Network Setup

We consider a large sensor network with densely de-ployed nodes. Due to dense deployment, nodes mayhave overlapping sensing ranges, hence events can bedetected by multiple nodes providing a certain level ofredundancy in sensed data. As in other data aggrega-tion protocols, e.g., [11], we assume a topological treerooted at the BS, as the one presented in Reference [25].There are various methods for constructing the aggre-gation tree based on different application requirements[4,26,27]. Our solution does not rely on a specific treeconstruction algorithm.

Note that data aggregation requires all sensors tosend their data to the BS within the same samplingperiod. Hence, in the following we assume that sen-sors have loosely synchronized clocks [28--31] and the


DOI: 10.1002/sec


aggregation scheme to operate in rounds. Time syn-chronization has been leveraged to design several so-lutions for security in WSN, like Reference [6,32,22].

As a direct consequence of the high density andredundancy in data acquisition that characterizes theWSN network under investigation, in our model weassume the existence of a mechanism that assigns acertain portion of sensors to cover the role of peermonitoring nodes. Peer monitoring nodes are used toverify that the aggregation process is carried out cor-rectly, i.e., they detect the subversive activity aimingat compromising the integrity of the aggregated data.Peer monitors are selected during the setup of the topo-logical tree to achieve data aggregation, wherein nodesusually take up the role of data aggregators (see Sec-tion 5). It should be noted that the mechanism used todesignate roles should not statically assign the func-tion carried out by a sensor node: a sensor could playdifferent roles at different instants of time. However,for the sake of clarity, we assume roles to be staticin the following discussion. It is outside the scope ofthis current work to describe a mechanism to selectpeer monitors: however, we point the reader to nu-merous related works that treat sensor selection as aminimum or dominant covering set problem [33,34].In particular, Reference [35] discusses distributed al-gorithms to select backup sensors to complement ag-gregation topologies. Such mechanisms can be easilyadapted to solve the problem of selecting a minimumset of peer monitors that would cover the aggregationtree.

When taking up the role of a peer monitor a sensorexploits the broadcast nature of radio communicationsand processes messages that are not originally destinedto it, instead of discarding them. Note that a node as-signed to this role does not bear any additional ener-getic costs, in terms of communication, as compared toany other node in the network. Indeed, all active nodesreceive (and spend energy to do so) any message sentwithin their wireless transmission range. Peer monitorsare asked to support only a small additional overhead(which is analyzed in Section 6.5) that is the trade-offto accept to enjoy data integrity.

3.5. Sketch of the Protocol

In this section we provide an overview of the aggrega-tion protocol (see Figure 1), which is described in moredetail in Section 5. A sensor can be either an aggregatoror a peer-monitor.

During the ith round, the aggregator ua—assumingthe aggregator has j contributors—combines the ag-

Fig. 1. Sketch of the aggregation protocol: aggregators, con-tributors, and peer monitoring nodes on a partial tree.

gregated values Acq,i (q = 1, . . . , j) with each contri-bution scq,i to generate a new aggregated value Aa,i;Then, node ua will invoke its sensing function, andwill encrypt the sensed data (sa, i). Node ua will thensend to the aggregator ub up in the hierarchy the triple〈sa,i, Aa,i, na,i〉, where na,i is the number of sensorsthat contributed to Aa; Note that if the aggregatoris a leaf in the tree hierarchy, it will send the triple〈sa,i, 0, 0〉. In the following, to ease the notation, wewill not report the second index relative to the currentround, unless required by the context.

Peer monitoring sensors uw,i, which we describe indetails in Section 5.1, receive the same data as the ag-gregator and act as independent verifiers checking if theaggregator correctly executed the aggregation functionover the received values.

4. Security Requirements

We have identified the following requirements for se-cure data aggregation protocols:

� Confidentiality: as discussed in Section 3.3, confi-dentiality of the aggregated data is a fundamentalproperty of a secure aggregation protocol;

� Resilience: as sensors have a short lifetime, data ag-gregation protocols need to be designed to be re-silient to sensor failure;

� Scalability: as the size of a WSN can vary over time,secure aggregation protocols should scale with thenumber of sensors;

� Efficiency: as stated in Section 3.1 resources, e.g.,energy and bandwidth, are scarce in a WSN.An efficient protocol for secure data aggregation


DOI: 10.1002/sec


should perform an early detection of false datainjection.§

4.1. Data Confidentiality

In this subsection we introduce the cryptographic prim-itives used in the following. Our focus here is on ahomomorphic encryption scheme allowing arithmeticoperations to be performed on ciphertexts.

Formally, let Enc() denote a probabilistic encryptionscheme. Let M be the message space and C the cipher-text space such that M is a group under operation

⊕and

C is a group under operation⊗

. Enc() is a (⊕

,⊗

)-homomorphic encryption scheme if for any instanceEnc() of the encryption scheme, given c1 = Enck1(m1)and c2 = Enck2(m2), there exists a key k such thatc1

⊗c2 = Enck(m1

⊕m2).

To provide data confidentiality we will adoptand modify the additively homomorphic encryp-tion scheme presented in Reference [8]. In thisscheme Enc(m1, r1, p) = m1 + r1 (mod p), wherem1 is the message to encrypt, r1 is the key, andp is the modulus over which the sum is com-puted. The aforementioned encryption schemesupports additively homomorphic encryption op-erations since Enc(m1, r1, p) + Enc(m2, r2, p) =(m1 + r1 (mod p)) + (m2 + r2 (mod p)) = m1 + m2+ r1 + r2 (mod p) = Enc(m1 + m2, r1 + r2, p).

In the present work, the key ri is generated by a sensorvia a stream cipher keyed with the secret key ki and theunique identifier (id) of the message to encrypt. Whilein the work presented in Reference [8] the secret key ki

associated to a sensor is shared only between the sensorand the BS, in our work the secret key ki is also sharedamong neighboring sensors. In Section 2 we pointed torecent techniques to implement pairwise secret sharingin a WSN.

It should be noted that the homomorphic encryptionfunction used in this work could be inspired by othersolutions as well, like the one in presented in Reference[36], which has also been adopted in Reference [15].

4.2. Key Setup

We now discuss on the cryptographic key setup that weassume in our system. We assume sensor nodes to sharepairwise secret keys with their physical neighbors, andthat each sensor node can establish a pairwise shared

§It is outside the scope of this paper to study the actions tobe taken upon a detection event.

key with another node that is multiple hops away. Thepairwise key establishment schemes proposed in Ref-erence [24] or in Reference [7] where two nodes onlyneed to know their IDs to establish a shared key can beused to achieve our requirements. We stress that bothof these works have been shown to be affordable forsensor networks in terms of computational constraintsand communication overheads.

As in Reference [8], we also assume each sensor nodeui to be capable of generating a keystream ri by usinga stream cipher, such as RC4, keyed with the sensor’ssecret key ki and a unique message identifier id. Thesecret key ki is pre-computed and shared (in a secureway) between sensor ui, the BS, and all neighbors of ui.Node ui can share the key ki with its neighborhood us-ing the pairwise key it shares with each of its neighbors.

Before proceeding any further, we wish to point outthat the key setup discussed in this section appears tobe subject to the following attack. Distributing secretkeys to a neighborhood implies that an adversary maycompromise a single sensor and to be able to recovera number of keys (ki, ri) that is equal to the size of theneighborhood. In Section 6.2 we show that although wecannot prevent this kind of attack, our scheme boundsthe impact of such an attack to the neighborhood of thecompromised node, while still providing guarantees onthe confidentiality of the aggregated data.

5. The Aggregation Protocol

As discussed in Section 3, we assume the WSN to beorganized in a logical tree with peer monitoring and ag-gregator roles assigned. In this section, we focus on thenormal operation of the aggregation protocol. A snap-shot of the tree hierarchy, with examples of aggregatorsand peer monitors can be found in Figure 1. Further-more, data aggregation is assumed to be performed soas to obtain the mean value of the data sensed by theWSN.

Note that all operations shown in the sequel of thissection are performed modulus p, where p is a suitableprime number.

Aggregator: As sketched in Section 3.5, the core ideaof the protocol proposed in this work is that the aggre-gator sensor ua does not compute the mean on its ownreading, but only uses the readings of its contributorysensors (that is, the aggregators one level down in thetree-aggregation hierarchy). The encrypted reading ofsensor ua (sa) will be aggregated by the sensor ub to-wards which sensor ua is contributor, as imposed bythe logical aggregation hierarchy.


DOI: 10.1002/sec


For each contributing sensor ucq (q = 1, . . . , j), ag-gregator ua receives the triple 〈scq , Acq, ncq〉, where scq

is the encrypted reading of contributing sensor ucq , Acq

is the received aggregated value computed by ucq andncq is the number of contribution that generated theaggregated value Acq .

Sensor ua then ‘unfolds’ the aggregated data receivedby every contributing sensor and includes the readingsreceived by every ucq to the new aggregated value

Aa =∑j

q=1(Acq ∗ n−1cq

) + ∑jq=1 scq

nA

wherena = nc1 + · · · + ncj + j.

During the computation of the aggregated data, twocases may occur: Either all sensors sent their contri-bution, or some sensors (ucm ) did not send their con-tribution. In the latter case, ua adds to the aggregatedfunction the key (rcq ) these sensors would have sent ifthe communication had taken place. Finally, ua sendsto the sensor up in the hierarchy its current reading en-crypted with the random data ra, the aggregated valueAa, and the number of contributors so far (na). Notethat, unlike the algorithm proposed in Reference [8],we introduce a division (mod p). The division is equiv-alent to compute the inverse of the number nA and toperform a modular multiplication; however, note thatthe modulus is relatively small, hence the implemen-tation of the extended Euclidian algorithm is quite ef-ficient [37]. The pseudo code of the steps executed bysensor ua is reported in Algorithm 1.

5.1. Peer Monitoring Sensors

As discussed in Section 3.4, the role of peer monitoringnodes (termed uw in the sequel of this section) is toverify that an aggregator sensor ua correctly performedthe aggregation function. Figure 1 shows a snapshot ofthe aggregation hierarchy and two peer monitors, uw1

and uw2 .Before delving into the details of the peer monitoring

operation we first give a definition.

Definition 1. Peer monitoring set. Given an aggre-gator sensor ua we define the set of peer monitoringnodes associated to sensor ua, termed W(ua), as theset of size d of nodes that are within the wireless radiorange of ua and that are not part of the aggregation tree.

We assume the set W(ua) to be built during the con-struction of the aggregation topology and to be known

by ua and by all uw ∈ W(ua). We further assume thatthe set of sensors that are supposed to contribute withtheir data to node ua (as dictated by the aggregationtopology) is also known by all uw ∈ W(ua).

By exploiting the broadcast nature of radio commu-nications, a peer monitoring sensor uw ∈ W(ua) mightbe able to receive the same data transmitted to the nodeua. Hence, uw could perform the same checks of ua

(e.g., checking bounds) and could further check if theaggregated data computed by ua matches with its owncomputed aggregated value. However, due to the rela-tive distance between nodes, a monitoring node mightnot be in the transmission range of sensor uc thus be-ing unable to receive the data sent to ua by uc.‖ In the

‖For example, sensor uw2 in Figure 1 cannot overhear datasent by uc1 to ua.


DOI: 10.1002/sec


following, we distinguish between the case in which apeer monitor has all the contributor nodes in its com-munication range (direct observation) and the case inwhich this is not possible.

For the case wherein direct observation is possible,let us consider the aggregating sensor ua. Suppose thatsensor uc sends its reading (sc) together with the ag-gregated data Ac and the number of sensors that con-tributed to Ac (〈sc, Ac, nc〉) to sensor ua. A peer mon-itoring node uw overhears all messages sent by sensoruc and performs exactly the same computations thattake place at ua. When ua sends its triple 〈sa, Aa, na〉upstream, uw is able to verify whether the aggregatedvalue Aa sent by ua matches its locally computed valueAa. Moreover, the peer monitoring node will also per-form the following checks: on the data reading, assess-ing whether this data follows in the expected bounds;on the number of contributors so far, that should not ex-ceed n, or some other finer value, if available. Note thatif it is not possible to perform the former two checks(for instance, the sensed data cannot be bound, or thevalue n is unknown to the peer monitoring), our pro-posal for the integrity of the aggregated data would stillstood.

When direct observation is not possible, the normalexecution of the aggregation protocol should be slightlymodified. First, observe that if the contribution of asensor uc cannot be observed by a peer monitoringnode uw, then uc can reach uw within at most twohops. Indeed, by definition, nodes uc and uw are inthe communication range of ua. In this case, besidesits normal operation, an aggregator node ua is askedto act as a relay node, retransmitting all data requiredby the peer monitoring node uw to verify the valid-ity of aggregation. Data relaying may be subject tointegrity attacks, hence each contributor uc appendsto the message sent to the aggregator sensor ua anHMAC keyed with the pairwise key uc shares withuw. We recall now that our protocol, as well as all ag-gregation protocols available in the literature, worksin rounds (synchronization is required). This impliesthat a peer monitoring sensor uw is able to detect if anaggregator node ua did not abide to the protocol, fail-ing to forward all contributions to uw. Note that a peermonitoring sensor uw will raise an alarm if an expectedcontribution was not received. It is out of the scope ofthis paper to detail how to deal with such an anomaly,but a possible solution could be to remove the misbe-having sensor from the WSN when the number of itsmissing contributions exceeds a given threshold. Thepseudo code of a peer monitoring sensor is reported inAlgorithm 2.

One could argue that having a sensor ua acting as a re-lay node for a fraction of contributor sensors that cannotbe monitored may imply a significant overhead. How-ever, as discussed in Section 6.5, an aggregator will beasked to forward a number of messages proportional tothe number of its contributors, that is a constant, smallnumber of nodes. This induce a communication over-head that is reasonably low as compared to the benefitsoffered by our scheme.


DOI: 10.1002/sec


Table I. Comparison of the properties of the different data aggregation approaches.

Properties

Model Sensor failure resilience Confidentiality Message length independent from WSN size

Our Yes Yes YesCMT [8] No Yes NoHBH Yes No YesNo Agg. Yes Yes No

Moreover, in Section 6.2 we focus on those attacksperformed by malicious peer monitoring nodes that donot fall in our adversary model but need to be discussedfor the sake of completeness.

5.2. Features Provided by the ProposedProtocol

In this section we highlight the features of the pro-posed aggregation protocol, while a detailed analysisis developed in Section 6.

� With the proposed aggregation protocol there is noneed to send to the BS neither the list of the sensorsthat executed the aggregation function, nor the list ofmissing participants; this feature is not provided byReference [8];

� By using peer monitoring sensors, the proposed pro-tocol allows local, early, and cooperative detectionof bogus data injection;

� The aggregation protocol requires only the exactnumber of bits needed to compute the aggregatefunction (for instance, the average values over thereadings);

� As sensors compute the aggregated data without tak-ing into account their own readings, with the pro-posed protocol it is possible for the peer monitoringnodes to check not only the aggregated value but alsosingle sensor readings;

� In our scheme, peer monitoring sensors do not senddata messages, except for alarm messages. This im-plies that the density of peer monitoring nodes doesnot increase medium access contention: If necessary,we could increase the resilience of the aggregationprotocol by increasing the number of peer monitor-ing nodes (see Section 6.1) without any performancedegradation;

� A single node corruption would not reveal any otherinformation than the readings of the corrupted nodeand the readings of its neighbors; that is, an adversarycan only obtain a (small) constant number of readings

without being able to recover any information on theaggregated data, as discussed in Section 6.2.

Table I provides a summary comparison of the proto-col proposed in this paper with relevant related work inthe literature. With HBH we refer to the case in whichsensors encrypt data on a hop-by-hop basis, while NoAgg. refers to a situation in which there is no data ag-gregation: each reading is sent to the BS. CMT refers tothe proposal appeared in Reference [8]. In next sectiona detailed analysis of the proposed protocol is reported.

6. Analysis and Discussion

6.1. Resilience

In order to analyze resilience of our protocol with re-spect to the adversary model introduced in Section 3.1,we assume that the adversary can compromise α ran-domly chosen sensors; we want to evaluate what is theprobability ε for the adversary to inject bogus data.

Note that the sensors to be compromised are ran-domly selected among the ones that are not yet com-promised. This means that every sensor can be compro-mised with probability less than α/(n − α). As we haveseen in Section 3.2, the above assumption can be usedto provide an upper bound on the probability that com-promised sensors can succeed in injecting a bogus data.

The relationship between the failure probability fp

and the number of sensors compromised by the adver-sary is given by fp < α/(n − α). In the sequel of thissection, fp can also be considered the fraction of thetotal number of sensors that can be corrupted by anadversary.

To provide an upper bound on resilience, note thatwe cannot have more than n peer monitoring sets ina WSN. The probability for the WSN to be jeopar-dized (Pr[J]) is given by the probability that at leastone of the monitoring sets is completely under the con-trol of the adversary. Let us indicate with Pr[jM] =


DOI: 10.1002/sec


max{Pr[j1], . . . , Pr[jn]} the monitoring set that hasthe highest probability to be corrupted. Further, werecall that for a peer monitoring set of size d, the prob-ability to be entirely corrupted is given by f d

p , since themaximum of Pr[ji] is obtained by the monitoring setthat has the least number of peer monitoring sensors(d), hence Pr[jM] = fd

p . Thus, an upper bound on theoverall probability to jeopardy the WSN security is

Pr[J] ≤ Pr[j1 ∨ j2 ∨ · · · ∨ jn] ≤ nPr[jM] = n × fdp

(1)

In Figures 2(a) and (b) we plot Equation 1. On thex-axis we report the number of sensors in the WSN,varying this value in the range [256, . . . , 65 516], whileon the y-axis we show the probability that the WSN canbe jeopardized (Pr[J]). In Figure 2(a) and (b) we takeinto account two single node failure probabilities, thatis fp = 2−4 and fp = 2−5 (i.e., as noted in Section3.2 this parameters reflect a situation in which the ad-versary can corrupt up to n/17 and n/33 sensors). Wealso vary the number of peer monitoring sensors d inthe range [4, . . . , 6]. Within each figure, we magnifythe behavior of the curves for a choice of the x-axisin the range [63 000, . . . , 65 516], while the y-axis val-ues are selected to grant visibility to the curve with thelowest values. Note that the lowest value on the y-axis isalways provided by d = 6; this is coherent with the in-tuition that the bigger the number of peer monitors, thesmaller the probability of compromising our scheme.

In Figure 2(a) the probability of jeopardizing theWSN is not negligible when d = 4, even for a smallnetwork size. However, note that as the number of peermonitoring sensors is at least d = 5, this probability isalways below the value of 0.07, while for small net-works (e.g., below 10 000 nodes) this probability is aslittle as 0.001. When the number of monitoring sensorsreaches the value d = 6, the corresponding probabilityis negligible: It is less than 0.00006 for a WSN with upto 10 016 nodes, while increases only up to 0.004 for aWSN with 65 516 nodes.

The same qualitative behavior can be observed inFigure 2(b). In particular, when d = 4 and the networksize is less than or equal to 10 016 nodes, the probabilitythat our protocol does not detect the injection of bogusdata is always lower than 0.01, while this value slowlyincreases up to 0.06 when considering 65 516 nodes.For d = 5, with 10 016 nodes the probability to jeop-ardize the WSN is less than 0.0003, while it increasesup to 0.002 when considering 65 516 nodes. Finally,for d = 6 we have that for each size of the WSN in

Fig. 2. Scheme failure probability for d = 4, 5, and 6. (a)pf = 2−4, (b) pf = 2−5.

the range [256, . . . , 65 516], the probability ε is below0.0006.

Figures 2(a) and (b) support the intuition that the pro-posed protocol is highly resilient against the obliviousadversary. Indeed, for a wide set of parameters (for in-stance, we have assumed the adversary able to compro-mise 1/17 of the network), d = 6 implies a very smallprobability for the oblivious adversary to be successfulin injecting bogus data. Further, we highlight the factthat it is possible to trade-off the resilience to the obliv-ious adversary with a slight increase in the size of thepeer monitoring set: a unity increase in the value of dprovides an exponential gain in the resilience towardsthe oblivious adversary. It should be noted that the re-silience of our scheme in the random failure model isequivalent to the one we obtained for the adversarymodel.

Finally, note that an exponential gain is achievedby decreasing the sensor failure probability (fp).However, fp is not a design parameter—for instance,


DOI: 10.1002/sec


if we use Commercial Off-The-Shelf sensors, theycome with their Mean Time Between Failure in thetechnical specification sheet. This is why we havebeen conservative in considering high values for fp,such as fp = 2−4, 2−5.

6.2. Security Analysis

6.2.1. Confidentiality

Data aggregation can be exploited by an adversary toviolate the confidentiality of the aggregated data, forexample by compromising a few nodes close to the BS.

In our protocol, we cope with this threat via encryp-tion using the scheme described in Section 4.1. Re-ferring to the key setup phase described in Section 4.2,each sensor ui distributes to its neighbors the secret keyki used to generate the key stream ri. Thanks to this fea-ture, if sensor ui fails, its neighbors can still provide therandom value that should have been used to mask thesensed data. This operation is necessary since the BS,like in Reference [8], derives all the masking valuesfrom the secret keys ki it shares with sensors, and usesthese values to decrypt the received aggregate data.

Hence, distributing secret keys to a neighborhoodmeans that compromising a single sensor will providethe adversary with a number of keys that is equal to thenumber of compromised sensor’s neighbors. However,since in our scheme every and each node adds an en-cryption layer (ra) on the sensed data, the aggregateddata will be still secure, like in Reference [8]. Fromthese considerations the following lemma holds.

Lemma 1. In our protocol, for the adversary to cap-ture q readings, it is necessary to capture a number ofnodes that is at least �q/M, where M is the maximumsize of an active neighborhood.

The above lemma allows the adversary to chose anyq sensors from the WSN. That is, even if the adversaryis able to compromise all the q sensors close to the BS,it will get no more than qM readings. Note that in ascheme where no data confidentiality is enforced, thiswould result in the compromising of the confidentialityof the aggregated data.

6.2.2. Impersonation

Here we turn to the attacks through which an adversarycan impersonate a legitimate sensor node. By cloninga corrupted sensor an adversary could perform the so-called Sybil attack [38] and insert all produced sensorreplicas in the WSN.

In the literature it is possible to find some solutionsthat deal with the Sybil attack, like Reference [39];more recent works aim at better identifying the ratio-nales behind this attack and provide efficient solutions[40,41] to cope with it.

Our aggregation protocol thwarts this kind of attackby construction. Indeed, if the adversary replicates acaptured sensor and deploys it in different neighbor-hoods, these replicas will not hold the encryption keysthat have been previously shared among sensors; hence,the corrupted sensor and its replicas cannot participateto the aggregation protocol. If replicas are positionedwithin the same neighborhood of the corrupted node, apeer monitoring node can easily detect the attempts ofa sensor to inject several readings in a single time slot.

In case a corrupted node tries to disrupt the com-putation performed in the WSN by injecting an im-plausible value, that is, a value that exceeds a certainrange [min, . . . , max], an alarm is going to be raised;indeed, as described in Algorithm 2, the reading sc pro-vided by a contributor is defined to fall in the range[min, . . . , max].

6.3. Discussion on Peer Monitoring Nodes

In this section we discuss on some possible caveatsrelated to the role of peer monitoring nodes.

A typical example would be for a misbehaving peermonitoring sensor to report false alarms to the BS. Theimpact of false positives can be mitigated for exam-ple by requiring the source of an alarm to append itsidentity—according to a protocol that could allow iden-tity verification. The BS could maintain and incrementa tally for those nodes that falsely reported an alarm.Hence, the BS could take the appropriate action to iso-late the misbehaving sensor if the tally exceeds a certainthreshold. Note that this solution also requires a mech-anism to identify false alarms. Further, peer monitorscould also be the target of attacks. For example, a threatcould be posed by a contributor sensor trying to con-trol its transmission power with the goal to circumventthe peer monitor; this can be done by modulating thetransmission power such that the signal would be strongenough to be overheard by a peer monitoring set, buttoo weak to be received by the true aggregator. Thoughthis would require the misbehaving node to know ex-actly the transmission power required to reach each ofits neighboring nodes, we consider this attack feasible.However, this attack would still be detected based onour protocol, since peer monitoring nodes verify theresult of the computation performed by the aggregator,which will not match with the locally computed value.


DOI: 10.1002/sec


Even if the identification of the misbehaving node isdifficult, an alarm will be raised to inform the BS ofthe inconsistency of the aggregated data.

A more sophisticated attack can be mounted whenmultiple nodes collude. For example, suppose an ag-gregator ua and all the nodes in Wa are corrupted. Theaggregator could inject bogus data in the network. Theaggregation protocol presented in this paper is inher-ently d − 1 resilient to collusion attacks, where d isthe size of the smallest peer monitor set. If at least onesensor in the set is not corrupted, it can still notify theBS of the anomalies perceived during each protocolexecution.

6.4. Scalability Issues

The number of neighbors a sensor can support ismainly limited by interference and collision issues atthe medium access level. In this section, we investi-gate the scalability of our scheme with respect to thenetwork size.

Define x = max{i|fp ≤ 2−i}, then Equation 1 can berewritten as

Pr[J] ≤ 2−xd+log2 n (2)

Equation 2 reflects the impact that the parameters d(the size of the peer monitoring set that has the minimalnumber of elements) and n (the number of sensors inthe WSN) have on the resilience to failures. Our objec-tive is to study the effectiveness of our protocol as thesize of the WSN increases, while preserving Pr[J] ≤ ε

resilience to bogus data injection.Let M be the maximum size of an active neighbor-

hood a sensor can support and fix ε to be the upperbound on the probability of failure. In the followingwe study the relationship between the cardinality of theminimum peer monitoring set and the network size, fora given probability ε.

From Equation 2 we have that:

Pr[J] ≤ 2−dx+log2 n ≤ ε

is true for

dx ≥ log2 n − log2 ε

Hence, the values d can take on are given by

M > d ≥⌈

log2 n − log2 ε

x

⌉(3)

Fig. 3. Peer monitoring density for failure probability lessthan ε = 2−16, 220, and 2−24. (a) pf = 2−4, (b) pf = 2−5.

where M is the maximum size of an active neigh-borhood, and the equation on the right provides theminimum value of d such that our WSN is still ε re-silient. In Figures 3(a) and (b) we plot Equation 3. Onthe x-axis we represent the network size (in the range[256, . . . , 65 516]), while on the y-axis we report theminimum number of monitoring sensors are requiredto have at least ε resilience. The two figures take intoconsideration different values for the failure probabilityfp. In Figure 3(a) we assume to have fp = 2−4. Fromthis figure, we observe that when the network size isless or equal to 16 376 sensors, a monitoring set of car-dinality at least 7 and 9 is required to have ε = 2−16,2−24, respectively. For a network size between 16 376and 65 516 sensors, we need a peer monitoring set ofcardinality 8 and 10 if we want to be ε resilient, whereε is 2−16, 2−24, respectively.

The same results hold for the case fp = 2−5, as canbe seen from Figure 3(b). Indeed, we have taken a


DOI: 10.1002/sec


conservative approach taking into consideration theupper integer part of log2 n−log2 ε

x, as results from

Equation 3.From this discussion it follows that our proposed

scheme is highly scalable. Indeed, for a WSN com-posed of up to 65 516 sensors, for a value of fp =2−4, 2−5, to assure an ε resilience for ε = 2−16,2−24, the number of required peer monitors ranges in[7, . . . , 10]. Note that 10 neighbors is a very feasiblelimit on the number of neighbors a sensor can haveReference [20]. Furthermore, this limit can even bestretched if we assume that peer monitoring sensorsare specialized sensors (i.e., they do not act neither ascontributor nor as aggregator); in this case it holds theconsideration exposed in Section 5.2 about the possi-bility of decoupling the physical neighborhood limit asfor the peer monitoring set.

6.5. Overhead Analysis

Transmission overhead: Each contributing sensoris required to append an HMAC to each messagedestined to each peer monitoring sensor associated toit. Note that, as shown above, this number is in therange [7, . . . , 10], while the size of the HMAC can belimited to 64 bits, as detailed in the following. Further,note that an aggregator could incur an additionaloverhead when it acts as a rely node for nodes thatare not in the direct communication range of the peermonitoring nodes. However, rely is just on-hop limitedand possibly required by just a small subset of thenodes (if any) in the peer monitoring set. Finally, itshould be noted that monitoring sensors do not sendany messages, unless to rise an alarm.

Computational overhead: Our protocol requires con-tributing sensors to generate the encryption key andthe HMACs. Aggregating sensors are further requiredto generate the encryption key ki in case of contrib-utors failures. Peer monitoring sensors carry out thesame set of computations performed by the aggrega-tor. However, note that computing an HMAC can beconsidered a lightweight operation.

As opposed to the protocol proposed in Reference[8], our scheme requires the additional overhead im-posed by HMACs and the presence of peer monitoringsensors. These limitations are compensated by the ad-ditional properties of our scheme presented in Table I.Further advantages of our proposal are: the smallermessage size of the aggregated data; and, the fact thatit does not require the identity of contributors to beappended.

Finally, recall that the implementation of the HMACas discussed in detail in Reference [42] would producean output of 64 bits only. The energy devoted to com-pute and to transmit this HMAC has been the subject ofresearch [43,44], and its cost has been accepted as sus-tainable by the vast majority of the literature concernedwith security issues for WSN.

7. Concluding Remarks

In this paper we present a mechanism for data aggre-gation in WSN that enforces both confidentiality andintegrity of the aggregated data. The proposed mecha-nism is based on a novel application of peer monitor-ing and on a delayed aggregation of sensed data. Thesecurity of our scheme relies on the concept of addi-tive homomorphic encryption and on a lightweight keydistribution technique. Moreover, our scheme is robustagainst bogus data injection. Resilience to attacks andto random node failures is also provided. Our aggrega-tion protocol is scalable, and we have shown that thenetwork size can scale up to thousands of sensors withguarantees on the confidentiality and integrity providedby the scheme. These properties come at a limited ad-ditional cost since the proposed scheme requires onlylocal communications and leverages lightweight cryp-tographic primitives.

Acknowledgment

This work was partly supported by the Span-ish Ministry of Science and Education throughprojects TSI2007-65406-C03-01 ‘E-AEGIS’ andCONSOLIDER CSD2007- 00004 ‘ARES’, and bythe Government of Catalonia under grant 2005 SGR00446. This work was partially funded also by the Ital-ian National Research Council (CNR) via the short-term mobility program (2005).

References

1. Akyildiz IF, Su W, Sankarasubramaniam Y, Cayirci E. Wire-less sensor networks: a survey. Computer Networks 2002; 38(4):393–422.

2. Intanagonwiwat C, Estrin D, Govindan R, Heidemann J. Impactof network density on data aggregation in wireless sensor net-works. In Proceedings of IEEE ICDCS, Washington, DC, USA,2002; 457. IEEE Computer Society.

3. Krishnamachari B, Estrin D, Wicker SB. The impact of data ag-gregation in wireless sensor networks. In Proceedings of IEEE


DOI: 10.1002/sec


ICDCSW, Washington, DC, USA, 2002; 575–578. IEEE Com-puter Society.

4. Madden S, Frankli MJ, Hellerstein JM, Hong W. Tag: a tinyaggregation service for ad-hoc sensor networks. In Proceedingsof ACM OSDI, New York, NY, USA, 2002; 131–146. ACM Press.

5. Anderson R, Chan H, Perrig A. Key infection: smart trust forsmart dust. In Proceedings of IEEE ICNP, Washington, DC,USA, 2004; 206–215. IEEE Computer Society.

6. Chan H, Perrig A, Przydatek B, Song D. Sia: secure informationaggregation in sensor networks. Journal of Computer Security2007; 15(1): 69–102.

7. Di Pietro R, Mancini LV, Mei A. Energy efficient node-to-nodeauthentication and communication confidentiality in wirelesssensor networks. Wireless Networks 2006; 12(6): 709–721.

8. Castelluccia C, Mykletun E, Tsudik G. Efficient aggregationof encrypted data in wireless sensor networks. In Proceedingsof ACM/IEEE Mobiquitous, San Diego, CA, USA, 2005; 109–117.

9. Esler M, Hightower J, Anderson TE, Borriello G. Next centurychallenges: data-centric networking for invisible computing. InProceedings of ACM MOBICOM, 1999; 256–262.

10. Intanagonwiwat C, Estrin D, Govindan R, Heidemann J. Impactof network density on data aggregation in wireless sensor net-works. In Proceedings of IEEE ICDCS, Washington, DC, USA,2002; 457. IEEE Computer Society.

11. Hu L, Evans D. Secure aggregation for wireless networks. InProceedings of SAINT, Washington, DC, USA, 2003; 384. IEEEComputer Society.

12. Wagner D. Resilient aggregation in sensor networks. In Proceed-ings of ACM SASN, New York, NY, USA, 2004; 78–87. ACMPress.

13. Girao J, Schneider M, Westhoff D. Cda: concealed data aggrega-tion in wireless sensor networks. In Proceedings of ACM WISE,Philadelphia, USA, October 2004. WiSe 2004. Poster presenta-tion.

14. Girao J, Westhoff D, Schneider M. Cda: concealed data aggrega-tion for reverse multicast traffic in wireless sensor networks. InProceedings of IEEE ICC, Seoul, Korea, May 2005. ICC2005.

15. Westhoff D, Girao J, Acharya M. Concealed data aggregation forreverse multicast traffic in sensor networks: encryption, key dis-tribution, and routing adaptation. IEEE Transactions on MobileComputing 2006; 5(10): 1417–1431.

16. Chan H, Perrig A, Song D. Secure hierarchical in-network ag-gregation in sensor networks. In Proceedings of ACM CCS, NewYork, NY, USA, 2006; 278–287. ACM Press.

17. Frikken KB, Dougherty JA, IV. An efficient integrity-preservingscheme for hierarchical sensor aggregation. In Proceedings ofACM WiSec ’08, New York, NY, USA, 2008; 68–76. ACM Press.

18. Buttyan L, Schaffer P, Vajda I. Ranbar: ransac-based resilientaggregation in sensor networks. In Proceedings of ACM SASN,New York, NY, USA, 2006; 83–90. ACM Press.

19. Roy S, Conti M, Setia S, Jajodia S. Securely computing an ap-proximate median in wireless sensor networks. In Proceedingsof SecureComm 2008, in press, 2008.

20. Eschenauer L, Gligor VD. A key-management scheme for dis-tributed sensor networks. In Proceedings of the ACM CCS, 2002;41–47. ACM Press.

21. Di Pietro R, Mancini LV, Mei A, Panconesi A, RadhakrishnanJ. Redoubtable sensor networks. ACM Transactions on Informa-tion and System Security 2008; 11(3): 1–22.

22. Zhu S, Setia S, Jajodia S. LEAP: efficient security mechanismsfor large-scale distributed sensor networks. In Proceedings ofACM CCS, 2003; 62–72.

23. Greenwald MB, Khanna S. Power-conserving computation oforder-statistics over sensor networks. In Proceedings of ACM

SIGMOD-SIGACT-SIGART PODS, New York, NY, USA, 2004;275–285. ACM Press.

24. Liu D, Ning P. Establishing pairwise keys in distributed sensornetworks. In Proceedings of ACM CCS , 2003; 52–61. ACMpress.

25. Madden S, Franklin MJ, Hellerstein JM, Hong W. The designof an acquisitional query processor for sensor networks. In Pro-ceedings ACM SIGMOD ’03, 2003; 491–502. ACM Press.

26. Gehrke J, Madden S. Query processing in sensor networks. IEEEPervasive Computing 2004; 3(1): 46–55.

27. Zhang W, Cao G. Optimizing tree reconfiguration to track mobiletargets in sensor networks. SIGMOBILE Mobile Computing andCommunications Review 2003; 7(3): 39–40.

28. Elson J, Romer K. Wireless sensor networks: a new regime fortime synchronization. ACM SIGCOMM CCR 2003; 33(1): 149–154.

29. Ganeriwal S, Capkun S, Han C-C, Srivastava MB. Secure timesynchronization service for sensor networks. In Proceedings ofACM WISE, New York, NY, USA, 2005; 97–106. ACM Press.

30. Ganeriwal S, Ganesanl D, Hansen M, Srivastava MB, Estrin D.Rate-adaptive time synchronization for long-lived sensor net-works. In Proceedings of ACM SIGMETRICS, New York, NY,USA, 2005; 374–375. ACM Press.

31. van Greunen J, Rabaey J. Lightweight time synchronization forsensor networks. In Proceedings of ACM WSNA, New York, NY,USA, 2003; 11–19. ACM Press.

32. Perrig A, Szewczyk R, Wen V, Culler DE, Tygar JD. SPINS:security protocols for sensor networks. In Proceedings of ACMMOBICOM, 2001; 189–199.

33. Gupta H, Zhou Z, Das SR, Gu Q. Connected sensor cover: self-organization of sensor networks for efficient query execution.IEEE/ACM Transactions on Networking 2006; 14(1): 55–67.

34. Couture M, Barbeau M, Bose P, Kranakis E. Incremental con-struction of k-dominating sets in wireless sensor networks. InTR-Carleton University, 2006.

35. Wang J, Medidi S. Topology control for reliable sensor-to-sinkdata transport in sensor networks. In Proceedings of IEEE ICC,2008; 3215–3219.

36. Domingo-Ferrer J. A provably secure additive and multiplica-tive privacy homomorphism. In Proceedings of IFIP SEC, 2002;471–483.

37. Knuth D. The Art of Computer Programming (3rd edn), Vol. 2.Addison-Wesley, 1997.

38. Douceur JR. The sybil attack. In Proceedings of USENIX IPTPS.Springer, 2002; 251–260.

39. Parno B, Perrig A, Gligor VD. Distributed detection of nodereplication attacks in sensor networks. In Proceedings of IEEES&P, Washington, DC, USA, 2005; 49–63.

40. Conti M, Di Pietro R, Mancini LV, Mei A. Requirements andopen issues in distributed detection of node identity replicas inwsn. In Proceedings of IEEE SMC, 2006; 1468–1473.

41. Conti M, Di Pietro R, Mancini LV, Mei A. A randomized, ef-ficient, and distributed protocol for the detection of node repli-cation attacks in wireless sensor networks. In Proceedings ofMobiHoc ’07, New York, NY, USA, 2007; 80–89. ACM Press.

42. Menezes AJ, van Oorschot PC, Vanstone SA. Hash functions anddata integrity. Handbook of Applied Cryptography. CRC Press,1996.

43. Wander AS, Gura N, Eberle H, Gupta V, Shantz SC. Energy anal-ysis of public-key cryptography for wireless sensor networks. InProceedings of IEEE PERCOM, Washington, DC, USA, 2005;324–328. IEEE Computer Society.

44. Law YW, Doumen J, Hartel P. Survey and benchmark of blockciphers for wireless sensor networks. ACM Transactions on Sen-sor Networks 2006; 2(1): 65–93.


DOI: 10.1002/sec

confidentiality and integrity for data aggregation in wsn using peer monitoring

Documents