robust range-independent localization for wireless sensor networks radha poovendran joint work with...
TRANSCRIPT
Robust Range-Independent Localization for Wireless Sensor Networks
Radha Poovendran
Joint work with Loukas Lazos
Network Security Lab
University of Washingtonhttp://www.ee.washington.edu/research/nsl/faculty/radha
2
• Motivation• Problem • Assumptions• Approach• Solution: SeRLoc• Threats and defense• Performance • High resolution localization:
HiRLoc• Conclusions
Talk Outline
3
• Location information is used for• Applications-Search & rescue etc.• Network Functions-Routing etc.
• Location estimation Techniques• Range-based
•Absolute p2p distance/angle estimate.
•Requires hardware/sync. clocks.• Range-free
•No distance or angle measurements•Used by Dv-hop, APIT etc.
Motivation
4
Secure Localization Problem
• Localization Problem: Estimate
sensor’s location.
• Threat: An adversary can provide
false info displace the sensor.
• Secure Localization: Ensure robust
location estimation even in the
presence of adversaries.
• Related work: Capkun [Technical
Report—SecPos]
5
Network Model Assumptions (1)Two-tier network
architecture
Locator Sensor
Omnidirectional antennas, unknown location, randomly deployed, density ρs.
Directional antennas, known location,randomly deployed, density ρL.
ρL << ρs
r
R
6
Network Model Assumptions (2)
•Locator deployment: Homogeneous
Poisson point process of rate ρL
Random spatial distribution.
•Sensor deployment: Random sampling
with rate ρs.
2
!
2R
k
Ls
Lek
RkLHP
LHs: Locators heard at a sensor s
7
• Develop range-free location estimation technique that •Detects attacks on localization.•Allows robust location
estimation even in the presence of attacks.
•We do not attempt to eliminate attacks on other network protocols.
Our Approach
8
Our Approach: SeRLocLocator Senso
rROI
L1
L4
L3
L2
• Each locator Li transmits
information that defines
the sector Si, covered by
each transmission.
• Sensor s defines the region of intersection (ROI), from all locators it hears.
sLH
iiSROI
1
s
9
Locator Sensor
L1
L4
L3
L2: (X2, Y2)
Locators
Coordinates Slopes
L1: (X1, Y1) [θ1,1, θ1,2]
L2: (X2, Y2) [θ2,1, θ2,2]
L3: (X3, Y3) [θ3,1, θ3,2]
L4: (X4, Y4) [θ4,1, θ4,2]
The sensor collects information from all the locators that it can hear.
SeRLoc – Step 1: Beacon reception
θ2,2
θ1,2
(0, 0)Computing the ROI analytically by intersection of
conics is EXPENSIVE! Approximate method.
10
SeRLoc – Step 2: Search areaLocator Senso
r
L1
L4
L3
L2
R
RR
R: Locator’s Range Search Area
Define:
(Xmin+R, Ymax-R)
(Xmin+R, Ymin+R)(Xmax-R, Ymin+R)
(Xmax-R, Ymax-R)
2R+Xmin - Xmax
1. Sensor knows the rectangular coordinates and places a grid.
2. Every grid point coordinates are known.
Xmin = min { Xi i L }
Ymin = min { Yi i L }
Xmax = max { Yi i L }
Ymax = max { Yi i L }
11
― Sensor holds a Grid Score Table (GST)
―GST is initialized to zero.―Perform Grid sector test
for every point in the grid:
―If C1=True and C2=True,
increase GST score value by one.
SeRLoc – Step 3: Grid-sector testLocator Senso
rR: Locator’s Range
L1 g: (xg,yg)
θ1,2
θ1,1
,:1 RLgC i
2,11,12 : C
R
12
SeRLoc – Step 4: ROI computationSensor
Search Area 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
…1 1 1 2 3 3 3 3 4 4 4 3 3 3 3 3
3 1 1 2 2 2 3 4 4 4 4 4 4 4 3 3 2
21 1 2 2 4 4 4 4 4 4 4 4 4 4 3 3
22 2 2 2 3 4 4 4 4 4 4 4 4 3 2 2
22 2 3 3 3 3 4 4 4 4 4 4 3 3 2 2
22 2 2 3 3 3 3 4 4 4 4 3 3 2 2 2
21 2 2 2 3 3 3 3 4 4 3 2 2 2 3 4
32 2 2 3 3 3 3 3 2 2 2 2 1 1 1 1
1…0 0 0 0 1 1 1 1 0 0 0 0 0 0 0 0
0
ROI
•Majority vote: Points with highest score define the ROI.
•Error is introduced due to discrete computation.
•We trade Accuracy vs. Complexity.
13
SeRLoc - Security mechanisms• Message Encryption : Messages are encrypted by a shared
symmetric key.
• Locator ID authentication :
• A locator Li has a unique password PWi.
• PWi is blinded with a one-way hash function H :
{0,1}{0,1}
• A hash chain is generated by iterative application of H
h0, h1 ,…, hn, h0=PWi, h1=H(PWi)
• Preload every sensor with the values Hn(PWi) of all
locators.
• A sensor can authenticate a locator within its range (one-
hop authentication).
• Locator beacon format:
Li : { (Xi, Yi) || (θi,1, θi,2) || (Hn-j(PWi)), j } Ki
Locator’s coordinates Slopes of the sector
ID authentication
Shared symmetric key
Hash index
14
SeRLoc – Wormhole Attack
L1
L4
L3
L2
L5
L8L7
L6
THREAT MODEL• An attacker records beacons in
region A
• Tunnels beacons via wormhole link at
region B
• Replays the beacons.
• Sensor “hears” locators LHs: {L1 -
L8}.
• No compromise of integrity,
authenticity of the communication
or crypto protocols.
• Direct wormhole link allows timely
replay of beacons.
sensorLocator
Attacker
Region B
Region A
Wormhole link
15
Wormhole attack detection (1)
cL
c
AA eLHPSGP 11
Accept only single message per locator
Multiple messages from the same locator are heard due to: –Multi-path effects–Imperfect sectorization–Replay attack
sensorLocator
Ac
Wormhole link
Attacker
obstacle
16
jLiLAA eeCRP 11
Communication range constraint property.
Locators heard by a sensor cannot be more than 2R apart.
R: locator-to-sensor communication range.
sensorLocator
Ai
RLL ji 2
Aj
Wormhole attack detection (2)
Wormhole link
Attacker
2R
Li Lj
17
2
det
11
)()(
iLcLcL AAA eee
CRPSGPCRPSGPCRSGPP
Probability of wormhole detection
The events of a locator being within any region Ai, Aj, Ac are inde-pendent (Regions do not overlap).
sensorLocator
Ai Aj
Ac
Wormhole attack detection (3)
Wormhole link
Attacker
2R
18
Wormhole attack detection (4)Probability of wormhole detection
L
19
Attach to Closest Locator Algorithm
(ACLA)1. Sensor s : Broadcasts a nonce η.
2. Locator Li : Reply with a beacon + the
nonce η, encrypted with the pair-wise
key Ks,Li.
3. Sensor s : Identify the locator Lc with
the first authentic reply.
4. Sensor s : A locator Li belongs to the
valid set, only if it overlaps with the
sector defined by the beacon of Lc.
Resolution of location ambiguity
L1
L4
L3
L2
L5
L8
L7
L6
sensorLocator
Attacker
Region B
Region AWormhole link
A sensor needs to distinguish the valid set of locators from the replayed ones.
20
THREAT MODEL
•The attacker has compromised the globally shared key K0.
•The attacker can impersonate any locator not directly
heard to the sensor under attack.
SeRLoc – Sybil Attack
L1
L2L3
L4
Impersonator
•Attacker can fabricate arbitrary
number of beacons.
•Attacker succeeds in displacing the
sensor if more than |LHs| locators
can be impersonated.
21
•In a successful Sybil attack, a sensor hears at least twice
the number of locators.
•Define a threshold Lmax as the maximum allowable number
of locators heard, such that:
Sybil Attack detection – Defense (1)
max(| | ) ,sP LH L max(| | ) 12s
LP LH
Probability of false
alarm
Probability of Sybil
attack detection
•Design goal: Given security requirement δ, minimize false
alarm probability ε.
22
Sybil Attack detection – Defense (2)
k
i
R
i
Ls
Lei
RkLHP
1
22
!1
• Random locator deployment we can derive the Lmax
value:
Lmax/2
Lmax
False Alarm Probability
Detection Probability
23
SeRLoc – Compromised entitiesTHREAT MODEL
• Attacker possess
1. Knowledge of all cryptographic quantities
2. Full control over the behavior of the entity.
• Compromise of a sensor reveals the globally shared
key K0.
• Compromise of a locator reveals K0, master key KLi,
and the hash chain of the locator.
• The adversary can launch a Sybil attack from a location
closer to the sensor under attack than any locator
Compromise the ACLA algorithm Displace any sensor.
24
Enhanced location determination algorithm
L2
L3
L4
L5
L6
L1 L7
L8
L9
1. The sensor transmits a nonce with his
ID and set LHs
2. Locators within r
from the sensor relay
the nonce.
3. Locators within R
reply with a beacon
+ the nonce.
4. Sensor accepts
first Lmax replies.
• Attacker has to
compromise more than
Lmax/2 locators, AND
• Replay before
authentic replies arrive
at s.
25
• Simulation setup:
―Random locator distribution with density ρL.
―Random sensor distribution with density ρs.
• Performance evaluation metric:
• : Sensor location estimation.
• si : Sensor actual location.
• r : Sensor-to-sensor communication range.• |S| : Number of sensors.
Performance Evaluation
S
i
iesti
r
ss
SLE
1
1
estis
26
Localization Error vs. LH
•SeRLoc outperforms
current schemes for
any LH value
•Satisfactory
performance even
for very small LH.
27
Localization error vs. antenna sectors
•Higher number of
directional antennas
(narrower sectors)
reduces LH.
•More expensive
hardware at each
locator.
28
Localization error vs. sector error
•Sector error:
Fraction of sectors
falsely estimated at
each sensor.
•SeRLoc is resilient
against sector error
due to the majority
vote scheme.
•Even when 50% of the sectors are falsely
estimated, LE < r for LH 6.
29
Localization error vs. GPS error
• GPS Error (GPSE):
Error in the locators’
coordinates.
• For GPSE = 1.8r and
LH = 3, LE = 1.1r.
• DV-hop/Amorphous:
LE = 1.1r requires LH
= 5 with no GPSE.
• APIT: LE = 1.1r
requires LH = 12 with
no GPSE.
30
High Resolution localization - HiRLoc Can we increase the accuracy of the location estimate, while preserving the resilience against attacks?
How do we achieve ROI segmentation ?
Expensive solution1. Increase the locator density More sectors will intersect.
2. Decrease the sector size Smaller ROI.
Inexpensive solution
1. Variation of the antenna orientation.
2. Variation of the communication range.
sLH
iiSROI
1
Is it feasible?
Yes, if we can
further segment the
ROI
31
Variation of the antenna orientation • Rotate the antenna system by some angle α.
• Broadcast beacons with the new coordinates.
• Compute ROI by intersection of all sectors Si(j) over time,
j : transmission round
Initial ROI estimate
L1
L2
s
α
α
• Sector dependence:
Si(j) = S(θi(j), j)Improve
d ROI
32
Antenna rotation equivalence
Rotation
•Antenna rotation emulates an antenna system
with more directional antennas (narrower
sectors).
L1
3-sector
antenna
L1
6-sector
antenna
33
Variation of the communication range • Reduce the communication range Ri(j) via power control.
• Broadcast beacons with the new Ri(j).
• Compute the intersection of all sectors Si(j).
Initial ROI estimate
L1
L2
s
• Sector dependence:
Si(j) = S(Ri(j), j)
Reduction in
communication rangeImprove
d ROI
34
Intersecting multiple sectors
L1
• For same angle transmissions θi(j), j=1..k, but different
range Ri(j), pick sector with smaller range Rmin=minRi(j).
S1(1)
S1(2)
S1(k)
Rmin
Rmax
L1
k
jiii kRSjjRS
1min ,,
S1(k)
35
Computation of the ROI• Option 1:
1. Collect Si(j) info j =1..m .
2. Intersect all Si(j) j =1..m to determine the ROI.
m
j
LH
ii
s
jSmROI1 1
)(
• Option 2:
1. Collect Si(j) for all Li in LHs.
2. At each round j, compute ROIt ROI(j) = ROI(j-1) ROIt.
m
j
LH
ii
s
jSmROI1 1
)(
36
Conclusions Presented a robust range-free localization:
SeRLoc SeRLoc
Robustly computes the location in the
presence of attacks No neighboring sensor information required.
Uses light-weight security mechanisms
(hashing, symmetric crypto). HiRLoc: Achieves high resolution localization
with no additional hardware resources, will
preserving robustness against threats in WSN. This work is only the first step. More research is needed!
37
Thank you for your
time!
38
Appendix for Readers
39
HiRLoc – Wormhole attack (1)
L1
L4
L3
L2
L5
L8L7
L6
• Transmissions in every round are
done with Rmax.
• Sensor hear LHs={L1...L8} at every
antenna rotation.
• Sensor can determine valid
LHs={L1..L4} as in SeRLoc.
• Use only valid LHs, in ROI
computation.
• Wormhole attack for case 1
HiRLoc security SeRLoc
security
Case 1: Antenna Orientation Variation
Region B
Region AWormhole link
40
ROI(j)ROI(1)
HiRLoc – Wormhole attack (2)
L1
L4
L3
L2
THREAT MODEL
• Locators in valid LHs can get out of
range, once Ri(j) reduced.
• Attacker can replay transmissions
from valid LHs not heard at the
sensor.
DEFENSE
• Sensor determines valid LHs based on transmissions with Rmax.
• Determine
• Intersect any future ROI(j), j = 2..m with ROI(1).
Case 2: Communication Range Variation
Wormhole link
sLH
ii jRSROI
1max)1(
41
HiRLoc – Sybil attack (1)
• Locators transmit with Rmax at every antenna rotation.
• Attacker cannot impersonate locators directly heard to the
sensor.
• Sybil detection as in SeRLoc |LHs| Lmax.
• If under attack, execute ACLA.
Case 1: Antenna Orientation Variation
L1
L2L3
L4
Impersonator
• Sybil attack for case 1
HiRLoc security SeRLoc
security
42
HiRLoc – Sybil attack (2)
THREAT
• Locators in LHs when Rmax, that get out of range due to reduced
Ri(j), can be impersonated.
• Limiting |LHs| Lmax. does not defend against the Sybil attack.
DEFENSE
• Compute the ROI(1) based on Rmax
beacons.
• Intersect future ROI(1) estimation with
ROI(1).The sensor cannot be displaced
outside ROI(1)
HiRLoc ROI SeRLoc ROI
L1
L4
L3
L2 Impersonator
Case 2: Communication Range Variation
43
Performance Evaluation (1)SeRLoc vs. HiRLoc – Antenna orientation variation
•3-sector antennas
used, beamwidth
120o.
•Each antenna
rotation is by 40o.
•LH % of ROI
improvement .
•After 3 antenna
rotations.
ROI(3)<0.46 ROI(1)
44
Performance Evaluation (2)SeRLoc vs. HiRLoc – Antenna orientation variation
•LH = 15.
•Each antenna
rotation is by 2π/3M,
M = # of
sectors
•Sectors % of ROI
improvement .
•After 3 antenna
rotations.
ROI(3)<0.46 ROI(1)
45
Performance Evaluation (3)SeRLoc vs. HiRLoc – Communication range variation
•After 3 antenna rotations
ROI(3) < 0.58ROI(1)
•3-sector antennas
used, beamwidth
120o.
•Each antenna
rotation is by 40o.
•LH % of ROI
improvement .
•For small LH, sectors
get out of range with
range reduction.
46
Performance Evaluation (4)SeRLoc vs. HiRLoc – Communication range variation
•LH = 15.
•Each antenna
rotation is by 2π/3M,
M = # of
sectors
•Sectors % of ROI
improvement .
•After 3 antenna
rotations.
ROI(3)<0.58 ROI(1)
47
Performance Summary
HiRLoc leads to significant improvement over
SerLoc even with a small number of antenna
rotations and/or communication range
variations.
HiRLoc is more effective for small LH and wide
antenna sectors, when SeRLoc does not give a
high resolution location estimation.
HiRLoc achieves high resolution localization
with no additional resources.