Security and Safety Analysis of WSN Based on Finite Model Checking

Vladimir A. Oleshchuk, University of Agder, Norway
Vladimir I. Zadorozhny, University of Pittsburgh, USA

©V.Oleshchuk & V. Zadorozhny, UkrProg 2008 Kiev

  • Outline
    WSN basics
    Motivation
    Simulation and model checking for security analysis
    Trust-Aware Query Processing in Data Intensive Sensor Networks
    Experimental results
    Conclusions

  • WSN Basics

  • Real world and computer world (figure slide)

  • From sensors to sensor nodes
    Figure: sensor, sensor node, autonomous computer

  • From sensor nodes to sensor networks
    (Collaboration, event-driven processing, ...) = distributed applications

  • Basic WSN Taxonomy
    Topology:
    Random sensor network (no a-priori topology)
    Structured sensor network (a-priori topology)
    Special-purpose WSNs (e.g., Structural Health Monitoring)
    Mesh networks (e.g., MeshScape 4.0 Millennial Net system)
    Mobility:
    Stationary sensor nodes
    Mobile sensor nodes

  • Typical WSN applications
    Support distributed interaction with the physical environment through measuring and aggregating data.
    Example: monitoring and information tracking for managing critical assets:
    Structural Health Monitoring (SHM) for monitoring the integrity of civil and military structures
    Monitoring of the vital-sign parameters of patients
    Military (battlefield) applications

  • CoBIS
    Scenario: support for safety-critical processes, such as alerting against inappropriate materials being stored together or outside of approved storage facilities.

  • VITUS (Video Image analysis for TUnnel Safety)
    The main aim of this project is to build and implement a prototype of an automatic video image analysis system in order to increase safety in road tunnels.

  • CenSCIR (and Sustainable Bridges) (figure slide)

  • WINES II
    Use of wireless sensor networks for ageing engineering infrastructures (water supply, tunnels, bridges, etc.)

  • WSN Applications
    Generally speaking, WSNs can be used in applications where sensors are unobtrusively embedded into systems, consequently involving operations like:
    monitoring
    tracking
    detecting
    collecting
    reporting

  • Security concerns
    The reasons why security becomes an essential issue in WSN are:
    the sensitive nature of many of those applications (especially Critical Infrastructure Protection)
    the untrusted environment where the sensors are deployed
    the drawbacks shared with any wireless network: the natural physical protection of wired communications is not present

  • Security concerns
    It is difficult to protect a WSN because every node becomes a potential point of logical and physical abuse.
    Logical: monitor transmissions, intercept and modify data, and impersonate nodes, injecting false information to others.
    Physical: gain access to one or more nodes and reprogram their operation; introduce fake nodes of their own.

  • Security Requirements
    Data confidentiality
    Authentication
    Data integrity
    Data freshness
    Non-repudiation
    Availability
    Time synchronization
    Secure localization
    Self-organization
    Forward secrecy
    Backward secrecy

  • WSN products
    AMPS-1 (MIT)
    MICA-2 and MICA2Dot (UC Berkeley, Crossbow)
    Medusa MK-2 (UCLA)
    RAM: 4-128 KB; Flash: 32 KB - 1 MB; running at 4-40 MHz

  • Wireless Network Standards
    IEEE 802.15: wireless personal area networks, suitable for low-power and low-data-rate sensor networks.
    802.15.4: data rates of 20, 40 or 250 kbps in the 868, 915 or 2400 MHz bands respectively. Typical transmit power: 1-2 mW.

  • Challenges
    It is questionable whether primitives traditionally used in other networking scenarios are suitable for sensor networks, because of the small amount of RAM and the very modest computational power. Cryptographic operations must be designed to minimize the use of memory.
    Also, the design of secure protocols should consider that each bit transmitted consumes as much power as executing hundreds of instructions.

  • Example: Routing
    The maximum transmission distance of the current generation of sensor nodes ranges between 100 and 300 m. Thus, messages cannot be transmitted directly between any two nodes: routing infrastructures are needed.
    Algorithms should work
    even when nodes start to fail due to energy issues,
    with any network size and node density,
    providing a certain quality of service,
    minimizing memory usage, speed and energy consumption.
    And security must be considered!!!

  • Collisions and Collision Domains (figure slide)

  • Collision Aware Data Delivery (figure slide)

  • Secure Routing
    Challenge: (almost) no protocols designed with security in mind from scratch!
    It is essential to make the routing algorithm robust against attacks: malicious nodes and denial of service are still possible.
    Some work focuses on protection of existing routing protocols; other work focuses on designing new protection techniques.

  • Security issues in WSN
    Sensor nodes are devices with limited computational and energy resources.
    Wireless (open) transmission of critical information over limited communication channels (distance and bandwidth).
    Sensors can be either inaccessible, or easily accessible and unprotected.
    A WSN can be large and potentially dynamic.

  • Problem of assuring WSN security
    Users expect that a certain level of WSN security will be guaranteed despite the limited resources (energy) allocated to each node.
    Use of simulation tools may help to produce a quantitative security assessment on particular execution sequences.
    These predictions depend on the number of simulation runs performed, and on the criteria used to select these runs.
    Seldom but critical worst-case execution scenarios may be ignored during the simulation campaign.

  • Two approaches: Simulation and Model Checking
    The objective of using simulation is to study the average-case behavior of a WSN.
    The objective of using model checking (MC) is to provide an approach to discover worst-case scenarios, to improve the security, safety and reliability of sensor network based applications.

  • High-level MC scenario for WSN analysis
    Step 1: Define a model M, a behavioral description of the whole WSN that represents all possible execution sequences.
    Step 2: Use MC to find the worst-case execution sequences.

  • Example: Using MC to find the minimal lifetime of a WSN
    Identify the set of final states in the model M representing the state of the network when it is considered dead.
    Find the shortest execution sequences (from the time-duration point of view) leading to such final states.
    Such execution paths represent a worst-case execution scenario and give the minimal lifetime of the network.
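The two-step scenario and the minimal-lifetime search above, carried out on a small constructed model as an added example (this is not the slides' own model or the authors' tool). The topology, energy budgets, per-hop cost and per-hop latency are all assumptions; the network is considered dead when some source node can no longer reach the base station B. An exhaustive shortest-time search over the finite state space returns the worst-case execution and its duration, and a random-walk simulation of the same model is included to contrast the average-case view with it.

```python
"""Finite-model worst-case analysis of a tiny WSN (added example, constructed model).

Three energy-carrying nodes (S1, S2 are sources, R is a relay) and a base
station B.  Each transmission costs the sending node one energy unit and each
hop takes HOP_TIME seconds.  The network is 'dead' once some source can no
longer deliver a reading to B.  Dijkstra over elapsed time finds the shortest
execution sequence that reaches a dead state, i.e. the minimal lifetime.
"""
import heapq
import random

# Constructed topology: which neighbours each node may transmit to.
LINKS = {"S1": ["R"], "S2": ["R", "B"], "R": ["B"]}
SOURCES = ("S1", "S2")          # nodes that must deliver readings to B
NODES = ("S1", "S2", "R")       # energy-carrying nodes (B is unconstrained)
INITIAL = (4, 5, 2)             # constructed energy units for S1, S2, R
HOP_TIME = 1.0                  # constructed latency per hop, in seconds


def routes(src, state, path=None):
    """All simple paths from src to B using only nodes that still have energy."""
    path = path or [src]
    if src == "B":
        return [path]
    if state[NODES.index(src)] < 1:
        return []
    out = []
    for nxt in LINKS[src]:
        if nxt not in path:
            out += routes(nxt, state, path + [nxt])
    return out


def is_dead(state):
    """Final state of model M: at least one source has no usable route to B."""
    return any(not routes(s, state) for s in SOURCES)


def successors(state):
    """Enabled transitions: a source delivers one reading along one available route."""
    for src in SOURCES:
        for path in routes(src, state):
            nxt = list(state)
            for node in path[:-1]:          # every transmitting node pays one unit
                nxt[NODES.index(node)] -= 1
            yield tuple(nxt), HOP_TIME * (len(path) - 1), f"{src} via {'-'.join(path)}"


def minimal_lifetime(initial=INITIAL):
    """Dijkstra over the finite state space: shortest elapsed time to a dead state.
    Returns (time, list of transition labels); (inf, []) if no dead state is reachable."""
    best = {initial: 0.0}
    trace = {initial: []}
    frontier = [(0.0, initial)]
    while frontier:
        t, state = heapq.heappop(frontier)
        if t > best[state]:
            continue                        # stale queue entry
        if is_dead(state):
            return t, trace[state]
        for nxt, dt, label in successors(state):
            if t + dt < best.get(nxt, float("inf")):
                best[nxt] = t + dt
                trace[nxt] = trace[state] + [label]
                heapq.heappush(frontier, (t + dt, nxt))
    return float("inf"), []


def simulated_lifetime(runs=200, seed=1, initial=INITIAL):
    """Average-case view for contrast: random transitions until the network is dead."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(runs):
        state, t = initial, 0.0
        while not is_dead(state):
            state, dt, _ = rng.choice(list(successors(state)))
            t += dt
        total += t
    return total / runs


if __name__ == "__main__":
    t, path = minimal_lifetime()
    print(f"minimal lifetime: {t} s, worst-case execution: {path}")
    print(f"mean simulated lifetime: {simulated_lifetime():.2f} s")
```

In this model the relay R is the bottleneck: two readings routed through it exhaust it after 4 s, well before the average random run ends, which is exactly the kind of rare worst-case sequence a simulation campaign can miss.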

  • Trust-Aware Query Processing in Data Intensive Sensor Networks

  • Outline
    Trust-based routing: motivation
    System model
    Subjective logic
    Trust-based routing: an example
    Experimental results

  • Trust-based routing: motivation
    The current focus of research is mostly on time/energy efficiency.
    Reliability and trustworthiness of gathered data may be critical.
    Usage of cryptographic protection is limited.

  • Trust-based routing: idea
    The required level of trustworthiness can be achieved by routing data via trusted sensors, even though such trusted routes are longer and may be more time/energy consuming.
    The trustworthiness of each sensor or group of sensors may be determined from their context (e.g., properties of the deployment area, sensor design, etc.).

  • System model (1)
    Two types of nodes: sensors and base stations.
    Every sensor can be associated with one or several base stations.
    Each sensor and each base station has an assigned opinion about the trustworthiness of the sensors it queries.
    Each base station knows the opinions about the sensors it controls and the opinions about the trustworthiness of recommendations from sensors and other base stations.

  • System model (2)
    A level of trust is assigned to each sensor based on its location, design, software configuration, etc.
    A sensor query originates at a base station, which propagates it to all sensor nodes in the network and collects the results back from the sensors.
    A query optimizer runs at a base station and generates a set of alternative query routing trees.
    The optimizer selects a query tree that delivers results satisfying the trustworthiness requirements (in addition to other requirements, such as maximizing concurrent transmissions).

  • Subjective logic
    An opinion expresses a level of trustworthiness.
    Let t, d and u be such that ... Then the triple is called an opinion, whose components correspond to trust, distrust and uncertainty respectively.
    The level of trustworthiness is defined based on several opinions.
    Distrust could be expressed as the opinion {0.0, 0.9, 0.1}.
    Maximum trust could be expressed as the opinion {0.96, 0.0, 0.04}.

  • Subjective logic operators
    Subjective logic defines a set of logical operators for combining opinions, such as conjunction, recommendation, and consensus.
    An opinion of entity A about a logical statement p being true is denoted ...
    For example, if A is a sensor node, statement p corresponds to the statement that data received from A represents the temperature in room XXX.

  • Conjunction of opinions (formula slide)

  • Recommendation operator (1)
    A has no direct opinion about p, and will try to deduce some indirect opinion about the trustworthiness of p based on a given recommendation.
    An opinion of entity A about the trustworthiness of a recommendation given by B is denoted ... when B gives a recommendation to A about the trustworthiness of a statement p in the form of its opinion.

  • Recommendation operator (2) (formula slide)

  • Consensus operator
    When there are several independent opinions about the same statement p, we can use the consensus operator to get a combined opinion about that statement.

  • Sensor network with base station and aggregation sensor node (figure slide)

  • Optimized routing query tree (figure slide)
    Figures: the query tree without consideration of trustworthiness requirements, and the query tree with consideration of trustworthiness requirements.

  • Analyzing trust properties
    Let ... denote the trustworthiness level of the result received by B on query q.
    In English: the trustworthiness level of any query issued by node B will never be lower than N.
    In LTL: ...

  • Expressing it in LTL
    The WSN is secure in the sense that any measurement can be delivered at least on trust level N.
    Any message can eventually be delivered to base station B without degradation of its trustworthiness.
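The subjective-logic operators of the preceding slides and the "never lower than N" trust property of the last two, worked through as one added example that is not the authors' code. The slides' operator formulas are not preserved in this transcript, so the standard definitions of conjunction, recommendation (discounting) and consensus from Jøsang's subjective logic are assumed to be the ones used; the topology, the base station's opinions about each node, the candidate routes and the threshold N are constructed. Trust along a route is the conjunction of the opinions about every transmitting node on it, and the property is checked exhaustively over the finite set of candidate routes, reporting the violating routes as counterexamples in the way a model checker would.

```python
"""Subjective-logic opinions and an exhaustive trust-level check over query routes
(added example; operator definitions assumed to be Jøsang's standard ones)."""
from functools import reduce


def opinion(t, d, u):
    """An opinion is a triple (t, d, u) of trust, distrust and uncertainty with t + d + u = 1."""
    if abs(t + d + u - 1.0) > 1e-9:
        raise ValueError("t + d + u must equal 1")
    return (t, d, u)


def conjunction(a, b):
    """Opinion that both statements hold; trust is multiplicative, so chains decay."""
    ta, da, ua = a
    tb, db, ub = b
    return (ta * tb, da + db - da * db, ta * ub + ua * tb + ua * ub)


def recommendation(a_about_b, b_about_p):
    """A's opinion about p derived from B's opinion, discounted by A's trust in B as recommender."""
    tab, dab, uab = a_about_b
    tbp, dbp, ubp = b_about_p
    return (tab * tbp, tab * dbp, dab + uab + tab * ubp)


def consensus(a, b):
    """Combine two independent opinions about the same statement (reduces uncertainty)."""
    ta, da, ua = a
    tb, db, ub = b
    k = ua + ub - ua * ub
    if k == 0.0:  # both opinions dogmatic (u = 0); plain averaging is an assumed simplification
        return ((ta + tb) / 2, (da + db) / 2, 0.0)
    return ((ta * ub + tb * ua) / k, (da * ub + db * ua) / k, ua * ub / k)


# Constructed opinions held by base station B about each node it may route through.
# The unprotected node U mirrors the 'unprotected (t=0.3)' setting of the experiments.
OPINIONS = {
    "S1": opinion(0.98, 0.01, 0.01),
    "R1": opinion(0.98, 0.01, 0.01),
    "R2": opinion(0.97, 0.02, 0.01),
    "U": opinion(0.30, 0.50, 0.20),
}

# Constructed candidate routes for delivering S1's reading to B (B itself is trusted).
ROUTES = [["S1", "R1", "B"], ["S1", "U", "B"], ["S1", "R1", "R2", "B"]]


def route_opinion(route, opinions=OPINIONS):
    """The result is trustworthy only if the source and every relay behaved:
    conjunction of B's opinions along the path."""
    return reduce(conjunction, (opinions[n] for n in route if n != "B"))


def chain_opinion(node_opinion, hops):
    """Opinion about data relayed over `hops` identical nodes; shows the multiplicative decay."""
    return reduce(conjunction, [node_opinion] * hops)


def trust_violations(n_level, routes=ROUTES, opinions=OPINIONS):
    """Exhaustive check of 'trust of any result received by B is never below N' over all
    candidate routes.  Returns the violating routes (counterexamples); empty if it holds."""
    return ["-".join(r) for r in routes if route_opinion(r, opinions)[0] < n_level]


def trust_aware_route(n_level, routes=ROUTES, opinions=OPINIONS):
    """Shortest route whose trust meets N; None if no route satisfies the requirement."""
    ok = [r for r in routes if route_opinion(r, opinions)[0] >= n_level]
    return "-".join(min(ok, key=len)) if ok else None


if __name__ == "__main__":
    for r in ROUTES:
        t, d, u = route_opinion(r)
        print(f"{'-'.join(r):<12} t={t:.3f} d={d:.3f} u={u:.3f}")
    print("violations of N=0.9:", trust_violations(0.9))
    print("trust-aware choice:", trust_aware_route(0.9))
    print("30-hop chain of t=0.98 nodes:", chain_opinion(OPINIONS["S1"], 30))
```

Two things the run makes visible: a single unprotected relay (t=0.3) drags a route's trust from about 0.96 to about 0.29, so the property fails only on the route through U and the optimizer must take the longer trusted route; and a chain of thirty nodes rated 0.98 each still ends near 0.55, which is the multiplicative decay the experiments attribute to the conjunction operator.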

  • Questions in progress
    What is the trade-off between energy and trust efficiency, latency and trust, etc.?
    What is the minimal lifetime in a trust-aware WSN?
    What is the relation between the required trust level and lifetime?
    We should be able to validate that a WSN conforms to a given security policy.

  • Trust-Aware Query Processing in Data Intensive Sensor Networks: Some Experimental Results

  • Experiments
    Small-scale topology (10 nodes): experimental set-up, results
    Large-scale topology (73 nodes): experimental set-up, results

  • Small-scale: Experiments Set-up
    10-node wireless sensor network
    Data-intensive
    Multi-hop delivery
    Each node transmits at least 128 Kb
    Each node has an opinion: t ranges between 0.97-0.99 (high trust!); d and u are randomly assigned values such that t+d+u = 1
    (figure: topology with Base Station)

  • Small-scale: Routes
    Data delivery evaluated on the following 5 different routes (figure: five route diagrams, each ending at the Base Station)

  • Time and Energy Cost for Various Routes
    Route 1 has minimum energy cost.
    A time-energy optimizer would pick Route 1 or Route 3 as a (near) optimal route.
    Routes 1, 2 and 5 have comparable latency.
    Route 3 has minimum latency.
    Route 4 has maximum latency and energy cost.

    Chart data (time and energy cost per route):

    Route   Time Cost (s)   Energy Cost (J)
    1       119.824         9.66
    2       122.016         12.16
    3       105.63          10.81
    4       195.456         19.008
    5       125.824         10.912

  • Opinions for Various Routes
    Routes 1, 2, 3 and 5 have comparatively higher trust (between 0.5 and 0.6).
    Route 1 has the lowest distrust.
    Route 4 has the lowest trust.
    A trust-aware optimizer will pick Route 1 as an efficient data delivery route.

    Chart data (opinion per route):

    Route   Trust   Distrust   Uncertainty
    1       0.556   0.181      0.263
    2       0.557   0.191      0.252
    3       0.574   0.199      0.227
    4       0.455   0.211      0.334
    5       0.58    0.214      0.206

  • Small-scale Experiments: Conclusions
    No significant trade-off was observed between the low-latency/low-energy-cost schedule and the high-trust schedule when all the initial trust values are set within a high range (0.97-0.99).
    Trust values seem to be very sensitive, due to the multiplicative property of the conjunction operator.

  • Large-scale: Experiments Set-up
    Large-scale experiment to understand the sensitivity of trust values and to explore trade-offs in a large network.
    73 nodes
    1200 m x 1200 m area; range: 100-150 m
    6 peripheral nodes (marked by squares in the figure) are the data source nodes; all other nodes just relay data
    729 possible data delivery topologies considered

  • Large-scale: Sensitivity Analysis
    Initial individual node trust values set in the range 0.97-0.99.
    For the whole network: trust ranged between 0.35-0.45 (figure a); distrust ranged between 0.19-0.24 (figure b); uncertainty ranged between 0.35-0.45 (figure c).
    Any lower value of trust in the network decreases the overall trust by a bigger factor. Longer chains of the network path with comparable trust values (not equal to 1) also decrease the trust values. This is because of the definition of the conjunction and recommendation operators in the trust subjective logic.
    (figures a, b, c)

  • Large-scale: Analysis
    Most of the data delivery paths had latency ranging between 400-600 s, with a few at low latency between 300-400 s.
    Energy cost ranged between 50 and 100 J.
    However, again, for this set of experiments trust values were very low (0.35-0.45), as was the case with the small-scale experiment.
    (figures)

  • Large-scale: Optimizer choices
    Again, there were no significant trade-offs observed between latency/energy cost and opinion. However, the optimizer could explore interesting data delivery schedules.

    Schedule                  Trust   Distrust   Uncertainty   Latency (s)   Energy (mJ)
    Max Trust Schedule        0.432   0.204      0.364         472.54        458241.92
    Min Distrust Schedule     0.379   0.196      0.425         550.0         875803.05
    Min Uncertainty Schedule  0.411   0.235      0.354         505.02        466746.49
    Min Latency Schedule      0.419   0.214      0.367         325.95        258900.39
    Min Energy Schedule       0.424   0.2        0.376         376.7         253909.52

    Best Desired Schedule     0.432   0.196      0.354         325.95        253909.52

  • Large-scale: Sensitivity Analysis and Trade-off
    6 nodes with low trust (0.3) (introduced to explore trade-offs)
    Other nodes: individual trust values 0.8-0.99
    Network trust values obtained were still very low, between 0.002-0.014
    (figures)

  • Large-scale: Sensitivity Analysis and Trade-off
    6 nodes with low trust (0.3)
    Other nodes: individual trust values 0.91-0.99 (increased from the last set of experiments)
    Network trust values were still very low, between 0.06-0.13
    (figures)

  • Large-scale: Sensitivity Analysis and Trade-off
    3 nodes unprotected (t=0.3)
    Other nodes: t=0.99-1.0
    Trust values vary in the 3rd decimal place
    TRADE-OFF: the lowest-latency data delivery routes also have the lowest network trust values; thus, high-trust and medium-latency routes are chosen by the optimizer to deliver data efficiently in a trust-aware fashion.
    (figures)

  • Conclusions
    Trust values are very sensitive. Any change in the 3rd decimal place of a trust value implies a much larger change in the actual trust of the node.
    Trade-offs were observed between the low-latency/low-energy-cost schedule and the high-trust schedule when all the initial trust values are set within a high range (0.99-1.0) and a few of the nodes are assumed unprotected (trust=0.3).
    Our trust-aware optimizer is able to explore the trade-off opportunities to find an efficient data delivery route.