
Distributed Detection of Node Replication Attacks in Sensor Networks
Bryan Parno, Adrian Perrig, Virgil Gligor
IEEE Symposium on Security and Privacy 2005

Xia Wang
CS610, Fall 2005
Outline
Introduction
Preliminary protocols
Randomized multicast
Line-selected multicast
Simulations
Conclusions and Future work
Introduction
Sensor nodes are small, low-cost and usually
hardware unprotected.
Unshielded sensor nodes are easily captured and
replicated in hostile environments.
Node replication attacks: A legitimate node is
captured and compromised by an adversary,
then the adversary can replicate the node
with the same ID and insert those nodes in
the network.
Using replicated nodes the adversary could
subvert the whole network.

Existing Approaches
Centralized monitoring: all nodes
transfer a list of their neighbors'
claimed locations to a central base
station that examines location conflicts.
Single point of failure
Localized voting systems: nodes can
revoke their neighbors.
Cannot detect distributed node replication.
Some assumptions and Goals
Assumptions:
The adversary cannot create new IDs for nodes or
simply guess a new ID.
The percentage of nodes captured is limited.
Any cloned node has at least one legitimate node as a
neighbor. (can be removed)
Each node knows its geographic position.
Goal:
Provide schemes to detect node replication attacks
without centralized monitoring and revoke the
replicated nodes.
Lower memory consumption and communication costs
Preliminary approaches
Node-To-Network Broadcasting
Deterministic Multicast
Node-To-Network Broadcasting(1)
Each node uses an authenticated
broadcast message to flood the network
with its location information.
Each node stores the location
information for its neighbors.
If a conflicting claim is detected, the
offending node is revoked.

Node-To-Network Broadcasting(2)
Simple and achieves a 100% detection rate
Each node stores location information
for its d neighbors.
Total communication cost is $O(n^2)$

Deterministic Multicast
Each node broadcasts its location to its neighbors.
Neighbors forward the location claim to a subset of the
nodes, the witnesses:
$F() = W_1, W_2, \ldots, W_g$
Once a witness detects a location conflict, it
revokes the node by flooding.
If each node selects $(g \ln g)/d$ random destinations
from the set of witnesses and the average path length
is $O(\sqrt{n})$, then the communication cost is
$O\left(\frac{g \ln g \sqrt{n}}{d}\right)$
Because F is a deterministic function, an adversary can also
determine all witness nodes.
Randomized Multicast(1)
Each node broadcasts its location to its neighbors $1, 2, \ldots, d$
in the format
$\langle ID, l, \{H(ID, l)\}_{K^{-1}} \rangle$
Each neighbor verifies the node's signature and location $l$.
With probability p, each neighbor selects g random
locations as witnesses.
Geographic routing is used to forward the node's location.
Upon receiving a location claim, each witness verifies
the signature and checks for location conflicts.
If a node replication attack is detected, the witness floods
the network with the two conflicting
locations.
What's the probability of a collision?
Security Analysis of Randomized Multicast (1)
Suppose a malicious node is replicated at locations $l_1, l_2, \ldots, l_L$.
At each location $l_i$, $p \cdot d$ nodes randomly select $g$ witnesses.
p - Probability a neighbor will replicate location information
d - Average degree of each node
g - Number of witnesses selected by each neighbor
The probability that two conflicting location reports collide at
some witness node.
The birthday paradox predicts at least one collision with high
probability.
(In a room with 23 people, there is a chance of more than 50%
that two of them have the same birthday.)
Ideally, the node's location will be saved at $p \cdot d \cdot g$ locations.

$$P_{nc1} = \left(1 - \frac{p \cdot d \cdot g}{n}\right)^{p \cdot d \cdot g}$$

$$P_{nc2} = \left(1 - \frac{2\, p \cdot d \cdot g}{n}\right)^{p \cdot d \cdot g}$$

$$P_{nc} = \prod_{i=1}^{L-1} \left(1 - \frac{i\, p \cdot d \cdot g}{n}\right)^{p \cdot d \cdot g}$$

$$(1 - x)^y = 1 - xy$$

$$(1 + x) \le e^x$$

$$P_{nc} \le e^{-\frac{p^2 d^2 g^2}{n} \cdot \frac{L(L-1)}{2}}$$

$$P_c = 1 - P_{nc}$$

$P_{nc1}$ is the probability that the $p \cdot d \cdot g$ recipients of
claim $l_1$ do not receive any of the $p \cdot d \cdot g$ copies of
claim $l_2$.
$P_{nc}$ is the probability of no collision at all.
With n = 10,000, g = 100, d = 20, p = 0.05, the probability to
detect a single replication is greater than 63%, and the
probability to detect two replications is greater than 95%.
Not efficient: communication cost is $O(n^2)$
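The collision analysis above can be checked numerically. The following Python is an added example, not taken from the slides or the paper: it evaluates the $P_{nc}$ product and the bound derived from $(1 + x) \le e^x$, and compares them with a Monte Carlo run that assumes exactly round(p·d) neighbors forward each claim to g distinct, uniformly chosen witnesses. All function names are hypothetical.

```python
import math
import random

def p_no_collision(n, p, d, g, L):
    """Slide formula: P_nc = prod_{i=1}^{L-1} (1 - i*p*d*g/n)^(p*d*g)."""
    w = p * d * g                      # witnesses per claimed location
    prob = 1.0
    for i in range(1, L):
        prob *= max(0.0, 1.0 - i * w / n) ** w
    return prob

def p_detect_bound(n, p, d, g, L):
    """Lower bound on P_c = 1 - P_nc obtained from (1 + x) <= e^x."""
    w = p * d * g
    return 1.0 - math.exp(-(w * w) * L * (L - 1) / (2.0 * n))

def simulate_detection(n, p, d, g, L, trials=4000, seed=7):
    """Monte Carlo estimate of P_c under the idealized model of the analysis:
    exactly round(p*d) neighbors per location forward the claim (assumption),
    each to g distinct witnesses drawn uniformly from the n nodes."""
    rng = random.Random(seed)
    forwarders = int(round(p * d))
    detected = 0
    for _ in range(trials):
        holders = set()                # witnesses already storing a claim for this ID
        for _ in range(L):             # one pass per claimed location l_1..l_L
            witnesses = set()
            for _ in range(forwarders):
                witnesses.update(rng.sample(range(n), g))
            if holders & witnesses:    # same ID, different location at one witness
                detected += 1
                break
            holders |= witnesses
    return detected / trials

if __name__ == "__main__":
    n, p, d, g = 10_000, 0.05, 20, 100   # parameters quoted on the slide
    for L in (2, 3):
        print(L, round(p_detect_bound(n, p, d, g, L), 4),
              round(1 - p_no_collision(n, p, d, g, L), 4),
              round(simulate_detection(n, p, d, g, L), 4))
```

Here L counts the locations at which the same ID appears, so a single replication is L = 2 and two replications is L = 3.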
Line-Selected Multicast
When a location claim travels from one
node to another node, all the
intermediate nodes store the location
and virtually form a line across the
network.
If a conflicting location claim ever
crosses the line, then the node at the
intersection will detect the conflict.
Analysis of Line-Selected Multicast
The probability that two line segments intersect:
use the solution to Sylvester's Four-Point Problem.
The probability that four randomly selected points in a
convex domain will form a re-entrant quadrilateral is

$$\frac{35}{12\pi^2}$$

$$P_{intersect} = \frac{1}{3}\left(1 - \frac{35}{12\pi^2}\right) \approx 0.235$$
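The intersection probability can be verified by simulation. The following Python is an added example, not from the slides or the paper: it draws two random segments with endpoints uniform in a unit disk (the disk-shaped deployment region is an assumption) and compares the fraction that cross with the closed form $\frac{1}{3}\left(1 - \frac{35}{12\pi^2}\right)$. Function names are hypothetical.

```python
import math
import random

def point_in_disk(rng):
    """Uniform point in the unit disk, by rejection sampling."""
    while True:
        x, y = rng.uniform(-1.0, 1.0), rng.uniform(-1.0, 1.0)
        if x * x + y * y <= 1.0:
            return (x, y)

def orient(a, b, c):
    """Sign of the cross product (b - a) x (c - a): +1 left turn, -1 right turn."""
    v = (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])
    return (v > 0) - (v < 0)

def segments_cross(a, b, c, d):
    """True when segment ab and segment cd cross at an interior point."""
    return (orient(a, b, c) * orient(a, b, d) < 0 and
            orient(c, d, a) * orient(c, d, b) < 0)

def p_intersect_formula():
    """P_intersect = (1/3) * (1 - 35 / (12 * pi^2)), as on the slide."""
    return (1.0 - 35.0 / (12.0 * math.pi ** 2)) / 3.0

def estimate_p_intersect(trials=100_000, seed=3):
    """Fraction of trials in which two random segments in the disk cross."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a, b, c, d = (point_in_disk(rng) for _ in range(4))
        hits += segments_cross(a, b, c, d)
    return hits / trials

if __name__ == "__main__":
    print(round(p_intersect_formula(), 4), round(estimate_p_intersect(), 4))
```

The factor 1/3 appears because four points in convex position can be paired into two segments in three ways, and only the pairing along the diagonals crosses.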
Advanced Analysis of Line-Selected Multicast
With only 2 random segments per point, the probability is >56%
With 5 segments per point, the probability is 95%
Simulations
Communication Overhead
Simulation(2)
The average probability of detecting a single node replication
using Line-Selected Multicast in a variety of topologies.

Conclusions and Future Work
Conclusions
Proposed randomized multicast scheme and line-selected multicast
scheme to detect distributed node replication attack
Line-selected multicast provides excellent resiliency while achieving
near optimal communication overhead.
Both primary protocols illustrate the power of emergent properties
in sensor networks.
Future work
Consider misbehavior by malicious nodes
Critique
Once one conflicting location claim is detected, the revocation
of the replicated nodes is flooded through the whole
network. As the node replication attack happens during a certain time
slot, the malicious node may get other nodes' ID information before
detection starts. In that case, this malicious node can fabricate
conflicting location information and flood it into the network. The
malicious node can exhaust the energy of the network by flooding this
conflicting information.
