
Advanced Research Programs (ARP) funded a team of UHCL researchers to develop WSN experiments over the period 2007-2009. As the head of the project, Dr. Yang has led the team in developing labs to support research and teaching of network security, including wireless networks. The proposed work focuses on developing secure and effective algorithms for WSN human detection and tracking, and on integrating a WSN Test Bed into the existing computer security labs. The DCSL, which currently provides ample space to host the network devices and security appliances of the DCSL network, will be used to host the WSN Test Bed. The Secure and Optimized Communication & Organization for Target Tracking in Wireless Sensor Networks (SOHO) proposal was submitted to the Texas Higher Education Coordination Board (THECB) in April 2006 for the Advanced Research Programs grant. The proposal was accepted and completed by 2008.
WIRELESS SENSOR NETWORK
INTRODUCTION TO sOCO
This project describes an authentication mechanism to protect the Optimized Communication and Organization (OCO) method for routing and self-organization of a wireless sensor network. This includes authentication of sent messages to assure that they have not been altered (a.k.a. message integrity), and authentication of the sender to assure that the messages are not forged (a.k.a. origin integrity). The process begins with a survey of security threats and risk mitigation strategies common to all wireless sensor networks. This survey includes mainly attacks against origin and message integrity, as well as those against confidentiality and availability. The risk analysis converges into a risk assessment of OCO messaging. Selection of an elegant authentication solution requires a survey of current unicast and broadcast message authentication protocols for wireless sensor networks. The protocols will be contrasted to select the most appropriate one for OCO. The project also demonstrates, via simulation with the network simulation software OMNeT++, the energy costs of integrating message authentication into OCO. Understanding this cost enables an application owner to evaluate whether to accept the risk of insecure messaging or bear the cost of authentication.
GENERAL DESCRIPTION

Without authentication mechanisms tailored to the application, sensor networks will be unreliable for use in critical arenas. The receiver must be guaranteed that critical messages indeed originated from the claimed source. Conventional security mechanisms in use on the Internet are usually not applicable to wireless sensor networks because of the limited resources available in the sensor nodes, such as limited processor speed, smaller memory size, and limited communication channels and speed. Security comes at a cost, and that cost must be balanced with the goals of the application. The goal of this research project is to produce an efficient, authenticated version of the OCO method, which effectively provides both message integrity and origin integrity to wireless sensor network applications.

SECURITY GOALS

Security assessments of any application focus on the five fundamental tenets of information security: confidentiality, origin integrity, data integrity, non-repudiation, and availability.
    Confidentiality means the concealment of information from unauthorized entities. Mechanisms used to achieve confidentiality include access control mechanisms and cryptography. Cryptography scrambles, or encrypts, data to generate ciphertext unintelligible to any unauthorized viewer. The data can be made comprehensible to an authorized viewer who knows the secret key.
    Origin integrity, also known as authentication, refers to the trustworthiness of the source of data. It means that the receiver of a message can trust that the sender of the message is truthfully who it claims. An intruder should not be able to send a fabricated message and have it treated as a legitimate message from a trusted peer.
    Data integrity means that the user of the data can trust that the content of the information has not been changed in any way by an unauthorized intruder or improperly modified by an authorized user.
    Non-repudiation means that the sender of a message should not be able to deny later that he ever sent that message. In the pre-digital world, one achieved non-repudiation with a simple hand-written signature. In cryptography, it implies that authentication and data integrity can be certified with a high level of assurance and it cannot later be refuted.

PROPOSED SOLUTION: s(OCO)
Focusing strictly on authentication, instead of confidentiality or availability, balances the risk outlined in the risk assessment with the goal of conserving energy. This project recommends integrating origin authentication and message integrity into any OCO message with a total risk rating above 250. This captures all messages in the Processing, Tracking, and Maintenance phases. This authenticated version of OCO, known as s(OCO), provides individual message authentication with limited overhead. s(OCO) will protect the network from message fabrication and message spoofing as long as no nodes are compromised. If an attacker can compromise an active node, it can steal the shared key and defeat the security protocol.
In order to model the system, this proposal imposes a standard TinyOS packet format onto OCO communications and establishes standard sizes for OCO data fields. This facilitates calculation of the cost of integrating TinySec-Auth into OCO. Common fields among packets include destination address, Active Message (AM) type, and packet length. By starting packets with the destination address, nodes may employ early rejection of messages. When a node determines that it is not the intended recipient, it may conserve energy by dropping the packet. The active message type, analogous to a TCP or UDP port in the Internet protocols, specifies the appropriate handler function to extract and interpret the message on the receiver.
Figure illustrates the respective packet formats for TinyOS, TinySec-Auth, and s(OCO). Shaded fields in the packet diagrams represent fields protected by the MAC.
[Figure: packet formats for TinyOS, TinySec-Auth, and s(OCO)]
s(OCO) follows the packet format in TinySec-Auth and increases the TinyOS headers by one byte. Both proposals drop the 1-byte group ID and the 2-byte CRC fields in the original TinyOS packet and replace them with a 4-byte MAC. The MAC provides the packet integrity service of the CRC. The cipher key implicitly replaces the group membership function provided by the group ID. s(OCO) appropriates bytes from the payload for additional fields, including a counter used as a message id and the packet source address. Node addresses occupy two bytes. s(OCO) allocates 2 bytes each for time-to-synchronize and time-to-stay-awake. Node position, node energy level, and notification timestamps each receive 4 bytes. The standard fields in an s(OCO) packet consume 12 bytes.
PHASES PROPOSED FOR s(OCO)
Table summarizes the 14 OCO messages, their respective roles, and their packet length.

[Table: the 14 OCO messages, their roles, and packet lengths]
The Position Collection phase, which only occurs during network initialization, includes two messages with risk ratings below 250. The base broadcasts message M1, the Position Request message, immediately following node deployment. The nodes respond by sending message M2 to their parent, which in turn forwards the message toward the base. Because of the narrow attack window, the Position Collection phase messages receive a low total risk rating. Thus, implementation in a standard TinyOS packet format satisfies security requirements. Message M1 occupies 7 bytes and maps to TinyOS Active Message (AM) type 1. The Position Reply message, message M2, includes fields for reporting node ID and that node's position. These increase the packet length of M2 to 13 bytes.
In the Processing phase, the base station sends two topology type packets and three packets used to assign roles to nodes. s(OCO) must broadcast the topology messages because, at this point in the network setup, there is no route from the base station to the destination nodes. The topology information captured during the Position Collection phase only provided the path for nodes to report their id and position to the base station. Message M3 advises a child node of the id of its parent. M4 informs a parent node of the id of one of its children. A parent receives M4 for every one of its immediate children. The packets put the child node id and parent node id into the message payload, adding 4 bytes and increasing the length of M3 and M4 to 16 bytes. Because of the lack of a route from the base to the border, the base must also broadcast these messages. When a node receives one of these messages, it will check the id of the intended target in the payload and rebroadcast the message if necessary. Nodes use the counter to track whether or not they have already broadcast the message. M5, which requires 14 bytes, instructs a border node to activate its tracking sensor and its radio. M6 announces the time to sleep (TTS) and time to stay awake (TTSA) to redundant nodes. These time fields consume two bytes each and increase packet length to 18 bytes. Message type 7 consumes 14 bytes to instruct forwarding nodes of their occupation.
The two messages in the Target Tracking phase originate from a border node alerting its peers of an intruder. M8, sent toward the base station, includes fields for reporting node id and a 4-byte timestamp. It occupies 18 bytes in a TinySec-Auth format. A node broadcasts M9, which requires 12 bytes, to its neighbors to inform them of the intrusion.
The Maintenance phase supports network longevity with keep-alive messages and notifications when nodes lose their parent or child. Messages M10 through M14 constitute the Maintenance phase. By way of message M10, a child node can report its health to its parent. M10 includes a 4-byte field where the child node records its energy level, increasing total packet length to 16 bytes. A parent informs its children that it is still alive by broadcasting M11, which requires 12 bytes. Nodes that receive M11 do not rebroadcast it, as they would when they receive one of the Processing phase messages. However, nodes that receive the message must still authenticate it to determine if the source address belongs to their parent. s(OCO) does not define a recommended timing interval for sending M10 and M11, leaving the tradeoff between recovery time and energy use to the implementation.
Messages M12 and M13 make up the S.O.S. messages in s(OCO). A child node broadcasts the 12-byte message M12 when it does not receive message M11 from its parent. Neighboring nodes must authenticate, but not rebroadcast M11. A parent sends M13 to the base station when its child node fails to report its status. M13 includes 2 bytes for the lost child node id and 4 bytes for the parent node's energy level, lengthening it to 18 bytes. Each node that receives M13 must authenticate it and send it to its parent until it reaches the base. The base station periodically sends message M14 to resynchronize redundant nodes. This message includes updates to the time to synchronize and time to stay awake parameters. M14 consumes 16 bytes.
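Added example (not part of the original page or the project's code): a Python model of the receive path described above for the 12-byte s(OCO) header, covering early rejection on the destination address, MAC verification, counter-based duplicate suppression for the rebroadcast topology messages M3/M4, and the parent check for M11. Assumptions: the field order after the length byte, a 2-byte counter, a payload-only length field, AM type equal to the message number, and HMAC-SHA256 truncated to 4 bytes standing in for the TinySec-Auth MAC.

```python
import hashlib
import hmac
import struct

BCAST = 0xFFFF                 # TinyOS broadcast address
HDR = struct.Struct(">HBBHH")  # dest, AM type, length, source, counter (order and counter size assumed)
MAC_LEN = 4                    # 4-byte MAC that replaces the group ID and CRC

def mac(key, data):
    # Stand-in MAC (assumption): HMAC-SHA256 truncated to 4 bytes, not TinySec-Auth's own MAC.
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]

def build(key, dest, am, src, counter, payload=b""):
    # The length field counts message-specific payload bytes only (assumption).
    body = HDR.pack(dest, am, len(payload), src, counter) + payload
    return body + mac(key, body)

class Node:
    def __init__(self, addr, key, parent=None):
        self.addr, self.key, self.parent = addr, key, parent
        self.seen = set()      # (source, counter) pairs already processed

    def receive(self, pkt):
        """Return 'drop', 'reject', 'duplicate', 'rebroadcast' or 'accept'."""
        if len(pkt) < HDR.size + MAC_LEN:
            return "reject"
        # Early rejection: the destination is the first field, checked before any MAC work.
        if struct.unpack_from(">H", pkt)[0] not in (self.addr, BCAST):
            return "drop"
        body, tag = pkt[:-MAC_LEN], pkt[-MAC_LEN:]
        if not hmac.compare_digest(mac(self.key, body), tag):
            return "reject"    # altered in transit or sent without the shared key
        _, am, length, src, counter = HDR.unpack_from(body)
        payload = body[HDR.size:]
        if length != len(payload):
            return "reject"
        if (src, counter) in self.seen:
            return "duplicate" # already handled, so no second rebroadcast
        self.seen.add((src, counter))
        if am in (3, 4):       # topology: payload = child id, parent id (order assumed)
            if len(payload) != 4:
                return "reject"
            child, parent = struct.unpack(">HH", payload)
            target = child if am == 3 else parent
            return "accept" if target == self.addr else "rebroadcast"
        if am == 11:           # parent keep-alive: authenticate, never rebroadcast
            return "accept" if src == self.parent else "drop"
        return "accept"
```

Every node holds the same key in this model, which matches the limitation stated earlier: a key taken from one compromised node passes the MAC check on all of them.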
EXPERIMENTAL DESIGN AND TOOLS
The project put forth the hypothesis that securing OCO will increase the total cost of operating the network by between three percent and thirteen percent. The three percent lower bound reflects the cost of a packet in TinySec-Auth with a full 24-byte payload. The thirteen percent upper bound represents the cost increase of s(OCO)'s shortest 12-byte packets. The mean operating cost of s(OCO) should fall within these upper and lower bounds because of packet length and the influence of the sensor module and the radio module. The experiments will simulate an OCO network and an s(OCO) network and evaluate the mean operating costs of both networks under similar circumstances.
The experimental analysis employs the OMNeT++ network simulator for the implementation and evaluation of the s(OCO) countermeasures on network life span. OMNeT++ provides a framework that simplifies evaluation of communication protocols. OMNeT++ supplies a hierarchical set of modules, each interconnected through interfaces called gates. Since OMNeT++ manages transmission of messages through the gates, the developer can focus on implementation of application classes within each module. In this evaluation of OCO, an instantiation of an OMNeT++ application class randomly distributes nodes across the simulation grid during the Position Collection phase. It simulates the transmission and reception of Position Collection messages and tracks the cost of each message throughout the simulation.
A separate C# application reads the output from OMNeT++, constructs the coverage map, and performs the image processing tasks. This application determines node occupation, and organizes the network topology. The output from this application is fed back into the OMNeT++ simulator to evaluate the cost of message passing in the Processing and Tracking phases. The simulation omits modeling of the Maintenance phase. The OMNeT++ simulator and the C# image processing application lack automated interfaces that could allow simple integration of the two components. Without such interfaces, the network cannot seamlessly notify the base of the need for maintenance, reprocess the coverage map, and send new topology and occupation messages.
The simulation assesses energy consumed by the node's radio, its sensor, and its microcontroller. In the Position Collection and Processing phases, all nodes maintain an active radio and processor. Thus, a node's energy consumption in these first two phases depends mainly on the number of messages it has to send and receive. In the Tracking phase, a node's occupation influences its energy usage characteristics. Border nodes generally consume the most energy because both their sensor modules and radio modules remain active. Their processor sleeps until it is required to create a message. Forwarding nodes should consume less since they keep their sensor disabled until one of their neighbors detects an intruder. Their radio remains enabled to receive and forward messages. As with border nodes, their microcontroller sleeps except to create messages. All three components of redundant nodes remain deactivated, although they periodically wake up to receive commands sent by the base. The simulation assumes that the base station has unlimited energy and computation resources.
EXPERIMENTAL RESULTS
This analysis of results aims to identify the impact s(OCO) has on individual nodes and on the network as a whole. According to the TinySec paper, the addition of authentication increases the cost of sending a single 24-byte packet by three percent. However, this value does not apply globally to individual OCO or s(OCO) packets, which range in length from 12 to 18 bytes total. Shorter packets cost more because MAC computation must occur early in packet transmission, before the first byte leaves the mote radio. In longer packets, the cost of computing the MAC averages out over more bytes. This supports the case for defining a lower bound of three percent. Other services besides messaging consume energy in a wireless sensor network, such as the sensor and processor. The experimental results support the hypothesis that s(OCO) costs between three percent and thirteen percent more of total network energy than the standard, unauthenticated OCO.
The addition of authentication to OCO increases total energy consumption to between 8 and 10 percent of all energy consumed during the experiments. While the results only slightly exceed the costs of maintaining an active processor or an active sensor, they still negatively influence the longevity of an OCO network. Since the network stabilizes during the Tracking phase, it should be able to sustain operations for a long duration with s(OCO). Nodes that transmit or receive a higher number of messages than their peers may benefit from an alternative risk assessment methodology.
The survey conducted as part of this project tracked the evolution of two disparate fields in sensor network research: target tracking applications and authentication protocols. While both areas of research strive for efficiency, the addition of security to a target tracking mechanism increases energy consumption. Sensor network authentication protocols similarly strive for efficiency by reducing computation and communication costs.
COPYRIGHT © 2007 University of Houston Clear Lake. ALL RIGHTS RESERVED.