
Securing Topology Maintenance Protocols for Sensor Networks

Andrea Gabrielli, Luigi V. Mancini, Sanjeev Setia, and Sushil Jajodia, Senior Member, IEEE
Abstract. We analyze the security vulnerabilities of PEAS, ASCENT, and CCP, three well-known topology maintenance protocols
(TMPs) for sensor networks. These protocols aim to increase the lifetime of the sensor network by only maintaining a subset of nodes
in an active or awake state. The design of these protocols assumes that the sensor nodes will be deployed in a trusted, nonadversarial
environment, and does not take into account the impact of attacks launched by malicious insider or outsider nodes. We propose a
metaprotocol (Meta-TMP) to represent the class of topology maintenance protocols. The Meta-TMP provides us with a better
understanding of the characteristics and of how a specific TMP works, and it can be used to study the vulnerabilities of a specific TMP.
We describe various types of malicious behavior and actions that can be carried out by an adversary to attack a wireless sensor
network by exploiting the TMP being used in the network. We describe three attacks against these protocols that may be used to
reduce the lifetime of the sensor network, or to degrade the functionality of the sensor application by reducing the network connectivity
and the sensing coverage that can be achieved. Further, we describe countermeasures that can be taken to increase the robustness of
the protocols and make them resilient to such attacks.
Index Terms: Mobile applications, pervasive computing, wireless sensor networks, reliability, security and privacy protection.

1 INTRODUCTION
Topology maintenance protocols (TMPs), such as SPAN
[2], ASCENT [3], PEAS [4], and CCP [5], are critical to
the operation of wireless sensor networks. These protocols
aim to increase the lifetime of the sensor network by only
maintaining a subset of nodes in an active or awake state,
while turning off redundant nodes. There have to be
enough active nodes to maintain the connectivity of the
network as well as to obtain sensing coverage in the area
where the sensor network is deployed.
The various topology maintenance protocols that have
been proposed in the literature differ in their objectives as
well as in the approaches that are used to achieve their
objectives. For example, SPAN and ASCENT attempt to
maintain network connectivity, but do not guarantee
sensing coverage. On the other hand, PEAS and CCP are
designed to address both connectivity and the application's
coverage requirements in a configurable fashion.
All these protocols involve some form of coordination
and message exchange between neighboring nodes in
order to elect coordinators and determine sleep schedules.
These protocols were designed assuming a nonadversarial,
trusted environment. Consequently, they are vulnerable to
security attacks in which malicious nodes send spoofed or
false messages to their neighbors in an effort to defeat the
objectives of the protocol.
Attacks on the topology maintenance protocols can be
carried out either by entities that are external to the network
(outsider attacks) or by compromised nodes (insider attacks).
Insider attacks are a particularly challenging problem for
sensor networks because many sensor applications involve
deploying nodes in an unattended environment, thus
leaving them vulnerable to capture and compromise by an
adversary. Unlike outsider attacks, insider attacks cannot be
prevented by authentication mechanisms since the adver-
sary knows all the keying material possessed by the
compromised nodes.
In this paper, we propose a metaprotocol (Meta-TMP) to
represent the class of topology maintenance protocols. We
describe various types of malicious behavior and actions
that can be carried out by an adversary to attack a wireless
sensor network by exploiting the TMP being used in the
network. We describe three types of attacks that can be
launched against these protocols: sleep deprivation attacks
that increase the energy expenditure of sensor nodes, and
thus, reduce the lifetime of the sensor network; snooze
attacks that result in inadequate sensing coverage or
network connectivity; and network substitution attacks in
which multiple attackers collude to take control of part of
the sensor network.
Furthermore, we describe countermeasures that can be
taken to increase the robustness of the protocols and make
them resilient to such attacks. The proposed countermea-
sures include authentication mechanisms that can be used to
prevent outsider attacks and certain insider attacks (such as
impersonation attacks). However, we found that all these
protocols require incorporation of protocol-specific mea-
sures in order to increase their resilience to insider attacks.
We show that adding our countermeasures to the analyzed
protocols does not significantly impact their performance or
energy consumption.
450 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 8, NO. 3, MAY/JUNE 2011
. A. Gabrielli and L.V. Mancini are with the Dipartimento di Informatica,
University of Rome La Sapienza, via salaria 113, Rome 00198, Italy.
E-mail: {andrea.gabrielli, lv.mancini}@di.uniroma1.it.
. S. Setia is with the Department of Computer Science, George Mason
University, Fairfax, VA 22030. E-mail: setia@gmu.edu.
. S. Jajodia is with the Center for Secure Information Systems, George
Mason University, Fairfax, VA 22030. E-mail: jajodia@gmu.edu.
Manuscript received 16 Mar. 2007; revised 10 Feb. 2009; accepted 22 Sept.
2009; published online 3 Dec. 2009.
Recommended for acceptance by V. Gligor.
For information on obtaining reprints of this article, please send e-mail to:
tdsc@computer.org, and reference IEEECS Log Number TDSC-2007-03-0038.
Digital Object Identifier no. 10.1109/TDSC.2009.46.
1545-5971/11/$26.00 2011 IEEE Published by the IEEE Computer Society
To the best of our knowledge, the only other research
work that has pointed out the security issues of topology
maintenance protocols is [6]. However, while Karlof and
Wagner [6] describe the snooze attack against GAF [7],
SPAN [2], CEC [8], and AFECA [9], they
do not discuss using the snooze attack to reduce the sensing
coverage. Moreover, they do not take sleep deprivation and
network substitution attacks into consideration, nor do they
discuss any possible countermeasures. In another related
work [10], Stajano and Anderson introduced the problem of
the sleep deprivation attack. However, they did not consider
this attack in the context of topology maintenance protocols
nor did they describe any countermeasures.
The rest of this paper is organized as follows: in Section 2,
we survey TMPs. In Section 3, we
propose a metaprotocol (Meta-TMP) to represent the class of
topology maintenance protocols. Section 4 discusses the
threat model and the different kinds of adversaries we
expect to encounter in sensor networks. Next, in Section 5,
we present a taxonomy of the attacks that can be launched
against topology maintenance protocols. Sections 6 and 7
present a brief overview of the PEAS and CCP protocols,
respectively, and discuss the specific attacks against
each protocol. In Section 8, we discuss and evaluate the
performance of countermeasures for the two protocols.
Appendix A, which can be found on the Computer Society
Digital Library at http://doi.ieeecomputersociety.org/
10.1109/TDSC.2009.46, lists notations that have been used
in the rest of the paper. Finally, in Appendix B, which can be
found on the Computer Society Digital Library at http://
doi.ieeecomputersociety.org/10.1109/TDSC.2009.46, we
present the ASCENT protocol, discuss the specific attacks
against the protocol, and propose and evaluate the counter-
measures for the protocol.
2 SURVEY OF TMP PROTOCOLS
We believe that the three TMPs (PEAS, CCP, and ASCENT)
analyzed here are representative of many different mechanisms
that can be used to build TMPs. For example, the
HETCP [11] mechanism is similar to PEAS, and
two of the three variants of SLAM [12] can be built upon
protocols such as CCP and SPAN [2], as suggested by their
authors. The SPAN mechanism is similar to
CCP, and they share the same state activity diagram and the
same communication pattern.
Protocols such as GAF [7], CEC [8], AFECA [9], SPAN
[2], HETCP [11], DSSP [13] and many others are also
vulnerable to the attacks proposed in this paper.
HETCP [11] is composed of two phases. In the first,
called the Clustering phase, some nodes elect themselves as
cluster heads using information exchanged with their
neighbors; in particular, each node informs its neighbors
about its own residual energy and connection degree. In the
second, called the Sleep scheduling phase, nodes probe the
environment and decide whether to go to sleep. The Sleep
scheduling phase is identical to the operation of the PEAS
protocol; thus, HETCP can be attacked in the same way
we describe in this paper for PEAS. Moreover, the
adversary can cheat during the Clustering phase and make
all the legitimate nodes choose the adversary as cluster
head, so that the adversary controls all the communication
of the network.
Without specific security mechanisms, even a centralized
TMP can be vulnerable, as, for example, DSSP [13]. In DSSP,
there is a Base Station (BS) that is informed by the nodes
about their position and their residual energy. Using the
position and residual energy of the nodes, the BS periodically
decides which nodes have to remain awake and informs
the network by sending messages. An attacker can exploit
these two communication phases either to induce the BS to
choose a particular subset of nodes that has to remain active,
or to induce the nodes to enter an active or sleeping state erroneously.
The vulnerability of a TMP can even compromise other
protocols that run on top of the TMP, as, for example, a local
monitoring protocol like SLAM [12]. SLAM elects some
nodes, called guards, to perform traffic overhearing and
monitoring of neighbors. This protocol has three different
mechanisms depending on the TMP used in the network:
No-Action-Required SLAM, Adapted SLAM, and On-
Demand SLAM. The first and the second mechanisms
raise the threshold on the number of working nodes in order
to keep the guards awake. Two examples of TMPs that are
supported by No-Action-Required SLAM and Adapted SLAM
are, respectively, SPAN and CCP. Thus, these two mechanisms
can be attacked simply by attacking the underlying TMP. The
third mechanism, On-Demand SLAM, uses wake-up antennas
and the nodes' perception of their neighborhood to choose the
guards to be kept awake during communication. The adversary
can attack this third mechanism by exploiting the antennas to
wake up nodes, or it can inject false messages to compromise
the nodes' perception of their neighborhood, making the
legitimate nodes choose fake or malicious nodes as guards of
the communication.
There are other protocols, such as [14], [15], and [16],
that are designed, like TMPs, to reduce the energy
consumption of the network. However, they are not
based on scheduling sleep/wake periods to exploit
node redundancy. Instead, they are based either on
adjusting the transmission power of each node, or on
geometric structure-based methods to select next-hop
neighbors.
There are also protocols, such as [17], [18], [19], and [20],
that switch off the radio of active nodes when they do
not need to communicate. In accordance with [21] and [22],
we believe that protocols that use duty cycling on active
nodes should be classified as Power Management, and that
they are complementary to Topology Maintenance techniques.
Our study focuses on the security of protocols that
exploit node redundancy to select only a subset of
nodes to keep in the active state; thus, a detailed analysis
of the other kinds of protocols designed to reduce energy
consumption is outside the scope of this work.
3 META-TMP
What follows is a description of the functioning of a general
TMP and the definition of a Meta-TMP that can be used to
represent this class of protocols. The Meta-TMP provides us
with a better understanding of the characteristics and how a
specific TMP works. It is also a useful tool for studying the
security vulnerabilities of a specific TMP.
The abstraction of TMPs into a meta protocol, Meta-TMP,
is represented in the state diagram of Fig. 1.
Typically, a node that is involved in a TMP collects and
exchanges data with the neighborhood and periodically
decides whether to be active or to be asleep.
In order to keep things as general as possible, we use the
term Testing Data for the data that each node needs in order
to decide which state of activity it should be in.
We assume that each node might collect the Testing Data in
any state of activity.
The type of data and the nature of the tests that are
carried out by each node are closely related to the
characteristics and design of the TMP. Possible factors
that a TMP could use to decide the state of activity of
the nodes include: density of active nodes, position of the
nodes, communication traffic of the neighbors, packet loss
ratio, external environmental conditions, and time.
As a rule, nodes collect or exchange data locally, that is,
among neighboring nodes, by using communication pat-
terns such as unicast node-to-node, broadcast node-to-
neighbors, or eavesdropping on the neighbors using the
network interface in promiscuous mode.
Each node participating in the TMP can be in one of the
following states:
. M-Test_B: The starting state of each node. The node executes the test Test_B (Test Begin), and then makes a transition: if condition M-C_BS (Meta-Condition from Begin to Sleeping) is true, the node goes into the M-Sleeping state. Otherwise, if condition M-C_BS is false, the node goes into the M-Working state.
. M-Sleeping: In this sleeping state, the node saves energy. When the event M-E_Awake (Meta Event Awake) occurs, the node goes into the M-Test_W (Meta Test Working) state.
. M-Test_W: The testing state to start working. The node executes the test Test_W (Test Working), and then makes a transition: if condition M-C_SW (Meta-Condition from Sleeping to Working) is true, the node goes into the M-Working state. Otherwise, if condition M-C_SW is false, the node goes back into the M-Sleeping state.
. M-Working: The working state; the node takes part in the sensing and communication of the network. When the event M-E_Rest (Meta Event Rest) occurs, the node goes into the M-Test_S (Meta Test Sleeping) state.
. M-Test_S: The testing state to go to sleep. The node executes the test Test_S (Test Sleeping), and then makes a transition: if condition M-C_WS (Meta-Condition from Working to Sleeping) is true, the node goes into the M-Sleeping state. Otherwise, if condition M-C_WS is false, the node goes back into the M-Working state.
The persistence of a node in one of the previous states
continues as long as the node participates in the TMP.
Generally speaking, a node stops taking part in the TMP,
that is, the node reaches the Meta-TMP Stop state when
the battery runs out or when the node fails.
To date, the proposed TMPs were designed assuming the
presence of a nonadversarial, trusted environment. Conse-
quently, they are vulnerable to security attacks in which
malicious nodes send spoofed or false messages to their
neighbors in an effort to defeat the objectives of the protocol.
We outline how the communication patterns used by
TMPs play an important role in network security. In fact,
they could be exploited to thwart the functioning of the
TMP, and thus, launch attacks against the network.
4 THREAT MODEL
In this section, we describe our assumptions with respect to
the sensor network and the behavior and capabilities of an
adversary.
Due to the wireless nature of communications in sensor
networks, we assume that the adversary can eavesdrop on
the communications of other nodes and can also inject data
packets into the network.
We assume that the nodes are not tamperproof. Thus, if
the adversary captures a node, all the information including
cryptographic keys stored in the node are compromised.
Furthermore, the adversary can clone the identity of a
compromised device, and can store the information
obtained from that node in other malicious nodes.
Finally, we assume that the adversary can deploy
malicious nodes, and these nodes can collude together to
attack the system.
4.1 Attacker Classification
We may classify the attacker, as in [6], into various
categories based on both its hardware capabilities and its
knowledge of the cryptographic keys that are used to
provide authenticated and/or confidential communication.
Laptop-class versus node-class attackers. A laptop-class
attacker uses a relatively powerful device as compared to a
sensor node. An attacker with these capabilities has access
to greater battery, storage, and computational resources
than a typical sensor node, e.g., a Berkeley MICA mote [23].
It may also use a high-power radio transmitter and a
sensitive antenna that could allow the attacker to eavesdrop
on the entire network and to transmit messages with
enough power to be heard by any node.
On the other hand, a node-class attacker uses one or
more devices with the same capabilities as legitimate sensor
nodes. Therefore, it is only able to listen to or transmit
messages within a limited range, and it faces constraints
such as limited battery power, small memory, and a
relatively slow CPU.
Outsider versus insider attackers. An outsider attacker
has no more knowledge than the definition of the
protocols that are used in the network and the information
that is gathered by eavesdropping on network communications.
It has no access to cryptographic keys or data that are used
to secure the network. For example, it does not possess any
credentials that enable it to authenticate itself to the other nodes.

Fig. 1. Meta-TMP state diagram.
In contrast, an insider is an attacker that has all the
information used by a node to be a legitimate member of the
network, such as its cryptographic keys. It can be a captured
node, but also a device, such as a node-class or laptop-class
device, in which the attacker has stored information retrieved
from a compromised node.
5 ATTACKS ON TOPOLOGY MAINTENANCE PROTOCOLS
The use of topology maintenance protocols introduces
new vulnerabilities in sensor networks. In particular, an
adversary can launch new kinds of attacks by exploiting
the ability of these protocols to increase or decrease the
number of active nodes.
In the following two sections, we will discuss: a list of
various types of malicious behavior and actions that
could be carried out by an adversary to attack a WSN by
exploiting the TMP being used in the network; and a
classification of TMP attacks based upon their effect on
the target WSN.
5.1 Malicious Behavior toward Topology Maintenance Protocols
Jam. This is a Denial-of-Service (DoS) attack. The adversary
sends radio signals to interfere with node transmission and
make any kind of communication impossible. The strength
of this attack is related to the power of the antenna being
used. It could be applied to disrupt communications and
induce the legitimate nodes to change state erroneously.
Law et al. [24] show how jamming can be used to
perform attacks on link layer protocols. Xu et al.
[25] survey issues related to jamming attacks
against sensor networks by examining both attack and
defense; they present the following jamming models:
constant jammer, deceptive jammer, random jammer, and
reactive jammer.
Attacks on Information. The adversary exchanges false
information with legitimate nodes. It can forge falsified
data or it can modify values that should be forwarded on
behalf of its neighbors. The adversary can lie about the
data, and in particular:
. Identity: The adversary sends packets with falsified
ID. The adversary can attempt to attain several goals.
For example, it could modify the nodes perception
of the neighborhood density, or it could thwart
protocols that use threshold decisional schemes.
Newsome et al. [26] show how this behavior can
also be used to attack distributed storage, routing,
data aggregation, voting, fair resource allocation,
and misbehavior detection algorithms. The adversary
can modify its own ID or the IDs of its neighbors:
- Self: The adversary impersonates multiple identities.
This behavior is also known as the Sybil attack [26].
- Neighborhood: The adversary modifies the IDs of
packets that it forwards on behalf of its neighbors.
. Packet control data: The adversary sends packets
with modified control data and may make the
control data incorrect, or make the data correct but
maliciously forged. In the former case, the receiver
node rejects the packet as it does in case of errors
during transmission. Packet reception thus results in
a waste of energy. This technique could be used to
launch an attack in an attempt to consume legit-
imate node energy. In the latter case, the control
data are maliciously modified but they are correct;
thus, the receiver accepts the packet. The adversary
may use this technique to trick, for example,
protocols based on quality-of-service mechanisms
or packet delivery estimation. The adversary can
tamper with its own control data or with its
neighbors' control data:
- Self: The adversary modifies the control data of its
communications with the other network entities.
- Neighborhood: The adversary modifies the con-
trol data of the packets that it forwards on behalf
of its neighbors.
. Position: The adversary lies about its physical
location. It can exploit this technique against proto-
cols based on node position. Lazos et al. [27] address
the problem of verifying the location claim of a node,
known as Location Verification, in WSN. The
adversary can lie about its own position or the
position of its neighbors:
- Self: The adversary lies about its own position.
Depending on the nature of the WSN, it can
change the claimed position one or more times. For
example, if the WSN is a static network, that is,
the nodes are not supposed to move, the
adversary cannot change its claimed position more
than once without being detected.
- Neighborhood: The adversary lies about the
position of its neighbors. As in the previous
case, it can do so one or more times for each
neighbor, depending on the nature of the WSN.
. State of activity: The adversary lies about the state
of activity. It can make the configuration and the
topology of the network look different, thus
inducing legitimate nodes to change their own state
of activity. The adversary can use this behavior to
cause nodes to shift from working to sleeping states,
or vice versa:
- Self: The adversary announces a false state of its
activity to its neighbors.
- Neighborhood: The adversary lies about the state
of activity of its neighbors.
All of the above techniques of attack against a node of
the network can take place when the node is collecting
Testing Data. As described in Section 3, Testing Data are
potentially collected in any of the Metastates.
5.2 Effect of the Attacks on Topology Maintenance Protocols
The classification contains three types of attacks: sleep
deprivation, snooze, and network substitution.
Sleep deprivation attack. In this type of attack, the
adversary tries to induce a node in a specific area to remain
active. This attack has two effects. First, by increasing the
energy expenditure of sensor nodes, it reduces the estimated
lifetime of the network. Second, in the case of a densely
populated area, it can lead to increased energy consumption
due to congestion and contention at the data link layer.
Snooze attack. In this type of attack, the adversary forces
the nodes to remain in the sleeping state. This kind of attack
can be applied to the whole network or to a subset of nodes.
In the latter case, the adversary can launch an attack to
jeopardize the connectivity of the network or to reduce the
sensing coverage in a region. For example, an adversary can
selectively turn off nodes that are monitoring an intruder's
path through an area in which a sensor field has been
deployed for surveillance.
Network substitution attack. In this type of attack, the
adversary takes control of the entire network or a portion of
it by using a set of colluding malicious nodes. The adversary
deploys a set of nodes that are included in the set that has
been elected by the topology maintenance protocol to
maintain network connectivity or sensing coverage of the area.
Once the protocol has chosen the malicious nodes as its
working nodes, the portion of the network under attack is
totally in the hands of the adversary.
When the adversary controls a portion of the network, it
can carry out other attacks such as traffic analysis and
selective or complete packet dropping. This attack cannot
be easily detected because the adversary can maintain
network connectivity and keep it operating as usual. For
example, if the application is supposed to receive readings
from sensors at a certain frequency, the adversary can send
false readings at the same rate and avoid detection.
Each one of the three attacks requires the adversary to be
able to attack some of the Metastates. In particular:
. to apply the sleep deprivation attack, if the target node is in:
- M-Test_B: The adversary has to falsify the Testing Data collected by the node and used in Test_B. These Testing Data are usually collected in M-Test_B. The data have to be falsified so that the node decides to go into M-Working.
- M-Working or M-Test_S: The adversary has to falsify the Testing Data collected by the node and used in Test_S. These Testing Data are usually collected in M-Test_S and even in the M-Working state. The data have to be falsified so that the node decides to remain in M-Working.
- M-Sleeping or M-Test_W: The adversary has to falsify the Testing Data collected by the node and used in Test_W. These Testing Data are usually collected in M-Test_W. The data have to be falsified so that the node decides to go into M-Working.
. to apply the snooze attack or the network substitution attack, if the target node is in:
- M-Test_B: The adversary has to falsify the Testing Data collected by the node and used in Test_B. These Testing Data are usually collected in M-Test_B. The data have to be falsified so that the node decides to go into M-Sleeping.
- M-Working or M-Test_S: The adversary has to falsify the Testing Data collected by the node and used in Test_S to decide whether to remain in M-Working or to go to M-Sleeping. These Testing Data are usually collected in M-Test_S and even in the M-Working state. The data have to be falsified so that the node decides to go into M-Sleeping.
- M-Sleeping or M-Test_W: The adversary has to falsify the Testing Data collected by the node and used in Test_W to decide whether to remain in M-Sleeping or to go to M-Working. These Testing Data are usually collected in M-Test_W. The data have to be falsified so that the node decides to remain in M-Sleeping.
In Tables 1 and 2, we highlight the possible effects of an
attack depending on the protocol's vulnerabilities, which in
turn depend on the way the Testing Data can be falsified. All
possible alternatives are considered, since Table 1 has eight
rows, each row corresponding to one of the eight edges of
the Meta-TMP state diagram in Fig. 1. Both tables assume
that Testing Data can be collected in any state of activity.
Note that the efficiency of the attacks could vary
depending on the adversary's ability to generate the events
M-E_Rest and M-E_Awake. For example, if the adversary is
able to generate M-E_Rest, it can complete a snooze attack
faster than if it has to wait for the regular occurrence of
M-E_Rest. When the events are periodic, the ability of the
attacker to generate M-E_Rest and M-E_Awake reduces the
attacker's waiting time; when they are not periodic, the ability
of the attacker to generate M-E_Rest and M-E_Awake is a
necessary condition for launching an attack.

TABLE 1
Table of Correspondences between Points of Vulnerability and Attack Effects on the Target Node

TABLE 2
Table of Correspondences between Points of Vulnerability and Attack Effects on the Target WSN
Note that in case u, there is no attack because the
adversary can force the nodes to start in M-Sleeping, but it
cannot prevent the TMP from moving these sleeping
nodes to M-Working later. Thus, in case u the adversary can
only reduce the reactivity of new nodes in starting to work.
For the same reason, there is no attack in case .: the
attacker can induce a node in M-Test_S to go to sleep, but
other nodes will start working to balance the situation.
Moreover, it is possible to design protocols in which a node in
M-Working does not go periodically to M-Test_S, as, for
example, in PEAS. In case c, the adversary can prevent
working nodes from going to M-Sleeping; in this way, the
adversary could compromise the TMP's energy balancing between nodes.
6 ANALYSIS OF PEAS
6.1 Brief Review of PEAS
In PEAS [4], the subset of active nodes selected by the
protocol must be large enough to obtain sensing coverage of
the deployment area and spread out enough to maintain the
connectivity of the network. The operation of the protocol is
described below.
Each node in PEAS has three operation modes: Sleeping,
Probing, and Working. In the Sleeping mode, a sensor is not
active. It sleeps for an exponentially distributed duration with
density $f(T_s) = \lambda e^{-\lambda T_s}$, where $\lambda$ is the
probing rate of the node and $T_s$ denotes the length of the
sleeping time. A node in Sleeping mode waits until its sleeping
time expires, and then enters the Probing mode. In the Probing
mode, a sensor tries to detect whether any working node is
present within a probing range $R_p$. The probing node sends a
PROBE message with a range of $R_p$, and any working node
within $R_p$ should respond with a REPLY message, which is
also sent within the range $R_p$. If the probing node receives a
REPLY, it goes back to Sleeping mode; otherwise, it enters the
Working mode. A node usually stays in the Working mode
until it consumes all its energy. However, as discussed
below, in some situations, a node is allowed to transit back
to the Sleeping mode.
PEAS provides a mechanism which allows it to adjust
the probing frequency of each sleeping node and maintain
the probing rate of all the neighbors at a desired value $\lambda_d$.
A working node measures its neighbors' probing rate $\hat{\lambda}$
and includes the measurement in its REPLY messages in
response to the probes. When a probing node receives
more than one REPLY, it selects the largest $\hat{\lambda}$ and sets its
new probing rate $\lambda_{new}$ as follows:

$$\lambda_{new} = \lambda_{old} \cdot \frac{\lambda_d}{\hat{\lambda}}.$$

Therefore, the protocol keeps the actual probing rate around the
desired $\lambda_d$. Note that the sleeping time of a node increases
as $\hat{\lambda}$ increases.
Due to collisions, PROBE and REPLY messages can be
lost and some nodes may become active even though they
are within the probing range of another working node. For
example, assume that two active nodes u and v are within
each other's probing range. If a third node s within the
probing range of u and v sends a PROBE, then both u and v
will overhear each other's REPLY. In this case, PEAS allows
a node to go back to sleep, using the following rule: if a
node u hears a REPLY from a node v that is active and whose
working time $T_w$ is greater than the working time of u,
then u goes back to sleep. In order for a node to determine
whether its working time is greater than the working time
of another node, each node must include its own working
time in its REPLY message.
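The following Python model is an added example and is not code from this paper or from the PEAS authors. It implements the Meta-TMP state machine of Section 3 with pluggable tests, instantiates it with the PEAS decision rules reviewed above (start asleep; no REPLY to a PROBE means go Working; a REPLY from a node with a longer working time means go back to sleep; adjust the probing rate from the largest reported $\hat{\lambda}$), and then exercises the attack surface of Section 5.2 by feeding forged or suppressed REPLY messages, which are the Testing Data of Test_W and Test_S, to a node. The single-hop neighborhood, the REPLY field layout, the constructed sample messages, and the network-wide MAC key used to reject an outsider's forged REPLY are all assumptions introduced here; the MAC stands in for the authentication countermeasures that this part of the paper only outlines, and, as the insider case shows, it does nothing against a compromised node that holds the key.

```python
"""PEAS probing as an instance of the Meta-TMP (added example, not code from the paper).
Assumptions not in the paper: single-hop neighbourhood, REPLYs dropped only where stated,
and a network-wide symmetric key authenticating REPLYs (an illustrative outsider
countermeasure).  All messages are constructed sample data."""
import hashlib
import hmac
from dataclasses import dataclass

NETWORK_KEY = b"constructed-demo-key"  # assumption: shared by all legitimate nodes


class MetaTMP:
    """Section 3 state machine; each test maps Testing Data to True/False."""
    def __init__(self, test_b, test_w, test_s):
        self.test_b, self.test_w, self.test_s = test_b, test_w, test_s
        self.state = None

    def start(self, data):     # M-Test_B: M-C_BS true -> M-Sleeping, else M-Working
        self.state = "Sleeping" if self.test_b(data) else "Working"
        return self.state

    def on_awake(self, data):  # M-E_Awake -> M-Test_W: M-C_SW true -> M-Working
        assert self.state == "Sleeping"
        self.state = "Working" if self.test_w(data) else "Sleeping"
        return self.state

    def on_rest(self, data):   # M-E_Rest -> M-Test_S: M-C_WS true -> M-Sleeping
        assert self.state == "Working"
        self.state = "Sleeping" if self.test_s(data) else "Working"
        return self.state


@dataclass
class Reply:
    sender: int
    working_time: float   # T_w of the replying working node
    measured_rate: float  # lambda_hat it measured for its neighbours
    tag: bytes = b""      # MAC over the fields (assumed countermeasure)

    def payload(self):
        return f"{self.sender}|{self.working_time}|{self.measured_rate}".encode()


def mac(key, payload):
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]

def sign(reply, key):
    reply.tag = mac(key, reply.payload())
    return reply

def authentic(reply, key):
    return key is None or hmac.compare_digest(mac(key, reply.payload()), reply.tag)


class PeasNode:
    """PEAS rules of Section 6.1 plugged into the Meta-TMP; key=None means no authentication."""
    def __init__(self, lam, lam_d, key=None):
        self.lam, self.lam_d, self.key, self.working_time = lam, lam_d, key, 0.0
        self.tmp = MetaTMP(test_b=lambda _: True,  # PEAS always starts asleep
                           test_w=lambda replies: not self.heard(replies),
                           test_s=self.longer_worker)

    def heard(self, replies):
        """Test_W: any accepted REPLY within R_p; rate follows the largest lambda_hat."""
        replies = [r for r in replies if authentic(r, self.key)]
        if replies:
            lam_hat = max(r.measured_rate for r in replies)
            self.lam = self.lam * self.lam_d / lam_hat  # lambda_new = lambda_old * lambda_d / lambda_hat
        return bool(replies)

    def longer_worker(self, reply):
        """Test_S: an accepted REPLY with a longer working time sends the node to sleep."""
        return authentic(reply, self.key) and reply.working_time > self.working_time


def probe_once(replies, key=NETWORK_KEY):
    """Start a node, fire M-E_Awake once; return (state after Test_W, new probing rate)."""
    node = PeasNode(lam=1.0, lam_d=1.0, key=key)
    node.tmp.start(None)
    return node.tmp.on_awake(replies), node.lam

def honest_neighbour():  # a real working node answers: node sleeps, rate halves
    return probe_once([sign(Reply(2, 120.0, 2.0), NETWORK_KEY)])

def outsider_snooze(authenticated):  # outsider lacks the key, so its tag is garbage
    fake = Reply(9, 999.0, 1.0, tag=b"\x00" * 8)
    return probe_once([fake], NETWORK_KEY if authenticated else None)[0]

def insider_snooze():  # captured node signs a REPLY with an inflated lambda_hat
    return probe_once([sign(Reply(9, 999.0, 10.0), NETWORK_KEY)])

def jammed_sleep_deprivation():  # REPLYs suppressed: no REPLY heard means go Working
    return probe_once([])[0]

def working_node_snooze():  # forged REPLY with a longer working time reaches Test_S
    node = PeasNode(lam=1.0, lam_d=1.0, key=NETWORK_KEY)
    node.tmp.state, node.working_time = "Working", 10.0
    return node.tmp.on_rest(sign(Reply(9, 50.0, 1.0), NETWORK_KEY))
```

Calling the scenario functions shows each edge of the mapping: an honest REPLY with $\hat{\lambda} = 2$ halves the probing rate and puts the node back to sleep; an outsider's unauthenticated REPLY keeps the node asleep when no MAC is checked but is discarded (so the node goes Working) when it is; an insider's signed REPLY with $\hat{\lambda} = 10$ is accepted and drops the rate to 0.1, so the expected sleep time $1/\lambda$ grows tenfold; suppressing every REPLY yields Working with nobody nearby (sleep deprivation); and a REPLY claiming a longer working time pushes a working node to sleep through Test_S regardless of authentication, because the sender holds a valid key.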
6.2 PEAS as a Meta-TMP Instance
The correspondence between the PEAS protocol and the
Meta-TMP is shown in Fig. 2 and is summarized in Table 3.
Each node starts participating in the PEAS protocol
when it is turned on, that is, Meta-TMP Start corresponds
to the node turning on.
In PEAS, M-Test$_1$ is not present because at first, each node starts off in a sleeping state, that is, the test Test$_1$ always replies that the condition M-C$_{1S}$ is true.
The state M-Sleeping corresponds to the Sleeping state of
PEAS in which the node turns off the radio and does not
perform any sensing.
The exit event M-E of the state M-Sleeping corresponds to the expiration of the sleeping timer $T_s$, which consequently produces the transition of a node into the Probing state.
The M-Test$_W$ state, whereby each node verifies whether it should transit in the M-Working state, corresponds to the Probing state in PEAS in which the node sends a PROBE. The condition M-C$_{SW}$, which makes a node transit in M-Working, corresponds to the absence of a REPLY in response to a PROBE. On the other hand, the condition Not(M-C$_{SW}$), which makes the node go back to M-Sleeping, corresponds to the reception of the REPLY.
Fig. 2. Correspondence between PEAS and the Meta-TMP.
TABLE 3
Table of Correspondences between PEAS and Meta-TMP
Both the M-Working state and the M-Test$_S$ state correspond to the Working state. In the former case, Working represents M-Working because a node in Working is active, it performs sensing and it takes part in the routing. In the latter case, Working represents M-Test$_S$ because a node in Working verifies whether it should go back to the Sleeping state as a consequence of the reception of a REPLY message. The REPLY in the previous situation corresponds to the exit event M-E of the state M-Working.
The condition M-C$_{WS}$ that makes a node transit in M-Sleeping corresponds to the case in which the working time $T_w$ that is received in the REPLY is greater than the working time of the receiver. On the other hand, the condition Not(M-C$_{WS}$), which makes the node go back to M-Working, corresponds to the opposite case, that is, when the working time $T_w$ that is received in the REPLY is less than or equal to the working time of the receiver.
The Testing Data that are used by a node to determine its own state of activity consist of the PROBE message and its content. The acquisition of the Testing Data takes place when the node is in Probing or Working, but not when the node is in Sleeping, because it turns off the radio and simply waits for the expiration of the timer $T_s$.
Termination of PEAS is determined in each of the nodes
by the battery expiration or the failure of the node itself.
6.3 Attacks on PEAS
In Table 4, we highlight which kinds of malicious behavior are effective against PEAS relative to the vulnerabilities of Table 1. As described in Table 2, the adversary, to be able to launch a snooze or network substitution attack, has to generate case ( and (u or )) or ( and and 0). As can be seen in Table 4, u cannot be generated and is included into 0, that is, we can focus on and . To apply these two attacks, the adversary has to send a REPLY with $T_w$ greater than the receiver's, and it has to send the REPLY in response to a probe.
To launch a sleep deprivation attack, the adversary has to generate case (c and (c or c)), or (c and c and j), or (c or c) if the exit event M-E of M-Working does not exist, but the last does not apply because this exit event exists in PEAS. Considering Table 4, we can see that the sleep deprivation attack can be launched using reactive jamming when the target nodes are in the Probing or Working state.
Thus, PEAS is vulnerable to all the attacks presented in Section 5.2. In the following discussion, we present five possible attacks on PEAS in detail. The first three attacks are based on the use of forged REPLY messages, whereas the last two sleep deprivation attacks exploit the fact that once a node enters the working state in PEAS, it will normally remain active until it runs out of power.
Snooze attack by a laptop-class attacker. The adversary A sends a forged REPLY with enough transmit power to be heard by any node in the network. In the forged REPLY, $T_w$ is set to the maximum value it can have. Each working node goes to sleep because it believes that there is another working node within its probing range and with a greater $T_w$. Further, the adversary can use the $\hat{\lambda}$ value included in the REPLY message to control the sleep schedules of other nodes. For example, it can set a small $\hat{\lambda}$ to make other nodes wake up very often and rapidly consume their energy. In order to disable the network during selected periods of time, the adversary can use a large value for $\hat{\lambda}$, and thus, induce other nodes to sleep for a long time.
Snooze attack by node-class attacker. The adversary uses a set of nodes to turn off the network in a selected area. It partitions the target area into cells $C_1, C_2, \ldots, C_n$, where each cell is a square of size $\frac{2}{\sqrt{2}} R_t$. This choice ensures that a node in the center of a cell $C_i$ can cover the cell with its transmission range. Then the adversary deploys enough malicious nodes in the area so as to ultimately have a device in each cell. The task of each node is to keep legitimate nodes that are within its transmission range in the sleeping state. When the attack begins, a malicious node monitors the network for incoming messages. If it receives a PROBE message or discovers an active node, it sends a REPLY message with $T_w$ set to the maximum value it can have to put the node to sleep. Moreover, the $\hat{\lambda}$ in each REPLY is chosen in such a way that the neighbors are synchronized to wake up and probe together. This allows the adversary to wake up at the same time as its neighbors, wait until all of them have sent probe messages, and then send a single REPLY message which then results in all the active nodes going to sleep. Thus, it is possible for the adversary to consume the same amount of battery power as any of its neighbors and to ensure that it will not run out of power before its neighbors do.
Network substitution attack. The adversary substitutes legitimate nodes with malicious nodes in a portion of the network. The attack is launched in the same fashion as the snooze attack by node-class attacker, but now the size of the cells is $\frac{R_t}{\sqrt{5}}$. Thus, any two nodes in adjacent cells or in the same cell are within each other's transmission range. By having a node inside each cell, the adversary can now keep any legitimate node in sleeping mode and at the same time, can maintain the connectivity among the malicious nodes and between the malicious nodes and the rest of the network.
Sleep deprivation attack by a laptop-class attacker. The goal of this type of attack is to keep all nodes in Working mode. Following the same procedure that is used in the snooze attack by a laptop-class attacker, the adversary can put all the nodes in sleeping mode and synchronize them so that they all wake up at a given time. When all the nodes wake up to probe, the attacker jams (e.g., reactive jamming) the network to prevent any of them from receiving a REPLY. All the nodes are now in Working mode and none of them will probe again. Even if two nodes are within each other's probing range, they will not go back to sleep because they will not receive a REPLY.
TABLE 4
Table of Correspondences between PEAS Points of Vulnerability and Attacker Behaviors
Sleep deprivation attack by node-class attacker. The
adversary deploys a set of malicious nodes in the area
under attack and induces all the legitimate nodes to
transition to Working mode at the same time. Note that
the adversary cannot leave even one single node in Sleeping
mode because that node could set off a chain reaction that
would result in all the redundant active nodes returning to
the Sleeping mode. This is because when a sleeping node
wakes up and sends a PROBE message, any active node
within the probing range will respond with a REPLY
message. The REPLY will be heard by a redundant active
node resulting in its going back to sleep.
The adversary partitions the target area into square cells $C_1, C_2, \ldots, C_n$, where each cell is a square of size $\frac{R_t}{\sqrt{5}}$. Therefore, any two nodes in adjacent cells or in the same cell are within each other's transmission range. The adversary applies the attack the same way as the network substitution attack and puts all the nodes into Sleeping mode. In particular, by including an appropriate $\hat{\lambda}$ in each REPLY, the sleep phases of all the legitimate nodes are synchronized in such a way that they wake up and probe at the same time. At this time, the malicious nodes jam the network. Hence, any legitimate node goes into Working mode because it has not received any REPLY messages.
7 ANALYSIS OF CCP
7.1 Brief Review of CCP
The goal of CCP [5] is to maintain an active subset of the network nodes that is large enough to guarantee a $K_s$-coverage degree of the network deployment area. In CCP, each node locally decides whether to be active or to go to sleep by using the $K_s$-coverage eligibility rule and the information that is received in the HELLO messages sent by its neighboring nodes.
Before introducing the $K_s$-coverage eligibility rule, we would like to provide some definitions. The sensing circle of a node $n$ is the set of points $p$ that are $R_s$ distant from $n$. A point is called an intersection point if it is the intersection between two sensing circles, or if it is the intersection between the sensing circle of a node and the boundary of the area to be covered.
The $K_s$-coverage eligibility rule is that a node $n$ is not eligible to become active if: 1) any point $p$ that is an intersection point between the sensing circles of two active nodes and is also within the sensing circle of $n$ is $K_s$-covered, or 2) there is no intersection point within the sensing circle of $n$ and there are at least $K_s$ sensors located at the same position as $n$. The protocol ensures that if a node $n$ decides to sleep, then each point $p$ which could be sensed by $n$ is already sensed by at least $K_s$ other nodes. The following discussion is a summary of how the protocol works.
The broadcasting of HELLO messages allows all the nodes to know the positions of the active nodes and decide whether to remain active or to go back to sleep. When $R_t \geq 2R_s$, a node only includes its own location in its HELLO message. When $R_t < 2R_s$, a node's sensing circle may contain intersection points of nodes that are $\lceil 2R_s/R_t \rceil$ hops away. Hence, in this case, the node should include the location of all the active nodes within $\lceil 2R_s/R_t \rceil$ hops; otherwise, more nodes will remain active. A node discovers the position of active nodes within $\lceil 2R_s/R_t \rceil$ hops due to the HELLO messages that it receives from its neighbors.
A node can be in one of three states:
- SLEEP: In this state, a node sleeps until its sleep timer $T_s$ expires. Then it wakes up, it starts a listen timer $T_l$ and enters the LISTEN state.
- LISTEN: In this state, the node collects beacon messages, i.e., locally broadcast HELLO, WITHDRAW, and JOIN messages, and executes the $K_s$-coverage eligibility rule. If the node is eligible, it enters the ACTIVE state and broadcasts a JOIN message; otherwise, when $T_l$ expires, it starts a sleep timer $T_s$ and goes back to the SLEEP state.
- ACTIVE: In this state, each time a node receives a beacon message, it executes the $K_s$-coverage eligibility rule to determine its eligibility. If it is noneligible, it sends a WITHDRAW message and goes back to sleep.
Both the join and withdraw announcements are delayed by randomized timers ($T_{jd}$ and $T_{wd}$, respectively) to avoid collisions. After the random delay expires, a node checks its eligibility status and if the eligibility status has changed, the node cancels the announcement and remains in its previous state. This prevents two nodes from announcing that they are covering the same portion of network when one alone will suffice. It also avoids two nodes from withdrawing at the same time, thus leaving a zone with a coverage less than $K_s$.
7.2 CCP as a Meta-TMP Instance
The correspondence between the CCP protocol and the
Meta-TMP is shown in Fig. 3 and is summarized in Table 5.
Each node starts participating in the CCP protocol when
it is turned on, that is, Meta-TMP Start corresponds to the
node turning on.
M-Test$_1$ is not present in CCP because at first, each node starts in the working state, that is, the test Test$_1$ always replies that the condition M-C$_{1S}$ is false.
Fig. 3. Correspondence between CCP and the Meta-TMP.
The M-Working state corresponds to the ACTIVE state of
CCP in which the node performs sensing and takes part in
the routing.
The exit event M-E of the M-Working state corresponds to the reception of a beacon message (HELLO, WITHDRAW, or JOIN) that consequently produces the transition of a node in the M-Test$_S$ state.
In CCP, both the M-Working state and the M-Test$_S$ state correspond to the ACTIVE state. In the former case, ACTIVE represents M-Working because: 1) a node in ACTIVE is working; 2) it performs sensing; and 3) it takes part in the routing. In the latter case, ACTIVE represents M-Test$_S$ because a node in ACTIVE collects the beacon messages HELLO, WITHDRAW, and JOIN, and executes the $K_s$-coverage eligibility rule to verify whether it should go to the SLEEP state.
The condition M-C$_{WS}$ that makes a node transit in M-Sleeping corresponds to the change in its eligibility status from eligible to noneligible. On the other hand, the condition Not(M-C$_{WS}$) that makes the node go back into M-Working corresponds to the opposite case, that is, the node remains eligible.
The M-Sleeping state corresponds to the SLEEP state of
CCP in which the node turns off the radio and does not
perform any sensing.
The exit event M-E of the M-Sleeping state corresponds to the expiration of the sleeping timer $T_s$, which consequently produces the transition of a node into the LISTEN state.
The M-Test$_W$ state, whereby each node verifies whether it should transit in the M-Working state, corresponds to the LISTEN state in CCP in which the node collects the beacon messages HELLO, WITHDRAW, and JOIN, and executes the $K_s$-coverage eligibility rule. The condition M-C$_{SW}$ that makes a node transit in M-Working corresponds to the eligibility of the node as defined by the $K_s$-coverage eligibility rule. On the other hand, the condition Not(M-C$_{SW}$) that makes the node go back to M-Sleeping corresponds to the noneligibility of the node.
The Testing Data, used by a node to determine its own state of activity, consist of the information contained in the beacon messages. The acquisition of the Testing Data takes place when the node is in LISTEN or ACTIVE, but not when the node is in SLEEP because it turns off the radio and only waits for the expiration of the timer $T_s$.
Termination of CCP is determined in each of the nodes
by the battery expiration or the failure of the node itself.
7.3 Attacks on CCP
In Table 6, we highlight which kinds of malicious behavior are effective against CCP relative to the vulnerabilities of Table 1. As described in Table 2, the adversary, to be able to launch a snooze or network substitution attack, has to generate case ( and (u or )) or ( and and 0). As can be seen from Table 6, u is always true, , and they are both included into 0, that is, we can focus on . To apply these two attacks, the adversary has to send fake HELLOs with a false activity state of the node and a false position.
To launch a sleep deprivation attack, the adversary has to generate case (c and (c or c)), or (c and c and j), or (c or c) if the exit event M-E of M-Working does not exist. Considering Table 4, we can see that the above cases all reduce to the same behavior, that is, a constant, deceptive, or reactive jamming.
We now describe in detail three attacks on CCP in which the adversary exploits the possibility of using forged HELLO messages to keep nodes in the sleeping mode. We also discuss why the design of CCP makes it difficult to launch a sleep deprivation attack.
Snooze attack by a laptop-class attacker. The goal of the attacker is to induce all the legitimate nodes inside a selected area $B$ of the network to go into the sleep mode. For the sake of simplicity, we first describe the attack assuming that the required coverage degree $K_s$ of the network is 1 and $R_t \geq 2R_s$.
The adversary selects an area $B' \supseteq B$ with the following properties: 1) it is a composition of cells $C_1, C_2, \ldots, C_n$, where the size of a cell is less than $\frac{2}{\sqrt{2}} R_s$, and 2) it contains all the sensing circles of the target nodes. The size ($\frac{2}{\sqrt{2}} R_s$) of the cell ensures that any point inside or on the boundary of a cell is within a circle of radius $R_s$ centered in the cell, and the second property ensures that all the intersection points of the target nodes are within $B'$. The adversary chooses a bogus node $BN_i$ for each cell $C_i$ and broadcasts a HELLO message with enough transmit power to be heard by every node in $B'$, announcing that $BN_i$ is active and positioned at the center of the cell $C_i$. By doing so, any node inside $C_i$ believes that its sensing range inside $B'$ is covered by the bogus nodes. All the target nodes remain sleeping because they are within $B'$ and all their intersection points are also within $B'$.
TABLE 5
Table of Correspondences between CCP and Meta-TMP
TABLE 6
Table of Correspondences between CCP Points of Vulnerability and Attacker Behaviors
In order to launch the attack when the required coverage degree of the network is a general $K_s > 1$, the adversary has to choose $K_s$ bogus node identifiers for each cell $C_i$. When $R_t < 2R_s$, the adversary must include all the positions of the bogus nodes that are $\lceil 2R_s/R_t \rceil$ hops away from $BN_i$ in the HELLO message of node $BN_i$, for each bogus node $BN_i$.
Snooze attack by node-class attacker. In this attack, the adversary uses malicious nodes to keep all the nodes inside a selected area $B$ of the network in the sleeping state. We describe the attack assuming that $K_s = 1$, and then, explain how to extend it for a general $K_s$.
The adversary calculates the minimum number of nodes $n$ that are necessary for sensing a circular area $C$ of radius $R_t + R_s$, and their relative positions $BN_1, BN_2, \ldots, BN_n$ with respect to the center of area $C$. It loads positions $BN_1, BN_2, \ldots, BN_n$ and a set of $n$ IDs into a single malicious node. Then the attacker deploys the malicious nodes in $B$ in such a way that any point inside $B$ is within the communication range of a malicious node.
The task of a malicious node $A$ is to make other legitimate nodes inside its transmission range think that they are noneligible. Note that the existence of fictitious nodes in the circular area of radius $R_t + R_s$ can be announced to nodes within $R_t$ by malicious node $X$. Thus, even the legitimate nodes near the border of the area of radius $R_t$ believe that their sensing range is already covered. By using its absolute position, each node $A$ calculates the absolute positions $P_1, P_2, \ldots, P_n$ of $BN_1, BN_2, \ldots, BN_n$. Then it sends $n$ HELLO messages announcing that $BN_i$ ($i = 1$ to $n$) is active and is located at $P_i$. Each neighbor node of $A$ believes that all the points inside its sensing circle are already covered by one of the nodes in set $\{BN_1, BN_2, \ldots, BN_n\}$ because its sensing circle is within $R_t + R_s$ from $A$. When a legitimate node that is a neighbor of $A$ runs the $K_s$-coverage eligibility rule, it finds that all the intersection points within its sensing circle are covered, so it believes that it is noneligible. Thus, the attacker induces all the legitimate nodes inside $B$ to go to sleep because any legitimate node is a neighbor of at least one malicious node. When $R_t < 2R_s$, the HELLO message of a malicious node can include the position of bogus active nodes within $\lceil 2R_s/R_t \rceil$ hops.
The attack can be extended to a generic $K_s$ by announcing $K_s$ nodes at each position $P_1, P_2, \ldots, P_n$.
Network substitution. The attack is performed in the same manner as the previous snooze attack by node-class attacker, but the adversary partitions the target area into square cells $C_1, C_2, \ldots, C_n$, where each cell is a square of size $\frac{R_t}{\sqrt{5}}$. This way, any two nodes in adjacent cells or in the same cell are within each other's transmission range. Thus, the malicious nodes are connected and can simulate the normal operation of the network.
Sleep deprivation attack. To launch this attack, the adversary has to jam (e.g., launch a constant, deceptive, or reactive jamming) the network to prevent the reception of the beacon messages that are periodically exchanged by the nodes. Further, due to the continuous checking of the eligibility status by the active nodes, this operation must be performed very often, making the attack not affordable for node-class attackers, and expensive for a laptop-class attacker as well. Moreover, note that a denial-of-service attack involving continuous jamming (e.g., constant or deceptive jamming) can be performed in any sensor network, regardless of the topology maintenance protocol being used. Hence, we do not consider this as an attack that is specific to topology maintenance protocols.
8 COUNTERMEASURES
We now describe countermeasures for each of the protocols
we have analyzed. Clearly, the most important counter-
measure against the attacks described in Section 5.2 is to
ensure that all communication between nodes is authenti-
cated. Many of the messages that are exchanged between
nodes in the TMPs are local broadcast messages, i.e.,
broadcasts that are restricted to the immediate neighbors
of a node. Thus, efficient authentication mechanisms are
needed not just for unicast messages, but also for local
broadcast messages.
The aim of using message authentication is to avoid the production of malicious Testing Data. As described in Sections 3 and 5, the protection of these data is a key point for the resilience of the TMP. Thus, message authentication is required each time a message is directly or indirectly used to collect Testing Data. Authentication provides the TMP with resilience against outsider attackers, but not against insiders. Solutions to protect the network against insiders could be the use of mechanisms for malicious node detection (e.g., [28] and [29]) or the use of node redundancy and threshold schemes to collect data (as in [30] and [31]).
Furthermore, to limit the damage that can be caused by a
malicious node, the Testing Data gathered by a node from
its neighbors should not include information about third-
party nodes. This prevents attacks in which the adversary
uses compromised nodes to inject falsified Testing Data
about the nodes neighborhood.
Several solutions have been proposed in the literature to
provide efficient key setups in sensor networks [32], [33],
[34]. In the discussion that follows, we assume that
neighboring nodes can establish pairwise shared keys with
each other. The pairwise shared key is used for computing
message authentication codes (MACs) that authenticate the
unicast messages exchanged between two neighboring
nodes. We note that ideally, the pairwise key establishment scheme should be resilient to cloning or node replication attacks. In particular, our countermeasures require that even if the adversary captures a node $n$, the identity of the compromised node cannot be successfully impersonated outside the neighborhood of $n$. One possible protocol for achieving this goal in a sensor network is LEAP [33]. However, any scheme that meets these requirements can be used.
In addition, we assume the existence of an authentication mechanism for local broadcast authentication. In particular, we use the mechanism based on one-way key chains provided by LEAP for authenticating local broadcasts. However, other protocols could be used, e.g., μTESLA [32], to authenticate locally broadcast messages. Alternatively, new local broadcast authentication mechanisms could be designed that are more efficient and scalable than the existing solutions.
In the following discussion, we do not take into consideration attacks which consist of jamming the network to produce a denial-of-service attack, since these attacks are not specific to topology maintenance protocols.
Before discussing our countermeasures, we briefly describe the LEAP [33] key management protocol for sensor networks. It allows a node $n$ to share a pairwise key $K_{nv}$ with any neighbor $v$. Further, LEAP restricts the security impact of a compromised node to the immediate network neighborhood of the compromised node. This provides two useful properties. First, if a node $n$ is captured, the adversary cannot use the compromised keys obtained by $n$ to create new pairwise keys. Second, the keys of a node $n$ are established between $n$ and its neighbors after the deployment of $n$, and $n$ can use those keys only with them. Thus, an attacker that compromises $n$ cannot use its compromised keys in other parts of the network; hence, it cannot exploit the possibility to clone the identity of $n$.
Furthermore, LEAP provides a local broadcast authentication mechanism based on the use of a one-way key chain. LEAP uses one-way key chains [35] for one-hop broadcast authentication. Unlike TESLA, this technique does not use delayed key disclosure and does not require time synchronization between neighboring nodes. Basically, each node generates a one-way key chain of a certain length, then transmits the commitment (i.e., the last generated key) of the key chain to each neighbor, encrypted with their pairwise shared key. Whenever a node has a message to send, the next key $K_{n,j}$ in the key chain is attached to the message. The keys are disclosed in an order reverse to their generation. A receiving neighbor can verify the first message that was authenticated with the key chain using the commitment, and it can verify any following message using the key it received from the sending node most recently. As discussed by the authors [33], this authentication mechanism has some weaknesses, and it is possible for an adversary to obtain a valid key to authenticate a fabricated message while impersonating another node. Specifically, in this attack, an adversary has to receive the original broadcast message from a node (say $a$) to obtain the valid authentication key (say $K$), while at the same time, preventing the target node(s) from receiving the broadcast message. It can then impersonate $a$ by including the key $K$ in a fabricated message that it sends to the target node(s). However, we show that this attack provides no real advantage to the adversary in the case of attacks on TMPs.
8.1 Proposed Countermeasures for PEAS
We present an extension of the PEAS protocol that makes the protocol resilient to outsider attackers. Further, a node can tolerate attacks by up to $t$ compromised nodes within its transmission range $R_t$. We assume that the network nodes have established pairwise keys with their neighbors.
We extend the PEAS protocol in the following way. In Probing mode, any node, say $n$, sends a PROBE containing a nonce and its ID. If $n$ receives at least $t+1$ authenticated REPLYs with the corresponding nonce, it goes back to sleep. Each REPLY, sent by a neighbor $v$ of $n$, must include a MAC created with the shared pairwise key $K_{nv}$. The messages exchanged between $n$ and $v$ are:
$$n \rightarrow *: \mathit{PROBE},\ n,\ \mathit{nonce}$$
$$v \rightarrow *: \mathit{REPLY},\ v,\ \hat{\lambda},\ T_w,\ \mathit{MAC}_{K_{nv}}(\mathit{REPLY} \,|\, \mathit{nonce} \,|\, \hat{\lambda} \,|\, T_w)$$
The use of the nonce is introduced to avoid a replay attack. Without the nonce, an adversary can store the REPLY from $v$ and may use it to respond to $n$ by pretending that $v$ is functioning even when $v$ is dead. With such a replay attack, the adversary could prevent new legitimate nodes from becoming active.
In the original protocol, a working node goes back to sleep if it overhears a REPLY from a node (in response to a PROBE) with a larger working time $T_w$. This allows nodes that became active erroneously (e.g., because the REPLY messages from active nodes were lost due to collisions) to go back to the sleep state. We maintain this feature, but we modify the rule as follows: a working node goes back to sleep only if it receives $t+1$ REPLYs. Further, when this situation occurs, if the node has the smallest $T_w$, then it performs a probe by sending a PROBE message. If it receives at least $t+1$ REPLYs in response to the probe, it goes back to sleep. This extra probing operation is performed by the node to authenticate and also to verify the freshness of the REPLY. Note that even if a node $w$ receives the REPLY sent by a node $v$ to $n$, node $w$ cannot check the freshness because $w$ does not know the nonce, and $w$ cannot verify the authenticity of the message because the message is authenticated with a key shared only by $n$ and $v$. With these modifications, an adversary has to compromise at least $t+1$ nodes within the transmission range of $n$ to be able to induce node $n$ to go to sleep. If LEAP is used to establish the pairwise keys, the adversary cannot reuse the compromised identities at different locations in the network. Thus, the number of nodes that need to be compromised in order for the adversary to be able to launch the attacks described in Section 6.3 increases as the value $t$ and the size of the target area increase, and we can choose $t$ to achieve the desired resilience to node compromise.
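The probe/reply exchange above, as an added example that is not part of the paper: a prober accepts a REPLY only if it carries the prober's own nonce and a MAC under the pairwise key $K_{nv}$, and it goes back to sleep only once $t+1$ distinct neighbors have answered. The pairwise keys are assumed already established (e.g., by LEAP) and are generated inline here; the node names, the HMAC-SHA256 construction and the sample values are constructed for the example.

```python
"""Authenticated PEAS probing (Section 8.1 countermeasure), constructed example.

n sends PROBE(n, nonce); a neighbor v answers REPLY(v, lambda_hat, T_w,
MAC_{K_nv}(REPLY | nonce | lambda_hat | T_w)). n sleeps only if at least t+1
distinct neighbors return a fresh, authentic REPLY.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


def pairwise_key(keys: Dict[FrozenSet[str], bytes], a: str, b: str) -> Optional[bytes]:
    """Shared key K_ab; the same key serves both directions (assumed pre-established)."""
    return keys.get(frozenset((a, b)))


def reply_mac(key: bytes, nonce: bytes, lam_hat: float, t_w: int) -> bytes:
    """MAC over REPLY | nonce | lambda_hat | T_w (HMAC-SHA256 chosen for the example)."""
    msg = b"REPLY|" + nonce + b"|" + repr(lam_hat).encode() + b"|" + str(t_w).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Reply:
    sender: str
    nonce: bytes      # echo of the PROBE nonce: freshness
    lam_hat: float    # measured neighbour probing rate
    t_w: int          # working time of the sender
    tag: bytes        # MAC under K_{prober,sender}


def build_reply(keys, prober: str, v: str, nonce: bytes, lam_hat: float, t_w: int) -> Reply:
    """Honest neighbor v answers the PROBE of `prober` using K_{prober v}."""
    key = pairwise_key(keys, prober, v)
    if key is None:
        raise ValueError("no pairwise key with " + prober)
    return Reply(v, nonce, lam_hat, t_w, reply_mac(key, nonce, lam_hat, t_w))


def count_valid_replies(keys, prober: str, nonce: bytes, replies: Iterable[Reply]) -> int:
    """Distinct neighbors whose REPLY echoes our nonce and verifies under our shared key."""
    valid = set()
    for r in replies:
        if r.nonce != nonce:
            continue                      # replayed or unrelated REPLY
        key = pairwise_key(keys, prober, r.sender)
        if key is None:
            continue                      # no shared key: not an authenticated neighbor
        expected = reply_mac(key, r.nonce, r.lam_hat, r.t_w)
        if not hmac.compare_digest(r.tag, expected):
            continue                      # forged or tampered REPLY
        valid.add(r.sender)               # one vote per neighbor, however often it answers
    return len(valid)


def should_sleep(keys, prober: str, nonce: bytes, replies: Iterable[Reply], t: int) -> bool:
    """Go back to sleep only if at least t+1 authenticated, fresh REPLYs arrived."""
    return count_valid_replies(keys, prober, nonce, replies) >= t + 1


def demo(t: int = 1) -> dict:
    """Prober 'n' with two honest neighbors and t = 1 (so two valid REPLYs are needed)."""
    keys = {frozenset(("n", v)): secrets.token_bytes(16) for v in ("v1", "v2")}
    nonce = secrets.token_bytes(8)
    r1 = build_reply(keys, "n", "v1", nonce, 0.5, 300)
    r2 = build_reply(keys, "n", "v2", nonce, 0.4, 250)
    # Outsider without K_nv: REPLY with a huge T_w and a random tag (constructed).
    forged = Reply("v3", nonce, 0.01, 10**9, secrets.token_bytes(32))
    # Replay of a REPLY that v2 produced for an earlier PROBE (different nonce).
    replayed = build_reply(keys, "n", "v2", secrets.token_bytes(8), 0.4, 250)
    return {
        "two_honest": should_sleep(keys, "n", nonce, [r1, r2], t),
        "forged_and_replay": should_sleep(keys, "n", nonce, [r1, forged, replayed], t),
        "duplicate_sender": should_sleep(keys, "n", nonce, [r1, r1], t),
    }


if __name__ == "__main__":
    print(demo())
```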
8.2 Proposed Countermeasures for CCP
We present an extension of the CCP protocol that makes it resilient to outsider attackers. Further, a node can tolerate attacks by up to $K_s - 1$ compromised nodes within its transmission range $R_t$. We assume that nodes use the LEAP protocol both to establish pairwise keys with their neighbors and for local broadcast authentication.
We extend the CCP protocol in the following way. All the beacon messages broadcast by a node $n$ are authenticated using the mechanism provided by LEAP. In other words, each message includes a key from the one-way key chain that is maintained by each node. The keys in this key chain are revealed in the reverse order with respect to their generation. Further, each node only includes its own location in the HELLO message so that a node can only lie about its position. Thus, with this modification, when $R_t < 2R_s$, the protocol may elect a few more active nodes than actually necessary. This may not necessarily be negative since it increases the delivery ratio of the network, as shown in [5]. For example, the HELLO message that $n$ sends to its neighbors using the $j$th key of the chain would have the format:
$$n \rightarrow *: \mathit{HELLO},\ n,\ \mathit{pos},\ K_{n,j}$$
The identity of the sender $n$ is authenticated by the key that is included in the message; in fact, $n$ is the only one that knows that key. When a node $v$ receives a beacon message, it verifies the validity of the new key using the previous key it received from $n$. If the key is not valid, then $v$ discards the message because it could have been sent by a malicious node. The sequentiality of the keys also prevents replay attacks in which an adversary replays the messages sent by legitimate nodes when these nodes have failed or are in an inactive state.
The vulnerability of LEAP's one-way key chain mechanism discussed in [33] does not provide any real advantage to the adversary in the case of CCP. In order to turn off a legitimate node v, the adversary has to perform the attack on LEAP's local broadcast authentication mechanism for $K_s$ different neighbors of v (i.e., the adversary has to intercept the messages and maliciously modify the position fields of $K_s$ nodes). Moreover, the only field the adversary can change is the position field. In stationary sensor networks, this change can easily be detected.
Note that the minimum number of identities that are needed to keep a node in the sleep state is $K_s$. Thus, with our extension to CCP, an adversary has to compromise at least $K_s$ nodes within the transmission range to launch a snooze attack on n. If LEAP is used, the adversary cannot successfully use compromised identities at different locations in the network.
The number of nodes that have to be compromised by the adversary in order to launch the attacks described in Section 7.3 increases as the value of $K_s$ and the size of the target area increase. We can choose $K_s$ to achieve the desired resilience to node compromise.
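As an added example (not code from the paper, CCP or LEAP), the following Python models the extended beacon exchange described above: a sender reveals its one-way chain keys in reverse order of generation, a receiver verifies each HELLO against the last key it verified from that sender and discards replayed or forged keys, and a node only considers sleeping once $K_s$ distinct authenticated neighbors cover it. Node, make_hello, receive_hello, can_sleep and the values of $K_s$ and $R_s$ are assumptions; so are sending the key index j in the clear and tolerating a few lost beacons, since the paper checks only against the previous key.

```python
import hashlib
from dataclasses import dataclass, field

# Added example, not the paper's or CCP/LEAP code. Assumptions: the key index j is
# sent in the clear and each node learned its neighbours' chain commitment K_0
# during key setup; K_S, R_S and MAX_SKIP are constructed values.
K_S = 3        # coverage degree K_s
R_S = 10.0     # sensing range R_s in metres
MAX_SKIP = 3   # tolerated lost beacons; the paper checks only the previous key

def F(key: bytes) -> bytes:
    """One-way function of the chain: K_i = F(K_{i+1})."""
    return hashlib.sha256(key).digest()[:8]

def make_chain(seed: bytes, length: int) -> list:
    """Return [K_0, ..., K_length]; K_length = seed, K_0 = F^length(seed). K_1 is revealed first."""
    keys = [seed]
    for _ in range(length):
        keys.append(F(keys[-1]))
    keys.reverse()
    return keys

def within_sensing_range(a: tuple, b: tuple) -> bool:
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2 <= R_S ** 2

@dataclass
class Node:
    nid: str
    pos: tuple
    chain: list
    next_j: int = 1
    # sender id -> (index of last verified key, that key, sender's claimed position)
    neighbours: dict = field(default_factory=dict)

    def learn_commitment(self, other: "Node") -> None:
        """Key setup: record K_0 of a neighbour before any of its beacons is accepted."""
        self.neighbours[other.nid] = (0, other.chain[0], None)

    def make_hello(self) -> tuple:
        """Beacon  n -> * : HELLO, n, pos, K_n^j  with j the next unrevealed key."""
        j = self.next_j
        self.next_j += 1
        return ("HELLO", self.nid, self.pos, j, self.chain[j])

    def receive_hello(self, msg: tuple) -> bool:
        """Accept only a key that hashes back to the last key verified from n;
        replayed (old index) and forged (non-chaining) keys are discarded."""
        _, sender, pos, j, key = msg
        if sender not in self.neighbours:
            return False                 # no commitment for this identity
        last_j, last_key, _ = self.neighbours[sender]
        steps = j - last_j
        if steps < 1 or steps > MAX_SKIP:
            return False                 # replay, or too many beacons lost
        probe = key
        for _ in range(steps):
            probe = F(probe)
        if probe != last_key:
            return False                 # forged key: F cannot be inverted
        self.neighbours[sender] = (j, key, pos)
        return True

    def can_sleep(self) -> bool:
        """Sleep only when K_s distinct authenticated neighbours are within sensing range."""
        covering = {nid for nid, (j, _, p) in self.neighbours.items()
                    if j > 0 and within_sensing_range(self.pos, p)}
        return len(covering) >= K_S

def scenario() -> dict:
    """Constructed run: v hears three neighbours; one beacon is replayed, one is forged."""
    peers = [Node(c, (float(i), 0.0), make_chain(c.encode() * 4, 8))
             for i, c in enumerate("abc")]
    v = Node("v", (2.0, 1.0), make_chain(b"seed-v00", 8))
    for p in peers:
        v.learn_commitment(p)
    first = peers[0].make_hello()
    out = {"fresh_accepted": v.receive_hello(first)}
    out["replay_rejected"] = not v.receive_hello(first)
    forged = ("HELLO", "b", (50.0, 50.0), 1, b"\0" * 8)   # fabricated key under b's identity
    out["forged_rejected"] = not v.receive_hello(forged)
    out["sleep_with_one"] = v.can_sleep()
    for p in peers[1:]:
        v.receive_hello(p.make_hello())
    out["sleep_with_ks"] = v.can_sleep()
    return out
```

With fewer than $K_s$ authenticated covering neighbors the node stays awake, which is the property the paper relies on to bound the number of compromised identities an adversary needs.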
8.3 Performance Evaluation
The performance overhead of the countermeasures dis-
cussed above arises from two sources. First, we require all
messages to be authenticated, and this leads to both
computational overhead (for computing and verifying
MACs) and communication overhead (due to the increased
message sizes). Second, some of our countermeasures
involve modifications to the TMPs that lead to increased
storage costs per node (for maintaining additional state
information) and increased communication overhead.
In the following discussion, we analyze the authentication
overhead as well as the overhead for the protocol-specific
countermeasures. Note that we have not introduced new
messages in any of the protocols. Thus, our overhead is only
due to the authentication of messages, to some additional
storage costs, and to increased communication overhead.
8.3.1 Authentication Overhead
With regards to the overhead resulting from the addition of
authentication, we must point out that there is no additional
authentication requirement imposed by our countermea-
sures beyond what is already recommended for preventing
outsider attacks. Authentication is not only necessary for
securing topology maintenance protocols, but also for
securing any communication in sensor networks.
Our countermeasures rely on unicast messages being
authenticated using MACs, and local broadcast messages
being authenticated using the technique proposed in LEAP.
Note that the local broadcast authentication mechanism
proposed by LEAP involves attaching a single key to each
broadcast message. The TinySec [36] project demonstrated that adding a MAC increases the energy expenditure of sending a packet by less than three percent, and increases the latency of packet transmission by less than 1.6 percent.
We believe that these costs are reasonable and should not
be considered as overhead specifically for securing topol-
ogy maintenance protocols, but rather as the cost of
securing the communication in a sensor network.
An additional optimization is to run initially some kind
of node-to-node authentication protocol to make the
neighboring nodes trust one another; then any TMPs could
run as in the original working setup. In such a case, the local
broadcast authentication might be performed periodically,
if needed. This strategy might allow the reduction of the
authentication overheads incurred by the modifications in
the TMP protocols.
8.3.2 Storage Costs
The main storage cost imposed by our countermeasures for
all the protocols is for the storage required for pairwise keys
and the one-way key chain used for local broadcasts. In [33],
Zhu et al. analyze the storage requirements for LEAP and
show that it is reasonable even for the current generation of
sensor nodes.
PEAS. The additional state information required by a
node in order to maintain our modifications to PEAS is the
following: 1) a counter and a list of IDs for the received
REPLY messages and 2) a nonce to check the freshness of
the REPLY. The actual storage overhead would depend on
the implementation. For example, most routing or link layer
protocols use a neighbor table. Thus, in the event that we already have such a table, we do not need to store the ID of
the node that sent the REPLY. We can simply add a flag to
each entry in the neighbor table that is set when a REPLY
message is received from that node.
CCP. There is no additional storage cost for our
modifications to CCP beyond the cost of maintaining keys
for authentication.
8.3.3 Communication Overhead
The communication overhead for our countermeasures
arises from the increased message sizes mainly due to the
addition of MACs. As discussed above, the TinySec project
showed that this overhead is quite small (three percent). In
the case of the PEAS protocol, we require the PROBE and
REPLY messages to include a nonce. This would add two to
four bytes to each message, depending on the size of the
nonce that is used. In the case of ASCENT and CCP, we do
not require any changes to the format of the messages used
by the protocol.
Summary. Our countermeasures introduce a small over-
head on the protocols due to additional storage require-
ments and the increased energy cost for the computation
and inclusion of the MAC to authenticate messages. We
believe that the extra cost is reasonable considering the
potential cost of using vulnerable topology maintenance
protocols, e.g., being unable to obtain the desired connec-
tivity or sensing coverage, or even worse, having a region
controlled by the adversary without being aware of it.
8.4 Simulations
In this section, we describe the simulations that were
performed for the PEAS protocol and we show the
experimental results that were obtained. The goal of the
simulation is not only to provide experimental support to
the analytic results of the previous section, but also to study
the effects of the countermeasures on the network lifetime
and mainly, to verify that the modifications we introduced
do not compromise the stability of the network.
In the PEAS protocol, a node remains in the Sleeping state if it receives at least one REPLY from an active node during the probing phase, while the proposed countermeasures require the node to receive at least $t + 1$ REPLYs to remain in Sleeping. The effect of this change is not
studied in the overhead analysis, which only takes into
consideration additional costs for authentication, transmis-
sion, and memory to store state information of the node.
Therefore, the effects of our countermeasures on PEAS are
studied by performing simulations.
We do not show simulations for the CCP or ASCENT
protocols because the proposed countermeasures do not
present any mechanisms such that the stability of the
protocols could be modified, as in the case of PEAS. What
follows is a comparison of the results between the
simulations of the original PEAS and the version with the
countermeasures proposed in Section 8.1.
The simulations of the original PEAS are performed
using the implemented version of PEAS that we obtained
from the author of the protocol. The code is written in
PARSEC [37] language, and it is the same version used by
the author for the results presented in [4]. The simulations
of PEAS with our countermeasures are performed with a
version of the PEAS code that has been modified for this
analysis. The parameters that represent the node character-
istics are reported in Table 7. The values are similar to the
hardware characteristics of the Berkeley Motes [23] sensors.
Nodes are uniformly distributed in an area of $50 \times 50$ m$^2$ and they remain stationary after deployment. The source and the sink are placed in opposite corners of the area, and the source generates 20 data reports per minute (one report every 3 seconds). The reports are delivered to the sink using the GRAB [38] forwarding protocol. The probing range $R_p$ is set to 3 meters, and the initial per-node probing rate $\lambda$ is equal to 0.1 wake up/sec so that the number of working nodes quickly stabilizes. The desired aggregate probing rate $\lambda_d$ is chosen as 0.02 wake up/sec, that is, each active node should perceive a node wake up every 50 seconds. The node failure rate is set to 10.66 failures/5,000 seconds.
The following metrics are used to evaluate the protocols:
the Coverage Lifetime and the Connectivity Lifetime.
The Coverage Lifetime is defined as the time interval from
activation of the network until the percentage of the area
that is being monitored simultaneously by at least K
working nodes drops below a specified threshold. The
Coverage Lifetime characterizes how long the system
ensures that interested events are monitored with a
probability of success higher than the specified threshold.
The Connectivity Lifetime is defined as the time interval from
activation of the network until the percentage of the reports
delivered to the destination, with respect to the total
number of reports sent, drops below a specified threshold.
The threshold values for both the coverage and connectivity
measurements are chosen to be 90 percent, that is, the
coverage lifetime ends when the monitored area drops
below 90 percent of the total area to be monitored. The
connectivity lifetime ends when the number of reports
delivered to the destination drops below 90 percent of the
sent reports. The coverage degree $K$ is set to three, and the
minimum number of sensors in the network is 180; thus, we
are quite sure that we have enough nodes for 3-coverage in
the area. We perform simulations by increasing the node
populations by 90 devices per-step, until reaching a
maximum of 1,530 nodes. Given each population, the
results are the average over four simulation runs.
TABLE 7
Sensor Parameters for Simulations
Fig. 4. Network coverage lifetime.
Fig. 5. Network connectivity lifetime.
Figs. 4 and 5 show the coverage lifetime and the connectivity lifetime of the network, respectively, with increasing numbers of sensors. The curves represent the original PEAS protocol and the version with the proposed countermeasures, called Sec-PEAS (Secure-PEAS) below.
The graphs show the performance of Sec-PEAS for various choices of t, that is, with several choices of the number of REPLYs that are needed to make a node remain in the Sleeping state. As discussed in Section 8.1, the value t defines the resilience of Sec-PEAS to insider attackers. More precisely, an adversary has to compromise at least $t + 1$ nodes within the communication range of n to successfully attack node n. Therefore, the resilience of Sec-PEAS increases as t does. Moreover, the t value directly influences the density of active nodes in the network. In fact, a node in Probing goes back to Sleeping only if it receives at least $t + 1$ valid REPLYs. Hence, the density of active nodes increases as t does.
Note that the curve trends are similar, but as parameter t increases, the increment in network lifetime that is obtained is smaller because of the greater number of simultaneously active nodes. As a consequence, the greater the required resilience to adversaries, the lower the performance of Sec-PEAS. When t is zero, that is, when the number of requested REPLYs is equal to 1, the performance of the modified protocol is almost the same as the performance of the original one. Indeed, in this case ($t = 0$), the density of the simultaneously active nodes is the same as in the original protocol, and the only energy overhead introduced is due to the authentication of the exchanged messages. Hence, as we can deduce from the graphs, the cost of message authentication can be considered negligible. Compared to the PEAS simulations in [4], the simulations of the original protocol we performed in this study show an irregular pattern for the network connectivity lifetime, see Fig. 5. Indeed, in the [4] simulations, reports from the source to the sink are sent at a rate of 1 report/10 seconds, while in the simulations we performed for this analysis, the reports are sent at a rate of 1 report/3 seconds. It seems that the difference in pattern is due to the degradation of PEAS performance in the presence of a greater communication load in the network. Figs. 4 and 5 show that the stability of the network is not compromised by the proposed countermeasures. On the contrary, the increase in the number of simultaneously active nodes introduced by the countermeasures improves network performance on data delivery. In fact, the trend in the graph of Fig. 5 shows that the increase in the connectivity lifetime is less regular in the original PEAS protocol than in Sec-PEAS with a value of $t = 0$.
Graphs in Figs. 4 and 5 show the coverage lifetime and the connectivity lifetime of the network, respectively, when $R_p = 3$ meters. As previously noted, the number of simultaneously active nodes in Sec-PEAS is determined by the value of $R_p$ and the value of t, while the protocol resilience to attackers is only determined by t. Thus, one could choose a greater value of $R_p$ in order to increase the lifetime of the network that adopts Sec-PEAS, while leaving t unchanged. The results of such simulations are shown in Figs. 6 and 7, where the coverage and connectivity lifetime of the network are reported, respectively, for PEAS with $R_p = 3$, for Sec-PEAS ($t = 1$) with $R_p$ equal to 3, 4, and 5 meters, and for Sec-PEAS ($t = 4$) with $R_p$ equal to 3 and 4 meters.
Figs. 6 and 7 confirm the increase in network lifetime when $R_p$ increases. In particular, we can see that the performance of Sec-PEAS ($t = 1$) with $R_p = 5$ is comparable to the performance of the original PEAS protocol.
9 CONCLUSION
Based on our analysis of PEAS, CCP, and ASCENT, we can
make the following general observations with respect to the
security considerations in the design of topology main-
tenance protocols:
. Local broadcast, i.e., a broadcast in which the
recipients are limited to being one-hop neighbors
of the sender, is a frequent communication operation
used by TMPs. If these locally broadcast messages
are not authenticated, TMPs become highly vulner-
able to impersonation attacks launched by compro-
mised insiders. Most of the mechanisms that have
been proposed for (global) broadcast authentication
would appear to be too expensive for resource-
constrained sensor nodes. Thus, further research is
necessary in order to develop efficient mechanisms
that are tailored to local broadcast authentication in
sensor networks.
Fig. 6. Trend of the network coverage lifetime with increasing $R_p$.
Fig. 7. Trend of the network connectivity lifetime with increasing value of $R_p$.
. TMPs should be designed so that a node makes its
state transition decisions, e.g., a decision regarding
whether to sleep or remain active, based on input
from multiple neighbor nodes in order to be resilient
to false messages injected by malicious nodes.
. TMPs should be designed so that state transition decisions are revisited periodically. For example, without a periodic check of a node's eligibility to be in a sleeping or active state, it becomes possible for an adversary to launch a resource-consumption attack that results in a node staying in the active state until its energy is depleted.
Our analysis of the security of topology maintenance
protocols highlights the need for key management protocols
that are resilient to node cloning and replication attacks.
Lastly, we show that efficient mechanisms for local (one-
hop) broadcast authentication are also desirable.
REFERENCES
[1] A. Gabrielli, L.V. Mancini, S. Setia, and S. Jajodia, "Securing Topology Maintenance Protocols for Sensor Networks: Attacks and Countermeasures," Proc. First IEEE Int'l Conf. Security and Privacy for Emerging Areas in Comm. Networks (SecureComm '05), Sept. 2005.
[2] B. Chen, K. Jamieson, H. Balakrishnan, and R. Morris, "Span: An Energy-Efficient Coordination Algorithm for Topology Maintenance in Ad Hoc Wireless Networks," ACM Wireless Networks J., vol. 8, no. 5, pp. 481-494, Sept. 2002.
[3] A. Cerpa and D. Estrin, "ASCENT: Adaptive Self-Configuring Sensor Networks Topologies," IEEE Trans. Mobile Computing, vol. 3, no. 3, pp. 272-285, July/Aug. 2004.
[4] F. Ye, G. Zhong, S. Lu, and L. Zhang, "PEAS: A Robust Energy Conserving Protocol for Long-Lived Sensor Networks," Proc. 23rd IEEE Int'l Conf. Distributed Computing Systems (ICDCS '03), May 2003.
[5] X. Wang, G. Xing, Y. Zhang, C. Lu, R. Pless, and C. Gill, "Integrated Coverage and Connectivity Configuration in Wireless Sensor Networks," ACM Trans. Sensor Networks, vol. 1, no. 1, pp. 36-72, Aug. 2005.
[6] C. Karlof and D. Wagner, "Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures," Proc. First IEEE Int'l Workshop Sensor Network Protocols and Applications (SNPA '03), May 2003.
[7] Y. Xu, J. Heidemann, and D. Estrin, "Geography Informed Energy Conservation for Ad Hoc Routing," Proc. MobiCom '01, July 2001.
[8] Y. Xu, J. Heidemann, and D. Estrin, "Energy Conservation by Adaptive Clustering for Ad-Hoc Networks," Proc. MobiHoc '02, June 2002.
[9] Y. Xu, J. Heidemann, and D. Estrin, "Adaptive Energy-Conserving Routing for Multihop Ad Hoc Networks," Research Report 527, USC/Information Sciences Inst., Oct. 2000.
[10] F. Stajano and R. Anderson, "The Resurrecting Duckling: Security Issues for Ad-Hoc Wireless Networks," Springer-Verlag, Apr. 1999.
[11] D. Kejun, Z. Xingshe, Z. Xingguo, and L. Zhigang, "HETCP: A Hierarchical Energy Efficient Topology Control Protocol for Wireless Sensor Networks," Proc. Second Int'l Conf. Wireless Comm., Networking and Mobile Computing (WiCOM '06), Sept. 2006.
[12] I. Khalil, S. Bagchi, and N.B. Shroff, "SLAM: Sleep-Wake Aware Local Monitoring in Sensor Networks," Proc. 37th IEEE Int'l Conf. Dependable Systems and Networks (DSN '07), June 2007.
[13] E. Bulut and I. Korpeoglu, "DSSP: A Dynamic Sleep Scheduling Protocol for Prolonging the Lifetime of Wireless Sensor Networks," Proc. 21st Int'l IEEE Conf. Advanced Information Networking and Applications Workshops (AINAW '07), 2007.
[14] S. Hong, Y.-J. Choi, and S.-J. Kim, "An Energy Efficient Topology Control Protocol in Wireless Sensor Networks," Proc. Ninth Int'l Conf. Advanced Comm. Technology (ICACT '07), Feb. 2007.
[15] R. Mochaourab and W. Dargie, "A Fair and Energy-Efficient Topology Control Protocol for Wireless Sensor Networks," Proc. Second ACM Int'l Conf. Context-Awareness for Self-Managing Systems, May 2008.
[16] Y. Wang, F. Li, and T.A. Dahlberg, "Energy-Efficient Topology Control for Three-Dimensional Sensor Networks," Int'l J. Sensor Networks, vol. 4, nos. 1/2, pp. 68-78, 2008.
[17] K.A. Arisha, M.A. Youssef, and M.F. Younis, "Energy-Aware TDMA-Based MAC for Sensor Networks," Proc. IEEE Workshop Integrated Management of Power Aware Comm., Computing and Networking, May 2002.
[18] Time Synchronized Mesh Protocol (TSMP), http://www.dustnetworks.com/technology/tsmp.shtml, 2010.
[19] T. van Dam and K. Langendoen, "An Adaptive Energy-Efficient MAC Protocol for Wireless Sensor Networks," Proc. First Int'l Conf. Embedded Networked Sensor Systems (SenSys '03), Nov. 2003.
[20] I. Rhee, A. Warrier, M. Aia, and J. Min, "Z-MAC: A Hybrid MAC for Wireless Sensor Networks," Proc. Third Int'l Conf. Embedded Networked Sensor Systems (SenSys '05), Nov. 2005.
[21] P. Santi, "Topology Control in Wireless Ad Hoc and Sensor Networks," ACM Computing Surveys, vol. 37, no. 2, pp. 164-194, June 2005.
[22] G. Anastasi, M. Conti, M.D. Francesco, and A. Passarella, "How to Prolong the Lifetime of Wireless Sensor Networks," Mobile Ad Hoc and Pervasive Communications, M. Denko and L. Yang, eds., Chapter 6, Am. Scientific Publishers, 2006.
[23] MICA Sensor Node, http://www.xbow.com, 2010.
[24] Y.W. Law, L. van Hoesel, J. Doumen, P. Hartel, and P. Havinga, "Energy-Efficient Link-Layer Jamming Attacks against Wireless Sensor Network MAC Protocols," Proc. Third ACM Workshop Security of Ad Hoc and Sensor Networks (SASN '05), Nov. 2005.
[25] W. Xu, K. Ma, W. Trappe, and Y. Zhang, "Jamming Sensor Networks: Attack and Defense Strategies," IEEE Networks Special Issue on Sensor Networks, vol. 20, no. 3, pp. 41-47, May/June 2006.
[26] J. Newsome, E. Shi, D. Song, and A. Perrig, "The Sybil Attack in Sensor Networks: Analysis & Defenses," Proc. Third IEEE/ACM Int'l Symp. Information Processing in Sensor Networks (IPSN '04), Apr. 2004.
[27] L. Lazos, R. Poovendran, and S. Capkun, "ROPE: Robust Position Estimation in Wireless Sensor Networks," Proc. Fourth IEEE/ACM Int'l Symp. Information Processing in Sensor Networks (IPSN '05), Apr. 2005.
[28] Y. Zhang, W. Lee, and Y.-A. Huang, "Intrusion Detection Techniques for Mobile Wireless Networks," ACM Wireless Networks, vol. 9, no. 5, pp. 545-556, Sept. 2003.
[29] S. Zhong, J. Chen, J. Yang, and R. Yang, "Sprite: A Simple, Cheat-Proof, Credit-Based System for Mobile Ad-Hoc Networks," Proc. IEEE INFOCOM '03, Apr. 2003.
[30] S. Zhu, S. Setia, S. Jajodia, and P. Ning, "An Interleaved Hop-by-Hop Authentication Scheme for Filtering of Injected False Data in Sensor Networks," Proc. IEEE Symp. Security and Privacy (S&P '04), May 2004.
[31] B. Parno, A. Perrig, and V. Gligor, "Distributed Detection of Node Replication Attacks in Sensor Networks," Proc. IEEE Symp. Security and Privacy (S&P '05), May 2005.
[32] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and D. Tygar, "SPINS: Security Protocols for Sensor Networks," Proc. MobiCom '01, July 2001.
[33] S. Zhu, S. Setia, and S. Jajodia, "LEAP: Efficient Security Mechanisms for Large-Scale Distributed Sensor Networks," Proc. 10th ACM Int'l Conf. Computer and Comm. Security (CCS '03), citeseer.ist.psu.edu/zhu03leap.html, Oct. 2003.
[34] R. Di Pietro, L.V. Mancini, and A. Mei, "Energy Efficient Node-to-Node Authentication and Communication Confidentiality in Wireless Sensor Networks," ACM Wireless Networks J., vol. 12, no. 6, pp. 709-721, Dec. 2006.
[35] L. Lamport, "Password Authentication with Insecure Communication," Comm. ACM, vol. 24, no. 11, pp. 770-772, Nov. 1981.
[36] C. Karlof, N. Sastry, and D. Wagner, "TinySec: A Link Layer Security Architecture for Wireless Sensor Networks," Proc. Second ACM Conf. Embedded Networked Sensor Systems (SenSys '04), Nov. 2004.
[37] Parsec Language, Parallel Computing Laboratory, Computer Science Department, UCLA, http://pcl.cs.ucla.edu/projects/parsec/, 2010.
[38] F. Ye, G. Zhong, S. Lu, and L. Zhang, "A Robust Data Delivery Protocol for Large Scale Sensor Networks," Proc. Second Int'l Workshop Information Processing in Sensor Networks (IPSN '03), Apr. 2003.
Andrea Gabrielli received the Laurea degree
in computer science in 2005 from the Diparti-
mento di Informatica, University of Rome La
Sapienza, where he is currently working
toward the PhD degree, under the supervision
of Professor Luigi V. Mancini, while on leave
from a permanent position of System Admin-
istrator at the same university. From May to
November 2004, he was a visiting scientist at
the CSIS of GMU. From 2006 to 2008, he
worked as a system administrator at Italian Interuniversities Con-
sortium for Supercomputing Applications (CASPUR). His main
research interests include: computer network security, security and
privacy for RFID, and wireless ad hoc network security.
Luigi V. Mancini received the PhD degree in
computer science from the University of New-
castle upon Tyne, United Kingdom, in 1989,
and the Laurea degree in computer science
from the University of Pisa, Italy, in 1983. Since
2000, he has been a full professor of computer
science in the Dipartimento di Informatica at
the University of Rome La Sapienza. His
current research interests include: computer
network and information security, secure multi-
cast communication, public key infrastructure, authentication protocols,
system survivability, computer privacy, wireless network security, fault-
tolerant distributed systems, and large-scale peer-to-peer systems. He
published more than 80 scientific papers in international conferences
and journals such as: ACM TISSEC, IEEE TC, IEEE TKDE, IEEE
TPDS, and IEEE TSE. He is the founder of Information and
Communication Security (ICSecurity) Laboratory, and currently, he is
the director of the master's degree programs in information and
network security at the University of Rome La Sapienza.
Sanjeev Setia received the PhD degree from
the University of Maryland, College Park, in
1993. He is a professor of computer science at
George Mason University. His research interests
are in ad hoc and sensor networks, network
security, and performance evaluation of compu-
ter systems. In recent years, he has worked
extensively on security mechanisms and proto-
cols for ad hoc and wireless sensor networks.
He was a cofounder of the ACM Workshop on
Security in Ad Hoc and Sensor Networks (SASN), and served as its
coorganizer in 2003 and 2004. His research has been funded by the US
National Science Foundation (NSF), NASA, and US Defense Advanced
Research Projects Agency (DARPA).
Sushil Jajodia received the PhD degree from
the University of Oregon, Eugene. He is a
university professor, BDM international profes-
sor of information technology, and the director
of Center for Secure Information Systems at
the George Mason University, Fairfax, Virginia.
He joined Mason after serving as the director
of the Database and Expert Systems Program
at the US National Science Foundation. Before
that he was the head of the Database and
Distributed Systems Section at the Naval Research Laboratory,
Washington, and an associate professor of computer science and
the director of Graduate Studies at the University of Missouri,
Columbia. He has also been a visiting professor at the University of
Milan and University of Rome La Sapienza, Italy, and the Isaac
Newton Institute for Mathematical Sciences, Cambridge University,
England. The scope of his research interests encompasses informa-
tion systems security, distributed databases, and temporal databases.
He has authored six books, edited 34 books and conference
proceedings, and published more than 350 technical papers in the
refereed journals and conference proceedings. He is the founding
editor-in-chief of the Journal of Computer Security and the consulting
editor of the Springer International Series on Advances in Information
Security. He is a senior member of the IEEE. More information about
his research can be found at http://csis.gmu.edu/jajodia.