2-Thesis-Secure Routing Protocols For

}w
!"#$%&'()+,-./012345<yA|
M ASARYK U NIVERSITY
FACULTY OF I NFORMATICS
Secure Routing Protocols for

Wireless Sensor Networks
M ASTER ’ S T HESIS
Bc. Jiřı́ Kůr
Brno, spring 2008

Declaration
Hereby I declare, that this paper is my original authorial work, which I

have worked out by my own. All sources, references and literature used or
excerpted during elaboration of this work are properly cited and listed in
complete reference to the due source.
Advisor: Mgr. Petr Švenda
ii
Acknowledgement
I express my gratitude to Petr Švenda for introducing me into the prob-

lematic of evolutionary algorithms and for our fruitful discussions. I am
grateful to my sister Hanka for the language corrections.
iii
Abstract
In this thesis, we examine the security aspects of wireless sensor networks

with emphasis on security of routing. Several secure routing protocols are
reviewed and their security is evaluated. In the second part of the thesis,
concept for automatic attack generation and introduction to evolutionary
algorithms are presented. Usability of the concept was verified using evo-
lutionary algorithms. Several attacks on routing protocols were generated.
The impact of generated attacks is discussed with respect to countermea-
sures.
iv
Keywords
Wireless Sensor Network, Routing, Security, Evolutionary Algorithms
v
Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2 Wireless sensor networks . . . . . . . . . . . . . . . . . . . . . . . 2
2.1 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.2 Hardware characteristics . . . . . . . . . . . . . . . . . . . . . 3
2.3 Security in WSN . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3.1 Security goals . . . . . . . . . . . . . . . . . . . . . . . 5
2.3.2 Key management . . . . . . . . . . . . . . . . . . . . . 5
2.3.3 Attacker model . . . . . . . . . . . . . . . . . . . . . . 6
3 Secure Routing in WSNs . . . . . . . . . . . . . . . . . . . . . . . 8
3.1 Attacks on routing . . . . . . . . . . . . . . . . . . . . . . . . 9
Bogus routing information . . . . . . . . . . . . . . . 9
Selective forwarding . . . . . . . . . . . . . . . . . . . 9
Sinkhole attack . . . . . . . . . . . . . . . . . . . . . . 9
HELLO flood attack . . . . . . . . . . . . . . . . . . . 10
Wormhole attack . . . . . . . . . . . . . . . . . . . . . 10
Acknowledgement spoofing . . . . . . . . . . . . . . 10
Sybil attack . . . . . . . . . . . . . . . . . . . . . . . . 10
Denial of Service . . . . . . . . . . . . . . . . . . . . . 11
3.2 Towards secure routing . . . . . . . . . . . . . . . . . . . . . . 11
3.2.1 µTesla . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2.2 ARMS . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.3 Secure routing protocols . . . . . . . . . . . . . . . . . . . . . 14
3.3.1 Scure Implicit Geographic Forwarding . . . . . . . . 14
IGF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
SIGF-0 . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
SIGF-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
SIGF-2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.3.2 Secure Directed Diffusion . . . . . . . . . . . . . . . . 17
3.3.3 SeRINS . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.3.4 A Clean-Slate Approach . . . . . . . . . . . . . . . . . 21
4 Introduction to Evolutionary Algorithms . . . . . . . . . . . . . . 23
4.1 Population of individuals and their representation . . . . . . 23
vi
4.2 Genetic operators . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.3 Fitness function and selection operator . . . . . . . . . . . . . 24
5 Automatic design of attack strategy . . . . . . . . . . . . . . . . . 25
5.1 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
5.2 Basic concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.2.1 Elementary rules . . . . . . . . . . . . . . . . . . . . . 26
5.2.2 Generation of attack strategy . . . . . . . . . . . . . . 28
5.2.3 Translation . . . . . . . . . . . . . . . . . . . . . . . . . 29
5.2.4 Strategy execution . . . . . . . . . . . . . . . . . . . . 29
5.2.5 Fitness function evaluation . . . . . . . . . . . . . . . 29
5.3 Concept realization via evolutionary algorithms . . . . . . . 29
5.3.1 Attacker model revised . . . . . . . . . . . . . . . . . 30
5.3.2 Evolutionary algorithms and genome structure . . . 32
Triggers . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Instructions . . . . . . . . . . . . . . . . . . . . . . . . 35
5.3.3 Network simulator . . . . . . . . . . . . . . . . . . . . 36
5.3.4 Fitness functions . . . . . . . . . . . . . . . . . . . . . 37
5.4 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
5.4.1 Minimum Cost Forwarding . . . . . . . . . . . . . . . 39
Forging beacons . . . . . . . . . . . . . . . . . . . . . 40
Selective forwarding . . . . . . . . . . . . . . . . . . . 40
5.4.2 Implicit Geographic Forwarding . . . . . . . . . . . . 41
Rushing attack . . . . . . . . . . . . . . . . . . . . . . 42
MAC layer jamming . . . . . . . . . . . . . . . . . . . 43
Neighborhood congestion . . . . . . . . . . . . . . . 44
5.4.3 Experience and future work . . . . . . . . . . . . . . . 44
6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
A Example of generated attack strategy . . . . . . . . . . . . . . . . 52
vii
Chapter 1
Introduction
Sensor nodes are tiny, low-cost devices equipped with environment sensors
and radio for wireless communication. These sensor nodes may constitute
the network for monitoring physical phenomena. Such network is called
Wireless Sensor Network (WSN). Wireless sensor network consists of high
number (102 − 106 ) of sensor nodes and one or few powerful devices acting
as gateways. Wireless sensor networks can be utilized in a broad variety
of applications ranging from battlefield surveillance in military, through re-
mote patient monitoring in medicine to forest fire detection in environmen-
tal applications. Majority of WSN applications require at least some level
of security. In order to achieve the needed level, secure and robust routing
is necessary. However, routing protocols for WSN were not designed with
security requirements in mind. Karlof and Wagner [KW03] triggered a rev-
olution in this field by proposing a comprehensive study on the security
of routing in wireless sensor networks. They showed that all the protocols
were then prone to simple attacks. Since then, security of routing has be-
come a hot topic and several secure routing protocols were proposed.
In this thesis, we aim to review the issue of secure routing in wireless
sensor networks. We first introduce the concept of wireless sensor networks
and outline their security aspects. In the second chapter, we examine se-
lected secure routing protocols and evaluate their benefits and drawbacks.
We also describe common attacks on routing protocols.
The second half of the thesis deals with the problem of the attack strate-
gies’ automatic generation and presents our results. We introduce the con-
cept of Evolutionary Algorithms (EA) in the chapter 4. In the next chapter,
we present our concept for automatic design of attack strategies. We use
this concept to discover attacks on routing algorithms. We summarize the
results and outline the future work in the conclusion.
1
Chapter 2
Wireless sensor networks
Wireless Sensor Network is a heterogenous network composed of a large

number of tiny low-cost devices, denoted as nodes, and few general-purpose
computing devices referred to as base stations. The general purpose of wire-
less sensor network is to monitor some physical phenomena (e.g., tem-
perature, barometric pressure, light) inside the area of deployment. The
basic units of WSN are nodes (sometimes called motes). These nodes are
equipped with communication unit, mostly the radio transceiver, process-
ing unit, battery and sensors. Due to the size and expected costs of the
nodes, they are constrained in processing power and energy. The number
of nodes deployed in WSN can vary from tens to tens of thousands depend-
ing on the particular application. Nodes can be deployed, for example, by
precise placing one by one into predefined positions or by dropping from
the plane. Their positions can be static or mobile. Networks with nodes
in static positions are more common. Nodes have to be autonomous and
the network itself has to be self organizing. They are also prone to failures,
thus the topology of the network changes very often. Beside resource lim-
ited nodes, the wireless sensor network includes one or more base stations
(sometimes called sinks). These base stations have more resources and ca-
pabilities than the nodes. Assume base stations might have laptop capabili-
ties. They act as gateways between the sensor network and other networks,
e.g. Internet. They can also somehow coordinate the nodes. In most com-
mon application scheme, the nodes collect measured data and send them
to the base stations, which forward them to the consumer.
2.1 Applications
There is a broad variety of applications for wireless sensor networks. These

applications can be divided into five categories [ASSC02]: military, envi-
ronmental, health, home and other commercial applications. In military, the
wireless sensor networks can be used for battlefield surveillance, sniper lo-
2
2. W IRELESS SENSOR NETWORKS
cation or to detect the chemical or biological attacks. Sensor network can

also be greatly beneficial for the environment. For example, it can detect
forest fires or help researchers to monitor animal habits. Important applica-
tion area is medical environment, where nodes can collect patient’s physio-
logical data. In commerce, wireless sensor networks can be deployed in car
tracking systems or used for securing buildings, temperature regulation in
offices, etc.
2.2 Hardware characteristics
Sensor nodes are small, low-cost and battery supplied devices. Therefore
the concept of WSNs is quite challenging. There are two main constraints,
the low processing power of the nodes and the capacity of their batteries.
The former constraint directly determines the algorithms we can use.
For example, we cannot use asymmetric cryptography or maintain large
routing tables. Since the priority in the development is to minimize cost,
size and power consumption, there is only a small chance of a significant
improvement of computational power and memory in the near future.
The later constraint influences the properties of used algorithms indi-
rectly. Capacity of the batteries is essential for the node’s lifetime. Often it
is impossible or not intended to be possible to change batteries. Therefore
the lifetime and usability of the network depends on their capacity and on
the consumption of the nodes. Energy consumption is closely related to the
algorithms implemented. For example, the biggest energy consumer is ra-
dio transceiver, hence the communication between nodes is very expensive
in terms of node’s energy resources. Efficient algorithms must take this into
an account.
The batteries are dominating part of the node in terms of size. The size
of the node is thus directly proportional to a capacity of its batteries.
Here are the parameters of typical today sensor node, TMote Sky [TM006]:
• size: 65 x 32 x 7 (mm, excluding battery pack)
• 16-bit RISC processor, 8MHz clock frequency, 48KB flash memory,

10KB RAM
• 1024KB of external flash memory to store data and code
• radio: RF frequency 2400 Mhz, bandwidth 250Kbps, with internal an-

tenna outdoor range reaches 125m, indoor range up to 50m
• tinyOS operating systems
3
Figure 2.1: TMote Sky sensor node. Figure taken from [TM006]
• 2xAA battery
• lifetime > 1 year using sleep modes
• senors: temperature, humidity, light
Contrary to the nodes, base station is assumed to have laptop capabili-

ties and unlimited energy resources. More on wireless sensor network prin-
cipals can be found in [ASSC02].
2.3 Security in WSN
Majority of sensor network applications require strong security features.

This requirement is obvious in case of military applications or applications
working with sensitive personal data, like health or home applications.
However security is a very demanded property also in commercial appli-
cations, where information means a competitive advantage and all assets
have to be protected. Also environmental applications need some level of
security, at least in terms of robustness against accidental errors and van-
dalism.
Nodes have two properties, which have critical impact on the security
of WSNs, and which both are caused by the small size and low costs of the
nodes. First, the nodes are not considered tamper resistant. Attacker with
physical access to the node can extract the keys and other sensitive data
from the node relatively easily. Attacker can then also turn the node into a
malicious one by uploading malicious firmware into it. Second, the node is
limited in resources, consequently only some security mechanisms can be
applied.
Contrary to nodes, base station is considered tamper-resistant and trusted.
4
It also has much greater capabilities, suppose it may have lap-top capabili-
ties and unlimited energy supply.
2.3.1 Security goals
The security goals in sensor networks are similar to those in traditional net-
works. We require confidentiality, integrity, authenticity, freshness, anonymity
and availability of service.
Confidentiality, integrity and authentication are traditionally provided
by an end-to-end mechanisms on high layers of ISO/OSI model, like SSL/TLS
or SSH. But sensor networks often require in-network processing of the
messages, like data aggregation, to be efficient and thus end-to-end ap-
proach is not in use. Therefore link-layer security architectures such as Tiny-
Sec [KSW04] and mechanisms for securing node-to-node communication
[PST+ 02] are of a great interest in sensor networks.
Freshness, anonymity and availability of service should be provided by
a secure routing protocol. There are several other security features of the
ideal secure routing protocol. For example an attacker should not be able to
abuse the routing algorithm to shorten the network’s lifetime. Or he should
not be able to significantly slow down the traffic or increase latency. How-
ever these features are application specific and it is unlikely to design uni-
versal secure routing algorithm with all such properties.
2.3.2 Key management
Poor sensor node’s capabilities prevent us from massive use of expensive

(in terms of computational resources) public key cryptography based on
RSA or complexity of discrete logarithm problem. However some new de-
signs [PLGP06] propose to use public key cryptography based on ellip-
tic curves, which is less computationaly complex. They assume that every
node contains a public key of a single trusted authority and is able to verify
corresponding digital signature. It is questionable whether the public key
cryptography will be available in sensor networks in the near future. Pri-
mary aim is to miniaturize the node and to decrease its cost, not to increase
its processing power. However there are more and more schemes employ-
ing asymmetric cryptography and we feel that its use has an increasing
tendency.
Because of the limited processing power, symmetric cryptography is
dominant in sensor networks. There are several schemes of key sharing
among the nodes and base stations. We will examine the most common of
5
them. Single key shared among all nodes: Simple, but weak scheme. Com-
promission of a single node compromise the whole network. This scheme is
sometimes used for establishing the keys between each pair of neighboring
nodes. It assumes, that attacker needs some time to compromise the node.
During this time the new keys are established and globally shared key is
erased. Every node shares a unique key with base station: Keys can be in-
serted into nodes off-line, prior to their deployment. Compromission of a
single node compromise only its own key. Frequent assumption of security
protocols. Each pair of neighboring nodes shares a key: Also common as-
sumption. Frequently applied together with previous scheme. Enables hop-
by-hop encryption and in-network processing, therefore it is convenient for
sensor network. However in most applications, keys cannot be preinstalled
and must be distributed after deployment. Suppose we deploy the nodes
by dropping them from the plane. We do not know, which nodes will be
neighbors and which not. The neighborhood is established during the de-
ployment process and keys have to be distributed afterwards. This task is
nontrivial and requires additional assumptions and complex key distribu-
tion protocol [EG02, PST+ 02, ZSJ03].
2.3.3 Attacker model
Karlof and Wagner have proposed following attacker model [KW03] suit-
able for sensor networks and routing. There are two types of attacker: mote-
class attacker and laptop-class attacker. Mote-class attacker has one or few
nodes with capabilities similar to a legitimate node. On the other hand,
laptop-class attacker has a powerful device with capabilities comparable to
laptop. He is not energy constrained and can have more sensitive antenna
and more powerful radio. Another distinction can be made between insider
attacks and outsider attacks. Insider attacks deal with a legitimate partici-
pants of the network behaving in a malicious way, whereas outsider attacks
are mounted by outsider who is not the part of the network. However out-
sider can eavesdrop the communication easily due to the broadcast nature
of a wireless communication.
Attacker can be modeled also with respect to the Needham-Schroeder
model [NS78]. Needham and Schroeder assume that ”an intruder can intr-
pose a computer on all communication paths, and thus can alter or copy
parts of messages, replay messages, or emit false material”. This model
was extended to node-compromise model [EG02], which further assume:
1) keys can be loaded into the nodes in the secure way before the nodes are
deployed. 2) the attacker is able to compromise only a fraction of the nodes.
6
3) attacker can extract all keys from compromitted node and 4) attacker is
able to monitor only fraction of links during the short time period after the
deployment of the nodes. This means that there is something like period of
protection for nodes after deployment.
7
Chapter 3
Secure Routing in WSNs
Routing techniques in wireless sensor networks are influenced by two fac-

tors. First, it has to deal with hardware and resource constraints. The rout-
ing algorithm has to be energy aware, thus minimize the control informa-
tion flows and communication. Routing table maintenance is limited by
memory capacity. Second, the nature of sensor network applications de-
fines traffic patterns, which are different from the traditional ones. In sen-
sor networks, it is not necessary to support communication between any
pair of nodes, the dominant traffic is one-to-many (base station multicast),
many-to-one (data sent to the base station) and local communication be-
tween neighbors. As the resources are limited and the number of nodes is
large, wireless sensor network usually does not support global addressing,
that brings high overhead. It often trade on its data centric character in-
stead and deploys attribute-based addressing. This means the base station
sends queries for data with specific properties. However routing technique
is strongly dependent on the particular application for which the wire-
less sensor network is used. Each application has different requirements
on routing.
Today routing techniques can be divided into three categories [AKK04]
based on the network structure: flat-based, hierarchical-based and location-
based routing. In flat-based routed networks, each node plays the same
role, due to the large number of nodes the global addressing is not sup-
ported, the data-centric approach is used instead. Typical algorithms in this
category are Direct Diffusion and Sensor Protocols for Information via Ne-
gotiation (SPIN). The hierarchical-based (sometimes called cluster-based)
algorithms are used in networks, where the nodes are organized into clus-
ters and route the information via special nodes denoted as cluster heads.
The main benefit of such routing algorithms is data aggregation, which
saves energy and increases efficiency. The typical representative of this cat-
egory is Low Energy Adaptive Clustering Hierarchy (LEACH). Location-
based routing uses node’s location for addressing. The position of a node
can be relative to its neighbors or absolute, detected, for example, by GPS.
8
3. S ECURE R OUTING IN WSN S
To this category are included geographic routing algorithms like Geographic

and Energy Aware Routing (GEAR) or Geographic Forwarding (GF).
3.1 Attacks on routing
Since the concept of sensor networks originates from the wireless ad-hoc
networks, many attacks on wireless ad-hoc networks can be adapted for
sensor networks. Sybil attack is such an example [NSSP04]. Karlof and Wag-
ner [KW03] show another types of attacks and furthermore they propose
two novel attacks – HELLO floods and sinkholes. Denial of Service attacks
on sensor networks are studied by Stankovic and Wood [WS02]. We present
a brief summary of major attack classes here.
Bogus routing information
The basic method how to influence routing is to change the routing in-
formation. An adversary spoofs, alters or replays routing information. By
these methods he can create loops in routing, increase latency, extend the
paths or attract the traffic to the chosen node.
Selective forwarding
Selective forwarding is a variant of the DoS attack. Malicious node forwards

only a chosen packets and drops the rest. Attacker has to be included in the
path of the data flow to mount selective forwarding. To do so, he can use
can use Sybil attack or sinkhole attack. The ultimate variant of this attack is
called a Black hole attack. In such case, all the packets are dropped. How-
ever node behaving like a Black hole can be easily detected by the neighbor-
ing nodes, considered as dead and excluded from the routing path. There-
fore dropping only some messages may be more beneficial for the attacker.
Sinkhole attack
The goal of the sinkhole attack is to attract as much of the traffic as possi-
ble to the malicious node. The principle of this attack is that the malicious
node tries to look very attractive for other nodes with respect to the routing
algorithm. This goal can be achieved, for example, by spoofing the route
advertisement or by providing a high-quality path to the base station using
wormhole attack. Sinkhole can be further used for selective forwarding,
which is very efficient and easy in that case.
9
HELLO flood attack
In some protocols, nodes announce themselves to the neighbors by broad-

casting the HELLO packets. Node receiving such packet concludes, that the
broadcasting node is his neighbor and is within the normal radio range. A
lap-top class attacker can use a powerful radio to send HELLO packets to
nodes, which are far more distant than the normal radio range from him.
These nodes will send their messages to oblivion trying to reach the neigh-
bor, which is not in their radio range.
Wormhole attack
Wormhole is a low-latency out-of-band channel used to connect two distant

part of the network. Wormhole attack exploits the routing race conditions.
This means that message, which should normally traverse multiple nodes,
traverse only single one and hence is delivered in a much less time. Time
of the delivery can be important for the routing scheme, especially if the
influenced message contains routing information.
The attacker can send replayed packets through the wormhole to per-
suade two distant nodes that they are neighbors. He can, for example, cre-
ate wormhole between the base station and a node at the opposite side of
network, thus instead of multiple hops the node appears to be only single
hop from the base station. Therefore it becomes a sinkhole for his neighbors
providing low-latency route to the base station.
Acknowledgement spoofing
Acknowledgement spoofing focus on the algorithms using link layer ac-

knowledgements. An attacker spoofs these acknowledgements to persuade
the node, that its dead neighbor is alive or that the weak link is reliable. The
impact is similar to selective forwarding, chosen packets are lost with high
probability.
Sybil attack
In the sybil attack, the attacker simulates multiple nodes and advertise mul-
tiple identities to the rest of the network. By this, he can cripple even the
robust multipath routing algorithms, because the bulk of the paths (even
all) may pass through him. In geographic routing, attacker’s node can be
virtually at more locations simultaneously and thus influence routing algo-
10
rithm. Sybil attack in general means serious threat not only for routing, but
also for other algorithms such as voting algorithm or distributed storage.
Denial of Service
Denial of Service represents more or less general class of attacks, that can be
mounted on several ISO/OSI layers of wireless sensor network, including
the network layer. Almost all above attacks, especially selective forwarding
and HELLO floods, can result in the denial of service.
3.2 Towards secure routing
Insecurity of routing algorithms is usually caused by missing authentica-

tion, freshness and integrity check of the routing information. This fact
is demonstrated in presented attacks. Spoofing of routing information or
acknowledgements is not be possible, if proper mechanisms ensuring in-
tegrity and authenticity are implemented. Sybil attack becomes more com-
plicated if authentication of nodes is present. Freshness of messages can
stop replay attacks.
We present two security concepts proposed for sensor networks in this
section. These concepts can be used to secure the existing routing proto-
cols or can be taken as a security primitives when designing new protocol.
They address the broadcast authentication problem, because broadcast is
frequently used to spread the routing information along the network.
3.2.1 µTesla
In several routing protocols [HSW+ 00, YCLZ01, AKK04], the base station
periodically broadcasts routing information or advertise itself as a base sta-
tion. Attacker can forge such broadcasted information in case it is not prop-
erly authenticated. To achieve authenticated broadcast, asymmetric cryp-
tography is traditionally used. However this approach is not suitable for
resource constrained sensor networks. Therefore, µTesla [PST+ 02] was de-
signed. It provides an efficient authenticated broadcast based on symmet-
ric cryptography. µTesla is the building block of the security architecture
for sensor networks called SPINS (Security Protocols for Sensor Network)
[PST+ 02]. Another building block is SNEP, which is used to achieve confi-
dentiality, integrity, authentication and freshness.
µTesla exploits the concept of one-way hash chain. Because this concept
is frequently used in secure routing protocols, we describe it in detail. Let
11
us assume that we have public one-way function F , and random number r.

The one-way hash chain of length n is the sequence of n numbers, where the
last number is r, and i − th number is obtained by application of function F
on (i+1)-th one, for 0 < i < n. Generation of one-way hash chain thus starts
by application of function F on r. The key property of this chain is, that
everyone can compute i-th item, having arbitrary j-th item, where i < j,
but not vice versa. One of the first applications of this chain was Lamport’s
scheme for one-time password generation [Lam81].
To make use of µTesla, each node has to share a secret key with the base
station. There also has to be a loose time synchronization between nodes
and the base station. Prior to the actual broadcast, the base station generates
the one-way hash chain of the length n with the random key Kn as the last
element, let us denote this chain as a one-way key chain. Then the derived
key K1 , first element of the one-way key chain, is delivered to all nodes
in an authenticated (not necessarily confidential) manner using their keys
shared with the base station.
The time is divided into uniform intervals. Note that we have loose time
synchronization. Base station associates each key of the key chain with one
interval. Hence in the interval i base station authenticates the packets with
the Message Authentication Code (MAC) using key Ki . The node receiving
these packets, stores them for further authentication. In the following time
interval, the base station reveals the key Ki . Receiving nodes use that key
to check authenticity of the packets stored in previous time interval and
verify the integrity and authenticity of the key by application of the one-
way function F on it. Note that the nodes already posses key Kv , where v <
i. If the verification of the key succeeds, Kv is replaced by Ki and the packet
is considered as authentic. In time interval i only packets authenticated by
key Ki are accepted. This prevents an attacker from using already revealed
key to spoof the packets.
µTesla has two drawbacks. The nodes have to keep the messages buffered,
because the authentication is delayed. It can be problem because of the lim-
ited memory of nodes. It also delays the propagation of routing informa-
tion. The second drawback is the need of loose time synchronization.
µTesla can be extended to provide authenticated broadcast not only for
base stations but also for nodes. Nevertheless, this model is not needed so
often. Nodes usually broadcast messages only to their neighbors and these
messages can be authenticated in more efficient way as showed in following
subsection.
12
Figure 3.1: ARMS. The relation between packets. i denotes the actual con-
tents of the packet. Message represents sequence F (Kn+1 )|Kn |i. Figure
taken from[LC06b]
3.2.2 ARMS
µTesla aims to authenticate broadcast messages from the base station. Un-
fortunately this scheme is not suitable for resource constraint nodes, which
are not able to maintain long one-way hash chain. Moreover, nodes typi-
cally performs only so called local broadcast, which means the packets are
broadcasted only to the neighbors. Authentication of a local broadcast can
be achieved in an efficient way using ARMS [LC06b] (An Authenticated
Routing Message in Sensor Networks). ARMS scheme assumes, that each
pair of neighboring nodes share a secret key. This assumption is reasonable
and can be achieved by several schemes [EG02, PST+ 02, ZSJ03]. As µTesla,
ARMS trade on the one-way hash chain principle. In contrast to µTesla, the
chain is extremely short and periodically renewed.
Prior to the actual broadcast, sender generates random key K1 . Then
he derives short one-way key chain F (K1 ), K1 , and sends the value F (K1 )
(commitment) to all the neighbors using authenticated unicast. Broadcasted
packet has then the form: [F (K2 )|K1 |i|M AC(K1 , message)], where F (K2 )
is a new commitment, i is the actual authenticated content, message is
[F (K2 )|K1 |i] and M AC(K, m) denotes MAC of m using key K. Since re-
ceiver knows previous commitment F (K1 ), he can immediately verify the
authenticity of key K1 and thus authenticity and integrity of the whole
packet. Concurrently, new commitment F (K2 ) is established. The relation
between subsequent packets is shown in the figure 3.1.
Note, that if a single message is lost, the phase of authenticated uni-
cast has to be repeated. For this reason, authors have extended the one-way
13
chain. In extended scheme, up to two messages can be lost without need

of restart. Unlike µTesla we do not require time synchronization, because
broadcast is only local and the messages are delivered in the same time to
all nodes. Thus attacker cannot forge any packet using just revealed key.
ARMS is very efficient, it require only 20 additional bytes per message.
Also memory requirements are very low (16 bytes for receiver, 48 bytes for
sender). The only problem can be the generation of random data. Sender
have to generate 8 bytes of random data per every two messages. However
these date could be obtained using for example noisy radio channel.
3.3 Secure routing protocols
Since Karlof and Wagner [KW03] drew the attention to the problem of se-
cure routing in sensor networks, several novel secure routing protocols
were proposed [DHM02, KLP03, LC06a, NC07, PLGP06, WFSH06, WYC04,
YM06]. Some of them can be considered completely secure, but some of
them prevents only selected types of attacks. We have encountered also few
protocols that were pretty secure, but with assumptions unsuitable for sen-
sor networks. In this section we deeper examine four secure routing pro-
tocols. We have selected protocols, which we consider innovative, efficient
and secure, and which come up with interesting ideas appropriate for fur-
ther use.
3.3.1 Scure Implicit Geographic Forwarding

Secure Implicit Geographic Forwarding (SIGF) [WFSH06] is a configurable
protocol family for secure routing. It consists of three protocols, which rep-
resent three security levels. The higher level inherits the capabilities from
the lower ones. SIGF extends the Implicit Geographic Routing (IGF) [BHSS03]
and thus can be included into location-based class of algorithms.
IGF
Implicit geographic routing is a stateless hybrid routing/MAC protocol.
The next hop is determined at the transmission time, during the MAC-layer
handshake. The IGF is build on RTS/CTS MAC protocol1 . In IGF, each node
is aware of its location. The routing procedure starts when a sender broad-
casts Open Request To Send (Open RTS) with its position S and destination
position D. Nodes located within the 60◦ sextant centered on the line from
1. IGF have originaly extended basic 802.11 DCF MAC protocol [IEE99]
14
S to D are considered as candidate nodes. Each of these nodes sets the Clear
To Send (CTS) response timer according to its distance from S, remaining
energy and the distance to center of sextant. The more suitable the node
is for forwarding the message the shorter time it sets. When the response
timer expires, the node sends CTS. Then the sender sends him the data.
Nodes hearing CTS cancel their timers.
Authors of SIGF have presented security analysis of IGF [WFSH06]. IGF
is robust and fault tolerant. It is safe against altering or spoofing the routing
information, because no one is sent. Furthermore neither HELLO floods nor
wormhole attacks have much effect, no routing tables are kept and routing
is dynamic and independent of routing information exchange. But Sybil at-
tack, Selective forwarding and DoS remains a threat for IGF. In Sybil attack,
a single node attacker can create multiple virtual nodes around the sending
node and thus increase the chance of being chosen. This attack can result
into selective forwarding or black hole. Simple, but very effective attack is
so called rushing attack. Malicious node ignores the CTS respond timer and
sends CTS immediately. On the other hand such behavior is easy to detect.
DoS attack can be performed by replaying either old ORTS message or old
CTS message. This confuses the neighboring or sending nodes forcing them
to restart their timers or send the data to oblivion.
SIGF-0
SIGF-0 is a simple extension of IGF. It allows us to configure several param-

eters of IGF. Unlike IGF, where the forwarding area is fixed to 60◦ sextant,
SIGF-0 supports enlarging of this area and thus takeing into account more
neighboring nodes. This decreases the chances of malicious nodes to be cho-
sen. In IGF, sender chooses the first CTS message he obtains, then closes the
collection window and sends the data. Contrary, in SIGF, sender keeps the
collection window opened for some time to obtain more CTS messages and
then chooses one of them. The choice can be made randomly or based on
some priority. Sender can also choose multiple nodes to increase the ro-
bustness of the algorithm. Last configurable settings of SIGF-0 is whether
the location of a node will be omitted or not in the CTS response timer cal-
culation.
Key difference between IGF and SIGF-0 is that IGF closes the CTS collec-
tion window after obtaining the first CTS, while SIGF-0 collects multiple of
them. Hence SIGF-0 is not so vulnerable against rushing attack. Although
it brings a small inefficiency, it significantly improves security.
15
SIGF-1
This variant inherits all the properties of SIGF-0. Furthermore it introduce
an inner state of the node. This state is initialized and maintained by the
node itself and it does not bring any communication overhead. SIGF-1 works
as SIGF-0, but the choice of a next hop is based also on the reputation value
assigned to each neighbor. This value is derived from the state informa-
tion stored and maintained by the node. The node keeps the number of
sent messages T , and several records for each neighbor node N : number
of messages sent to N ; number of messages actually forwarded by N (this
is determined by overhearing the traffic of node N ); last claimed location
of N ; average delay during forwarding of message (again determined by
overhearing). From these data node derives the reputation value of node N .
Candidates, which has the reputation value below a threshold are dropped
from the candidate list. This approach protects the algorithm against a Sybil
attack. Note that all options of IGF-0 still remains.
SIGF-2
SIGF-2 includes both previous variants and adds the use of cryptography
to prevent the DoS attack. It also ensures confidentiality, authenticity, in-
tegrity and freshness of the communication between neighboring nodes.
SIGF-2 require neighboring nodes to share the secret key. In addition, the
neighborhood key has to be establish to enable authenticated broadcast of
Open RTS message.
The integrity and authenticity of messages is ensured by Message Au-
thentication Code using shared key. Freshness is guaranteed by sequencing
the messages, for each neighbor node a counter is kept. SIGF-2 offers pay-
load encryption to keep data confidential and prevent eavesdropping. By
using authentication and sequencing, DoS attack is prevented as old mes-
sages are discarded by the nodes. However in case of compromitted node,
attacker can still mount such an attack. It is optional in SIGF-2, which type
of messages will be protected by cryptographic mechanisms. This gives the
user ability to set an appropriate level of security.
SIGF is a good example of routing protocol, which can be qualified as

secure. SIGF can be configured to a certain level of security and robustness.
One can easily trade off between security, efficiency and performance of the
algorithm. What’s more configuration can be done dynamically. For exam-
ple, system can be set to maximum performance and in case the attacker
16
is detected, the system can be reconfigured as a reaction to the attack. We

consider the configurability of SIGF as a great advantage. We also appre-
ciate the approach of IGF which integrate routing with the medium access
control. This significantly increases the performance and efficiency of the
overall system, which is important in limited wireless sensor networks. We
are aware of the fact, that mixing the ISO/OSI layers has also many draw-
backs and that IGF/SIGF is dependent on the particular MAC algorithm,
but WSNs are specific and one cannot expect truly universal solution. The
important limitation of IGF/SIGF is its essential assumption, that every
node knows its location. However we consider this assumption as justi-
fiable. Furthermore such equipped network can offer advanced services.
There are two ways to satisfy this assumption. In the first way, every node
is equipped with GPS. The second way uses few GPS equipped nodes and
mechanism of triangulation to determine the location of the rest of nodes.
Comparing the variants of SIGF, we would evaluate the SIGF-0 as the
best using cost/performance approach. It is very simple extension of IGF,
which provides variety of settings and adorable security properties for triv-
ial cost. SIGF-1 is also very paying. However in a high-density network, the
state maintenance can occupy significant part of a memory and the process
of overhearing can consume nontrivial amount of energy. SIGF-2 uses en-
cryption, which require key establishment and management. It is costly and
the benefits in terms of defense against DoS attack are very small. Since sen-
sor nodes are not tamper resistant, it is relatively easy for the attacker to be-
come part of the network and mount the attack anyway. Nevertheless once
the keys are distributed, the cryptography can provide additional services.
Hence the SIGF-2 mechanisms can be used in cooperation with other pro-
tocols. This could justify the cost. We would consider implementing ARMS
for authenticated local broadcast of Open RTS messages, instead of sharing
neighborhood key. ARMS would also provide implicit sequencing of the
Open RTS messages.
3.3.2 Secure Directed Diffusion
Directed Diffusion is a very important data-centric routing protocol for

Wireless Sensor Networks [IGE00]. However this protocol has several se-
curity shortcomings. Therefore Secure Directed Diffusion (SDD) [WYC04],
a secure variant of this protocol, was designed. SDD protocol makes use of
immediate TESLA [PCST01], that is a mechanism for authenticated broad-
cast.
Original Directed Diffusion has four phases. In the first phase, base sta-
17
tion broadcasts interest for data, which is named by attribute-value pair.

This interest floods the network and sets up gradients at each node. Gra-
dients specify data rate and direction in which to send data. Second phase
begin, when the interest reaches the node, which can satisfy it. That node
sends low-rate data along the reverse path of the interest dissemination.
At the end of this phase, base station receives low-rate data from multiple
paths. The next phase is reinforcement phase. Base station selects one par-
ticular path and sends reinforcement via this path in order to obtain higher
data rate. In the last phase, source node generates data at the requested rate
and sends it through the reinforced path. Not only base stations can rein-
force the path, but also node included in the path can. This enable to repair
broken paths. Also negative reinforcements are supported.
Directed Diffusion is vulnerable to attacks, because of missing authen-
tication and integrity checking. Karlof and Wagner [KW03] has shown sev-
eral attacks on Directed Diffusion. Attacker can spoof positive or negative
reinforcements in order to change the data flow. This may include him into
the path and result into selective forwarding, data tampering, DoS or eaves-
dropping. Attacker can also clone the data flow by rebroadcasting the inter-
est listing himself as a base station. Lap-top class attacker can create a sink-
hole using wormhole attack in combination with forged reinforcements.
SDD protocol adopts ideas of immediate TESLA protocol [PCST01] to
ensure authenticity and integrity of routing and data messages. Only sym-
metric cryptography is used and asymmetry is achieved by one-way hash
chain. The principle is similar to µTESLA described in section 3.2.1. SDD
protocol requires that there is only one base station and it shares a secret
key with each node. All nodes are also seeded with the first value k1 of
the one-way key chain, where only base station knows kn to be able to
authenticate its messages. SDD has the same phases as original Directed
Diffusion, but in each phase, the integrity and authenticity of origin of
the messages is protected. In the first phase, the base station floods mes-
sage M = (H(IN T ERESTx )|M AC(kx |H(IN T ERESTx ))), where H(m)
denotes hash of the message m, M AC(k, m) denotes Message Authentica-
tion Code of m using key k and | denotes concatenation. Suppose all nodes
have received message M after time t. Then base station floods another
message (IN T ERESTx |kx ). Now, node can verify that kx is from base sta-
tion by computing F x−1 (kx ) = k1 . Having kx , node can verify integrity and
authenticity of H(IN T ERESTx ) and subsequently of IN T ERESTX . The
same technique is used when sending reinforcements in the third phase.
Thus the interests and reinforcements cannot be forged or modified. No-
tice the drawback, that now the broken path cannot be repaired as in the
18
insecure Directed Diffusion, because only base station can send reinforce-
ments.
The data sent in the second and fourth phase by the source node are
also authenticated and its integrity is protected. In the phase of low-rate
data propagation, source node N floods
D = (H(DAT A1 )|M AC(kN 1 |H(DAT A ))|(k 1 ) |N ), where k 1 is the first
1 N SF N
key of the one-way key chain generated by node N , and (m)Sn denotes
encryption of m using key Sn shared between node N and base station.
Base station decrypts the key kN 0 and sends it in the authenticated way as
in first phase to all nodes on the path. After this source node N sends data
(DAT A1 |kN 2 |nonce1|N |(nonce1)
SN ), where N is the list of nodes. nonce1 is
used to ensure freshness. If node E receives this data, it sends
(DAT A1 |kN 1 |nonce1|N, E|((nonce1)
SN )SE ). The process continues until base
station receives the data. Base station can verify authenticity and integrity
of the data and also check the identity of the nodes on the path. Than base
station probabilistically selects one of the possible paths. In the last phase,
data are sent from the source node N in the similar authenticated way as the
interests and reinforcements, but in opposite direction. Sequence numbers
are also contained in the data to ensure freshness.
Secure Directed Diffusion is secure variant of popular data-centric pro-

tocol. Unlike the original one, it does not support data aggregation and
path recovery. On the other hand, it is resistant to almost all known at-
tacks. However there is a problem during the low-rate data propagation
phase. Possible paths are discovered and one is probabilistically selected.
The probability of attacker being on the path is proportional to the frac-
tion of paths including attacker and all the paths. Suppose the attacker A
overhears message (DAT A1 |kN 1 |nonce1|N, E|((nonce1)
SN )SE ). He can cre-
ate message
(DAT A1 |kN1 |nonce1|N, E, A|(((nonce1)
SN )SE )SA ) and thus introduce new
path. The more such paths are created the greater the probability for the at-
tacker to be on the selected path. The authors are aware of this attack. How-
ever they rely on the property of the original Directed Diffusion, that for
data dissemination the MAC unicast is used. We believe, that this is a poor
countermeasure. Unicast is not used for security purposes. It is still pos-
sible for an attacker to eavesdrop the communication. In addition, strong
attacker can use, for example, selective jamming to prune away the original
path.
19
3.3.3 SeRINS
Secure alternate path Routing IN Sensor networks [LC06a] is a routing pro-

tocol, which combines several existing security mechanisms together with
its neighbor report system to ensure secure routing. The goal of SeRINS is
to protect the network against insider, which launches selective forward-
ing or advertise bogus routing information. Authors of SeRINS assume
that attacker can compromise only small number of nodes. They also as-
sume, that each node shares a unique secret key with base station, and that
each pair of neighboring nodes agrees on the shared secret key. The last
assumption protects outsider attacker from joining the network, because
all communication is protected by hop-by-hop encryption. SeRINS consists
of three different schemes, an alternate path scheme, neighbor report sys-
tem, and neighbor authentication. An alternate path scheme establishes a
routing topology. Base station builds a tree with itself as a root by periodic
broadcast of routing information. There are two difference over the MCF or
TinyOS beaconing. First, the routing information packets are authenticated.
Second, each node keeps more than one parent node and hence multiple
paths to the base station exist. Regarding the authentication of the routing
updates, first hop from base station is authenticated using one-way hash
chain, so no one can impersonate base station, subsequent hops are authen-
ticated using neighbor authentication scheme. This scheme is no more than
ARMS scheme described in section 3.2.2. To mitigate the impact of the selec-
tive forwarding, multiple paths are established and for every packet one of
them is randomly chosen. The third scheme, neighbor report system, was
designed to identify and eliminate malicious nodes, which advertise bo-
gus routing information. All neighbor nodes checks the routing information
send by a node and if inconsistency is detected, malicious node is reported.
Decision whether reported or reporting node is malicious is done by base
station based on votes from neighboring nodes. Base station eliminates the
malicious node by flooding this information and revoking its keys. Under
given assumptions, SeRINS seems to be resistant to all known attacks men-

tioned in section 3.1. Sybil attack, Sinkhole attack, HELLO floods and ac-
knowledgement spoofing are impossible due to secure channels between
each pair of neighboring nodes. Note that responsibility is moved to the
underlaying key distribution scheme. Wormhole attack is supposed to be
defended by extern schemes like packet leashes [HPJ03]. SeRINS itself de-
fends routing against selective forwarding and advertising of bogus routing
20
information. Impact of selective forwarding is minimized using multiple

paths scheme, yet some impact remains. Problem of bogus routing infor-
mation is solved using detection and reaction mechanism called neighbor
report system. We consider this system very inspiring. It is the example of
leveraging the fact, that neighboring nodes can overhear the surrounding
communication. It can be denoted as intrusion detection system. However
it is strongly embedded in the routing scheme and cannot be applied alone
without massive changes.
3.3.4 A Clean-Slate Approach
Parno et al. [PLGP06] have decided to design a completely novel routing

protocol with security and efficiency as the main goals. Their protocol trade
on the combination of prevention, detection/recovery and resiliency. Fur-
thermore, it provides node-to-node routing scheme. Unlike the majority
of algorithms for sensor networks, this one exploits public key cryptog-
raphy. There is a single trusted authority NA and each node is preloaded
with its public key PN A and is able to verify the signature. Authors argue,
that verification of signature can be very efficient and performed even by a
node. Each node has also unique ID and a certificate (ID)SN A signed by the
trusted authority. Additionally the node has a one-way hash chain of chal-
lenge values C1 ...Ck . Node also possesses (C1||ID)SN A to be able to send
authenticate the challenges. Note, that these assumptions are strict indeed,
but can be satisfied off-line prior to the actual deployment of the nodes.
The algorithm assigns the unique network address to each node and
establishes the routing tables using recursive grouping. Recursive group-
ing algorithm is initiated by every node broadcasting its ID and certificate.
Neighboring nodes thus constructs a list of authenticated neighbors. Af-
ter this phase, no node can join the neighborhood. The grouping algorithm
itself starts with every node comprising its own group. Than the process
continues by recursive merging of the groups until the whole network com-
prises single group. During the grouping algorithm, hierarchical network
addresses are constructed and forwarding is based on the address prefixes.
After this procedure each node posses the routing table, that maps address
prefixes to the neighboring nodes. To make routing resilient, multiple rout-
ing entries can be maintained for routing into a subgroup. Thus node can
choose between multiple paths.
Besides the grouping algorithm, there are several additional techniques
to detect malicious behavior, eliminate malicious node and recover normal
state. Grouping Verification Tree (GVT) algorithm detects malicious behav-
21
ior during recursive grouping algorithm. It is based on Merkle hash tree

[Mer80], which provides authentication of leaves having authentic root,
and validation of the tree construction having authenticated leaves. GVT
exploits authenticated challenges Ck and prevents the malicious node from
joining the group or corrupting the grouping algorithm. GVT can be ex-
tended to verify the neighbor lists of the node or to verify the address of
a particular node. The routing protocol implements a distributed detection
algorithm [PPG05] for detection of a node claiming multiple identities, or
replaying the broadcasted packets in the first phase. A simple algorithm
(HoneyBee) is used to eliminate such nodes. Legitimate node, who has de-
tected the malicious one, sacrifices itself. It floods its own ID together with
the malicious node’s ID in an authenticated way. Both refereed nodes are
revoked.
The security of this algorithm is ensured by running authenticated neigh-
borhood discovery and by the GVT algorithm which detects possible tam-
pering. The recursive grouping algorithm runs deterministically and is pro-
tected by GVT, hence it prevents an intruder from altering the resulting
topology. The Sybil attack is prevented using unique node IDs and certifi-
cates signed by trusted authority. Multiple path variant is also fault tolerant
and robust. The algorithm itself cannot cope with wormhole. To overcome
this, authors suggest integrating one of the wormhole detection algorithms.
We consider the ”Clean-slate approach” as innovative due to the effi-

cient asymmetric cryptography usage. On the other hand, we are still not
fully convinced, that it is necessary to employ asymmetric cryptography.
Even though it is relatively efficient it still remains costly. Moreover, nodes
need to maintain routing tables, merge tables and challenge constants in
memory. This algorithm consumes much resources of the node. We rate this
as the biggest weakness of the algorithm. To be really secure, algorithm has
to integrate many additional mechanisms, this fact also degrades the usabil-
ity of the algorithm. Regarding benefits, this protocol is designed to route
between any pair of nodes, whereas the huge majority of routing schemes
relaxed to this traffic pattern. Therefore it predestines this technique to be
employed in specific applications where such pattern is needed.
22
Chapter 4
Introduction to Evolutionary Algorithms
In this thesis, we try to automatically generate attack strategies on routing

algorithms for WSNs. We have decided to employ evolutionary algorithms
for this purpose. Evolutionary algorithms are stochastic search algorithms
inspired by biologic evolution. In order to find the optimal solution, evolu-
tionary algorithms employ the basic mechanisms of evolution. They work
with a set of individuals (denoted as population), in which each individual
represents a possible solution. From these individuals, new ones are cre-
ated using operations of mutation, crossover and reproduction. The quality
of new individuals is evaluated by the fitness function. The new population
is then sieved by the natural selection, that is based on the fitness function.
The natural selection decides, which individuals will be reproduced (and
thus their capabilities and features will be used for further generations)
and which will be forgotten. This process is repeated until good enough
solution is found. Details on the evolutionary mechanisms follow.
4.1 Population of individuals and their representation
Most algorithms for solving optimization problems work with a single can-
didate solution at a time. Evolutionary algorithms work with a population
of candidate solutions instead. This enables parallel search for the solu-
tion and natural selection mechanism. The number of candidate solutions
in population has significant impact on the convergency towards optimal
solution and is typically set by an expert. Another key factor of the evo-
lution progress is the representation of the candidate solutions, which is
denoted as genome. In linear genetic programming [BNKF98], which is the
technique we use in this work, genome consists of a sequence of instruc-
tions. Another common structure of genome is a tree-based structure used
in genetic programming [Koz92].
23
4. I NTRODUCTION TO E VOLUTIONARY A LGORITHMS
4.2 Genetic operators
In order to work, evolution has to have mechanisms, that ensure replica-

tion of individuals and that introduce new abilities to them. The replica-
tion of individuals is provided by the replication operator, which simply
copies the individual, and by the crossover operator, that combines differ-
ent parts from two or more individuals into a single one. In specific settings,
crossover can supply the task of replication New properties are introduced
to an individual by the mutation operator. Mutation modifies the genome
of the individual by replacing some parts of the genome by newly gener-
ated ones.
4.3 Fitness function and selection operator
The crucial part of the evolution process is the natural selection. It decides
which individuals are replicated or modified and which are removed from
the population. In evolutionary algorithms, the selection is based on the
output of the fitness function.
The fitness function captures the relation between the candidate solu-
tion and the optimal solution for the problem in question. It expresses the
quality of the candidate solution with respect to the desired goal and pro-
vides feedback to the evolution.
The fitness function has to be graded with sufficient granularity to be
able to distinguish the quality of two similar individuals. If it is not, then
the search process can degrade down to a random search. For example, sup-
pose we have only binary fitness function, which outputs ’1’ if the solution
succeeds and ’0’ if not. Then, until the optimal solution is found, all candi-
date solutions have the same quality and hence the selection is completely
random. This results into the random search.
Fitness function must be also fast to compute. This condition is purely
practical, because in the evolution process, we have to be able to evaluate a
large number (103 − 106 ) of candidate solutions in a reasonable time.
The fitness function leads the evolution to the intended goal, thus we
set the subject of the search by the definition of the proper fitness function.
Note that some problems cannot be solved using evolutionary algorithms,
because we are not able to define the fitness function satisfying above prop-
erties, especially gradation.
24
Chapter 5
Automatic design of attack strategy
In this work, we examine the security of routing protocols for wireless sen-
sor networks. We aim to design an automatic method for generating attack
strategies on these protocols. Such method can help us reveal, understand
and countermeasure potential weaknesses.
There is a significant asymmetry between designing a secure system and
attacking such system. The designer of a system has to consider and prevent
all possible strategies, whereas the attacker needs to employ only one of
those strategies to be successful. This is analogous to an exhaustive search
through the whole search space versus a guided search through a part of
the search space. The exhaustive search is practically impossible in our case,
because the space of possible attack strategies is extremely large. Thus, we
have decided to employ guided search and try to find at least some attack
strategies. We are aware of the fact, that the chosen approach cannot prove
the security of a system, even in case no attack strategy is found. However,
it can help to secure the system by revealing its potential weaknesses.
5.1 Related work
So far, there have been several proposals for use of automatic attack genera-
tion. The automatic attacks were mainly used in relation with Intrusion De-
tection Systems (IDS). Automatic generation of attack graphs 2 using sym-
bolic model checking algorithms was proposed [SHJ+ 02]. Constructing of
attack graphs is crucial part of the vulnerability analysis of the network.
In [MGL+ 06], virtual network infrastructure is proposed, which is able
to generate testing data set. This set would be further used for evaluation
and testing of intrusion detection systems.
Polymorphic blending attacks (PBA) can be used to evade some payload-
based intrusion detection systems. The principal of PBA is to transform the
2. Attack graph is ”the data structure used to represent all possible attack on the network”.
[SHJ+ 02]
25
5. A UTOMATIC DESIGN OF ATTACK STRATEGY
attack packets into the form, that match the normal packet profile and thus
evade IDS. In [FL06], authors propose to use the hill climbing for automatic
generation of PBA instances, given the IDS and particular attack.
Combination of evolutionary algorithms and network simulator was
successfully used to produce also the defensive strategy. Secrecy amplifi-
cation protocol for WSN [SM07] was evolved. This protocol might signifi-
cantly increase resiliency of link keys against link compromise attack.
5.2 Basic concept
The basic concept for automatic design of attack strategies is a result of joint
work with my advisor Petr Švenda. It combines automatic attack strategy
generator with simulator or real system to generate and evaluate the large
number of potential attack strategies. In this thesis we use this concept to
automatically generate attack strategies on routing protocols.
The basic concept consists of the following five steps:
1. Execution of the X-th round of generator → attack strategy in a meta-

language.
2. Translation from the metalanguage into a domain language.
3. Strategy execution (either by a simulation or in a real system).
4. Evaluation of the fitness function (obtaining attack success value).
5. Proceed to the (X+1)-th round.
We have to seed the generator with a set of elementary rules before the
actual process of attack generation begins. These rules are basic building
blocks creating the attack strategy. This action is viewed as a step 0.
We will discuss all steps in detail. Since this work examines the secure
routing for WSNs, we use examples from this area.
5.2.1 Elementary rules

Prior to the actual generation process, we have to define elementary rules,
which act as building blocks for new attack strategies. To do so, we first
observe the attacked system and look for ways of influence that an attacker
could have on it. For example he can intercept, send or generate message.
These methods are then decomposed into elementary rules, such as inter-
cept message from node X, change parameter X of the message or generate
26
Translation
Attack strategy Attack strategy
in metalanguage in domain language
Attack strategy generator Simulator

- random search
- exhaustive search Real system
Elementary - educated guess
rules - guided search
Attack success Statistics

Fitness function
Ways of influence that an attacker can have on simulated/real system
Figure 5.1: Basic concept for automatic attack generation. Attack strategy
in metalanguage is generated from elementary rules. Strategy is translated
to the language of evaluation environment (simulator, real system). Dur-
ing evaluation of attack strategy statistics are collected. These statistics are
used for computation of fitness function, which qualify the success of the
strategy and provides guideline to the generator.
particular message. Granularity of these rules is a very important factor.

The more detailed the rules are, the bigger the possibilities of the genera-
tor. On the other hand, the larger the search space of attack strategies. We
divide the granularity into three levels. Note that these levels are not strict
and depends on the viewpoint. In one scenario we consider something as
a primitive attack, whereas in other scenario it is only an elementary rule
of high granularity and vice versa. Moreover, we can use both primitive
attacks and detailed elementary rules in a single scenario.
• Recombination of primitive attacks - if we take primitive known at-

tacks (sequences of elementary rules) as an elementary rules, we can
generate new attacks by recombination of these known attacks. This
can significantly speed up generation process, because known con-
27
structions need not to be generated from scratch. On the other hand,

novel primitive attacks cannot be generated. For example, elementary
rule can be replay message, delay message or drop message.
• Optimization of known attacks - we already have an attack strategy

(e.g., compromise node and extract its keys) and we want to optimize
its parameters (e.g., which nodes should be compromitted). In this
case, elementary rules represent the parameters.
• Novel attacks - if the elementary rules are detailed enough, generator

can combine them into a completely novel attack. These rules should
represent all the basic actions an attacker can do. For example, inter-
cept a message or even modify X-th bit of the message. In this work,
we will try to define high granularity rules and generate novel attacks.
5.2.2 Generation of attack strategy

Generator constructs the attack strategy from the elementary rules. One of
the following techniques can be used for construction.
• Random search - elementary rules are randomly combined into an at-

tack strategy. No information about previously generated attack strate-
gies is used in generation process.
• Exhaustive search - all possible combinations of elementary rules are

generated. This technique finds optimal attack strategy that can be
constructed from elementary rules. Exhaustive search is not conve-
nient for large search spaces, which is our case.
• Educated guess - an expert combines elementary rules into a possibly

successful attack strategy. Information about previously generated at-
tack strategies can be used to speed up the process.
• Guided search - new attack strategy is modification of the previously

generated attack strategy. Information about the quality of previous
attack strategy is available and is shape the new attack strategy. The
representatives of the guided search are for example hill climbing 3 or
evolutionary algorithms. We use evolutionary algorithms to generate
attack strategies in this work.
3. Hill climbing is an optimization algorithm. It starts with a random solution and gradu-
ally improves this solution by making small changes to it.
28
5.2.3 Translation
Elementary rules and resulting attack strategies are written in a metalan-
guage, which is suitable for the generator. On the other hand, in most cases
this language cannot be interpreted by a simulator or a real system. There-
fore we have to translate the attack strategy in order to execute it on the
simulator. Note that we can use multiple simulators or real systems, which
use different languages, and single generator. Thus the translation into mul-
tiple languages is necessary.
5.2.4 Strategy execution

Attack strategy is executed in the simulator or real system. The statistics
from the simulator or real system are used as an input of the fitness func-
tion, that evaluates the success of the attack strategy. For example, the statis-
tics can include average length of the message route or number of delivered
messages. The possibility of using real system for the evaluation of the at-
tack strategy can be very useful. No abstraction is used and the generated
attack strategies can exploit, for example, bugs in particular real system im-
plementation.
5.2.5 Fitness function evaluation

In our concept, the feedback about the attack strategy success is very im-
portant, especially if a form of the guided search is used for attack strategy
generation. This feedback is provided by the fitness function 4 , that evalu-
ates the quality of the attack strategy. Note that the fitness function deter-
mines the attacker’s goal. For example, if the goal is to decrease the net-
work lifetime, the fitness function can be defined as the inverse value of the
remaining energy. Thus having elementary rules, translation rules and sim-
ulator, we can generate attack strategies with different goals by switching
the fitness functions.
5.3 Concept realization via evolutionary algorithms
Now we demonstrate the practical use of the basic concept. Due to our fo-
cus, we aim to generate attack strategies on the routing protocols for wire-
4. Term fitness function is borrowed from the terminology of evolutionary algorithms. In

contrast to the original fitness function used in evolutionary algorithms our fitness func-
tion does not need to fulfill all its properties. Properties of the original fitness function are
discussed in section 4.3.
29
less sensor networks. The ultimate goal of our effort is to generate success-
ful attack strategy on a secure routing protocol, that would reveal the con-
ceptional weakness of the protocol. However we are aware of high com-
plexity and hardness of achieving such goal, so we first focus on an insecure
protocols with known weaknesses. The attack strategy generator should be
able to reveal these weaknesses and to generate appropriate attack strate-
gies. We have chosen two insecure routing protocols, Minimum cost for-
warding, described in section 5.4.1, and Implicit geographic forwarding,
presented in section 3.3.1. The first was chosen because it represents widely
used class of routing protocols, that construct a minimum spanning tree as
a routing structure. It also has several documented weaknesses which are
easy to find for a human expert. The second protocol is more robust and
incorporates a randomness into the routing process. However also this pro-
tocol contains weaknesses that can be turned into a successful attack. An-
other reason, why to choose IGF is, that it can be easily upgraded to one of
the security levels of SIGF. We could thus potentially analyze what impact
the attack strategy generated for IGF has on its secured version SIGF.
A particular instance of the basic concept is shown in the figure 5.2.
If we follow the basic steps of the concept, we first define the elementary
rules. These rules are strongly dependant on the attacker’s abilities. There-
fore, prior to the elementary rules definition we have revised the attacker
model in section 5.3.1. There are two kinds of elementary rules, triggers
and instructions. Details are presented in subsequent section. We employ
evolutionary algorithms as the attack strategy generator . We do not need
a translation step, because the simulator was designed to accept the output
of the generator. For routing simulation we have extended the Sensor Secu-
rity Simulator. The feedback is provided by one of four fitness functions we
have implemented. Each fitness function guides the evolution to a slightly
different attack strategy with a different goal. Details on implementation
and Sensor Security Simulator follow in subsequent sections.
5.3.1 Attacker model revised
To clarify the attacker’s capabilities, we have to define an attacker model.

We have revised and extended the Karlof’s attacker model described in sec-
tion 2.3.3 for this purpose.
We assume that our attacker is authorized to take part in the routing
process, thus to mount insider attacks. This state can be achieved by cap-
turing the legitimate node. However also outsider attacker can have abil-
ities similar to insider attacker in some conditions. This is caused by the
30
Translation
Attack strategy Attack strategy
in metalanguage in domain language
Attack strategy in domain language
Attack strategy generator Simulator

Elementary
rules - evolutionary algorithms - Sensor Security Simulator
- triggers and
instructions
Attack success Fitness function Statistics
- number of delivered messages

- length of path
...
Ways of influence that an attacker can have on simulated/real system
Figure 5.2: A particular instance of the basic concept. Evolutionary algo-

rithms are used as the attack strategy generator. Translation step is omitted,
because simulator accepts the generator’s output. Generated attack strat-
egy runs on Sensor Security Simulator. Statistics include total number of
generated messages, number of delivered messages and many others. One
of fitness functions evaluates the attack strategy success.
nature of wireless medium and the fact, that attacked protocols do not em-
ploy cryptographic mechanisms for ensuring confidentiality, authenticity
and integrity. Therefore if no link layer encryption is implemented, outsider
attacker can act as an insider in our case.
Our attacker falls into the category of mote-class attacker. Therefore,
we further divide this category into three subclasses for our purpose. Sin-
gle node attacker, Multiple nodes attacker with homogenous strategy and
Multiple nodes attacker with heterogenous strategy. Single node attacker
controls only one node. Thus only one instance of attack strategy is exe-
cuted at a time. Multiple nodes attacker with homogenous strategy con-
trols multiple nodes and each one of these nodes executes the same attack
strategy. Thus there are multiple similar attack strategies running at a time.
31
In the simplest case, this attacker is nothing more than multiple instances
of single node attacker. But attack strategy can leverage the knowledge that
there are several malicious nodes and implement some sort of cooperation
between them. Multiple nodes attacker with heterogenous strategy controls
multiple nodes. These nodes are divided into groups and each group acts
as a multiple nodes attacker with homogenous strategy. The advantage is,
that each group can run different attack strategy, and these attack strategies
can be designed to cooperate and support each other. So at the and we get
several cooperating attackers. For example, suppose there are 2 groups of
malicious nodes denoted as A and B. Then, attack strategy of group A can
redirect the traffic to the malicious nodes of group B, which ,according to
their attack strategy B, drop the packets.
In our practical work, we are not interested in laptop-class attacker.
Though, we can extend our attack strategy generator to generate attack
strategies for laptop-class attacker by defining additional elementary rules
(and thus giving the attacker more capabilities).
5.3.2 Evolutionary algorithms and genome structure

As we have stated, we apply evolutionary algorithms to generate attack
strategies. We have chosen an open source library GAlib5 for practical im-
plementation of evolution process. It is written in C++ and supports multi-
ple genome representations and genetic operators.
One of the key parameters of evolution is the representation of genome.
In our case, genome stands for an attack strategy. In linear genetic program-
ming, genom is usually represented as a sequence of instructions. This is
not totally suitable for our problem. We have thus extended this represen-
tation. Attack on routing is not typically represented as a sequence of steps
executed one by one, but rather steps triggered by various events. Therefore
we have decided to represent the strategy as a composition of substrategies.
These substrategies can be executed in an arbitrary order. The execution
of a substrategy is triggered by the event corresponding to the substrat-
egy. Hence the genome is a two-dimensional array, where each row repre-
sents the substrategy. Each substrategy begins with its trigger. The genome
structure is shown in figure 5.3 by the black color. The gray color demon-
strates the possible three-dimensional genome, which can represent the at-
tack strategy of the Multiple nodes attacker with heterogenous strategy.
Each two-dimensional layer acts as a strategy for one group of malicious
5. http://lancet.mit.edu/ga/ (May 2008)
32
Trig_1 INS INS ... INS

Trig_2
Trig_1 INS INS
INS INS
... ...
INS INS
...
...
Trig_x INS INS ... INS

...

Figure 5.3: Genome structure. The black color describes the single at-
tack strategy. Each row represents a substrategy. The first slot contains
trigger, subsequent slots contain sequence of instructions. The gray color
demonstrates the possible three dimensional genome representing the at-
tack strategies of Multiple nodes attacker with heterogenous strategy
nodes. Three-dimensional genom structure enables us to generate multiple

cooperating strategies.
Now we present the structure of triggers and instructions. Our model of
node contains several memory slots, which are used for temporal storage of
messages and identities of nodes. In order to address these memory slots,
instructions include one or more parameters. For example, the instruction
can be defined as INS SEND M P1, which mean: send message stored in
memory slot P1.
In addition to these parameters, we have incorporated the mechanism
of conditional execution of instructions and triggers. Each node contains
so called condition memory slots (cms). These slots contain numeric value,
which acts as a basis for condition. Instruction has thus two additional pa-
rameters, cms – addresses the conditional memory slot and cv – denotes the
condition value. If the condition value is lesser than the value in addressed
conditional memory slot, instruction is executed, otherwise not. If the cms
refers to the condition memory slot number 0, instruction is executed no
matter the condition value. Values in condition memory slots can be au-
tomatically decremented by node or manipulated by special instructions.
The same as for instructions holds for triggers. If the trigger is not executed,
33
whole corresponding substrategy is also skipped. We have designed condi-

tion mechanism, to enable complex dependencies between various events,
instructions and triggers.
Each node is also equipped with temporary memory, which is used for
handling incoming messages or messages loaded from memory slots.
As an elementary rules for generating the attack strategy on IGF, we
have define following triggers and instructions. We aimed to create high
granularity rules, which could lead to generation of completely novel at-
tack.
Triggers
The majority of triggers contain parameters cms and cv described above.
We briefly describe the event, which triggers the strategy execution.
• TRIG NOP – no operation trigger, the corresponding substrategy is
never executed
• TRIG TIME p1 – time trigger, the substrategy is repeatedly executed
each p1 time units (lets say milliseconds)
• TRIG DATA cms cv – data message not addressed to the malicious
node was overheard
• TRIG DATA ME cms cv – data message was delivered to the mali-
cious node
• TRIG ORTS cms cv – Open RTS was received
• TRIG CTS cms cv – CTS message not addressed to the malicious node
was overheard
• TRIG CTS ME cms cv – CTS message was delivered to the malicious
node
• TRIG ACK cms cv – acknowledgement not addressed to the mali-
cious node was overheard
• TRIG ACK ME cms cv – acknowledgement was delivered to the ma-
licious node
• TRIG COLLISION cms cv – collision on medium was detected
• TRIG RNG cms cv p1 – the substrategy is executed with probability
p1
34
Instructions
All the instructions, except no operation instruction, contain parameters of
condition mechanism cms and cv described above. Each instruction also
includes boolean switch, which determines, whether the instruction will be
executed or not. This switch enables to temporarily prune away the instruc-
tion and helps in pruning process (discussed in section 5.4).
• INS NOP - no operation
• INS DROP M cms cv p1 - drop message from memory slot p1
• INS SEND M cms cv p1 - send message from memory slot p1
• INS STORE M cms cv p1 - store message from temporary memory

into memory slot p1
• INS LOAD M cms cv p1 - load message from memory slot p1 into

the temporary memory.
• INS GENERATE M cms cv p1 p2 p3 - generate message, store this

message into memory slot p1, p2 denotes the type of the generated
message (ORTS,CTS,ACK,DATA), destination of the message is loaded
from memory slot p3
• INS SEND ORTS cms cv - send Open Request To Send
• INS SEND ACK cms cv p1 - send acknowledge, destination is loaded

from memory slot p1
• INS SEND CTS cms cv p1 - send CTS, destination is loaded from

memory slot p1
• INS GET N cms cv p1 p2 p3 - get the information from message

stored in memory slot p1, p2 denotes type of the information (ulti-
mate source, ultimate destination, transmitting node, receiving node),
store the information into memory slot p3
• INS FAKE N cms cv p1 p2 p3 - forge the information in message

stored in memory slot p1, p2 denotes type of the information (ulti-
mate source, ultimate destination, transmitting node, receiving node),
load the information from memory slot p3
• INS SET CMEM cms cv p1 p2 - set the value in condition memory

slot p1 to value p2
35
• INS ADD CMEM cms cv p1 p2 - add the value p2 to the value stored
in condition memory slot p1
• INS SUB CMEM cms cv p1 p2 - subtract the value p2 from the value
stored in condition memory slot p1
Our evolution process involves two genetic operators – crossover and

mutation. Crossover derives two new genomes (offsprings), from two ex-
isting ones (parents). We have implemented one point crossover. Both par-
ents are split in the same point. One offspring inherits the first part from
the one parent and second part from the other. Second offspring inherits
remaining parts. The point of splitting is chosen randomly, but have to
respect the boundaries of substrategies. Hence the point is between two
substrategies. We used the crossover with probability starting at 0 proba-
bility (no crossover) up to 0.5, which means massive crossover. Note that
crossover can substitute the reproduction operator, that we thus have not
implemented.
Mutation simply goes through the genome elements (triggers, instruc-
tions and all the parameters and switches) and each one randomly changes
with the probability of mutation. This probability is fixed for the whole
evolution process, we used both massive mutation (probability was 0.1),
and normal mutation (probability was 0.01). After the actual mutation, we
performed a validation step to validate the resulting genome. Unwanted
constructions can be removed from the genome in this phase. We are thus
able to ban some kind of attacks.
Regarding the population size, we have tried small population of 5 in-
dividuals as well as larger population of 20 individuals.
Natural selection was based on fitness function. One third of individuals
with the best fitness value became parents of the new generation.
5.3.3 Network simulator

Generated attack strategies are evaluated using wireless sensor network
simulator Sensor Security Simulator [SM07]. This simulator was developed
at FI MUNI for security analysis of the key distribution protocols for WSNs.
It supports evolutionary algorithms, GAlib package is included. We have
extended Sensor Security Simulator by implementation of advanced sup-
port of routing protocols containing time dimension of routing. We have
also implemented two routing protocols: Minimum Cost Forwarding (de-
tails in section 5.4.1) and Implicit Geographic Forwarding (details in sec-
tion 3.3.1). The implementation was designed to support the execution of
36
generated attack strategies. Furthermore it accepts the language of the at-

tack strategy generator, thus no translation of generated attack strategy is
needed.
One of the goals of the implementation was high performance of the
simulator, because we needed to evaluate large number of attack strategies
in reasonable time. Hence the simulator contains some level of abstraction,
for example, time of the message transmission between two nodes is con-
stant. However we believe that this abstraction should not have much im-
pact on our aims.
We have also considered the possibility of using existing simulator such
as NS-2 simulator [NS08]. But these simulators are mainly designed to max-
imally emulate real conditions and thus are significantly slower than our
simulator.
5.3.4 Fitness functions
In order to successfully use the evolutionary algorithms, it is necessary to

find an appropriate fitness function. We have implemented four different
fitness functions. Each represents slightly different attacker’s goal.
number of delivered messages fitness value is computed as a fraction of

all generated messages and messages delivered to the base stations.
This value reflects the ability of attacker to deny the service and dis-
rupt the message availability.
number of messages passing through malicious nodes fitness value equals

to the number of legitimate messages (not generated by attacker),
passed through the malicious nodes. Each message is counted only
once, although it may pass through many malicious nodes. The value
indicates the ability of attacker to attract the traffic and include itself
to the path of the data flow. Attacker controlling data flow may effec-
tively eavesdrop or perform selective forwarding.
length of the path average physical length of the path taken by legitimate
messages. Attacker may extend the length of the path, to increase the
latency and involve more nodes into routing process, thus bring in
the inefficiency and energy wastage.
length of the path in unique hops average path of the legitimate messages
counted in unique hops. The goals of this attacker are similar to the
goals of previous one. However previous fitness function could trade
37
on the loops in the routing scheme. Since such loops could be de-
tected, we have decided to implement fitness function, that does not
support creating loops. Another difference is, that this function re-
flects only length in hops, whereas the previous one include physical
length of the path no mater the hop count.
The design of the proper fitness function is often matter of intuition and
educated guess. At least in the initial phases of the design process. Some
fitness functions can turn out to be inconvenient after some time. Experi-
ence are very important and may lead to further improvement of the fitness
function. We have decided to implement our fitness functions, because we
felt they could express the attacker’s gradual progress.
5.4 Results
We have tried to generate attack strategies on two insecure routing proto-

cols, Minimum Cost Forwarding and Implicit Geographic Forwarding. The
granularity of the elementary rules corresponded to the level suitable for
generating novel attack strategies. Prior to the presentation of results, we
have to admit, that we have understood only a fraction of all generated
strategies and we were not able to fully analyze the results. It is extremely
hard in general to understand the outcome of the evolution algorithms.
We have implemented a pruning technique, which is common technique
that helps to analyze the results of evolution. It prunes out the instructions,
which have no impact on the fitness value. Our analyses are further based
on statistics from the simulator. We have also implemented simple graphi-
cal interface to display the deployment of the network.
We took into account two types of attacker: Single node attacker and
Multiple nodes attacker with homogenous strategy. However we were not
able to distinguish the fundamental differences in the resulting strategies
for both attackers. The impact of the discovered attacks was more or less
proportional to the number of malicious nodes involved in the attack. We
have not detected any interconnection between the actions of malicious
nodes (which unfortunately does not mean there are no such interconnec-
tions). Thus we will discuss the results without respect to the number of
malicious nodes.
38
5.4.1 Minimum Cost Forwarding
We first briefly describe the protocol and review its security weaknesses.
Minimum Cost Forwarding [YCLZ01] is a simple routing technique, which
indirectly constructs minimum spanning tree routing structure. The rout-
ing is based on cost fields (cost of the optimal path from node to the base
station) established by periodic broadcast of beacons. The process starts at
base station, which broadcasts its cost fields 0. Nodes in the range of the
broadcast set their cost field to the sum of their own cost (e.g. remaining
energy, latency, ...) and the broadcasted cost field. Then they broadcast their
own cost field. It is obvious each node receives multiple different cost fields.
The node only accepts such cost field, that is equal or lower then previous
one. In that case, the node modifies its cost field and starts a new broad-
cast. After some time, all nodes have their cost fields equal to the cost of the
optimal path to the base station.
When the node generates new message, it assigns a credit to that mes-
sage. The credit equals to the node’s cost field minus the cost of the node.
Message is then broadcasted to all neighboring nodes. One of these nodes
has the cost equal to the message credit. This node lies on the optimal path
and thus forwards the message. First, it modifies the credit of the message
and then rebroadcasts it.
The routing does not require IDs of the nodes for the routing purposes.
The path of the message is optimal with respect to the costs of the nodes.
Hence the routing structure forms a minimum spanning tree rooted at the
base station. The initial flooding can be reduced by forcing the nodes to
wait some time before rebroadcasting the beacon. They can obtain lower
cost during this time interval.
Karlof and Wagner [KW03] have analyzed the security of this protocol.
It is obvious, that attacker can claim itself to be a base station and attract all
traffic. Also HELLO flood attack is possible. The missing authentication is
critical in this case.
We suggest to use ARMS protocol for authentication of local broadcast.
This could prevent HELLO floods, because each node knows its neighbors
and messages are authenticated. It could also discourage the outsider at-
tacker. If a node is compromitted, it can easily advertise extremely low cost
path also in case that ARMS is implemented. However, such node could be
somehow detected by its neighbors and eliminated from the network. This
possibility can be subject of further research. Ideas of algorithm SeRINS and
its neighbor report system could be helpful.
39
Several basic attacks were discovered by our mechanism.
Forging beacons
The generated attack strategy exploited the fundamental weakness of the

algorithm. Attacker based on this strategy impersonated the base station
by sending the beacon packet with cost field equal to 0. We consider this
result as trivial, because one of the instructions was SEND BEACON with
parameter cost field. However attacker understood the need of broadcast-
ing the low cost field. This attack was extremely powerful and stopped
further evolution. New individuals were always getting back to this so-
lution. We thus decided to ban broadcasting cost field 0, but attacker kept
broadcasting as low cost field as possible. Finally we banned the instruc-
tion SEND BEACON completely. Attacker, who was not able to generate
fake beacons, came up with replay attack. After obtaining a beacon from
his neighbor, he immediately forwarded it without proper modification of
the cost field. Hence he was able to decrease its realcost field. In this case,
the impact on routing was not so dramatic.
Selective forwarding
Evolution also generated attack strategy capable of dropping messages pass-

ing through his malicious nodes. This can be classified as a selective for-
warding or blackhole attack. Attacker found out several techniques for drop-
ping messages. The basic one is using simple DROP MESSAGE instruction
from the set of elementary rules. But he was also able to find more compli-
cated mechanism for dropping messages. He first stored the message into a
memory slot, without its forwarding. Subsequently he overwrote the mem-
ory slot with another message. This approach is complicated and unneces-
sary indeed, but it demonstrates the capabilities of evolutionary algorithms
to come up with several procedures to achieve the same goal.
Dropping messages occurred in strategies, whose evolution used the fit-
ness functions based on number of delivered messages. This result was ex-
pected. However, it became also the basic principal of the strategies which
tried to extend the path of the messages. This holds for both fitness func-
tions including the length of path.
Attacker tried to maximize the average length of the path by dropping
messages which traveled only short distances. To evolve these attack strate-
gies, we have used three basic settings. First settings has fixed network
topology and the message flows. Thus the attacker is able to identify mes-
40
sages witch travel only short distances by trying to drop them. Fitness value
provides him with the feedback on how the average length has changed. In
the next generation, attacker can try to drop another message. The attacker
is thus learning the flows of data during the evolution. The ability of at-
tacker to adapt the strategy for the concrete topology and traffic pattern
can be classified as success. There can be applications with a priori known
and fixed data flows and topology. In such scenario, attacker can optimize
itself to achieve optimal results.
Another settings used random topology and data flow for each attack
strategy. This setting was not suitable for evolution. The fitness value achieved
by an individual was highly dependant on the topology generated. Hence
even poor individual was able to achieve good fitness value in the specific
run of simulator. This led to varying fitness values and elimination of good
individuals.
Last settings uses the set of multiple different topologies and data flows
for evaluation of a single attack strategy. We expected the downgrade of
the fitness value, because evolution could not optimize the strategy for spe-
cific pattern. This expectation was confirmed. However the evolution was
still able to find at least some strategy for dropping the messages which
improved its fitness value.
These results have confirmed the predominating opinion, that evolution
algorithms are primarily suitable for simple optimization problems. We see
the great potential in this. We should focus more on optimization-like prob-
lems in the future.
Attacks revealed by evolution has confirmed the weakness of IGF, which

is the missing authentication of messages and check of their integrity. Re-
play attack also drew the attention to the problem of message freshness.
Possible countermeasures were discussed above.
5.4.2 Implicit Geographic Forwarding
Evolution was also successful in generating attack strategies on IGF. Im-

plicit geographic forwarding is described in section 3.3.1. Elementary rules
used for evolution of attack strategies aiming IGF are presented in section
5.3.2.
41
incoming ORTS 1 TRIG_ORTS

1 2 STORE_M 1
temporary memory 3 LOAD_M 1
4 GET_N 1 0 1
ORTS ID
5 SEND_CTS 1
M 2
M message memory
temporary memory
3
ORTS ID 4
ID identity memory
5
CTS MY ID ID
5
sending immediate CTS
Figure 5.4: Rushing attack. The action is triggered by incoming Open RTS
message M. This message is stored into the message memory slot 1. Then,
M is loaded from the slot into temporary memory. Instruction GET N 1 0
1 extracts from the message in slot 1 the ID of the sender (0) and stores it
into identity memory slot 1. Last instruction sends the CTS message to the
ID from identity memory slot 1. We were not able to identify the purpose
of loading the message into the temporary memory.
Rushing attack
We have defined four different fitness functions. Each one stands for slightly
different attacker’s goal. However, all these goals have some sub-goals in
common. On of these sub-goal is to attract as much traffic as possible. There-
fore the evolution has developed the attack strategy, which mounts so called
rushing attack. This attack is one of the known attacks on IGF and its goal
is to attract the traffic flowing through the neighboring nodes. Malicious
node does not respect the CTS timer an immediately answer the Open RTS.
Thus sender choose him as the next hop. The generated strategy consists of
five substrategies. The pruned substrategy describing the rushing attack is
42
described in the figure 5.4. There are 4 instructions in the substrategy, how-
ever only 3 of them form rushing attack. The extra instruction is instruction
LOAD M, which loads the message into temporary memory. Unfortunately
we were not able to identify the purpose of this step. The message stored
in the temporary memory may be send by another substrategy or used to
overwrite the memory slot. We consider this attack as the a nice example of
evolution capabilities.
The problem of rushing attack is addressed and solved in SIGF. The
sender waits for multiple CTS messages and selects on of them. The se-
lection can be random or based on a reputation system.
MAC layer jamming
IGF is integrated in RTS/CTS handshake, thus elementary rules contain in-

structions such as SEND ORTS and SEND CTS, which enable the attack
strategy to control the medium access. Evolution exploited these instruc-
tions to cause collisions on the medium. Two or more packets have to be
send during the short time period (during one substrategy) to block the
medium for all neighboring nodes. This fact led to the DoS attack strategy,
which totaly crippled the neighborhood.
The probability that this attack occurs in the substrategy is very high
and the blocked medium can limit also the attacker not only his neigh-
bors. We have thus banned this kind of attack. In the new settings, attack
strategies could send just single message at a time. This was exploited to se-
lectively corrupt communication and thus to perform selective forwarding
(dropping). Attacker sent a message at the time another node was transmit-
ting. The impact was same as in the case of IGF and selective forwarding.
The evolution started to optimize the occurrence of collisions to achieve the
best fitness value. Same settings of topology as for IGF were tested and the
results were similar.
These attacks exploited the properties of physical layer. Majority of rout-
ing protocol designs neglects this kind of attacks and let the lower layers
solve it. However IGF and also SIGF are integrated into the RTS/CTS hand-
shake and cannot be build on a different MAC protocol. We consider this
as a weakness of both IGF and SIGF. No robust MAC protocol can be used
with them. However local jamming attacks decrease the performance of all
MAC protocols and therefore this weakness should not be taken as critical.
43
Neighborhood congestion
Also another attack strategy has turn out to be a DoS attack. Sensor nodes
have limited buffers for storing forwarded messages. Attack strategy re-
peatedly sending data in combination with blocked medium results into
the congestion of these buffers. Thus nodes are forced to drop subsequent
incoming messages. Overloading the system is typical DoS attack which is
usually protected using intrusion detection systems. Malicious node send-
ing extreme number of packets should be thus detected by IDS and elimi-
nated from the network.
5.4.3 Experience and future work
We have collected lot of experience during the work with evolutionary al-
gorithms. We see the greatest potential of their use in optimization prob-
lems. Thus in optimization of known attacks strategies rather than in gen-
eration of novel attacks. We also have encountered an ability of evolution-
ary algorithms to exploit the bugs in implementation. At the early phases of
our experiments, the strategies were sometimes achieving unusually high
fitness values. This was caused by unexpected constructions of strategies.
These strategies have exploited incomplete specification of routing protocol
and thus incomplete implementation or the fitness functions. The weird be-
havior of an attacker has also revealed bugs in code, which led to massive
memory leaks. Therefore we suggest using real system instead of simula-
tor. Evolution could find out bugs in particular implementation or in the
incomplete specification of the routing algorithm.
There is lot of space for future research in this area. We would like to
focus on development of tools for better analysis of generated strategies.
We have designed the architecture of a graphical module, which would
display the routing and attacker actions in time step by step. Implemen-
tation of this module is awaiting. Furthermore, we would like to design
more complex fitness functions combining several metrics. Redefinition of
elementary rules could also bring new results. There is also possibility to
implement and test another routing protocols.
We are aware of the evolution power in optimization. Therefore we will
try to formulate the task as an optimization problem in the future. It is chal-
lenging for us to find out such problems in the area of secure routing.
We are also considering to generate the attack strategies against particu-
lar defenses or detection mechanisms rather than routing protocols. Similar
approach as for IDS testing [FL06] could be beneficial. Attacker is trying to
44
modify the appearance of known attack strategy to bypass particular IDS.

Completely different idea is to automatically generate defensive strate-
gies. We know that it is unlikely to evolve universal defense strategy, how-
ever evolution could be useful in case of generating defensive strategy against
particular attack. Evolution was already successful in this task [SM07].
45
Chapter 6
Conclusion
In this thesis, we have examined the security in the wireless sensor net-
works with special emphasis on security of routing protocols. We have re-
viewed two mechanisms for authenticated broadcast (µTesla, ARMS) and
several secure routing protocols (SIGF, SDD, SeRINS, Clean Slate Approach).
We also have considered their weaknesses and strong points. The results
show, that these protocols are suitable for sensor networks and provide suf-
ficient level of security for most of the applications.
In the second half of the thesis, novel concept for automatic design of
attack strategies was described. This concept is a result of my joint work
with Petr Švenda. Usability of the concept was tested. New attack strategies
on routing protocols for wireless sensor networks were generated using
evolutionary algorithms. Several basic attacks were found. These attacks
demonstrate the possibilities and potential of evolutionary algorithms.
We have also extended the Sensor Security Simulator and implemented
two routing algorithms (Minimum cost forwarding, Implicit geographic
routing).
We take the results of this thesis as a solid basis for further research in
this field. Both, problematic of the secure routing in WSN and problematic
of the automatic attack design, require novel research directions.
46
Bibliography
[AKK04] J. N. Al-Karaki and A. E. Kamal. Routing techniques in wireless

sensor networks: a survey. IEEE Wireless Communications, vol.
11, issue 6, pages 6–28, 2004.
[ASSC02] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci.

Wireless sensor networks: a survey. Comput. Netw., vol. 38,
issue 4, pages 393–422, 2002.
[BHSS03] B. Blum, T. He, S. Son, and J. Stankovic. Igf: A state-free ro-

bust communication protocol for wireless sensor networks. In
Technical Report, CS-2003-11. Department of Computer Sci-
ence, University of Virginia, USA, 2003.
[BNKF98] W. Banzhaf, P. Nordin, R.E. Keller, and F.D. Francone. Genetic

Programming – An Introduction. Morgan Kaufmann Publish-
ers, San Francisco, CA, 1998.
[DHM02] J. Deng, R. Han, and S. Mishra. Insens: Intrusion-tolerant rout-

ing in wireless sensor networks. In Technical Report CU CS-
939-02. Department of Computer Science, University of Col-
orado, 2002.
[EG02] Laurent Eschenauer and Virgil D. Gligor. A key-management

scheme for distributed sensor networks. In CCS ’02: Proceed-
ings of the 9th ACM conference on Computer and communica-
tions security, pages 41–47, New York, NY, USA, 2002. ACM.
[FL06] Prahlad Fogla and Wenke Lee. Evading network anomaly de-
tection systems: formal reasoning and practical techniques. In
CCS ’06: Proceedings of the 13th ACM conference on Com-
puter and communications security, pages 59–68, New York,
NY, USA, 2006. ACM.
[HPJ03] Y. C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: a

defense against wormhole attacks in wireless networks. In
47
6. C ONCLUSION
INFOCOM 2003. Twenty-Second Annual Joint Conference of

the IEEE Computer and Communications Societies. IEEE, vol-
ume 3, pages 1976–1986, 2003.
[HSW+ 00] Jason Hill, Robert Szewczyk, Alec Woo, Seth Hollar, David E.
Culler, and Kristofer S. J. Pister. System architecture directions
for networked sensors. In Architectural Support for Program-
ming Languages and Operating Systems, pages 93–104, 2000.
[IEE99] Wireless LAN Medium Access Control (MAC) and Physical

Layer (PHY) Specifications. IEEE Standard 802.11, June 1999.
[IGE00] Chalermek Intanagonwiwat, Ramesh Govindan, and Deborah

Estrin. Directed diffusion: a scalable and robust communication
paradigm for sensor networks. In MobiCom ’00: Proceedings of
the 6th annual international conference on Mobile computing
and networking, pages 56–67, New York, NY, USA, 2000. ACM
Press.
[KLP03] Chris Karlof, Yaping Li, and Joseph Polastre. Arrive: Algorithm
for robust routing in volatile environments. Technical Report
UCB//CSD-03-1233, Berkeley, CA, March 2003.
[Koz92] John R. Koza. Genetic Programming: On the Programming of

Computers by Means of Natural Selection (Complex Adaptive
Systems). The MIT Press, December 1992.
[KSW04] Chris Karlof, Naveen Sastry, and David Wagner. Tinysec: a link
layer security architecture for wireless sensor networks. In Sen-
Sys ’04: Proceedings of the 2nd international conference on Em-
bedded networked sensor systems, pages 162–175, New York,
NY, USA, 2004. ACM Press.
[KW03] Chris Karlof and David Wagner. Secure routing in wireless sen-
sor networks: Attacks and countermeasures. Elsevier’s AdHoc
Networks Journal, Special Issue on Sensor Network Applica-
tions and Protocols, vol. 1, issue 2-3, pages 293–315, September
2003.
[Lam81] Leslie Lamport. Password authentication with insecure com-

munication. Communications of the ACM, vol. 24, issue 11,
pages 770–772, 1981.
48
6. C ONCLUSION
[LC06a] Suk-Bok Lee and Yoon-Hwa Choi. A secure alternate path rout-
ing in sensor networks. Computer Communications, vol. 30,
issue 1, pages 153–165, December 2006.
[LC06b] Suk-Bok Lee and Yoon-Hwa Choi. Secure Mobile Ad-hoc Net-
works and Sensors, volume Volume 4074/2006 of Lecture Notes
in Computer Science, chapter ARMS: An Authenticated Rout-
ing Message in Sensor Networks, pages 158–173. Springer
Berlin / Heidelberg, 2006.
[Mer80] Ralph C. Merkle. Protocols for public key cryptosystems. sp,

vol. 00, page 122, 1980.
[MGL+ 06] Frederic Massicotte, Francois Gagnon, Yvan Labiche, Lionel

Briand, and Mathieu Couture. Automatic evaluation of intru-
sion detection systems. In ACSAC ’06: Proceedings of the 22nd
Annual Computer Security Applications Conference on An-
nual Computer Security Applications Conference, pages 361–
370, Washington, DC, USA, 2006. IEEE Computer Society.
[NC07] Nidal Nasser and Yunfeng Chen. Secure multipath routing pro-
tocol for wireless sensor networks. In ICDCSW ’07: Proceedings
of the 27th International Conference on Distributed Computing
Systems Workshops, page 12, Washington, DC, USA, 2007. IEEE
Computer Society.
[NS78] Roger M. Needham and Michael D. Schroeder. Using encryp-

tion for authentication in large networks of computers. Com-
munications of the ACM, vol. 21, issue 12, pages 993–999, 1978.
[NS08] The Network Simulator NS-2. http://www.isi.edu/

nsnam/ns/, (May 2008).
[NSSP04] James Newsome, Elaine Shi, Dawn Song, and Adrian Per-
rig. The sybil attack in sensor networks: analysis & defenses.
In IPSN’04: Proceedings of the third international symposium
on Information processing in sensor networks, pages 259–268,
New York, NY, USA, 2004. ACM Press.
[PCST01] Adrian Perrig, Ran Canetti, Dawn Song, and Doug Tygar. Effi-
cient and secure source authentication for multicast. 2001.
49
6. C ONCLUSION
[PLGP06] Bryan Parno, Mark Luk, Evan Gaustad, and Adrian Perrig.
Secure sensor network routing: a clean-slate approach. In
CoNEXT, page 11, 2006.
[PPG05] Bryan Parno, Adrian Perrig, and Virgil Gligor. Distributed de-
tection of node replication attacks in sensor networks. In SP ’05:
Proceedings of the 2005 IEEE Symposium on Security and Pri-
vacy, pages 49–63, Washington, DC, USA, 2005. IEEE Computer
Society.
[PST+ 02] Adrian Perrig, Robert Szewczyk, J. D. Tygar, Victor Wen, and
David E. Culler. Spins: security protocols for sensor networks.
Wirel. Netw., vol. 8, issue 5, pages 521–534, 2002.
[SHJ+ 02] Oleg Sheyner, Joshua Haines, Somesh Jha, Richard Lippmann,
and Jeannette M. Wing. Automated generation and analysis of
attack graphs. In SP ’02: Proceedings of the 2002 IEEE Sympo-
sium on Security and Privacy, page 273, Washington, DC, USA,
2002. IEEE Computer Society.
[SM07] Petr Svenda and Vaclav Matyas. Key distribution and secrecy
amplification in wireless sensor networks. In Technical Report,
FIMU-RS-2007-05, Brno, ČR, 2007. Masaryk University.
[TM006] Tmote Sky: Datasheet. http://www.sentilla.com/pdf/

eol/tmote-sky-datasheet.pdf, 2006.
[WFSH06] Anthony D. Wood, Lei Fang, John A. Stankovic, and Tian He.
Sigf: a family of configurable, secure routing protocols for wire-
less sensor networks. In SASN ’06: Proceedings of the fourth
ACM workshop on Security of ad hoc and sensor networks,
pages 35–48, New York, NY, USA, 2006. ACM Press.
[WS02] Anthony D. Wood and John A. Stankovic. Denial of service in

sensor networks. IEEE Computer, vol. 35, issue 10, pages 54–62,
2002.
[WYC04] Xiaoyun Wang, Lizhen Yang, and Kefei Chen. Sdd: Secure di-
rected diffusion protocol for sensor networks. In Security in Ad-
hoc and Sensor Networks, volume 3313/2005 of Lecture Notes
in Computer Science, pages 205–214, First European Work-
shop, ESAS 2004, Heidelberg, Germany, August 2004. Springer
Berlin/Heidelberg.
50
6. C ONCLUSION
[YCLZ01] F. Ye, A. Chen, S. Liu, and L. Zhang. A scalable solution to mini-

mum cost forwarding in large sensor networks. In Proceedings
of Tenth International Conference on Computer Communica-
tions and Networks, pages 304 – 309, 2001.
[YM06] Jian Yin and Sanjay Madria. Secrout: A secure routing protocol
for sensor networks. In AINA ’06: Proceedings of the 20th In-
ternational Conference on Advanced Information Networking
and Applications - Volume 1 (AINA’06), pages 393–398, Wash-
ington, DC, USA, 2006. IEEE Computer Society.
[ZSJ03] Sencun Zhu, Sanjeev Setia, and Sushil Jajodia. Leap: efficient se-
curity mechanisms for large-scale distributed sensor networks.
In CCS ’03: Proceedings of the 10th ACM conference on Com-
puter and communications security, pages 62–72, New York,
NY, USA, 2003. ACM.
51
Appendix A
Example of generated attack strategy
Here is the example of generated attack strategy after pruning. It does not
use the conditional memory slots, hence the instructions do not contain
all parameters that are showed in section 5.3.2. All presented instructions
are necessary for achieving maximum fitness value. This strategy contains
rushing attack (substrategy triggered by TRIG ORTS). It also disturb send-
ing of selected messages by causing collisions on the medium (two mes-
sages are send in the single substrategy – e.g. two subsequent SEND ORTS
instructions in the last substrategy).
This example illustrates the hardness of the strategy analysis. We were
not able to completely interpret this strategy.
TRIG CTS
SEND ORTS
GENERATE M 1 2 1
LOAD M 1
STORE M 1
SEND M 1
GENERATE M 0 0 1
***
TRIG CTS ME
STORE M 0
LOAD M 0
SEND CTS 0
DROP M 1
SEND M 0
***
52
A. E XAMPLE OF GENERATED ATTACK STRATEGY
TRIG COLLISION
SEND ORTS
LOAD M 1
SEND ACK 0
DROP M 1
GENERATE M 0 1 0
GET N 0 2 1
***
TRIG ORTS
STORE M 1
LOAD M 1
GET N 1 0 1
SEND CTS 1
***
TRIG ACK
GET N 0 1 0
SEND ORTS
SEND ORTS
GENERATE M 1 2 0
53

2-Thesis-Secure Routing Protocols For

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2-Thesis-Secure Routing Protocols For

Uploaded by

Copyright:

Available Formats

}w

Secure Routing Protocols for

Bc. Jiřı́ Kůr

Brno, spring 2008

Hereby I declare, that this paper is my original authorial work, which I

Advisor: Mgr. Petr Švenda

I express my gratitude to Petr Švenda for introducing me into the prob-

In this thesis, we examine the security aspects of wireless sensor networks

Wireless Sensor Network, Routing, Security, Evolutionary Algorithms

Wireless sensor networks

Wireless Sensor Network is a heterogenous network composed of a large

There is a broad variety of applications for wireless sensor networks. These

cation or to detect the chemical or biological attacks. Sensor network can

2.2 Hardware characteristics

• 16-bit RISC processor, 8MHz clock frequency, 48KB flash memory,

• 1024KB of external flash memory to store data and code

• radio: RF frequency 2400 Mhz, bandwidth 250Kbps, with internal an-

• tinyOS operating systems

• lifetime > 1 year using sleep modes

• senors: temperature, humidity, light

Contrary to the nodes, base station is assumed to have laptop capabili-

2.3 Security in WSN

Majority of sensor network applications require strong security features.

2.3.1 Security goals

2.3.2 Key management

Poor sensor node’s capabilities prevent us from massive use of expensive

2.3.3 Attacker model

Secure Routing in WSNs

Routing techniques in wireless sensor networks are influenced by two fac-

To this category are included geographic routing algorithms like Geographic

3.1 Attacks on routing

Bogus routing information

Selective forwarding is a variant of the DoS attack. Malicious node forwards

HELLO flood attack

In some protocols, nodes announce themselves to the neighbors by broad-

Wormhole is a low-latency out-of-band channel used to connect two distant

Acknowledgement spoofing focus on the algorithms using link layer ac-

3.2 Towards secure routing

Insecurity of routing algorithms is usually caused by missing authentica-

us assume that we have public one-way function F , and random number r.

chain. In extended scheme, up to two messages can be lost without need

3.3 Secure routing protocols

3.3.1 Scure Implicit Geographic Forwarding

SIGF-0 is a simple extension of IGF. It allows us to configure several param-

SIGF is a good example of routing protocol, which can be qualified as

is detected, the system can be reconfigured as a reaction to the attack. We

3.3.2 Secure Directed Diffusion

Directed Diffusion is a very important data-centric routing protocol for

tion broadcasts interest for data, which is named by attribute-value pair.

Secure Directed Diffusion is secure variant of popular data-centric pro-

Secure alternate path Routing IN Sensor networks [LC06a] is a routing pro-

given assumptions, SeRINS seems to be resistant to all known attacks men-

information. Impact of selective forwarding is minimized using multiple

3.3.4 A Clean-Slate Approach

Parno et al. [PLGP06] have decided to design a completely novel routing

ior during recursive grouping algorithm. It is based on Merkle hash tree

We consider the ”Clean-slate approach” as innovative due to the effi-

Introduction to Evolutionary Algorithms

In this thesis, we try to automatically generate attack strategies on routing

4.1 Population of individuals and their representation

4.2 Genetic operators

In order to work, evolution has to have mechanisms, that ensure replica-

4.3 Fitness function and selection operator

}w