MASARYK UNIVERSITY
FACULTY OF INFORMATICS
MASTER'S THESIS
Acknowledgement

Abstract

Keywords
Contents

1 Introduction
2 Wireless sensor networks
  2.1 Applications
  2.2 Hardware characteristics
  2.3 Security in WSN
    2.3.1 Security goals
    2.3.2 Key management
    2.3.3 Attacker model
3 Secure Routing in WSNs
  3.1 Attacks on routing
    Bogus routing information
    Selective forwarding
    Sinkhole attack
    HELLO flood attack
    Wormhole attack
    Acknowledgement spoofing
    Sybil attack
    Denial of Service
  3.2 Towards secure routing
    3.2.1 µTesla
    3.2.2 ARMS
  3.3 Secure routing protocols
    3.3.1 Secure Implicit Geographic Forwarding
      IGF
      SIGF-0
      SIGF-1
      SIGF-2
    3.3.2 Secure Directed Diffusion
    3.3.3 SeRINS
    3.3.4 A Clean-Slate Approach
4 Introduction to Evolutionary Algorithms
  4.1 Population of individuals and their representation
  4.2 Genetic operators
  4.3 Fitness function and selection operator
5 Automatic design of attack strategy
  5.1 Related work
  5.2 Basic concept
    5.2.1 Elementary rules
    5.2.2 Generation of attack strategy
    5.2.3 Translation
    5.2.4 Strategy execution
    5.2.5 Fitness function evaluation
  5.3 Concept realization via evolutionary algorithms
    5.3.1 Attacker model revised
    5.3.2 Evolutionary algorithms and genome structure
      Triggers
      Instructions
    5.3.3 Network simulator
    5.3.4 Fitness functions
  5.4 Results
    5.4.1 Minimum Cost Forwarding
      Forging beacons
      Selective forwarding
    5.4.2 Implicit Geographic Forwarding
      Rushing attack
      MAC layer jamming
      Neighborhood congestion
    5.4.3 Experience and future work
6 Conclusion
A Example of generated attack strategy
Chapter 1
Introduction
Sensor nodes are tiny, low-cost devices equipped with environmental sensors and a radio for wireless communication. Such nodes can form a network for monitoring physical phenomena, called a Wireless Sensor Network (WSN). A wireless sensor network consists of a large number ($10^2$ to $10^6$) of sensor nodes and one or a few more powerful devices acting as gateways. Wireless sensor networks can be used in a broad variety of applications, ranging from battlefield surveillance in the military, through remote patient monitoring in medicine, to forest fire detection in environmental applications. The majority of WSN applications require at least some level of security, and achieving that level requires secure and robust routing. However, routing protocols for WSNs were not designed with security requirements in mind. Karlof and Wagner [KW03] triggered a revolution in this field with a comprehensive study of the security of routing in wireless sensor networks. They showed that all the protocols of that time were prone to simple attacks. Since then, the security of routing has become a hot topic and several secure routing protocols have been proposed.

In this thesis, we review the issue of secure routing in wireless sensor networks. We first introduce the concept of wireless sensor networks and outline their security aspects. In Chapter 3, we examine selected secure routing protocols and evaluate their benefits and drawbacks. We also describe common attacks on routing protocols.

The second half of the thesis deals with the problem of automatic generation of attack strategies and presents our results. We introduce the concept of Evolutionary Algorithms (EA) in Chapter 4. In the next chapter, we present our concept for the automatic design of attack strategies and use it to discover attacks on routing algorithms. We summarize the results and outline future work in the conclusion.
Chapter 2
Wireless sensor networks

2.1 Applications

2.2 Hardware characteristics
Sensor nodes are small, low-cost, battery-powered devices, which makes the concept of WSNs quite challenging. There are two main constraints: the low processing power of the nodes and the capacity of their batteries.

The former constraint directly determines the algorithms we can use. For example, we cannot use asymmetric cryptography or maintain large routing tables. Since the priority in development is to minimize cost, size and power consumption, there is only a small chance of a significant improvement in computational power and memory in the near future.

The latter constraint influences the properties of the algorithms indirectly. Battery capacity is essential for the node's lifetime. Often it is impossible, or not intended to be possible, to change the batteries. The lifetime and usability of the network therefore depend on battery capacity and on the consumption of the nodes. Energy consumption is closely related to the algorithms implemented. For example, the biggest energy consumer is the radio transceiver, hence communication between nodes is very expensive in terms of a node's energy resources. Efficient algorithms must take this into account.

The batteries are the dominant part of the node in terms of size. The size of the node is thus directly proportional to the capacity of its batteries.

The parameters of a typical present-day sensor node, the TMote Sky [TM006], are:
• size: 65 x 32 x 7 mm (excluding battery pack)
Figure 2.1: TMote Sky sensor node. Figure taken from [TM006]
• 2x AA batteries
It also has much greater capabilities; suppose that it has laptop-class capabilities and an unlimited energy supply.
2.3.1 Security goals

The security goals in sensor networks are similar to those in traditional networks. We require confidentiality, integrity, authenticity, freshness, anonymity and availability of service.

Confidentiality, integrity and authentication are traditionally provided by end-to-end mechanisms in the higher layers of the ISO/OSI model, such as SSL/TLS or SSH. But sensor networks often require in-network processing of messages, such as data aggregation, in order to be efficient, and thus an end-to-end approach is not applicable. Therefore link-layer security architectures such as TinySec [KSW04] and mechanisms for securing node-to-node communication [PST+02] are of great interest in sensor networks.

Freshness, anonymity and availability of service should be provided by a secure routing protocol. There are several other security properties of an ideal secure routing protocol. For example, an attacker should not be able to abuse the routing algorithm to shorten the network's lifetime, nor to significantly slow down the traffic or increase latency. However, these properties are application specific and it is unlikely that a universal secure routing algorithm with all such properties can be designed.
2.3.2 Key management

• Single key shared among all nodes: a simple but weak scheme. Compromise of a single node compromises the whole network. This scheme is sometimes used for establishing keys between each pair of neighboring nodes. It assumes that the attacker needs some time to compromise a node; during this time the new keys are established and the globally shared key is erased.
• Every node shares a unique key with the base station: keys can be inserted into the nodes off-line, prior to their deployment. Compromise of a single node compromises only its own key. This is a frequent assumption of security protocols.
• Each pair of neighboring nodes shares a key: also a common assumption, frequently applied together with the previous scheme. It enables hop-by-hop encryption and in-network processing, and is therefore convenient for sensor networks. However, in most applications the keys cannot be preinstalled and must be distributed after deployment. Suppose we deploy the nodes by dropping them from a plane: we do not know in advance which nodes will be neighbors. The neighborhood is established during the deployment process and keys have to be distributed afterwards. This task is nontrivial and requires additional assumptions and a complex key distribution protocol [EG02, PST+02, ZSJ03].
2.3.3 Attacker model

Karlof and Wagner have proposed the following attacker model [KW03], suitable for sensor networks and routing. There are two types of attacker: the mote-class attacker and the laptop-class attacker. A mote-class attacker has one or a few nodes with capabilities similar to a legitimate node. A laptop-class attacker, on the other hand, has a powerful device with capabilities comparable to a laptop: it is not energy constrained and may have a more sensitive antenna and a more powerful radio. Another distinction can be made between insider and outsider attacks. Insider attacks involve legitimate participants of the network behaving maliciously, whereas outsider attacks are mounted by an outsider who is not part of the network. Note that an outsider can still eavesdrop on the communication easily, due to the broadcast nature of wireless communication.

The attacker can also be modeled with respect to the Needham-Schroeder model [NS78]. Needham and Schroeder assume that "an intruder can interpose a computer on all communication paths, and thus can alter or copy parts of messages, replay messages, or emit false material". This model was extended to the node-compromise model [EG02], which further assumes:
1) keys can be loaded into the nodes in a secure way before the nodes are deployed;
2) the attacker is able to compromise only a fraction of the nodes;
3) the attacker can extract all keys from a compromised node; and
4) the attacker is able to monitor only a fraction of the links during the short period after the deployment of the nodes.
This means that there is a kind of period of protection for nodes after deployment.
Chapter 3
Secure Routing in WSNs

3.1 Attacks on routing
Since the concept of sensor networks originates from wireless ad-hoc networks, many attacks on wireless ad-hoc networks can be adapted to sensor networks. The Sybil attack is one such example [NSSP04]. Karlof and Wagner [KW03] show other types of attacks and furthermore propose two novel attacks, HELLO floods and sinkholes. Denial of Service attacks on sensor networks are studied by Wood and Stankovic [WS02]. We present a brief summary of the major attack classes here.

Bogus routing information

The basic method of influencing routing is to change the routing information. An adversary spoofs, alters or replays routing information. By these methods he can create routing loops, increase latency, extend paths or attract traffic to a chosen node.
Selective forwarding
Sinkhole attack
The goal of the sinkhole attack is to attract as much traffic as possible to the malicious node. The principle of this attack is that the malicious node tries to look very attractive to the other nodes with respect to the routing algorithm. This can be achieved, for example, by spoofing the route advertisement or by providing a high-quality path to the base station using a wormhole. A sinkhole can then be used for selective forwarding, which is very efficient and easy in that case.
Wormhole attack
Acknowledgement spoofing
Sybil attack
In the Sybil attack, the attacker simulates multiple nodes and advertises multiple identities to the rest of the network. By this, he can cripple even robust multipath routing algorithms, because the bulk of the paths (even all of them) may pass through him. In geographic routing, the attacker's node can be virtually at several locations simultaneously and thus influence the routing algorithm. The Sybil attack in general is a serious threat not only to routing, but also to other algorithms such as voting or distributed storage.
Denial of Service
Denial of Service represents a more or less general class of attacks that can be mounted on several ISO/OSI layers of a wireless sensor network, including the network layer. Almost all of the above attacks, especially selective forwarding and HELLO floods, can result in a denial of service.
3.2 Towards secure routing

3.2.1 µTesla

In several routing protocols [HSW+00, YCLZ01, AKK04], the base station periodically broadcasts routing information or advertises itself as the base station. An attacker can forge such broadcast information if it is not properly authenticated. To achieve authenticated broadcast, asymmetric cryptography is traditionally used. However, this approach is not suitable for resource-constrained sensor networks. Therefore, µTesla [PST+02] was designed. It provides efficient authenticated broadcast based on symmetric cryptography. µTesla is a building block of the security architecture for sensor networks called SPINS (Security Protocols for Sensor Networks) [PST+02]. The other building block is SNEP, which is used to achieve confidentiality, integrity, authentication and freshness.

µTesla exploits the concept of the one-way hash chain. Because this concept is frequently used in secure routing protocols, we describe it in detail.
Figure 3.1: ARMS. The relation between packets. $i$ denotes the actual contents of the packet. $message$ represents the sequence $F(K_{n+1})\,|\,K_n\,|\,i$. Figure taken from [LC06b].
3.2.2 ARMS
µTesla aims to authenticate broadcast messages from the base station. Unfortunately, this scheme is not suitable for resource-constrained nodes, which are not able to maintain a long one-way hash chain. Moreover, nodes typically perform only so-called local broadcast, which means packets are broadcast only to their neighbors. Authentication of a local broadcast can be achieved efficiently using ARMS [LC06b] (An Authenticated Routing Message in Sensor Networks). The ARMS scheme assumes that each pair of neighboring nodes shares a secret key. This assumption is reasonable and can be met by several schemes [EG02, PST+02, ZSJ03]. Like µTesla, ARMS builds on the one-way hash chain principle. In contrast to µTesla, the chain is extremely short and is periodically renewed.

Prior to the actual broadcast, the sender generates a random key $K_1$. It then derives the short one-way key chain $F(K_1), K_1$ and sends the value $F(K_1)$ (the commitment) to all its neighbors using authenticated unicast. A broadcast packet then has the form $[F(K_2)\,|\,K_1\,|\,i\,|\,MAC(K_1, message)]$, where $F(K_2)$ is the new commitment, $i$ is the actual authenticated content, $message$ is $[F(K_2)\,|\,K_1\,|\,i]$, and $MAC(K, m)$ denotes the MAC of $m$ under key $K$. Since the receiver knows the previous commitment $F(K_1)$, it can immediately verify the authenticity of the key $K_1$ (by checking that $F(K_1)$ equals the stored commitment) and thus the authenticity and integrity of the whole packet. At the same time, the new commitment $F(K_2)$ is established. The relation between subsequent packets is shown in Figure 3.1.
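The ARMS exchange above, as an added example (not code from the thesis or from [LC06b]), with both the sender and a receiver. The text fixes the packet layout $[F(K_2)\,|\,K_1\,|\,i\,|\,MAC(K_1, message)]$ and the two receiver checks; the instantiation of $F$ as SHA-256 with a domain tag, the MAC as HMAC-SHA-256, 16-byte keys, the fixed field widths and the in-memory hand-over of $F(K_1)$ (standing in for the authenticated unicast) are assumptions made here. The demo runs the cases the text describes: a normal packet, a replay, a forgery with an unknown key, and a lost packet.

```python
"""ARMS-style authenticated local broadcast with a two-element one-way chain.

Assumed packet layout (not fixed by the text):
    F(K_next) (32 B) | K_cur (16 B) | content | MAC (32 B)
"""
import hashlib
import hmac
import os

COMMIT_LEN, KEY_LEN, TAG_LEN = 32, 16, 32


def F(key: bytes) -> bytes:
    """One-way function of the chain: commitment = F(key). Assumed: tagged SHA-256."""
    return hashlib.sha256(b"ARMS-chain|" + key).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()   # assumed: HMAC-SHA-256


def build_packet(next_commit: bytes, cur_key: bytes, content: bytes) -> bytes:
    """[F(K_{n+1}) | K_n | i | MAC(K_n, F(K_{n+1}) | K_n | i)]"""
    message = next_commit + cur_key + content
    return message + mac(cur_key, message)


class ArmsSender:
    def __init__(self):
        self.key = os.urandom(KEY_LEN)                # K_1

    def commitment(self) -> bytes:
        """F(K_1): handed to every neighbor by authenticated unicast."""
        return F(self.key)

    def broadcast(self, content: bytes) -> bytes:
        next_key = os.urandom(KEY_LEN)                # K_{n+1}: chain renewed per packet
        packet = build_packet(F(next_key), self.key, content)
        self.key = next_key
        return packet


class ArmsReceiver:
    def __init__(self, commitment: bytes):
        self.commitment = commitment                  # F(K_n) expected in the next packet

    def receive(self, packet: bytes):
        """Return the authenticated content, or None if the packet is rejected."""
        if len(packet) < COMMIT_LEN + KEY_LEN + TAG_LEN:
            return None
        next_commit = packet[:COMMIT_LEN]
        key = packet[COMMIT_LEN:COMMIT_LEN + KEY_LEN]
        message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # check 1: the disclosed key must be the pre-image of the stored commitment
        if not hmac.compare_digest(F(key), self.commitment):
            return None
        # check 2: the MAC under that key must cover the whole message
        if not hmac.compare_digest(mac(key, message), tag):
            return None
        self.commitment = next_commit                 # accept and advance the chain
        return message[COMMIT_LEN + KEY_LEN:]


def demo():
    """Run the cases discussed in the text; returns a dict of outcomes."""
    sender = ArmsSender()
    rx = ArmsReceiver(sender.commitment())
    late_rx = ArmsReceiver(sender.commitment())       # a neighbor that misses packet 1
    p1 = sender.broadcast(b"beacon 1")
    p2 = sender.broadcast(b"beacon 2")
    out = {"p1": rx.receive(p1)}
    out["replay_p1"] = rx.receive(p1)                 # chain already advanced past K_1
    forged = build_packet(F(os.urandom(KEY_LEN)), os.urandom(KEY_LEN), b"evil")
    out["forged"] = rx.receive(forged)                # unknown key: F(key) != commitment
    out["p2"] = rx.receive(p2)
    sender.broadcast(b"beacon 3")                     # lost on the air
    out["after_loss"] = rx.receive(sender.broadcast(b"beacon 4"))
    # K_1 is readable in p1, so anyone who heard p1 can re-MAC a different payload
    # for a neighbor that has not yet consumed K_1 (and plant its own commitment).
    k1 = p1[COMMIT_LEN:COMMIT_LEN + KEY_LEN]
    hijack = build_packet(F(os.urandom(KEY_LEN)), k1, b"evil")
    out["hijack_late_neighbor"] = late_rx.receive(hijack)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result!r}")
```

Two points the run makes concrete. First, the receiver accepts each disclosed key exactly once, so a replayed packet and a packet built under a key the receiver never committed to are both dropped, and a single lost packet desynchronizes the chain, which is why the text says the unicast phase must then be repeated. Second, because the MAC key travels inside the packet, a neighbor that missed the genuine packet (for example through a collision) has nothing but its stored commitment to go on and will accept a re-MACed payload built from the overheard key; this is a property of the construction as described, not something the thesis discusses.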
Note that if a single message is lost, the authenticated unicast phase has to be repeated. For this reason, the authors have extended the one-way
3.3 Secure routing protocols

Since Karlof and Wagner [KW03] drew attention to the problem of secure routing in sensor networks, several novel secure routing protocols have been proposed [DHM02, KLP03, LC06a, NC07, PLGP06, WFSH06, WYC04, YM06]. Some of them can be considered completely secure, but some prevent only selected types of attacks. We have also encountered a few protocols that were fairly secure, but rested on assumptions unsuitable for sensor networks. In this section we examine four secure routing protocols in more depth. We have selected protocols which we consider innovative, efficient and secure, and which come up with interesting ideas appropriate for further use.

3.3.1 Secure Implicit Geographic Forwarding

IGF
Implicit Geographic Forwarding (IGF) is a stateless hybrid routing/MAC protocol. The next hop is determined at transmission time, during the MAC-layer handshake; IGF is built on an RTS/CTS MAC protocol.¹ In IGF, each node is aware of its own location. The routing procedure starts when a sender broadcasts an Open Request To Send (Open RTS) carrying its position S and the destination position D. Nodes located within the 60° sextant centered on the line from S to D are considered candidate nodes. Each of these nodes sets its Clear To Send (CTS) response timer according to its distance from S, its remaining energy and its distance from the center of the sextant: the more suitable the node is for forwarding the message, the shorter the timer it sets. When the response timer expires, the node sends a CTS and the sender then sends it the data. Nodes hearing the CTS cancel their timers.

1. IGF originally extended the basic 802.11 DCF MAC protocol [IEE99].

The authors of SIGF have presented a security analysis of IGF [WFSH06]. IGF is robust and fault tolerant. It is safe against altering or spoofing routing information, because none is sent. Furthermore, neither HELLO floods nor wormhole attacks have much effect, since no routing tables are kept and routing is dynamic and independent of any routing information exchange. However, the Sybil attack, selective forwarding and DoS remain threats to IGF. In a Sybil attack, a single-node attacker can create multiple virtual nodes around the sending node and thus increase its chance of being chosen; this can result in selective forwarding or a black hole. A simple but very effective attack is the so-called rushing attack: a malicious node ignores the CTS response timer and sends its CTS immediately. On the other hand, such behavior is easy to detect. A DoS attack can be performed by replaying either an old ORTS message or an old CTS message. This confuses the neighboring or sending nodes, forcing them to restart their timers or to send the data into oblivion.
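The IGF next-hop election and the rushing attack above, as an added example (not code from the thesis or from [WFSH06]). The 60° sextant rule and the three timer inputs (distance from S, remaining energy, offset from the sextant's center line) are taken from the text; how those inputs are weighted into a CTS delay, the unit radio range, the node positions and the `suspicious_cts` check used to flag a rushed CTS are assumptions made here for illustration.

```python
"""IGF candidate election and the rushing attack (constructed neighborhood)."""
import math

RADIO_RANGE = 1.0                     # assumed: unit radio range
HALF_SEXTANT = math.radians(30)       # 60-degree sextant centered on S->D


def angle_off_line(s, d, n):
    """Absolute angle between the S->D direction and the S->n direction."""
    a = math.atan2(d[1] - s[1], d[0] - s[0]) - math.atan2(n[1] - s[1], n[0] - s[0])
    return abs((a + math.pi) % (2 * math.pi) - math.pi)


def candidates(s, d, nodes):
    """Nodes that answer an Open RTS: in radio range and inside the sextant."""
    out = []
    for nid, (x, y, _energy) in nodes.items():
        dist = math.hypot(x - s[0], y - s[1])
        if 0 < dist <= RADIO_RANGE and angle_off_line(s, d, (x, y)) <= HALF_SEXTANT:
            out.append(nid)
    return sorted(out)


def cts_delay(s, d, pos, energy):
    """Assumed timer: shorter for more progress toward D, more remaining energy
    and a smaller offset from the sextant center (each term lies in [0, 1])."""
    ux, uy = d[0] - s[0], d[1] - s[1]
    norm = math.hypot(ux, uy)
    progress = ((pos[0] - s[0]) * ux + (pos[1] - s[1]) * uy) / norm   # projection on S->D
    return (1 - progress / RADIO_RANGE) + angle_off_line(s, d, pos) / HALF_SEXTANT + (1 - energy)


def elect_next_hop(s, d, nodes, rushing=()):
    """The sender takes the first CTS it hears. A rushing node ignores its timer
    and answers at once; the other candidates cancel on hearing that CTS.
    Returns (winner, timers)."""
    timers = {}
    for nid in candidates(s, d, nodes):
        x, y, energy = nodes[nid]
        timers[nid] = 0.0 if nid in rushing else cts_delay(s, d, (x, y), energy)
    return min(timers, key=lambda nid: (timers[nid], nid)), timers


def suspicious_cts(s, d, claimed_pos, energy, observed_delay, tolerance=0.1):
    """Illustrative sender-side check (not part of IGF): a CTS that arrives clearly
    earlier than the delay implied by the claimed position and energy is flagged."""
    return observed_delay + tolerance < cts_delay(s, d, claimed_pos, energy)


# constructed neighborhood: id -> (x, y, remaining energy in [0, 1])
S, D = (0.0, 0.0), (10.0, 0.0)
NODES = {
    "A": (0.9, 0.05, 1.0),    # best honest forwarder: far along S->D, on the line
    "B": (0.5, 0.2, 0.8),
    "C": (0.4, 0.8, 1.0),     # in range but outside the sextant (about 63 degrees)
    "M": (0.3, -0.1, 1.0),    # attacker: poor position, wins only by rushing
}

if __name__ == "__main__":
    print("candidates:", candidates(S, D, NODES))
    winner, timers = elect_next_hop(S, D, NODES)
    print("honest election:", winner, {k: round(v, 3) for k, v in timers.items()})
    winner, timers = elect_next_hop(S, D, NODES, rushing={"M"})
    print("with rushing M :", winner)
    print("M's CTS suspicious:", suspicious_cts(S, D, NODES["M"][:2], NODES["M"][2], timers["M"]))
```

The honest election picks A, whose timer is the shortest; once M answers without waiting, the sender hears M's CTS first and hands it the data even though M is the worst-placed candidate, which is exactly the Sybil-free single-node attack the text calls simple but effective. The detection check compares the observed CTS time against what M's own claimed position would justify; SIGF-1's per-neighbor records of claimed location and forwarding delay are the kind of state such a check needs.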
SIGF-0

SIGF-1
This variant inherits all the properties of SIGF-0. Furthermore, it introduces an internal state of the node. This state is initialized and maintained by the node itself and brings no communication overhead. SIGF-1 works like SIGF-0, but the choice of the next hop is also based on a reputation value assigned to each neighbor. This value is derived from the state information stored and maintained by the node. The node keeps the number of sent messages T and several records for each neighbor node N: the number of messages sent to N; the number of messages actually forwarded by N (determined by overhearing the traffic of node N); the last claimed location of N; and the average delay of N when forwarding a message (again determined by overhearing). From these data the node derives the reputation value of node N. Candidates whose reputation value is below a threshold are dropped from the candidate list. This approach protects the algorithm against a Sybil attack. Note that all options of SIGF-0 still remain.
SIGF-2
SIGF-2 includes both previous variants and adds the use of cryptography to prevent the DoS attack. It also ensures confidentiality, authenticity, integrity and freshness of the communication between neighboring nodes. SIGF-2 requires neighboring nodes to share a secret key. In addition, a neighborhood key has to be established to enable authenticated broadcast of the Open RTS message.

The integrity and authenticity of messages are ensured by a Message Authentication Code using the shared key. Freshness is guaranteed by sequencing the messages: a counter is kept for each neighbor node. SIGF-2 offers payload encryption to keep data confidential and prevent eavesdropping. By using authentication and sequencing, the DoS attack is prevented, as old messages are discarded by the nodes. However, in the case of a compromised node, the attacker can still mount such an attack. It is optional in SIGF-2 which types of messages are protected by cryptographic mechanisms; this gives the user the ability to set an appropriate level of security.
3.3.2 Secure Directed Diffusion
insecure Directed Diffusion, because only the base station can send reinforcements.

The data sent in the second and fourth phases by the source node are also authenticated and their integrity is protected. In the low-rate data propagation phase, the source node $N$ floods
$$D = \big(\,H(DATA_1)\,|\,MAC(k_N^1, H(DATA_1))\,|\,(k_N^1)_{S_N}\,|\,N\,\big),$$
where $k_N^1$ is the first key of the one-way key chain generated by node $N$, and $(m)_{S_N}$ denotes the encryption of $m$ using the key $S_N$ shared between node $N$ and the base station. The base station decrypts the key $k_N^0$ and sends it, authenticated in the same way as in the first phase, to all nodes on the path. After this, the source node $N$ sends the data
$$(\,DATA_1\,|\,k_N^2\,|\,nonce_1\,|\,N\,|\,(nonce_1)_{S_N}\,),$$
where the fourth field $N$ is the list of nodes on the path and $nonce_1$ is used to ensure freshness. If node $E$ receives these data, it sends
$$(\,DATA_1\,|\,k_N^1\,|\,nonce_1\,|\,N, E\,|\,((nonce_1)_{S_N})_{S_E}\,).$$
The process continues until the base station receives the data. The base station can verify the authenticity and integrity of the data and also check the identity of the nodes on the path. Then the base station probabilistically selects one of the possible paths. In the last phase, data are sent from the source node $N$ in a similar authenticated way as the interests and reinforcements, but in the opposite direction. Sequence numbers are also contained in the data to ensure freshness.
3.3.3 SeRINS
Chapter 4
Introduction to Evolutionary Algorithms

4.1 Population of individuals and their representation

Most algorithms for solving optimization problems work with a single candidate solution at a time. Evolutionary algorithms instead work with a population of candidate solutions. This enables a parallel search for the solution and a natural selection mechanism. The number of candidate solutions in the population has a significant impact on the convergence towards the optimal solution and is typically set by an expert. Another key factor of the evolution process is the representation of the candidate solutions, which is called the genome. In linear genetic programming [BNKF98], the technique we use in this work, the genome consists of a sequence of instructions. Another common genome structure is the tree-based structure used in genetic programming [Koz92].
4.3 Fitness function and selection operator
The crucial part of the evolution process is natural selection. It decides which individuals are replicated or modified and which are removed from the population. In evolutionary algorithms, selection is based on the output of the fitness function.

The fitness function captures the relation between a candidate solution and the optimal solution of the problem in question. It expresses the quality of the candidate solution with respect to the desired goal and provides feedback to the evolution.

The fitness function has to be graded with sufficient granularity to be able to distinguish the quality of two similar individuals. If it is not, the search process can degrade into a random search. For example, suppose we have only a binary fitness function, which outputs 1 if the solution succeeds and 0 if not. Then, until the optimal solution is found, all candidate solutions have the same quality and hence the selection is completely random. The result is a random search.

The fitness function must also be fast to compute. This condition is purely practical: in the evolution process we have to be able to evaluate a large number ($10^3$ to $10^6$) of candidate solutions in a reasonable time.

The fitness function leads the evolution to the intended goal; thus we set the subject of the search by defining a proper fitness function. Note that some problems cannot be solved using evolutionary algorithms, because we are not able to define a fitness function satisfying the above properties, especially gradation.
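The gradation argument above, as an added example (not code from the thesis): the same evolutionary loop is run once with a graded fitness function and once with the binary one the text describes, and only the graded run finds the optimum within the budget. The 24-bit target standing in for "the optimal solution", the single-bit mutation operator, truncation selection with elitism, the population size, the generation budget and the seed are all assumptions made here.

```python
"""Graded vs. binary fitness in a minimal evolutionary search (constructed example)."""
import random

# constructed "optimal solution": the individual the evolution must discover
TARGET = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0]


def graded_fitness(ind):
    """Number of matching bits: two similar individuals get different scores."""
    return sum(a == b for a, b in zip(ind, TARGET))


def binary_fitness(ind):
    """1 only for the optimum, 0 otherwise: no guidance until it is found."""
    return 1 if ind == TARGET else 0


def mutate(ind, rng):
    """Genetic operator: flip one randomly chosen bit of a copy."""
    child = ind[:]
    child[rng.randrange(len(child))] ^= 1
    return child


def evolve(fitness, pop_size=30, generations=200, seed=7):
    """Return the generation at which TARGET appears, or None if the budget runs out.

    Selection is truncation with elitism: the best quarter survives unchanged and
    the rest of the next population are mutated copies of those survivors."""
    rng = random.Random(seed)
    pop = [[rng.randrange(2) for _ in TARGET] for _ in range(pop_size)]
    n_parents = pop_size // 4
    for gen in range(generations):
        rng.shuffle(pop)                      # equal scores are ordered at random ...
        pop.sort(key=fitness, reverse=True)   # ... so a flat fitness gives random selection
        if pop[0] == TARGET:
            return gen
        parents = pop[:n_parents]
        pop = parents + [mutate(rng.choice(parents), rng) for _ in range(pop_size - n_parents)]
    return None


if __name__ == "__main__":
    for name, fn in (("graded", graded_fitness), ("binary", binary_fitness)):
        print(f"{name:6s} fitness: optimum found at generation {evolve(fn)}")
```

With the graded function each generation keeps the individuals that are closest to the target, so the population climbs bit by bit; with the binary function every individual scores 0 until the target itself appears, the shuffle makes the "selection" arbitrary, and the loop is a random walk over $2^{24}$ strings that the budget of a few thousand evaluations does not cover.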
Chapter 5
Automatic design of attack strategy

In this work, we examine the security of routing protocols for wireless sensor networks. We aim to design an automatic method for generating attack strategies against these protocols. Such a method can help us reveal, understand and counter potential weaknesses.

There is a significant asymmetry between designing a secure system and attacking such a system. The designer of a system has to consider and prevent all possible strategies, whereas the attacker needs to employ only one of those strategies to be successful. This is analogous to an exhaustive search through the whole search space versus a guided search through a part of the search space. The exhaustive search is practically impossible in our case, because the space of possible attack strategies is extremely large. Thus, we have decided to employ guided search and try to find at least some attack strategies. We are aware that the chosen approach cannot prove the security of a system, even when no attack strategy is found. However, it can help to secure the system by revealing its potential weaknesses.
5.1 Related work

So far, there have been several proposals for the use of automatic attack generation. Automatic attacks have mainly been used in relation to Intrusion Detection Systems (IDS). Automatic generation of attack graphs² using symbolic model checking algorithms was proposed in [SHJ+02]. Constructing attack graphs is a crucial part of the vulnerability analysis of a network.

In [MGL+06], a virtual network infrastructure is proposed which is able to generate a testing data set. This set can be further used for the evaluation and testing of intrusion detection systems.

Polymorphic blending attacks (PBA) can be used to evade some payload-based intrusion detection systems. The principle of PBA is to transform the attack packets into a form that matches the normal packet profile and thus evades the IDS. In [FL06], the authors propose to use hill climbing³ for the automatic generation of PBA instances, given the IDS and a particular attack.

A combination of evolutionary algorithms and a network simulator has also been used successfully to produce a defensive strategy: a secrecy amplification protocol for WSNs [SM07] was evolved. This protocol can significantly increase the resilience of link keys against link compromise attacks.

2. An attack graph is "the data structure used to represent all possible attacks on the network" [SHJ+02].
5.2 Basic concept

The basic concept for the automatic design of attack strategies is the result of joint work with my advisor Petr Švenda. It combines an automatic attack strategy generator with a simulator or a real system to generate and evaluate a large number of potential attack strategies. In this thesis we use this concept to automatically generate attack strategies against routing protocols.

The basic concept consists of the following five steps:

We have to seed the generator with a set of elementary rules before the actual process of attack generation begins. These rules are the basic building blocks from which an attack strategy is created. This action is viewed as step 0.

We will discuss all steps in detail. Since this work examines secure routing for WSNs, we use examples from this area.
(Figure 5.1 diagram labels: Translation; Attack strategy in metalanguage; Attack strategy in domain language)
Figure 5.1: Basic concept for automatic attack generation. The attack strategy in the metalanguage is generated from elementary rules. The strategy is translated into the language of the evaluation environment (simulator, real system). During the evaluation of the attack strategy, statistics are collected. These statistics are used to compute the fitness function, which quantifies the success of the strategy and provides guidance to the generator.
3. Hill climbing is an optimization algorithm. It starts with a random solution and gradually improves it by making small changes.
5.2.3 Translation

Elementary rules and the resulting attack strategies are written in a metalanguage suitable for the generator. In most cases, however, this language cannot be interpreted by a simulator or a real system. Therefore we have to translate the attack strategy in order to execute it on the simulator. Note that we can use multiple simulators or real systems, which use different languages, with a single generator; translation into multiple languages is then necessary.
5.3 Concept realization via evolutionary algorithms

Now we demonstrate the practical use of the basic concept. Due to our focus, we aim to generate attack strategies against routing protocols for wireless sensor networks. The ultimate goal of our effort is to generate a successful attack strategy against a secure routing protocol that would reveal a conceptual weakness of the protocol. However, we are aware of the high complexity and difficulty of achieving such a goal, so we first focus on insecure protocols with known weaknesses. The attack strategy generator should be able to reveal these weaknesses and generate appropriate attack strategies. We have chosen two insecure routing protocols: Minimum Cost Forwarding, described in Section 5.4.1, and Implicit Geographic Forwarding, presented in Section 3.3.1. The first was chosen because it represents a widely used class of routing protocols that construct a minimum spanning tree as the routing structure. It also has several documented weaknesses which are easy to find for a human expert. The second protocol is more robust and incorporates randomness into the routing process. However, this protocol also contains weaknesses that can be turned into a successful attack. Another reason for choosing IGF is that it can easily be upgraded to one of the security levels of SIGF. We could thus potentially analyze what impact an attack strategy generated for IGF has on its secured version, SIGF.

A particular instance of the basic concept is shown in Figure 5.2. If we follow the basic steps of the concept, we first define the elementary rules. These rules are strongly dependent on the attacker's abilities. Therefore, prior to defining the elementary rules, we revise the attacker model in Section 5.3.1. There are two kinds of elementary rules, triggers and instructions; details are presented in the subsequent section. We employ evolutionary algorithms as the attack strategy generator. We do not need a translation step, because the simulator was designed to accept the output of the generator. For routing simulation we have extended the Sensor Security Simulator. The feedback is provided by one of the four fitness functions we have implemented. Each fitness function guides the evolution to a slightly different attack strategy with a different goal. Details on the implementation and the Sensor Security Simulator follow in the subsequent sections.
[Figure 5.2 residue: attack strategy in metalanguage, Translation, attack strategy in domain language (triggers and instructions).]
nature of the wireless medium and the fact that the attacked protocols do not employ cryptographic mechanisms for ensuring confidentiality, authenticity and integrity. Therefore, if no link layer encryption is implemented, an outsider attacker can act as an insider in our case.
Our attacker falls into the category of mote-class attacker. For our purpose, we further divide this category into three subclasses: Single node attacker, Multiple nodes attacker with homogeneous strategy and Multiple nodes attacker with heterogeneous strategy. A Single node attacker controls only one node. Thus only one instance of the attack strategy is executed at a time. A Multiple nodes attacker with homogeneous strategy controls multiple nodes and each one of these nodes executes the same attack strategy. Thus there are multiple similar attack strategies running at a time. In the simplest case, this attacker is nothing more than multiple instances of the single node attacker. But the attack strategy can leverage the knowledge that there are several malicious nodes and implement some sort of cooperation between them. A Multiple nodes attacker with heterogeneous strategy controls multiple nodes. These nodes are divided into groups and each group acts as a multiple nodes attacker with homogeneous strategy. The advantage is that each group can run a different attack strategy, and these attack strategies can be designed to cooperate and support each other. So in the end we get several cooperating attackers. For example, suppose there are 2 groups of malicious nodes denoted as A and B. Then the attack strategy of group A can redirect the traffic to the malicious nodes of group B, which, according to their attack strategy B, drop the packets.
In our practical work, we are not interested in the laptop-class attacker. However, we can extend our attack strategy generator to generate attack strategies for a laptop-class attacker by defining additional elementary rules (and thus giving the attacker more capabilities).
[Figure 5.3 residue: a grid of rows of the form Trig_2 INS INS ... INS.]
Figure 5.3: Genome structure. The black color describes a single attack strategy. Each row represents a substrategy. The first slot contains the trigger, subsequent slots contain a sequence of instructions. The gray color demonstrates the possible three-dimensional genome representing the attack strategies of a Multiple nodes attacker with heterogeneous strategy.
Triggers
The majority of triggers contain the parameters cms and cv described above. We briefly describe the event which triggers the strategy execution.
• TRIG NOP – no operation trigger, the corresponding substrategy is never executed
• TRIG TIME p1 – time trigger, the substrategy is repeatedly executed every p1 time units (let’s say milliseconds)
• TRIG DATA cms cv – a data message not addressed to the malicious node was overheard
• TRIG DATA ME cms cv – a data message was delivered to the malicious node
• TRIG ORTS cms cv – an Open RTS was received
• TRIG CTS cms cv – a CTS message not addressed to the malicious node was overheard
• TRIG CTS ME cms cv – a CTS message was delivered to the malicious node
• TRIG ACK cms cv – an acknowledgement not addressed to the malicious node was overheard
• TRIG ACK ME cms cv – an acknowledgement was delivered to the malicious node
• TRIG COLLISION cms cv – a collision on the medium was detected
• TRIG RNG cms cv p1 – the substrategy is executed with probability p1
Instructions
All the instructions, except the no operation instruction, contain the parameters of the condition mechanism, cms and cv, described above. Each instruction also includes a boolean switch which determines whether the instruction will be executed or not. This switch enables temporarily pruning away the instruction and helps in the pruning process (discussed in section 5.4).
• INS ADD CMEM cms cv p1 p2 – add the value p2 to the value stored in condition memory slot p1
• INS SUB CMEM cms cv p1 p2 – subtract the value p2 from the value stored in condition memory slot p1
length of the path – average physical length of the path taken by legitimate messages. The attacker may extend the length of the path to increase the latency and involve more nodes in the routing process, thus bringing in inefficiency and energy wastage.
length of the path in unique hops – average path length of the legitimate messages counted in unique hops. The goals of this attacker are similar to the goals of the previous one. However, the previous fitness function could trade on loops in the routing scheme. Since such loops could be detected, we have decided to implement a fitness function that does not favor creating loops. Another difference is that this function reflects only the length in hops, whereas the previous one includes the physical length of the path no matter the hop count.
The design of a proper fitness function is often a matter of intuition and educated guess, at least in the initial phases of the design process. Some fitness functions can turn out to be inconvenient after some time. Experience is very important and may lead to further improvement of the fitness function. We have decided to implement our fitness functions because we felt they could express the attacker’s gradual progress.
5.4 Results
We first briefly describe the protocol and review its security weaknesses. Minimum Cost Forwarding [YCLZ01] is a simple routing technique which indirectly constructs a minimum spanning tree routing structure. The routing is based on cost fields (the cost of the optimal path from the node to the base station) established by periodic broadcast of beacons. The process starts at the base station, which broadcasts its cost field of 0. Nodes in the range of the broadcast set their cost field to the sum of their own cost (e.g. remaining energy, latency, ...) and the broadcasted cost field. Then they broadcast their own cost field. Obviously, each node receives multiple different cost fields. The node only accepts a cost field that is equal to or lower than the previous one. In that case, the node modifies its cost field and starts a new broadcast. After some time, all nodes have their cost fields equal to the cost of the optimal path to the base station.
When a node generates a new message, it assigns a credit to that message. The credit equals the node’s cost field minus the cost of the node. The message is then broadcast to all neighboring nodes. One of these nodes has a cost field equal to the message credit. This node lies on the optimal path and thus forwards the message. First, it modifies the credit of the message and then rebroadcasts it.
The routing does not require IDs of the nodes for routing purposes. The path of the message is optimal with respect to the costs of the nodes. Hence the routing structure forms a minimum spanning tree rooted at the base station. The initial flooding can be reduced by forcing the nodes to wait some time before rebroadcasting the beacon. They can obtain a lower cost during this time interval.
Karlof and Wagner [KW03] have analyzed the security of this protocol. It is obvious that an attacker can claim to be a base station and attract all traffic. A HELLO flood attack is also possible. The missing authentication is critical in this case.
We suggest using the ARMS protocol for authentication of local broadcast. This could prevent HELLO floods, because each node knows its neighbors and messages are authenticated. It could also discourage the outsider attacker. If a node is compromised, it can easily advertise an extremely low cost path even when ARMS is implemented. However, such a node could be somehow detected by its neighbors and eliminated from the network. This possibility can be the subject of further research. Ideas of the algorithm SeRINS and its neighbor report system could be helpful.
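The cost-field setup and credit-based forwarding described above, together with the effect of a node announcing a cost field of 0 when beacons are not authenticated, as an added Python illustration (not the thesis’s Sensor Security Simulator). The seven-node topology, unit node costs, the attacker’s placement and the `keyed` set that stands in for ARMS-style authenticated local broadcast are all constructed assumptions.

```python
"""Toy Minimum Cost Forwarding (MCF) simulation, added for this page (not
the thesis's Sensor Security Simulator).  Topology, node costs, attacker
placement and the `keyed` neighbour set are constructed assumptions."""
from collections import deque

# Constructed 7-node topology; node 0 is the base station, all costs are 1.
NEIGHBORS = {0: [1, 2], 1: [0, 2, 3], 2: [0, 1, 4], 3: [1, 4, 5],
             4: [2, 3, 6], 5: [3, 6], 6: [4, 5]}
NODE_COST = {n: 1 for n in NEIGHBORS}
BASE = 0


def establish_cost_fields(neighbors, node_cost, base, forged=None, keyed=None):
    """Beacon flooding.  A node accepts a beacon only if its own cost plus
    the announced field is strictly lower than its current field (the page
    says 'equal or lower'; 'equal' is dropped so the flood terminates), then
    rebroadcasts.  forged: {node: announced value} for nodes that lie in
    their beacons.  keyed: if given, beacons are accepted only from senders
    in this set (stands in for ARMS-style authenticated local broadcast)."""
    forged = forged or {}
    field = {n: float("inf") for n in neighbors}
    field[base] = 0
    queue = deque([base] + list(forged))       # liars beacon on their own
    while queue:
        u = queue.popleft()
        if keyed is not None and u not in keyed:
            continue                            # beacon fails authentication
        announced = forged.get(u, field[u])
        for v in neighbors[u]:
            candidate = node_cost[v] + announced
            if candidate < field[v]:
                field[v] = candidate
                queue.append(v)
    return field


def route(src, field, neighbors, node_cost, base, forged=None):
    """Credit-based forwarding: credit = field - own cost; the neighbour
    whose (claimed) cost field equals the credit forwards the message.
    Returns the path taken; it ends at `base` only if delivery succeeded."""
    forged = forged or {}

    def claimed(n):
        return forged.get(n, field[n])

    path, node = [src], src
    credit = field[src] - node_cost[src]
    while node != base:
        candidates = [v for v in neighbors[node] if claimed(v) == credit]
        if not candidates:
            break                               # no node on the optimal path
        node = min(candidates)                  # deterministic tie-break
        path.append(node)
        credit -= node_cost[node]
    return path


def demo(src=6, attacker=5, keyed=None):
    """Route a message from `src` in an honest network and in one where
    `attacker` announces cost field 0; returns both paths.  With `keyed`
    set to the honest nodes the outsider's beacons are ignored; with the
    attacker included in `keyed` (a compromised node) the lie still works."""
    honest = route(src, establish_cost_fields(NEIGHBORS, NODE_COST, BASE),
                   NEIGHBORS, NODE_COST, BASE)
    lie = {attacker: 0}
    fields = establish_cost_fields(NEIGHBORS, NODE_COST, BASE, lie, keyed)
    attacked = route(src, fields, NEIGHBORS, NODE_COST, BASE, lie)
    return honest, attacked


if __name__ == "__main__":
    print("honest / no authentication:", demo())
    print("outsider vs keyed neighbours:", demo(keyed={0, 1, 2, 3, 4, 6}))
    print("compromised keyed node:", demo(keyed=set(NEIGHBORS)))
```

The second path in each pair ends at the lying node rather than at the base station whenever its beacon was accepted, which is the "attract all traffic" weakness Karlof and Wagner describe; the third case shows why authenticated broadcast alone does not help against a compromised node.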
Forging beacons
Selective forwarding
sages which travel only short distances by trying to drop them. The fitness value provides him with feedback on how the average length has changed. In the next generation, the attacker can try to drop another message. The attacker is thus learning the data flows during the evolution. The ability of the attacker to adapt the strategy to the concrete topology and traffic pattern can be classified as a success. There can be applications with a priori known and fixed data flows and topology. In such a scenario, the attacker can optimize itself to achieve optimal results.
Another setting used a random topology and data flow for each attack strategy. This setting was not suitable for evolution. The fitness value achieved by an individual was highly dependent on the generated topology. Hence even a poor individual was able to achieve a good fitness value in a specific run of the simulator. This led to varying fitness values and the elimination of good individuals.
The last setting uses a set of multiple different topologies and data flows for the evaluation of a single attack strategy. We expected a decrease in the fitness value, because the evolution could not optimize the strategy for a specific pattern. This expectation was confirmed. However, the evolution was still able to find at least some strategy for dropping the messages which improved its fitness value.
These results have confirmed the predominant opinion that evolutionary algorithms are primarily suitable for simple optimization problems. We see great potential in this. We should focus more on optimization-like problems in the future.
[Figure 5.4 residue: slots labelled message memory M, temporary memory, ORTS ID, identity memory ID, CTS MY ID ID, sending immediate CTS.]
Figure 5.4: Rushing attack. The action is triggered by an incoming Open RTS message M. This message is stored into message memory slot 1. Then M is loaded from the slot into temporary memory. Instruction GET N 1 0 1 extracts from the message in slot 1 the ID of the sender (0) and stores it into identity memory slot 1. The last instruction sends the CTS message to the ID from identity memory slot 1. We were not able to identify the purpose of loading the message into the temporary memory.
Rushing attack
We have defined four different fitness functions. Each one stands for a slightly different attacker’s goal. However, all these goals have some sub-goals in common. One of these sub-goals is to attract as much traffic as possible. Therefore the evolution has developed an attack strategy which mounts the so-called rushing attack. This attack is one of the known attacks on IGF and its goal is to attract the traffic flowing through the neighboring nodes. The malicious node does not respect the CTS timer and immediately answers the Open RTS. Thus the sender chooses it as the next hop. The generated strategy consists of five substrategies. The pruned substrategy describing the rushing attack is shown in figure 5.4. There are 4 instructions in the substrategy, however only 3 of them form the rushing attack. The extra instruction is LOAD M, which loads the message into temporary memory. Unfortunately, we were not able to identify the purpose of this step. The message stored in the temporary memory may be sent by another substrategy or used to overwrite the memory slot. We consider this attack a nice example of the capabilities of evolution.
The problem of the rushing attack is addressed and solved in SIGF. The sender waits for multiple CTS messages and selects one of them. The selection can be random or based on a reputation system.
Neighborhood congestion
Another attack strategy has also turned out to be a DoS attack. Sensor nodes have limited buffers for storing forwarded messages. An attack strategy repeatedly sending data in combination with a blocked medium results in congestion of these buffers. Thus nodes are forced to drop subsequent incoming messages. Overloading the system is a typical DoS attack which is usually defended against using intrusion detection systems. A malicious node sending an extreme number of packets should thus be detected by the IDS and eliminated from the network.
We have collected a lot of experience during our work with evolutionary algorithms. We see the greatest potential of their use in optimization problems, that is, in the optimization of known attack strategies rather than in the generation of novel attacks. We have also encountered the ability of evolutionary algorithms to exploit bugs in the implementation. In the early phases of our experiments, the strategies sometimes achieved unusually high fitness values. This was caused by unexpected constructions of strategies. These strategies exploited the incomplete specification of the routing protocol, and thus the incomplete implementation, or the fitness functions. The weird behavior of an attacker has also revealed bugs in the code which led to massive memory leaks. Therefore we suggest using a real system instead of a simulator. Evolution could find bugs in a particular implementation or in the incomplete specification of the routing algorithm.
There is a lot of space for future research in this area. We would like to focus on the development of tools for better analysis of generated strategies. We have designed the architecture of a graphical module which would display the routing and attacker actions in time, step by step. Implementation of this module is pending. Furthermore, we would like to design more complex fitness functions combining several metrics. Redefinition of the elementary rules could also bring new results. There is also the possibility to implement and test other routing protocols.
We are aware of the power of evolution in optimization. Therefore we will try to formulate the task as an optimization problem in the future. Finding such problems in the area of secure routing is a challenge for us.
We are also considering generating attack strategies against particular defenses or detection mechanisms rather than routing protocols. A similar approach as for IDS testing [FL06] could be beneficial. The attacker is trying to
Chapter 6
Conclusion
In this thesis, we have examined security in wireless sensor networks with special emphasis on the security of routing protocols. We have reviewed two mechanisms for authenticated broadcast (µTesla, ARMS) and several secure routing protocols (SIGF, SDD, SeRINS, Clean Slate Approach). We have also considered their weaknesses and strong points. The results show that these protocols are suitable for sensor networks and provide a sufficient level of security for most applications.
In the second half of the thesis, a novel concept for the automatic design of attack strategies was described. This concept is a result of my joint work with Petr Švenda. The usability of the concept was tested. New attack strategies on routing protocols for wireless sensor networks were generated using evolutionary algorithms. Several basic attacks were found. These attacks demonstrate the possibilities and potential of evolutionary algorithms. We have also extended the Sensor Security Simulator and implemented two routing algorithms (Minimum cost forwarding, Implicit geographic routing).
We take the results of this thesis as a solid basis for further research in this field. Both the problem of secure routing in WSNs and the problem of automatic attack design require novel research directions.
Bibliography
[FL06] Prahlad Fogla and Wenke Lee. Evading network anomaly detection systems: formal reasoning and practical techniques. In CCS ’06: Proceedings of the 13th ACM conference on Computer and communications security, pages 59–68, New York, NY, USA, 2006. ACM.
[HSW+00] Jason Hill, Robert Szewczyk, Alec Woo, Seth Hollar, David E. Culler, and Kristofer S. J. Pister. System architecture directions for networked sensors. In Architectural Support for Programming Languages and Operating Systems, pages 93–104, 2000.
[KLP03] Chris Karlof, Yaping Li, and Joseph Polastre. ARRIVE: Algorithm for robust routing in volatile environments. Technical Report UCB//CSD-03-1233, Berkeley, CA, March 2003.
[KSW04] Chris Karlof, Naveen Sastry, and David Wagner. TinySec: a link layer security architecture for wireless sensor networks. In SenSys ’04: Proceedings of the 2nd international conference on Embedded networked sensor systems, pages 162–175, New York, NY, USA, 2004. ACM Press.
[KW03] Chris Karlof and David Wagner. Secure routing in wireless sensor networks: Attacks and countermeasures. Elsevier’s Ad Hoc Networks Journal, Special Issue on Sensor Network Applications and Protocols, vol. 1, issue 2-3, pages 293–315, September 2003.
[LC06a] Suk-Bok Lee and Yoon-Hwa Choi. A secure alternate path routing in sensor networks. Computer Communications, vol. 30, issue 1, pages 153–165, December 2006.
[LC06b] Suk-Bok Lee and Yoon-Hwa Choi. ARMS: An Authenticated Routing Message in Sensor Networks. In Secure Mobile Ad-hoc Networks and Sensors, volume 4074/2006 of Lecture Notes in Computer Science, pages 158–173. Springer Berlin / Heidelberg, 2006.
[NC07] Nidal Nasser and Yunfeng Chen. Secure multipath routing protocol for wireless sensor networks. In ICDCSW ’07: Proceedings of the 27th International Conference on Distributed Computing Systems Workshops, page 12, Washington, DC, USA, 2007. IEEE Computer Society.
[NSSP04] James Newsome, Elaine Shi, Dawn Song, and Adrian Perrig. The sybil attack in sensor networks: analysis & defenses. In IPSN ’04: Proceedings of the third international symposium on Information processing in sensor networks, pages 259–268, New York, NY, USA, 2004. ACM Press.
[PCST01] Adrian Perrig, Ran Canetti, Dawn Song, and Doug Tygar. Efficient and secure source authentication for multicast. 2001.
[PLGP06] Bryan Parno, Mark Luk, Evan Gaustad, and Adrian Perrig. Secure sensor network routing: a clean-slate approach. In CoNEXT, page 11, 2006.
[PPG05] Bryan Parno, Adrian Perrig, and Virgil Gligor. Distributed detection of node replication attacks in sensor networks. In SP ’05: Proceedings of the 2005 IEEE Symposium on Security and Privacy, pages 49–63, Washington, DC, USA, 2005. IEEE Computer Society.
[PST+02] Adrian Perrig, Robert Szewczyk, J. D. Tygar, Victor Wen, and David E. Culler. SPINS: security protocols for sensor networks. Wirel. Netw., vol. 8, issue 5, pages 521–534, 2002.
[SHJ+02] Oleg Sheyner, Joshua Haines, Somesh Jha, Richard Lippmann, and Jeannette M. Wing. Automated generation and analysis of attack graphs. In SP ’02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, page 273, Washington, DC, USA, 2002. IEEE Computer Society.
[SM07] Petr Svenda and Vaclav Matyas. Key distribution and secrecy amplification in wireless sensor networks. Technical Report FIMU-RS-2007-05, Masaryk University, Brno, ČR, 2007.
[WFSH06] Anthony D. Wood, Lei Fang, John A. Stankovic, and Tian He. SIGF: a family of configurable, secure routing protocols for wireless sensor networks. In SASN ’06: Proceedings of the fourth ACM workshop on Security of ad hoc and sensor networks, pages 35–48, New York, NY, USA, 2006. ACM Press.
[WYC04] Xiaoyun Wang, Lizhen Yang, and Kefei Chen. SDD: Secure directed diffusion protocol for sensor networks. In Security in Ad-hoc and Sensor Networks, First European Workshop, ESAS 2004, Heidelberg, Germany, August 2004, volume 3313/2005 of Lecture Notes in Computer Science, pages 205–214. Springer Berlin/Heidelberg.
[YM06] Jian Yin and Sanjay Madria. SecRout: A secure routing protocol for sensor networks. In AINA ’06: Proceedings of the 20th International Conference on Advanced Information Networking and Applications - Volume 1 (AINA’06), pages 393–398, Washington, DC, USA, 2006. IEEE Computer Society.
[ZSJ03] Sencun Zhu, Sanjeev Setia, and Sushil Jajodia. LEAP: efficient security mechanisms for large-scale distributed sensor networks. In CCS ’03: Proceedings of the 10th ACM conference on Computer and communications security, pages 62–72, New York, NY, USA, 2003. ACM.
Appendix A: Example of generated attack strategy
Here is an example of a generated attack strategy after pruning. It does not use the conditional memory slots, hence the instructions do not contain all the parameters shown in section 5.3.2. All presented instructions are necessary for achieving the maximum fitness value. This strategy contains the rushing attack (the substrategy triggered by TRIG ORTS). It also disturbs the sending of selected messages by causing collisions on the medium (two messages are sent in a single substrategy, e.g. the two subsequent SEND ORTS instructions in the last substrategy).
This example illustrates the hardness of strategy analysis. We were not able to completely interpret this strategy.
TRIG CTS
SEND ORTS
GENERATE M 1 2 1
LOAD M 1
STORE M 1
SEND M 1
GENERATE M 0 0 1
***
TRIG CTS ME
STORE M 0
LOAD M 0
SEND CTS 0
DROP M 1
SEND M 0
***
TRIG COLLISION
SEND ORTS
LOAD M 1
SEND ACK 0
DROP M 1
GENERATE M 0 1 0
GET N 0 2 1
***
TRIG ORTS
STORE M 1
LOAD M 1
GET N 1 0 1
SEND CTS 1
***
TRIG ACK
GET N 0 1 0
SEND ORTS
SEND ORTS
GENERATE M 1 2 0