
Of the attacks listed previously, we have studied the ones most pertinent to WSNs deployed in an industrial control scenario. We give a brief description of each and of how we intend to tackle it.

Denial of Service attack: This is the most common choice of attack for disrupting control system operations. A Denial of Service (DoS) attack in a sensor network targets the resources (energy, bandwidth, processing) of a sensor node, making the node inactive after some time. It can be mounted both by an insider and by an outsider. Message rerouting, spoofing and jamming are some examples of DoS attacks. For a DoS attack, the probability that an attack is taking place is calculated from the packet arrival rates, the end-to-end delays and the communication delays. Anomalies in the transmission times caused by genuine system noise are also taken into account, so that noise is not mistaken for an attack. In this paper we consider the jamming attack; the wormhole attack, another form of DoS, is treated separately below. Our objective is to differentiate between the different types of attacks so that each can be addressed properly. One application-layer method of countering DoS is data aggregation in secure clusters. We intend to mitigate jamming by flagging the nodes at which packet drops and network delays are very frequent. Rerouting data through other sensors around such nodes, and passing control messages that specify which sensors may use the channel for data transmission, helps mitigate jamming. Another commonly used approach is the use of multiple frequency channels.

Wormhole attacks: In a wormhole attack the attacker captures packets at one point in the network and tunnels them over a private, low-latency link to a second point, where they are re-injected as if they had arrived over the normal route. A wormhole attack is difficult to detect when the packet delivery ratio is already low owing to packet drops caused by system noise: a genuine packet drop due to poor network conditions can be mistaken for a wormhole attack. Under high noise levels, we obtained the PDFs of the packet arrival rates for different network parameters at the start of the network deployment. These served as reference PDFs against which the packet arrival rates of the sensors were compared at run time. We examined the total packet delivery ratio from different sensors (aggregator nodes and forwarding nodes), which gave a better understanding of how long a sensor node had held a packet and where it had sent it. From these results we derived the probability of an intruder in the system; this probability feeds the overall probability of a standalone wormhole attack or a collaborative attack. In a WSN with static nodes, the usual solutions to wormhole attacks rely on multiple base stations, and rerouting traffic through other nodes is the most common of them. In a WNCS, however, rerouting is not as straightforward as it seems: it may affect the network schedule, and under collaborative attacks rerouting may only aid the attacker.
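The reference-PDF comparison used for the jamming and wormhole cases above, worked through as an added Python example; this is not the paper's code. One node's delivery ratio and end-to-end delay are profiled from clean baseline windows, run-time windows are scored against that profile, and a node is flagged as jammed (packets dropped and late) or as a wormhole suspect (packets arriving far faster than the radio path ever delivered them). The trace, the node name, the z-score thresholds, the "too fast" wormhole signature and the mapping from z-score to P(attack) are all assumptions chosen for illustration; the paper's Bayesian fusion and its hold-time/forwarding analysis are not reproduced.

```python
"""Added example, not the paper's code: per-node reference statistics learned
while the deployment is clean, then used to flag the two run-time signatures the
text discusses, jamming (packets dropped and delayed) and a wormhole shortcut
(packets arriving faster than the radio path ever delivered them). The trace,
the thresholds and the z-score to probability mapping are constructed
assumptions for illustration."""
import math
import statistics
from dataclasses import dataclass, field


@dataclass
class Window:
    """One observation window for one node, as seen at the sink/aggregator."""
    node: str
    sent: int                  # packets the node reports having transmitted
    received: int              # packets from it that reached the sink
    delays: list = field(default_factory=list)   # end-to-end delay (s) of each received packet


def fit_reference(baseline):
    """Gaussian reference (the text's 'reference PDFs') of delivery ratio and
    end-to-end delay per node, from windows recorded at deployment time."""
    per_node = {}
    for w in baseline:
        per_node.setdefault(w.node, []).append(w)
    ref = {}
    for node, ws in per_node.items():
        pdrs = [w.received / w.sent for w in ws]
        delays = [d for w in ws for d in w.delays]
        ref[node] = {
            "pdr_mu": statistics.mean(pdrs),
            "pdr_sd": max(statistics.pstdev(pdrs), 0.01),   # floor: a noiseless baseline must not make every deviation look huge
            "delay_mu": statistics.mean(delays),
            "delay_sd": max(statistics.pstdev(delays), 0.005),
        }
    return ref


def zscores(ref, w):
    """z_pdr > 0: fewer packets than usual arrive; z_delay > 0: they arrive later."""
    r = ref[w.node]
    pdr = w.received / w.sent if w.sent else 0.0
    # a window with no deliveries at all is scored as an extreme delay
    delay = statistics.mean(w.delays) if w.delays else r["delay_mu"] + 10 * r["delay_sd"]
    return (r["pdr_mu"] - pdr) / r["pdr_sd"], (delay - r["delay_mu"]) / r["delay_sd"]


def flag(ref, w, z_threshold=3.0):
    """Return (label, P(attack)); P = Phi(excess over the threshold), Phi the
    standard normal CDF: an assumed mapping in place of the paper's Bayesian fusion."""
    z_pdr, z_delay = zscores(ref, w)
    if z_pdr > z_threshold and z_delay > z_threshold:
        label, excess = "jamming", min(z_pdr, z_delay) - z_threshold
    elif z_delay < -z_threshold and z_pdr <= z_threshold:
        # deliveries are normal but far too fast for the multi-hop radio path:
        # assumed wormhole signature (the text additionally examines how long a
        # node held a packet and where it forwarded it)
        label, excess = "wormhole_suspect", -z_delay - z_threshold
    else:
        label, excess = "normal", max(z_pdr, abs(z_delay)) - z_threshold
    p_attack = 0.5 * (1.0 + math.erf(excess / math.sqrt(2.0)))
    return label, round(p_attack, 4)


def demo():
    """Constructed trace for one node: four clean baseline windows, then three run-time windows."""
    baseline = [Window("n7", 100, 96, [0.10, 0.11, 0.09, 0.10]),
                Window("n7", 100, 94, [0.12, 0.10, 0.11, 0.09]),
                Window("n7", 100, 95, [0.10, 0.10, 0.11, 0.12]),
                Window("n7", 100, 97, [0.09, 0.10, 0.11, 0.10])]
    ref = fit_reference(baseline)
    runtime = {"quiet":     Window("n7", 100, 96, [0.10, 0.11, 0.10]),
               "jammed":    Window("n7", 100, 40, [0.50, 0.60, 0.55]),
               "tunnelled": Window("n7", 100, 95, [0.02, 0.02, 0.03])}
    return {name: flag(ref, w) for name, w in runtime.items()}


if __name__ == "__main__":
    for name, (label, p) in demo().items():
        print(f"{name:10s} -> {label:16s} P(attack)={p}")
```

The floors on the standard deviations matter in practice: a short, quiet baseline yields near-zero variance, and without a floor every ordinary fluctuation would score as a multi-sigma event, which is exactly the "genuine noise mistaken for an attack" failure the text warns about. The flagged label is only the input to the rerouting or channel-assignment decision; in a WNCS that decision still has to respect the network schedule.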

Stealthy attacks: Deception attacks in a sensor network work by manipulating the data in transit, or by altering the data before it is sent, in a way that lets the corruption go undetected. Such attacks are difficult to detect, but the requirements for mounting them successfully are considerably higher. Both an outsider and an insider can perform them. Over time, the probability that the data is inconsistent is calculated and fed in as one of the conditional probabilities of the system. Stealthy attacks include replay attacks, injection attacks, bias-injection attacks and data deception attacks. Below, we describe the two kinds of attack implemented in this paper and our methods for detecting them.

a) Data Deception attack: The system state that we studied can be written as

$$\dot{x}(t) = Ax(t) + Bu(t), \qquad y(t) = Cx(t) + Du(t)$$

where $A \in \mathbb{R}^{n \times n}$ is the state matrix and $C \in \mathbb{R}^{k \times n}$ is the output matrix. Both $B \in \mathbb{R}^{n \times m}$ and $D \in \mathbb{R}^{k \times m}$ are attack matrices: $B$ maps the attack signal $u(t)$ onto the system input (the state equation) and $D$ maps it onto the measurement vector. For an observer,

$$\dot{z}(t) = Fz(t) + C_b u(t) + Ky(t), \qquad \hat{x}(t) = z(t) + Hy(t)$$

where $z$ is the observer state computed from the observed measurement, $\hat{x}$ is the new state estimate derived from it, $H$ is the observation matrix applied to the original observed value $y$, $F$ is the observer matrix and $C_b$ is the observed attack matrix acting on the corrupted input. For a global observer, we have

˙

where $a_t = (a_1, a_2, a_3, \dots, a_n)$ is the attack vector, $J$ is the observation matrix corresponding to the estimate $\hat{x}$, and $B_f$ must have full column rank. The corrupted estimate is calculated as

$$\dot{z}_k(t) = F_k z_k(t) + T_k B u(t) + K_k y(t), \qquad \hat{x}_k(t) = z_k(t) + H_k y(t)$$

The estimation error, which obeys $\dot{e} = Fe$ with $e = \hat{x} - x$, is used to detect the attack; it must stay within a tolerable bound. Note that part of this error arises from quantization, which in turn comes from the low sampling rates that WSNs use to conserve energy on the sensor node. $F$ governs the stability of the error dynamics, so that $e$ decays to zero over time in the absence of an attack. The measurement residual $\rho = z - H\hat{x}$, where $z$ is a function of the input $u$ and the actual measurement and $H$ is the observation matrix, expresses the deviation that is still acceptable for maintaining stability. Written in terms of the estimation error, the residual $\rho = H(\hat{x} - x)$ has to remain below a predetermined threshold set by Level 2 of the Information Fusion Architecture. This threshold is chosen for its effectiveness in detecting the attack: too small a threshold discards genuine data under relatively high noise, whereas too large a threshold lets faulty packets be accepted. Determining the threshold is therefore of utmost importance for detecting this attack. Our information fusion architecture selects a locally optimum threshold that best represents the system behaviour, i.e. one that attributes a deviation to either noise or an attack. When an attack is detected the threshold is updated and tightened to reduce the effect of this type of attack.

b) Replay attack: For a replay attack on the same system as in (13), we inject a signal unknown to the attacker at a random point during system operation, or at a chosen time. The signal is unknown in the sense that the attacker cannot determine how the system behaves under this input, and so cannot make the state estimates converge to the expected PDF. The abnormality this reveals in the system state is reflected in the control input sent to the actuator, according to the hypothesis selected, and the presence of the attacker is thereby detected. The measurement attack vector can be found from

$$Du(t) = y(t) - C\hat{x}(t) \qquad (13)$$

where $\hat{x}(t)$ is the state estimate reconstructed from the injected signal, evaluated at the time at which the user injects that signal into the system. If the value of $Du(t)$ is not within the accepted bounds, we confirm the presence of an attacker. In attacks where the attacker keeps the difference between the attack state estimate and the actual state estimate very small ($\hat{x} \approx x$), the attacker's presence may go undetected. In such instances, however, the attack itself causes no harm to the system's stability, and the attacker must vastly increase the attack scope (the number of nodes attacked) to create disruptions or steal resources. We did not investigate an effective solution for this case, since gaining access to a large pool of sensor nodes is in itself a challenging task even for an attacker. As in the case of data deception attacks, the data sampling is altered according to the control information sent to the sensors and actuators from Level 2.
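The residual check of eq. (13) for the data deception attack and the unknown-signal injection used against the replay attack, carried through together as an added Python example; this is not the paper's code. It uses a constructed discrete-time two-state plant with a Luenberger observer: the matrices A, B, C, D, the observer gain L, the measurement-noise level, the residual threshold and window, the two deception trajectories (an abrupt bias and a slow ramp) and the variance of the injected signal are all assumptions chosen for illustration. The paper's model is continuous-time with the attack entering through both B and D; here only the measurement channel D is attacked and the control input is kept separate.

```python
"""Added example, not the paper's code: residual-based detection of a data
deception (measurement bias) attack and unknown-signal (watermark) detection of
a replay attack on a constructed discrete-time plant. Every matrix, gain,
threshold and attack trajectory below is an assumption chosen for illustration."""
import random

# Constructed two-state plant x_{k+1} = A x_k + B u_k, measurement y_k = C x_k + D a_k,
# with a_k the measurement attack (cf. eq. (13): D a = y - C xhat once xhat ~ x).
A = ((0.9, 0.1), (0.0, 0.8))   # state matrix (eigenvalues 0.9, 0.8: stable)
B = (0.1, 0.2)                  # control-input vector
C = (1.0, 0.0)                  # the sink measures x1 only
D = 1.0                         # measurement-attack gain
L = (0.2, 0.1)                  # observer gain; A - L C has eigenvalue modulus ~0.75


def step_plant(x, u):
    """x_{k+1} = A x_k + B u_k (process noise omitted)."""
    return [A[0][0] * x[0] + A[0][1] * x[1] + B[0] * u,
            A[1][0] * x[0] + A[1][1] * x[1] + B[1] * u]


def step_observer(xhat, u, r):
    """Luenberger observer xhat_{k+1} = A xhat_k + B u_k + L r_k, r_k = y_k - C xhat_k."""
    return [A[0][0] * xhat[0] + A[0][1] * xhat[1] + B[0] * u + L[0] * r,
            A[1][0] * xhat[0] + A[1][1] * xhat[1] + B[1] * u + L[1] * r]


def simulate(steps, attack=None, replay=None, watermark_sigma=0.0,
             noise_sigma=0.002, threshold=0.08, window=10, warmup=30, seed=1):
    """Run plant + observer for `steps` samples and return (residuals, first_alarm).
    attack:  function k -> a_k, the measurement deception signal.
    replay:  (record_start, length, play_start): the attacker records y over
             [record_start, record_start+length) and substitutes it later.
    watermark_sigma: std-dev of the zero-mean signal the detector adds to u and
             that the attacker cannot predict (0 disables it).
    An alarm is raised when the RMS of the last `window` residuals exceeds
    `threshold`; it is evaluated only once the observer has converged."""
    rng = random.Random(seed)
    x, xhat = [1.0, 0.5], [0.0, 0.0]
    recorded, residuals, first_alarm = [], [], None
    for k in range(steps):
        u = 0.0                                              # plant held at its set point
        wm = rng.gauss(0.0, watermark_sigma) if watermark_sigma > 0 else 0.0
        y = C[0] * x[0] + C[1] * x[1] + rng.gauss(0.0, noise_sigma)
        if attack:
            y += D * attack(k)
        if replay:
            rec_start, length, play_start = replay
            if rec_start <= k < rec_start + length:
                recorded.append(y)
            if play_start <= k < play_start + length:
                y = recorded[k - play_start]                 # stale measurement replayed
        r = y - (C[0] * xhat[0] + C[1] * xhat[1])           # residual, eq. (13)
        residuals.append(r)
        if k >= warmup and first_alarm is None:
            tail = residuals[-window:]
            if (sum(v * v for v in tail) / len(tail)) ** 0.5 > threshold:
                first_alarm = k
        x = step_plant(x, u + wm)
        xhat = step_observer(xhat, u + wm, r)
    return residuals, first_alarm


def deception_jump(k, onset=150, bias=1.0):
    """Abrupt bias on the measurement: shows up in the residual at the onset step."""
    return bias if k >= onset else 0.0


def deception_ramp(k, onset=150, slope=0.002, cap=0.15):
    """Slow ramp that keeps xhat close to x: the stealthy case the text describes."""
    return min(slope * (k - onset), cap) if k >= onset else 0.0


def run_scenarios():
    """First alarm step per scenario (None = the attack went undetected)."""
    return {
        "jump": simulate(300, attack=deception_jump)[1],
        "ramp": simulate(300, attack=deception_ramp)[1],
        "replay_no_watermark": simulate(300, replay=(100, 50, 200))[1],
        "replay_watermark": simulate(300, replay=(100, 50, 200), watermark_sigma=2.0)[1],
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The four outcomes are the ones the text argues about. The abrupt bias trips the alarm at its onset step because the residual equals the bias before the observer has absorbed any of it; the slow ramp never trips it, since the observer tracks the corrupted measurement and the steady-state residual is only a fraction of the bias (for this plant $1 - C(I - (A - LC))^{-1}L \approx 0.29$ of it), which is precisely the "$\hat{x} \approx x$" case the text concedes is undetectable by the residual alone. The replayed measurements pass unnoticed when the plant is at rest, and are caught within a few steps once the injected signal drives the plant away from the replayed trajectory, because the observer is fed the injected input while the replayed $y$ does not respond to it. Raising `threshold` buys noise immunity at the cost of letting larger ramps through, which is the trade-off the Level 2 threshold selection has to make.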

Based on the parameters and the procedure described above, feature extraction is carried out repeatedly over several attack scenarios so as to obtain the most accurate representation of the WNCS. The extracted features are used in likelihood ratio tests on different test samples, from which the various attacks are profiled. These samples are obtained from the control system's operation under attack. Multiple hypotheses were generated, and the few with the highest likelihood ratio were chosen according to the behaviour of the system under the various attack scenarios. This profiling, and the generation and selection of hypotheses, is done offline, before the information fusion system is integrated into the sensor network.
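The offline profiling and likelihood-ratio selection described above, as an added Python example that is not the paper's code. Each hypothesis (no attack, jamming, wormhole, data deception) is profiled as a diagonal Gaussian over three features; a run-time window is assigned to the hypothesis with the highest likelihood only if it beats the no-attack hypothesis by a required likelihood ratio. The feature set (packet-drop rate, mean end-to-end delay, observer-residual RMS), the hand-written training rows, the diagonal-Gaussian model and the 10:1 ratio are all assumptions for illustration.

```python
"""Added example, not the paper's code: offline attack profiling and a
multi-hypothesis likelihood-ratio decision. Each hypothesis is modelled as a
diagonal Gaussian over three constructed features: packet-drop rate, mean
end-to-end delay (s) and observer-residual RMS. The training rows are
constructed by hand for illustration."""
import math

FEATURES = ("drop_rate", "e2e_delay", "residual_rms")

# Constructed labelled samples from "operation under attack" (one row per window).
TRAINING = {
    "normal":    [(0.03, 0.09, 0.002), (0.05, 0.11, 0.004), (0.04, 0.10, 0.003), (0.06, 0.12, 0.003)],
    "jamming":   [(0.50, 0.40, 0.003), (0.70, 0.70, 0.002), (0.60, 0.50, 0.004), (0.65, 0.60, 0.003)],
    "wormhole":  [(0.04, 0.02, 0.003), (0.07, 0.04, 0.002), (0.05, 0.03, 0.004), (0.06, 0.025, 0.003)],
    "deception": [(0.04, 0.10, 0.15), (0.06, 0.11, 0.30), (0.05, 0.10, 0.20), (0.05, 0.11, 0.25)],
}


def fit_profiles(samples, var_floor=1e-6):
    """Per-hypothesis mean and variance of each feature (the offline profiling step).
    The variance floor stops a feature that happened to be constant in the
    training rows from vetoing every run-time window."""
    profiles = {}
    for hyp, rows in samples.items():
        n = len(rows)
        mu = [sum(r[i] for r in rows) / n for i in range(len(FEATURES))]
        var = [max(sum((r[i] - mu[i]) ** 2 for r in rows) / n, var_floor)
               for i in range(len(FEATURES))]
        profiles[hyp] = (mu, var)
    return profiles


def log_likelihood(profile, x):
    """log p(x | hypothesis) for a diagonal Gaussian."""
    mu, var = profile
    return sum(-0.5 * math.log(2 * math.pi * v) - (xi - m) ** 2 / (2 * v)
               for xi, m, v in zip(x, mu, var))


def decide(profiles, x, null="normal", min_log_lr=math.log(10)):
    """Likelihood-ratio test of the best-scoring hypothesis against the no-attack
    hypothesis: it wins only if it beats `null` by the required ratio (10:1 here),
    otherwise the window is treated as normal. Returns (label, log-likelihood ratio)."""
    scores = {h: log_likelihood(p, x) for h, p in profiles.items()}
    best = max(scores, key=scores.get)
    log_lr = scores[best] - scores[null]
    return (best if log_lr >= min_log_lr else null), log_lr


def profile_windows(windows, samples=TRAINING):
    """Profile once offline, then decide for each run-time feature vector."""
    profiles = fit_profiles(samples)
    return [decide(profiles, x)[0] for x in windows]


if __name__ == "__main__":
    for x in [(0.04, 0.10, 0.003), (0.60, 0.50, 0.003), (0.05, 0.03, 0.003), (0.05, 0.10, 0.20)]:
        print(x, "->", profile_windows([x])[0])
```

The minimum ratio plays the role of the threshold discussed for the residual test: with it set at 1:1 every window is labelled with whichever attack profile happens to be nearest, and genuine noise is repeatedly reported as an attack; set too high, slowly varying attacks remain "normal". Real deployments would replace the hand-written rows with windows logged from the control system under each scenario and would re-fit the profiles whenever the network parameters change.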

Figure 1. Bayesian Network Model for feature extraction and decision process. [Figure not reproduced; its nodes are: Inconsistent Data, Packet Drops, Communication Delays, End to End delays, System Delays, Propagation Delay, Inter-Arrival time, Quantization errors, Sampling time, Attacker (Outsider), Attacker (Insider), DoS Attacks, Wormhole Attacks, Data Deception attacks, Replay Attacks, Feature Selection and Extraction, Dynamic Bayesian Network.]

D. INFERENCE ALGORITHM