}w!"#$%&'()+,-./012345<ya

(1)

MASARYKUNIVERSITY FACULTY OFINFORMATICS

}w !"#$%&'()+,-./012345<yA|

Secure Routing Protocols for

Wireless Sensor Networks

MASTER’STHESIS

Bc. Jiˇr´ı K ˚ur

(2)

Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

(3)

Acknowledgement

I express my gratitude to Petr ˇSvenda for introducing me into the prob-lematic of evolutionary algorithms and for our fruitful discussions. I am grateful to my sister Hanka for the language corrections.

(4)

In this thesis, we examine the security aspects of wireless sensor networks with emphasis on security of routing. Several secure routing protocols are reviewed and their security is evaluated. In the second part of the thesis, concept for automatic attack generation and introduction to evolutionary algorithms are presented. Usability of the concept was verified using evo-lutionary algorithms. Several attacks on routing protocols were generated. The impact of generated attacks is discussed with respect to countermea-sures.

(5)

Keywords

(6)

1 Introduction . . . 1

2 Wireless sensor networks . . . 2

2.1 Applications . . . 2 2.2 Hardware characteristics . . . 3 2.3 Security in WSN . . . 4 2.3.1 Security goals . . . 5 2.3.2 Key management . . . 5 2.3.3 Attacker model . . . 6 3 Secure Routing in WSNs . . . 8 3.1 Attacks on routing . . . 9

Bogus routing information . . . 9

Selective forwarding . . . 9

Sinkhole attack . . . 9

HELLO flood attack . . . 10

Wormhole attack . . . 10

Acknowledgement spoofing . . . 10

Sybil attack . . . 10

Denial of Service . . . 11

3.2 Towards secure routing. . . 11

3.2.1 µTesla . . . 11

3.2.2 ARMS . . . 13

3.3 Secure routing protocols . . . 14

3.3.1 Scure Implicit Geographic Forwarding . . . 14

IGF . . . 14

SIGF-0 . . . 15

SIGF-1 . . . 16

SIGF-2 . . . 16

3.3.2 Secure Directed Diffusion . . . 17

3.3.3 SeRINS . . . 20

3.3.4 A Clean-Slate Approach . . . 21

4 Introduction to Evolutionary Algorithms . . . 23

(7)

4.2 Genetic operators . . . 24

4.3 Fitness function and selection operator . . . 24

5 Automatic design of attack strategy . . . 25

5.1 Related work. . . 25

5.2 Basic concept. . . 26

5.2.1 Elementary rules . . . 26

5.2.2 Generation of attack strategy . . . 28

5.2.3 Translation . . . 29

5.2.4 Strategy execution . . . 29

5.2.5 Fitness function evaluation . . . 29

5.3 Concept realization via evolutionary algorithms . . . 29

5.3.1 Attacker model revised . . . 30

5.3.2 Evolutionary algorithms and genome structure . . . 32

Triggers . . . 34

Instructions . . . 35

5.3.3 Network simulator . . . 36

5.3.4 Fitness functions . . . 37

5.4 Results . . . 38

5.4.1 Minimum Cost Forwarding . . . 39

Forging beacons . . . 40

Selective forwarding . . . 40

5.4.2 Implicit Geographic Forwarding . . . 41

Rushing attack . . . 42

MAC layer jamming . . . 43

Neighborhood congestion . . . 44

5.4.3 Experience and future work . . . 44

6 Conclusion. . . 46

(8)

Introduction

Sensor nodes are tiny, low-cost devices equipped with environment sensors and radio for wireless communication. These sensor nodes may constitute the network for monitoring physical phenomena. Such network is called Wireless Sensor Network (WSN). Wireless sensor network consists of high number(102−106)of sensor nodes and one or few powerful devices acting as gateways. Wireless sensor networks can be utilized in a broad variety of applications ranging from battlefield surveillance in military, through re-mote patient monitoring in medicine to forest fire detection in environmen-tal applications. Majority of WSN applications require at least some level of security. In order to achieve the needed level, secure and robust routing is necessary. However, routing protocols for WSN were not designed with security requirements in mind. Karlof and Wagner [KW03] triggered a rev-olution in this field by proposing a comprehensive study on the security of routing in wireless sensor networks. They showed that all the protocols were then prone to simple attacks. Since then, security of routing has be-come a hot topic and several secure routing protocols were proposed.

In this thesis, we aim to review the issue of secure routing in wireless sensor networks. We first introduce the concept of wireless sensor networks and outline their security aspects. In the second chapter, we examine se-lected secure routing protocols and evaluate their benefits and drawbacks. We also describe common attacks on routing protocols.

The second half of the thesis deals with the problem of the attack strate-gies’ automatic generation and presents our results. We introduce the con-cept of Evolutionary Algorithms (EA) in the chapter 4. In the next chapter, we present our concept for automatic design of attack strategies. We use this concept to discover attacks on routing algorithms. We summarize the results and outline the future work in the conclusion.

(9)

Chapter 2

Wireless sensor networks

Wireless Sensor Network is a heterogenous network composed of a large number of tiny low-cost devices, denoted as nodes, and few general-purpose computing devices referred to as base stations. The general purpose of wire-less sensor network is to monitor some physical phenomena (e.g., tem-perature, barometric pressure, light) inside the area of deployment. The basic units of WSN are nodes (sometimes called motes). These nodes are equipped with communication unit, mostly the radio transceiver, process-ing unit, battery and sensors. Due to the size and expected costs of the nodes, they are constrained in processing power and energy. The number of nodes deployed in WSN can vary from tens to tens of thousands depend-ing on the particular application. Nodes can be deployed, for example, by precise placing one by one into predefined positions or by dropping from the plane. Their positions can be static or mobile. Networks with nodes in static positions are more common. Nodes have to be autonomous and the network itself has to be self organizing. They are also prone to failures, thus the topology of the network changes very often. Beside resource lim-ited nodes, the wireless sensor network includes one or more base stations (sometimes called sinks). These base stations have more resources and ca-pabilities than the nodes. Assume base stations might have laptop capabili-ties. They act as gateways between the sensor network and other networks, e.g. Internet. They can also somehow coordinate the nodes. In most com-mon application scheme, the nodes collect measured data and send them to the base stations, which forward them to the consumer.

2.1 Applications

There is a broad variety of applications for wireless sensor networks. These applications can be divided into five categories [ASSC02]: military, envi-ronmental, health, home and other commercial applications. In military, the wireless sensor networks can be used for battlefield surveillance, sniper

(10)

lo-cation or to detect the chemical or biological attacks. Sensor network can also be greatly beneficial for the environment. For example, it can detect forest fires or help researchers to monitor animal habits. Important applica-tion area is medical environment, where nodes can collect patient’s physio-logical data. In commerce, wireless sensor networks can be deployed in car tracking systems or used for securing buildings, temperature regulation in offices, etc.

2.2 Hardware characteristics

Sensor nodes are small, low-cost and battery supplied devices. Therefore the concept of WSNs is quite challenging. There are two main constraints, the low processing power of the nodes and the capacity of their batteries.

The former constraint directly determines the algorithms we can use. For example, we cannot use asymmetric cryptography or maintain large routing tables. Since the priority in the development is to minimize cost, size and power consumption, there is only a small chance of a significant improvement of computational power and memory in the near future.

The later constraint influences the properties of used algorithms indi-rectly. Capacity of the batteries is essential for the node’s lifetime. Often it is impossible or not intended to be possible to change batteries. Therefore the lifetime and usability of the network depends on their capacity and on the consumption of the nodes. Energy consumption is closely related to the algorithms implemented. For example, the biggest energy consumer is ra-dio transceiver, hence the communication between nodes is very expensive in terms of node’s energy resources. Efficient algorithms must take this into an account.

The batteries are dominating part of the node in terms of size. The size of the node is thus directly proportional to a capacity of its batteries.

Here are the parameters of typical today sensor node, TMote Sky [TM006]: • size: 65 x 32 x 7 (mm, excluding battery pack)

• 16-bit RISC processor, 8MHz clock frequency, 48KB flash memory, 10KB RAM

• 1024KB of external flash memory to store data and code

• radio: RF frequency 2400 Mhz, bandwidth 250Kbps, with internal an-tenna outdoor range reaches 125m, indoor range up to 50m

(11)

2. WIRELESS SENSOR NETWORKS

Figure 2.1: TMote Sky sensor node. Figure taken from [TM006] • 2xAA battery

• lifetime>1 year using sleep modes • senors: temperature, humidity, light

Contrary to the nodes, base station is assumed to have laptop capabili-ties and unlimited energy resources. More on wireless sensor network prin-cipals can be found in [ASSC02].

2.3 Security in WSN

Majority of sensor network applications require strong security features. This requirement is obvious in case of military applications or applications working with sensitive personal data, like health or home applications. However security is a very demanded property also in commercial appli-cations, where information means a competitive advantage and all assets have to be protected. Also environmental applications need some level of security, at least in terms of robustness against accidental errors and van-dalism.

Nodes have two properties, which have critical impact on the security of WSNs, and which both are caused by the small size and low costs of the nodes. First, the nodes are not considered tamper resistant. Attacker with physical access to the node can extract the keys and other sensitive data from the node relatively easily. Attacker can then also turn the node into a malicious one by uploading malicious firmware into it. Second, the node is limited in resources, consequently only some security mechanisms can be applied.

(12)

It also has much greater capabilities, suppose it may have lap-top capabili-ties and unlimited energy supply.

2.3.1 Security goals

The security goals in sensor networks are similar to those in traditional net-works. We require confidentiality, integrity, authenticity, freshness, anonymity and availability of service.

Confidentiality, integrity and authentication are traditionally provided by an end-to-end mechanisms on high layers of ISO/OSI model, like SSL/TLS or SSH. But sensor networks often require in-network processing of the messages, like data aggregation, to be efficient and thus end-to-end ap-proach is not in use. Therefore link-layer security architectures such as Tiny-Sec [KSW04] and mechanisms for securing node-to-node communication [PST+_{02] are of a great interest in sensor networks.}

Freshness, anonymity and availability of service should be provided by a secure routing protocol. There are several other security features of the ideal secure routing protocol. For example an attacker should not be able to abuse the routing algorithm to shorten the network’s lifetime. Or he should not be able to significantly slow down the traffic or increase latency. How-ever these features are application specific and it is unlikely to design uni-versal secure routing algorithm with all such properties.

2.3.2 Key management

Poor sensor node’s capabilities prevent us from massive use of expensive (in terms of computational resources) public key cryptography based on RSA or complexity of discrete logarithm problem. However some new de-signs [PLGP06] propose to use public key cryptography based on ellip-tic curves, which is less computationaly complex. They assume that every node contains a public key of a single trusted authority and is able to verify corresponding digital signature. It is questionable whether the public key cryptography will be available in sensor networks in the near future. Pri-mary aim is to miniaturize the node and to decrease its cost, not to increase its processing power. However there are more and more schemes employ-ing asymmetric cryptography and we feel that its use has an increasemploy-ing tendency.

Because of the limited processing power, symmetric cryptography is dominant in sensor networks. There are several schemes of key sharing among the nodes and base stations. We will examine the most common of

(13)

2. WIRELESS SENSOR NETWORKS them.Single key shared among all nodes: Simple, but weak scheme. Com-promission of a single node compromise the whole network. This scheme is sometimes used for establishing the keys between each pair of neighboring nodes. It assumes, that attacker needs some time to compromise the node. During this time the new keys are established and globally shared key is erased.Every node shares a unique key with base station: Keys can be in-serted into nodes off-line, prior to their deployment. Compromission of a single node compromise only its own key. Frequent assumption of security protocols.Each pair of neighboring nodes shares a key: Also common as-sumption. Frequently applied together with previous scheme. Enables hop-by-hop encryption and in-network processing, therefore it is convenient for sensor network. However in most applications, keys cannot be preinstalled and must be distributed after deployment. Suppose we deploy the nodes by dropping them from the plane. We do not know, which nodes will be neighbors and which not. The neighborhood is established during the de-ployment process and keys have to be distributed afterwards. This task is nontrivial and requires additional assumptions and complex key distribu-tion protocol [EG02, PST+02, ZSJ03].

2.3.3 Attacker model

Karlof and Wagner have proposed following attacker model [KW03] suit-able for sensor networks and routing. There are two types of attacker: mote-class attackerandlaptop-class attacker.Mote-class attackerhas one or few nodes with capabilities similar to a legitimate node. On the other hand, laptop-class attackerhas a powerful device with capabilities comparable to laptop. He is not energy constrained and can have more sensitive antenna and more powerful radio. Another distinction can be made betweeninsider attacks andoutsider attacks.Insider attacks deal with a legitimate partici-pants of the network behaving in a malicious way, whereasoutsider attacks are mounted by outsider who is not the part of the network. However out-sider can eavesdrop the communication easily due to the broadcast nature of a wireless communication.

Attacker can be modeled also with respect to the Needham-Schroeder model [NS78]. Needham and Schroeder assume that ”an intruder can intr-pose a computer on all communication paths, and thus can alter or copy parts of messages, replay messages, or emit false material”. This model was extended to node-compromise model [EG02], which further assume: 1) keys can be loaded into the nodes in the secure way before the nodes are deployed. 2) the attacker is able to compromise only a fraction of the nodes.

(14)

3) attacker can extract all keys from compromitted node and 4) attacker is able to monitor only fraction of links during the short time period after the deployment of the nodes. This means that there is something like period of protection for nodes after deployment.

(15)

Chapter 3

Secure Routing in WSNs

Routing techniques in wireless sensor networks are influenced by two fac-tors. First, it has to deal with hardware and resource constraints. The rout-ing algorithm has to be energy aware, thus minimize the control informa-tion flows and communicainforma-tion. Routing table maintenance is limited by memory capacity. Second, the nature of sensor network applications de-fines traffic patterns, which are different from the traditional ones. In sen-sor networks, it is not necessary to support communication between any pair of nodes, the dominant traffic is one-to-many (base station multicast), many-to-one (data sent to the base station) and local communication be-tween neighbors. As the resources are limited and the number of nodes is large, wireless sensor network usually does not support global addressing, that brings high overhead. It often trade on its data centric character in-stead and deploys attribute-based addressing. This means the base station sends queries for data with specific properties. However routing technique is strongly dependent on the particular application for which the wire-less sensor network is used. Each application has different requirements on routing.

Today routing techniques can be divided into three categories [AKK04] based on the network structure:flat-based,hierarchical-based and location-based routing. In flat-based routed networks, each node plays the same role, due to the large number of nodes the global addressing is not sup-ported, the data-centric approach is used instead. Typical algorithms in this category are Direct Diffusion and Sensor Protocols for Information via Ne-gotiation (SPIN). The hierarchical-based (sometimes called cluster-based) algorithms are used in networks, where the nodes are organized into clus-ters and route the information via special nodes denoted as cluster heads. The main benefit of such routing algorithms is data aggregation, which saves energy and increases efficiency. The typical representative of this cat-egory is Low Energy Adaptive Clustering Hierarchy (LEACH). Location-based routing uses node’s location for addressing. The position of a node can be relative to its neighbors or absolute, detected, for example, by GPS.

(16)

To this category are included geographic routing algorithms like Geographic and Energy Aware Routing (GEAR) or Geographic Forwarding (GF).

3.1 Attacks on routing

Since the concept of sensor networks originates from the wireless ad-hoc networks, many attacks on wireless ad-hoc networks can be adapted for sensor networks. Sybil attack is such an example [NSSP04]. Karlof and Wag-ner [KW03] show another types of attacks and furthermore they propose two novel attacks – HELLO floods and sinkholes. Denial of Service attacks on sensor networks are studied by Stankovic and Wood [WS02]. We present a brief summary of major attack classes here.

Bogus routing information

The basic method how to influence routing is to change the routing in-formation. An adversary spoofs, alters or replays routing inin-formation. By these methods he can create loops in routing, increase latency, extend the paths or attract the traffic to the chosen node.

Selective forwarding

Selective forwarding is a variant of the DoS attack. Malicious node forwards only a chosen packets and drops the rest. Attacker has to be included in the path of the data flow to mount selective forwarding. To do so, he can use can use Sybil attack or sinkhole attack. The ultimate variant of this attack is called a Black hole attack. In such case, all the packets are dropped. How-ever node behaving like a Black hole can be easily detected by the neighbor-ing nodes, considered as dead and excluded from the routneighbor-ing path. There-fore dropping only some messages may be more beneficial for the attacker.

Sinkhole attack

The goal of the sinkhole attack is to attract as much of the traffic as possi-ble to the malicious node. The principle of this attack is that the malicious node tries to look very attractive for other nodes with respect to the routing algorithm. This goal can be achieved, for example, by spoofing the route advertisement or by providing a high-quality path to the base station using wormhole attack. Sinkhole can be further used for selective forwarding, which is very efficient and easy in that case.

(17)

3. SECUREROUTING INWSNS

HELLO flood attack

In some protocols, nodes announce themselves to the neighbors by broad-casting the HELLO packets. Node receiving such packet concludes, that the broadcasting node is his neighbor and is within the normal radio range. A lap-top class attacker can use a powerful radio to send HELLO packets to nodes, which are far more distant than the normal radio range from him. These nodes will send their messages to oblivion trying to reach the neigh-bor, which is not in their radio range.

Wormhole attack

Wormhole is a low-latency out-of-band channel used to connect two distant part of the network. Wormhole attack exploits the routing race conditions. This means that message, which should normally traverse multiple nodes, traverse only single one and hence is delivered in a much less time. Time of the delivery can be important for the routing scheme, especially if the influenced message contains routing information.

The attacker can send replayed packets through the wormhole to per-suade two distant nodes that they are neighbors. He can, for example, cre-ate wormhole between the base station and a node at the opposite side of network, thus instead of multiple hops the node appears to be only single hop from the base station. Therefore it becomes a sinkhole for his neighbors providing low-latency route to the base station.

Acknowledgement spoofing

Acknowledgement spoofing focus on the algorithms using link layer ac-knowledgements. An attacker spoofs these acknowledgements to persuade the node, that its dead neighbor is alive or that the weak link is reliable. The impact is similar to selective forwarding, chosen packets are lost with high probability.

Sybil attack

In the sybil attack, the attacker simulates multiple nodes and advertise mul-tiple identities to the rest of the network. By this, he can cripple even the robust multipath routing algorithms, because the bulk of the paths (even all) may pass through him. In geographic routing, attacker’s node can be virtually at more locations simultaneously and thus influence routing

(18)

algo-rithm. Sybil attack in general means serious threat not only for routing, but also for other algorithms such as voting algorithm or distributed storage.

Denial of Service

Denial of Service represents more or less general class of attacks, that can be mounted on several ISO/OSI layers of wireless sensor network, including the network layer. Almost all above attacks, especially selective forwarding and HELLO floods, can result in the denial of service.

3.2 Towards secure routing

Insecurity of routing algorithms is usually caused by missing authentica-tion, freshness and integrity check of the routing information. This fact is demonstrated in presented attacks. Spoofing of routing information or acknowledgements is not be possible, if proper mechanisms ensuring in-tegrity and authenticity are implemented. Sybil attack becomes more com-plicated if authentication of nodes is present. Freshness of messages can stop replay attacks.

We present two security concepts proposed for sensor networks in this section. These concepts can be used to secure the existing routing proto-cols or can be taken as a security primitives when designing new protocol. They address the broadcast authentication problem, because broadcast is frequently used to spread the routing information along the network.

3.2.1 µTesla

In several routing protocols [HSW+_{00, YCLZ01, AKK04], the base station} periodically broadcasts routing information or advertise itself as a base sta-tion. Attacker can forge such broadcasted information in case it is not prop-erly authenticated. To achieve authenticated broadcast, asymmetric cryp-tography is traditionally used. However this approach is not suitable for resource constrained sensor networks. Therefore,µTesla [PST+02] was de-signed. It provides an efficient authenticated broadcast based on symmet-ric cryptography. µTesla is the building block of the security architecture for sensor networks called SPINS (Security Protocols for Sensor Network) [PST+_{02]. Another building block is SNEP, which is used to achieve} confi-dentiality, integrity, authentication and freshness.

µTesla exploits the concept of one-way hash chain. Because this concept is frequently used in secure routing protocols, we describe it in detail. Let

(19)

3. SECUREROUTING INWSNS us assume that we have public one-way functionF, and random numberr. The one-way hash chain of lengthnis the sequence ofnnumbers, where the last number isr, andi−thnumber is obtained by application of functionF

on(i+1)-th one, for0< i < n. Generation of one-way hash chain thus starts by application of function F on r. The key property of this chain is, that everyone can compute i-th item, having arbitrary j-th item, wherei < j, but not vice versa. One of the first applications of this chain was Lamport’s scheme for one-time password generation [Lam81].

To make use ofµTesla, each node has to share a secret key with the base station. There also has to be a loose time synchronization between nodes and the base station. Prior to the actual broadcast, the base station generates the one-way hash chain of the lengthnwith the random keyKnas the last element, let us denote this chain as aone-way key chain. Then the derived key K1, first element of the one-way key chain, is delivered to all nodes in an authenticated (not necessarily confidential) manner using their keys shared with the base station.

The time is divided into uniform intervals. Note that we have loose time synchronization. Base station associates each key of the key chain with one interval. Hence in the intervalibase station authenticates the packets with the Message Authentication Code (MAC) using keyKi. The node receiving these packets, stores them for further authentication. In the following time interval, the base station reveals the keyKi. Receiving nodes use that key to check authenticity of the packets stored in previous time interval and verify the integrity and authenticity of the key by application of the one-way functionFon it. Note that the nodes already posses keyKv, wherev < i. If the verification of the key succeeds,Kvis replaced byKiand the packet is considered as authentic. In time intervalionly packets authenticated by keyKiare accepted. This prevents an attacker from using already revealed key to spoof the packets.

µTesla has two drawbacks. The nodes have to keep the messages buffered, because the authentication is delayed. It can be problem because of the lim-ited memory of nodes. It also delays the propagation of routing informa-tion. The second drawback is the need of loose time synchronizainforma-tion.

µTesla can be extended to provide authenticated broadcast not only for base stations but also for nodes. Nevertheless, this model is not needed so often. Nodes usually broadcast messages only to their neighbors and these messages can be authenticated in more efficient way as showed in following subsection.

(20)

Figure 3.1: ARMS. The relation between packets.idenotes the actual con-tents of the packet. Message represents sequence F(Kn+1)|Kn|i. Figure taken from[LC06b]

3.2.2 ARMS

µTesla aims to authenticate broadcast messages from the base station. Un-fortunately this scheme is not suitable for resource constraint nodes, which are not able to maintain long one-way hash chain. Moreover, nodes typi-cally performs only so calledlocal broadcast, which means the packets are broadcasted only to the neighbors. Authentication of a local broadcast can be achieved in an efficient way using ARMS [LC06b] (An Authenticated Routing Message in Sensor Networks). ARMS scheme assumes, that each pair of neighboring nodes share a secret key. This assumption is reasonable and can be achieved by several schemes [EG02, PST+_{02, ZSJ03]. As}_µ_Tesla, ARMS trade on the one-way hash chain principle. In contrast toµTesla, the chain is extremely short and periodically renewed.

Prior to the actual broadcast, sender generates random key K1. Then he derives short one-way key chainF(K1),K1, and sends the valueF(K1) (commitment) to all the neighbors using authenticated unicast. Broadcasted packet has then the form:[F(K2)|K1|i|M AC(K1, message)], whereF(K2) is a new commitment, i is the actual authenticated content, message is

[F(K2)|K1|i]andM AC(K, m) denotes MAC of m using keyK. Since re-ceiver knows previous commitmentF(K1), he can immediately verify the authenticity of key K1 and thus authenticity and integrity of the whole packet. Concurrently, new commitmentF(K2)is established. The relation between subsequent packets is shown in the figure 3.1.

Note, that if a single message is lost, the phase of authenticated uni-cast has to be repeated. For this reason, authors have extended the one-way

(21)

3. SECUREROUTING INWSNS chain. In extended scheme, up to two messages can be lost without need of restart. Unlike µTesla we do not require time synchronization, because broadcast is only local and the messages are delivered in the same time to all nodes. Thus attacker cannot forge any packet using just revealed key.

ARMS is very efficient, it require only 20 additional bytes per message. Also memory requirements are very low (16 bytes for receiver, 48 bytes for sender). The only problem can be the generation of random data. Sender have to generate 8 bytes of random data per every two messages. However these date could be obtained using for example noisy radio channel.

3.3 Secure routing protocols

Since Karlof and Wagner [KW03] drew the attention to the problem of se-cure routing in sensor networks, several novel sese-cure routing protocols were proposed [DHM02, KLP03, LC06a, NC07, PLGP06, WFSH06, WYC04, YM06]. Some of them can be considered completely secure, but some of them prevents only selected types of attacks. We have encountered also few protocols that were pretty secure, but with assumptions unsuitable for sen-sor networks. In this section we deeper examine four secure routing pro-tocols. We have selected protocols, which we consider innovative, efficient and secure, and which come up with interesting ideas appropriate for fur-ther use.

3.3.1 Scure Implicit Geographic Forwarding

Secure Implicit Geographic Forwarding (SIGF) [WFSH06] is a configurable protocol family for secure routing. It consists of three protocols, which rep-resent three security levels. The higher level inherits the capabilities from the lower ones. SIGF extends the Implicit Geographic Routing (IGF) [BHSS03] and thus can be included into location-based class of algorithms.

IGF

Implicit geographic routing is a stateless hybrid routing/MAC protocol. The next hop is determined at the transmission time, during the MAC-layer handshake. The IGF is build on RTS/CTS MAC protocol1. In IGF, each node is aware of its location. The routing procedure starts when a sender broad-casts Open Request To Send (Open RTS) with its positionSand destination positionD. Nodes located within the 60◦sextant centered on the line from 1. IGF have originaly extended basic 802.11 DCF MAC protocol [IEE99]

(22)

StoDare considered as candidate nodes. Each of these nodes sets the Clear To Send (CTS) response timer according to its distance from S, remaining energy and the distance to center of sextant. The more suitable the node is for forwarding the message the shorter time it sets. When the response timer expires, the node sends CTS. Then the sender sends him the data. Nodes hearing CTS cancel their timers.

Authors of SIGF have presented security analysis of IGF [WFSH06]. IGF is robust and fault tolerant. It is safe against altering or spoofing the routing information, because no one is sent. Furthermore neither HELLO floods nor wormhole attacks have much effect, no routing tables are kept and routing is dynamic and independent of routing information exchange. But Sybil at-tack, Selective forwarding and DoS remains a threat for IGF. In Sybil atat-tack, a single node attacker can create multiple virtual nodes around the sending node and thus increase the chance of being chosen. This attack can result into selective forwarding or black hole. Simple, but very effective attack is so called rushing attack. Malicious node ignores the CTS respond timer and sends CTS immediately. On the other hand such behavior is easy to detect. DoS attack can be performed by replaying either old ORTS message or old CTS message. This confuses the neighboring or sending nodes forcing them to restart their timers or send the data to oblivion.

SIGF-0

SIGF-0 is a simple extension of IGF. It allows us to configure several param-eters of IGF. Unlike IGF, where the forwarding area is fixed to 60◦ sextant, SIGF-0 supports enlarging of this area and thus takeing into account more neighboring nodes. This decreases the chances of malicious nodes to be cho-sen. In IGF, sender chooses the first CTS message he obtains, then closes the collection window and sends the data. Contrary, in SIGF, sender keeps the collection window opened for some time to obtain more CTS messages and then chooses one of them. The choice can be made randomly or based on some priority. Sender can also choose multiple nodes to increase the ro-bustness of the algorithm. Last configurable settings of SIGF-0 is whether the location of a node will be omitted or not in the CTS response timer cal-culation.

Key difference between IGF and SIGF-0 is that IGF closes the CTS collec-tion window after obtaining the first CTS, while SIGF-0 collects multiple of them. Hence SIGF-0 is not so vulnerable against rushing attack. Although it brings a small inefficiency, it significantly improves security.

(23)

SIGF-1

This variant inherits all the properties of SIGF-0. Furthermore it introduce an inner state of the node. This state is initialized and maintained by the node itself and it does not bring any communication overhead. SIGF-1 works as SIGF-0, but the choice of a next hop is based also on the reputation value assigned to each neighbor. This value is derived from the state informa-tion stored and maintained by the node. The node keeps the number of sent messagesT, and several records for each neighbor node N: number of messages sent toN; number of messages actually forwarded byN (this is determined by overhearing the traffic of nodeN); last claimed location of N; average delay during forwarding of message (again determined by overhearing). From these data node derives the reputation value of nodeN. Candidates, which has the reputation value below a threshold are dropped from the candidate list. This approach protects the algorithm against a Sybil attack. Note that all options of IGF-0 still remains.

SIGF-2

SIGF-2 includes both previous variants and adds the use of cryptography to prevent the DoS attack. It also ensures confidentiality, authenticity, in-tegrity and freshness of the communication between neighboring nodes. SIGF-2 require neighboring nodes to share the secret key. In addition, the neighborhood key has to be establish to enable authenticated broadcast of Open RTS message.

The integrity and authenticity of messages is ensured by Message Au-thentication Code using shared key. Freshness is guaranteed by sequencing the messages, for each neighbor node a counter is kept. SIGF-2 offers pay-load encryption to keep data confidential and prevent eavesdropping. By using authentication and sequencing, DoS attack is prevented as old mes-sages are discarded by the nodes. However in case of compromitted node, attacker can still mount such an attack. It is optional in SIGF-2, which type of messages will be protected by cryptographic mechanisms. This gives the user ability to set an appropriate level of security.

SIGF is a good example of routing protocol, which can be qualified as secure. SIGF can be configured to a certain level of security and robustness. One can easily trade off between security, efficiency and performance of the algorithm. What’s more configuration can be done dynamically. For exam-ple, system can be set to maximum performance and in case the attacker

(24)

is detected, the system can be reconfigured as a reaction to the attack. We consider the configurability of SIGF as a great advantage. We also appre-ciate the approach of IGF which integrate routing with the medium access control. This significantly increases the performance and efficiency of the overall system, which is important in limited wireless sensor networks. We are aware of the fact, that mixing the ISO/OSI layers has also many draw-backs and that IGF/SIGF is dependent on the particular MAC algorithm, but WSNs are specific and one cannot expect truly universal solution. The important limitation of IGF/SIGF is its essential assumption, that every node knows its location. However we consider this assumption as justi-fiable. Furthermore such equipped network can offer advanced services. There are two ways to satisfy this assumption. In the first way, every node is equipped with GPS. The second way uses few GPS equipped nodes and mechanism of triangulation to determine the location of the rest of nodes.

Comparing the variants of SIGF, we would evaluate the SIGF-0 as the best using cost/performance approach. It is very simple extension of IGF, which provides variety of settings and adorable security properties for triv-ial cost. SIGF-1 is also very paying. However in a high-density network, the state maintenance can occupy significant part of a memory and the process of overhearing can consume nontrivial amount of energy. SIGF-2 uses en-cryption, which require key establishment and management. It is costly and the benefits in terms of defense against DoS attack are very small. Since sen-sor nodes are not tamper resistant, it is relatively easy for the attacker to be-come part of the network and mount the attack anyway. Nevertheless once the keys are distributed, the cryptography can provide additional services. Hence the SIGF-2 mechanisms can be used in cooperation with other pro-tocols. This could justify the cost. We would consider implementing ARMS for authenticated local broadcast of Open RTS messages, instead of sharing neighborhood key. ARMS would also provide implicit sequencing of the Open RTS messages.

3.3.2 Secure Directed Diffusion

Directed Diffusion is a very important data-centric routing protocol for Wireless Sensor Networks [IGE00]. However this protocol has several se-curity shortcomings. Therefore Secure Directed Diffusion (SDD) [WYC04], a secure variant of this protocol, was designed. SDD protocol makes use of immediate TESLA [PCST01], that is a mechanism for authenticated broad-cast.

(25)

sta-3. SECUREROUTING INWSNS tion broadcasts interest for data, which is named by attribute-value pair. Thisinterest floods the network and sets upgradients at each node. Gra-dients specify data rate and direction in which to send data. Second phase begin, when theinterest reaches the node, which can satisfy it. That node sends low-rate data along the reverse path of the interest dissemination. At the end of this phase, base station receives low-rate data from multiple paths. The next phase is reinforcement phase. Base station selects one par-ticular path and sendsreinforcementvia this path in order to obtain higher data rate. In the last phase, source node generates data at the requested rate and sends it through the reinforced path. Not only base stations can rein-force the path, but also node included in the path can. This enable to repair broken paths. Also negativereinforcementsare supported.

Directed Diffusion is vulnerable to attacks, because of missing authen-tication and integrity checking. Karlof and Wagner [KW03] has shown sev-eral attacks on Directed Diffusion. Attacker can spoof positive or negative reinforcements in order to change the data flow. This may include him into the path and result into selective forwarding, data tampering, DoS or eaves-dropping. Attacker can also clone the data flow by rebroadcasting the inter-est listing himself as a base station. Lap-top class attacker can create a sink-hole using wormsink-hole attack in combination with forged reinforcements.

SDD protocol adopts ideas of immediate TESLA protocol [PCST01] to ensure authenticity and integrity of routing and data messages. Only sym-metric cryptography is used and asymmetry is achieved by one-way hash chain. The principle is similar toµTESLA described in section 3.2.1. SDD protocol requires that there is only one base station and it shares a secret key with each node. All nodes are also seeded with the first value k1 of the one-way key chain, where only base station knows kn to be able to authenticate its messages. SDD has the same phases as original Directed Diffusion, but in each phase, the integrity and authenticity of origin of the messages is protected. In the first phase, the base station floods mes-sage M = (H(IN T ERESTx)|M AC(kx|H(IN T ERESTx))), where H(m) denotes hash of the messagem,M AC(k, m)denotes Message Authentica-tion Code ofmusing keykand|denotes concatenation. Suppose all nodes have received message M after time t. Then base station floods another message(IN T ERESTx|kx). Now, node can verify thatkxis from base sta-tion by computingFx−1(kx) =k1. Havingkx, node can verify integrity and authenticity ofH(IN T ERESTx)and subsequently ofIN T ERESTX. The same technique is used when sending reinforcements in the third phase. Thus theinterests andreinforcements cannot be forged or modified. No-tice the drawback, that now the broken path cannot be repaired as in the

(26)

insecure Directed Diffusion, because only base station can send reinforce-ments.

The data sent in the second and fourth phase by the source node are also authenticated and its integrity is protected. In the phase of low-rate data propagation, source nodeN floods

D = (H(DAT A1)|M AC(k1N|H(DAT A1))|(kN1 )SF|N), wherek 1

N is the first key of the one-way key chain generated by node N, and (m)Sn denotes encryption of m using key Sn shared between node N and base station. Base station decrypts the keyk0_N and sends it in the authenticated way as in first phase to all nodes on the path. After this source nodeN sends data

(DAT A1|k2_N|nonce1|N|(nonce1)SN), whereN is the list of nodes.nonce1is used to ensure freshness. If nodeEreceives this data, it sends

(DAT A1|k1N|nonce1|N, E|((nonce1)SN)SE). The process continues until base station receives the data. Base station can verify authenticity and integrity of the data and also check the identity of the nodes on the path. Than base station probabilistically selects one of the possible paths. In the last phase, data are sent from the source nodeNin the similar authenticated way as the interests andreinforcements, but in opposite direction. Sequence numbers are also contained in the data to ensure freshness.

Secure Directed Diffusion is secure variant of popular data-centric pro-tocol. Unlike the original one, it does not support data aggregation and path recovery. On the other hand, it is resistant to almost all known at-tacks. However there is a problem during the low-rate data propagation phase. Possible paths are discovered and one is probabilistically selected. The probability of attacker being on the path is proportional to the frac-tion of paths including attacker and all the paths. Suppose the attacker A

overhears message(DAT A1|k1N|nonce1|N, E|((nonce1)SN)SE). He can cre-ate message

(DAT A1|k1N|nonce1|N, E, A|(((nonce1)SN)SE)SA) and thus introduce new path. The more such paths are created the greater the probability for the at-tacker to be on the selected path. The authors are aware of this attack. How-ever they rely on the property of the original Directed Diffusion, that for data dissemination the MAC unicast is used. We believe, that this is a poor countermeasure. Unicast is not used for security purposes. It is still pos-sible for an attacker to eavesdrop the communication. In addition, strong attacker can use, for example, selective jamming to prune away the original path.

(27)

3.3.3 SeRINS

Secure alternate path Routing IN Sensor networks [LC06a] is a routing pro-tocol, which combines several existing security mechanisms together with itsneighbor report systemto ensure secure routing. The goal of SeRINS is to protect the network against insider, which launches selective forward-ing or advertise bogus routforward-ing information. Authors of SeRINS assume that attacker can compromise only small number of nodes. They also as-sume, that each node shares a unique secret key with base station, and that each pair of neighboring nodes agrees on the shared secret key. The last assumption protects outsider attacker from joining the network, because all communication is protected by hop-by-hop encryption. SeRINS consists of three different schemes,an alternate path scheme,neighbor report sys-tem, andneighbor authentication.An alternate path scheme establishes a routing topology. Base station builds a tree with itself as a root by periodic broadcast of routing information. There are two difference over the MCF or TinyOS beaconing. First, the routing information packets are authenticated. Second, each node keeps more than one parent node and hence multiple paths to the base station exist. Regarding the authentication of the routing updates, first hop from base station is authenticated using one-way hash chain, so no one can impersonate base station, subsequent hops are authen-ticated usingneighbor authentication scheme. This scheme is no more than ARMS scheme described in section 3.2.2. To mitigate the impact of the selec-tive forwarding, multiple paths are established and for every packet one of them is randomly chosen. The third scheme,neighbor report system, was designed to identify and eliminate malicious nodes, which advertise bo-gus routing information. All neighbor nodes checks the routing information send by a node and if inconsistency is detected, malicious node is reported. Decision whether reported or reporting node is malicious is done by base station based on votes from neighboring nodes. Base station eliminates the malicious node by flooding this information and revoking its keys. Under

given assumptions, SeRINS seems to be resistant to all known attacks men-tioned in section 3.1. Sybil attack, Sinkhole attack, HELLO floods and ac-knowledgement spoofing are impossible due to secure channels between each pair of neighboring nodes. Note that responsibility is moved to the underlaying key distribution scheme. Wormhole attack is supposed to be defended by extern schemes like packet leashes [HPJ03]. SeRINS itself de-fends routing against selective forwarding and advertising of bogus routing

(28)

information. Impact of selective forwarding is minimized using multiple paths scheme, yet some impact remains. Problem of bogus routing infor-mation is solved using detection and reaction mechanism calledneighbor report system. We consider this system very inspiring. It is the example of leveraging the fact, that neighboring nodes can overhear the surrounding communication. It can be denoted as intrusion detection system. However it is strongly embedded in the routing scheme and cannot be applied alone without massive changes.

3.3.4 A Clean-Slate Approach

Parnoet al. [PLGP06] have decided to design a completely novel routing protocol with security and efficiency as the main goals. Their protocol trade on the combination of prevention, detection/recovery and resiliency. Fur-thermore, it provides node-to-node routing scheme. Unlike the majority of algorithms for sensor networks, this one exploits public key cryptog-raphy. There is a single trusted authority NA and each node is preloaded with its public keyPN Aand is able to verify the signature. Authors argue, that verification of signature can be very efficient and performed even by a node. Each node has also uniqueIDand a certificate(ID)SN Asigned by the trusted authority. Additionally the node has a one-way hash chain of chal-lenge valuesC1...Ck. Node also possesses (C1||ID)SN A to be able to send authenticate the challenges. Note, that these assumptions are strict indeed, but can be satisfied off-line prior to the actual deployment of the nodes.

The algorithm assigns the unique network address to each node and establishes the routing tables using recursive grouping. Recursive group-ing algorithm is initiated by every node broadcastgroup-ing itsIDand certificate. Neighboring nodes thus constructs a list of authenticated neighbors. Af-ter this phase, no node can join the neighborhood. The grouping algorithm itself starts with every node comprising its own group. Than the process continues by recursive merging of the groups until the whole network com-prises single group. During the grouping algorithm, hierarchical network addresses are constructed and forwarding is based on the address prefixes. After this procedure each node posses the routing table, that maps address prefixes to the neighboring nodes. To make routing resilient, multiple rout-ing entries can be maintained for routrout-ing into a subgroup. Thus node can choose between multiple paths.

Besides the grouping algorithm, there are several additional techniques to detect malicious behavior, eliminate malicious node and recover normal state. Grouping Verification Tree (GVT) algorithm detects malicious

(29)

behav-3. SECUREROUTING INWSNS ior during recursive grouping algorithm. It is based on Merkle hash tree [Mer80], which provides authentication of leaves having authentic root, and validation of the tree construction having authenticated leaves. GVT exploits authenticated challengesCkand prevents the malicious node from joining the group or corrupting the grouping algorithm. GVT can be ex-tended to verify the neighbor lists of the node or to verify the address of a particular node. The routing protocol implements a distributed detection algorithm [PPG05] for detection of a node claiming multiple identities, or replaying the broadcasted packets in the first phase. A simple algorithm (HoneyBee) is used to eliminate such nodes. Legitimate node, who has de-tected the malicious one, sacrifices itself. It floods its own ID together with the malicious node’s ID in an authenticated way. Both refereed nodes are revoked.

The security of this algorithm is ensured by running authenticated neigh-borhood discovery and by the GVT algorithm which detects possible tam-pering. The recursive grouping algorithm runs deterministically and is pro-tected by GVT, hence it prevents an intruder from altering the resulting topology. The Sybil attack is prevented using unique node IDs and certifi-cates signed by trusted authority. Multiple path variant is also fault tolerant and robust. The algorithm itself cannot cope with wormhole. To overcome this, authors suggest integrating one of the wormhole detection algorithms.

We consider the ”Clean-slate approach” as innovative due to the effi-cient asymmetric cryptography usage. On the other hand, we are still not fully convinced, that it is necessary to employ asymmetric cryptography. Even though it is relatively efficient it still remains costly. Moreover, nodes need to maintain routing tables, merge tables and challenge constants in memory. This algorithm consumes much resources of the node. We rate this as the biggest weakness of the algorithm. To be really secure, algorithm has to integrate many additional mechanisms, this fact also degrades the usabil-ity of the algorithm. Regarding benefits, this protocol is designed to route between any pair of nodes, whereas the huge majority of routing schemes relaxed to this traffic pattern. Therefore it predestines this technique to be employed in specific applications where such pattern is needed.

(30)

Introduction to Evolutionary Algorithms

In this thesis, we try to automatically generate attack strategies on routing algorithms for WSNs. We have decided to employ evolutionary algorithms for this purpose. Evolutionary algorithms are stochastic search algorithms inspired by biologic evolution. In order to find the optimal solution, evolu-tionary algorithms employ the basic mechanisms of evolution. They work with a set of individuals (denoted as population), in which each individual represents a possible solution. From these individuals, new ones are cre-ated using operations of mutation, crossover and reproduction. The quality of new individuals is evaluated by the fitness function. The new population is then sieved by the natural selection, that is based on the fitness function. The natural selection decides, which individuals will be reproduced (and thus their capabilities and features will be used for further generations) and which will be forgotten. This process is repeated until good enough solution is found. Details on the evolutionary mechanisms follow.

4.1 Population of individuals and their representation

Most algorithms for solving optimization problems work with a single can-didate solution at a time. Evolutionary algorithms work with a population of candidate solutions instead. This enables parallel search for the solu-tion and natural selecsolu-tion mechanism. The number of candidate solusolu-tions in population has significant impact on the convergency towards optimal solution and is typically set by an expert. Another key factor of the evo-lution progress is the representation of the candidate soevo-lutions, which is denoted asgenome. In linear genetic programming [BNKF98], which is the technique we use in this work,genome consists of a sequence of instruc-tions. Another common structure ofgenomeis a tree-based structure used in genetic programming [Koz92].

(31)

4. INTRODUCTION TOEVOLUTIONARYALGORITHMS

4.2 Genetic operators

In order to work, evolution has to have mechanisms, that ensure tion of individuals and that introduce new abilities to them. The replica-tion of individuals is provided by the replication operator, which simply copies the individual, and by thecrossoveroperator, that combines differ-ent parts from two or more individuals into a single one. In specific settings, crossovercan supply the task ofreplication New properties are introduced to an individual by themutation operator.Mutation modifies the genome of the individual by replacing some parts of the genome by newly gener-ated ones.

4.3 Fitness function and selection operator

The crucial part of the evolution process is the natural selection. It decides which individuals are replicated or modified and which are removed from the population. In evolutionary algorithms, the selection is based on the output of the fitness function.

The fitness function captures the relation between the candidate solu-tion and the optimal solusolu-tion for the problem in quessolu-tion. It expresses the quality of the candidate solution with respect to the desired goal and pro-vides feedback to the evolution.

The fitness function has to be graded with sufficient granularity to be able to distinguish the quality of two similar individuals. If it is not, then the search process can degrade down to a random search. For example, sup-pose we have only binary fitness function, which outputs ’1’ if the solution succeeds and ’0’ if not. Then, until the optimal solution is found, all candi-date solutions have the same quality and hence the selection is completely random. This results into the random search.

Fitness function must be also fast to compute. This condition is purely practical, because in the evolution process, we have to be able to evaluate a large number (103−106) of candidate solutions in a reasonable time.

The fitness function leads the evolution to the intended goal, thus we set the subject of the search by the definition of the proper fitness function. Note that some problems cannot be solved using evolutionary algorithms, because we are not able to define the fitness function satisfying above prop-erties, especially gradation.

(32)

Automatic design of attack strategy

In this work, we examine the security of routing protocols for wireless sen-sor networks. We aim to design an automatic method for generating attack strategies on these protocols. Such method can help us reveal, understand and countermeasure potential weaknesses.

There is a significant asymmetry between designing a secure system and attacking such system. The designer of a system has to consider and prevent all possible strategies, whereas the attacker needs to employ only one of those strategies to be successful. This is analogous to an exhaustive search through the whole search space versus a guided search through a part of the search space. The exhaustive search is practically impossible in our case, because the space of possible attack strategies is extremely large. Thus, we have decided to employ guided search and try to find at least some attack strategies. We are aware of the fact, that the chosen approach cannot prove the security of a system, even in case no attack strategy is found. However, it can help to secure the system by revealing its potential weaknesses.

5.1 Related work

So far, there have been several proposals for use of automatic attack genera-tion. The automatic attacks were mainly used in relation with Intrusion De-tection Systems (IDS). Automatic generation ofattack graphs2 using sym-bolic model checking algorithms was proposed [SHJ+02]. Constructing of attack graphsis crucial part of the vulnerability analysis of the network.

In [MGL+06], virtual network infrastructure is proposed, which is able to generate testing data set. This set would be further used for evaluation and testing of intrusion detection systems.

Polymorphic blending attacks (PBA) can be used to evade some payload-based intrusion detection systems. The principal of PBA is to transform the 2. Attack graphis ”the data structure used to represent all possible attack on the network”. [SHJ+_02]

(33)

5. AUTOMATIC DESIGN OF ATTACK STRATEGY attack packets into the form, that match the normal packet profile and thus evade IDS. In [FL06], authors propose to use the hill climbing for automatic generation of PBA instances, given the IDS and particular attack.

Combination of evolutionary algorithms and network simulator was successfully used to produce also the defensive strategy. Secrecy amplifi-cation protocol for WSN [SM07] was evolved. This protocol might signifi-cantly increase resiliency of link keys against link compromise attack.

5.2 Basic concept

The basic concept for automatic design of attack strategies is a result of joint work with my advisor Petr ˇSvenda. It combines automatic attack strategy generator with simulator or real system to generate and evaluate the large number of potential attack strategies. In this thesis we use this concept to automatically generate attack strategies on routing protocols.

The basic concept consists of the following five steps:

1. Execution of the X-th round of generator→attack strategy in a meta-language.

2. Translation from the metalanguage into a domain language. 3. Strategy execution (either by a simulation or in a real system). 4. Evaluation of the fitness function (obtaining attack success value). 5. Proceed to the (X+1)-th round.

We have to seed the generator with a set of elementary rules before the actual process of attack generation begins. These rules are basic building blocks creating the attack strategy. This action is viewed as a step 0.

We will discuss all steps in detail. Since this work examines the secure routing for WSNs, we use examples from this area.

5.2.1 Elementary rules

Prior to the actual generation process, we have to define elementary rules, which act as building blocks for new attack strategies. To do so, we first observe the attacked system and look for ways of influence that an attacker could have on it. For example he can intercept, send or generate message. These methods are then decomposed into elementary rules, such as inter-cept message from node X, change parameter X of the message or generate

(34)

Attack strategy generator - random search - exhaustive search - educated guess - guided search Translation Simulator Real system Fitness function Elementary rules Attack strategy

in metalanguage in domain languageAttack strategy

Statistics Attack success

Ways of influence that an attacker can have on simulated/real system

Figure 5.1: Basic concept for automatic attack generation. Attack strategy in metalanguage is generated from elementary rules. Strategy is translated to the language of evaluation environment (simulator, real system). Dur-ing evaluation of attack strategy statistics are collected. These statistics are used for computation of fitness function, which qualify the success of the strategy and provides guideline to the generator.

particular message. Granularity of these rules is a very important factor. The more detailed the rules are, the bigger the possibilities of the genera-tor. On the other hand, the larger the search space of attack strategies. We divide the granularity into three levels. Note that these levels are not strict and depends on the viewpoint. In one scenario we consider something as a primitive attack, whereas in other scenario it is only an elementary rule of high granularity and vice versa. Moreover, we can use both primitive attacks and detailed elementary rules in a single scenario.

• Recombination of primitive attacks - if we take primitive known at-tacks (sequences of elementary rules) as an elementary rules, we can generate new attacks by recombination of these known attacks. This can significantly speed up generation process, because known

(35)

con-5. AUTOMATIC DESIGN OF ATTACK STRATEGY structions need not to be generated from scratch. On the other hand, novel primitive attacks cannot be generated. For example, elementary rule can be replay message, delay message or drop message.

• Optimization of known attacks - we already have an attack strategy (e.g., compromise node and extract its keys) and we want to optimize its parameters (e.g., which nodes should be compromitted). In this case, elementary rules represent the parameters.

• Novel attacks- if the elementary rules are detailed enough, generator can combine them into a completely novel attack. These rules should represent all the basic actions an attacker can do. For example, inter-cept a message or even modify X-th bit of the message. In this work, we will try to define high granularity rules and generate novel attacks.

5.2.2 Generation of attack strategy

Generator constructs the attack strategy from the elementary rules. One of the following techniques can be used for construction.

• Random search- elementary rules are randomly combined into an at-tack strategy. No information about previously generated atat-tack strate-gies is used in generation process.

• Exhaustive search - all possible combinations of elementary rules are generated. This technique finds optimal attack strategy that can be constructed from elementary rules. Exhaustive search is not conve-nient for large search spaces, which is our case.

• Educated guess- an expert combines elementary rules into a possibly successful attack strategy. Information about previously generated at-tack strategies can be used to speed up the process.

• Guided search - new attack strategy is modification of the previously generated attack strategy. Information about the quality of previous attack strategy is available and is shape the new attack strategy. The representatives of the guided search are for example hill climbing3or evolutionary algorithms. We use evolutionary algorithms to generate attack strategies in this work.

3. Hill climbing is an optimization algorithm. It starts with a random solution and gradu-ally improves this solution by making small changes to it.

(36)

5.2.3 Translation

Elementary rules and resulting attack strategies are written in a metalan-guage, which is suitable for the generator. On the other hand, in most cases this language cannot be interpreted by a simulator or a real system. There-fore we have to translate the attack strategy in order to execute it on the simulator. Note that we can use multiple simulators or real systems, which use different languages, and single generator. Thus the translation into mul-tiple languages is necessary.

5.2.4 Strategy execution

Attack strategy is executed in the simulator or real system. The statistics from the simulator or real system are used as an input of the fitness func-tion, that evaluates the success of the attack strategy. For example, the statis-tics can include average length of the message route or number of delivered messages. The possibility of using real system for the evaluation of the at-tack strategy can be very useful. No abstraction is used and the generated attack strategies can exploit, for example, bugs in particular real system im-plementation.

5.2.5 Fitness function evaluation

In our concept, the feedback about the attack strategy success is very im-portant, especially if a form of the guided search is used for attack strategy generation. This feedback is provided by thefitness function4, that evalu-ates the quality of the attack strategy. Note that the fitness function deter-mines the attacker’s goal. For example, if the goal is to decrease the net-work lifetime, the fitness function can be defined as the inverse value of the remaining energy. Thus having elementary rules, translation rules and sim-ulator, we can generate attack strategies with different goals by switching the fitness functions.

5.3 Concept realization via evolutionary algorithms

Now we demonstrate the practical use of the basic concept. Due to our fo-cus, we aim to generate attack strategies on the routing protocols for wire-4. Termfitness functionis borrowed from the terminology of evolutionary algorithms. In contrast to the original fitness function used in evolutionary algorithms ourfitness func-tiondoes not need to fulfill all its properties. Properties of the original fitness function are discussed in section 4.3.

(37)

5. AUTOMATIC DESIGN OF ATTACK STRATEGY less sensor networks. The ultimate goal of our effort is to generate success-ful attack strategy on a secure routing protocol, that would reveal the con-ceptional weakness of the protocol. However we are aware of high com-plexity and hardness of achieving such goal, so we first focus on an insecure protocols with known weaknesses. The attack strategy generator should be able to reveal these weaknesses and to generate appropriate attack strate-gies. We have chosen two insecure routing protocols, Minimum cost for-warding, described in section 5.4.1, and Implicit geographic forfor-warding, presented in section 3.3.1. The first was chosen because it represents widely used class of routing protocols, that construct a minimum spanning tree as a routing structure. It also has several documented weaknesses which are easy to find for a human expert. The second protocol is more robust and incorporates a randomness into the routing process. However also this pro-tocol contains weaknesses that can be turned into a successful attack. An-other reason, why to choose IGF is, that it can be easily upgraded to one of the security levels of SIGF. We could thus potentially analyze what impact the attack strategy generated for IGF has on its secured version SIGF.

A particular instance of the basic concept is shown in the figure 5.2. If we follow the basic steps of the concept, we first define the elementary rules. These rules are strongly dependant on the attacker’s abilities. There-fore, prior to the elementary rules definition we have revised the attacker model in section 5.3.1. There are two kinds of elementary rules, triggers and instructions. Details are presented in subsequent section. We employ evolutionary algorithms as the attack strategy generator . We do not need a translation step, because the simulator was designed to accept the output of the generator. For routing simulation we have extended the Sensor Secu-rity Simulator. The feedback is provided by one of four fitness functions we have implemented. Each fitness function guides the evolution to a slightly different attack strategy with a different goal. Details on implementation and Sensor Security Simulator follow in subsequent sections.

5.3.1 Attacker model revised

To clarify the attacker’s capabilities, we have to define an attacker model. We have revised and extended the Karlof’s attacker model described in sec-tion 2.3.3 for this purpose.

We assume that our attacker is authorized to take part in the routing process, thus to mountinsider attacks. This state can be achieved by cap-turing the legitimate node. However also outsider attacker can have abil-ities similar to insider attacker in some conditions. This is caused by the

(38)

- evolutionary algorithms Translation Fitness function Elementary rules Attack strategy

in metalanguage in domain languageAttack strategy

Statistics Attack success

Ways of influence that an attacker can have on simulated/real system

Simulator Attack strategy generator

- Sensor Security Simulator

Attack strategy in domain language

- triggers and instructions

- number of delivered messages - length of path

...

Figure 5.2: A particular instance of the basic concept. Evolutionary algo-rithms are used as the attack strategy generator. Translation step is omitted, because simulator accepts the generator’s output. Generated attack strat-egy runs on Sensor Security Simulator. Statistics include total number of generated messages, number of delivered messages and many others. One of fitness functions evaluates the attack strategy success.

nature of wireless medium and the fact, that attacked protocols do not em-ploy cryptographic mechanisms for ensuring confidentiality, authenticity and integrity. Therefore if no link layer encryption is implemented, outsider attacker can act as an insider in our case.

Our attacker falls into the category of mote-class attacker. Therefore, we further divide this category into three subclasses for our purpose. Sin-gle node attacker,Multiple nodes attacker with homogenous strategyand Multiple nodes attacker with heterogenous strategy.Single node attacker controls only one node. Thus only one instance of attack strategy is exe-cuted at a time. Multiple nodes attacker with homogenous strategy con-trols multiple nodes and each one of these nodes executes the same attack strategy. Thus there are multiple similar attack strategies running at a time.