
Electronic Network - Advantages and Disadvantages


Academic year: 2021


Refining Bogus Data in Wireless Sensor Network Using Non-Repudiation and Enrouting Filter Mechanism

Shobhana S

PG Scholar, Dept of CSE, Apollo Priyadarshanam Institute of Technology, Chennai

Abstract—A wireless sensor network is usually composed of a large number of sensor nodes which are interconnected through wireless links to perform distributed sensing tasks. When a sensor node generates a report after being triggered by a special event, it sends the report to a data collection unit (also known as the sink) through an established routing path. Wireless sensor networks are usually deployed in unattended or hostile environments. They are therefore very vulnerable to various security attacks, including the injecting false data attack, in which bogus data is sent to the sink to cause erroneous upper-level decisions and to waste energy at en-route nodes. The proposed work deals with a novel bandwidth-efficient cooperative authentication (BECAN) scheme. This scheme saves energy by detecting and filtering the majority of injected bogus data early, at the en-route nodes, so that the burden on the sink is reduced. To filter the bogus data, BECAN adopts a cooperative neighbor router (CNR)-based filtering mechanism.

Keywords: cooperative bit-compressed authentication, en-routing filtering, injecting false data attack, sensor network.

I. INTRODUCTION

A wireless sensor network consists of a large number of sensor nodes which are interconnected through wireless links. The nodes are low-cost and equipped with the necessary sensing and communicating components. Sensor nodes can be imagined as small computers, extremely basic in terms of their interfaces and their components. They usually consist of a processing unit with limited computational power and limited memory, sensors, a communication device and a power source, usually in the form of a battery.

A wireless sensor network deployed in a hostile environment is mainly concerned with monitoring physical or environmental conditions and sending reports to the base station so that future action can be taken. In such an environment, sensor nodes are subject to various types of attacks such as eavesdropping, masquerade and selective forwarding. The network also suffers from various injecting false data attacks [1], [2]. Adversaries can inject bogus data reports into the WSN through compromised nodes, which results in false decisions at the higher level and also wastes energy and resources.

This may be dangerous in scenarios such as battlefield surveillance and environmental monitoring, where it leads to false decisions [13]. Moreover, it is difficult to monitor all the sensor nodes in the field of interest. At the same time, the simultaneous arrival of false data causes not only flooding but also a heavy verification burden on the sink. False data filtering mechanisms are therefore used to tackle this problem.

II. EASE OF USE

The proposed bandwidth-efficient cooperative authentication scheme reduces the impact of bogus data injected into the network through a compromised node by having the en-route nodes filter the bogus data as early as possible, before it reaches the base station. As a result, authentic and accurate data is provided to the surrounding sensor nodes and to the sink. It is an effective way to defeat bogus data injection attacks. In en-route filtering schemes, not only the destination node but also the intermediate nodes can check the authenticity of a message, which reduces the number of hops or nodes the false message travels. The scheme achieves not only high filtering probability but also high reliability. Early detection of the injected bogus data by the en-route sensor nodes reduces the burden on the sink.

The contributions of this paper are as follows.

1) Wireless Sensor Node Deployment: The wireless sensor network consists of a sink and a large number of sensor nodes randomly deployed in a certain interest region (CIR). Each sensor node is stationary, and communication between two sensor nodes is bidirectional. A sensor node close to the sink can contact the sink directly. If a sensor node is outside the transmission range of the sink, it makes use of other nodes to establish a route to the sink. Verification can be done at the sink after it receives the report.

2) Cooperative Bit-Compressed Authentication: The earlier the injected bogus data is detected, the more energy can be saved using the proposed bandwidth-efficient authentication scheme. Since the sensor nodes are low-cost and energy-constrained, it is desirable to design a bandwidth-efficient authentication scheme.

3) En-routing Filtering Probability: The effectiveness of the proposed scheme can be demonstrated using the en-routing filtering probability and the false negative rate on true reports. The en-routing filtering probability is measured as the number of false data filtered by en-route nodes out of the total number of false data.

III. PRELIMINARIES

A. Elliptic Curve Cryptography

Elliptic Curve Cryptography (ECC) is a form of public key cryptography. In public key cryptography, each user or device taking part in the communication generally has a pair of keys, a public key and a private key, and a set of operations associated with the keys to perform the cryptographic operations. Only the particular user knows the private key, whereas the public key is distributed to all users taking part in the communication. Some public key algorithms require a set of predefined constants to be known by all the devices taking part in the communication. The 'domain parameters' in ECC are an example of such constants. Public key cryptography, unlike private key cryptography, does not require any shared secret between the communicating parties, but it is much slower than private key cryptography. The sink distributes the pair key to the sensor nodes during initialization. When a sensor node generates a report m after being triggered by a special event, e.g., a temperature change, it sends the report to the sink via an established route. The source node encrypts the original text to a cipher text using Elliptic Curve Cryptography (ECC), a public key encryption technique based on elliptic curve theory [5].

ECC creates faster, smaller and more efficient cryptography. It generates keys through the properties of the elliptic curve equation. TinyECC is a configurable library for Elliptic Curve Cryptography (ECC) which allows flexible integration of ECC-based public key cryptography in sensor network applications. It provides a ready-to-use, publicly available software package for ECC-based PKC operations.

B. Message Authentication Code

A Message Authentication Code (MAC) is a short piece of information used to authenticate a message. It assures the recipient that the message came from the expected sender. It is appended to the message, which is then transmitted to the neighboring nodes. It is defined as

MAC(m, k, n) = h(m || k)    (1)

where m, k and n are a message, a key and an adjustable parameter, respectively. The encrypted report, along with the MAC value, is sent to the next node to check the authenticity of the report. An en-route node that receives the event report verifies the validity of the report through the received MAC. If the MAC is valid, the node replaces the received MAC with its own MAC; otherwise it drops the report. An en-route node that receives a forged report thus finds that the MAC is invalid and drops the report.

IV. ENROUTE FILTERATION

A. Common Security Threats on WSN

An attack is an event that diminishes or eliminates a network's capacity to perform its expected function, and an adversary is a person or other entity that attempts to cause harm to the network by unauthorized access or denial of service. Since sensor nodes are deployed in unattended environments, an attacker can falsify local sensor values in the area of the WSN and may be able to mislead monitors in those areas. As a result, a sensor node may be unable to communicate and coordinate with the network, and its operation is disrupted.

Fig. 1. Classification of attacks on communication in Wireless sensor network

Attacks [9] against wireless sensor networks can be broadly considered from different viewpoints. In the network layer, the key issues include locating destinations and calculating the optimal path to a destination. By tampering with the routing service, for example by modifying routing information and replicating data packets, attackers can make communication in WSNs fail. As shown in Fig. 1, attacks that affect communication can be categorized into routing attacks [10] and attacks on transit.


In a routing attack, adversaries can gain access to routing paths, redirect traffic, distribute false information to mislead the routing direction, or launch a DoS attack against routing, acting as black holes that swallow all received messages or selectively forwarding packets through certain sensors. The routing attacks [9] can be categorized as follows:

1) Selective Forwarding: A malicious node can selectively drop only certain packets. In sensor networks it is assumed that nodes faithfully forward received messages, but a compromised node might refuse to forward packets; its neighbors might then start using another route.

2) Altered Routing Information: An attack against the routing information exchanged between nodes. An adversary can alter or replay routing information.

3) Sinkhole Attack: Attracting traffic to a specific node is called a sinkhole attack. In this attack, the adversary's goal is to attract nearly all the traffic from a particular area through a compromised node. Sinkhole attacks typically work by making a compromised node look attractive to surrounding nodes.

4) Sybil Attack: A single node duplicates itself and is present in multiple locations. In a Sybil attack, a single node presents multiple identities to other nodes in the network. Authentication and encryption techniques can prevent an outsider from launching a Sybil attack on the sensor network.

5) Wormhole Attack: In the wormhole attack, an attacker records packets (or bits) at one location in the network, tunnels them to another location, and retransmits them into the network.

6) False Data Injection: Sensor nodes are not tamper resistant and can be easily compromised by an adversary. In this attack an adversary injects false data and compromises the trustworthiness of the information communicated. False sensing reports can be injected through compromised nodes.

B. Enrouting Filtering Scheme

Wireless sensor networks (WSNs) have attracted a lot of attention recently due to their broad applications in both military and civilian operations [7]. Many WSNs are deployed in unattended and often hostile environments such as military and homeland security operations. Typically, a sensor detecting an event sends a report to a special node called a sink, which collects and processes such reports.

Fig. 2. En-route filtering scheme

Wireless sensor networks deployed in hostile environments are vulnerable to many types of security attacks, including false data injection, data forgery, and eavesdropping [2]. Sensor nodes can be compromised by intruders, and the compromised nodes can distort data integrity by injecting useless data. The transmission of useless data depletes the constrained battery power and degrades bandwidth utilization. To detect and drop false data, a number of en-route filtering schemes have been developed. The earlier the injected bogus data is detected, the more energy can be saved in the whole network.

In en-route filtering schemes, not only the destination node but also the intermediate nodes can check the authenticity of a message in order to reduce the number of hops or nodes the false message travels, as illustrated in Fig. 2. In the en-route filtering phase, every forwarding node verifies the MAC computed by its lower association node and then removes that MAC from the received report. If the verification succeeds, it computes and attaches a new MAC based on the pairwise key shared with its upper associated node. Finally, it forwards the report to the next node towards the BS. Here the en-route node receives a report from the source node or the lower associated en-route node and checks the integrity of the received report by means of the MAC enclosed in the report. If the verification succeeds it forwards the report; otherwise it drops the report.
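The hop-by-hop check described above, as an added example that is not code from the paper or from the BECAN authors: each en-route node verifies the MAC from its lower node, discards it and attaches a new one for its upper node, and the batch at the end computes the en-routing filtering probability and false negative rate as the paper defines them. The route, keys and reports are constructed, and HMAC-SHA256 truncated to n bits stands in for h(m || k); reading n as a truncation length is an assumption of this example.

```python
import hashlib
import hmac

MAC_BITS = 32  # constructed value for the adjustable parameter n
ROUTE = ["S", "R1", "R2", "R3", "SINK"]  # constructed route, source first

# Constructed pairwise keys, one per link (lower node, upper node).
KEYS = {
    (a, b): hashlib.sha256(f"demo-key|{a}|{b}".encode()).digest()
    for a, b in zip(ROUTE, ROUTE[1:])
}


def mac(message: bytes, key: bytes, n_bits: int = MAC_BITS) -> bytes:
    """HMAC-SHA256 truncated to its leading n_bits bits (assumed use of n)."""
    digest = hmac.new(key, message, hashlib.sha256).digest()
    top = int.from_bytes(digest, "big") >> (256 - n_bits)
    return top.to_bytes((n_bits + 7) // 8, "big")


def forward(report: bytes, tag: bytes, sender: int = 0):
    """Relay a report from ROUTE[sender] to the sink, filtering per hop.

    Each receiver checks the tag made by its lower node; on success it
    discards that tag and attaches one for its own upper node.
    Returns ("delivered", "SINK") or ("dropped", <node that dropped it>).
    """
    for i in range(sender, len(ROUTE) - 1):
        lower, node = ROUTE[i], ROUTE[i + 1]
        if not hmac.compare_digest(mac(report, KEYS[(lower, node)]), tag):
            return ("dropped", node)
        if node != ROUTE[-1]:
            tag = mac(report, KEYS[(node, ROUTE[i + 2])])
    return ("delivered", ROUTE[-1])


def run_batch():
    """Send constructed true and false reports; return outcomes and rates."""
    true_report = b"temp=41C;t=1700000000"
    false_report = b"temp=900C;t=1700000000"
    stale_tag = mac(true_report, KEYS[("R1", "R2")])
    outcomes = {
        # The source holds the S-R1 key, so its tag verifies at every hop.
        "true": forward(true_report, mac(true_report, KEYS[("S", "R1")])),
        # Injected without the S-R1 key: the tag is made with a wrong key.
        "forged": forward(false_report, mac(false_report, b"not-the-link-key")),
        # Content altered after R1 tagged the true report for R2.
        "altered": forward(false_report, stale_tag, sender=1),
    }
    false_total = 2
    filtered_en_route = sum(
        1 for name in ("forged", "altered")
        if outcomes[name][0] == "dropped" and outcomes[name][1] != "SINK"
    )
    true_lost = 0 if outcomes["true"][0] == "delivered" else 1
    # (en-routing filtering probability, false negative rate on true reports)
    return outcomes, filtered_en_route / false_total, true_lost / 1


if __name__ == "__main__":
    print(run_batch())
```

Lowering `MAC_BITS` shortens every tag on the wire, at the cost of a higher chance that a guessed tag passes a single hop.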

V. BECAN AUTHENTICATION SCHEME

A. Sensor Node Deployment

The sink deploys these initialized sensor nodes in a certain region. Each sensor node is stationary, and communication between two sensor nodes is bidirectional, as shown in Fig. 3 [1]. A sensor node close to the sink can contact the sink directly. If a sensor node is outside the transmission range of the sink, it makes use of other nodes to establish a route to the sink.

Fig. 3. Deployment of Sensor Nodes

Each sensor is preloaded with a secret key shared with the sink. The sensor node IDs are registered with the sink via the router. The sensor nodes elect the cluster head among themselves on the basis of high battery and memory power. To enable en-route nodes to verify reports, the sink sends the indices of the latest hash values on the corresponding hash chains to each cluster head.

B. Key Sharing and Path Finding

The sink shares its public keys with each particular sensor after the cluster head of a particular region has been chosen [4]. Dijkstra's algorithm is suitable for finding the shortest path between the sensor nodes and to the sink. The sensors establish their route to the sink using the shortest path algorithm. Multiple paths to the cluster head will be found for data transmission. The network can be represented as an undirected graph G = (V, E), where V is a set of vertices which represents the sensor nodes {N0, N1, . . .} and E is the set of edges.

Algorithm 1. Dijkstra's Single Source All Shortest Path

procedure DIJKSTRA(G = (V, E), source)
    for each vertex v in V
        dist[v] := infinity
        previous[v] := undefined
    end for
    dist[source] := 0
    Q := the set of all nodes in V
    while Q is not empty
        u := the node in Q with the smallest dist[u]
        remove u from Q
        if dist[u] = infinity
            break    // the remaining nodes are unreachable from source
        end if
        for each neighbor v of u that is still in Q
            alt := dist[u] + dist_between(u, v)
            if alt < dist[v]
                dist[v] := alt
                previous[v] := u
            end if
        end for
    end while
    return dist
end procedure

C. Cooperative Neighbor Router (CNR)-Based Filtering Mechanism

The proposed system deals with a novel bandwidth-efficient cooperative authentication (BECAN) scheme for filtering injected bogus data. To filter the bogus data injected by compromised sensor nodes, BECAN adopts a cooperative neighbor router (CNR)-based filtering mechanism. CNR consists of three components that work in concert to detect and filter out forged messages: (1) each legitimate report carries multiple MACs generated by different nodes that detect the stimulus, (2) intermediate forwarding nodes detect incorrect MACs and filter out false reports en-route, and (3) the sink verifies the correctness of each MAC and eliminates remaining false reports that elude en-route filtering.

The sink distributes the pair key to the sensor nodes during initialization. When a sensor node generates a report m after being triggered by a special event, e.g., a temperature change, it will send the report to the sink via an established routing.


Fig. 4. Cooperative CNR – based authentication mechanism

Fig. 4 shows that the sensor (source) node has sensed some data m and is ready to report m to the sink via the routing path [1]. While transmitting the data to the sink, the source node obtains the current timestamp. In cooperative CNR-based authentication, the MAC authentication does not work if the number of neighbors of the source node is less than the preset threshold. The effectiveness of the proposed scheme can be demonstrated using the en-routing filtering probability and the false negative rate on true reports. The false negative rate (FNR) of true reports is measured as the number of true data that cannot reach the sink out of the total number of true data. If the FNR is small, the BECAN scheme is shown to have high reliability. When the number of independent reports increases, the FNR decreases. Thus, the multi-report technique in this scheme fits realistic scenarios. As a result, the BECAN scheme can achieve high reliability.

VI. DETECTING GANG INJECTION ATTACK

A new stronger injecting false data attack, called gang injecting false data attack, occurs in wireless sensor networks. This kind of attack is usually launched by a gang of compromised sensor nodes controlled and moved by an adversary.

Fig. 5. Gang injecting bogus data attack

When a compromised source node is ready to send false data, several compromised nodes first move and aggregate at the source node, and then collude to inject the false data. Because of this mobility, the gang injecting false data attack is more challenging and harder to resist. To tackle this kind of attack, a possible solution with the BECAN scheme is to require each participating sensor node to provide its position information. If the current position is not consistent with the previous ones, the gang attack can be detected.

To detect the gang injecting false data attack shown in Fig. 5, the proposed scheme makes use of the Ad hoc On-Demand Distance Vector (AODV) routing protocol [11]. We preferred AODV as the routing protocol because it does not need any central administrative system to control the routing process. Generally, reactive routing protocols like AODV tend to reduce control message overhead at the cost of increased latency in finding new routes. AODV also reacts relatively fast to topology changes in the network and updates only the nodes affected by these changes. It also saves storage space and energy. Both theoretical and simulation results are given to demonstrate the effectiveness of the proposed scheme in terms of high filtering probability and energy saving.
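One way to implement the position-consistency check proposed above, as an added example rather than code from the paper: a verifier keeps the last accepted position per node ID and flags a report whose participating nodes claim positions that disagree with it. The ledger class, the tolerance value, the node IDs and the coordinates are all constructed assumptions.

```python
import math

TOLERANCE_M = 2.0  # assumed allowance for localisation error, in metres


class PositionLedger:
    """Last accepted (x, y) position per node ID (hypothetical helper)."""

    def __init__(self):
        self.last = {}

    def check_report(self, endorsements):
        """Return IDs whose claimed position disagrees with the ledger.

        endorsements: list of (node_id, (x, y)) for the nodes that took
        part in one report. A node seen for the first time is accepted.
        Positions are committed only when nothing is flagged, so a
        rejected report cannot rewrite the history it was checked against.
        """
        moved = [
            node_id
            for node_id, pos in endorsements
            if node_id in self.last
            and math.dist(self.last[node_id], pos) > TOLERANCE_M
        ]
        if not moved:
            self.last.update(dict(endorsements))
        return moved


def demo():
    """Constructed scenario: N7 and N8 turn up next to source N1."""
    ledger = PositionLedger()
    first = ledger.check_report(
        [("N1", (10.0, 10.0)), ("N2", (12.0, 11.0)),
         ("N7", (80.0, 40.0)), ("N8", (85.0, 42.0))]
    )
    # Same stationary nodes with small measurement jitter: still consistent.
    jitter = ledger.check_report([("N1", (10.5, 10.2)), ("N2", (12.0, 11.4))])
    # N7 and N8 now claim positions beside N1, far from their history.
    gang = ledger.check_report(
        [("N1", (10.5, 10.2)), ("N7", (11.0, 9.0)), ("N8", (9.5, 11.5))]
    )
    return first, jitter, gang, ledger.last["N7"]


if __name__ == "__main__":
    print(demo())
```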

VII. CONCLUSION

Existing filtering mechanisms do not provide high filtering probability, which results in false decisions at the higher level and also wastes energy and resources. Compromised sensors can cause not only false alarms but also the depletion of the finite amount of energy in a battery-powered network. The BECAN scheme, on the other hand, has been demonstrated to achieve not only high en-routing filtering probability but also high reliability with multi-reports. Due to its simplicity and effectiveness, the BECAN scheme could be applied to other fast and distributed authentication scenarios, e.g., efficient authentication in wireless mesh networks. One of the main contributions of the proposed work is the CNR-based filtering mechanism, which does not require a complicated security association because of noninteractive key establishment. While our current focus is the distribution of en-routing authentication to all sensor nodes along the en-routing path, it is important to note that the scheme is bandwidth efficient. To save bandwidth, it also adopts the bit-compressed authentication technique. Currently, the scheme lacks a means of preventing the gang injecting false data attack from mobile compromised sensor nodes.

Acknowledgment

Foremost I thank Almighty Lord for the successful completion of my thesis. I would like to express my sincere gratitude to my guide Ms. G. Sumathi, for her guidance. She helped me throughout my studies and the writing of this thesis. Finally I thank my parents, who always encourage me in my higher studies.

REFERENCES

[1] Rongxing Lu, Xiaodong Lin, Haojin Zhu, Xiaohui Liang, and Xuemin (Sherman) Shen, "BECAN: A Bandwidth-Efficient Cooperative Authentication Scheme for Filtering Injected False Data in Wireless Sensor Networks," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 1, January 2012.

[2] S. Zhu, S. Setia, S. Jajodia, and P. Ning, "An Interleaved Hop-by-Hop Authentication Scheme for Filtering of Injected False Data in Sensor Networks," Proc. IEEE Symp. Security and Privacy, 2004.

[3] F. Ye, H. Luo, S. Lu, and L. Zhang, "Statistical En-Route Detection and Filtering of Injected False Data in Sensor Networks," Proc. IEEE INFOCOM '04, Mar. 2004.

[4] K. Akkaya and M. Younis, "A Survey on Routing Protocols for Wireless Sensor Networks," Ad Hoc Networks, vol. 3, no. 3, pp. 325-349, May 2005.

[5] A. Liu and P. Ning, "TinyECC: A Configurable Library for Elliptic Curve Cryptography in Wireless Sensor Networks," Proc. Seventh Int'l Conf. Information Processing in Sensor Networks (IPSN '08), pp. 245-256, Apr. 2008.

[6] Y. Zhang, W. Liu, W. Lou, and Y. Fang, "Location-Based Compromise-Tolerant Security Mechanisms for Wireless Sensor Networks," IEEE J. Selected Areas in Comm., vol. 24, no. 2, pp. 247-260, Feb. 2006.

[7] R. Szewczyk, A. Mainwaring, J. Anderson, and D. Culler, "An Analysis of a Large Scale Habitat Monitoring Application," Proc. Second ACM Int'l Conf. Embedded Networked Sensor Systems (SenSys '04), 2004.

[8] C. Zhang, R. Lu, X. Lin, P. Ho, and X. Shen, "An Efficient Identity-Based Batch Verification Scheme for Vehicular Sensor Networks," Proc. IEEE INFOCOM '08, Apr. 2008.

[9] A.D. Wood and J.A. Stankovic (2002), "Denial of service in sensor networks," IEEE Computer, Vol. 35, No. 10, pp. 54-62.

[10] J. A. Al-Karaki and A. E. Kamal (2004), "Routing Techniques in Wireless Sensor Networks: A Survey," IEEE Wireless Commun., vol. 11, no. 6.

[11] Usop, N. S. M. Azizol Abdullah. Abidin, A.F.A. (2009), "Performance Evaluation of AODV, DSDV & DSR Routing Protocol in Grid Environment," International Journal of Computer Science and Network Security (IJCSNS), Vol. 9, No. 7, pp. 261-268.

[12] L. Zhou and C. Ravishankar, "A Fault Localized Scheme for False Report Filtering in Sensor Networks," in Proceedings of the IEEE International Conference on Pervasive Services, 2005.

[13] C. Hartung, J. Balasalle, and R. Han (2004), "Node compromise in sensor networks: The need for secure systems," Technical Report CU-CS-988-04, Department of Computer Science, University of Colorado at Boulder.

H. Yang and S. Lu (2006), "Commutative cipher based en-route filtering in wireless sensor networks," in Proc. IEEE VTC, 2004, vol. 2, pp. 1223–1227.
