2011 Eighth IEEE International Conference on Mobile Ad-Hoc and Sensor Systems
Toward Reliable Actor Services in Wireless Sensor and Actor Networks Xu Li⇤† , Xiaohui Liang† , Rongxing Lu† , Shibo He†‡ , Jiming Chen‡ , and Xuemin (Sherman) Shen†
INRIA Lille - Nord Europe, Univ Lille Nord de France, USTL, CNRS UMR 8022, LIFL, France † Department of Electrical and Computer Engineering, University of Waterloo, Canada ‡ State Key Laboratory of Industrial Control Technology, Zhejiang University, China Email:
[email protected], {x27liang, rxlu, xshen}@bbcr.uwaterloo.ca,
[email protected],
[email protected] ⇤
Abstract—Wireless sensor and actor networks (WSANs) are service-oriented environments, where sensors request actors to service their detected events and actors move to deliver the desired services. Because of their openness and unattended nature, these networks are vulnerable to various security attacks. In this paper we address service fraud attacks for the first time, whose objective is to stop the normal use of actor services by fake service requests and/or delivery. To mitigate this type of security attacks, we propose a novel cooperative authentication scheme. With the scheme, a sensor’s service request is cooperatively authenticated by the sensors that witness the same event, and an actor’s service delivery effort is cooperatively authenticated by the sensors that witness the actor’s behavior. Considering the presence of compromised sensor/actor nodes, the trustworthiness of each authenticated service delivery process is subject to location consistency check and witness diversity check. It may then be taken into account to adjust the corresponding actor’s trust rating so as to influence future actor service selection. We analyze the communication overhead and the security strength of the scheme. We show that our scheme ensures fraud-resistant actor services in our considered WSAN environment. Keywords—Cooperative authentication; service fraud attacks; fraud resistance; wireless sensor and actor networks
Fig. 1. A WSAN deployed for wildfire monitoring. Two fire-fighter actors are dispatched to to extinguish a detected fire.
service providers in taking decisions and performing appropriate actions/tasks on themselves (e.g., controlled movement [4]), sensors (e.g., data collection [5]) and/or the environment. While sensors are static, actors can be static or mobile. Examples of static actors are sprinklers attached on the ceiling of an office room and motion-activated lights installed in a dark hallway. In this paper, we focus on WSANs with mobile actors. These actors can be unmanned vehicles or even human beings that have controllable mobility. Upon request, they offer movement-assisted services to the physical environment under surveillance. An application example of such WSANs is fire detection and fire fighting in a woody area, as illustrated in Fig. 1. After a fire occurs, surrounding sensors detect it and collaborate among themselves to aggregate data, and one of them is then elected to ring the alarm, reporting the fire to the data sink and requesting for firefighting service; one or a few actors are then dispatched to stop the fire. Since a WSAN is an unattended open environment, a malicious adversary may readily compromise sensor and actor nodes and obtain their locally stored key materials. It then becomes able to attack the network directly by impersonating a legitimate node or indirectly through the compromised nodes, with the aim to undermine the network functionalities or even paralyze the entire network. In such critical WSAN applications as aforementioned fire detection and fire fighting, degraded network performance leads to not only economic loss
I. I NTRODUCTION Wireless sensor networks (WSNs) are an integral part of the emerging machine-to-machine communications paradigm [1]. They are recognized important tools for real-time monitoring of critical infrastructures that might be subject to natural and/or human induced hazards [2]. Wireless sensors are autonomous resource-constrained devices with integrated sensing, processing and communication abilities. Thousands of them may be densely placed, mostly at random, in a region of interest. Once deployed, they self-configure into an operational WSN and work unattended, sampling the environment and reporting the samples to a predefined data sink. Limitations of randomly deployed large-scale WSNs for autonomous functioning and reporting were recently recognized. Capable nodes, called actors and also known as robots, have therefore been introduced into WSNs for providing valueadded services and augmented network performance. The resultant wireless sensor and actor networks (WSANs) [3] are an integration of WSNs and multi-robot systems. They comprise of networked sensor and actor nodes that communicate via wireless links to perform distributed sensing and actuation tasks. Actors are usually resource-rich. They are involved as 978-0-7695-4469-4/11 $26.00 © 2011 IEEE DOI 10.1109/MASS.2011.42
351
but loss of precious lives. Among many security attacks that can be used to damage WSANs from different perspectives, we address two particular ones that target at actor services: • Service-request fraud attacks, where a compromised sensor attracts actors by generating forged service requests so that the latter does not respond to true service requests. • Service-delivery fraud attacks, where a compromised actor attracts service requests by pretending to offer best service and then does not deliver the requested service. These two attacks, collectively referred to as service fraud attack, are performed at application layer. Their objective is to stop the normal use of actor services. In a service-oriented environment like WSANs, a straightforward solution to mitigate service fraud attacks is trust management [6]. The logic is to build trust between service consumers and service providers and assign low trust value to service fraud attackers, so that service consumers choose only trustworthy service providers and service providers offers service only to trustworthy service consumers. When realizing such a trust-based fraud-resistant actor service solution, the fundamental problem is authenticating service requests and service delivery behavior for trust evaluation.
Fig. 2.
An overview of our proposed cooperative authentication scheme.
between its own measurements and the event data embedded in a service request from a neighboring sensor, then bogus service requests can be detected. The second fact indicates an actor is able to prove its movement efforts for service delivery by using by-passed sensors as its behavior witness. Note that our objective here is not to develop a complete trust management system for offering fraud-resistant actor services. Rather, we aim to solve the fundamental authentication problem of realizing such a system. To the best of our knowledge, this is the first work addressing this problem.
A. Motivation and intuition One node’s trust in another node is based on the evidence gathered from previous interactions with that node. In traditional service-oriented networks, service providers offer services in cyberspace following specific protocols; service consumers are direct service benefiter and thus able to verify these services. For instance [7], in wireless ad hoc routing, a node monitors the packets forwarded by its next hop and detects routing misconducts such as malicious packet drop or modification. Another example [8] can be related to peerto-peer storage service. A node evaluates a peer’s service according to how often its storage request is satisfied by the peer and take this as the basis of its trust in that peer. In WSANs, service providers (i.e., actors) however offer services as responses to detected events in real world. Service consumers are defined as the sensors requesting services on behalf of the events. There is no direction interaction between service providers and service consumers during the course of service delivery. This unique characteristic distinguishes WSANs from traditional service-oriented networks, rendering existing trust management implementations not applicable to it. In order to realize the trust-based solution in WSANs to fraud-resistant actor services, we must answer the following questions: Who should provide the evidences of service consumers/providers behavior? And, how to authenticate them? They are actually questions about authenticating service requests and delivery. In this paper, we answer these questions by proposing a novel cooperative authentication scheme. This scheme is grounded on the following two facts: (1) sensors that are geographically close to each other have highly correlated event measurements [9]; (2) sensors that are adjacent to an actor’s trajectory witness the actor’s physical movement. The first fact tells us that, if each sensor checks the correlation
B. Our contributions In this paper, we consider a WSAN, in which mobile actors offer movement-assisted services to detected events upon sensors request. We assume that there is a service directory component (SDC) in the network, responsible for accepting service requests from sensors and assigning the most trustworthy and appropriate actors to delivery the requested services. In such an environment, we address the security problem of service fraud attacks by compromised sensor and actor nodes. We propose a sophisticated cooperative authentication scheme to mitigate this problem and aim to achieve fraud-resistant actor services. In the proposed scheme, when a sensor wants to request an actor service as service consumer for an event, it has to first obtain cooperative authentication for the event data from neighbors. These neighbors determine whether or not the event is true according to their own sensory data and vote accordingly. The votes are embedded in their authentication codes, readable only by the SDC. The service consumer gathers all the authentication codes and submits them together with the event data to the SDC as part of the service request. The SDC accepts the request if majority of the votes are positive, and reject it otherwise. An actor that is dispatched by the SDC to service an event needs to construct a behavior proof for itself during the service delivery process and afterwards submit it to the SDC for crediting. The proof is an integration of a migration proof 352
be validated by multiple keyed message authentication codes (MACs), each generated by a node that detects the same event. As the report being forwarded, each node along the data communication route verifies the correctness of the MACs at earliest point. If the injected false data escape the en-route filtering and are delivered to the sink, the sink will further verify the correctness of each MAC carried in each report and reject false ones. To verify the MACs, each node gets a random subset of the keys from a global key pool and uses them to produce the MACs. To save communication bandwidth, the mechanism adopts bloom filter to reduce the MAC size. The problem with this mechanism is that the filtering probability at each en-route node is relatively low. Besides, it does not consider the possibility of compromised en-route nodes. The concept of inner-circle consistency was adopted in [17] to prevent false data from propagating in a wireless ad hoc network. The k-hop communication neighbors (for a constant k) of a node S form the inner circle of S. Before propagating data X in the network, S needs to get approval from its inner circle. It sends X and a dependability level (L) to all the innercircle members. L indicates the minimum number of innercircle members that must agree on X in order for X to be propagated. The value of L is chosen from a predefined pool of candidate values, with respect to the size of the inner-circle. A secret signing key KL is associated with each candidate value of L. Each node knows only a (L+1)-share of KL rather than KL as a whole. For S to propagate X successfully, L+1 nodes must cooperate to sign X with KL . Each inner-circle member votes on X according to certain policy. It returns S a partial signature obtained using its share of KL if it agrees on X. Having collected L partial signatures, S will be able to recover the complete signature using them together with its own partial signature. Once having the complete signature, S may transmit X, L and this signature altogether by the underlying routing protocol. A receiver node verifies the signature and decides whether to retransmit according to the verification result. This scheme leaves the selection of the value of L to data source. A malicious or compromised source can set L to a small value or to the number of colluding nodes within its inner-circle and thus increase its chance to propagate false data in the network. Lu et al. [18] recently proposed a cooperative authentication scheme that shifts the decision of dependability level (L) to intermediate nodes of data propagation path, achieving better performance. This scheme requires source routing. Source node S informs its k-hop neighborhood nkS about the data X to be propagated and the complete routing path P to be used. Each node in nkS uses an ECC (Elliptic Curve Cryptography)based non-interactive keypair establishment method to compute shared keys with all nodes in P . It generates message authentication codes (MACs) for these en route nodes using these keys if it agrees on X, and randomly otherwise. S collects MACs from nkS and transmits them together with X along P . Each node in P generates the shared keys with nkS similarly and verifies the received MACs intended for it. It decides whether to retransmit or not according to the
and a servicing proof. To generate the migration proof, the actor obtains signatures from sensors that it passes by while moving toward the event location. Each of these signatures is associated with a temporal-spatial point, and they together show the actor’s migration effort for service delivery. The actor aggregates all the signatures into a batch signature as the migration proof, whose verification is more computationally efficient than verifying the original signatures individually. After the actor finishes servicing the event, the service consumer (i.e., the sensor that requested the service) issues it a servicing proof, which contains post-service measurements, indicating the actor’s service quality. This proof is cooperatively authenticated by the sensors neighboring the service consumer. For each received authentic actor behavior proof, the SDC computes the trustworthiness of the proof through location consistency check and witness diversity check. A most trustworthy proof is the one that is authenticated by least frequently used witness sensors whose location is strictly consistent with previous records. This trustworthiness serves as a weighting factor to the proof and helps the SDC adjust the trust rating of the actor for future service selection. Figure 2 gives the overall execution process of our proposed scheme. We analyze the communication overhead and the security strength of the scheme. We show that the scheme indeed ensures fraudresistant actor services in our considered WSAN environment. We finally discuss its limitations on resisting collusion attacks on legitimate service requests. The remainder of the paper is organized as follows. We briefly review related work in Sec. II. We introduce models and definitions to be used throughout the paper in Sec. III. Then we present our cooperative authentication scheme for fraudresistant service requests and fraud-resistant service delivery in Sec. IV and V, respectively. We analyze the communication overhead and the security strength of the scheme in Sec. VI, followed by the closing remarks presented in Sec. VII. II. R ELATED W ORK A few secure service discovery algorithms, e.g., [10], [11], are proposed in the literature. They aim to secure the information of the offered services rather than the services themselves. Some research efforts, e.g., [12], [13], have been devoted to trust-based service discovery. The resultant algorithms have the limitations as presented in Sec. I-A and are not suitable for WSANs. Actor task assignment [14], [15] has been studied as an optimization problem but without security in mind. To the best of our knowledge, there are no previous research addressing fraud-resistant actor services in WSAN environment. In the following we will introduce some cooperative authentication schemes recently proposed for wireless ad hoc networks. We believe they are the most relevant research to this work as the key to achieve fraud-resistant actor services is indeed to cooperatively authenticate service request/delivery. Ye et al. [16] proposed a statistical en-route filtering mechanism for removing false event report from network traffic in wireless sensor networks. This scheme requires every report to
353
verification result and a locally selected vote threshold L. In our proposed fraud-resistant actor services solution, we use a similar approach to detect false service requests and authenticate service delivery results. The approach is coped with a specific technique (which is missing in Lu’s scheme) for each sensor to locally determine the truthfulness of the target data and vote accordingly. Park et al. [19] presented a timestamp series approach for defending against Sybil attack in a vehicular ad hoc network based on roadside unit (RSU) support. In Sybil attack, a malicious sender creates multiple fake identities (called Sybil nodes) to impersonate as normal nodes. In their approach, RSUs are trusted devices, and they issue certificates carrying the current time to passing-by vehicles. Due to the differences of moving dynamics among vehicles, it is very unlikely that two different vehicles pass by multiple RSUs at exactly the same time. According to this spatial and temporal correlation between vehicles and RSUs, a vehicle is considered performing Sybil attack if it sends two messages with similar timestamp series issued by RSUs. In our scheme proposed here, we use the authentication codes of sensors along an actor’s trajectory to prove the migration behavior of the actor. These sensors are similar to the RSUs in the VANET environment considered by Park, but may be malicious and reject to issue any certificate. In addition, a malicious actor may choose its partner sensors to forge a migration proof. These two cases are not possible in Park’s solution as all RSUs are trusted.
TABLE I K EY N OTATIONS
si aj cR ID(u) N BR(si ) H(M ) Signu (M ) Encvu (M ) s
Eki s IN F (Eki ) s CD(Eki ) s Belnj (Eki ) ✓
We define the network model, service discovery model and security model, on which our cooperative authentication scheme is to be designed. Some key notations to be used in the sequel are listed in Tab. I.
The hash result of message M The signature of node u on message M M is encrypted by a shared key of nodes u and v An event detected by si at local time Tk (si ) s The information about Eki s The code uniquely identifying Eki s The belief of nj in Eki reported by si The belief threshold for considering an event true
s
The authentication code of nj for Eki s s The vote of nj on Eki , embedded in Autnj (Eki ) The vote threshold for SDC to accept a service req.
T C(aj , Eki ) s PB (aj , Eki ) s PM (aj , Eki ) s PS (aj , Eki )
s
The The The The The
transaction that aj services Eki s behavior proof of aj for T C(aj , Eki ) s migration proof of aj for T C(aj , Eki ) si servicing proof of aj for T C(aj , Ek ) minimum granularity of a migration proof
W D(PB ) LC(PB ) EF F (PB ) ↵
The The The The
witness diversity of behavior proof PB location consistency of behavior proof PB effectiveness of behavior proof PB weighting factor of W D(PB )
Autnj (Eki ) s V OT Enj (Eki )
III. M ODELS AND D EFINITIONS
An arbitrary sensor An arbitrary actor Communication rage The unique identifier of node u The set of sensors neighboring si
s
s
delivery. In the course of relocation, actors keep connected to at least one sensor node and thus the entire network so that they may respond to yet emergent events.
A. Network model
B. Service discovery model
We consider a WSAN consisting of static sensors and mobile actors. We denote by S = {s1 , · · · , sm } the sensor set and by A = {a1 , · · · , am0 } the actor set. Sensors have the same communication range Rs ; actors have the same communication range Ra . In order for a sensor si and an actor aj to be able to communicate mutually in a direct manner, they have to be within each other’s communication rage, i.e., |si aj | min{Rs , Ra }. Thus, we assume Ra = Rs = cR for simplicity. Sensors are connected with one another through multi-hop routing paths composed of other sensors. Intersensor communication therefore does not rely on actors. Each node is associated with a unique identifier (ID). Both sensors and actors are aware of their own spatial coordinates. Sensors act on behalf of their detected interesting events, e.g., fire, toxic material leakage, enemy invasion, etc. to request services, i.e., event responses, from actors. For each event, multiple nearby sensors may detect it. We assume that only one of them is appointed as service consumer by some distributed election algorithm and requests an actor service for the event. Actors are service providers. Upon service request, they geographically relocate to the event location for service
The process that a sensor finds an actor is called service discovery. It can be carried out through a directory-based approach or a directory-less approach. The former uses a well structured service directory component (SDC) to store service provider information and answer any service lookup. The latter does not maintain any special component but rely on periodical service advertisement and multicasting-/anycasting- based service lookup. In order to concentrate on the authentication problem, we use a directory-based service discovery model. In this mode, actors inform the SDC about their locations and availability; sensors send service requests to the SDC, which then dispatches the most appropriate actors to deliver the requested services according to certain selection criterion. Sensors (and actors) also submit authenticated proofs about the truthfulness of their service requests (resp., service delivery) to the SDC. Using these proofs, the SDC is able to decide whether to respond to a service request. We further assume that a trust management system is installed on the SDC. This system computes the trust value of an actor according to certain trust model and the submitted actor behavior proofs. With this system, the SDC is able to choose the most trustworthy 354
actors for event response. The SDC may be implemented distributedly, for example, as in [20]. However, as data sink is a necessary in-network node for gathering and analyzing sensory data, it is convenient to host the SDC on the data sink without bringing any essential change to the network structure and the networking process.
{Xq (si ), Xq 1 (si ), · · · , X1 (si )}, where the subscript k indicates that the last sample Xq (si ) was obtained at local time Tk (si ). We denote by V (si ) the geographic location of si . Suppose that si detects that event Eksi is happening and needs to request actor services for Eksi as a service consumer. In this case, si compiles the event information using the latest sample set Qk (si ) as follows
C. Security model
IN F (Eksi ) = (ID(si ), V (si ), Tk (si ), Qk (si ))
We assume a secure routing protocol at the network layer, and there is a secure neighborhood discovery algorithm [21] so that each node knows its true neighbors. A small fraction of sensors and actors may be compromised and launch service fraud attacks at the application layer. Within any area not smaller than nodal communication range in the the network, the number of compromised sensors is smaller than the number of normal sensors. Compromised sensors do not know about each other due to their weakness; a compromised powerful actor, however, knows about all the other compromised nodes in the network as well as their key materials. Let G and GT be two finite multiplicative cyclic groups of prime order q. Suppose that they are equipped with a pairing, i.e., a non-degenerated and efficiently computable bilinear mapping e : G ⇥ G ! GT such that: i) 8u, v 2 G, 8a, b 2 Zq , e(ua , v b ) = e(u, v)ab ; ii) 9g 2 G, e(g, g) has order q in GT . Before the network starts operation, an initialization phase is executed to set up security parameters in the network. In the network initialization phase, a trusted authority (TA) chooses a generator g of G and selects a public cryptographic hash function H : {0, 1}⇤ ! G. It publishes these two parameters to all the nodes, whether sensors or actors, in the network. Then for each node a, the TA chooses a random number xa 2 Z⇤q and computes ya = g xa , which become respectively the private key and the public key of a. The TA issues a certificate containing the key pair to a through a secure channel (usually offline), and it opens ya to the public. Then cryptography is readily available to the underlying routing protocol for providing secure data communication. Node a computes its signature for a given message M as Signa (M ) = (H(M ))xa . Any other node b is able to verify the signature by checking e(Signa (M ), g) = e(H(M ), ya ). The signature is valid if the equality holds. When node a wants to send a secret message M to b, it encrypts M using the public key yb of b as follows [22]: it chooses a random h 2 Z⇤q and calculates a shared secret s = ybh for M ; it converts M to M 0 2 G and sends a ciphertext Encba (M ) = (c1 , c2 ) to b, where c1 = g h and c2 = M 0 s. Node b is able to decrypt Encba (M ) with its private key xb as follows: it calculates the shared secret s = (g h )xb , retrieves M 0 = c2 s 1 and then converts M 0 back to M . The shared encryption/decryption key s only needs to be negotiated once in the above non-interactive way, unless the public key of b is changed.
and the event code CD(Eksi ) = H(IN F (Eksi )). The former describes Eksi in detail; the latter serves as the unique identifier of Eksi in the future. And, si transmits an event report (REP) message to all its neighbors N BR(si ) for authentication in the following formate: (IN F (Eksi ), Signsi (IN F (Eksi ))). Because si and its neighbors N BR(si ) are geographically close to each other, it is very likely that every nj 2 N BR(si ) detects the same event as si does. Thus nj is able to authenticate Eksi according to its own sensory data. Considering the possibility that nj is compromised, cooperative authentication by the entire neighbor set N BR(si ) is necessary. We elaborate below how each neighbor nj computes its belief in Eksi according to IN F (Eksi ) and its own measurements and how cooperative authentication is performed and verified. A. Computing the belief in a reported event Assuming negligible transmission delay, the event report of si arrives at each node nj 2 N BR(si ) instantly. On receiving the report, nj verifies the attached signature of si . Let Tk0 (nj ) be the local time of nj . If the signature is invalid, it discards the message; otherwise, it computes the correlation of the embedded sample set Qk (si ) and its own sample set Qk0 (nj ) as its belief Belnj (Eksi ) in the reported event Eksi . Because sensors may not be time synchronized, the two sample sets are not necessarily covering the same time period. But nevertheless, they are off each other in time by at most one sampling interval since sensors use the same sampling frequency. Here we consider them synchronized for simplicity. For ease of presentation, we apply notation Y to the samples in Qk0 (nj ). Without ambiguity, we now may express a single sample in Qk (si ) (or Qk0 (nj )) without using the parenthesis (si ) (resp., (nj )). Each sample has p > 0 dimensions. Denote by X l (or Y l ) the l-th dimension of X (resp., Y ). The belief Belnj (Eksi ) is defined as the average of the correlation on each dimension of Qk (si ) and Qk0 (nj ) based on Pearson’s Correlation coefficient [23]. Specifically, Pq p l X l )(Ytl Y l ) 1X t=1 (Xt qP qP Belnj (Eksi ) = . p p p l l l )2 l )2 l=1 (X X (Y Y t t=1 t=1 t
IV. F RAUD - RESISTANT S ERVICE R EQUESTS
The belief Belnj (Eksi ) is a value between 1 and 1 inclusive. A positive value means that relatively high scores on one variable are mapped to relatively high scores on the other,
Each sensor si samples the environment at a fixed frequency and records the most recent q samples: Qk (si ) =
355
request, the SDC retrieves the event information and all the embedded votes and computes the ratio of the number of positive votes to the total number of votes. If the ratio is larger than a predefined threshold , it accepts the request, and reject it otherwise. The vote threshold may be different for different types of events. For an accepted service request, the SDC may dispatch one or multiple actors for service delivery, and it informs the service consumer about these coming actors. V. F RAUD - RESISTANT S ERVICE D ELIVERY
Fig. 3.
A transaction is a service delivery process, where an actor aj located at position V (aj ) moves along a self-identified physical path to service an event Eksi located at position V (Eksi ). It is uniquely identified by a transaction code
Cooperative authentication on a service request.
T C(aj , Eksi ) = (ID(aj ), CD(Eksi )). To achieve fraud-resistant service delivery, the service delivery behavior of each actor has to be authenticated during every transaction. For our proposed scheme, the key component of service delivery authentication is an actor behavior proof (PB ), which is composed of two parts: a migration proof (PM ) and a servicing proof (PS ). The former proves that an actor physically relocates to the event location; the latter proves the quality of the service offered by the actor. These two sub proofs are distributedly issued to an actor by sensors witnessing the actor’s service delivery behavior. In the following, we will examine how an actor behavior proof is constructed and verified.
and low scores are mapped to relatively low scores. On the other hand, a negative value means that relatively high scores on one variable are mapped to relatively low scores on the other. Belnj (Eksi ) is expected to be positive and close to 1. If it is beyond a pre-define belief threshold ✓, node nj considers that Eksi is true, and false otherwise. B. Cooperative authentication and voting After determining whether Eksi is true or not, each neighbor nj generates an authentication code Autnj (Eksi ) for it. The code has the following structure: Autnj (Eksi ) = (ID(nj ), V OT Enj (Eksi ), Signnj (Eksi )), where V OT Enj (Eksi ) =
(
EncSDC (CD(Eksi )) nj EncSDC (random data) nj
A. Actor behavior proof During and after delivering service to event Eksi , actor aj receives portions of its behavior proof PB (aj , Eksi ) from a sub set of sensors. It integrates these proof portions and constructs PB (aj , Eksi ) for itself. It then submits PB (aj , Eksi ) to the SDC by a service completion (COM) message for credits. The COM message (i.e., PB (aj , Eksi )) has the following structure:
Eksi
if is true otherwise
and Signnj (Eksi ) =Signnj (CD(Eksi ), ID(nj ), V OT E(Eksi)). It then sends an authentication (AUT) message to si as follows: (CD(Eksi ), Autnj (Eksi )).
(T C(aj , Eksi ), PM (aj , Eksi ), PS (aj , Eksi ), Signaj (M )), where M = (T C(aj , Eksi ), PM (aj , Eksi ), PS (aj , Eksi )). 1) Migration proof (PM ): While migrating from its initial location V (aj ) to event location V (Eksi ), actor aj discovers sensors adjacent to its movement path, by listening to their ‘hello’ messages. Among these sensors, it chooses a random sub-set of sensors as the witnesses of its physical migration behavior. Its migration proof is then composed of a sequence of temporal-spatial points signed by these witness sensors. Specifically, before starting the migration, aj computes a s |V (aj )V (Eki )| step distance d = , where |V (aj )V (Eksi )| is the Euclidean distance between V (aj ) and V (Eksi ) and a system parameter defining the granularity of a migration proof. It then moves step by step, each step at distance d. Notice that it is not necessary that aj moves exactly steps during migration since its movement path may not be a straight line (e.g., due to the presence of physical obstacles). After each movement step, it stops and discovers adjacent sensors. If no sensors are discovered, it starts next movement step. Otherwise, among
One may discover the belief of nj in Eksi by decrypting V OT Enj (Eksi ) and comparing the decryption result with CD(Eksi ). However, this requires the private key of the SDC. Thus Autnj (Eksi ) serves as a secret vote of nj on the truthfulness of Eksi and is readable by the SDC only. The service consumer si is able to verify the authenticity of Autnj (Eksi ). Having collected the authentication codes from all neighbors, si encapsulates them along with IN F (Eksi ) into a signed service request (REQ) message as follows: (IN F (Eksi ), Autn1 (Eksi ), · · · , Autnt (Eksi ), Signsi (M )),
where M = (IN F (Eksi ), Autn1 (Eksi ), · · · , Autnt (Eksi )). The above described cooperative authentication and voting process is illustrated in Fig. 3. The SDC validates each received service request by verifying attached the signature of the corresponding service consumer and the authentication codes. It discards the request if the validation result is negative. From each valid service 356
follows: 0
SIGN (aj , Eksi )
=
Y
Signst (Matj )).
t=1
Then, using Attt (aj , Eksi ) and SIGN (aj , Eksi ), it generates migration proof PM (aj , Eksi ) for itself as follows:
a
(Att1 (aj , Eksi ), · · · , Att 0 (aj , Eksi ), SIGN (aj , Eksi )).
Fig. 4.
It stores PM (aj , Eksi )) locally so as to, later after obtaining PS (aj , Eksi )), generate PB (aj , Eksi )) for itself. 2) Servicing proof (PS ): After finishing transaction T C(aj , Eksi ), actor aj sends a notification (NOF) message to sensor si whose service request triggered T C(aj , Eksi ). Recall that the SDC has informed si that who are servicing Eksi . Having received the notification from aj and confirmed that aj is indeed an authorized service provider, si sends a servicing proof PS (aj , Eksi ) to aj by an acknowledge (ACK) message. This ACK message (i.e., actor servicing proof) has the same structure, and is therefore generated in the same way as the previous REQ message of si (see Sec. IV). But, as opposed to the REQ message which contains before-service event measurements, it carries post-service measurements as evidence, showing how Eksi is impacted by aj ’s service.
Cooperative authentication on actor migration behavior.
the discovered sensors, it selects one that has been chosen least frequently in the previous steps. If multiple such sensors exist, a random choice is made. Suppose that aj selects a sensor st at the t-th step for t > 0. It sends to st a selection (SEL) message in the following format: (ID(st ), T C(aj , Eksi ), Vt (aj ), Tt (aj ), Signaj (Matj )), where ID(st ) implies the intended receiver is st , Vt (aj ) is the current location of aj , Tt (aj ) a time stamp and Matj = (ID(st ), T C(aj , Eksi ), Vt (aj ), Tt (aj )) the message body. Having received the message, sensor st removes the signature of aj from the message, attaches its own signature Signst (Matj ) to the message and returns the modified message back to aj . This modified message, called evidence (EVD) message, is an evidence that st observes aj at location Vt (aj ) at aj ’s local time Tt (aj ). Actor aj verifies the evidence using the public key of st . It accepts the evidence only if it is valid. Otherwise, aj repeats the above sensor selection process with the rest of the discovered sensors until a valid evidence is received or all the discovered sensors have been tried. Then, it starts its next movement step. Figure 4 shows the above described migration process of actor aj . In the figure, the solid small squares indicate the temporal-spatial points where aj pulls evidences from witness sensors, and the associations between these points and the witness sensors are represented by thin arrowed lines. Assume that aj has accepted 0 evidences for its presence at 0 temporal-spatial points when it reaches V (Eksi ). We know 0 since the length of the trajectory of aj cannot be smaller than the Euclidean distance |V (aj )V (Eksi )| between the initial position V (aj ) of aj and event location V (Eksi ). From these 0 evidences, aj obtains the association between witness sensors and temporal-spatial points:
B. Actor behavior evaluation The migration proof PM (aj , Eksi ) and the servicing proof PS (si , Eksi ) together constitute the behavior proof PB (aj , Eksi ) of actor aj in transaction T C(aj , Eksi ). This integrated proof is submitted to the SDC by aj for verification and accounting after aj finishes T C(aj , Eksi ). The SDC maintains an account for aj . The account contains the information embedded in the behavior proofs of aj for the most recent p transactions, including the physical paths used, the witness sensors selected, and the quality of the service offered. It also includes an overall trust rating toward aj , which is computed according the recorded behaviors of aj . For each newly received behavior proof PB (aj , Eksi ), the SDC identifies the litigant actor aj and the corresponding event Eksi and verifies the integrity and the authenticity of the proof. Invalid proofs will not be accepted. From a newly accepted behavior proof PB (aj , Eksi ), the SDC retrieves the actor trajectory (a sequence of temporalspatial points) and the witness sensor set as well as their associations. It then computes the service quality SQ(T C(aj , Eksi )) of aj according to the post-service event measurements in PB (aj , Eksi ) and the before-service event measurements in the service request. This computation is event dependent and not studied here. In accordance with the past records, the SDC computes witness sensor diversity W D(PB (aj , Eksi )) and witness sensor location consistency LC(PB (aj , Eksi )) of the proof, which are both within range [0, 1]. Finally, it computes the effectiveness EF F (PB (aj , Eksi ) of the proof by a weighted linear summa-
Attt (aj , Eksi ) = (Vt (aj ), Tt (aj ), ID(st )) and the corresponding signatures Signst (Matj ). It aggregates these signatures into a batch signature SIGN (aj , Eksi ) as 357
as witness so that its manipulated behavior proof can pass the authenticity check by the SDC. Thus, witness sensor diversity W D(PB (aj , Eksi )) measures how different the witness sensors used in the new proof PB (aj , Eksi ) is from those in previously submitted behavior proofs. It is computed as the multiplicity of two factors F1 and F2 , which respectively measures migration witness sensor diversity and servicing witness sensor diversity, namely
tion of W D(PB (aj , Eksi )) and LC(PB (aj , Eksi )) as follows: EF F (PB (aj , Eksi ))
=
↵W D(PB (aj , Eksi ))+ (1 ↵)LC(PB (aj , Eksi )),
where 0 ↵ 1 is a predefined application-dependent weighting factor. EF F (PB (aj , Eksi )) implies how trustworthy the authenticated service delivery is. The SDC adjusts aj ’s trust rating based on certain trust model according to SQ(T C(aj , Eksi )), EF F (PB (aj , Eksi ) and other relevant data. Since trust modeling is out of the scope of this paper, below we focus only on the computation of LC(PB (aj , Eksi )) and W D(PB (aj , Eksi )). 1) Location consistency: The SDC obtains the set of migration witness sensors of aj from the most recent p behavior proofs of aj (locally stored on the SDC), and for each of these sensors st , it maintains the set ALp (st ) of associated locations in the proofs. Consider an arbitrary location l 2 ALp (st ). If the association of l and st is not forged, then st must be located within the circle of radius cR (communication range) and centered at l, and any other location l0 2 ALp (st ) that is truly associated with st must be at most 2cR away from l. We define the consistency of two locations l, l0 2 ALp (st ) as ( 1 if |ll0 | 2cR 0 Cst (l, l ) = 0 otherwise
W D(PB (aj , Eksi )) = F1 ⇥ F2 . Let M W z (aj ) be the set of distinct migration witness (MW) sensors in the z-th migration proof of aj among Sp the recorded past p proofs. Define multi set M W (aj ) = z=1 M W z (aj ). Let M W 0 (aj ) be the set of distinct migration witness sensors in PB (aj , Eksi ). And define Eq(w, w0 ) = 1 if sensors w and w0 are identical, and Eq(w, w0 ) = 0 otherwise. F1 is defined as P P 0 w0 2M W 0 (aj ) w2M W (aj ) Eq(w, w ) F1 = 1 . 0 |M W (aj )||M W (aj )| F2 is similarly computed as F1 , but with respect to servicing witness (SW) sensors in the servicing proofs of aj : P P 0 w0 2SW 0 (aj ) w2SW (aj ) Eq(w, w ) F2 = 1 . |SW (aj )||SW 0 (aj )|
By the above definitions, W D(PB (aj , Eksi )) is in range [0, 1]. If PB (aj , Eksi ) contains no witness sensor that has been used in the recent p behavior proofs of aj , we will have W D(PB (aj , Eksi )) = 1. Otherwise, the more witness sensors have been used and the more frequently they have been reused, the closer W D(PB (aj , Eksi )) approaches to 0.
We further define the truthfulness T Hst (l) of the association of st and l as the average consistency of l with the other locations in ALp (st ), namely, P 0 l0 2ALp (st )\{l} Cst (l, l ) T Hst (l) = . |ALp (st )\{l}|
VI. A NALYSIS
Let P S be the set of temporal-spatial points in the newly received behavior proof PB (aj , Eksi ) of aj . Consider any point v 2 P S and its associated witness sensor W (v) in PB (aj , Eksi ). The consistency CW (v) (v) of v with the past p behavior proofs of aj is defined as the weighted average consistency of v with each element in ALp (W (v)): P 0 0 v 0 2ALp (W (v)) T HW (v) (v )CW (v) (v, v ) CW (v) (v) = . |ALp (W (v))|
In this section, we analyze the communication overhead and the security strength of our proposed cooperative authentication scheme. A. Communication overhead When analyzing the communication overhead, we consider a single cycle of service request and delivery, where sensor si with t neighbors requests actor services and actor aj delivers the service. The communication process is illustrated in Fig. 2. We calculate the total number of bits transmitted by sensors and by the actor aj . Bit cost is a more precise performance metric than message count as the later ignores the length of each message. Let v be the number of bits in an environment sample, k the number of hops along the routing path from si to the SDC and z the number of migration evidences obtained by aj during service delivery. Since the location of si is considered event location, we reasonably assume that aj is located nearby si after completing the service delivery and at most k + 1 hop away from the SDC. To facilitate analysis, we choose to use an unsigned 16bit integer in the range [0, 65536] to represent node ID and two 32-bit floating point numbers, each in the range of [1.175494351e 38 , 3.402823466e+38 ], to represent nodal
The location consistency LC(PB (aj , Eksi )) of PB (aj , Eksi ) is then computed as the average consistency of each location v 2 P S with the past p behavior proofs. That is, 1 X CW (v) (v). LC(PB (aj , Eksi )) = |P S| v2P S
LC(PB (aj , Eksi ))
is a value in the range of [0, 1]. The more closer to 1, the more consistent PB (aj , Eksi ) is with previous proofs in terms of witness sensors location. 2) Witness diversity: The migration witness sensors used by aj are normally diversified due to random selection. The servicing witness sensors are normally different as well since event locations are randomly distributed. If aj is malicious and forging its behavior proof, it will frequently choose its friends
358
be detected at the SDC. and that a legitimate service request will be treated by the SDC properly. a) False service request: This is the case that s is a compromised node. Before s sends the request, it has to get the cooperative authentication from its neighbors for the corresponding event. Compromised neighbors will collude with s and embed positive votes in their authentication codes; normal neighbors will authenticate the event honestly and give negative votes. Because the number of compromised nodes is smaller than the number of normal nodes within the communication range of s, majority of the votes are negative, and the false service request of s is guaranteed to be detected at the SDC as a result. b) True service request: This is the case that s is a normal node. In this case, the compromised neighbors of s will lie and provide negative votes for s’s event report, while the normal neighbors give votes based on the correlation of its own measurements and the reported event data. But because the number of compromised nodes is smaller than the number of normal nodes within the communication range of s, majority of the votes are genuine, meaning that the SDC will treat the service request correctly. 2) Resilience to service delivery attacks: An actor behavior proof indicates actor behavior during service delivery. It is composed of two parts: a migration proof and a servicing proof. It is authentic and accepted by the SDC if and only if both of the two parts are authentic. For a received authentic behavior proof, the SDC adjusts the corresponding actor’s trust rating according to the results of location consistence check and witness diversity check as well as and the actor’s service quality (see Sec. V-B). Suppose that an actor a is assigned by the SDC to service an event, which is reported by sensor s. This service consumer s is a normal node because, otherwise, the SDC would not respond to its service request. Depending on the nature (compromised or not) of actor a, we have two cases to explore: false service delivery and true service delivery. There are two combinations of migration and servicing that make the service delivery process false: (false migration + false servicing) and (true migration + false servicing). The combination of false migration and true servicing is obviously not possible. Notice that the two combinations both involve false servicing. Given that s is a normal node, it appears to be sufficient to authenticate a’s servicing behavior for detecting false service delivery. This is true if a is the only actor that is dispatched to service the event. When there are some other actors servicing the event in the meantime, migration authentication becomes necessary. In this case, the scheme is vulnerable to the service delivery fraud attack implemented by true migration and false servicing. Because it is not able to identify which actors are actually providing the service, compromised actors will be given credit for the services provided by normal actors. However, we would argue that this situation happens rarely, and in the long run compromised actors will have low trust rating and be isolated from the system. As actor servicing is cooperatively authenticated in the same
TABLE II M ESSAGE LENGTH AND PROPAGATION DISTANCE
Message
Length (bits)
Propagation
Actor’s
SEL NOF COM
4480 4112 12672 + 112z + 8208t + qv
1-hop 1-hop 1-hop
Sensor’s
REP AUT REQ’ EVD SER COM
4208 + qv 8464 4208 + 8208t 4480 4208 + 8208t + qv 12672 + 112z + 8208t + qv
1-hop 1-hop k-hop 1-hop 1-hop k-hop
geographic location. Time may be represented by 32-bit in second precision, covering a period of 136 years or so. We use cryptographic hash function SHA-256 [24], which generates 256-bit digital digests, and 4096-bit Elgamal signature and the encryption scheme introduced in Sec. III-C. Table II lists the length of each type of message in bit and its propagation distance in hop count. Notice that in the table REQ’ indicates the part added by our scheme to an ordinary REQ message (which contains event information only). We do not measure the complete REQ message because we are studying the communication overhead of our scheme rather than the entire service request/delivery process. The COM message is transmitted from the generator actor aj to a sensor 1-hop away and then propagates from there to the SDC through at most k sensors (k retransmissions by sensors). We can easily derive that the total bit cost of our scheme on sensors is not larger than REP + AU T ⇥ t + REQ0 ⇥ k + EV D ⇥ z + SER + COM ⇥ k. Suppose that the average node degree along aj ’s trajectory is t0 . In the worst case, only half of the neighbors are good, and aj keeps selecting a compromised sensor as witness until all compromised sensors have been tried. This means, at each temporal-spatial point it has to transmit SEL message dt0 /2e times. Then the upper bound of the total bit cost of our scheme on aj is SEL ⇥ z ⇥ dt0 /2e + N OF + COM . B. Security strength Cryptographic techniques such as hashing, encryption and digital signature are extensively used in our scheme. The scheme is already resilient to various traditional security attacks. Notice that it is secure against replay attacks since time is considered when authenticating service requests and service delivery. Below we analyze the security strength of the scheme in particular with respect to our design goal, i.e., achieving fraud-resistant actor services. 1) Resilience to service request attacks: Suppose that a service consumer s is about to submit a service request to the SDC. Depending on whether s is compromised or not, the service request can be false or true. Below we explore the two cases and conclude that a false service request is guaranteed to 359
ACKNOWLEDGMENTS
way as service request, in the following, we investigate the security strength of migration proof. a) False actor migration: This is the case that a is a compromised actor, i.e., a does not migrate, but tries to use some compromised sensors to create a false migration proof. Once being used, these compromised nodes are associated with a small geographic region where they may or may not be located. Any future use of these sensors as migration witness must be consistent with this association. Location inconsistency will lead to reduced trustworthiness of the migration proof. In addition, repeated use of the same witness sensors will also decrease the the trustworthiness of the proof. So, location consistency check and witness diversity check together limit such collusion attacks to a very limited extent. That is, by colluding with compromised sensors, a may cheat the SDC only a few times at initiation. Then its behavior will no longer have much impact on the network performance. b) True actor migration: In this case, a may be normal or compromised. During its migration, a pulls evidences showing its presence at different temporal-spatial points from randomly selected sensors adjacent to those points. Note that compromised actors know each other, while normal nodes (whether actors or sensors) are not aware of any compromised node. If a is compromised, these sensors, whether normal or compromised, will all provide evidences (by giving signature on a’s current temporal-spatial point); otherwise, only normal witness sensors offer evidences. Sensors will not give fake evidences because a is able to verify them. If a does not get response from a selected sensor to its evidence request, it will select another adjacent sensor as witness. Because in any area not smaller than nodal communication range, the number of normal sensors is larger than the number of compromised ones, and therefore, a is able to eventually receives evidence and construct its migration proof.
This work was partially supported by a grant from CPER Nord-Pas-de-Calais/FEDER Campus Intelligence Ambiante, the NSERC PDF program and ORF-RE grant. R EFERENCES [1] R. Lu, X. Li, X. Liang, X. Lin, and X. Shen, “GRS: The Green, Reliability, and Security of Emerging Machine to Machine Communications”, IEEE Communications Magazine, 49(4): 28-35, 2011. [2] S. He, J. Chen, X. Li, X. Shen, and Y. Sun, “Leveraging Prediction to Improve the Coverage of Wireless Sensor Networks”, IEEE Trans. on Parallel and Distributed Systems, 2011. To appear. [3] I.F. Akyildiz and I.H. Kasimoglu, “Wireless Sensor and Actor Networks: Research Challenges”, Ad Hoc Networks, 2(4):351-367, 2004. [4] X. Li, H. Frey, N. Santoro, and I. Stojmenovic, “Strictly Localized Sensor Self-Deployment for Optimal Focused Coverage”, IEEE Trans. on Mobile Computing, 2011. To appear. [5] X. Li, A. Nayak, and I. Stojmenovic, “Sink Mobility in Wireless Sensor Networks”, Wireless Sensor and Actuator Networks: Algorithms and Protocols for Scalable Coordination and Data Communication, Wiley, 2010. [6] H. Li and M. Singhal, “Trust management in distributed systems”, IEEE Computer, 40(2):45-53, 2007. [7] C. Zhang, X. Zhu, Y. Song, and Y. Fang, “A Formal Study of Trust-Based Routing in Wireless Ad Hoc Networks”, In Proc. of IEEE Infocom, 2010. [8] I. Osipkov, P. Wang, N. Hopper, and Y. Kim, “Robust Accounting in Decentralized P2P Storage Systems”, In Proc. of IEEE ICDCS, 2006. [9] A. Jindal and K. Psounis, “Modeling spatially correlated data in sensor networks”. ACM Transactions on Sensor Networks, 2(4):466-499, 2006. [10] S.E. Czerwinski, B.Y. Zhao, T.D. Hodes, A.D. Joseph, and R.H. Katz, “An Architecture for a Secure Service Discovery Service”, In Proc. of ACM Mobicom, 1999. [11] E. Moschetta, R.S. Antunes, and M.P. Barcellos, Flexible and secure service discovery in ubiquitous computing, Journal of Network and Computer Applications, 33(2):128-140, 2010. [12] S.I. Ahameda and M. Sharmin, “A trust-based secure service discovery (TSSD) model for pervasive computing”, Computer Communications, 31(18):4281-4293, 2008. [13] K. Jung and Y. Lee, “Autonomic Trust Extraction for Trustworthy Service Discovery in Urban Computing”, In Proc. of IEEE DASC, 2009. [14] H. Liu, V. Malbasa, I. Mezei, A. Nayak, and I. Stojmenovic, “Coordination in Sensor, Actuator, and Robot Networks”, Wireless Sensor and Actuator Networks: Algorithms and Protocols for Scalable Coordination and Data Communication, Wiley, 2010. [15] I. Mezei, V. Malbasa and I. Stojmenovic, “Robot to robot: Communication aspects of coordination in robot wireless networks”, IEEE Robotics and Automation Magazine, 17(4):63-69, 2010. [16] F. Ye, H. Luo, S. Lu, and L. Zhang, “Statistical en-route detection and filtering of injected false data in sensor networks”, In Proc. of IEEE Infocom, 2004. [17] C. Basile, Z. Kalbarczyk, and R.K. Lyer, “Inner-circle consistency for wireless hoc networks”. IEEE Trans. Mobile Comp., 6(1):39-55, 2007. [18] R. Lu, X. Lin, H. Zhu, X. Liang, and X. Shen, “BECAN: A BandwidthEfficient Cooperative Authentication Scheme for Filtering Injected False Data in Wireless Sensor Networks”, IEEE Trans. on Parallel and Distributed Systems, 2011. To appear. [19] S. Park, B. Aslam, D. Turgut, C.C. Zou, “Defense against Sybil Attack in Vehicular Ad Hoc Network based on roadside Unit Support”. In Proc. of Milcom, 2009. [20] X. Li, N. Santoro, and I. Stojmenovic, “Localized Distance-Sensitive Service Discovery in Wireless Sensor and Actor Networks”. IEEE Trans. on Computers, 58(9):1275-1288, 2009. [21] M. Poturalski, P. Papadimitratos, and J.-P. Hubaux, “Secure neighbor discovery in wireless networks: formal investigation of possibility”. In Prof. of ACM ASIACCS, pp. 189-200, 2008. [22] T. ElGamal, “A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms”. IEEE Trans. Inform. Theory, 31(4):469-472. [23] J.L. Rodgers and W.A. Nicewander, “Thirteen ways to look at the correlation coefficient”. The American Statistician, 42(1):59-66, 1988. [24] Internet resource. http://www.iwar.org.uk/comsec/resources/cipher/ sha256-384-512.pdf.
VII. C ONCLUSIONS AND F UTURE W ORK In this paper, we have for the first time addressed service fraud attacks launched by compromised sensor and actor nodes in a wireless sensor and actor network (WSAN). We proposed a sophisticated cooperative authentication scheme to deal with those attacks, which considered a secure voting technique and a novel trajectory-based authentication method. We analyzed its communication overhead and security strength, and demonstrated its capability of resisting service fraud attacks in our considered WSAN environment. In the future, we will evaluate its communication overhead through simulation. As extensions to this work, the following two problems need to be addressed too. The first one is to early filtering fake service requests before they reach the service discovery component (SDC). The objective is to reduce the SDC’s workload and the unnecessary network computing efforts caused by the attackers. Currently, compromised sensors are assumed not to know about each other. However, it is likely that neighboring compromised sensors may be aware of one another and collude to perform service-request fraud attacks. The second problem is thus to improve the scheme to resist such collusion attacks.
360
