Secure Data Aggregation in Wireless Sensor Networks

Transcription

1 Secure Data Aggregation in Wireless Sensor Networks by Hani Alzaid Bachelor of Computer Engineering (King Saud University) 2000 Master of Computer Science and Engineering (University of New South Wales) 2005 Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy Information Security Institute Faculty of Science and Technology Queensland University of Technology March 1, 2011

2

3 Keywords Secure data aggregation, wireless sensor networks, performance analysis, security analysis, reputation systems, trust systems, node compromise, attacks, cryptographic-based solutions, reputation-based solutions, forward & backward secure key management, On-Off attacks, i

4 ii

5 Abstract A Wireless Sensor Network (WSN) is a set of sensors that are integrated with a physical environment. These sensors are small in size, and capable of sensing physical phenomena and processing them. They communicate in a multihop manner, due to a short radio range, to form an Ad Hoc network capable of reporting network activities to a data collection sink. Recent advances in WSNs have led to several new promising applications, including habitat monitoring, military target tracking, natural disaster relief, and health monitoring. The current version of sensor node, such as MICA2, uses a 16 bit, 8 MHz Texas Instruments MSP430 micro-controller with only 10 KB RAM, 128 KB program space, 512 KB external flash memory to store measurement data, and is powered by two AA batteries. Due to these unique specifications and a lack of tamper-resistant hardware, devising security protocols for WSNs is complex. Previous studies show that data transmission consumes much more energy than computation. Data aggregation can greatly help to reduce this consumption by eliminating redundant data. However, aggregators are under the threat of various types of attacks. Among them, node compromise is usually considered as one of the most challenging for the security of WSNs. In a node compromise attack, an adversary physically tampers with a node in order to extract the cryptographic secrets. This attack can be very harmful depending on the security architecture of the network. For example, when an aggregator node is compromised, it is easy for the adversary to change the aggregation result and inject false data into the WSN. The contributions of this thesis to the area of secure data aggregation are manifold. We firstly define the security for data aggregation in WSNs. In contrast with existing secure data aggregation definitions, the proposed definition covers the unique characteristics that WSNs have. Secondly, we analyze the relationship between security services and adversarial models considered in existing secure data aggregation in order to provide a general framework of required security services. Thirdly, we analyze existing cryptographic-based and reputationbased secure data aggregation schemes. This analysis covers security services provided by these schemes and their robustness against attacks. Fourthly, we propose a robust reputationbased secure data aggregation scheme for WSNs. This scheme minimizes the use of heavy cryptographic mechanisms. The security advantages provided by this scheme are realized by integrating aggregation functionalities with: (i) a reputation system, (ii) an estimation theory, and (iii) a change detection mechanism. We have shown that this addition helps defend against most of the security attacks discussed in this thesis, including the On-Off attack. Finally, we iii

6 propose a secure key management scheme in order to distribute essential pairwise and group keys among the sensor nodes. The design idea of the proposed scheme is the combination between Lamport s reverse hash chain as well as the usual hash chain to provide both past and future key secrecy. The proposal avoids the delivery of the whole value of a new group key for group key update; instead only the half of the value is transmitted from the network manager to the sensor nodes. This way, the compromise of a pairwise key alone does not lead to the compromise of the group key. The new pairwise key in our scheme is determined by Diffie-Hellman based key agreement. iv

7 Contents Front Matter i Keywords i Abstract iii Table of Contents v List of Figures ix List of Tables xi Declaration xiii Previously Published Material xv Acknowledgements xvii 1 Introduction Background Challenges in Wireless Sensor Networks Challenges in the End Device Challenges in the Network Data Aggregation and Security Challenges Research Objectives Outline Secure Data Aggregation in Wireless Sensor Networks Secure Data Aggregation in Wireless Sensor Networks Security Requirements for Data Aggregation Security The Expected Adversarial Model and Security Concerns Security Attacks Sybil Attack (SY) Selective Forwarding Attack (SF) Replay Attack (RE) Spoofed Data Attack (SD) Adversary Classification Current Secure Data Aggregation Schemes Single Aggregator Model Du et al. s Scheme Przydatek et al. s Scheme v

8 Mahimkar & Rappaport s Scheme Sanli et al. s Scheme Multiple Aggregator Model Hu & Evans s Scheme Jadia & Mathuria s Scheme Westhoff et al. s Scheme Yang et al. s Scheme Security Analysis Security Services Attack Vulnerability Framework for Evaluating New Schemes Performance Analysis First Scenario: No Aggregation & No Security Second Scenario: Aggregation but No Security Third Scenario: Hu & Evans s Scheme Fourth Scenario: Jadia & Mathuria s Scheme Fifth Scenario: Przydatek et al. s Scheme Sixth Scenario: Du et al. s Scheme Example Summary Reputation-based Trust Systems in Wireless Sensor Networks Analysis Framework for Reputation Systems Information Gathering and Sharing Phase Information Modeling Phase Decision Making Phase Dissemination Phase Security Attacks against Reputation-based Trust Systems Bad Mouthing Attack (BM) Ballot Stuffing Attack (BS) On-Off Attack (OO) Newcomer Attack (NE) The State of the Art of Reputation-based Trust Systems in WSNs Boukerche & Ren s Scheme Shaikh et al. s Scheme Michiardi & Molva s Scheme Srinivasan et al. s Scheme Özdemir s Scheme Comparison of Current Reputation-based Systems in WSNs Classification Model Reputation Components Attack Vulnerability Summary vi

9 4 Reputation-based Secure Data Aggregation Network Assumptions Data Model Adversarial Model Security Requirements The Proposal Reputation-based Secure Data Aggregation Scheme Experimental Evaluation Scenario 1: No Attacks Scenario 2: Abrupt Change Scenario 3: 1-per-2 Strategy On-Off Attack Security Analysis Reputation Components Security Services Attacks Resilience Summary Mitigating On-Off Attacks in Reputation-based Secure Data Aggregation Related Work Estimation Theory Change Point Detection The Proposed Enhanced Reputation-based Secure Data Aggregation Scheme Experiment Evaluation Scenario 1: No Attacks Scenario 2: Abrupt or Incipient Change Scenario 3: 1-per-2 Strategy On-Off Attack Scenario 4: 1-per-3 Strategy On-Off Attack Summary A Forward & Backward Secure Key Management in Wireless Sensor Networks Adversary Model and Security Concerns Related Work The Proposed Forward & Backward Secure Key Management Scheme - FBSKM Group Key Update Protocol Pairwise Key Update Protocol Delivery Failure Management The Enhanced FBSKM (E-FBSKM) Security Analysis Robustness Against Adversaries Achievement of Past & Future Secrecy Resilience Against Impersonation Attacks Performance Analysis Memory Overhead vii

10 6.6.2 Communication Overhead Computation Cost Summary Conclusion and Future Work Research Summary Future Work Bibliography 163 viii

11 List of Figures 1.1 Main components of a sensor node An aggregation scenario using the SUM aggregation function Sybil Attack Selective Forwarding Attack Replay Attack Spoofed Data Attack Classification of adversaries A sketch of single and multiple aggregator models Classification of current secure data aggregation schemes A Merkle hash tree The proposed framework for secure data aggregation schemes The aggregation tree model used in the performance analysis section The reputation system phases Bad Mouthing Attack Ballot Stuffing Attack On-Off Attack Newcomer Attack A community as suggested in TOMS [12] Classification of current reputation-based trust systems in WSNs A simplified deployment area for Özdemir s scheme The radio coverage in RSDA A simplified deployment area for RSDA The first scenario of RSDA evaluation in which dataset-1 is used The second scenario of RSDA evaluation in which dataset-2 is used The third scenario of RSDA evaluation in which dataset-3 is used Reputation values of C rep k during the third scenario of RSDA evaluation The third scenario of RSDA evaluation in which dataset-4 is used A simplified estimation model for data aggregation in WSNs A simplified deployment area for E-RSDA A simplified E-RSDA model ix

12 5.4 The first scenario of E-RSDA evaluation in which dataset-1 is used The second scenario of E-RSDA evaluation in which dataset-2 is used The second scenario of E-RSDA evaluation in which dataset-3 is used The third scenario of E-RSDA evaluation in which dataset-4 is used Reputation values of C rep k during the third scenario of E-RSDA evaluation The third scenario of E-RSDA evaluation in which dataset-5 is used The fourth scenario of E-RSDA evaluation in which dataset-6 is used Reputation values of C rep k during the fourth scenario of E-RSDA evaluation The fourth scenario of E-RSDA evaluation in which dataset-7 is used Classification of adversaries Key evolution in the proposed protocol State diagram of key disclosure Relations between keying materials and the significance of node compromise x

13 List of Tables 1.1 Hardware s specifications for three types of sensor nodes Security services provided in current secure data aggregation schemes Attacks vulnerabilities in current secure data aggregation schemes Description of notations used in the performance analysis section Number of bytes transmitted across the network to accomplish a single aggregation transaction Reputation components in current reputation-based trust systems Attacks vulnerabilities in current reputation-based trust systems Description of notations used in Chapter Reputation table format as suggested in RSDA Datasets used in the experimental evaluation section Reputation components in current reputation-based trust systems Security services provided in current secure data aggregation protocols Attacks vulnerabilities in current reputation-based trust systems Description of notations used in Chapter Data sets used in the experiment evaluation Description of notations used in Chapter Memory overhead comparison Number of bits transmitted/received by a sensor Computation cost comparison xi

14 xii

15 Declaration The work contained in this thesis has not been previously submitted for a degree or diploma at any higher education institution. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made. Signed: Date: xiii

16 xiv

17 Previously Published Material The following papers have been published or presented, and contain material based on the content of this thesis. ˆ Book Chapters: Hani Alzaid, Ernest Foo, Juan Manuel González Nieto, and DongGook Park. Secure Data Aggregation in Wireless Sensor Networks. In Anna Foerster and Alexander Foerster, editors, Emerging Communications for Wireless Sensor Networks, chapter 10, pages , InTech, Croatia Hani Alzaid. Reputation-based Trust Systems in Wireless Sensor Networks. In Al- Sakib Khan Pathan, editor, Security of Self-Organizing Networks: MANET, WSN, WMN, VANET, chapter 20, pages , Auerbach Publications, CRC Press, Taylor & Francis Group, USA Hani Alzaid, DongGook Park, Juan Manuel González Nieto, Colin Boyd, and Ernest Foo. A Forward & Backward Secure Key Management in Wireless Sensor Networks for PCS/SCADA. In Raúl Aquino Santos, Arthur Edwards, and Victor Rangel Licea, editors, Emerging Technologies in Wireless Ad Hoc Networks: Applications and Future Development, chapter 3, pages 41-60, IGI Global, USA ˆ Journal Articles: Hani Alzaid, Ernest Foo, Juan Manuel González Nieto, and DongGook Park. Secure Data Aggregation in Wireless Sensor Networks: A Comprehensive Review. International Journal of Communication Networks and Distributed Systems (IJCNDS), Invited Article, In press, InderScience Publishers. Hani Alzaid, Ernest Foo, Juan Manuel González Nieto, and Ejaz Ahmed. Mitigating the On-Off Attacks in Reputation-based Secure Data Aggregation for Wireless Sensor Networks. Security and Communication Networks, In press. ˆ Conference Papers: Hani Alzaid, DongGook Park, Juan Manuel González Nieto, and Ernest Foo. Mitigating Sandwich Attacks against a Secure Key Management Scheme in Wireless Sensor Networks for PCS/SCADA. In Proceedings of the 24th IEEE International Conference on Advanced Information Networking and Applications, AINA 10, Perth, Australia, April 2010, pages , IEEE Computer Society, xv

18 Hani Alzaid, DongGook Park, Juan Manuel González Nieto, Colin Boyd, and Ernest Foo. A Forward & Backward Secure Key Management in Wireless Sensor Networks for PCS/SCADA. In Proceedings of the 1st International ICST Conference on Sensor Systems and Software, S-CUBE 09, 7-9 September 2009, Grand Hotel Duomo of Pisa, Pisa. Hani Alzaid, Ernest Foo, and Juan Manuel González Nieto. RSDA: Reputationbased Secure Data Aggregation in Wireless Sensor Networks. In Proceedings of the 9th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 08, Dunedin, New Zealand, 1-4 December 2008, pages , IEEE Computer Society, Hani Alzaid, Ernest Foo, and Juan Manuel González Nieto. Secure Data Aggregation in Wireless Sensor Networks: A Survey. In Proceedings of the 6th Australasian Information Security Conference: Conferences in Research and Practice in Information Technology, AISC 08, Wollongong, NSW, Australia, January 2008, pages , Australian Computer Society Inc., xvi

19 Acknowledgements xvii

20 xviii

21 Chapter 1 Introduction A Wireless Sensor Network (WSN) is a highly distributed network of small wireless nodes deployed in large numbers to monitor the environment or other systems by the measurement of physical parameters such as temperature, pressure, or relative humidity [85, page 647]. Advancements in micro-electro-mechanical systems, digital electronics, and wireless communications have enabled the development of a new generation of sensor nodes. These sensors are small in size and communicate in a multihop manner due to a short radio range, and are powered by a limited energy source. These sensor nodes collaborate to form an Ad Hoc Network capable of reporting network activities to a data collection sink. Recently, WSNs have been used in many promising applications, including habitat monitoring [76], military target tracking [55, 116], natural disaster relief [19], and health monitoring [82]. 1.1 Background WSN applications are classified into four classes [61]: (i) event detection, (ii) periodic reporting, (iii) base station querying, and (iv) tracking. These classes are briefly explained as follows: ˆ Event Detection: The objective of sensor networks in this application class is to detect rare events, such as forest fires or intrusions, and to promptly communicate a report of such an event to the sink. ˆ Periodic Reporting: The objective of the sensor networks in this type of application is to send periodic updates to the sink. Thus, there is regularity in terms of data gathering phases, and there is a steady flow of data from the sensor nodes to the sink. In-network data aggregation is useful in such applications because measurements of neighboring nodes are likely to be correlated, and could be used to reduce the amount of data that needs to be communicated to the sink. This in turn reduces communication energy expenditure of the nodes, and prolongs the lifetime of the network. 1

22 2 Chapter 1. Introduction Figure 1.1: Main components of a sensor node ˆ Base Station Querying: In several application classes, the sink is not interested in data updates from all the nodes in the network. The sink may want updates from different regions at different times. Thus, requiring all the nodes to send their data to the sink at all times increases the energy consumption on communication as well as on computation. In such cases, the sink selectively queries a set of sensor nodes located in the region of interest. This results in a more energy-efficient use of resources. ˆ Tracking: Tracking WSN applications are interested in detecting, localizing and tracking targets, and conveying the relevant information to the sink, in a timely fashion. They combine some of the characteristics of the three application classes discussed earlier. The end device in WSNs, the sensor node, is composed of four basic units [123]: (i) sensing unit, (ii) processing unit, (iii) power unit, and (iv) transceiver unit as depicted in Figure 1.1. These four units are briefly explained as follows: ˆ Sensing Unit: It consists of an array of sensors that can measure the physical characteristics of its environment, like temperature, light, vibration, and others. Each sensor has the ability to sense environmental characteristics via the sensing unit and then use the Analog to Digital Converter (ADC) to convert the sensed analog data into digital. ˆ Processing Unit: It is, in most cases, composed of an internal memory to store data and application programs, and a microcontroller to process the data. The microcontroller can be considered as a highly constrained computer that contains the memory and interfaces required to create simple applications. This unit should be able to work with a limited resource of energy and process efficiently the digital data delivered by the sensing unit. ˆ Power Unit: It provides the energy required by all the sensor components, and such energy may come from either a battery or from renewable sources. ˆ Transceiver Unit: It is able to send and receive messages through a wireless channel. In other words, it gives the sensor the ability to talk to other sensor nodes and form an Ad Hoc Network. Note that, the sensor node may have an external memory unit that works as a secondary memory in order to keep a data log. Devising solutions for WSNs are not successfully accomplished by the simple adaptation of solutions designed for wired networks, or even for the more closely related, Ad Hoc Networks. This is due to the limitations and challenges that

23 1.2. Challenges in Wireless Sensor Networks 3 WSNs have, which will be discussed in Section 1.2. A wireless Ad Hoc Network is a collection of wireless devices that can dynamically self-organize into an arbitrary and temporary topology to form a network without necessarily using any pre-existing infrastructure. In fact, wireless sensor networks could be considered as a specific subset of Ad Hoc Networks where end devices in wireless sensor networks are able to sense physical phenomena. However, there are great differences between Ad Hoc Networks and WSNs as listed in the following paragraphs [16, 18]: ˆ Energy Source: Most WSNs are deployed in remote or hostile environments, whereas Ad Hoc Networks are not. Consequently, replacing the batteries of these WSN nodes is more of a problem than it is for Ad Hoc Networks. As a result, the energy consumption of any solution designed for WSNs should be carefully considered at the design time. ˆ Data Centric: Routing in WSNs is more likely to be querying attributes of the phenomenon (attribute-based naming) rather than querying individual nodes addresses (IPs). For example, what is the area where the temperature is over 70 o celsius? is more a common query in WSNs than the temperature read by a certain sensor node. ˆ Node Density: The number of nodes in the WSN can be higher than the number of nodes in the Ad Hoc Network. The nature of WSNs is that they are deployed in large scale environments, and each sensor has a limited transmission range. Therefore, dense deployment is necessary to achieve stable connectivity and to overcome the limited transmission coverage. ˆ End Device: In Ad Hoc Networks, the end node device is less constrained than sensor nodes. For example, the end device in Ad Hoc Networks, a laptop, has a larger memory and battery, and has a more powerful processor. ˆ Network Structure: Whereas Ad Hoc networks are usually completely distributed networks, WSNs have a central control system, which is the base station. Therefore, most traffic in WSNs is sent from the sensor nodes to the base station, and vice versa. Only in a few cases; one node will send information directly to another sensor node. However, it is normal for end devices of an Ad Hoc Network to communicate with other devices in the network as part of their normal functionality. The rest of this chapter is organized as follows: Section 1.2 discusses limitations and challenges in Wireless Sensor Networks. These limitations and challenges affect the performance of any application intended to run on WSNs, especially data aggregation applications. Section 1.3 provides the motivation for this thesis and highlights the importance of secure data aggregation. Then, the research objectives and contributions are stated in Section 1.4. Finally, the thesis structure is detailed in Section Challenges in Wireless Sensor Networks As discussed above, WSNs have unique specifications and constraints as compared with Ad Hoc Networks, which makes the simple adaptation of existing solutions designed for traditional

24 4 Chapter 1. Introduction Table 1.1: Hardware s specifications for three types of sensor nodes Specifications MICA2 [30] FLECK [32] MICAZ [31] Processor Atmega 128L Atmega 128L Atmega 128L RAM 4 KB 4 KB 4 KB Memory ROM 128 KB 512 KB 128 KB EPROM 512 KB 1 MB 512 KB Power Supply 2AA 3AA & ISB 2AA Data Rate 38.4 kbps 72 kbps 250 kbps Radio RR 152 m 500 m 75 m RF 868/916 MHz 913 MHz GHz Transmit 27 ma 5 ma N/A Current Draw Receive 10 ma N/A 19.7 ma Sleep < 1 µa 30 ua 1 µa * Transmit with Maximum Power RR Radio Range ISB Integrated Solar Board RF Radio Frequency N/A Not Available networks impractical. Thus, understanding the unique specifications of WSNs is highly recommended to adapt any new idea with these specifications and make it feasible in the WSN real world [59]. These unique specifications and constraints are named challenges in the rest of this section, and classified into: (i) challenges in the end device (the sensor node), and (ii) challenges in the wireless sensor network, as follows [69, 107, 124, 129]: Challenges in the End Device All security approaches require a certain amount of resources for the implementation, including data memory, code space, and energy to power the sensor during the run of the approach. However, currently these resources are very limited in a tiny wireless sensor node. Table 1.1 lists the hardware specifications for three types of sensor node, namely MICA2 [30], FLECK [32], and MICAZ [31] and highlights the resource constraints in the end device of WSNs. We refer interested readers to the mini hardware survey done by Tatiana Bokareva for more information about the hardware specifications of more types of sensor node [10]. The challenges in the sensor s hardware are discussed as follows: ˆ Limited Memory: A sensor node is a tiny device with only a small amount of memory and storage space for the code. In order to build an effective security mechanism, it is necessary to limit the code size of the security algorithm. For example, one common sensor type (MICA2) has 4K RAM, 128K program memory, and 512K flash storage [30]. The total code space of TinyOS, the de-facto standard operating system for wireless sensors, is approximately 4K [57], and the core scheduler occupies only 178 bytes. With

25 1.2. Challenges in Wireless Sensor Networks 5 such a limitation, the code size for the proposed solution must be small. ˆ Limited Energy Resource: The energy resource is the biggest challenge in WSNs. It is assumed that once sensor nodes are deployed in a WSN, their batteries cannot be easily replaced due to the high operating costs of being deployed in remote areas. This will be discussed in Section Some current versions of sensor nodes such as MICA2 are powered by 2AA batteries as shown in Table 1.1. Therefore, the battery charge taken with them to the field must be conserved to prolong the life of the individual sensor node and the entire sensor network. For example, when implementing a cryptographic function or protocol in a sensor node, the energy impact of the proposed solution should be considered. ˆ Limited CPU Performance: The CPU used in MICA2 sensors, for example, is the 16 bit, 8MHz Texas Instruments MSP430 microcontroller [30]. Embedded processors are generally not as powerful as those in nodes of a wired network. As such, complex cryptographic algorithms should be avoided in WSNs. ˆ Tamper-Resistant Hardware: The most obvious tamper-resistance strategies are hardware-based ones, which involve extra cost to implement special complex hardware circuits in the electronic device. To run these circuits, extra energy should be ensured. Due to the targeted low cost and the limited power resource existing in sensor nodes, the hardware-based tamper protection solutions are very limited [126] Challenges in the Network Sensor nodes are usually scattered randomly in the field to perform certain tasks. There is usually no infrastructure support for sensor networks. Sensor nodes self-organize to form a network. However, some network challenges exist. These challenges are discussed as follows: ˆ Hostile & Remote Environment: Depending on the function of a particular sensor network, the sensor nodes may be left unattended for long periods of time. Most WSNs are deployed in remote or hostile environments such as battlefields. Therefore, sensor nodes without tamper-resistant hardware cannot be protected from physical attacks since the deployment area accessible to anyone. An adversary could capture a sensor node or even introduce his own malicious nodes inside the network. ˆ Random Topology: WSN is often deployed in random distribution since it is mostly used in remote or hostile environments. Consequently, there is no chance to know its topology beforehand. Also, the topology after the deployment keeps changing because some sensors disappear due to drained resources, or for instance by being damaged, or faulty. ˆ Latency: The communication range of most sensor nodes is limited in order to conserve energy. According to Table 1.1, the MICA2, FLECK, and MICAZ sensor nodes have radio coverage area up to 152 m, 500 m, and 75 m, respectively. To move a packet from one end of the network to another, a multi-hop routing approach is needed. In a congested wireless

26 6 Chapter 1. Introduction sensor network, multi-hop routing and node processing can lead to great latency in the network, which makes synchronization among sensor nodes difficult. The synchronization issues can be critical to sensor security where the security mechanism relies on critical event reports and cryptographic key distribution. ˆ Unreliable Communication: This challenge is inherited from Ad Hoc Networks, since end devices in both WSNs and Ad Hoc Networks communicate with each other wirelessly. Packets may get damaged due to channel errors, lack of radio coverage, or by being dropped at highly congested nodes. 1.3 Data Aggregation and Security Challenges In many WSN applications, a physical phenomenon is sensed by sensor nodes and then reported to the base station. To reduce the communication energy expenditure of sensor nodes, these applications should minimize the number of packets traveling across the network by eliminating redundant data. Thus, these applications may employ in-network aggregation before the raw data reaches the base station. Typically, there are three types of nodes in WSN applications where in-network aggregation is implemented. These three types are: (i) normal sensor nodes, (ii) aggregators, and (iii) a querier (or queriers). The aggregators are intermediate nodes that collect raw data from downstream sensor nodes, process the data and apply a suitable aggregation function. Then they transmit the processed data to an upper aggregator or to the querier who generated the query. The querier processes the received sensor data and derives meaningful information reflecting the events in the target field. It can be the base station or sometimes an external user who has permission to interact with the network, depending on the network architecture. Let us consider the example depicted in Figure 1.2. The network topology contains 16 sensor nodes and performs the sum (SUM) as the aggregation function. Nodes N1, N2,..., and N8 are normal sensor nodes that sense specific physical phenomena and report them back to upper nodes. Nodes N9, N10,..., and N16 are aggregators that perform both sensing and aggregation activities. To answer a single aggregation query sent by the base station, every normal sensor node (nodes N1-N8) will report individually the sensed physical phenomena to the aggregators (nodes N9-N13). These aggregators add their sensed physical phenomena to the received raw data, and then apply the SUM aggregation function. Subsequently, they send the processed information to the upper aggregators (nodes N14-N15), which will do the same. At node N16, only one packet will be sent to the base station as an answer to its query. Thus, the total number of packets transmitted across the network is only 16 packets. If the in-network aggregation is not implemented in the example given in Figure 1.2, every node will respond to the received query and report its sensed information individually. Thus, the total number of packets, traveled across the network, would be 50 packets in order to deliver 16 packets to the base station. These 16 packets are the nodes responses to the base station s query.

27 1.4. Research Objectives 7 Nxx Nxx Aggregator Normal Sensor Base Station ri represents the reading from node i. Ni represents the node i. A@i represents the aggregation result at node i. N14 r14= 9 r16= 2 N16 r15= 3 N15 A@16= r16 + A@14 + A@15 = 58 r13= 0 N13 r12= 3 N12 r11= 2 N11 r10= 7 N10 r9= 7 N9 A@15= r15 + A@9 + A@10 = 24 N1 N2 N3 N4 N5 N6 N7 N8 A@9= r7 + r8 + r9 = 9 r1= 1 r2= 4 r3= 7 r4= 6 r5= 4 r6= 1 r7= 0 r8= 2 Figure 1.2: An aggregation scenario using the SUM aggregation function Previous studies [72,96,128] show that data transmission consumes much more energy than computation. As illustrated in the two examples given above, data aggregation can greatly help to reduce this consumption by eliminating redundant data. This in turn helps prolong the network lifetime. Most existing schemes for data aggregation are under the threat of various types of attacks [128]. Among them, the node compromise is usually considered as one of the most challenging issues in the security of WSNs [8, 54, 69, 69, 95, 107, 135]. In a node compromise attack, an adversary tries to physically tamper with a node in order to extract the cryptographic secrets. This attack can be very harmful depending on the security architecture of the network. For example, when an aggregator node is compromised, it is easy for the adversary to change the aggregation result and inject false data into the WSNs. Because of this, the need for secure data aggregation is raised and its importance needs to be highlighted. 1.4 Research Objectives According to the discussion in Section 1.3, the node compromise attack is the most challenging security threat. Simple adaptation of security solutions designed for the wired and Ad Hoc networks is impractical due to the unique characteristics of WSNs as discussed in Section 1.2. Two main directions exist to circumvent this important threat [36]. The first one involves in improving the tamper-resistance of the nodes in order to increase the effort of the attacker. However, tamper-resistant mechanisms are costly for small sensor nodes and are therefore usually not present on these devices. The second alternative adopts a reputation-based approach, which monitors the network activities and tries to detect events related to the node compromise. It assumes that a node capture will provoke some noticeable events, such as inconsistent sensing or aggregation results, a displacement or removal of a node, and malicious routing

28 8 Chapter 1. Introduction activities [71]. The objective of this thesis is to address the security issues of data aggregation in wireless sensor networks, and study the strengths and weaknesses of both the cryptographic-based and reputation-based secure data aggregation schemes found in the literature. Our goal is to design a robust secure data aggregation scheme that minimizes the use of heavy cryptographic mechanisms, defends against most security attacks, and securely computes the aggregation. Our research contributions in this thesis are summarized as follows: ˆ Define the security for data aggregation in wireless sensor networks. The thesis takes a step further and stipulate the main components of a robust secure data aggregation scheme as follows: Ability to provide fair approximations of the sensor readings even though a limited number of nodes are compromised. Dynamic response to attack activities by rejecting incorrect aggregation results as soon as possible, possibly by nodes in the neighborhood, not at the base station level. These properties should work together to provide accurate aggregation results securely without exhausting the network s limited resources. In contrast with existing secure data aggregation definitions, the proposed definition covers the unique characteristics that wireless sensor networks have. ˆ Analyze the relationship between security services and the adversarial model considered in existing secure data aggregation schemes, in order to provide a general framework of required security services. This framework helps identify the minimum security services that a secure data aggregation design should provide to defend against specific types of adversaries. ˆ Analyze both cryptographic-based and reputation-based secure data aggregation schemes. This analysis covers security services provided by these schemes and their robustness against security attacks. It is believed that this analysis can help to identify the security level in these schemes. Surprisingly, most of the examined data aggregation schemes are vulnerable to selective forwarding attacks. ˆ Propose an efficient reputation-based secure data aggregation scheme that overcomes the weaknesses in other schemes found in the literature. The security advantages provided by this proposal are realized by integrating aggregation functionalities with: (i) a reputation system, (ii) an estimation theory, and (iii) a change point detection mechanism. The significance of the proposal is two-fold: (i) it mitigates the effect of On-Off attacks on aggregation results, and (ii) it distinguishes between an abrupt change and a temporary departure in heterogeneous environments. The proposal is tested in different scenarios to validate the superior performance of the proposal. The experiment results showed that the proposal is able to detect On-Off attacks as long as the attack frequency is

29 1.5. Outline 9 smaller than the buffer window size. The results showed that the proposal follows the reputation-based estimate behavior during the On-Off attack, but it has a better reaction once the attack was over. This proposal re-initializes the estimator as soon as the end of the On-Off attack has been recognized. This ensures a quick convergence afterwards with the reputation-based aggregation results. To the best of our knowledge, this proposal is the only secure data aggregation scheme in the literature that is able to mitigate the On-Off attack. ˆ Propose a secure key management protocol in order to distribute essential pairwise and group keys among the sensor nodes. The protocols also helps to revoke misbehaved nodes and isolate them from the network. Importantly, the proposal provide backward & forward secrecy that are not provided by similar schemes such as Nilson et al. s scheme [88]. The design idea of the proposed scheme is the combination between Lamport s reverse hash chain as well as the usual hash chain to provide both past and future key secrecy. The proposal avoids the delivery of the whole value of a new group key for group key update; instead only the half of the value is transmitted from the base station to the sensor nodes. The performance analysis result shows that a sensor node in the proposal consumes approximately µj and µj in order to update the pairwise key and the group key, respectively. This energy consumption includes the communication cost and the computation cost. The proposal s energy consumption for the pairwise key update protocol is µj more than Nilsson et al. s scheme. This difference is due to the security enhancements that are required to overcome the weaknesses in Nilsson et al. s scheme, as will be discussed in Section 6.2. To update the group key, the proposal consumes µj more energy than Nilsson et al. s scheme. These additional costs result from defeating the Sandwich attack and overcoming the weaknesses of Nilsson et al. s scheme. 1.5 Outline The organization of the thesis is as follows: Chapter 2: This chapter is about cryptographic-based secure data aggregation. We first give introductory information about secure data aggregation in WSNs, which defines the data aggregation security considering the unique characteristics of WSNs. Then, we highlight the security requirements for data aggregation in WSNs, since the thesis is centered on providing security to data aggregation applications. We also discuss the security attacks against cryptographic-based secure data aggregation schemes. Then, we survey, in detail, some of the current secure data aggregation schemes and classify them into two models: (i) the single aggregator, and (ii) the multiple aggregator model. We also undertake security and performance analyses of current cryptographic-based secure data aggregation schemes. The security analysis covers the security services the current schemes provide and their robustness against the security attacks discussed in this thesis. The performance analysis covers the number of bits transmitted in order to accomplish the aggregation phase in some selected schemes.

30 10 Chapter 1. Introduction The contents of this chapter have appeared in the following publications: ˆ Hani Alzaid, Ernest Foo, and Juan Manuel González Nieto. Secure Data Aggregation in Wireless Sensor Networks: A Survey. In Proceedings of the 6th Australasian Information Security Conference: Conferences in Research and Practice in Information Technology, AISC 08, Wollongong, NSW, Australia, January 2008, pages , Australian Computer Society Inc., ˆ Hani Alzaid, Ernest Foo, Juan Manuel González Nieto, and DongGook Park. Secure Data Aggregation in Wireless Sensor Networks: A Comprehensive Review. International Journal of Communication Networks and Distributed Systems (IJCNDS), Invited Article, In press, InderScience Publishers. ˆ Hani Alzaid, Ernest Foo, Juan Manuel González Nieto, and DongGook Park. Secure Data Aggregation in Wireless Sensor Networks. In Anna Foerster and Alexander Foerster, editors, Emerging Communications for Wireless Sensor Networks, chapter 10, pages , InTech, Croatia Chapter 3: This chapter investigates the use of reputation-based systems to provide trust among sensors in WSNs. We first discuss security attacks against reputation-based trust systems. Then, we present a comprehensive survey of the state-of-the-art in reputation-based trust systems for WSNs and classify these systems to five categories: (i) generic, (ii) localization, (iii) mobility, (iv) routing, and (v) aggregation. Finally, we compare in detail these reputation-based trust systems. The comparison includes: (i) investigating the visibility of the main components of the reputation systems, and (ii) studying the appearance of attacks, which is related either to WSNs or reputation systems, in existing reputation-based systems. The contents of this chapter have appeared in the following publication: ˆ Hani Alzaid. Reputation-based Trust Systems in Wireless Sensor Networks. In Al-Sakib Khan Pathan, editor, Security of Self-Organizing Networks: MANET, WSN, WMN, VANET, chapter 20, pages , Auerbach Publications, CRC Press, Taylor & Francis Group, USA Chapter 4: In this chapter, we propose a Reputation-based Secure Data Aggregation (RSDA) for wireless sensor networks. RSDA minimizes the use of heavy cryptographic mechanisms, and integrates the aggregation functionalities with the advantages that are provided by a reputation system in order to enhance the network lifetime and the accuracy of the aggregated data. The chapter also discusses performance and security analyses of RSDA. In the performance analysis, RSDA is tested in three scenarios, depending on the adversary capability to affect the aggregation results, as follows: (i) no attack on the data, (ii) abrupt change, and (iii) 1-per-2 strategy-based On-Off attacks. The security analysis of RSDA follows the same methodology used in Chapters 2 and 3.

31 1.5. Outline 11 The contents of this chapter have appeared in the following publication: ˆ Hani Alzaid, Ernest Foo, and Juan Manuel González Nieto. RSDA: Reputation-based Secure Data Aggregation in Wireless Sensor Networks. In Proceedings of the 9th International Conference on Parallel and Distributed Computing, Applications and Technologies, PDCAT 08, Dunedin, New Zealand, 1-4 December 2008, pages , IEEE Computer Society, Chapter 5: This chapter focuses on investigating the ability to mitigate the On-Off attack where the adversary aims to disrupt the system s overall performance without being detected or excluded from the network. The proposal in this chapter extends RSDA, the contribution of Chapter 4, by adding an estimation theory and a change point detection mechanism. Through extensive simulations, it can be shown that this addition helps defend against On-Off attacks and enhances the data accuracy in the aggregation results. We first provide a brief overview of some techniques used in the proposal, namely: the estimation theory, and the change detection mechanism. Then, we explain the damage caused by the On-Off attack on RSDA. Finally, we discuss in detail the proposed solution. The solution is tested in four scenarios, depending on the adversary s capability to affect the aggregation results, as follows: (i) no attack on the data, (ii) abrupt and incipient change, (iii) 1-per-2 strategy-based On-Off attacks, and (iv) 1-per-3 strategy-based On-Off attacks. The contents of this chapter have appeared in the following publication: ˆ Hani Alzaid, Ernest Foo, Juan Manuel González Nieto, and Ejaz Ahmed. Mitigating the On-Off Attacks in Reputation-based Secure Data Aggregation for Wireless Sensor Networks. Security and Communication Networks, In press. Chapter 6: This chapter proposes a secure key management scheme which helps distribute and renew pairwise and group (cell) keys to sensor nodes. It also helps to revoke misbehaved nodes and isolate them from the network. The design idea of the proposed scheme is the combination of Lamport s reverse hash chain and the usual hash chain to provide both past and future key secrecy. We first define the term future & past secrecy and then use it instead of the similar terminology forward & backward secrecy, which has always been quite confusing. Then, we discuss the motivation behind the proposal by analyzing the security strengths and weaknesses of current key management schemes. We then present two variants of the proposed key management scheme. Finally, a performance analysis of these two variants is discussed. This analysis covers: (i) memory overhead, (ii) communication cost, and (iii) computation cost. The contents of this chapter have appeared in the following publications: ˆ Hani Alzaid, DongGook Park, Juan Manuel González Nieto, Colin Boyd, and Ernest Foo. A Forward & Backward Secure Key Management in Wireless Sensor Networks for PCS/SCADA. In Proceedings of the 1st International ICST Conference on Sensor Systems and Software, S-CUBE 09, Grand Hotel Duomo of Pisa, Pisa, 7-9 September 2009, pages 66-82, Springer, 2010.

32 12 Chapter 1. Introduction ˆ Hani Alzaid, DongGook Park, Juan Manuel González Nieto, and Ernest Foo. Mitigating Sandwich Attacks against a Secure Key Management Scheme in Wireless Sensor Networks for PCS/SCADA. In Proceedings of the 24th IEEE International Conference on Advanced Information Networking and Applications, AINA 10, Perth, Australia, April 2010, pages , IEEE Computer Society, ˆ Hani Alzaid, DongGook Park, Juan Manuel González Nieto, Colin Boyd, and Ernest Foo. A Forward & Backward Secure Key Management in Wireless Sensor Networks for PCS/SCADA. In Raúl Aquino Santos, Arthur Edwards, and Victor Rangel Licea, editors, Emerging Technologies in Wireless Ad Hoc Networks: Applications and Future Development, chapter 3, pages 41-60, IGI Global, USA Chapter 7: Finally the thesis contributions are summarized in this chapter. Several open problems and possible research directions are also discussed.

33 Chapter 2 Secure Data Aggregation in Wireless Sensor Networks Studies by Wagner [128] and Krishnamachari et al. [72] showed that data transmission consumes much more energy than computation. Data transmission accounts for 70% of the energy cost of computation and communication for the SNEP protocol [96]. Data aggregation can significantly help to reduce this consumption by eliminating redundant data. However, aggregators are vulnerable to attacks such as node compromise attacks, especially if they are not equipped with tamper-resistant hardware. When an aggregator node is compromised, it is easy for the adversary to change the aggregation result and inject false data into WSNs. Due to the WSNs unique characteristics discussed in Chapter 1, devising security protocols for WSNs is complicated and may not be successfully accomplished by the simple adaptation of security solutions designed for wired networks. Unfortunately, the security mechanisms used in other network environments are not appropriate for WSN domains, since they are typically based on public key cryptography, which is too expensive for sensor nodes. There are two approaches to circumvent the node compromise threat. The first one, which is the focus of this chapter, involves in increasing the needed efforts of the adversary to succeed in launching the attack. This can be done by employing some cryptographic-based techniques. For example, the Merkle hash tree is used in Przydatek et al. s Scheme in order to facilitate the verification process at the querier and ensure the correctness of the aggregation results (more details are given in Section 2.3). The second alternative mitigates node compromise attacks by adopting a reputation-based scheme to monitor the network activities and detect events related to the node compromise. A detailed discussion of the second approach is presented in Chapter 3. Our contributions in this chapter are four-fold: ˆ Define the security for data aggregation in WSNs. In contrast with existing secure data aggregation definitions, the proposed definition covers the unique characteristics that 13

34 14 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks WSNs have. ˆ Present a survey of the state-of-the-art in secure data aggregation schemes. These schemes are then classified into two groups according to the number of aggregator nodes, and whether the verification phase of the aggregation result is considered or not. ˆ Explore the relation between the security services and the adversarial model considered in existing secure data aggregation schemes for possible general framework. This framework helps identify the minimum security services that a secure data aggregation design should provide to defend against a specific type of adversary. ˆ Evaluate current cryptographic-based secure data aggregation schemes. The evaluation is composed of: (i) security analysis, and (ii) performance analysis. The security analysis covers the robustness against security attacks discussed in this chapter, and the security services provided. The performance analysis focuses on calculating the number of bits transmitted within the network, in order to show which secure data aggregation scheme is more energy hungry and sends more information to accomplish the scheme objectives. The rest of the chapter is organized as follows: Section 2.1 gives introductory information about secure data aggregation in WSNs. Section 2.2 lists security concerns in data aggregation, and highlights different capabilities that an adversary may have against a secure data aggregation scheme. Section 2.3 surveys, in detail, some of the current cryptographic-based secure data aggregation schemes and classifies them into two models: (i) the single aggregator, and (ii) the multiple aggregator model. Then, a security analysis of these schemes is discussed in Section 2.4. The analysis covers the security services these schemes provide, and their robustness against the security attacks mentioned above. Section 2.5 discusses the performance analysis of some of these schemes. Finally, the chapter is concluded in Section Secure Data Aggregation in Wireless Sensor Networks The motivation behind secure data aggregation in WSNs is explained in Section 1.3. Unfortunately, the design principles for secure data aggregation schemes are poorly understood. There is no clear definition of what secure data aggregation should mean, what security requirements a scheme should have, and what adversary capability a scheme should defend against. Existing schemes might have one or more of the security requirements, depending on how secure data aggregation has been addressed, and the strength of the expected adversary. For example, secure data aggregation has been addressed in Przydatek et al. s scheme from the point of view of detecting forged data aggregation values [99]. This does not cover security issues such as how to elect aggregators, rotate aggregation functionality between nodes, or how to set up trust between aggregators and sensor nodes. Also, some schemes provide more security requirements than others, as discussed in Section 2.4, or send more bits than others, as discussed in Section 2.5. Generally speaking, there is no common ground that allows for a complete comparison between different aggregation schemes.

35 2.1. Secure Data Aggregation in Wireless Sensor Networks 15 Secure data aggregation is defined as the efficient delivery of the summary of sensor readings that are reported to an off-site user in such a way that ensures these reported readings have not been altered [21, 99]. This definition considers WSN applications where the querier is located outside the deployment area and a base station acts as an aggregator. Shi and Perrig [115] highlight error sources that affect the aggregated data, and define secure data aggregation as the process of obtaining a relative estimate of the sensor readings with the ability to detect and reject reported data that is significantly distorted by corrupted nodes or injected by malicious nodes. However, rejecting reported data injected by malicious nodes consumes the network resources, specifically the nodes batteries. The malicious packet will be processed by intermediate nodes until it reaches the verifier, which is normally the base station. The damage caused by malicious nodes or compromised nodes should be reduced by adding a self-healing property to the network. This property helps the network to learn how to handle new threats through extensive monitoring of network activities. Therefore, we take a step further and stipulate the main components of a robust secure data aggregation scheme as follows: ˆ Ability to provide fair approximations of the sensor readings even though a limited number of nodes are compromised. ˆ Dynamic response to attack activities by rejecting incorrect aggregation results as soon as possible, possibly by nodes in the neighborhood, not at the base station level. These properties should work together to provide accurate aggregation results securely without exhausting the network s limited resources Security Requirements for Data Aggregation Security Since WSNs share some properties with traditional wireless networks, data security requirements in WSNs are similar to those in traditional networks [96, 115]. This section discusses security requirements for strengthening attack-resistant data aggregation schemes for WSNs. These security requirements are as follows: ˆ Data Confidentiality: ensures that information content is never revealed to unauthorized parties. In WSN applications where in-network aggregation is required, data confidentiality can be implemented in two ways: (i) a hop-by-hop basis and (ii) an endto-end basis. In the hop-by-hop basis, any aggregator node needs to decrypt the received encrypted data, apply an aggregation function, encrypt the aggregated data, and send it to an upper aggregator point. This kind of confidentiality implementation requires extra computation, which leads to more delays in the network and increases the energy consumption. It also facilitates the adversary s mission. For example, the secrecy of sensed data is disclosed once any intermediate node is compromised. In the end-to-end basis, an aggregator does not need to perform decrypting and encrypting on received data; it instead applies aggregation functions directly on encrypted data by using some techniques such as homomorphic encryption [131]. End-to-end confidentiality greatly reduces energy consumption since there is no need for decryption and encryption of the received encrypted data at intermediate nodes.

36 16 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks ˆ Data Integrity: ensures that a message has not been altered, either maliciously or accidentally, in transit. Even if the network provides data confidentiality, there is still a possibility that data integrity can be affected. In certain applications, data confidentiality is not as important as data integrity. It is sometimes acceptable for an adversary to eavesdrop and learn about aggregation results, but not to change them. Suppose a secure data aggregation scheme provides only data confidentiality in order to defend against an adversary that is capable of compromising an aggregator node. The adversary could then alter the aggregation result and mislead the base station. Moreover, even without the existence of an adversary, data might be damaged or corrupted due to the nature of the wireless environment. ˆ Data Freshness: ensures that the data are recent and no old messages have been replayed, thereby protecting data aggregation schemes against replay attacks. In this kind of attack, it is not enough that these schemes provide only data confidentiality and data integrity, because an adversary able to intercept even encrypted messages could later replay them to disrupt the data aggregation results. This requirement is important in real time applications or key management schemes. For example, an adversary could replay an old distributed shared key and mislead a sensor concerning the current cryptographic key used to secure sensing information or aggregation results. ˆ Data Availability: ensures that the network is alive and data are accessible. In the presence of malicious nodes, it is highly recommended that the network react to these bad (compromised) nodes and eliminate them. Once an adversary gets into the network by compromising some legitimate nodes, the adversary can affect network services, especially in those parts of the network where the attack was launched. It is preferable that a secure data aggregation scheme contains the following mechanism to ensure a reasonable level of data availability in the network: Self-healing: which can diagnose and react to an adversary s activities, especially when some legitimate nodes are compromised, and then start corrective actions based on defined policies to recover the network or isolate the compromised nodes. The reason for adding cryptographic mechanisms is to protect WSNs from adversaries whose goals may include decreasing WSN lifetime. However, adding these cryptographic mechanisms comes at cost. Thus, these mechanisms should be carefully implemented to fit WSNs characteristics. ˆ Authentication: allows a receiver to verify whether a message is sent by the claimed sender or not. An adversary would not be able to participate and inject data into the network without valid authentication keys. If entity authentication is not implemented, an adversary could impersonate other nodes and get access to sensitive data. In the aggregation context, without entity authentication, an adversary could masquerade as an aggregator and claim to a querier that an aggregation result is x instead of x.

37 2.2. The Expected Adversarial Model and Security Concerns The Expected Adversarial Model and Security Concerns WSNs are vulnerable to different types of attack. The damage caused by these attacks varies from one scheme to another according to the adversarial model. One of the potential vulnerabilities in WSNs results from compromising its sensor nodes, given the lack of tamper-resistant packaging [54, 135]. An adversary could gain control of one or more sensor nodes and readily access sensitive information. It is usually assumed that node capture is easy in WSNs due to a lack of physical restrictions that help control access to the deployment area in outdoor environments [8]. This attack is referred to as the supervision attack and sometimes the physical attack. Considering the data aggregation scenario, once a node has been taken over, all the secret information stored on it can be extracted and the adversary can then participate in aggregation activities. Even worse, the adversary may also inject their own commodity nodes into the network by fooling nodes into believing that these commodity nodes are legitimate members of the network, especially if there is no proper authentication scheme in place. A simulation study showed that network operation and maintenance can be easily jeopardized and network performance will severely degrade once a single node starts misbehaving [80]. The purpose of this section is to highlight different capabilities that an adversary may have against a secure data aggregation scheme. Before we classify expected adversaries, possible security attacks related to WSNs are discussed in the following section Security Attacks This subsection studies how attacks related to WSNs (WSNs attacks) can affect any proposal to secure data aggregation in WSNs. WSNs attacks are discussed as follows: Sybil Attack (SY) The Sybil attack 1 is a type of attacks where the adversary is able to present more than one identity (node) within the network to deceive other nodes [39]. A node that wishes to conduct the SY attack can affect an aggregation scheme in different ways: it can (i) create multiple identities to generate additional votes in the aggregator election phase to make a malicious node an aggregator instead of legitimate nodes, (ii) generate multiple entries to an aggregation function with different incorrect readings, or (iii) create multiple identities to affect reputation values of legitimate nodes in reputation-based applications by falsely degrading legitimate node reputation values. Let us consider the example given in Figure 2.1 where an adversary creates fake IDs in order to affect the overall performance of the network. Figure 2.1-A shows a sketch of the normal scenario without any adversary. The real path starts from node A(D) and ends at 1 It has also been defined as a malicious device illegitimately taking on multiple identities [87].

38 18 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks B B Adversary Compromised Sensor Genuine Sensor A A B B B` C C D A. Normal Scenario B. Modified Scenario D Figure 2.1: Sybil Attack node D(A). Nodes B and C are adjacent neighbors. A simple form of the SY attack occurs when an adversary has the ability to compromise some sensor nodes. Suppose that an adversary succeeded in compromising node B and then manipulating the route discovery messages within the routing activities. Thus, the adversary can add another node to the network, which is node B in Figure 2.1-B. Now, the adversary can communicate with node A using node B and communicate with node C using node B. It can perform malicious activities in the network and trickily blame node B (or node B) for those activities and leave the reputation value of node B (or node B ) untouched. Selective Forwarding Attack (SF) It is sometimes assumed that each node will accurately forward received messages. However, a compromised node may refuse to do so. It is up to the adversary that is controlling the compromised node whether to forward received messages or not [67]. To put it in another way, the process of stopping the propagation of certain messages at the compromised node is under the control of the adversary. Once the adversary has succeeded in launching a SF attack, it can affect the propagation of the reputation information, such as direct observations across the network. Note that SF attacks are most effective when the attacking nodes are included in the path of the data flow. Figure 2.2 depicts a simplified scenario of a SF attack. The scenario follows the single aggregator model [6], where node A acts as an aggregator. In Figure 2.2-A, an adversary succeeded in compromising node B but behaved well and forwarded the request message sent by node A. Later on, node B, which is still under the adversary control, drops the response from D as in Figure 2.2-B. Since the aggregator has not received any reply for its recent request, node A updates its reputation table and reduces the reputation value of node D

39 2.2. The Expected Adversarial Model and Security Concerns 19 B B Adversary Compromised Sensor Genuine Sensor A B A X B C C D D A. Request Path B. Reply Path Figure 2.2: Selective Forwarding Attack as in Figure 2.2-B. Note that the reputation table does not usually contain any reputation information for the node that maintains the table. For example, the reputation table which is maintained by node A in Figure 2.2 does not have reputation information for the node itself (node A). Replay Attack (RE) Some WSN applications are vulnerable to replay attacks where an adversary is able to eavesdrop on the traffic and replay old messages. Replay attacks are the easiest, because the adversary does not need to physically capture a sensor node and get access to its internal memory, or analyze intercepted encrypted data. In the reputation-based applications context, an adversary can record some reputation information, which has been exchanged wirelessly between sensor nodes, without even understanding its content and then replay them (with no changes) to mislead other nodes and make their reputation tables out-dated. Figure 2.3 describes a simplified scenario of a RE attack in which the adversary has captured the reputation update message at a certain time t 1 (see Figure 2.3-A), and then re-injected it at time t 2 where t 2 > t 1 (see Figure 2.3-B). With no proper verification, nodes B, C, and D will accept this re-injection and end up being out-dated and thus potentially with incorrect reputation values. Spoofed Data Attack (SD) In this type of attack, an adversary alters intercepted data in order to inject false data into the network and affects the reputation values. This attack cannot be launched alone; the adversary needs to combine either a RE attack or node compromise attack with a SD attack. In

40 20 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks B B Adversary Compromised Sensor Genuine Sensor A A D B C A. Reputation Update at t 1 D B C B. Reputation Update at t 2 Figure 2.3: Replay Attack B B Adversary Compromised Sensor Genuine Sensor A A B B C C D D A. Normal Scenario B. Modified Scenario Figure 2.4: Spoofed Data Attack

41 2.2. The Expected Adversarial Model and Security Concerns 21 the former, the adversary first eavesdrops on the traffic, captures some reputation information in understandable format, performs some changes on the captured information, and then reinjects it into the network. In the latter, the adversary first needs to overtake a sensor node, and can then affect the reputation calculation by falsely claiming that his direct observation for node N i is R i (instead of the correct R i ). R i is then propagated to neighboring nodes which are misled by the received indirect observation R i and thus their calculations for the reputation value of N i are affected. Figure 2.4 presents a simplified scenario of a SD attack once the adversary has succeeded in compromising node B. The adversary, in Figure 2.4-B, during the reputation update phase, claims that the reputation value for node A is R A not R A and then sends it to neighboring nodes C and D. Therefore, nodes C and D will use R A as an indirect observation for node A when they calculate the reputation value for node A Adversary Classification Current cryptographic-based secure data aggregation schemes are threatened by adversaries with different capabilities. The following criteria are used to classify adversaries: ˆ The adversary can take over a sensor node. The adversary can then read and modify all the software code and configurations, including secret keys, installed in the sensor node. For example, once the adversary has succeeded in compromising a sensor node, the adversary can then alter any software installed in this node. In other words, adversaries can be: passive or active. Passive adversaries take advantage of the wireless communication nature (broadcasting) and eavesdrop on the traffic to obtain any important information about the sensed data. Active adversaries interact with WSNs by injecting packets, destroying or compromising nodes, extracting sensitive data, and stopping or delaying packets from being delivered to a querier, etc. They can launch any type of attack listed in Section ˆ The adversary has access to the whole network. As discussed in Section 1.3, there are three components in WSNs: sensor nodes, aggregators, and a base station with different functionalities and capabilities. The adversary s ability to interact with these components is determined by the network access. Passive adversaries with total network access can listen to all communications between sensor nodes in the network; and active adversaries can interact maliciously with all components in WSNs (nodes, aggregators, base stations) by launching any attack listed in Section However, this type of access is not common in most WSN applications. Moving from the total network access capability to partial network access, passive adversaries can listen to communications between a subset of nodes in the network. Active adversaries can interact only with a subset of nodes in the WSN. According to the above two criteria, adversaries are divided into four distinct types as shown in Figure 2.5. Type I is the weakest adversary: capable of eavesdropping on communications

42 22 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks Figure 2.5: Classification of adversaries in some parts of the network in which it has access to, but not capable of interacting with the network. To the best of our knowledge, this type of adversary has never been considered in any secure data aggregation scheme. Type IV is the strongest. It refers to an active adversary that has total access to the network. This type of adversary is interested in affecting the data aggregation results by launching any attack listed in Section against any network component (nodes, aggregators, base stations). We believe that this adversary classification can help to make better evaluation of new schemes and facilitate making decisions on which scheme is more suitable for specific conditions, as discussed in Section In the following section, current cryptographic-based secure data aggregation schemes are discussed. Aggregator Sensor Base Station A. Single Aggregator B. Multiple Aggregator Figure 2.6: A sketch of single and multiple aggregator models 2.3 Current Secure Data Aggregation Schemes To the best of our knowledge, there have been four surveys in which current secure data aggregation schemes are compared. Setia et al. [112] discussed the security vulnerabilities of data

43 2.3. Current Secure Data Aggregation Schemes 23 aggregation schemes and surveyed secure data aggregation schemes that are resilient to false data injection attacks. However, this survey covered only a few schemes. Sang et al. [109] classified secure data aggregation schemes into hop-by-hop encrypted data aggregation and end-to-end encrypted data aggregation. However, this classification does not detail the security analysis nor the performance analysis of these schemes. In early 2008, we classified these schemes based on how many times the data is aggregated during its travel to the base station, and whether these schemes have a verification phase or not [6]. This taxonomy also discussed performance and security analyses of these schemes. A year later, Ozdemir and Xiao [93] surveyed current work in the area of secure data aggregation and provided some details on the security services provided by each scheme. It is found that their security analysis is similar to our published taxonomy. This section follows the same methodology used in our previous taxonomy [6] and extends it by analyzing more secure data aggregation schemes. The security analysis covers the robustness against security attacks discussed in this chapter, and the security services provided. The performance analysis focuses on calculating the number of bits transmitted within the network, in order to show which secure data aggregation scheme is more energy hungry and, sends more information to accomplish the scheme objectives. It was found that current secure data aggregation schemes fall under either a single aggregator model or a multiple aggregator model. These will be discussed in the following subsections. A sketch of these two aggregation models can be found in Figure 2.6. Under each model, each secure data aggregation scheme either has a verification phase or does not, depending on security primitives used to defend against the expected adversary capability. To put it in another way, the verification phase is used to validate the aggregation results (or the aggregator behavior) by using methods such as interactive protocols between the base station (or the querier) and normal sensor nodes. Figure 2.7 classifies secure aggregation schemes depending on the aggregation model they follow and whether they have a verification phase or not Single Aggregator Model The aggregation process, in this model, takes place once between the sensor nodes and the base station or the querier. All individual collected physical phenomena (PP), therefore, travel to only one aggregator point in the network before reaching the querier. This aggregator node should be powerful enough to perform the expected high computation and communication. The main role of the data aggregation might not be fully satisfied since redundant data still travel in the network for a while until they reach the aggregator node, as shown in Figure 2.6- A. This model is useful when the network is small. However, large networks are unsuitable places for implementing this model, especially when data redundancy at lower levels is high. Examples of secure data aggregation schemes that follow the one aggregator model are: Du et al. s scheme [40], Przydatek et al. s scheme [99], Mahimkar & Rappaport s scheme [75], and Sanli et al. s scheme [110], which are discussed in the following sections.

44 24 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks Secure Data Aggregation Schemes Single Aggregator Model Multiple Aggregator Model No Verification Phase Verification Phase No Verification Phase Verification Phase Sanli et al. Du et al. Przydatek et al. Mahimkar & Rappaport Westhoff et al. Castelluccia et al. Yang et al. Chan et al. Jadia & Mathuria Hu & Evans Frikken & Dougherty Haghani et al. Figure 2.7: Classification of current secure data aggregation schemes Du et al. s Scheme Du et al. [40] proposed a witness-based scheme, which enhances the assurance of aggregation results reported to the base station. Du et al. argued that selecting some nodes around the aggregator, as witnesses to monitor the data aggregation results, helps to assure the validity of the aggregation results. The leaf nodes report their sensing information to aggregator nodes. The aggregator then needs to perform the aggregation function and forward the aggregation results to the base station. In order to prove the validity of the aggregation results, the aggregator node has to provide proofs from several witnesses. A witness is a node around the aggregator, which also performs data aggregation like the aggregator node, but without forwarding its aggregation result to the base station. Instead, each witness computes the message authentication code (MAC ) of the aggregation result and then sends it to the aggregator node. The aggregator subsequently must forward the proofs with its aggregation calculation to the base station. Verification Phase This scheme does not have a verification phase since the base station can verify the correctness of the aggregation results without the need to interact with the network. Instead, the scheme designers rely on the proofs that are computed by the witnesses and coupled with the aggregation results. Upon receiving the aggregation result with its proofs, the base station uses the n out of m + 1 voting strategy to determine the correctness of the aggregation results. In the n out of m + 1 strategy, m denotes the number of witnesses nodes for each aggregator node, and n denotes the minimum number of witnesses that should agree with the aggregation result provided by the aggregator. If less than n proofs agreed with

45 2.3. Current Secure Data Aggregation Schemes 25 the aggregation result, the base station discards the result. Otherwise, the base station accepts the aggregation result. Adversarial Model and Attack Resistance Du et al. considered an adversary that can compromise the aggregator and some witnesses as well. Du et al., however, limited the adversary capability to compromising less than n witnesses for a single aggregator node. This type of adversary falls into the type III adversary, according to the discussion in Section Once the adversary has succeeded in compromising an aggregator node, it can then decide whether to forward the aggregation result and the proofs or not. This is an example of the Selective Forwarding attack. The adversary, once it compromises an aggregator node, is also able to replay an old aggregation result with its valid proofs instead of the current result to mislead the base station. This is an example of the Replay attack. Moreover, the adversary can take over some leaf nodes and then present multiple identities to affect the aggregation results, which is one form of the Sybil attack. The scheme is vulnerable to Sybil attacks because the sensed PP are not authenticated by the aggregator. Security Services The data aggregation security is provided by coupling the aggregation result with proofs from the witnesses around the aggregator node. These proofs, as discussed above, are MAC s computed on the aggregation result to ensure its integrity and authenticate the witnesses to the base station. Other security services such as data confidentiality, data freshness, and data authentication for leaf nodes were not considered by Du et al. Discussion The security primitives used in this scheme to defend against type III adversary is the n out of m + 1 voting strategy. This strategy authenticates witnesses and aggregators to the base station but not leaf nodes. The leaf nodes, therefore, are appropriate targets for the adversary to launch the Node Compromise attack and then report invalid readings to aggregators. Moreover, resource utilization efficiency in this scheme is poor due to three reasons: ˆ The aggregator needs to receive m more proofs from the witnesses and the aggregator then needs to forward these extra proofs with its aggregation result to the base station. ˆ The number of times the aggregation takes place in the network is increased by m times, because the aggregation function is repeated m times by the witnesses for each query. ˆ Finally, the aggregation result with the proofs are traveled unchecked all the way to the base station, because the verification process is done at the base station. Przydatek et al. s Scheme Przydatek et al. [21, 99] proposed a secure information aggregation scheme which provides efficient sub-schemes for securely computing the median and the average of the measurements, estimating the network size, and finding the minimum and the maximum sensor readings. It

46 26 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks consists of three types of network components: (i) an off-site home server (or user), (ii) a base station (or aggregator), and (iii) a large number of sensors. The scheme designers claimed that their scheme is robust against stealthy attacks where the attacker s goal is to make the user accept false aggregation results without revealing its presence. It is believed that stealthy attack can be accomplished by using any type of attack discussed in Section The scheme employed an aggregate-commit-prove approach, to achieve its goal, where the aggregator performs aggregation activities and then proves to the home server that it has computed the aggregation function correctly. In this approach, the aggregator helps with computing the aggregation results and then forwards them to the home server together with a commitment to the collected data. The home server and the aggregator then use interactive proofs, where the home server will be able to verify the correctness of the results. From the proposed sub-schemes, we limit the discussion in this chapter to the minimum aggregation sub-scheme (MIN). Przydatek et al. proposed a secure MIN discovery sub-scheme that enables the home server to find the minimum of the reported value. They, however, restricted the adversary capability to not reporting smaller values than real values. The subscheme works by first constructing a spanning tree such that the root of the tree holds the minimum element as illustrated in Algorithm 1. The tree construction proceeds in iterations. Throughout the scheme, each sensor node S i maintains a tuple of state variable (p i, v i, id i ), where p i denotes the ID of the current parent of S i in the tree being constructed, v i denotes the smallest value seen so far, and id i denotes the ID of the node whose value is equal to v i. Each S i initializes its state variables with its information as in steps 1, 2, and 3 in Algorithm 1. In each iteration, S i broadcasts (v i, id i ) to its neighbors. Let (v i, id i ) denote a message sent by S with a smaller value picked by S i. Then, S i updates its state by setting p i = S, v i = v i, id i = id i. The tree construction terminates after d iteration where d is an upper bound on the diameter of the network. Upon constructing the tree, each node S i authenticates its final state (p i, v i, id i ) using the key shared with the home server and then forwards it to the aggregator. The aggregator checks the consistency of the constructed tree with the values committed. If the check is successful, the aggregator commits to the list of all nodes and their states, finds the root of the constructed tree, and reports the root node to the home server. Otherwise, the aggregator reports the inconsistency. The commitment to the collected data is done using the Merkle hash tree [79] to ensure that the aggregator used the data provided by sensors. For example, the aggregator constructs the Merkle hash tree over the sensor measurements m 0, m 1, m 2,..., m 7 as in Figure 3, and then sends the root of the tree (called a commitment) to the home server. Verification Phase The home server, upon receiving the aggregation results and the commitment of the collected data from the aggregator, needs to verify the correctness of the reported data. The home server checks whether or not the committed data is a good representative of the true values in the sensors network. In other words, the home server checks if the aggregator is trying to provide an invalid aggregation result or not by using an interactive proof with the aggregator. It randomly picks a node in the committed list, say m 5 in

47 2.3. Current Secure Data Aggregation Schemes 27 Algorithm 2.1: Finding the minimum value from nodes sensed data /* code for sensor node i */ /* Initialization phase */ 1 p i = S i ; // current parent. 2 v i = v i ; // current sensed physical phenomenon. 3 id i = S i ; // owner of the current minimum value. 4 for i = 1.. d do 5 send (v i, id i ) to all neighbors. 6 receive (v j, id j ) from neighbors. 7 if (v j < v i ) for sensor j then 8 p i = S j ; 9 v i = v j ; 10 id i = id j ; 11 end if; 12 end loop; 13 return < p i, v i, id i >; Figure 2.8, and then traverses the path from the picked node to the root using the information provided by the aggregator. During the traversal, the home server checks the consistency of the constructed tree. If the checks are successful, then the home server accepts the aggregation result; otherwise, it rejects it. In other words, the aggregator sends the values of v 1,0, v 3,4, v 2,2 to the base station, and then the base station checks whether the following equality holds: v 0,0 = h(v 1,0 h(h(v 3,4 h(m 5 )) v 2,2 )) where h is a cryptographic hash function. Adversarial Model and Attack Resistance Przydatek et al. considered an adversary which can corrupt, at most, a small fraction of all the sensor nodes and then misbehave in any arbitrary way. However, more restrictions apply in their sub-schemes, such as that they assumed that the adversary, in the secure MIN sub-scheme, cannot lie about its value or is uninterested in reporting a smaller value. This adversary is classified as type III according to our discussion in Section According to Przydatek et al., this type III adversary can launch the Node Compromise attack but it is still unable to affect the secure MIN aggregation sub-scheme, because the adversary is not allowed to report values smaller than the real values. It is argued that this restriction should be relaxed because the adversary, with the ability to launch the Node Compromise attack, can report whatever data it likes or selectively drop messages. Thus, it is found that this scheme is vulnerable to Selective Forwarding attack. Moreover, the scheme is robust against the Replay attack due to the single usage of each temporary key shared with the base station. The scheme is also robust against the Sybil attack, because the adversary cannot mislead the base station to accept new hash chains for the newly created fake identities. Thus, these fake identities cannot predict the next component of the

48 28 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks i, j 0,0 i+1, j i+1, j+1 1,0 2,0 2,1 1,1 2,0 3,0 3,1 2,0 2,1 2,2 3,0 j 3,1 3,2 3,3 3,4 5 3,5 3,6 3,7 Figure 2.8: A Merkle hash tree hash chain and thus they cannot participate in the network. Security Services Przydatek et al. employed the Merkle hash tree together with µtesla [96] and MAC to defend against a type III adversary. The usage of µtesla and MAC provides authentication and data freshness to the network, and the Merkle hash tree provides data integrity. Authentication is offered because only legitimate sensor nodes, with synchronized hash chains with the base station, are able to participate and contribute to the aggregation function. Data freshness is offered because of the single usage of the temporary key provided by µtesla. Unfortunately, data availability was not considered by Przydatek et al., due to the number of bits that traveled across the network in order to accomplish the aggregation task for a single query, as will be discussed in Section Discussion As discussed above, the scheme is able to check the validity of the aggregation result, but with no further action to remove or isolate the node which caused inconsistency in the aggregation results. Przydatek et al. also restricted the adversary capability into compromising the node but with no ability to report a value smaller than the real value when calculating the MIN aggregation function. It is believed that this assumption should be relaxed because an adversary with the ability to compromise nodes is also able to perform whatever activities it likes. Once the assumption is relaxed, then the secure MIN sub-scheme should be revisited. Mahimkar & Rappaport s Scheme Mahimkar & Rappaport s scheme is similar to Przydatek et al. s scheme except that it provides one more security service; data confidentiality. It is composed of two phases: (i) the key establishment and (ii) the secure data aggregation and verification. The key establishment phase

49 2.3. Current Secure Data Aggregation Schemes 29 generates a secret key for each cluster, and each node belonging to the cluster has a share of the secret key. The node uses this share to generate a partial signature on its reading. The second phase ensures that the base station does not accept invalid aggregation results from the cluster head (or the aggregator). Each node senses the required physical phenomena (PP), encrypts it using its share of the cluster s private key, and computes the MAC on its PP using the key shared between itself and the base station. Then, it sends these data, the encryption result and the MAC to the cluster head, which aggregates the nodes PP s and computes the average of the sensed physical phenomena. The cluster head then broadcasts the average to all cluster members in order to let them compare their PPs with the average. If the difference is less than a threshold, the node creates a partial signature on the average using its share of the cluster s private key, and then sends it to the cluster head. The cluster head combines these signatures into a full signature and sends it along with the average value to the base station. Mahimkar & Rappaport used the Merkle hash tree together with encryption and digital signature to achieve their goals. They used elliptic curve cryptography to encrypt PPs reported to the cluster head, digital signature concept to sign aggregation results, and the Merkle hash tree to verify the integrity of the reported aggregation results once the signature verification failed. Verification Phase The base station, upon receiving the average value and the full signature, verifies the validity of the signature using the cluster s public key. A valid signature is generated by a collusion of t or more nodes within the cluster. The base station accepts the aggregation result, which is the average value, once the signature validity is accepted. Otherwise, the base station rejects the aggregation result and uses the Merkle hash tree to ensure the integrity of the PPs. This is done as suggested in Przydatek et al. s scheme. Adversarial Model and Attack Resistance Mahimkar & Rappaport aimed to defeat an adversary that is able to compromise up to t 1 nodes in each cluster, where t should be less than half of the total number of sensors in the cluster. This adversary falls into type III according to the discussion in Section Type III adversary is able to launch Node Compromise attack as assumed by the designers of the scheme. Once the adversary has succeeded in compromising a sensor node, it can forward messages selectively to upper nodes or drop them. This is an example of the Selective Forwarding attack. Also, the adversary is able to replay an old message with its own valid signature, instead of the current message, which misleads the base station and affects the aggregation results. Finally, the scheme is robust against the Sybil attack since each node should have a legitimate share of the cluster s private key that cannot be generated by the adversary. Security Services The scheme, through the key establishment phase, provides authentication service because only the cluster members with legitimate shares are able to participate in the aggregation processing. Data confidentiality and integrity are offered through the

50 30 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks aggregation and verification phase. Elliptic curve encryption provides data confidentiality, and digital signatures and the Merkle hash tree enhance data integrity of the aggregation results. Data freshness, however, is not considered. Discussion If the adversary compromised any of the cluster members, except the aggregator, it is able to affect the aggregation result by reporting invalid PP s. Wagner proved that the average function, which is implemented in this scheme as the aggregation function, is insecure in the existence of only one compromised sensor node [128]. Even worse, when the adversary succeeds in compromising the cluster head (or the aggregator), the adversary can then replay old but valid signed aggregation results to mislead the base station. In this case the base station would not be able to detect it. Moreover, Mahimkar & Rappaport considered only the average function and replacing this function with another function is impossible given the same scheme run. In the current scenario, each sensor node is able to check the aggregation result by dividing its PP by the number of sensor nodes in its cluster, and then comparing the result with the average value broadcasted by the cluster head. The sum function, for example, cannot be implemented because each sensor node encrypts its PP using a different share of the cluster private key, and this is inaccessible to other cluster members. Sanli et al. s Scheme Sanli et al. [110] proposed a secure reference-based data aggregation scheme that encrypts the aggregation results and applies variable security strength at different levels of the cluster heads (or aggregators) hierarchy. The differential data, which is the difference between the reference value and the sensed data, is reported to aggregator points instead of the sensed data itself in order to reduce the number of transmitted bits. Sanli et al. argued that intercepting messages transmitted at higher levels of clustering hierarchy provides a summary of a large number of transmissions at lower levels. They, therefore, believed that the security level of the network should be gradually increased as messages are transmitted through higher levels. Based on this observation, they chose a cryptographic algorithm that allows adjustment of its parameter and the number of encryption rounds to change its security strength as required. Instead of sending the raw data to the aggregator, a sensor node compares its sensed data with the reference data and then sends the encryption of the difference data. The reference data is taken as the average value of a number of previous sensor readings, N, where N > 1. The aggregator, upon receiving these differential data, performs the following activities: ˆ Decrypts the data and then determines the distance to the base station in number of hops (hop).

51 2.3. Current Secure Data Aggregation Schemes 31 ˆ Encrypts the aggregation result using RC6 with the number of rounds calculated as: number of rounds = 1 hop 100 (2.1) They adjust the number of rounds, which RC6 performs to accomplish an encryption operation, depending on how far the aggregator point is from the base station. The closer the aggregator is, the larger the number of rounds that should be used. ˆ Forwards the encrypted aggregated data to the base station. Verification Phase This scheme does not contain a verification phase to check the validity of the aggregation results. Sanli et al., instead, rely on the security primitives, RC6, to enhance the security for the aggregation results. Once the base station has received the encrypted aggregation results, it decrypts them with the corresponding keys. Adversarial Model and Attack Resistance Sanli et al. did not discuss the adversary capability that was considered in their scheme. It is believed, however, from the discussion in their paper, that the adversary type is a type II adversary for the following reasons: ˆ They rely only on encryption to provide accurate data aggregation. ˆ A single node compromise can breach the security of the scheme. For example, once the adversary has succeeded in compromising an aggregator node, the privacy and accuracy of the aggregation results can be manipulated and then affect the overall aggregation activities of the system. Security Services The data aggregation security is achieved by encrypting traveled data using the block cipher RC6. This provides a data confidentiality service to the network. Data freshness is also provided due to the key update component adhered to the aggregation component. Other security services are not considered because of the type of adversary considered by Sanli et al. Discussion The security primitives, used to defeat the type I adversary, are impractical for use in constrained devices such as sensor nodes. Law et al. [74] constructed an evaluation framework in which suitable block cipher candidates for WSNs can be identified. They concluded, based on evaluation results, that RC6 is lacking in energy efficiency (i.e., a large RAM consumer), and performs poorly on 8/16 bits architectures. They further concluded that RC6 with 20 rounds is secure against a list of attacks such as chosen ciphertext attack. However, the number of rounds for RC6 encryption in Sanli et al. s scheme can be as low as 10 rounds once the aggregator node is 10 hops away from the base station, according to Equation Multiple Aggregator Model In this model, collected data are aggregated more than once before reaching the final destination (or the querier) see Figure 2.6-B. As discussed in Section 1.3, this model achieves greater

52 32 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks reduction in the number of bits transmitted across the network, especially in large WSNs. The importance of this model grows as the network size gets bigger. Examples of secure data aggregation schemes that fall under this model are: Hu & Evans s scheme [58], Jadia & Mathuria s scheme [62], Westhoff et al. s scheme [131], and Sanli et al. s scheme [110], which are discussed in the following sections. Hu & Evans s Scheme Hu & Evans [58] proposed a secure aggregation scheme that achieves resilience against node compromise by delaying the aggregation and authentication at the upper levels. The required physical phenomena (PP) are, therefore, forwarded unchanged and then aggregated at the second hop instead of aggregating them at the immediate next hop. Thus, the parents need to buffer the data to authenticate it once the shared key is revealed by the base station. This represents the first attempt towards studying the problem of data aggregation security once a node is compromised. Each sensor node shares a temporary symmetric key with the base station, which lasts for a single aggregation calculation. The base station periodically broadcasts these authentication keys as soon as it receives the aggregation result. Each leaf node, as a part of the aggregation phase, transmits its PP to its parent. This transmission includes the node ID, the sensed PP, and the message authentication code MAC KID (ID, PP). It uses the temporary key shared with the base station, but not yet known to the other nodes, to calculate the MAC. The parent (or any intermediate node) applies the aggregation function on messages received from its children, calculates the MAC of the aggregation result, and then transmits messages and MAC s received from its direct children along with the MAC computed on the aggregation result. The parent, which has grandchildren nodes, is permitted to remove its grandchildren s raw data (or PPs) and confirm the aggregation result done by its children nodes (or the parent of its grandchildren). It is important that each parent stores raw data received from its children (and its grandchildren if it available) and the MAC computed on the reported data from its children (and its grandchildren if available). The parent will use this information at the end of the aggregation process when the base station reveals the temporary keys, as discussed in the subsequent paragraph. Verification Phase This scheme has a verification phase where the base station interacts with sensor nodes and aggregators in order to verify the aggregation results. Hu & Evans used µtesla protocol to update the shared keys between sensor nodes and the base station. The µtesla protocol delays the disclosure of symmetric keys to achieve asymmetry [96]. The base station generates the one-way key chain of length n. It then chooses the last key K n and generates the remaining values by applying a one-way function F as follows: K j = F (K j+1 ) Because F is a one-way function, anybody can compute backward, such as compute K 0, K 1,..., K j given K j+1, but nobody can compute forward such as compute K j+1 given K 0, K 1,

53 2.3. Current Secure Data Aggregation Schemes 33..., K j. In the time interval t, the sender is given the key of the current interval K t by the base station through a secure channel, and then the sender uses the key to calculate MAC Kt on its PP in that interval. The base station then discloses K t after a delay, which helps other nodes to verify the received MAC Kt. When aggregation results arrive at the base station, the base station reveals the temporary symmetric keys shared with every node. Every parent is now able to verify whether the information (raw data and the MAC ) stored for its children is matched or not. If the parent detects an inconsistent MAC from a child or a grandchild, it sends out an alarm message to the base station along with MAC computed using the node s temporary key. Adversarial Model and Attack Resistance The most serious threat considered by Hu & Evans is that of an adversary that can compromise the network to provide false readings without being detected by the operator. Each intermediate node (parent) can thus modify, forge, discard messages, or transmit false aggregation values. Hu & Evans, however, limited the adversary capability to not launching the Node Compromise attack for two consecutive nodes in the hierarchy. This type of adversary falls into type III according to the discussion in Section Once an intermediate node is compromised, the adversary is then able to launch the Selective Forwarding attack. The scheme, however, is robust against the Replay attack due to the single usage of each temporary key shared with the base station. Also, the scheme is robust against Sybil attack, because the adversary cannot mislead the base station to accept new hash chains for the newly created fake identities. Security Services Hu & Evans regarded data confidentiality of messages to be unnecessary for their scheme. They focused only on the integrity of aggregation results by using µtesla protocol, which also provides authentication and data freshness security services. Authentication is offered because only legitimate sensor nodes, with synchronized hash chains with the base station, are able to participate and contribute to the aggregation function. Data freshness is offered because of the single usage of the temporary key. Unfortunately, data availability was not considered by Hu & Evans, because each parent has to store and verify received information from its children and grandchildren. This verification requires each parent to listen to every shared key revealed by the base station until it hears the keys of its children and grandchildren. Even worse for data availability, the data keeps traveling towards the base station even when it has been corrupted, because the keys are revealed when the aggregation results reach the base station. Another factor that affects data availability is that once a compromised node is detected, no practical action is taken to reduce the damage caused by this compromise, and the compromised node can still participate in the aggregation activities. Discussion Hu & Evans considered data integrity and used µtesla to defeat a type III adversary. The scheme is able to detect a single node compromise, but without further action to remove or isolate this compromised node. Much worse, once a grandfather node detects a node compromise, it could not decide whether the cheating node is its child or grandchild. The scheme, moreover, fails to provide data integrity once the adversary compromised two consecutive nodes successfully in the hierarchy, such as the parent and the grandparent. The

54 34 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks scheme also suffers from extra memory overhead because of the delayed authentication and the need to buffer the data received by parents to be authenticated later. Finally, parents waste some energy listening to some of the revealed keys that are not intended for them. Jadia & Mathuria s Scheme The data confidentiality in Hu & Evans s scheme was not considered. Jadia and Mathuria, however, argued that messages relayed in data aggregation hierarchy may need confidentiality. Thus, they extended Hu & Evans s scheme to enhance the security services by adding data confidentiality [62]. This scheme uses encryption for confidentiality but without requiring decryption at intermediate nodes. The designers of the scheme adopted an encryption method where the data is added to a sufficiently long random encryption key. Let K A denote the master key shared between node A and the base station. The encryption of the sensed PP reported by a sensor node A can be calculated as follows: C KA = (PP A + K A ) (2.2) After encrypting the required PP, node A computes two MAC s on these PP. One MAC is calculated by using one-hop pairwise key shared with the node s parent, and the second MAC is calculated using two-hop key shared with the node s grandparent. The aggregation phase is accomplished in the same way as the Hu & Evans s scheme, except for two differences listed below: ˆ Leaf nodes encrypt their PP s before sending them. ˆ Leaf nodes compute two MAC s on the encrypted data. Each, leaf node then forwards its ID, encrypted data, and two MAC s to its parent. The parent node (say node C) receives the message and verifies the origin of the data using the one-hop pairwise key. It performs the aggregation over the encrypted data received from its children (node A and node B) as follows: EAR = C KA + C KB + C KC (2.3) where EAR denotes the Encrypted Aggregation Result. Node C then calculates the MAC of EAR using the two-hop pairwise key shared with its grandparent node, and transmits it along with the encrypted PPs and MAC s received from its children (of course without the MAC intended for itself). Verification Phase This scheme does not have a verification phase. Jadia & Mathuria argued that the two MAC s, which are discussed in the previous paragraph, help provide the integrity of the data while minimizing the communication required between the base station and sensor nodes. In other words, the verification phase in Hu & Evans s scheme, where the base station reveals temporary shared keys with nodes, is replaced with MAC s in order to improve data availability in the network. Jadia & Mathuria, however, did not discuss how these

55 2.3. Current Secure Data Aggregation Schemes 35 pairwise keys are distributed, nor how much bandwidth and energy consumption were required. If the base station did not receive alarm messages from parents regarding inconsistency between encrypted data and MAC s computed on them, the base station decrypts the aggregation result (EAR) from Equation 2.3 as follows: Aggregation result = EAR (K A + K B + K C ) (2.4) Adversarial Model and Attack Resistance Since this scheme is an extension to Hu & Evans s scheme, the scheme designers considered the same adversary type, which is type II. Unfortunately, the scheme is vulnerable to the Selective Forwarding attack due to the capability of a type III adversary and due to the same discussion given on Hu & Evans s scheme. However, the scheme is robust against the Sybil and Replay attacks due to the design assumption which states that the authentication and encryption keys are changed with every message. However, no details on changing these keys was given. Security Services This scheme provides data confidentiality, data integrity, data freshness, and authentication services. The usage of two MAC s, which are calculated by onehop and two-hop pairwise keys, provides data integrity and authentication for the aggregation results. Data confidentiality is provided by using the adopted end-to-end encryption that is summarized by Equations 2.2, 2.3, and 2.4. Finally, data freshness service is ensured in the network due to the authors assumption that the authentication and encryption keys are changed with every message. Discussion As discussed above, Jadia & Mathuria added data confidentiality to the security services provided by Hu & Evans s scheme, but their scheme has the same weaknesses. However, the memory overhead weakness is not visible in this scheme because it uses pairwise keys and does not need to keep copies of MAC s information until the base station reveals temporary keys. Westhoff et al. s Scheme Westhoff et al. [131] solved the problem of aggregating encrypted data in WSNs, and proposed a secure data aggregation scheme that provides aggregator nodes with the possibility to perform aggregation functions directly on ciphertexts. This work is an extension to their initial work in [131]. It uses an additive and multiplicative Privacy Homomorphic (PH ) encryption scheme [38] in order to provide end-to-end encryption. The aggregator nodes do not need to decrypt encrypted messages when they aggregate them. If the usual encryption algorithms, such as RC5, were used instead of PH to provide data confidentiality, hop-to-hop encryption then should be used instead of end-to-end encryption. This is because usual encryption algorithms do not let aggregator nodes apply aggregation functions directly on ciphertexts. Hop-by-hop encryption means that every intermediate node has to decrypt received encrypted messages, and then aggregate them according to the corresponding aggregation function, encrypt the aggregation results, and finally forward the aggregation results to upper nodes.

56 36 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks During the last few years, PH encryption schemes have been studied extensively since they have proved to be useful in many cryptographic applications such as electronic elections [49], sensor networks [17, 131] and so on. Homomorphic cryptosystem is a cryptosystem that allows direct computation on encrypted data by using an efficient scheme. It is an important tool that can be used in a secure aggregation scheme to provide end-to-end privacy if needed. The RSA scheme is a good example of a deterministic, multiplicative homomorphic cryptosystem on M = NZ Z, where N is the product of two large primes [105]. Let K e, K d, E, D, m, c denote the private key, public key, encryption function, decryption function, message in plaintext, ciphertext, respectively. Thus, C = NZ Z is the ciphertext space and the key space is: K = {(k e, k d ) = ((N, e), d) N = pq, ed 1 mod ϕ(n)} The encryption of any message m M is defined as: E ke (m) = m e mod N while the decryption of any ciphertext c C is defined as: D ke,k d (c) = c d mod N = m mod N Obviously, the encryption of the product of two messages m 1, m 2 M can be computed by multiplying the corresponding ciphertexts: E ke (m 1 m 2 ) = (m 1 m 2 ) e mod N = (m e 1 mod N)(m e 2 mod N) = E ke (m 1 ) E ke (m 2 ) Westhoff et al. s scheme employs the Domingo-Ferrer s encryption function that chooses the ciphertext corresponding to given plaintexts (or messages) from a set of possible ciphertexts. The public parameters, for the encryption function, are a positive integer d 2, and a large integer g that has many small divisors. There should be, at the same time, many integers < g that can be inverted modulo g. Then, the secret key is computed as: k = (r, g ) The plaintext r Z g is chosen such that r 1 mod g exists, where log g g indicates the security level provided by the function. The set of plaintext is Z g and the set of ciphertext is (Z g ) d. The encryption process is executed at leaf nodes as follows: ˆ Randomly split the plaintext a Z g into secretes a 1, a 2,..., a d such that d j=1 (a j mod g ) = a

57 2.3. Current Secure Data Aggregation Schemes 37 ˆ Compute E k (a) = (a 1 r 1 mod g, a 2 r 2 mod g,..., a d r d mod g) Leaf nodes then forward the encrypted data to aggregator nodes where PH is used to apply aggregation function on these encrypted data with no need to decrypt them. The decryption process is performed at the base station (or the querier), which is discussed in the subsequent paragraph. Verification Phase This scheme does not have a verification phase. Westhoff et al., instead, relied on the additive and multiplicative Privacy Homomorphic (PH ) encryption scheme to defend against the considered type of adversary. The scheme is designed to encrypt the required physical phenomenon in a way that aggregators are able to apply aggregation functions directly on ciphertexts. The aggregators then forward the aggregation results to upper nodes. When these aggregation results reach the querier, the querier decrypts them as follows: ˆ Compute the j th coordinate by r j mod g to retrieve a j mod g. ˆ In order to compute a, the querier computes D k (E k (a)) = d j=1 (a j mod g ) Adversarial Model and Attack Resistance Westhoff et al. aimed to defeat passive adversaries that eavesdrop on communication between sensor nodes, aggregators, and the base station. However, Westhoff et al. extended the capability of the adversary to be able to take over aggregator nodes but not other network components. Thus, we classify this adversary as type III due to its capability to launch the Node Compromise attack. Since the adversary is able to compromise aggregator nodes, it can then launch the Replay attack by replacing old but valid encrypted messages as long as encryption keys of leaf nodes have not been updated/renewed. Once an aggregator is compromised, the adversary is easily able to launch the Selective Forwarding attack. Security Services The data aggregation security is provided by encrypting the reported data and thus only data confidentiality is provided. Other security services, discussed in Section 2.1.1, are not provided due to the focus of Westhoff s paper. Discussion The security primitive used to defeat the type III adversary is PH. This primitive is impractical for use in constraint devices, such as the sensor node, due to its high computational cost [131]. Westhoff et al. argued that their scheme considered this disadvantage, the high computational cost, by rotating the aggregation duties between aggregators to balance the energy consumption. Moreover, it has been proved that PH is insecure against chosen plain text attacks [127]. However, Westhoff et al. argued that for data aggregation scenarios in WSNs, the security level

58 38 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks is still adequate and they used this encryption transformation as a reference PH. Unfortunately, this scheme can support only average and movement detection aggregation functions. Applying PH on the context of WSNs in order to support other aggregation functions is an open area of research. Yang et al. s Scheme Yang et al. [136] proposed a secure data aggregation that can tolerate more than one node compromise. The scheme is composed of two phases: (i) divide-and-conquer and (ii) commit-andattest. In the former phase, the scheme uses a probabilistic grouping technique that partitions nodes in a tree topology into several logical groups. In the latter phase, a commitment-based hop-by-hop aggregation is performed in each group to generate a group aggregate. The base station then identifies the suspicious groups based on a set of group aggregates. Each group under suspicion participates in an attestation process to prove the validity of its group aggregation result. A leaf node encrypts its ID, physical phenomena (PP), count value (C), and the query sequence number (SQ) using a pairwise key shared with its parent. The count value represents the number of the node s children, and therefore C for any leaf node is always zero. It then forwards to its parent the encryption result, a MAC computed on inputs to the encryption function, and a one bit aggregation flag. This flag instructs the node s parent upon receiving the transmission whether there is a need for further aggregation or not. When an intermediate node receives a message from its child, it first checks the flag and then follows one of the following scenarios: ˆ 1st scenario (flag=1): the intermediate node forwards the packet untouched to the base station via its parent. ˆ 2nd scenario (flag=0): the intermediate node decrypts the received message and then checks whether or not the received data is a legitimate response to the current query. Once this checking is passed, the intermediate node adds its own PP and other aggregation results received from other children nodes (with flag=0) to the received data. The C is subsequently updated by adding up count values of all other participants. To set the aggregation flag to one, which represents that no more aggregation should be done by this intermediate node, the node performs the following check: H(SQ ID) < F g (C) (2.5) where H is a secure pseudo random function that uniformly maps the input values into the range of [0, 1] and F g is a grouping function that outputs a real number between [0, 1]. This check helps the intermediate node to decide whether it is a leader node or not. Using the pairwise key shared with its parent, non-leader node encrypts its ID, new C, aggregation result, and SQ. It then sets the flag to zero and forwards these data along with a MAC, which is

59 2.3. Current Secure Data Aggregation Schemes 39 Algorithm 2.2: Grubbs test algorithm Input: a set T of n tuple (x, c x, Agg x ), where x is group leader ID, c x is group count value, Agg x is group aggregation result, and n is the total number of groups; Output: a set L of leader IDs of groups with invalid aggregation results. Procedure: 1 loop 2 compute µ c and s c for all counts in set T ; 3 compute µ v and s v for all values in set T ; 4 find the maximum count value c x in set T ; 5 compute statistic Z c for count c x as cx µc S c ; 6 compute p-value P c based on the statistic Z c ; 7 compute statistic Z v for corresponding values Agg x as Agg x µv S c ; 8 compute p-value P v based on the statistic Z v ; 9 if (P c P v ) < α then 10 T = T (x, c x, Agg x ); 11 L = L x; 12 else 13 break; 14 end if; 15 end loop; 16 return L; computed on inputs to the encryption function, and an XOR result for all MAC s received from its children and included in this aggregation. The leader node on the other hand performs the same operation as the non-leader node, except that it encrypts the new aggregation using the key shared with the base station and sets the flag to one. Verification Phase The base station, upon receiving the aggregation result from a leader node, needs to verify whether the received aggregation result is accurate and came from a genuine leader node. It decrypts this aggregation result and then applies Equation 2.5 to check the legitimacy of the node as a leader node. Once the test is passed, the base station needs to check the validity of the received aggregation result. First, the base station uses an adaptive Grubbs test [50] to verify the abnormality in the aggregation result before accepting or rejecting the received aggregation result. The adaptive Grubbs test, as shown in Algorithm 2, first computes the sample statistic for each datum X in the set by X µ, where µ and s are the mean and the standard deviation of s the data, respectively. The result represents the datum s absolute deviation from the mean in units of the standard deviation. To decide whether H 0 should be accepted or not, the test compares the p-value computed based on the sample statistic with the predefined significance level α (α = 0 typically), where p-value is set as the product of the p-values of the data aggregation and the count (the number of participants in the aggregation). When the p-value is smaller than α, H 0 is rejected and the datum under consideration is an outlier, and then the attestation mechanism is called. The attestation process is similar to the Merkle hash tree discussed in Przydatek et al. s scheme. The base station interacts with the group under

60 40 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks suspicion to prove the correctness of its group aggregation result. Adversarial Model and Attack Resistance The scheme designers considered an adversary that can compromise a small fraction of sensor nodes to obtain the keys as well as reprogramming these sensor nodes with attacking code. This type of adversary falls within type III according to the discussion in Section Although Yang et al. mentioned that they did not consider any type of behavior-based attack such as the Selective Forwarding attack, their scheme is examined against this attack for the sake of a complete survey. It is argued that if the adversary is able to launch the Node Compromise attack in order to mislead the base station about the aggregation results, the adversary can also perform some of the Selective Forwarding attack activities for the same purpose. The scheme, however, is robust against the Replay and Sybil attacks due to the query sequence number embedded in the reported PP and due to the use of µtesla, respectively. Security Services The data aggregation security is achieved by encrypting PP destined to the base station and then by checking the validity of the aggregation results. This ensures data confidentiality, authentication, and data integrity within the network. Due to the query sequence number, which is embedded in any response, data freshness is also offered. Data availability, however, is not ensured because of the high number of transmissions required to accomplish the aggregation activities, as will be discussed in Section 2.5. Discussion As discussed above, Yang et al. used an adaptive test to check the validity of aggregation results. This adaptive test is subject to attack when some nodes are compromised. The test uses reported aggregation results to compute the µ and s (see Algorithm 2). Compromised nodes can collude and report invalid aggregation results to mislead the calculation of the mean of the data (µ) and then affect steps 3-16 in Algorithm 2. This will affect the base station s decision and may enforce it to start the attestation process with honest groups instead of malicious groups. Moreover, invalid aggregation results are attested (or verified) through centralized verification that incurs high communication cost. 2.4 Security Analysis This section provides security analysis for several secure data aggregation schemes. Not surprisingly, this analysis can be difficult for the following reasons: ˆ The data aggregation security problem was solved using different approaches. For example, some authors solved the problem by considering either a single aggregator model or a multiple aggregator model. Each model has its own challenges that need to be considered carefully. End-to-end encryption, for example, is easier to implement in the single aggregator model than the multiple aggregator model. However, the energy consumption in the single aggregator model is high, because of the large number of transmissions required to accomplish a single aggregation query, as will be covered in Section 2.5.

61 2.4. Security Analysis 41 Table 2.1: Security services provided in current secure data aggregation schemes Missing Provided Scheme CO IN FR AV AU AT Sanli et al. [110] II Castelluccia et al. [17] II Westhoff et al. [131] III Hu & Evans [58] III Przydatek et al. [99] III Chan et al. [22] III Du et al. [40] III Mahimkar & Rappaport [75] III Yang et al. [136] III Jadia & Mathuria [62] III Frikken & Dougherty [43] III Haghani et al. [53] III CO Confidentiality IN Integrity FR Freshness AV Availability AU Authentication AT Adversary Type ˆ There is no standard adversarial model where current cryptographic-based secure data aggregation schemes compete to provide a higher level of security, or resilience to attacks discussed in Section For example, schemes that defend against a type I adversary are secure in the face of Sybil, Selective Forwarding, and Replay attacks. However, the resilience against these attacks is not provided by the scheme itself, but is due to the limited capability of a type I adversary, as discussed in Section Current cryptographic-based secure data aggregation schemes are consequently compared with respect to: the security services they provide, and the attacks they are secure against Security Services Since the considered adversarial model in current cryptographic-based secure data aggregation schemes varies from one scheme to another, as discussed in Section 2.3, each scheme provides different security services to defeat the expected type of adversary. This section investigates which security services, discussed in Section 2.1.1, are provided in each of the cryptographic-based secure data aggregation schemes discussed in this chapter. It is obvious from Table 2.1 that schemes designed with a type I adversary in mind, such as Castelluccia et al. s scheme [17] and Sanli et al. s scheme [110], do not provide entity authentication service, which is a must in most schemes that aim to defeat active adversaries (type III or type IV) as in [22,40,43,53,58,75,99,131,136]. This is because active adversaries can launch, for example, Sybil attacks where the adversary is able to present more than one node and then interact with the network. Adversaries can successfully inject fake identities to affect aggregation results and

62 42 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks mislead the base station. Security Services discussed in this section are as follows: Data Confidentiality Data confidentiality is provided in cryptographic-based secure data aggregation schemes whenever the privacy of the data is required. Some of the schemes in which a type II adversary is expected, such as Castelluccia et al. s scheme [17] and Sanli et al. s scheme [110], aimed to secure raw data and aggregation results from revelation by a passive adversary. Thus, they focused on providing data confidentiality only. This level of security is acceptable, because a type II adversary has no interest in destroying the overall performance but it is only interested in knowing the content of the reported information. Other schemes, which consider type III or type IV adversaries, may or may not provide data confidentiality. This depends on whether the privacy of aggregation results is important for WSN applications. For example, Jadia & Mathuria s [62], Mahimkar & Rappaport s [75], Przydatek et al. s [99], Yang et al. s [136], and Westhoff et al. s [131] schemes provide data confidentiality with other security services. Data Integrity Data integrity is provided in some cryptographic-based secure data aggregation schemes in which active adversaries (type III or type IV) are expected in the deployment area. These two types of adversary, as discussed in Section 2.2.2, can launch node compromise attacks and then they are able to alter the content of data received from downstream nodes before it is forwarded to upper stream nodes. If data integrity service is not offered by a scheme, upper stream nodes would have no knowledge of this alteration. Table 2.1 shows that most cryptographic-based secure data aggregation schemes that have at least a type III adversary in mind [22, 40, 43, 53, 58, 62, 75, 99, 136] provide data integrity service. However, Westhoff et al. s scheme [131] does not offer data integrity although it is built with type III adversary in mind. This is because the authors of this scheme limited their discussion to offering data confidentiality only. Data Freshness Active adversaries (type III or IV) can launch different types of attack such as Replay attacks. They can affect the aggregation result by simply replaying old messages into networks that do not have data freshness provided. Not surprisingly, each scheme where active adversaries are expected, ensures data freshness. However, data freshness is not provided in schemes such as Du et al. s [40], Mahimkar & Rappaport s [75], and Westhoff et al. s [131]. Witnesses in Du et al. s scheme help the base station (or the querier) to validate the aggregation results but the freshness of the aggregation is left unconsidered. Therefore, the aggregator - if compromised - can mislead the base station by replaying old messages with valid (but old) proofs from the witnesses. Westhoff et al. s scheme also does not offer data freshness, although was built with a type III adversary in mind. This is because the authors of this scheme limited their discussion to offering data confidentiality only. Table 2.1 shows that data freshness is ensured in Chan et al. s scheme [22], Hu & Evans s scheme [58], Jadia & Mathuria s scheme [62], Przydatek et al. s scheme [99], and Yang et al. s scheme [136].

63 2.4. Security Analysis 43 Table 2.2: Attacks vulnerabilities in current secure data aggregation schemes Robust Vulnerable Scheme NC SY SF RE AT Castelluccia et al. [17] II Sani et al. [110] II Westhoff et al. [131] III Hu & Evans [58] III Przydatek et al. [99] III Chan et al. [22] III Du et al. [40] III Mahimkar & Rappaport [75] III Yang et al. [136] III Jadia & Mathuria [62] III Frikken & Dougherty [43] III Haghani et al. [53] III SF Selective Forwarding RE REplay SY SYbil NC Node Compromise AT Adversary Type Data Availability Recently, data availability has gained some attention in cryptographic-based secure data aggregation schemes. Detecting the inconsistency in aggregation results with no further action to determine the node that caused this inconsistency is not enough. An adversary could keep manipulating aggregation results in order to bring the network down by consuming the energy resources of intermediate sensor nodes. Table 2.1 shows that Haghani et al. s scheme is the only scheme that provides data availability [53]. This scheme allows the identification of nodes that caused the inconsistency in the aggregation result (or the aggregation disruption) and then allows the removal of malicious nodes. These nodes can be detected through successive polling of the layers on a commitment tree. However, the energy consumption of successive polling is questionably high. Entity Authentication As discussed in Section 2.1.1, entity authentication ensures the reliability of a message by verifying its origin. Table 2.1 shows that cryptographic-based secure data aggregation schemes that provide data integrity also provide entity authentication. This is because the message authentication code (MAC ) is used to verify both data authenticity and data integrity. Note that, entity authentication is partially provided in Du et al. s scheme, because only communications between an aggregator and a querier are authenticated. Communications between leaf nodes and the aggregator are not authenticated.

64 44 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks Attack Vulnerability This section extends the attacks vulnerability analysis that is discussed in Section 2.3. Cryptographic-based secure data aggregation schemes are investigated to determine whether or not they are vulnerable to the security attacks listed in Section Node Compromise Attack The node compromise attack explains whether or not the adversary is able to reach any deployed sensor node and extract all credentials stored in its memory. It is usually assumed that node capture is easy in WSNs due to the lack of tamper-resistant packaging [8,69,69,107]. Thus, all cryptographic-based secure data aggregation schemes that consider active adversaries (type III or type IV) are vulnerable to the node compromise attack. Other schemes that consider passive adversaries (type I or type II) such as Sanli et al. s [110] and Castelluccia et al. s [17] schemes are robust against the node compromise attack due to assumptions about adversary capability. However, these two schemes are vulnerable to the Node Compromise attack once the adversary assumption is relaxed. Sybil Attack As the capability of the adversary varies from type I to type IV, the damage caused by these attacks also varies. Passive adversaries (type I or type II), as discussed in Section 2.2.2, have insufficient capability to launch the Sybil attack. Therefore, Castelluccia et al. s scheme [17] and Sanli et al. s scheme [110] are robust against the Sybil attack because of the considered adversary capability, not because of the security primitives employed in these schemes. Du et al. s scheme [40] is vulnerable to the Sybil attack, because leaf nodes are not authenticated to the aggregator. An adversary, upon compromising a leaf node, can present more than one identity and then mislead an aggregator with respect to aggregation results, as discussed in Section 2.3. Selective Forwarding Attack Once the adversary has succeeded in launching the node compromise, the adversary has full control of the compromised node and can then selectively drop messages. This is an example of the Selective Forwarding attack. All secure data aggregation schemes that considered active adversaries (type III or type IV) are vulnerable to this type of attack, except Haghani et al. s scheme [53]. This scheme has an adversary localizer component that marks nodes that disrupted an acknowledgment collection, and can then detect any selective forwarding activity. Once again, Castelluccia et al. s scheme [17] and Sanli et al. s scheme [110] are robust against the selective forwarding attack, because of the considered adversary capability, not because of the security primitives employed in these schemes. Replay Attack Replay attacks occur when the adversary has the ability to re-inject (or replay) old messages without even understanding their content. Most cryptographic-based secure data aggregation schemes are robust against this attack except Castelluccia et al. s [17], Du et al. s [40], Mahimkar & Rappaport s [75], Sanli et al. s [110], and Westhoff et al. s [131]. Surprisingly, Du

65 2.4. Security Analysis 45 CO: Confidentiality FR: Freshness IN: Integrity AU: Authentication Start Passive Adversary Active Partial Network Access Network Access Total Total Partial Type I Type II Type III Type IV FR & CO* FR & CO* FR & IN & AU & CO* Tamper Proof Finish Finish Finish Finish Figure 2.9: The proposed framework for secure data aggregation schemes et al. s, Mahimkar & Rappaport s, and Westhoff s [131] schemes are vulnerable to the replay attack although they are designed to defeat active adversaries. For example, once an adversary has compromised an aggregator node in Du et al. s scheme, it is able to replay an old aggregation result with its valid proofs, instead of a current result, to mislead the base station. In Mahimkar & Rappaport s scheme an adversary, upon compromising an aggregator, can replay old valid signed aggregation results to mislead the base station. In Westhoff et al. s scheme, an adversary can replay old encrypted messages once the compromise of an aggregator node has succeeded, which affects the aggregation results. The security analysis discussed above raises the point that relying on cryptographic countermeasure is insufficient to protect data aggregation schemes due to node compromise attacks. Table 2.2 shows that most cryptographic-based secure data aggregation schemes are vulnerable to different types of attacks Framework for Evaluating New Schemes Based on our discussion provided in Sections 2.1, 2.2, and 2.4, a conceptual framework for secure data aggregation schemes is proposed in this section. The framework helps to identify the minimum security services that a secure data aggregation design should provide to defend against a specific type of adversary. In other words, we believe that these minimum security services provide resilience against security attacks that can be launched by the expected adversary. Figure 2.9 depicts the relation between the security services, discussed in Section 2.1.1, and the adversarial model, discussed in Section Since type IV is so much more powerful, it is unlikely that any practical cryptographic-based secure data aggregation scheme against this adversary can be devised. The framework, therefore, suggests the use of tamper-proof

66 46 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks Parent Parent & Child Child 1 2 b d 1 2 b 1 2 b 1 2 b Figure 2.10: The aggregation tree model used in the performance analysis section technology to deny physical access to this type of adversary. Since a type III adversary is able to launch the security attacks discussed in Section 2.2.1, the framework suggests that any secure data aggregation scheme should provide at least data integrity, data freshness, and authentication. Data integrity helps to detect any spoofed data attack activity, data freshness is important to detect any replayed attack activity, and authentication helps to defend against any Sybil attack activity. The framework puts data confidentiality as an optional requirement. If data privacy is valuable for any application, then data confidentiality is necessary. A type I adversary is capable of eavesdropping on communications in parts of the network that it has access to, and type II can eavesdrop on all communications in the network. However, both types can not interact with any component in the network. To defend against these adversaries, the framework suggests that any scheme should provide at least data integrity. Data integrity is important to minimize the effect of unreliable data delivery due to the transmission media or drained batteries. Again, data confidentiality is suggested as an optional requirement. If a WSN application, where in-network aggregation is implemented, has concerns about data privacy, then data confidentiality should be provided. To the best of our knowledge, this framework is the first work that enables comparisons between different secure data aggregation schemes. 2.5 Performance Analysis This section provides a performance analysis of some cryptographic-based secure data aggregation schemes discussed in this chapter. This analysis focuses on calculating the number of bits transmitted within the network, in order to determine which secure data aggregation scheme is the most energy hungry and sends more information in order to accomplish the scheme

67 2.5. Performance Analysis 47 Table 2.3: Description of notations used in the performance analysis section Notation b d x y z qn h w N n Description The number of children nodes that an intermediate node has. The depth of the aggregation tree. The length of the reported information (raw or aggregation result) excluding the header. The length of the sensor ID in bits. The length of the MAC in bits. The length of the query nonce in bits. The length of the packet s header in bits. The number of witnesses per aggregator. The total number of nodes in the aggregation tree. The length of N in bits. objectives. Notations used in this section are listed in Table 2.3. For concreteness, we consider an aggregation tree where its depth is d and each node (except leaf nodes) has b children as shown in Figure This means that the distance between the base station and leaf nodes are d + 1, where d starts with zero at the first level. The total number of nodes (N), excluding the base station, in the tree is n bits long and can be calculated as: N = bd+1 1 b 1 (2.6) This kind of tree, therefore, has b d leaf nodes. If a scenario belongs to the single aggregator model, we consider the root of the tree to be the aggregator. Otherwise, any parent node acts as an aggregator (see Figure 2.10). In both models, each sensor node in the tree has to participate in the aggregation activity by sensing the environment and then report its reading to its parent. Moreover, TinyOS packet is pre-configured with a maximum size of 35 bytes (29 bytes payload and 6 bytes header) and thus we denote the packet header by h. We discuss six scenarios where both the single and the multiple aggregator models are covered. These scenarios are: no aggregation, aggregation but no security, two representatives for the single aggregator model (Hu & Evans s scheme [58], Jadia & Mathuria s scheme [62]), and two representatives for the multiple aggregator model (Przydatek et al. s scheme [99], Du et al. s scheme [40]). Since not all of these scenarios have a verification phase, we limit our analysis to the aggregation phase only First Scenario: No Aggregation & No Security We analyze the number of transmitted bits by considering the situation where no aggregation and no security are used within our example summarized in Figure Leaf nodes sense some

68 48 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks physical phenomena and report them to upper nodes (their parents). The parents subsequently forward this information to upper nodes until the information is delivered and collected by the base station (or the querier). Each reported set of information contains the sensor node ID and the sensed physical phenomena, which required each sensor node at level d to send x+y +h bits long message to its parent. Each parent, or intermediate node, needs to forward x + y + h bits for each child it has and x + y + h bits to report its reading. Thus, the total number of bits forwarded by each parent at level d i (where i = d 1) is: (b + 1)(x + y + h) (2.7) From Equation 2.7, the total number of bits traveled across the network to perform a single aggregation function can be estimated as follows: ( bd+1 1 b 1 d ) (x + y + h) + (d i)b (d i) (x + y + h) (2.8) Second Scenario: Aggregation but No Security i=0 The aggregation functionality in this scenario is implemented but the security is not considered. This scenario is similar to the example discussed in Section 1.3, where each parent combines the reported b messages from its children with its reading. Then, it forwards only one message to represent these b + 1 messages. The number of bits forwarded by each parent at any level is estimated as x + y + h and the total number of bits, traveled across the network in order to accomplish the aggregation phase, is calculated as: ( bd+1 1 ) (x + y + h) (2.9) b Third Scenario: Hu & Evans s Scheme This scenario analyzes Hu & Evans s scheme [58]. This scheme, as discussed in Section 2.3, follows the multiple aggregator model with a verification phase. Each leaf node (at level d i where i = 0) needs to send its ID, data, and one message authentication code toward its parent. The length of this message in bits can be calculated as x + y + z + h. Then, the total number of bits sent by all leaf nodes at level d i (where i = 0) can be estimated as: b d (x + y + z + h) (2.10) Each parent (at levels d i where 0 < i d) needs to forward the received data unchanged and adds one more MAC. Thus, the length of this message in bits can be calculated as b(x + y + z) + z + h. This means that the total number of bits sent by all parents in the tree is: d i=1 b (d i) [b(x + y + z) + z + h] (2.11)

69 2.5. Performance Analysis 49 Thus, the approximate number of bits transmitted across the network to perform a single aggregation transaction, in Hu & Evans s scheme, can be calculated by adding Equation 2.10 and Equation 2.11 together as follows: d i=1 b (d i) [b(x + y + z) + z + h] + b d (x + y + z + h) = ( bd+1 1 b 1 bd ) [b(x + y + z) + z + h] + b d (x + y + z + h) (2.12) Fourth Scenario: Jadia & Mathuria s Scheme As discussed in Section 2.3, Jadia & Mathuria s scheme [62] enhanced the security services provided in Hu & Evans s scheme [58] by adding data confidentiality. This requires each node to add one more message authentication code into each message. So, each sensor node at level d i (where i = 0) sends x + y + 2z + h bits instead of sending x + y + z + h bits in Hu & Evans s scheme. Then, the total number of bits sent by all leaf nodes can be estimated as: b d (x + y + 2z + h) (2.13) By substituting Equation 2.13 with the second part of the right side of Equation 2.12, the total number of bits sent by the scheme to accomplish a single aggregation function is approximately: = ( bd+1 1 b 1 bd ) [b(x + y + z) + z + h] + b d (x + y + 2z + h) (2.14) Fifth Scenario: Przydatek et al. s Scheme In this scenario, Przydatek et al. s scheme [99] is analyzed. The scheme follows the single aggregator model and uses the aggregate-commit-prove approach discussed in Section 2.3. In the aggregate phase, each sensor sends its ID, data, query nonce, and two message authentication codes keyed with two shared keys: the first key is shared with the aggregator and the other key is shared with the base station. The length of this message in bits is x + y + qn + 2z + h and it travels all the way toward the aggregator. Therefore, the total number of bits traveled

70 50 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks across the network until the sensed data reaches the aggregator can be estimated as: d i=0 (d i)b (d i) (x + y + qn + 2z + h) (2.15) In the commit phase, the aggregator constructs a Merkle hash tree of received messages. The aggregator sends the root of this tree (as a commitment value), the number of leaves in the hash tree, and an aggregation result. Let us assume for simplicity the length of the commitment value is x + y + qn + 2z + h bits long, and the length of the aggregation result is the same as the reported data x. Thus, the total number of bits sent to the home server (or remote user) by the aggregator is: n + 2x + y + qn + 2z + h (2.16) Adding the number of bits in Equations 2.15 and 2.16 gives the total number of bits sent by the scheme to perform the aggregation phase for a single aggregation query as follows: d i=0 n + 2x + y + qn + 2z + h + (d i)b (d i) (x + y + qn + 2z + h) (2.17) Sixth Scenario: Du et al. s Scheme According to the discussion in Section 2.3, Du et al. s scheme follows the single aggregator model. It is assumed that leaf nodes are honest and the sensed data reaches the aggregator and witnesses correctly. Let us assume that each sensor needs to send at least its ID and its sensed data. The length of this message in bits is x + y + h. Therefore, the number of bits sent by leaf nodes to the aggregator in order to accomplish the aggregation phase for a single aggregation activity can be estimated as: d i=0 (d i)b (d i) (x + y + h) (2.18) According to the scheme design, the same number of bits goes to each witness (w) and consequently the total number of bits sent to the witnesses can be estimated as: d w (d i)b (d i) (x + y + h) (2.19) i=0 where w is the number of witnesses. Then, each witness computes the aggregation result and sends it to the aggregator with a message authentication code (MAC ) that contains its ID and the aggregation result. The length in bits for this transmission can be calculated as: w(x + y + z + h) (2.20)

71 2.5. Performance Analysis 51 Table 2.4: Number of bytes transmitted across the network to accomplish a single aggregation transaction Scenarios b=2 b=3 b=4 d=3 d=4 d=3 d=4 d=3 d=4 First Scenario: No Aggregation & No Security Second Scenario: Aggregation but No Security Third Scenario: Hu & Evans s scheme [58] Fourth Scenario: Jadia & Mathuria s scheme [62] Fifth Scenario: Przydatek et al. s scheme [99] Sixth Scenario: Du et al. s scheme [40] Finally, the aggregator forwards its ID, the aggregation result that is computed by itself, and all MAC s received from its witnesses as follows: x + y + wz + h (2.21) Therefore, the total number of traveled bits can be calculated by adding Equations 2.18, 2.19, 2.20, and 2.21 as follows: d i=0 d (d i)b (d i) (x + y + h) + w (d i)b (d i) (x + y + h) + i=0 w(x + y + z + h) + (x + y + wz + h) (2.22) Example For better understanding the transmission overhead caused by scenarios mentioned above, an example with numbers is given. Let us select the length of the reported information without the header (x), the length of the sensor ID (y), the MAC s length (z), the number of witnesses (w), the length of the query number (qn), and the length of the total number of sensor nodes (n) to be 7 bytes, 2 bytes, 6 bytes, 5 witnesses, 3 bytes, and 4 bytes respectively. We compare the scenarios discussed in this section by computing the number of bytes that each scenario transmits to accomplish the aggregation phase. This can be done by substituting the values given above into Equations 2.8, 2.9, 2.12, 2.14, 2.17, and Table 2.4 investigates our scenarios by varying the depth of the aggregation tree, and the number of children each parent has. In contrast with the first scenario, the second scenario shows that in-network aggregation

72 52 Chapter 2. Secure Data Aggregation in Wireless Sensor Networks greatly helps reduce the number of bits required to accomplish the aggregation phase. This reduction increases as the depth of the aggregation tree or the number of children per parent increases. Table 2.4 also shows that cryptographic-based secure data aggregation schemes that follow the single aggregator model send many more bits than schemes that follow the multiple aggregator model. In fact, they send at least double the number of bits sent by single aggregator model schemes. 2.6 Summary This chapter is about cryptographic-based secure data aggregation. It first gives introductory information about secure data aggregation in WSNs, which leads to a new definition of data aggregation security with respect to the challenges that WSNs have. Then, it highlights the security requirements for data aggregation in WSNs, since this thesis is centered on providing security to data aggregation applications. It also discusses security attacks against cryptographic-based secure data aggregation schemes. Then, it surveys in detail some of the current secure data aggregation schemes and classifies them into two models: (i) the single aggregator, and (ii) the multiple aggregator model. It also discusses the security and performance analysis of current cryptographic-based secure data aggregation schemes. The security analysis covers the security services the current schemes provide and their robustness against the security attacks discussed in this thesis. Based on the security analysis, a conceptual framework is proposed. This framework helps to identify the minimum security services that a secure data aggregation design should provide to defend against a specific type of adversary. The security analysis also shows that relying on cryptographic countermeasure is insufficient to protect data aggregation schemes due to node compromise attacks. Table 2.2 shows that most cryptographic-based secure data aggregation schemes are vulnerable to different types of attacks. The performance analysis covers the number of bits transmitted in order to accomplish the aggregation phase in some selected schemes. Schemes that follow the multiple aggregator model are more efficient than schemes that follow the single aggregator model. In the next chapter, an alternative direction to circumvent node compromise attacks is discussed. Reputation-based approach, in this direction, monitors the network activities and tries to detect events related to the node compromise.

73 Chapter 3 Reputation-based Trust Systems in Wireless Sensor Networks Chapter 2 has reviewed cryptographic-based secure data aggregation schemes. It was found that cryptographic mechanisms alone are insufficient to defend against node compromise attacks. The wireless security community has consequently developed a suite of mechanisms to complement cryptographic techniques, such as reputation-based trust systems. These systems can be defined as systems that collect, processe, and disseminate feedback about the history of the sensors behaviors. To the best of our knowledge, there is only one survey in which current reputation-based trust systems for WSNs have been studied. Roman et al. gave the state of the art in trust management systems for WSNs and they also tried to identify the main components of these systems architectures [106]. The main two components, according to Roman et al. s study, are information gathering and information modeling. This chapter extends the work in [106] by considering more components in the architecture of reputation-based trust systems, and analyzing more trust systems. It also provides insights into the reputation components and vulnerability to the security attacks discussed in Sections and 3.2 for each system. Trust has become an important topic of research in many fields including sociology, psychology, philosophy, economics, business, law and information technology. The most cited definition of trust has been presented by Dasgupta as the expectation of one person about the actions of others that affects the first person s choice, when an action must be taken before the actions of others are known [33]. This definition captures both the purpose of trust and its nature in a form that can be reasoned. Another definition for trust by Gambetta [45] is also often quoted in the literature: trust (or, symmetrically, distrust) is a particular level of the 53

74 54 Chapter 3. Reputation-based Trust Systems in Wireless Sensor Networks subjective probability with which an agent assesses that another agent or group of agents will perform a particular action, both before he can monitor such action (or independently of his capacity ever to be able to monitor it) and in a context in which it affects his own action. Though many definitions are available in the literature, a complete formal unambiguous definition of trust is rare because trust is a complex term with multiple dimensions. A concept that is often mentioned together with trust is reputation. In order to avoid confusion, a definition for reputation as well as the relation between reputation and trust are highlighted in this paragraph. Mui et al. [84] define reputation as a perception that an agent creates through past actions about its intentions and norms. A similar definition given by Abdul-Rahman et al. [1] is a reputation is an expectation about an agent s behavior based on information about or observations of its past behavior. Another definition for reputation is given by Jøsang et al. [65] as: reputation is what is generally said or believed about a person s or thing s character or standing. Although the definition only introduces an abstract notion of reputation, it allows one to easily differentiate between trust and reputation. Trust describes a subjective relation between an entity and another entity (or group of entities) while reputation is what is generally said about an entity. Thus, the reputation of an entity is based on the opinions provided by all entities. Trust may be used to determine the reputation of an entity. The other way around, reputation may also be used to determine the trustworthiness of an entity [65]. The Feedback Forum on ebay is the most prominent example of online reputation systems [68] in which the basic idea is to let parties rate each other. After the completion of a transaction, each party is allowed to leave feedback about their experience of the other party. Then, the aggregated ratings about a given party are used to derive a reputation score, which can assist other parties in deciding whether or not to deal with that party in the future. In general, trust and reputation models provide means for assessing the trustworthiness of an entity within a specific context or scope. However, traditional trust management schemes used for wired and wireless Ad Hoc networks are not suitable for WSNs due to higher computational costs, and large memory and communication overheads [113, 114]. Our contributions in this chapter include the following: ˆ Proposal of an analysis framework for reputation-based trust systems. This framework helps to understand the limitation of each system. ˆ Discussion of the security concerns in reputation-based trust systems designed for WSNs. This includes discussion of how the integration between wireless sensor networks and reputation systems can open doors for an adversary to threaten reputation-based trust systems, and thus affect their entire performance. ˆ Presentation a comprehensive survey of the state-of-the-art in reputation-based trust systems for WSNs, and then classification of these systems according to the context they were designed for. ˆ Finally, a detailed comparison of these reputation-based trust systems. This comparison

75 3.1. Analysis Framework for Reputation Systems 55 Phase 1 Phase 2 Phase 3 Phase 4 Source Approach WDM Type Direct Indirect Observations Decision Metric Approach Structure Scope Structure Another entity Another entity Figure 3.1: The reputation system phases includes: (i) investigating the feasibility of main components of existing reputation systems, and (ii) analyze vulnerability of these systems to security attacks related either to WSNs or reputation systems. It is believed that this comparison will help in assessing the strengths and weaknesses of existing reputation-based trust systems. The rest of the chapter is organized as follows: Section 3.1 proposes a framework to analyze current reputation-based trust systems. The framework is composed of four phases: (i) information gathering and sharing, (ii) information modeling, (iii) decision making, and (iv) dissemination. Section 3.2 discusses possible security attacks against reputation systems. Section 3.3 surveys, in detail, some of the current reputation-based trust systems intended to work in WSNs and then classifies them into five categories: (i) generic, (ii) localization, (iii) mobility, (iv) routing, and (v) aggregation. Then, a comparison between current reputation-based trust systems is given in Section 3.4. Finally, the chapter is concluded in Section Analysis Framework for Reputation Systems Reputation systems often share similar structural patterns due to the common purposes they are used for, such as enhancing the system s overall performance by monitoring network activities. They consist of four main phases: information gathering and sharing, information modeling (or reputation calculation), decision making, and dissemination (See Figure 3.1). These four phases are discussed in the following subsections Information Gathering and Sharing Phase This phase compromises the communication and collection of reputation ratings. A reputation system design must specify the type of information to be collected about other neighboring

76 56 Chapter 3. Reputation-based Trust Systems in Wireless Sensor Networks nodes, and how it should be collected. The metrics for collected ratings can for example accept only positive ratings, only negative ratings, both types, or any rating on continuous scales. It is believed that this phase is the core component of any reputation system, because it evaluates current activities and gathers the available information about the system and then hands it to the next phase; the information modeling phase. The information gathering and sharing phase has four components: information source, information type, information gathering approach, and gathering scope. These components are discussed as follows: Information Source: The information source in any reputation system can be either manual or automatic. The manual information source is obtained in the form of user ratings for other entities as a result of being involved in a single transaction, such as in the ebay rating system [68]. This type of source is not available in WSNs due to the lack of user interaction with the network. The only user interaction with WSNs usually occurs at the base station, whereas the reputation system gathers information from every device within the WSNs. The automatic information source does not involve user interaction and can be either direct or indirect observation. Direct observations, sometimes called first-hand information, are computed based on the node s observations and experience with neighboring nodes, such as the success and failure of forwarding aggregated data within an error rate. In some reputation systems, direct observations need to be propagated to other nodes in the neighborhood. Then, this propagated information is called indirect observation, or second-hand information, at the receiving nodes. In other words, an indirect observation for one node is a propagated direct observation of another node. Indirect observation helps to build up the reputation system more quickly than using only direct observation, since nodes will be able to learn about other nodes behaviors even though no direct communications (observations) have occurred. However, propagating reputation information between nodes makes the system vulnerable to different attacks such as Bad Mouthing (BM), Ballot Stuffing (BS), and On-Off (OO) attacks as discussed in Section 3.2. Information Type: The type of the reputation information shared between sensor nodes can be unary, i.e., either only negative [14], or only positive [81], or binary, i.e, meaning positive or negative [13, 117, 118], discrete, i.e., positive, neutral, negative as in ebay, a natural number on a scale from 1 (untrusted) to 10 (trusted) [48], or continuous [66], e.g., real values in the range of [0,1]. The choice of the information type is up to the system designer, but designers should be aware of the consequences of any choice. Considering only positive feedback on the one hand, the BM attack can be prevented because malicious nodes would not be able to affect the trust level of trustworthy nodes by propagating negative reputation ratings. However, malicious nodes can collude and falsely praise misbehaved nodes to launch a BS attack. Propagating positive feedback also exhausts the network s limited resources since the number of nodes that behave correctly in general is supposed to be larger than those which do not. Thus, the number of transmissions required to update reputation values is high, which depletes the limited energy source. On the other hand, considering only negative feedback helps prevent malicious nodes from colluding and praising misbehaving nodes (BS attack), because they could not propagate positive feedback. It also helps to minimize the number of

77 3.1. Analysis Framework for Reputation Systems 57 transmission required to update the reputation values. However, malicious nodes can assign negative reputation ratings/feedback for trustworthy nodes in order to affect their trust level (BM attack). Information Gathering Approach: As discussed earlier, the main task of this phase is to collect information about other sensor nodes in the neighborhood. This information is gathered by a sensor node based on its observations and experience about other nodes. Most current reputation-based trust systems in WSNs use monitoring mechanisms such as the Watchdog mechanism (WDM) [81] as an approach to collect these direct observations. When a node forwards a packet, the node s WDM verifies that the next node in the path also forwards the packet. The WDM is implemented by maintaining a buffer of recently sent packets. The WDM compares each overheard packets with the packet in the buffer in order to see if they match or not. Once there is a match, the packet is removed from the buffer. If the packet has remained in the buffer for longer than a certain timeout, the WDM increments a failure tally for the node that is responsible for forwarding activities. Reputation System Scope: In the current literature, most reputation-based trust systems destined to WSNs focus on specific functions. For example, CORE [81], and CONFIDANT [14] focus on detecting misbehaviors related to routing functionalities, while DRBTS [118] focuses on enforcing cooperation between beacon nodes by motivating them to provide correct location information. Comparison between reputation-based trust systems with different scopes is difficult. This is because a scope-specific reputation system requires the WDM to be tailored in order to monitor activities related to the chosen scope. For example, the aggregation scope requires the WDM to monitor routing, forwarding, sensing, and aggregation activities where each activity may use different reputation information type, while the localization scope requires the WDM to focus only on the provided location information. Thus, applying the reputation system destined for the aggregation scope directly to the localization scope is impractical; the system has to be modified. However, there might be cases, where a trust model that has been developed for a specific scope can be also applied to another scope with only minor changes, especially in scenarios where the input parameters for the trust model come from the same domain Information Modeling Phase The main task of this phase is to calculate the reputation values for such a node from the available information (direct and indirect observations), which is provided by the previous phase; the information gathering and sharing phase. This phase has two components: the information modeling structure, and the information modeling approach. These components are discussed as follows:

78 58 Chapter 3. Reputation-based Trust Systems in Wireless Sensor Networks Information Modeling Structure: Reputation systems can be designed to calculate reputation values via a centralized entity, distributed entities, or a hybrid approach. In the centralized structure, observations about a node s performance are propagated to a central authority that collects these observations, derives reputation values for each node and subsequently updates nodes with new reputation values. This structure relies on some assumptions, namely that nodes completely trust the centralized authority which in turn must be correct and always available. However, if the centralized structure is not carefully designed, it can become a single point of failure for the whole reputation-based trust system. Also, centralized systems suffer from a lack of scalability, especially if the information is obtained from high latency sources. In the domain of WSNs, most recent applications were designed with a central robust authority, the base station, in place. However, propagating observations across the network to the central point is impractical due to the scalability issue and the huge energy consumption. Hence, minimizing energy consumption is important in environments where end nodes are operated with 2AA batteries, such as MICA2 sensor nodes [30]. One way to minimize energy consumption is by considering the distributed structure for information modeling. In the distributed structure, each node propagates its observations to neighboring nodes and then these nodes calculate the reputation values individually. In other words, each node is responsible for collecting direct and indirect observations, and calculating reputation values of other nodes in the neighborhood. Although the distributed structure of the information modeling is inherently more complex, it scales well, avoids single points of failure in the system, and balances load across multiple nodes. Finally, reputation values in the hybrid structure are calculated by more than one entity. For example, Shaikh et al. s scheme [113, 114] follows the distributed approach for calculating reputation values for nodes within a cluster, but it follows a centralized approach when the base station calculates reputation values for cluster-heads. Information Modeling Approach: The information modeling approach can be either deterministic or probabilistic. In the former, the output is uniquely determined by the input with no existence for randomness, whereas the output in the latter can be predicted only within certain errors, due to some randomness resources added to the input. The Bayesian model [64, 104, 121], for example, uses a probabilistic approach, which is Bayes formula, to model the reputation information [24, page 256]. On the other hand, the majority vote used in Srinivasan et al. s system [118] is an example of the deterministic information modeling approach. In this voting approach, a sensor node calculates the reputation value of a specific beacon node, which is equipped with a GPS unit and provides location information, by summation of the positive and negative votes reported by neighboring beacon nodes Decision Making Phase The main task of this phase is to decide, based on the available reputation information resulting from the information modeling phase, whether or not the trustworthiness of a specific node

79 3.1. Analysis Framework for Reputation Systems 59 is enough for a certain interaction or task. In this phase, the decision metric component is discussed as follows: Decision Metric: The decision metric can be either binary, discrete, or continuous. In the binary decision metric, the decisions (cooperate and do not cooperate notions) are represented by two symbols 1 and 0, respectively. This is usually based on a threshold policy, which is common in most reputation-based trust systems for WSNs. If a reputation value of a sensor node is above a predefined threshold, then cooperation with this node is preferable. If a trust model provides more information about the trustworthiness of an entity, e.g. the trustworthiness comes from a set of discrete values such as distrusted, uncertain, trusted, and very trusted, then the final decision of whether to interact with an entity or not can be made in a more sophisticated way. For example, if the trust value can be interpreted in terms of the probability of a successful interaction, and if it is possible to assign values for utilities and costs to successful and unsuccessful interactions, respectively, then one might apply utilitybased decision making for deciding whether it is rational to interact or not [9, 83] Dissemination Phase The main task of this phase is to ensure that reputation values resulting from the previous phase, the decision making phase, are available at each legitimate neighboring sensor node. This phase has two components: dissemination structure and dissemination approach. These components are discussed as follows: Dissemination Structure: Calculated reputation values are distributed within trust systems according to the dissemination structure, which can be either a distributed or centralized structure. In the former, each sensor node calculates reputation values of other nodes in the neighborhood, stores them locally, and then shares them with its neighbors. This type of structure helps sensor nodes to be updated about other nodes by quickly filling their reputation tables. However, redundancy in this reported reputation information exists, which affects the limited energy source in sensor nodes. Unfortunately, the distributed structure opens doors for an adversary to affect reputation values by launching BS, BM, or OO attacks. In the latter, the centralized structure, calculated reputation values are stored and distributed by a single entity, which can be a cluster-head or a base station. To manage the dissemination activities, this single entity has to have greater resources, such as enough memory space to store reputation information for other nodes, and enough energy and processing capability to ensure availability of this single entity. It is worth mentioning that there is an overlap between the information modeling structure component and the Dissemination structure component, as will be discussed in Section Dissemination Approach: The dissemination approach can be either proactive or reactive. In the former, reputation values are broadcasted periodically, although there are no changes to reputation values since last update. In the latter, reputation values are only broadcasted

80 60 Chapter 3. Reputation-based Trust Systems in Wireless Sensor Networks when there are sufficient changes to these reputation values, such as the occurrence of a specific event, or that a request for a reputation value is received. Periodic dissemination, on the one hand, is suitable for resource constraint devices in busy networks, because reputation values are updated regularly for more than one activity. This helps reduce the number of transmissions required to update reputation values. On the other hand, the reactive dissemination approach, where reputation information is disseminated only on request, is suitable in networks with light traffic. This helps minimize the number of transmissions in cases where there are not sufficient changes in reputation values. It also covers designs where reputation values are piggy-backed on reply messages such as in CORE [81]. 3.2 Security Attacks against Reputation-based Trust Systems This thesis integrates reputation system capabilities with in-network aggregation functionalities for WSNs. This integration helps strengthen the performance and security levels of WSNs by providing continuous monitoring, evaluating the quality of different activities, and warning neighboring nodes about malicious behaviors. Although the use of trust and reputation concepts does not prevent an adversary from taking over legitimate nodes or adding malicious nodes, these concepts help detect malicious behaviors and then exclude from the network nodes that caused these malicious behaviors. As we propose to increase the robustness of WSNs by reputation systems, two types of attack may threaten the proposal s robustness. These two types are: (i) WSNs-related attacks (WSNs attacks), and (ii) reputation-related attacks (reputation attacks). WSNs attacks and examples of how they can affect reputation functions were discussed in Section The reputation system itself is threatened by several types of attacks [60, 63]. Understanding these attacks is crucial in order to ensure that the integration between reputation systems and WSNs does not open doors for more threats. Attacks that are only applicable to reputation systems are discussed in this section as follows: Bad Mouthing Attack (BM) This attack involves providing unfair negative ratings for trustworthy nodes. It is also known as False Accusation attack. Once an adversary has compromised a sensor node, it can affect the reputation system by assigning falsely negative feedback as the compromised node s observation of well-behaved neighboring nodes. When these incorrect direct observations are propagated to other neighboring nodes, they will be considered by neighboring nodes at the reputation calculation phase if no proper verification is in place, as will be discussed in Section 3.1. This results in incorrect reputation values for victim well-behaved nodes. In other words, the BM attack happens when the adversary has the ability to assign negative feedback for trustworthy nodes in order to reduce the trustworthiness in those nodes. This attack is possible in scenarios where the indirect observations are taken into consideration and parties

81 3.2. Security Attacks against Reputation-based Trust Systems 61 B B Adversary Compromised Sensor Genuine Sensor A A D B A. Normal reputation update C D B C B. Altered reputation update Figure 3.2: Bad Mouthing Attack are allowed to share their negative feedback with nodes in the neighborhood. Figure 3.2 depicts a simplified scenario where the BM attack can take place. Figure 3.2-A shows a sketch of the normal reputation update where nodes A and D have the same reputation value R C for node C. Note that the reputation table does not usually contain any reputation information for the node that maintains the table. For example, the reputation table which is maintained by node A in Figure 3.2 does not have reputation information for the node itself (node A). In figure 3.2-B, the adversary has succeeded in compromising node B. Later on, it assigned a negative reputation value R C for a well-behaved node C in order to mislead node A with its calculation of the reputation value of node C. This results in that nodes A and D have different reputation values R C and R C, respectively. Ballot Stuffing Attack (BS) The ballot attack is similar to the BM attack, but the adversary tries to perform the opposite effect by providing unfair positive ratings (false praise). The trustworthiness of well-behaved nodes, in this attack, is not affected as in the BM attack; however, the trustworthiness of the bad-behaved nodes is affected by assigning falsely positive feedback to malicious nodes. This attack is feasible in scenarios where indirect observations are taken into consideration and parties are allowed to share their positive feedback with their neighboring nodes. Figure 3.3 depicts a simplified scenario where the BS attack can take place. Nodes B and C, in Figure 3.3-A, are compromised and their reputation values (or maybe one of their reputation values) are low due to their previous malicious behaviors. These compromised nodes colluded with each other and assigned higher reputation values to each other as in Figure 3.3-B,

82 62 Chapter 3. Reputation-based Trust Systems in Wireless Sensor Networks B B Adversary Compromised Sensor Genuine Sensor A A B D C A. Before launching BS Attack B D C B. After launching BS Attack Figure 3.3: Ballot Stuffing Attack which will affect the reputation calculation for nodes B and C at nodes A and D. Generally speaking, the adversary can substitute low reputation values with high reputation values for any neighboring node in order to affect the overall performance of the system. On-Off Attack (OO) In this type of attack, an adversary aims to disrupt the system s overall performance with the hope that it will not be detected or excluded from the network. The adversary alternates in showing abnormal and normal behavior in order to extend the detection time required to recognize its misbehaviors. This attack can be launched against either the reputation activities or general activities in WSNs. For example, showing abnormal and normal behaviors can be done in the context of reputation activities, such as forwarding and calculating reputation information, or can be done in the context of normal sensor network activities, such as aggregation, routing, and sensing physical phenomena. A simple scenario where an adversary is able to perform some OO attack activities is shown in Figure 3.4. Figure 3.4-A shows a subset of genuine sensor nodes where a sensor node B shares broadcasts its reputation table or its experience with neighboring nodes. Let us assume that node B has been compromised at t 2 where t 2 > t 1. Later on, node B behaves maliciously intermittently when it deals with nodes C and D by claiming that the reputation value for node A is R A instead of R A. However, it behaves normally when it deals with node A and disseminates the real reputation values for nodes C and D (see Figure 3.4-B). Another form of the OO attack happens when a sensor node misbehaves once every l well-behaved transactions, which makes nodes A, C and D uncertain about the behavior of node B. In other words, they are not sure whether the misbehavior of node B was intended or whether it was due to some other factors such as the wireless medium.

83 3.2. Security Attacks against Reputation-based Trust Systems 63 Adversary B Compromised Sensor B Genuine Sensor A A D B C A. Normal reputation update at t 1 D B C B. Altered reputation update at t 2 Figure 3.4: On-Off Attack B B Adversary Compromised Sensor Genuine Sensor A A D B A. Reputation update at t 1 C D B C C` B. Reputation update at t 2 Figure 3.5: Newcomer Attack