MASARYK UNIVERSITY
FACULTY OF INFORMATICS

Secure Routing Protocols for Wireless Sensor Networks

MASTER'S THESIS

Bc. Jiří Kůr

Brno, spring 2008

Declaration

Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source.

Advisor: Mgr. Petr Švenda

Acknowledgement

I express my gratitude to Petr Švenda for introducing me into the problematic of evolutionary algorithms and for our fruitful discussions. I am grateful to my sister Hanka for the language corrections.

Abstract

In this thesis, we examine the security aspects of wireless sensor networks with emphasis on the security of routing. Several secure routing protocols are reviewed and their security is evaluated. In the second part of the thesis, a concept for automatic attack generation and an introduction to evolutionary algorithms are presented. Usability of the concept was verified using evolutionary algorithms. Several attacks on routing protocols were generated. The impact of the generated attacks is discussed with respect to countermeasures.

Keywords

Wireless Sensor Network, Routing, Security, Evolutionary Algorithms

Contents

1 Introduction
Wireless sensor networks
Applications
Hardware characteristics
Security in WSN
Security goals
Key management
Attacker model
Secure Routing in WSNs
Attacks on routing
Bogus routing information
Selective forwarding
Sinkhole attack
HELLO flood attack
Wormhole attack
Acknowledgement spoofing
Sybil attack
Denial of Service
Towards secure routing
µTESLA
ARMS
Secure routing protocols
Secure Implicit Geographic Forwarding
IGF
SIGF-0
SIGF-1
SIGF-2
Secure Directed Diffusion
SeRINS
A Clean-Slate Approach
Introduction to Evolutionary Algorithms
Population of individuals and their representation
4.2 Genetic operators
Fitness function and selection operator
Automatic design of attack strategy
Related work
Basic concept
Elementary rules
Generation of attack strategy
Translation
Strategy execution
Fitness function evaluation
Concept realization via evolutionary algorithms
Attacker model revised
Evolutionary algorithms and genome structure
Triggers
Instructions
Network simulator
Fitness functions
Results
Minimum Cost Forwarding
Forging beacons
Selective forwarding
Implicit Geographic Forwarding
Rushing attack
MAC layer jamming
Neighborhood congestion
Experience and future work
Conclusion
A Example of generated attack strategy

Chapter 1 Introduction

Sensor nodes are tiny, low-cost devices equipped with environment sensors and a radio for wireless communication. These sensor nodes may constitute a network for monitoring physical phenomena. Such a network is called a Wireless Sensor Network (WSN). A wireless sensor network consists of a high number ( ) of sensor nodes and one or a few powerful devices acting as gateways.

Wireless sensor networks can be utilized in a broad variety of applications, ranging from battlefield surveillance in the military, through remote patient monitoring in medicine, to forest fire detection in environmental applications. The majority of WSN applications require at least some level of security. In order to achieve the needed level, secure and robust routing is necessary. However, routing protocols for WSNs were not designed with security requirements in mind. Karlof and Wagner [KW03] triggered a revolution in this field by proposing a comprehensive study on the security of routing in wireless sensor networks. They showed that all the protocols of that time were prone to simple attacks. Since then, security of routing has become a hot topic and several secure routing protocols have been proposed.

In this thesis, we aim to review the issue of secure routing in wireless sensor networks. We first introduce the concept of wireless sensor networks and outline their security aspects. In the second chapter, we examine selected secure routing protocols and evaluate their benefits and drawbacks. We also describe common attacks on routing protocols. The second half of the thesis deals with the problem of automatic generation of attack strategies and presents our results. We introduce the concept of Evolutionary Algorithms (EA) in chapter 4. In the next chapter, we present our concept for automatic design of attack strategies. We use this concept to discover attacks on routing algorithms. We summarize the results and outline future work in the conclusion.

Chapter 2 Wireless sensor networks

A Wireless Sensor Network is a heterogeneous network composed of a large number of tiny low-cost devices, denoted as nodes, and a few general-purpose computing devices referred to as base stations. The general purpose of a wireless sensor network is to monitor some physical phenomena (e.g., temperature, barometric pressure, light) inside the area of deployment.

The basic units of a WSN are nodes (sometimes called motes). These nodes are equipped with a communication unit (mostly a radio transceiver), a processing unit, a battery and sensors. Due to the size and expected costs of the nodes, they are constrained in processing power and energy. The number of nodes deployed in a WSN can vary from tens to tens of thousands depending on the particular application. Nodes can be deployed, for example, by precise placement one by one into predefined positions or by dropping from a plane. Their positions can be static or mobile. Networks with nodes in static positions are more common. Nodes have to be autonomous and the network itself has to be self-organizing. They are also prone to failures, thus the topology of the network changes very often.

Besides resource-limited nodes, the wireless sensor network includes one or more base stations (sometimes called sinks). These base stations have more resources and capabilities than the nodes. We assume that base stations might have laptop capabilities. They act as gateways between the sensor network and other networks, e.g. the Internet. They can also coordinate the nodes to some extent. In the most common application scheme, the nodes collect measured data and send them to the base stations, which forward them to the consumer.

2.1 Applications

There is a broad variety of applications for wireless sensor networks. These applications can be divided into five categories [ASSC02]: military, environmental, health, home and other commercial applications.
In the military, wireless sensor networks can be used for battlefield surveillance, sniper location or to detect chemical or biological attacks. Sensor networks can also be greatly beneficial for the environment. For example, they can detect forest fires or help researchers to monitor animal habits. An important application area is the medical environment, where nodes can collect a patient's physiological data. In commerce, wireless sensor networks can be deployed in car tracking systems or used for securing buildings, temperature regulation in offices, etc.

2.2 Hardware characteristics

Sensor nodes are small, low-cost and battery-supplied devices. Therefore the concept of WSNs is quite challenging. There are two main constraints: the low processing power of the nodes and the capacity of their batteries.

The former constraint directly determines the algorithms we can use. For example, we cannot use asymmetric cryptography or maintain large routing tables. Since the priority in development is to minimize cost, size and power consumption, there is only a small chance of a significant improvement of computational power and memory in the near future.

The latter constraint influences the properties of the algorithms used indirectly. The capacity of the batteries is essential for the node's lifetime. Often it is impossible, or not intended to be possible, to change batteries. Therefore the lifetime and usability of the network depend on their capacity and on the consumption of the nodes. Energy consumption is closely related to the algorithms implemented. For example, the biggest energy consumer is the radio transceiver, hence communication between nodes is very expensive in terms of the node's energy resources. Efficient algorithms must take this into account. The batteries are the dominating part of the node in terms of size. The size of the node is thus directly proportional to the capacity of its batteries.
Here are the parameters of a typical present-day sensor node, TMote Sky [TM006]:

- size: 65 x 32 x 7 (mm, excluding battery pack)
- 16-bit RISC processor, 8MHz clock frequency, 48KB flash memory, 10KB RAM
- 1024KB of external flash memory to store data and code
- radio: RF frequency 2400 MHz, bandwidth 250Kbps, with internal antenna
- outdoor range reaches 125m, indoor range up to 50m
- TinyOS operating system
- 2xAA battery lifetime > 1 year using sleep modes
- sensors: temperature, humidity, light

Figure 2.1: TMote Sky sensor node. Figure taken from [TM006]

Contrary to the nodes, the base station is assumed to have laptop capabilities and unlimited energy resources. More on wireless sensor network principles can be found in [ASSC02].

2.3 Security in WSN

The majority of sensor network applications require strong security features. This requirement is obvious in the case of military applications or applications working with sensitive personal data, like health or home applications. However, security is also a highly demanded property in commercial applications, where information means a competitive advantage and all assets have to be protected. Environmental applications also need some level of security, at least in terms of robustness against accidental errors and vandalism.

Nodes have two properties which have a critical impact on the security of WSNs, and which are both caused by the small size and low cost of the nodes. First, the nodes are not considered tamper resistant. An attacker with physical access to the node can extract the keys and other sensitive data from the node relatively easily. The attacker can then also turn the node into a malicious one by uploading malicious firmware into it. Second, the node is limited in resources, consequently only some security mechanisms can be applied. Contrary to nodes, the base station is considered tamper-resistant and trusted.

It also has much greater capabilities; we suppose it may have laptop capabilities and an unlimited energy supply.

Security goals

The security goals in sensor networks are similar to those in traditional networks. We require confidentiality, integrity, authenticity, freshness, anonymity and availability of service. Confidentiality, integrity and authentication are traditionally provided by end-to-end mechanisms on the higher layers of the ISO/OSI model, like SSL/TLS or SSH. But sensor networks often require in-network processing of the messages, like data aggregation, to be efficient, and thus the end-to-end approach is not in use. Therefore link-layer security architectures such as TinySec [KSW04] and mechanisms for securing node-to-node communication [PST+02] are of great interest in sensor networks.

Freshness, anonymity and availability of service should be provided by a secure routing protocol. There are several other security features of the ideal secure routing protocol. For example, an attacker should not be able to abuse the routing algorithm to shorten the network's lifetime. Nor should he be able to significantly slow down the traffic or increase latency. However, these features are application specific and it is unlikely that a universal secure routing algorithm with all such properties can be designed.

Key management

The poor capabilities of sensor nodes prevent us from massive use of expensive (in terms of computational resources) public key cryptography based on RSA or on the complexity of the discrete logarithm problem. However, some new designs [PLGP06] propose to use public key cryptography based on elliptic curves, which is less computationally complex. They assume that every node contains the public key of a single trusted authority and is able to verify the corresponding digital signature. It is questionable whether public key cryptography will be available in sensor networks in the near future.
The primary aim is to miniaturize the node and to decrease its cost, not to increase its processing power. However, there are more and more schemes employing asymmetric cryptography and we feel that its use has an increasing tendency.

Because of the limited processing power, symmetric cryptography is dominant in sensor networks. There are several schemes of key sharing among the nodes and base stations. We will examine the most common of them.

- Single key shared among all nodes: A simple, but weak scheme. Compromise of a single node compromises the whole network. This scheme is sometimes used for establishing the keys between each pair of neighboring nodes. It assumes that the attacker needs some time to compromise the node. During this time the new keys are established and the globally shared key is erased.
- Every node shares a unique key with the base station: Keys can be inserted into nodes off-line, prior to their deployment. Compromise of a single node compromises only its own key. A frequent assumption of security protocols.
- Each pair of neighboring nodes shares a key: Also a common assumption. Frequently applied together with the previous scheme. It enables hop-by-hop encryption and in-network processing, therefore it is convenient for sensor networks. However, in most applications keys cannot be preinstalled and must be distributed after deployment. Suppose we deploy the nodes by dropping them from a plane. We do not know which nodes will be neighbors and which will not. The neighborhood is established during the deployment process and keys have to be distributed afterwards. This task is nontrivial and requires additional assumptions and a complex key distribution protocol [EG02, PST+02, ZSJ03].

Attacker model

Karlof and Wagner have proposed the following attacker model [KW03] suitable for sensor networks and routing. There are two types of attacker: the mote-class attacker and the laptop-class attacker. A mote-class attacker has one or a few nodes with capabilities similar to a legitimate node. On the other hand, a laptop-class attacker has a powerful device with capabilities comparable to a laptop. He is not energy constrained and can have a more sensitive antenna and a more powerful radio. Another distinction can be made between insider attacks and outsider attacks.
Insider attacks deal with legitimate participants of the network behaving in a malicious way, whereas outsider attacks are mounted by an outsider who is not part of the network. However, an outsider can eavesdrop on the communication easily due to the broadcast nature of wireless communication.

The attacker can also be modeled with respect to the Needham-Schroeder model [NS78]. Needham and Schroeder assume that an intruder can interpose a computer on all communication paths, and thus can alter or copy parts of messages, replay messages, or emit false material. This model was extended to the node-compromise model [EG02], which further assumes:

1) keys can be loaded into the nodes in a secure way before the nodes are deployed,
2) the attacker is able to compromise only a fraction of the nodes,
3) the attacker can extract all keys from a compromised node, and
4) the attacker is able to monitor only a fraction of the links during the short time period after the deployment of the nodes. This means that there is something like a period of protection for nodes after deployment.

Chapter 3 Secure Routing in WSNs

Routing techniques in wireless sensor networks are influenced by two factors. First, routing has to deal with hardware and resource constraints. The routing algorithm has to be energy aware, and thus minimize the control information flows and communication. Routing table maintenance is limited by memory capacity. Second, the nature of sensor network applications defines traffic patterns which are different from the traditional ones. In sensor networks, it is not necessary to support communication between any pair of nodes; the dominant traffic is one-to-many (base station multicast), many-to-one (data sent to the base station) and local communication between neighbors.

As the resources are limited and the number of nodes is large, a wireless sensor network usually does not support global addressing, which brings high overhead. It often relies on its data-centric character instead and deploys attribute-based addressing. This means the base station sends queries for data with specific properties. However, the routing technique is strongly dependent on the particular application for which the wireless sensor network is used. Each application has different requirements on routing.

Today's routing techniques can be divided into three categories [AKK04] based on the network structure: flat-based, hierarchical-based and location-based routing. In flat-based routed networks, each node plays the same role; due to the large number of nodes global addressing is not supported and the data-centric approach is used instead. Typical algorithms in this category are Directed Diffusion and Sensor Protocols for Information via Negotiation (SPIN). The hierarchical-based (sometimes called cluster-based) algorithms are used in networks where the nodes are organized into clusters and route the information via special nodes denoted as cluster heads. The main benefit of such routing algorithms is data aggregation, which saves energy and increases efficiency.
The typical representative of this category is Low Energy Adaptive Clustering Hierarchy (LEACH). Location-based routing uses the node's location for addressing. The position of a node can be relative to its neighbors or absolute, detected, for example, by GPS.

This category includes geographic routing algorithms like Geographic and Energy Aware Routing (GEAR) or Geographic Forwarding (GF).

3.1 Attacks on routing

Since the concept of sensor networks originates from wireless ad-hoc networks, many attacks on wireless ad-hoc networks can be adapted for sensor networks. The Sybil attack is such an example [NSSP04]. Karlof and Wagner [KW03] show other types of attacks and furthermore propose two novel attacks: HELLO floods and sinkholes. Denial of Service attacks on sensor networks are studied by Stankovic and Wood [WS02]. We present a brief summary of the major attack classes here.

Bogus routing information

The basic method of influencing routing is to change the routing information. An adversary spoofs, alters or replays routing information. By these methods he can create loops in routing, increase latency, extend the paths or attract the traffic to a chosen node.

Selective forwarding

Selective forwarding is a variant of the DoS attack. A malicious node forwards only chosen packets and drops the rest. The attacker has to be included in the path of the data flow to mount selective forwarding. To do so, he can use a Sybil attack or a sinkhole attack. The ultimate variant of this attack is called a Black hole attack. In such a case, all the packets are dropped. However, a node behaving like a Black hole can be easily detected by the neighboring nodes, considered dead and excluded from the routing path. Therefore dropping only some messages may be more beneficial for the attacker.

Sinkhole attack

The goal of the sinkhole attack is to attract as much of the traffic as possible to the malicious node. The principle of this attack is that the malicious node tries to look very attractive to other nodes with respect to the routing algorithm. This goal can be achieved, for example, by spoofing the route advertisement or by providing a high-quality path to the base station using a wormhole attack. A sinkhole can be further used for selective forwarding, which is very efficient and easy in that case.

HELLO flood attack

In some protocols, nodes announce themselves to their neighbors by broadcasting HELLO packets. A node receiving such a packet concludes that the broadcasting node is its neighbor and is within the normal radio range. A laptop-class attacker can use a powerful radio to send HELLO packets to nodes which are far more distant from him than the normal radio range. These nodes will send their messages to oblivion, trying to reach a neighbor which is not in their radio range.

Wormhole attack

A wormhole is a low-latency out-of-band channel used to connect two distant parts of the network. The wormhole attack exploits routing race conditions. This means that a message which should normally traverse multiple nodes traverses only a single one and hence is delivered in much less time. The time of delivery can be important for the routing scheme, especially if the influenced message contains routing information. The attacker can send replayed packets through the wormhole to persuade two distant nodes that they are neighbors. He can, for example, create a wormhole between the base station and a node at the opposite side of the network, thus instead of multiple hops the node appears to be only a single hop from the base station. Therefore it becomes a sinkhole for its neighbors, providing a low-latency route to the base station.

Acknowledgement spoofing

Acknowledgement spoofing focuses on algorithms using link-layer acknowledgements. An attacker spoofs these acknowledgements to persuade the node that its dead neighbor is alive or that a weak link is reliable. The impact is similar to selective forwarding: chosen packets are lost with high probability.

Sybil attack

In the Sybil attack, the attacker simulates multiple nodes and advertises multiple identities to the rest of the network. By this, he can cripple even robust multipath routing algorithms, because the bulk of the paths (even all) may pass through him.
In geographic routing, the attacker's node can virtually be at several locations simultaneously and thus influence the routing algorithm. The Sybil attack in general is a serious threat not only for routing, but also for other algorithms such as voting algorithms or distributed storage.

Denial of Service

Denial of Service represents a more or less general class of attacks that can be mounted on several ISO/OSI layers of a wireless sensor network, including the network layer. Almost all of the above attacks, especially selective forwarding and HELLO floods, can result in denial of service.

3.2 Towards secure routing

Insecurity of routing algorithms is usually caused by missing authentication, freshness and integrity checks of the routing information. This fact is demonstrated by the presented attacks. Spoofing of routing information or acknowledgements is not possible if proper mechanisms ensuring integrity and authenticity are implemented. The Sybil attack becomes more complicated if authentication of nodes is present. Freshness of messages can stop replay attacks.

We present two security concepts proposed for sensor networks in this section. These concepts can be used to secure existing routing protocols or can be taken as security primitives when designing a new protocol. They address the broadcast authentication problem, because broadcast is frequently used to spread the routing information along the network.

µTESLA

In several routing protocols [HSW+00, YCLZ01, AKK04], the base station periodically broadcasts routing information or advertises itself as a base station. An attacker can forge such broadcast information if it is not properly authenticated. To achieve authenticated broadcast, asymmetric cryptography is traditionally used. However, this approach is not suitable for resource-constrained sensor networks. Therefore, µTESLA [PST+02] was designed. It provides an efficient authenticated broadcast based on symmetric cryptography.
µTESLA is the building block of the security architecture for sensor networks called SPINS (Security Protocols for Sensor Network) [PST+02]. Another building block is SNEP, which is used to achieve confidentiality, integrity, authentication and freshness.

µTESLA exploits the concept of the one-way hash chain. Because this concept is frequently used in secure routing protocols, we describe it in detail. Let us assume that we have a public one-way function $F$ and a random number $r$. The one-way hash chain of length $n$ is the sequence of $n$ numbers, where the last number is $r$, and the $i$-th number is obtained by application of function $F$ on the $(i+1)$-th one, for $0 < i < n$. Generation of the one-way hash chain thus starts by application of function $F$ on $r$. The key property of this chain is that everyone can compute the $i$-th item, having an arbitrary $j$-th item, where $i < j$, but not vice versa. One of the first applications of this chain was Lamport's scheme for one-time password generation [Lam81].

To make use of µTESLA, each node has to share a secret key with the base station. There also has to be a loose time synchronization between the nodes and the base station. Prior to the actual broadcast, the base station generates a one-way hash chain of length $n$ with the random key $K_n$ as the last element; let us denote this chain as a one-way key chain. Then the derived key $K_1$, the first element of the one-way key chain, is delivered to all nodes in an authenticated (not necessarily confidential) manner using their keys shared with the base station.

The time is divided into uniform intervals. Note that we have loose time synchronization. The base station associates each key of the key chain with one interval. Hence in the interval $i$ the base station authenticates the packets with the Message Authentication Code (MAC) using key $K_i$. The node receiving these packets stores them for further authentication. In the following time interval, the base station reveals the key $K_i$. Receiving nodes use that key to check the authenticity of the packets stored in the previous time interval, and verify the integrity and authenticity of the key by application of the one-way function $F$ on it. Note that the nodes already possess key $K_v$, where $v < i$. If the verification of the key succeeds, $K_v$ is replaced by $K_i$ and the packet is considered authentic.
In time interval $i$ only packets authenticated by key $K_i$ are accepted. This prevents an attacker from using an already revealed key to spoof the packets.

µTESLA has two drawbacks. The nodes have to keep the messages buffered, because the authentication is delayed. This can be a problem because of the limited memory of the nodes. It also delays the propagation of routing information. The second drawback is the need for loose time synchronization.

µTESLA can be extended to provide authenticated broadcast not only for base stations but also for nodes. Nevertheless, this model is not needed so often. Nodes usually broadcast messages only to their neighbors and these messages can be authenticated in a more efficient way, as shown in the following subsection.
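The delayed key disclosure described above can be followed step by step in the Python sketch below, which is an added example and not code from the thesis or from the SPINS authors. It assumes SHA-256 as $F$ and HMAC-SHA256 as the MAC, treats $K_1$ purely as the commitment so that broadcasting starts in interval 2, and uses hypothetical names (`Receiver`, `on_packet`, `on_key`, `MAX_GAP`); the packets are constructed samples.

```python
import hashlib
import hmac
import os

MAX_GAP = 64  # assumption: refuse disclosures that would force more than 64 hash steps


def F(x: bytes) -> bytes:
    """Public one-way function F (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(x).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_key_chain(n: int, k_n: bytes = None) -> dict:
    """Return {i: K_i} for i = 1..n, where K_n is random and K_i = F(K_{i+1})."""
    keys = {n: k_n if k_n is not None else os.urandom(32)}
    for i in range(n - 1, 0, -1):
        keys[i] = F(keys[i + 1])
    return keys


class Receiver:
    """Sensor node: holds the newest authenticated key K_v and buffers packets."""

    def __init__(self, k_1: bytes):
        self.v, self.k_v = 1, k_1
        self.buffer = {}  # interval -> list of (payload, tag)

    def on_packet(self, interval: int, payload: bytes, tag: bytes, now: int) -> bool:
        # K_interval becomes public in interval + 1, so a packet is only buffered
        # while its key is still secret (loose time synchronisation gives `now`).
        if interval != now or interval <= self.v:
            return False
        self.buffer.setdefault(interval, []).append((payload, tag))
        return True

    def on_key(self, i: int, k_i: bytes) -> list:
        """Handle disclosure of K_i; return the payloads that became authentic."""
        if not (self.v < i <= self.v + MAX_GAP):
            return []
        # Walk the chain back from K_i to index v; this also recovers the keys
        # of intervals whose disclosure was lost.
        derived = {i: k_i}
        for j in range(i - 1, self.v - 1, -1):
            derived[j] = F(derived[j + 1])
        if not hmac.compare_digest(derived[self.v], self.k_v):
            return []  # key is not on the committed chain
        authentic = []
        for j in range(self.v + 1, i + 1):
            for payload, tag in self.buffer.pop(j, []):
                if hmac.compare_digest(mac(derived[j], payload), tag):
                    authentic.append(payload)
        self.v, self.k_v = i, k_i
        return authentic


def demo() -> dict:
    chain = make_key_chain(5)          # base station side
    node = Receiver(chain[1])          # K_1 was delivered authenticated beforehand
    out = {}
    p2 = b"beacon seq=1"
    out["buffered"] = node.on_packet(2, p2, mac(chain[2], p2), now=2)
    # Interval 3: K_2 is public now, so a packet claiming interval 2 is refused.
    late = b"constructed late packet"
    out["late_packet"] = node.on_packet(2, late, mac(chain[2], late), now=3)
    out["bogus_key"] = node.on_key(2, os.urandom(32))
    out["after_k2"] = node.on_key(2, chain[2])
    p3, p4, bad = b"beacon seq=2", b"beacon seq=3", b"constructed bad-MAC packet"
    node.on_packet(3, p3, mac(chain[3], p3), now=3)
    node.on_packet(4, p4, mac(chain[4], p4), now=4)
    node.on_packet(4, bad, mac(os.urandom(32), bad), now=4)
    # The disclosure of K_3 is lost; K_4 alone authenticates intervals 3 and 4.
    out["after_k4"] = node.on_key(4, chain[4])
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The buffer in `Receiver` is the memory cost named as the first drawback above; a deployment would have to cap it, which this sketch does not do.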

Figure 3.1: ARMS. The relation between packets. $i$ denotes the actual contents of the packet. Message represents the sequence $F(K_{n+1})\ K_n\ i$. Figure taken from [LC06b]

ARMS

µTESLA aims to authenticate broadcast messages from the base station. Unfortunately this scheme is not suitable for resource-constrained nodes, which are not able to maintain a long one-way hash chain. Moreover, nodes typically perform only a so-called local broadcast, which means the packets are broadcast only to the neighbors. Authentication of a local broadcast can be achieved in an efficient way using ARMS [LC06b] (An Authenticated Routing Message in Sensor Networks).

The ARMS scheme assumes that each pair of neighboring nodes shares a secret key. This assumption is reasonable and can be achieved by several schemes [EG02, PST+02, ZSJ03]. Like µTESLA, ARMS builds on the one-way hash chain principle. In contrast to µTESLA, the chain is extremely short and periodically renewed. Prior to the actual broadcast, the sender generates a random key $K_1$. Then he derives the short one-way key chain $F(K_1), K_1$, and sends the value $F(K_1)$ (commitment) to all the neighbors using authenticated unicast. The broadcast packet then has the form $[F(K_2)\ K_1\ i\ \mathrm{MAC}(K_1, \mathit{message})]$, where $F(K_2)$ is a new commitment, $i$ is the actual authenticated content, $\mathit{message}$ is $[F(K_2)\ K_1\ i]$ and $\mathrm{MAC}(K, m)$ denotes the MAC of $m$ using key $K$. Since the receiver knows the previous commitment $F(K_1)$, he can immediately verify the authenticity of key $K_1$ and thus the authenticity and integrity of the whole packet. Concurrently, the new commitment $F(K_2)$ is established. The relation between subsequent packets is shown in figure 3.1.

Note that if a single message is lost, the phase of authenticated unicast has to be repeated. For this reason, the authors have extended the one-way chain. In the extended scheme, up to two messages can be lost without the need for a restart. Unlike µTESLA we do not require time synchronization, because the broadcast is only local and the messages are delivered at the same time to all nodes. Thus an attacker cannot forge any packet using a just revealed key.

ARMS is very efficient; it requires only 20 additional bytes per message. Memory requirements are also very low (16 bytes for the receiver, 48 bytes for the sender). The only problem can be the generation of random data. The sender has to generate 8 bytes of random data per every two messages. However, these data could be obtained using, for example, a noisy radio channel.

3.3 Secure routing protocols

Since Karlof and Wagner [KW03] drew attention to the problem of secure routing in sensor networks, several novel secure routing protocols have been proposed [DHM02, KLP03, LC06a, NC07, PLGP06, WFSH06, WYC04, YM06]. Some of them can be considered completely secure, but some of them prevent only selected types of attacks. We have also encountered a few protocols that were pretty secure, but with assumptions unsuitable for sensor networks. In this section we examine four secure routing protocols more deeply. We have selected protocols which we consider innovative, efficient and secure, and which come up with interesting ideas appropriate for further use.

Secure Implicit Geographic Forwarding

Secure Implicit Geographic Forwarding (SIGF) [WFSH06] is a configurable protocol family for secure routing. It consists of three protocols, which represent three security levels. The higher level inherits the capabilities of the lower ones. SIGF extends the Implicit Geographic Routing (IGF) [BHSS03] and thus can be included in the location-based class of algorithms.

IGF

Implicit geographic routing is a stateless hybrid routing/MAC protocol. The next hop is determined at transmission time, during the MAC-layer handshake. IGF is built on the RTS/CTS MAC protocol [footnote 1].
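Returning to the ARMS subsection above: the packet chaining (commitment over authenticated unicast, then one disclosed key and one new commitment per local broadcast) is sketched below in Python as an added example, not code from the thesis or from the ARMS authors. The 16-byte field size, truncated SHA-256 as $F$, HMAC-SHA256 as the MAC and the names `Sender` and `Neighbor` are assumptions; the basic (unextended) chain is modelled and the payloads are constructed.

```python
import hashlib
import hmac
import os

N = 16  # assumption: length in bytes of keys, commitments and MAC tags


def F(key: bytes) -> bytes:
    """One-way function F (truncated SHA-256, an assumption of this example)."""
    return hashlib.sha256(b"F" + key).digest()[:N]


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:N]


class Sender:
    def __init__(self):
        self.key = os.urandom(N)           # K_1

    def commitment(self) -> bytes:
        """F(K_cur); sent to each neighbor over authenticated unicast."""
        return F(self.key)

    def broadcast(self, content: bytes) -> bytes:
        nxt = os.urandom(N)                # K_2: committed now, disclosed next time
        message = F(nxt) + self.key + content
        packet = message + mac(self.key, message)
        self.key = nxt
        return packet


class Neighbor:
    def __init__(self, commitment: bytes):
        self.commitment = commitment

    def receive(self, packet: bytes):
        """Return the authenticated content, or None if the packet is rejected."""
        if len(packet) < 3 * N:
            return None
        new_commit, key = packet[:N], packet[N:2 * N]
        content, tag = packet[2 * N:-N], packet[-N:]
        # 1) the disclosed key must open the commitment from the previous packet
        if not hmac.compare_digest(F(key), self.commitment):
            return None
        # 2) the MAC under that key covers the new commitment, the key and the content
        if not hmac.compare_digest(mac(key, packet[:-N]), tag):
            return None
        self.commitment = new_commit       # only now is the new commitment trusted
        return content


def demo() -> dict:
    s = Sender()
    a, b = Neighbor(s.commitment()), Neighbor(s.commitment())
    out = {}
    p1 = s.broadcast(b"hop=3")
    out["a_p1"], out["b_p1"] = a.receive(p1), b.receive(p1)
    out["replay"] = a.receive(p1)          # commitment has already advanced
    # K_1 is public after p1; a packet built from it no longer opens a's commitment.
    k1 = p1[N:2 * N]
    msg = F(os.urandom(N)) + k1 + b"constructed"
    out["old_key"] = a.receive(msg + mac(k1, msg))
    p2 = s.broadcast(b"hop=2")
    out["tampered"] = a.receive(p2[:2 * N] + b"hop=9" + p2[-N:])
    out["a_p2"] = a.receive(p2)            # b never hears p2 (lost message)
    p3 = s.broadcast(b"hop=1")
    out["b_p3_after_loss"] = b.receive(p3)
    b.commitment = s.commitment()          # authenticated unicast repeated for b
    out["b_after_resync"] = b.receive(s.broadcast(b"hop=0"))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A neighbor that has not yet heard the packet disclosing a key would still accept anything MACed with it, which is why the scheme depends on the local broadcast reaching all neighbors at the same time, as the text notes.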
In IGF, each node is aware of its location. The routing procedure starts when a sender broadcasts an Open Request To Send (Open RTS) with its position S and destination position D. Nodes located within the 60° sextant centered on the line from S to D are considered candidate nodes. Each of these nodes sets the Clear To Send (CTS) response timer according to its distance from S, its remaining energy and its distance to the center of the sextant. The more suitable the node is for forwarding the message, the shorter the time it sets. When the response timer expires, the node sends a CTS. Then the sender sends it the data. Nodes hearing the CTS cancel their timers.

Footnote 1: IGF originally extended the basic DCF MAC protocol [IEE99].

The authors of SIGF have presented a security analysis of IGF [WFSH06]. IGF is robust and fault tolerant. It is safe against altering or spoofing of routing information, because none is sent. Furthermore, neither HELLO floods nor wormhole attacks have much effect: no routing tables are kept and routing is dynamic and independent of routing information exchange. But the Sybil attack, selective forwarding and DoS remain a threat for IGF. In the Sybil attack, a single-node attacker can create multiple virtual nodes around the sending node and thus increase the chance of being chosen. This attack can result in selective forwarding or a black hole. A simple but very effective attack is the so-called rushing attack. A malicious node ignores the CTS response timer and sends a CTS immediately. On the other hand, such behavior is easy to detect. A DoS attack can be performed by replaying either an old ORTS message or an old CTS message. This confuses the neighboring or sending nodes, forcing them to restart their timers or send the data to oblivion.

SIGF-0

SIGF-0 is a simple extension of IGF. It allows us to configure several parameters of IGF. Unlike IGF, where the forwarding area is fixed to a 60° sextant, SIGF-0 supports enlarging this area and thus taking into account more neighboring nodes. This decreases the chances of malicious nodes being chosen. In IGF, the sender chooses the first CTS message he obtains, then closes the collection window and sends the data.
In contrast, in SIGF the sender keeps the collection window open for some time to obtain more CTS messages and then chooses one of them. The choice can be made randomly or based on some priority. The sender can also choose multiple nodes to increase the robustness of the algorithm. The last configurable setting of SIGF-0 is whether the location of a node is omitted from the CTS response timer calculation or not.

The key difference between IGF and SIGF-0 is that IGF closes the CTS collection window after obtaining the first CTS, while SIGF-0 collects several of them. Hence SIGF-0 is less vulnerable to the rushing attack. Although this brings a small inefficiency, it significantly improves security.
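
The difference between closing the window on the first CTS and collecting several can be measured on a small model. The following is an added example, not code from the thesis or from the SIGF authors; the timer weights, the node values and the 5 ms window are constructed assumptions.

```python
import random

# Constructed neighbourhood: normalised distance from S, remaining energy and
# offset from the sextant centre line (all in 0..1). Node "M" rushes.
CANDIDATES = [
    {"id": "A", "dist_s": 0.9, "energy": 0.8, "offset": 0.1, "rushing": False},
    {"id": "B", "dist_s": 0.7, "energy": 0.9, "offset": 0.3, "rushing": False},
    {"id": "C", "dist_s": 0.5, "energy": 0.6, "offset": 0.2, "rushing": False},
    {"id": "D", "dist_s": 0.3, "energy": 0.4, "offset": 0.8, "rushing": False},
    {"id": "M", "dist_s": 0.2, "energy": 0.5, "offset": 0.9, "rushing": True},
]
MAX_DELAY_MS = 10.0


def cts_delay(node):
    """CTS response timer in ms; the weights are assumed, not taken from IGF."""
    if node["rushing"]:
        return 0.0  # ignores the timer and answers immediately
    suitability = (0.5 * node["dist_s"] + 0.3 * node["energy"]
                   + 0.2 * (1.0 - node["offset"]))
    return MAX_DELAY_MS * (1.0 - suitability)


def cts_arrivals(candidates):
    """CTS messages in the order the sender hears them: (delay, node id)."""
    return sorted((cts_delay(n), n["id"]) for n in candidates)


def igf_next_hop(candidates):
    """IGF: take the first CTS and close the collection window."""
    return cts_arrivals(candidates)[0][1]


def sigf0_collect(candidates, window_ms):
    """SIGF-0: keep the window open and collect every CTS arriving in it."""
    return [node for delay, node in cts_arrivals(candidates) if delay <= window_ms]


def sigf0_next_hop(candidates, window_ms, rng):
    """SIGF-0 with a random choice among the collected CTS senders."""
    return rng.choice(sigf0_collect(candidates, window_ms))


def capture_rate(select, trials=2000):
    """Fraction of forwarding decisions that end at the rushing node M."""
    return sum(select() == "M" for _ in range(trials)) / trials


if __name__ == "__main__":
    rng = random.Random(7)
    print("IGF   :", capture_rate(lambda: igf_next_hop(CANDIDATES)))
    print("SIGF-0:", capture_rate(lambda: sigf0_next_hop(CANDIDATES, 5.0, rng)))
```

With four CTS messages collected in the window, the rushing node is selected in roughly a quarter of the decisions instead of in all of them; a priority-based choice would change this ratio.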

SIGF-1

This variant inherits all the properties of SIGF-0. Furthermore, it introduces an inner state of the node. This state is initialized and maintained by the node itself and does not bring any communication overhead. SIGF-1 works as SIGF-0, but the choice of the next hop is also based on the reputation value assigned to each neighbor. This value is derived from the state information stored and maintained by the node. The node keeps the number of sent messages T and several records for each neighbor node N: the number of messages sent to N; the number of messages actually forwarded by N (determined by overhearing the traffic of node N); the last claimed location of N; and the average delay during forwarding of a message (again determined by overhearing). From these data the node derives the reputation value of node N. Candidates whose reputation value is below a threshold are dropped from the candidate list. This approach protects the algorithm against a Sybil attack. Note that all options of SIGF-0 still remain.

SIGF-2

SIGF-2 includes both previous variants and adds the use of cryptography to prevent the DoS attack. It also ensures confidentiality, authenticity, integrity and freshness of the communication between neighboring nodes. SIGF-2 requires neighboring nodes to share a secret key. In addition, a neighborhood key has to be established to enable authenticated broadcast of the Open RTS message. The integrity and authenticity of messages are ensured by a Message Authentication Code computed with the shared key. Freshness is guaranteed by sequencing the messages; a counter is kept for each neighbor node. SIGF-2 offers payload encryption to keep data confidential and prevent eavesdropping. By using authentication and sequencing, the DoS attack is prevented, as old messages are discarded by the nodes. However, in the case of a compromised node, the attacker can still mount such an attack.
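
The receiver-side check that discards replayed ORTS or CTS messages can be sketched as follows. This is an added example, not the SIGF-2 implementation; the frame layout, the truncated HMAC-SHA-256 tag and the use of a pairwise key for every message type are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8          # truncated MAC length in bytes (assumed)
HEADER = ">BHI"      # message type, sender id, per-neighbour counter (assumed layout)
HEADER_LEN = struct.calcsize(HEADER)
ORTS, CTS, DATA = 1, 2, 3


def protect(key, msg_type, sender, counter, payload=b""):
    """Build header || payload || MAC(key, header || payload)."""
    body = struct.pack(HEADER, msg_type, sender, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class NeighborTable:
    """Receiver state: one shared key and one counter per neighbour."""

    def __init__(self):
        self.keys = {}
        self.last_seen = {}

    def add(self, neighbor, key):
        self.keys[neighbor] = key
        self.last_seen[neighbor] = 0

    def accept(self, frame):
        """Return (type, sender, payload) for an authentic, fresh frame, else None."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        msg_type, sender, counter = struct.unpack(HEADER, body[:HEADER_LEN])
        key = self.keys.get(sender)
        if key is None:
            return None                      # not a known neighbour
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or modified
        if counter <= self.last_seen[sender]:
            return None                      # replayed or stale
        self.last_seen[sender] = counter     # advance only after the MAC verified
        return msg_type, sender, body[HEADER_LEN:]
```

A frame built with the genuine key and a higher counter is accepted whoever sends it, which is the compromised-node case noted above.
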
In SIGF-2 it is optional which types of messages are protected by cryptographic mechanisms. This gives the user the ability to set an appropriate level of security.

SIGF is a good example of a routing protocol that can be qualified as secure. SIGF can be configured to a certain level of security and robustness. One can easily trade off between the security, efficiency and performance of the algorithm. What is more, the configuration can be done dynamically. For example, the system can be set to maximum performance and, in case an attacker is detected, it can be reconfigured as a reaction to the attack. We consider the configurability of SIGF a great advantage. We also appreciate the approach of IGF, which integrates routing with medium access control. This significantly increases the performance and efficiency of the overall system, which is important in limited wireless sensor networks. We are aware of the fact that mixing the ISO/OSI layers also has many drawbacks and that IGF/SIGF depends on the particular MAC algorithm, but WSNs are specific and one cannot expect a truly universal solution.

An important limitation of IGF/SIGF is its essential assumption that every node knows its location. However, we consider this assumption justifiable. Furthermore, a network equipped in this way can offer advanced services. There are two ways to satisfy this assumption. In the first, every node is equipped with GPS. The second uses a few GPS-equipped nodes and a mechanism of triangulation to determine the location of the remaining nodes.

Comparing the variants of SIGF, we would evaluate SIGF-0 as the best from the cost/performance point of view. It is a very simple extension of IGF, which provides a variety of settings and appealing security properties for a trivial cost. SIGF-1 also pays off well. However, in a high-density network the state maintenance can occupy a significant part of the memory, and the process of overhearing can consume a nontrivial amount of energy. SIGF-2 uses encryption, which requires key establishment and management. It is costly, and the benefits in terms of defense against the DoS attack are very small. Since sensor nodes are not tamper resistant, it is relatively easy for the attacker to become part of the network and mount the attack anyway. Nevertheless, once the keys are distributed, the cryptography can provide additional services. Hence the SIGF-2 mechanisms can be used in cooperation with other protocols. This could justify the cost.
We would consider implementing ARMS for authenticated local broadcast of Open RTS messages instead of sharing a neighborhood key. ARMS would also provide implicit sequencing of the Open RTS messages.

Secure Directed Diffusion

Directed Diffusion is a very important data-centric routing protocol for Wireless Sensor Networks [IGE00]. However, this protocol has several security shortcomings. Therefore Secure Directed Diffusion (SDD) [WYC04], a secure variant of this protocol, was designed. The SDD protocol makes use of immediate TESLA [PCST01], which is a mechanism for authenticated broadcast.

The original Directed Diffusion has four phases. In the first phase, the base station broadcasts an interest for data, which is named by an attribute-value pair. This interest floods the network and sets up gradients at each node. Gradients specify the data rate and the direction in which to send data. The second phase begins when the interest reaches a node that can satisfy it. That node sends low-rate data along the reverse path of the interest dissemination. At the end of this phase, the base station receives low-rate data from multiple paths. The next phase is the reinforcement phase. The base station selects one particular path and sends a reinforcement via this path in order to obtain a higher data rate. In the last phase, the source node generates data at the requested rate and sends it through the reinforced path. Not only base stations can reinforce a path; a node included in the path can do so as well. This makes it possible to repair broken paths. Negative reinforcements are also supported.

Directed Diffusion is vulnerable to attacks because of missing authentication and integrity checking. Karlof and Wagner [KW03] have shown several attacks on Directed Diffusion. An attacker can spoof positive or negative reinforcements in order to change the data flow. This may include him in the path and result in selective forwarding, data tampering, DoS or eavesdropping. An attacker can also clone the data flow by rebroadcasting the interest and listing himself as a base station. A laptop-class attacker can create a sinkhole using a wormhole attack in combination with forged reinforcements.

The SDD protocol adopts ideas of the immediate TESLA protocol [PCST01] to ensure authenticity and integrity of routing and data messages. Only symmetric cryptography is used, and asymmetry is achieved by a one-way hash chain. The principle is similar to µTESLA described in section. The SDD protocol requires that there is only one base station and that it shares a secret key with each node.
All nodes are also seeded with the first value k_1 of the one-way key chain, whereas only the base station knows k_n, so that it can authenticate its messages. SDD has the same phases as the original Directed Diffusion, but in each phase the integrity and the authenticity of origin of the messages are protected. In the first phase, the base station floods the message M = (H(INTEREST_x) MAC(k_x H(INTEREST_x))), where H(m) denotes the hash of the message m, MAC(k, m) denotes the Message Authentication Code of m using key k and denotes concatenation. Suppose all nodes have received the message M after time t. Then the base station floods another message (INTEREST_x k_x). Now a node can verify that k_x comes from the base station by computing F^(x-1)(k_x) = k_1. Having k_x, the node can verify the integrity and authenticity of H(INTEREST_x) and subsequently of INTEREST_x. The same technique is used when sending reinforcements in the third phase. Thus the interests and reinforcements cannot be forged or modified. Notice the drawback that a broken path can no longer be repaired as in the insecure Directed Diffusion, because only the base station can send reinforcements.

The data sent in the second and fourth phases by the source node are also authenticated and their integrity is protected. In the phase of low-rate data propagation, the source node N floods D = (H(DATA 1 ) MAC(kN 1 H(DATA 1)) (kn 1 ) S F N), where kn 1 is the first key of the one-way key chain generated by node N, and (m) Sn denotes encryption of m using the key S n shared between node N and the base station. The base station decrypts the key kn 0 and sends it in the authenticated way, as in the first phase, to all nodes on the path. After this, the source node N sends the data (DATA 1 kn 2 nonce1 N (nonce1) S N ), where N is the list of nodes. nonce 1 is used to ensure freshness. If node E receives this data, it sends (DATA 1 kn 1 nonce1 N, E ((nonce1) S N ) SE ). The process continues until the base station receives the data. The base station can verify the authenticity and integrity of the data and also check the identity of the nodes on the path. Then the base station probabilistically selects one of the possible paths. In the last phase, data are sent from the source node N in a similar authenticated way as the interests and reinforcements, but in the opposite direction. Sequence numbers are also contained in the data to ensure freshness.

Secure Directed Diffusion is a secure variant of a popular data-centric protocol. Unlike the original one, it does not support data aggregation and path recovery. On the other hand, it is resistant to almost all known attacks. However, there is a problem during the low-rate data propagation phase. Possible paths are discovered and one is probabilistically selected. The probability of the attacker being on the path is proportional to the ratio of the number of paths that include the attacker to the number of all paths. Suppose the attacker A overhears the message (DATA 1 k 1 N nonce1 N, E ((nonce1) S N ) SE ).
He can create the message (DATA 1 k 1 N nonce1 N, E, A (((nonce1) S N ) SE ) SA ) and thus introduce a new path. The more such paths are created, the greater the probability that the attacker is on the selected path. The authors are aware of this attack. However, they rely on the property of the original Directed Diffusion that MAC unicast is used for data dissemination. We believe that this is a poor countermeasure. Unicast is not used for security purposes. It is still possible for an attacker to eavesdrop on the communication. In addition, a strong attacker can use, for example, selective jamming to prune away the original path.
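
The two-message interest authentication of the first SDD phase, seen from a node, can be written down as follows. This is an added example, not code from the thesis or from the SDD authors; SHA-256 for F and H, HMAC-SHA-256 for the MAC, the pending-commitment limit and the skip limit are assumptions, and the time t of the protocol is modelled by refusing commitments for a key index once its key has been seen.

```python
import hashlib
import hmac


def F(key):
    """One-way function of the key chain (SHA-256 is an assumption)."""
    return hashlib.sha256(b"chain" + key).digest()


def H(message):
    return hashlib.sha256(b"msg" + message).digest()


def MAC(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


def make_chain(k_n, n):
    """Base station side: k_i = F(k_{i+1}), so F^(x-1)(k_x) = k_1."""
    chain = {n: k_n}
    for i in range(n - 1, 0, -1):
        chain[i] = F(chain[i + 1])
    return chain


def commitment(chain, x, interest):
    """First flood: index x, H(INTEREST_x) and MAC(k_x, H(INTEREST_x))."""
    digest = H(interest)
    return x, digest, MAC(chain[x], digest)


class Node:
    MAX_PENDING = 4   # commitments buffered per key index (assumed limit)
    MAX_SKIP = 64     # longest chain walk a node is willing to do (assumed)

    def __init__(self, k_1):
        self.index, self.key = 1, k_1     # newest authenticated chain key
        self.pending = {}                 # x -> [(digest, tag), ...]
        self.disclosed = set()            # indices whose key is already public

    def on_commitment(self, x, digest, tag):
        """Buffer a commitment only while k_x is still secret."""
        if x <= self.index or x in self.disclosed:
            return False
        slot = self.pending.setdefault(x, [])
        if len(slot) >= self.MAX_PENDING:
            return False
        slot.append((digest, tag))
        return True

    def on_disclosure(self, x, interest, k_x):
        """Second flood (INTEREST_x, k_x): return the interest if authentic."""
        if x <= self.index or x - self.index > self.MAX_SKIP:
            return None                   # old key (replay) or implausible index
        k = k_x
        for _ in range(x - self.index):   # walk back to the trusted key
            k = F(k)
        if not hmac.compare_digest(k, self.key):
            return None                   # key is not on the base station's chain
        self.disclosed.add(x)             # k_x is public from now on
        digest = H(interest)
        tag = MAC(k_x, digest)
        for d, t in self.pending.get(x, []):
            if hmac.compare_digest(d, digest) and hmac.compare_digest(t, tag):
                self.index, self.key = x, k_x
                self.pending = {i: c for i, c in self.pending.items() if i > x}
                return interest
        return None
```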

SeRINS

Secure alternate path Routing IN Sensor networks [LC06a] is a routing protocol that combines several existing security mechanisms with its own neighbor report system to ensure secure routing. The goal of SeRINS is to protect the network against an insider who launches selective forwarding or advertises bogus routing information. The authors of SeRINS assume that the attacker can compromise only a small number of nodes. They also assume that each node shares a unique secret key with the base station, and that each pair of neighboring nodes agrees on a shared secret key. The last assumption prevents an outsider attacker from joining the network, because all communication is protected by hop-by-hop encryption.

SeRINS consists of three different schemes: an alternate path scheme, a neighbor report system, and neighbor authentication. The alternate path scheme establishes a routing topology. The base station builds a tree with itself as the root by periodically broadcasting routing information. There are two differences compared to MCF or TinyOS beaconing. First, the routing information packets are authenticated. Second, each node keeps more than one parent node, and hence multiple paths to the base station exist. Regarding the authentication of the routing updates, the first hop from the base station is authenticated using a one-way hash chain, so no one can impersonate the base station; subsequent hops are authenticated using the neighbor authentication scheme. This scheme is no more than the ARMS scheme described in section. To mitigate the impact of selective forwarding, multiple paths are established and one of them is randomly chosen for every packet. The third scheme, the neighbor report system, was designed to identify and eliminate malicious nodes that advertise bogus routing information. All neighbor nodes check the routing information sent by a node, and if an inconsistency is detected, the malicious node is reported.
The decision whether the reported or the reporting node is malicious is made by the base station based on votes from neighboring nodes. The base station eliminates the malicious node by flooding this information and revoking its keys.

Under the given assumptions, SeRINS seems to be resistant to all known attacks mentioned in section 3.1. The Sybil attack, the sinkhole attack, HELLO floods and acknowledgement spoofing are impossible due to the secure channels between each pair of neighboring nodes. Note that the responsibility is moved to the underlying key distribution scheme. The wormhole attack is supposed to be defended against by external schemes like packet leashes [HPJ03]. SeRINS itself defends routing against selective forwarding and advertising of bogus routing information. The impact of selective forwarding is minimized using the multiple paths scheme, yet some impact remains. The problem of bogus routing information is solved using a detection and reaction mechanism called the neighbor report system. We consider this system very inspiring. It is an example of leveraging the fact that neighboring nodes can overhear the surrounding communication. It can be regarded as an intrusion detection system. However, it is strongly embedded in the routing scheme and cannot be applied alone without massive changes.

A Clean-Slate Approach

Parno et al. [PLGP06] have decided to design a completely novel routing protocol with security and efficiency as the main goals. Their protocol builds on a combination of prevention, detection/recovery and resiliency. Furthermore, it provides a node-to-node routing scheme. Unlike the majority of algorithms for sensor networks, this one exploits public key cryptography. There is a single trusted authority NA, and each node is preloaded with its public key P_NA and is able to verify its signature. The authors argue that verification of a signature can be very efficient and can be performed even by a node. Each node also has a unique ID and a certificate (ID)_S_NA signed by the trusted authority. Additionally, the node has a one-way hash chain of challenge values C_1 ... C_k. The node also possesses (C_1 ID)_S_NA to be able to authenticate the challenges. Note that these assumptions are strict indeed, but they can be satisfied off-line prior to the actual deployment of the nodes.

The algorithm assigns a unique network address to each node and establishes the routing tables using recursive grouping. The recursive grouping algorithm is initiated by every node broadcasting its ID and certificate. Neighboring nodes thus construct a list of authenticated neighbors. After this phase, no node can join the neighborhood. The grouping algorithm itself starts with every node comprising its own group.
Then the process continues by recursive merging of the groups until the whole network comprises a single group. During the grouping algorithm, hierarchical network addresses are constructed, and forwarding is based on the address prefixes. After this procedure, each node possesses a routing table that maps address prefixes to neighboring nodes. To make routing resilient, multiple routing entries can be maintained for routing into a subgroup. Thus a node can choose between multiple paths.

Besides the grouping algorithm, there are several additional techniques to detect malicious behavior, eliminate the malicious node and recover the normal state. The Grouping Verification Tree (GVT) algorithm detects malicious behavior during the recursive grouping algorithm. It is based on the Merkle hash tree [Mer80], which provides authentication of the leaves given an authentic root, and validation of the tree construction given authenticated leaves. GVT exploits the authenticated challenges C_k and prevents a malicious node from joining the group or corrupting the grouping algorithm. GVT can be extended to verify the neighbor lists of a node or to verify the address of a particular node.

The routing protocol implements a distributed detection algorithm [PPG05] for the detection of a node claiming multiple identities or replaying the packets broadcast in the first phase. A simple algorithm (HoneyBee) is used to eliminate such nodes. A legitimate node that has detected the malicious one sacrifices itself. It floods its own ID together with the malicious node's ID in an authenticated way. Both referred nodes are revoked.

The security of this algorithm is ensured by running authenticated neighborhood discovery and by the GVT algorithm, which detects possible tampering. The recursive grouping algorithm runs deterministically and is protected by GVT, hence it prevents an intruder from altering the resulting topology. The Sybil attack is prevented using unique node IDs and certificates signed by the trusted authority. The multiple path variant is also fault tolerant and robust. The algorithm itself cannot cope with a wormhole. To overcome this, the authors suggest integrating one of the wormhole detection algorithms.

We consider the Clean-slate approach innovative due to its efficient use of asymmetric cryptography. On the other hand, we are still not fully convinced that it is necessary to employ asymmetric cryptography. Even though it is relatively efficient, it still remains costly. Moreover, nodes need to maintain routing tables, merge tables and challenge constants in memory. This algorithm consumes a lot of the node's resources. We rate this as the biggest weakness of the algorithm.
To be really secure, the algorithm has to integrate many additional mechanisms; this fact also degrades the usability of the algorithm. Regarding benefits, this protocol is designed to route between any pair of nodes, whereas the vast majority of routing schemes relax this traffic pattern. This predestines the technique for specific applications where such a pattern is needed.

Chapter 4

Introduction to Evolutionary Algorithms

In this thesis, we try to automatically generate attack strategies on routing algorithms for WSNs. We have decided to employ evolutionary algorithms for this purpose. Evolutionary algorithms are stochastic search algorithms inspired by biological evolution. In order to find the optimal solution, evolutionary algorithms employ the basic mechanisms of evolution. They work with a set of individuals (denoted as the population), in which each individual represents a possible solution. From these individuals, new ones are created using the operations of mutation, crossover and reproduction. The quality of the new individuals is evaluated by the fitness function. The new population is then sieved by natural selection, which is based on the fitness function. Natural selection decides which individuals will be reproduced (and thus have their capabilities and features used in further generations) and which will be forgotten. This process is repeated until a good enough solution is found. Details on the evolutionary mechanisms follow.

4.1 Population of individuals and their representation

Most algorithms for solving optimization problems work with a single candidate solution at a time. Evolutionary algorithms work with a population of candidate solutions instead. This enables a parallel search for the solution and the natural selection mechanism. The number of candidate solutions in the population has a significant impact on the convergence towards the optimal solution and is typically set by an expert. Another key factor of the evolution progress is the representation of the candidate solutions, which is denoted as the genome. In linear genetic programming [BNKF98], which is the technique we use in this work, the genome consists of a sequence of instructions. Another common genome structure is the tree-based structure used in genetic programming [Koz92].

4.2 Genetic operators

In order to work, evolution has to have mechanisms that ensure replication of individuals and that introduce new abilities to them. The replication of individuals is provided by the replication operator, which simply copies the individual, and by the crossover operator, which combines different parts from two or more individuals into a single one. In specific settings, crossover can take over the task of replication. New properties are introduced to an individual by the mutation operator. Mutation modifies the genome of the individual by replacing some parts of the genome with newly generated ones.

4.3 Fitness function and selection operator

The crucial part of the evolution process is natural selection. It decides which individuals are replicated or modified and which are removed from the population. In evolutionary algorithms, the selection is based on the output of the fitness function. The fitness function captures the relation between the candidate solution and the optimal solution for the problem in question. It expresses the quality of the candidate solution with respect to the desired goal and provides feedback to the evolution.

The fitness function has to be graded with sufficient granularity to be able to distinguish the quality of two similar individuals. If it is not, the search process can degrade to a random search. For example, suppose we have only a binary fitness function, which outputs 1 if the solution succeeds and 0 if not. Then, until the optimal solution is found, all candidate solutions have the same quality and hence the selection is completely random. This results in a random search. The fitness function must also be fast to compute. This condition is purely practical, because in the evolution process we have to be able to evaluate a large number ( ) of candidate solutions in a reasonable time.
The fitness function leads the evolution to the intended goal; thus we set the subject of the search by defining the proper fitness function. Note that some problems cannot be solved using evolutionary algorithms, because we are not able to define a fitness function satisfying the above properties, especially gradation.
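
The effect of fitness granularity described above can be observed on a neutral toy problem, evolving a bit string towards a fixed target. This is an added example, not code from the thesis; the target, the population size, the mutation rate and the tournament selection are constructed assumptions.

```python
import random

# Constructed 32-bit target standing in for "the optimal solution".
TARGET = [1, 0, 1, 1, 0, 0, 1, 0] * 4


def graded_fitness(genome, target):
    """Number of matching positions: similar individuals get different scores."""
    return sum(1 for g, t in zip(genome, target) if g == t)


def binary_fitness(genome, target):
    """1 only for a complete match, 0 otherwise: no gradient to follow."""
    return 1 if genome == target else 0


def mutate(genome, rng, rate):
    """Flip each bit independently with the given probability."""
    return [1 - g if rng.random() < rate else g for g in genome]


def evolve(fitness, target, rng, pop_size=20, max_generations=500):
    """Return the generation in which the target was found, or None."""
    n = len(target)
    population = [[rng.randint(0, 1) for _ in range(n)] for _ in range(pop_size)]
    for generation in range(max_generations):
        scored = [(fitness(ind, target), ind) for ind in population]
        best = max(scored, key=lambda s: s[0])[1]
        if best == target:
            return generation
        next_population = [best]                 # elitism: keep the best as is
        while len(next_population) < pop_size:
            a, b = rng.choice(scored), rng.choice(scored)
            parent = a[1] if a[0] >= b[0] else b[1]   # tournament of two
            next_population.append(mutate(parent, rng, 1.0 / n))
        population = next_population
    return None


if __name__ == "__main__":
    print("graded:", evolve(graded_fitness, TARGET, random.Random(1)))
    print("binary:", evolve(binary_fitness, TARGET, random.Random(1)))
```

With the binary function every tournament is a tie until the target is hit by chance, so the run is a random walk over 2^32 genomes and exhausts its budget.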

Chapter 5

Automatic design of attack strategy

In this work, we examine the security of routing protocols for wireless sensor networks. We aim to design an automatic method for generating attack strategies on these protocols. Such a method can help us reveal, understand and counter potential weaknesses.

There is a significant asymmetry between designing a secure system and attacking such a system. The designer of a system has to consider and prevent all possible strategies, whereas the attacker needs to employ only one of those strategies to be successful. This is analogous to an exhaustive search through the whole search space versus a guided search through a part of the search space. The exhaustive search is practically impossible in our case, because the space of possible attack strategies is extremely large. Thus, we have decided to employ a guided search and try to find at least some attack strategies. We are aware of the fact that the chosen approach cannot prove the security of a system, even in case no attack strategy is found. However, it can help to secure the system by revealing its potential weaknesses.

5.1 Related work

So far, there have been several proposals for the use of automatic attack generation. Automatic attacks were mainly used in relation to Intrusion Detection Systems (IDS). Automatic generation of attack graphs² using symbolic model checking algorithms was proposed in [SHJ+02]. Construction of attack graphs is a crucial part of the vulnerability analysis of a network. In [MGL+06], a virtual network infrastructure is proposed that is able to generate a testing data set. This set would be further used for the evaluation and testing of intrusion detection systems.

2. An attack graph is the data structure used to represent all possible attacks on the network [SHJ+02].

Polymorphic blending attacks (PBA) can be used to evade some payload-based intrusion detection systems. The principle of PBA is to transform the attack packets into a form that matches the normal packet profile and thus evades the IDS. In [FL06], the authors propose to use hill climbing for automatic generation of PBA instances, given the IDS and a particular attack.

A combination of evolutionary algorithms and a network simulator was also successfully used to produce a defensive strategy. A secrecy amplification protocol for WSNs [SM07] was evolved. This protocol might significantly increase the resiliency of link keys against the link compromise attack.

5.2 Basic concept

The basic concept for automatic design of attack strategies is a result of joint work with my advisor Petr Švenda. It combines an automatic attack strategy generator with a simulator or a real system to generate and evaluate a large number of potential attack strategies. In this thesis we use this concept to automatically generate attack strategies on routing protocols. The basic concept consists of the following five steps:

1. Execution of the X-th round of the generator, which produces an attack strategy in a metalanguage.
2. Translation from the metalanguage into a domain language.
3. Strategy execution (either by a simulation or in a real system).
4. Evaluation of the fitness function (obtaining the attack success value).
5. Proceeding to the (X+1)-th round.

We have to seed the generator with a set of elementary rules before the actual process of attack generation begins. These rules are the basic building blocks of the attack strategy. This action is viewed as step 0. We will discuss all steps in detail. Since this work examines secure routing for WSNs, we use examples from this area.

Elementary rules

Prior to the actual generation process, we have to define elementary rules, which act as building blocks for new attack strategies. To do so, we first observe the attacked system and look for the ways in which an attacker could influence it. For example, he can intercept, send or generate a message.
These methods are then decomposed into elementary rules, such as intercept a message from node X, change parameter X of the message or generate a particular message. The granularity of these rules is a very important factor. The more detailed the rules are, the greater the possibilities of the generator. On the other hand, the search space of attack strategies also becomes larger. We divide the granularity into three levels. Note that these levels are not strict and depend on the viewpoint. In one scenario we consider something a primitive attack, whereas in another scenario it is only an elementary rule of high granularity, and vice versa. Moreover, we can use both primitive attacks and detailed elementary rules in a single scenario.

Figure 5.1: Basic concept for automatic attack generation. An attack strategy in the metalanguage is generated from elementary rules. The strategy is translated into the language of the evaluation environment (simulator, real system). During evaluation of the attack strategy, statistics are collected. These statistics are used for the computation of the fitness function, which quantifies the success of the strategy and provides a guideline to the generator.

- Recombination of primitive attacks - if we take known primitive attacks (sequences of elementary rules) as elementary rules, we can generate new attacks by recombining these known attacks. This can significantly speed up the generation process, because known constructions need not be generated from scratch. On the other hand, novel primitive attacks cannot be generated. For example, an elementary rule can be replay message, delay message or drop message.
- Optimization of known attacks - we already have an attack strategy (e.g., compromise a node and extract its keys) and we want to optimize its parameters (e.g., which nodes should be compromised). In this case, the elementary rules represent the parameters.
- Novel attacks - if the elementary rules are detailed enough, the generator can combine them into a completely novel attack. These rules should represent all the basic actions an attacker can perform. For example, intercept a message or even modify the X-th bit of the message.

In this work, we will try to define high granularity rules and generate novel attacks.

Generation of attack strategy

The generator constructs the attack strategy from the elementary rules. One of the following techniques can be used for the construction.

- Random search - elementary rules are randomly combined into an attack strategy. No information about previously generated attack strategies is used in the generation process.
- Exhaustive search - all possible combinations of elementary rules are generated. This technique finds the optimal attack strategy that can be constructed from the elementary rules. Exhaustive search is not convenient for large search spaces, which is our case.
- Educated guess - an expert combines elementary rules into a possibly successful attack strategy. Information about previously generated attack strategies can be used to speed up the process.
- Guided search - a new attack strategy is a modification of a previously generated attack strategy. Information about the quality of the previous attack strategy is available and is used to shape the new attack strategy. Representatives of guided search are, for example, hill climbing³ or evolutionary algorithms. We use evolutionary algorithms to generate attack strategies in this work.
3. Hill climbing is an optimization algorithm. It starts with a random solution and gradually improves this solution by making small changes to it.

5. AUTOMATIC DESIGN OF ATTACK STRATEGY

Translation

Elementary rules and the resulting attack strategies are written in a metalanguage that is suitable for the generator. In most cases, however, this language cannot be interpreted by a simulator or a real system. Therefore we have to translate the attack strategy in order to execute it on the simulator. Note that we can use multiple simulators or real systems, which use different languages, with a single generator. In that case, translation into multiple languages is necessary.

Strategy execution

The attack strategy is executed in the simulator or real system. The statistics from the simulator or real system are used as an input of the fitness function, which evaluates the success of the attack strategy. For example, the statistics can include the average length of the message route or the number of delivered messages. The possibility of using a real system for the evaluation of the attack strategy can be very useful: no abstraction is used, and the generated attack strategies can exploit, for example, bugs in a particular real system implementation.

Fitness function evaluation

In our concept, the feedback about the attack strategy success is very important, especially if a form of guided search is used for attack strategy generation. This feedback is provided by the fitness function⁴, which evaluates the quality of the attack strategy. Note that the fitness function determines the attacker's goal. For example, if the goal is to decrease the network lifetime, the fitness function can be defined as the inverse value of the remaining energy. Thus, having elementary rules, translation rules and a simulator, we can generate attack strategies with different goals by switching the fitness functions.

4. The term fitness function is borrowed from the terminology of evolutionary algorithms. In contrast to the original fitness function used in evolutionary algorithms, our fitness function does not need to fulfill all its properties. Properties of the original fitness function are discussed in section

5.3 Concept realization via evolutionary algorithms

Now we demonstrate the practical use of the basic concept. Due to our focus, we aim to generate attack strategies on routing protocols for wireless sensor networks. The ultimate goal of our effort is to generate a successful attack strategy on a secure routing protocol that would reveal a conceptual weakness of the protocol. However, we are aware of the high complexity and hardness of achieving such a goal, so we first focus on insecure protocols with known weaknesses. The attack strategy generator should be able to reveal these weaknesses and to generate appropriate attack strategies.

We have chosen two insecure routing protocols: Minimum cost forwarding, described in section 5.4.1, and Implicit geographic forwarding, presented in section. The first was chosen because it represents a widely used class of routing protocols that construct a minimum spanning tree as a routing structure. It also has several documented weaknesses which are easy for a human expert to find. The second protocol is more robust and incorporates randomness into the routing process. However, this protocol also contains weaknesses that can be turned into a successful attack. Another reason for choosing IGF is that it can be easily upgraded to one of the security levels of SIGF. We could thus potentially analyze what impact the attack strategy generated for IGF has on its secured version, SIGF.

A particular instance of the basic concept is shown in figure 5.2. Following the basic steps of the concept, we first define the elementary rules. These rules are strongly dependent on the attacker's abilities. Therefore, prior to the elementary rules definition we have revised the attacker model in section. There are two kinds of elementary rules, triggers and instructions. Details are presented in the subsequent section. We employ evolutionary algorithms as the attack strategy generator. We do not need a translation step, because the simulator was designed to accept the output of the generator. For routing simulation we have extended the Sensor Security Simulator.
The feedback is provided by one of the four fitness functions we have implemented. Each fitness function guides the evolution to a slightly different attack strategy with a different goal. Details on the implementation and the Sensor Security Simulator follow in subsequent sections.

Figure 5.2: A particular instance of the basic concept. Evolutionary algorithms are used as the attack strategy generator. The translation step is omitted, because the simulator accepts the generator's output. The generated attack strategy runs on Sensor Security Simulator. Statistics include the total number of generated messages, the number of delivered messages and many others. One of the fitness functions evaluates the attack strategy success.

Attacker model revised

To clarify the attacker's capabilities, we have to define an attacker model. We have revised and extended Karlof's attacker model, described in section, for this purpose. We assume that our attacker is authorized to take part in the routing process and can thus mount insider attacks. This state can be achieved by capturing a legitimate node. However, an outsider attacker can also have abilities similar to an insider attacker under some conditions. This is caused by the nature of the wireless medium and the fact that the attacked protocols do not employ cryptographic mechanisms for ensuring confidentiality, authenticity and integrity. Therefore, if no link layer encryption is implemented, an outsider attacker can act as an insider in our case.

Our attacker falls into the category of mote-class attacker. We further divide this category into three subclasses for our purpose: Single node attacker, Multiple nodes attacker with homogeneous strategy and Multiple nodes attacker with heterogeneous strategy.

Single node attacker controls only one node. Thus only one instance of the attack strategy is executed at a time.

Multiple nodes attacker with homogeneous strategy controls multiple nodes and each one of these nodes executes the same attack strategy. Thus there are multiple similar attack strategies running at a time.

In the simplest case, this attacker is nothing more than multiple instances of the single node attacker. But the attack strategy can leverage the knowledge that there are several malicious nodes and implement some sort of cooperation between them.

Multiple nodes attacker with heterogeneous strategy controls multiple nodes. These nodes are divided into groups and each group acts as a multiple nodes attacker with homogeneous strategy. The advantage is that each group can run a different attack strategy, and these attack strategies can be designed to cooperate and support each other. So at the end we get several cooperating attackers. For example, suppose there are 2 groups of malicious nodes denoted as A and B. Then the attack strategy of group A can redirect the traffic to the malicious nodes of group B, which, according to their attack strategy B, drop the packets.

In our practical work, we are not interested in the laptop-class attacker. However, we can extend our attack strategy generator to generate attack strategies for the laptop-class attacker by defining additional elementary rules (and thus giving the attacker more capabilities).

Evolutionary algorithms and genome structure

As we have stated, we apply evolutionary algorithms to generate attack strategies. We have chosen the open source library GAlib⁵ for the practical implementation of the evolution process. It is written in C++ and supports multiple genome representations and genetic operators. One of the key parameters of evolution is the representation of the genome. In our case, the genome stands for an attack strategy. In linear genetic programming, the genome is usually represented as a sequence of instructions. This is not totally suitable for our problem, so we have extended this representation. An attack on routing is not typically represented as a sequence of steps executed one by one, but rather as steps triggered by various events.
Therefore we have decided to represent the strategy as a composition of substrategies. These substrategies can be executed in an arbitrary order. The execution of a substrategy is triggered by the event corresponding to the substrategy. Hence the genome is a two-dimensional array, where each row represents a substrategy. Each substrategy begins with its trigger. The genome structure is shown in figure 5.3 in black. The gray color demonstrates the possible three-dimensional genome, which can represent the attack strategy of the Multiple nodes attacker with heterogeneous strategy. Each two-dimensional layer acts as a strategy for one group of malicious nodes. The three-dimensional genome structure enables us to generate multiple cooperating strategies.

5. (May 2008)

Figure 5.3: Genome structure. The black color describes the single attack strategy. Each row represents a substrategy. The first slot contains the trigger, subsequent slots contain a sequence of instructions. The gray color demonstrates the possible three-dimensional genome representing the attack strategies of the Multiple nodes attacker with heterogeneous strategy.

Now we present the structure of triggers and instructions. Our model of a node contains several memory slots, which are used for temporary storage of messages and identities of nodes. In order to address these memory slots, instructions include one or more parameters. For example, an instruction can be defined as INS_SEND_M P1, which means: send the message stored in memory slot P1. In addition to these parameters, we have incorporated a mechanism of conditional execution of instructions and triggers. Each node contains so-called condition memory slots (cms). These slots contain a numeric value, which acts as a basis for the condition. An instruction thus has two additional parameters: cms addresses the condition memory slot and cv denotes the condition value. If the condition value is less than the value in the addressed condition memory slot, the instruction is executed, otherwise not. If cms refers to condition memory slot number 0, the instruction is executed no matter the condition value. Values in condition memory slots can be automatically decremented by the node or manipulated by special instructions. The same holds for triggers as for instructions. If the trigger is not executed, the whole corresponding substrategy is also skipped. We have designed the condition mechanism to enable complex dependencies between various events, instructions and triggers. Each node is also equipped with temporary memory, which is used for handling incoming messages or messages loaded from memory slots.

As elementary rules for generating the attack strategy on IGF, we have defined the following triggers and instructions. We aimed to create high granularity rules, which could lead to the generation of a completely novel attack.

Triggers

The majority of triggers contain the parameters cms and cv described above. We briefly describe the event which triggers the strategy execution.

TRIG_NOP - no operation trigger, the corresponding substrategy is never executed
TRIG_TIME p1 - time trigger, the substrategy is repeatedly executed each p1 time units (let's say milliseconds)
TRIG_DATA cms cv - data message not addressed to the malicious node was overheard
TRIG_DATA_ME cms cv - data message was delivered to the malicious node
TRIG_ORTS cms cv - Open RTS was received
TRIG_CTS cms cv - CTS message not addressed to the malicious node was overheard
TRIG_CTS_ME cms cv - CTS message was delivered to the malicious node
TRIG_ACK cms cv - acknowledgement not addressed to the malicious node was overheard
TRIG_ACK_ME cms cv - acknowledgement was delivered to the malicious node
TRIG_COLLISION cms cv - collision on the medium was detected
TRIG_RNG cms cv p1 - the substrategy is executed with probability p1

Instructions

All the instructions, except the no operation instruction, contain the parameters of the condition mechanism, cms and cv, described above. Each instruction also includes a boolean switch, which determines whether the instruction will be executed or not. This switch makes it possible to temporarily prune away the instruction and helps in the pruning process (discussed in section 5.4).

INS_NOP - no operation
INS_DROP_M cms cv p1 - drop message from memory slot p1
INS_SEND_M cms cv p1 - send message from memory slot p1
INS_STORE_M cms cv p1 - store message from temporary memory into memory slot p1
INS_LOAD_M cms cv p1 - load message from memory slot p1 into the temporary memory
INS_GENERATE_M cms cv p1 p2 p3 - generate message and store it into memory slot p1; p2 denotes the type of the generated message (ORTS, CTS, ACK, DATA); the destination of the message is loaded from memory slot p3
INS_SEND_ORTS cms cv - send Open Request To Send
INS_SEND_ACK cms cv p1 - send acknowledgement, destination is loaded from memory slot p1
INS_SEND_CTS cms cv p1 - send CTS, destination is loaded from memory slot p1
INS_GET_N cms cv p1 p2 p3 - get information from the message stored in memory slot p1; p2 denotes the type of the information (ultimate source, ultimate destination, transmitting node, receiving node); store the information into memory slot p3
INS_FAKE_N cms cv p1 p2 p3 - forge information in the message stored in memory slot p1; p2 denotes the type of the information (ultimate source, ultimate destination, transmitting node, receiving node); load the information from memory slot p3
INS_SET_CMEM cms cv p1 p2 - set the value in condition memory slot p1 to value p2
INS_ADD_CMEM cms cv p1 p2 - add the value p2 to the value stored in condition memory slot p1
INS_SUB_CMEM cms cv p1 p2 - subtract the value p2 from the value stored in condition memory slot p1

Our evolution process involves two genetic operators, crossover and mutation. Crossover derives two new genomes (offspring) from two existing ones (parents). We have implemented one-point crossover. Both parents are split at the same point. One offspring inherits the first part from one parent and the second part from the other. The second offspring inherits the remaining parts. The point of splitting is chosen randomly, but has to respect the boundaries of substrategies. Hence the point is between two substrategies. We used crossover probabilities ranging from 0 (no crossover) up to 0.5, which means massive crossover. Note that crossover can substitute for the reproduction operator, which we therefore have not implemented.

Mutation simply goes through the genome elements (triggers, instructions and all the parameters and switches) and randomly changes each one with the probability of mutation. This probability is fixed for the whole evolution process; we used both massive mutation (probability 0.1) and normal mutation (probability 0.01). After the actual mutation, we performed a validation step to validate the resulting genome. Unwanted constructions can be removed from the genome in this phase. We are thus able to ban some kinds of attacks.

Regarding the population size, we have tried a small population of 5 individuals as well as a larger population of 20 individuals. Natural selection was based on the fitness function. The one third of individuals with the best fitness value became the parents of the new generation.

Network simulator

Generated attack strategies are evaluated using the wireless sensor network simulator Sensor Security Simulator [SM07].
This simulator was developed at FI MUNI for security analysis of key distribution protocols for WSNs. It supports evolutionary algorithms; the GAlib package is included. We have extended Sensor Security Simulator with advanced support for routing protocols, including the time dimension of routing. We have also implemented two routing protocols: Minimum Cost Forwarding (details in section 5.4.1) and Implicit Geographic Forwarding (details in section 3.3.1). The implementation was designed to support the execution of generated attack strategies. Furthermore, it accepts the language of the attack strategy generator, thus no translation of the generated attack strategy is needed.

One of the goals of the implementation was high performance of the simulator, because we needed to evaluate a large number of attack strategies in reasonable time. Hence the simulator contains some level of abstraction; for example, the time of the message transmission between two nodes is constant. However, we believe that this abstraction should not have much impact on our aims. We have also considered the possibility of using an existing simulator such as the NS-2 simulator [NS08]. But these simulators are mainly designed to emulate real conditions as closely as possible and thus are significantly slower than our simulator.

Fitness functions

In order to successfully use evolutionary algorithms, it is necessary to find an appropriate fitness function. We have implemented four different fitness functions. Each represents a slightly different attacker's goal.

number of delivered messages - the fitness value is computed as a fraction of all generated messages and messages delivered to the base stations. This value reflects the ability of the attacker to deny the service and disrupt the message availability.

number of messages passing through malicious nodes - the fitness value equals the number of legitimate messages (not generated by the attacker) that passed through the malicious nodes. Each message is counted only once, although it may pass through many malicious nodes. The value indicates the ability of the attacker to attract the traffic and include itself in the path of the data flow. An attacker controlling the data flow may effectively eavesdrop or perform selective forwarding.

length of the path - the average physical length of the path taken by legitimate messages. The attacker may extend the length of the path to increase the latency and involve more nodes in the routing process, thus bringing in inefficiency and energy wastage.

length of the path in unique hops - the average path of the legitimate messages counted in unique hops. The goals of this attacker are similar to the goals of the previous one. However, the previous fitness function could trade on loops in the routing scheme. Since such loops could be detected, we have decided to implement a fitness function that does not support creating loops. Another difference is that this function reflects only the length in hops, whereas the previous one includes the physical length of the path no matter the hop count.

The design of a proper fitness function is often a matter of intuition and educated guess, at least in the initial phases of the design process. Some fitness functions can turn out to be inconvenient after some time. Experience is very important and may lead to further improvement of the fitness function. We have decided to implement our fitness functions because we felt they could express the attacker's gradual progress.

5.4 Results

We have tried to generate attack strategies on two insecure routing protocols, Minimum Cost Forwarding and Implicit Geographic Forwarding. The granularity of the elementary rules corresponded to the level suitable for generating novel attack strategies.

Prior to the presentation of results, we have to admit that we have understood only a fraction of all generated strategies and we were not able to fully analyze the results. It is extremely hard in general to understand the outcome of evolutionary algorithms. We have implemented pruning, a common technique that helps to analyze the results of evolution. It prunes out the instructions which have no impact on the fitness value. Our analyses are further based on statistics from the simulator. We have also implemented a simple graphical interface to display the deployment of the network.

We took into account two types of attacker: Single node attacker and Multiple nodes attacker with homogeneous strategy. However, we were not able to distinguish fundamental differences in the resulting strategies for the two attackers.
The impact of the discovered attacks was more or less proportional to the number of malicious nodes involved in the attack. We have not detected any interconnection between the actions of malicious nodes (which unfortunately does not mean there are no such interconnections). Thus we will discuss the results without respect to the number of malicious nodes.
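The four fitness functions defined in the Fitness functions section can be computed from per-message path records, as in this added example (not code from the thesis or from Sensor Security Simulator). The record format, the coordinates, the reading of a "unique hop" as a distinct undirected link, and averaging path lengths over delivered messages only are assumptions. The second record set shows why a path-length metric should be read together with the delivery fraction: dropping a short-distance message raises the average length.

```python
import math
from dataclasses import dataclass

# Constructed node coordinates; node 0 is the base station.
POSITIONS = {0: (0, 0), 1: (3, 0), 2: (3, 4), 3: (6, 4), 9: (6, 0)}
MALICIOUS = frozenset({1, 9})      # constructed set of attacker-controlled nodes


@dataclass(frozen=True)
class MessageRecord:
    """Path of one legitimate message, as a simulator might log it (assumed format)."""
    path: tuple        # node ids in the order the message visited them
    delivered: bool    # True if the message reached the base station


def physical_length(path, positions=POSITIONS):
    """Sum of Euclidean distances of every transmission, loops included."""
    return sum(math.dist(positions[a], positions[b]) for a, b in zip(path, path[1:]))


def unique_hops(path):
    """Number of distinct undirected links used; a loop over one link counts once."""
    return len({frozenset(hop) for hop in zip(path, path[1:])})


def fitness_values(records, malicious=MALICIOUS):
    """Return the four metrics; averages are taken over delivered messages (assumption)."""
    delivered = [r for r in records if r.delivered]
    n = len(delivered)
    return {
        "delivered_fraction": n / len(records),
        # each message counts once, however many malicious nodes it visits
        "through_malicious": sum(1 for r in records if malicious & set(r.path)),
        "avg_physical_length": sum(physical_length(r.path) for r in delivered) / n if n else 0.0,
        "avg_unique_hops": sum(unique_hops(r.path) for r in delivered) / n if n else 0.0,
    }


# Constructed statistics: a normal route, a route with a loop between nodes 1 and 2,
# a message dropped at malicious node 9, and a short direct delivery.
BASELINE = [
    MessageRecord((3, 2, 1, 0), True),
    MessageRecord((2, 1, 2, 1, 0), True),
    MessageRecord((3, 9), False),
    MessageRecord((2, 0), True),
]
# Same traffic, but the short message is now routed to node 1 and dropped there.
AFTER_DROP = BASELINE[:3] + [MessageRecord((2, 1), False)]

if __name__ == "__main__":
    for name, records in (("baseline", BASELINE), ("after drop", AFTER_DROP)):
        print(name, fitness_values(records))
```

The looped route is longer than the normal one in physical length (15 against 10) but shorter in unique hops (2 against 3), which is the difference between the two path-length functions.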

5.4.1 Minimum Cost Forwarding

We first briefly describe the protocol and review its security weaknesses. Minimum Cost Forwarding [YCLZ01] is a simple routing technique which indirectly constructs a minimum spanning tree routing structure. The routing is based on cost fields (the cost of the optimal path from a node to the base station) established by periodic broadcast of beacons. The process starts at the base station, which broadcasts its cost field 0. Nodes in the range of the broadcast set their cost field to the sum of their own cost (e.g. remaining energy, latency, ...) and the broadcast cost field. Then they broadcast their own cost field. Obviously, each node receives multiple different cost fields. A node only accepts a cost field that is equal to or lower than its previous one. In that case, the node modifies its cost field and starts a new broadcast. After some time, all nodes have their cost fields equal to the cost of the optimal path to the base station.

When a node generates a new message, it assigns a credit to that message. The credit equals the node's cost field minus the cost of the node. The message is then broadcast to all neighboring nodes. One of these nodes has a cost equal to the message credit. This node lies on the optimal path and thus forwards the message. First it modifies the credit of the message and then rebroadcasts it. The routing does not require the IDs of the nodes for routing purposes. The path of the message is optimal with respect to the costs of the nodes. Hence the routing structure forms a minimum spanning tree rooted at the base station. The initial flooding can be reduced by forcing the nodes to wait some time before rebroadcasting the beacon. They can obtain a lower cost during this time interval.

Karlof and Wagner [KW03] have analyzed the security of this protocol. It is obvious that an attacker can claim to be a base station and attract all traffic. A HELLO flood attack is also possible. The missing authentication is critical in this case. We suggest using the ARMS protocol for authentication of local broadcast. This could prevent HELLO floods, because each node knows its neighbors and messages are authenticated. It could also discourage the outsider attacker. If a node is compromised, it can easily advertise an extremely low cost path even when ARMS is implemented. However, such a node could be somehow detected by its neighbors and eliminated from the network. This possibility can be a subject of further research. Ideas from the SeRINS algorithm and its neighbor report system could be helpful.
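The cost-field establishment described above, and the limits of authenticated beacons noted in the security review, can be reproduced on a small model; this is an added example, not code from the thesis, from Minimum Cost Forwarding or from ARMS. The topology, the unit costs, the keys and the per-sender HMAC tag (a simple stand-in for authenticated local broadcast, not the ARMS construction) are all constructed assumptions.

```python
import hashlib
import hmac
import math
from collections import deque

# Constructed topology: BS - A - B - C - D in a line; X is a radio in range of C and D.
ADJ = {"BS": ["A"], "A": ["BS", "B"], "B": ["A", "C"],
       "C": ["B", "D", "X"], "D": ["C", "X"], "X": ["C", "D"]}
OWN_COST = {"A": 1, "B": 1, "C": 1, "D": 1}     # sensor nodes only, hop-count cost
# Constructed broadcast keys of legitimate nodes; the outsider X holds none.
KEYS = {n: hashlib.sha256(f"constructed-key-{n}".encode()).digest()
        for n in ("BS", "A", "B", "C", "D")}


def make_beacon(sender, cost, keys):
    """Beacon = (sender, cost field, tag); the tag is empty without a key."""
    key = (keys or {}).get(sender)
    tag = hmac.new(key, f"{sender}:{cost}".encode(), hashlib.sha256).digest() if key else b""
    return sender, cost, tag


def beacon_is_authentic(beacon, keys):
    sender, cost, tag = beacon
    key = keys.get(sender)
    if key is None:                       # unknown sender: not a legitimate neighbor
        return False
    expected = hmac.new(key, f"{sender}:{cost}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def establish_cost_fields(adj, own_cost, base, forger=None, keys=None):
    """Flood beacons until cost fields settle. keys=None models plain MCF;
    forger is a node that advertises cost field 0 as if it were a base station."""
    field = {n: math.inf for n in own_cost}
    field[base] = 0
    queue = deque([make_beacon(base, 0, keys)])
    if forger is not None:
        field[forger] = 0
        queue.append(make_beacon(forger, 0, keys))
    while queue:
        beacon = queue.popleft()
        sender, cost, _ = beacon
        if keys is not None and not beacon_is_authentic(beacon, keys):
            continue                      # authenticated variant drops the beacon
        for n in adj[sender]:
            if n not in own_cost or n == forger:
                continue                  # base station, outsider and forger do not update
            candidate = own_cost[n] + cost
            # Strictly lower, so the flood terminates; an equal cost changes nothing.
            if candidate < field[n]:
                field[n] = candidate
                queue.append(make_beacon(n, candidate, keys))
    return field


def lowered_nodes(honest, observed, forger):
    """Nodes whose cost field was pulled below its honest value by the forger."""
    return sorted(n for n in honest if n != forger and observed[n] < honest[n])


HONEST = establish_cost_fields(ADJ, OWN_COST, "BS")

if __name__ == "__main__":
    cases = (("plain MCF, outsider X", "X", None),
             ("authenticated, outsider X", "X", KEYS),
             ("authenticated, compromised C", "C", KEYS))
    for label, forger, keys in cases:
        observed = establish_cost_fields(ADJ, OWN_COST, "BS", forger, keys)
        print(label, lowered_nodes(HONEST, observed, forger))
```

Authentication removes the outsider's influence, while the compromised node C still lowers the cost fields of B and D, which is the residual risk left to neighbor-based detection.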

Several basic attacks were discovered by our mechanism.

Forging beacons

The generated attack strategy exploited the fundamental weakness of the algorithm. An attacker based on this strategy impersonated the base station by sending a beacon packet with the cost field equal to 0. We consider this result trivial, because one of the instructions was SEND_BEACON with the parameter cost field. However, the attacker understood the need to broadcast a low cost field. This attack was extremely powerful and stopped further evolution. New individuals were always getting back to this solution. We thus decided to ban broadcasting cost field 0, but the attacker kept broadcasting as low a cost field as possible. Finally we banned the instruction SEND_BEACON completely.

The attacker, who was not able to generate fake beacons, came up with a replay attack. After obtaining a beacon from his neighbor, he immediately forwarded it without proper modification of the cost field. Hence he was able to decrease his real cost field. In this case, the impact on routing was not so dramatic.

Selective forwarding

Evolution also generated an attack strategy capable of dropping messages passing through the malicious nodes. This can be classified as a selective forwarding or blackhole attack. The attacker found several techniques for dropping messages. The basic one is using the simple DROP_MESSAGE instruction from the set of elementary rules. But he was also able to find a more complicated mechanism for dropping messages. He first stored the message into a memory slot without forwarding it. Subsequently he overwrote the memory slot with another message. This approach is indeed complicated and unnecessary, but it demonstrates the capability of evolutionary algorithms to come up with several procedures to achieve the same goal.

Dropping messages occurred in strategies whose evolution used the fitness function based on the number of delivered messages. This result was expected. However, it also became the basic principle of the strategies which tried to extend the path of the messages. This holds for both fitness functions including the length of the path. The attacker tried to maximize the average length of the path by dropping messages which traveled only short distances.

To evolve these attack strategies, we have used three basic settings. The first setting has a fixed network topology and message flows. Thus the attacker is able to identify messages which travel only short distances by trying to drop them. The fitness value provides him with feedback on how the average length has changed. In the next generation, the attacker can try to drop another message. The attacker is thus learning the flows of data during the evolution. The ability of the attacker to adapt the strategy to the concrete topology and traffic pattern can be classified as a success. There can be applications with a priori known and fixed data flows and topology. In such a scenario, the attacker can optimize itself to achieve optimal results.

Another setting used a random topology and data flow for each attack strategy. This setting was not suitable for evolution. The fitness value achieved by an individual was highly dependent on the topology generated. Hence even a poor individual was able to achieve a good fitness value in a specific run of the simulator. This led to varying fitness values and elimination of good individuals.

The last setting uses a set of multiple different topologies and data flows for the evaluation of a single attack strategy. We expected a downgrade of the fitness value, because evolution could not optimize the strategy for a specific pattern. This expectation was confirmed. However, the evolution was still able to find at least some strategy for dropping the messages which improved its fitness value.

These results have confirmed the predominating opinion that evolutionary algorithms are primarily suitable for simple optimization problems. We see great potential in this. We should focus more on optimization-like problems in the future.

Attacks revealed by evolution have confirmed the weakness of IGF, which is the missing authentication of messages and check of their integrity. The replay attack also drew attention to the problem of message freshness. Possible countermeasures were discussed above.

Implicit Geographic Forwarding

Evolution was also successful in generating attack strategies on IGF. Implicit geographic forwarding is described in section. Elementary rules used for the evolution of attack strategies aimed at IGF are presented in section

Rushing attack

We have defined four different fitness functions. Each one stands for a slightly different attacker's goal. However, all these goals have some sub-goals in common. One of these sub-goals is to attract as much traffic as possible. Therefore the evolution has developed an attack strategy which mounts a so-called rushing attack. This attack is one of the known attacks on IGF and its goal is to attract the traffic flowing through the neighboring nodes. The malicious node does not respect the CTS timer and immediately answers the Open RTS. Thus the sender chooses him as the next hop. The generated strategy consists of five substrategies. The pruned substrategy describing the rushing attack is shown in figure 5.4. There are 4 instructions in the substrategy, however only 3 of them form the rushing attack. The extra instruction is LOAD_M, which loads the message into temporary memory. Unfortunately we were not able to identify the purpose of this step. The message stored in the temporary memory may be sent by another substrategy or used to overwrite the memory slot. We consider this attack a nice example of evolution capabilities.

Figure 5.4: Rushing attack. The action is triggered by an incoming Open RTS message M. This message is stored into message memory slot 1. Then M is loaded from the slot into temporary memory. The instruction GET_N extracts from the message in slot 1 the ID of the sender (0) and stores it into identity memory slot 1. The last instruction sends the CTS message to the ID from identity memory slot 1. We were not able to identify the purpose of loading the message into the temporary memory.

The problem of the rushing attack is addressed and solved in SIGF. The sender waits for multiple CTS messages and selects one of them. The selection can be random or based on a reputation system.

MAC layer jamming

IGF is integrated into the RTS/CTS handshake, thus the elementary rules contain instructions such as SEND_ORTS and SEND_CTS, which enable the attack strategy to control the medium access. Evolution exploited these instructions to cause collisions on the medium. Two or more packets have to be sent during a short time period (during one substrategy) to block the medium for all neighboring nodes. This fact led to a DoS attack strategy which totally crippled the neighborhood. The probability that this attack occurs in the substrategy is very high, and the blocked medium can limit the attacker as well, not only his neighbors. We have thus banned this kind of attack.

In the new settings, attack strategies could send just a single message at a time. This was exploited to selectively corrupt communication and thus to perform selective forwarding (dropping). The attacker sent a message at the time another node was transmitting. The impact was the same as in the case of IGF and selective forwarding. The evolution started to optimize the occurrence of collisions to achieve the best fitness value. The same settings of topology as for IGF were tested and the results were similar.

These attacks exploited the properties of the physical layer. The majority of routing protocol designs neglect this kind of attack and let the lower layers solve it. However, IGF and also SIGF are integrated into the RTS/CTS handshake and cannot be built on a different MAC protocol. We consider this a weakness of both IGF and SIGF. No robust MAC protocol can be used with them. However, local jamming attacks decrease the performance of all MAC protocols and therefore this weakness should not be taken as critical.
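The SIGF countermeasure to the rushing attack described above (wait for multiple CTS messages, then select one at random) can be quantified with a small model, given here as an added example that is not code from the thesis, IGF or SIGF. The three honest candidates, the honest CTS delay range and the collection window are constructed assumptions.

```python
import random

HONEST = ["n1", "n2", "n3"]     # constructed candidate next hops
RUSHER = "rusher"               # node that ignores the CTS timer


def cts_responses(rng):
    """(delay_ms, node) pairs answering one Open RTS.

    Honest nodes wait out a CTS timer, modelled as uniform in 1..10 ms
    (constructed range); the rushing node answers with no delay.
    """
    responses = [(rng.uniform(1.0, 10.0), node) for node in HONEST]
    responses.append((0.0, RUSHER))
    return responses


def igf_select(responses):
    """IGF behaviour as described in the text: the first CTS wins."""
    return min(responses)[1]


def sigf_select(responses, window_ms, rng):
    """Collect every CTS that arrives within the window, then pick one at random."""
    collected = sorted(node for delay, node in responses if delay <= window_ms)
    return rng.choice(collected)


def rusher_share(policy, window_ms=10.0, rounds=2000, seed=2008):
    """Fraction of forwarding rounds in which the rushing node becomes the next hop."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(rounds):
        responses = cts_responses(rng)
        if policy == "igf":
            chosen = igf_select(responses)
        else:
            chosen = sigf_select(responses, window_ms, rng)
        wins += chosen == RUSHER
    return wins / rounds


if __name__ == "__main__":
    print("first CTS wins:          ", rusher_share("igf"))
    print("random, 10 ms window:    ", rusher_share("sigf", window_ms=10.0))
    print("random, 0.5 ms window:   ", rusher_share("sigf", window_ms=0.5))
```

In this model random selection cuts the rushing node's share from every round to roughly one in four, and a collection window shorter than the honest CTS timers gives the protection away again.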

51 5. AUTOMATIC DESIGN OF ATTACK STRATEGY Neighborhood congestion Also another attack strategy has turn out to be a DoS attack. Sensor nodes have limited buffers for storing forwarded messages. Attack strategy repeatedly sending data in combination with blocked medium results into the congestion of these buffers. Thus nodes are forced to drop subsequent incoming messages. Overloading the system is typical DoS attack which is usually protected using intrusion detection systems. Malicious node sending extreme number of packets should be thus detected by IDS and eliminated from the network Experience and future work We have collected lot of experience during the work with evolutionary algorithms. We see the greatest potential of their use in optimization problems. Thus in optimization of known attacks strategies rather than in generation of novel attacks. We also have encountered an ability of evolutionary algorithms to exploit the bugs in implementation. At the early phases of our experiments, the strategies were sometimes achieving unusually high fitness values. This was caused by unexpected constructions of strategies. These strategies have exploited incomplete specification of routing protocol and thus incomplete implementation or the fitness functions. The weird behavior of an attacker has also revealed bugs in code, which led to massive memory leaks. Therefore we suggest using real system instead of simulator. Evolution could find out bugs in particular implementation or in the incomplete specification of the routing algorithm. There is lot of space for future research in this area. We would like to focus on development of tools for better analysis of generated strategies. We have designed the architecture of a graphical module, which would display the routing and attacker actions in time step by step. Implementation of this module is awaiting. Furthermore, we would like to design more complex fitness functions combining several metrics. 
Redefinition of the elementary rules could also bring new results. It is also possible to implement and test other routing protocols. We are aware of the power of evolution in optimization. Therefore we will try to formulate the task as an optimization problem in the future. It is challenging for us to find such problems in the area of secure routing. We are also considering generating attack strategies against particular defenses or detection mechanisms rather than routing protocols. An approach similar to the one used for IDS testing [FL06] could be beneficial: the attacker tries to modify the appearance of a known attack strategy to bypass a particular IDS. A completely different idea is to automatically generate defensive strategies. We know that it is unlikely to evolve a universal defense strategy; however, evolution could be useful for generating a defensive strategy against a particular attack. Evolution was already successful in this task [SM07].
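The neighborhood congestion strategy from this chapter, seen from the defender's side: the sketch below is an added example (not code from the thesis or from the Sensor Security Simulator) of a per-neighbor rate monitor placed in front of a node's bounded forwarding buffer. The slot-based timing model, node IDs, buffer capacity and threshold values are assumptions chosen for illustration, and the traffic is constructed.

```python
"""Per-neighbour rate monitor guarding a bounded forwarding buffer (illustrative model)."""
from collections import Counter, defaultdict, deque

LEGIT = (1, 2, 3)   # constructed IDs of well-behaved neighbours
FLOODER = 99        # constructed ID of the congesting neighbour
N_SLOTS = 120       # length of the simulated run in time slots


class RateMonitor:
    """Flags a neighbour that sends more than max_msgs messages within `window` slots."""

    def __init__(self, window, max_msgs):
        self.window = window
        self.max_msgs = max_msgs
        self.history = defaultdict(deque)  # sender -> slots of its recent messages
        self.blocked = set()               # senders excluded from forwarding

    def accept(self, slot, sender):
        if sender in self.blocked:
            return False
        recent = self.history[sender]
        recent.append(slot)
        # Forget arrivals that fell out of the sliding window.
        while recent[0] <= slot - self.window:
            recent.popleft()
        if len(recent) > self.max_msgs:
            self.blocked.add(sender)
            return False
        return True


def simulate(events, busy_slots, n_slots, capacity, monitor=None):
    """Run the forwarding node; it forwards one message per slot unless the medium is busy."""
    arrivals = defaultdict(list)
    for slot, sender in events:
        arrivals[slot].append(sender)
    buffer = deque()
    stats = {"forwarded": Counter(), "dropped": Counter(), "filtered": Counter()}
    for slot in range(n_slots):
        for sender in arrivals[slot]:
            if monitor is not None and not monitor.accept(slot, sender):
                stats["filtered"][sender] += 1   # rejected by the monitor
            elif len(buffer) >= capacity:
                stats["dropped"][sender] += 1    # buffer overflow
            else:
                buffer.append(sender)
        if slot not in busy_slots and buffer:
            stats["forwarded"][buffer.popleft()] += 1
    return stats


def constructed_traffic():
    """Constructed sample: one legitimate message every second slot, plus a flooder
    sending 4 messages per slot in slots 30..89 while every odd slot there is busy."""
    events = [(s, LEGIT[(s % 6) // 2]) for s in range(0, N_SLOTS, 2)]
    events += [(s, FLOODER) for s in range(30, 90) for _ in range(4)]
    busy = {s for s in range(30, 90) if s % 2 == 1}
    return events, busy


def legit_total(counter):
    return sum(counter[node] for node in LEGIT)


def compare():
    """Same traffic without and with the monitor."""
    events, busy = constructed_traffic()
    baseline = simulate(events, busy, N_SLOTS, capacity=8)
    monitor = RateMonitor(window=10, max_msgs=5)
    guarded = simulate(events, busy, N_SLOTS, capacity=8, monitor=monitor)
    return baseline, guarded, monitor


if __name__ == "__main__":
    baseline, guarded, monitor = compare()
    print("legitimate messages dropped, no monitor:", legit_total(baseline["dropped"]))
    print("legitimate messages dropped, monitored :", legit_total(guarded["dropped"]))
    print("neighbours flagged:", sorted(monitor.blocked))
```

The threshold has to sit above the burst rate of legitimate neighbours; in this constructed run they never exceed two messages per ten slots, so none of them is flagged.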

Chapter 6 Conclusion

In this thesis, we have examined security in wireless sensor networks with special emphasis on the security of routing protocols. We have reviewed two mechanisms for authenticated broadcast (µTESLA, ARMS) and several secure routing protocols (SIGF, SDD, SeRINS, Clean Slate Approach). We have also considered their weaknesses and strong points. The results show that these protocols are suitable for sensor networks and provide a sufficient level of security for most applications.

In the second half of the thesis, a novel concept for automatic design of attack strategies was described. This concept is a result of my joint work with Petr Švenda. The usability of the concept was tested. New attack strategies on routing protocols for wireless sensor networks were generated using evolutionary algorithms. Several basic attacks were found. These attacks demonstrate the possibilities and potential of evolutionary algorithms. We have also extended the Sensor Security Simulator and implemented two routing algorithms (Minimum cost forwarding, Implicit geographic routing).

We take the results of this thesis as a solid basis for further research in this field. Both the problem of secure routing in WSNs and the problem of automatic attack design require novel research directions.

Bibliography

[AKK04] J. N. Al-Karaki and A. E. Kamal. Routing techniques in wireless sensor networks: a survey. IEEE Wireless Communications, vol. 11, issue 6, pages 6–28.

[ASSC02] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci. Wireless sensor networks: a survey. Comput. Netw., vol. 38, issue 4.

[BHSS03] B. Blum, T. He, S. Son, and J. Stankovic. Igf: A state-free robust communication protocol for wireless sensor networks. In Technical Report, CS Department of Computer Science, University of Virginia, USA.

[BNKF98] W. Banzhaf, P. Nordin, R.E. Keller, and F.D. Francone. Genetic Programming: An Introduction. Morgan Kaufmann Publishers, San Francisco, CA.

[DHM02] J. Deng, R. Han, and S. Mishra. Insens: Intrusion-tolerant routing in wireless sensor networks. In Technical Report CU CS Department of Computer Science, University of Colorado.

[EG02] Laurent Eschenauer and Virgil D. Gligor. A key-management scheme for distributed sensor networks. In CCS '02: Proceedings of the 9th ACM conference on Computer and communications security, pages 41–47, New York, NY, USA. ACM.

[FL06] Prahlad Fogla and Wenke Lee. Evading network anomaly detection systems: formal reasoning and practical techniques. In CCS '06: Proceedings of the 13th ACM conference on Computer and communications security, pages 59–68, New York, NY, USA. ACM.

[HPJ03] Y. C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: a defense against wormhole attacks in wireless networks. In INFOCOM Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies. IEEE, volume 3.

[HSW+00] Jason Hill, Robert Szewczyk, Alec Woo, Seth Hollar, David E. Culler, and Kristofer S. J. Pister. System architecture directions for networked sensors. In Architectural Support for Programming Languages and Operating Systems.

[IEE99] Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Standard, June.

[IGE00] Chalermek Intanagonwiwat, Ramesh Govindan, and Deborah Estrin. Directed diffusion: a scalable and robust communication paradigm for sensor networks. In MobiCom '00: Proceedings of the 6th annual international conference on Mobile computing and networking, pages 56–67, New York, NY, USA. ACM Press.

[KLP03] Chris Karlof, Yaping Li, and Joseph Polastre. Arrive: Algorithm for robust routing in volatile environments. Technical Report UCB//CSD, Berkeley, CA, March.

[Koz92] John R. Koza. Genetic Programming: On the Programming of Computers by Means of Natural Selection (Complex Adaptive Systems). The MIT Press, December.

[KSW04] Chris Karlof, Naveen Sastry, and David Wagner. Tinysec: a link layer security architecture for wireless sensor networks. In SenSys '04: Proceedings of the 2nd international conference on Embedded networked sensor systems, New York, NY, USA. ACM Press.

[KW03] Chris Karlof and David Wagner. Secure routing in wireless sensor networks: Attacks and countermeasures. Elsevier's AdHoc Networks Journal, Special Issue on Sensor Network Applications and Protocols, vol. 1, issue 2-3, September.

[Lam81] Leslie Lamport. Password authentication with insecure communication. Communications of the ACM, vol. 24, issue 11.

[LC06a] Suk-Bok Lee and Yoon-Hwa Choi. A secure alternate path routing in sensor networks. Computer Communications, vol. 30, issue 1, December.

[LC06b] Suk-Bok Lee and Yoon-Hwa Choi. Secure Mobile Ad-hoc Networks and Sensors, volume 4074/2006 of Lecture Notes in Computer Science, chapter ARMS: An Authenticated Routing Message in Sensor Networks. Springer Berlin / Heidelberg.

[Mer80] Ralph C. Merkle. Protocols for public key cryptosystems. sp, vol. 00, page 122.

[MGL+06] Frederic Massicotte, Francois Gagnon, Yvan Labiche, Lionel Briand, and Mathieu Couture. Automatic evaluation of intrusion detection systems. In ACSAC '06: Proceedings of the 22nd Annual Computer Security Applications Conference on Annual Computer Security Applications Conference, Washington, DC, USA. IEEE Computer Society.

[NC07] Nidal Nasser and Yunfeng Chen. Secure multipath routing protocol for wireless sensor networks. In ICDCSW '07: Proceedings of the 27th International Conference on Distributed Computing Systems Workshops, page 12, Washington, DC, USA. IEEE Computer Society.

[NS78] Roger M. Needham and Michael D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, vol. 21, issue 12.

[NS08] The Network Simulator NS-2. nsnam/ns/, (May 2008).

[NSSP04] James Newsome, Elaine Shi, Dawn Song, and Adrian Perrig. The sybil attack in sensor networks: analysis & defenses. In IPSN '04: Proceedings of the third international symposium on Information processing in sensor networks, New York, NY, USA. ACM Press.

[PCST01] Adrian Perrig, Ran Canetti, Dawn Song, and Doug Tygar. Efficient and secure source authentication for multicast

[PLGP06] Bryan Parno, Mark Luk, Evan Gaustad, and Adrian Perrig. Secure sensor network routing: a clean-slate approach. In CoNEXT, page 11.

[PPG05] Bryan Parno, Adrian Perrig, and Virgil Gligor. Distributed detection of node replication attacks in sensor networks. In SP '05: Proceedings of the 2005 IEEE Symposium on Security and Privacy, pages 49–63, Washington, DC, USA. IEEE Computer Society.

[PST+02] Adrian Perrig, Robert Szewczyk, J. D. Tygar, Victor Wen, and David E. Culler. Spins: security protocols for sensor networks. Wirel. Netw., vol. 8, issue 5.

[SHJ+02] Oleg Sheyner, Joshua Haines, Somesh Jha, Richard Lippmann, and Jeannette M. Wing. Automated generation and analysis of attack graphs. In SP '02: Proceedings of the 2002 IEEE Symposium on Security and Privacy, page 273, Washington, DC, USA. IEEE Computer Society.

[SM07] Petr Svenda and Vaclav Matyas. Key distribution and secrecy amplification in wireless sensor networks. In Technical Report, FIMU-RS, Brno, ČR. Masaryk University.

[TM006] Tmote Sky: Datasheet. eol/tmote-sky-datasheet.pdf.

[WFSH06] Anthony D. Wood, Lei Fang, John A. Stankovic, and Tian He. Sigf: a family of configurable, secure routing protocols for wireless sensor networks. In SASN '06: Proceedings of the fourth ACM workshop on Security of ad hoc and sensor networks, pages 35–48, New York, NY, USA. ACM Press.

[WS02] Anthony D. Wood and John A. Stankovic. Denial of service in sensor networks. IEEE Computer, vol. 35, issue 10, pages 54–62.

[WYC04] Xiaoyun Wang, Lizhen Yang, and Kefei Chen. Sdd: Secure directed diffusion protocol for sensor networks. In Security in Adhoc and Sensor Networks, volume 3313/2005 of Lecture Notes in Computer Science. First European Workshop, ESAS 2004, Heidelberg, Germany, August. Springer Berlin/Heidelberg.

[YCLZ01] F. Ye, A. Chen, S. Liu, and L. Zhang. A scalable solution to minimum cost forwarding in large sensor networks. In Proceedings of Tenth International Conference on Computer Communications and Networks.

[YM06] Jian Yin and Sanjay Madria. Secrout: A secure routing protocol for sensor networks. In AINA '06: Proceedings of the 20th International Conference on Advanced Information Networking and Applications - Volume 1 (AINA '06), Washington, DC, USA. IEEE Computer Society.

[ZSJ03] Sencun Zhu, Sanjeev Setia, and Sushil Jajodia. Leap: efficient security mechanisms for large-scale distributed sensor networks. In CCS '03: Proceedings of the 10th ACM conference on Computer and communications security, pages 62–72, New York, NY, USA. ACM.

Appendix A Example of generated attack strategy

Here is an example of a generated attack strategy after pruning. It does not use the conditional memory slots, hence the instructions do not contain all the parameters that are shown in section. All presented instructions are necessary for achieving the maximum fitness value. This strategy contains a rushing attack (the substrategy triggered by TRIG ORTS). It also disturbs the sending of selected messages by causing collisions on the medium (two messages are sent in a single substrategy, e.g. the two subsequent SEND ORTS instructions in the last substrategy). This example illustrates the hardness of strategy analysis. We were not able to completely interpret this strategy.

TRIG CTS
SEND ORTS
GENERATE M
LOAD M 1
STORE M 1
SEND M 1
GENERATE M
***
TRIG CTS ME
STORE M 0
LOAD M 0
SEND CTS 0
DROP M 1
SEND M 0
***
TRIG COLLISION
SEND ORTS
LOAD M 1
SEND ACK 0
DROP M 1
GENERATE M
GET N
***
TRIG ORTS
STORE M 1
LOAD M 1
GET N
SEND CTS 1
***
TRIG ACK
GET N
SEND ORTS
SEND ORTS
GENERATE M
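As an added example (not the thesis tooling), the listing above can be split into substrategies mechanically and checked for the pattern the appendix points out, two messages sent within one substrategy. The parser assumes the token layout as printed on this page (an opcode word followed by its operands, `***` between substrategies); the function names and the `multi_send` and `back_to_back` flags are hypothetical.

```python
"""Split a generated strategy listing into substrategies and flag multi-send ones."""

# Opcode words taken from the Appendix A listing; anything else is treated as an operand.
OPCODES = {"TRIG", "SEND", "GENERATE", "LOAD", "STORE", "DROP", "GET"}
SEPARATOR = "***"

# Appendix A listing, tokens as printed on this page (one substrategy per line here).
APPENDIX_A = """
TRIG CTS  SEND ORTS  GENERATE M  LOAD M 1  STORE M 1  SEND M 1  GENERATE M  ***
TRIG CTS ME  STORE M 0  LOAD M 0  SEND CTS 0  DROP M 1  SEND M 0  ***
TRIG COLLISION  SEND ORTS  LOAD M 1  SEND ACK 0  DROP M 1  GENERATE M  GET N  ***
TRIG ORTS  STORE M 1  LOAD M 1  GET N  SEND CTS 1  ***
TRIG ACK  GET N  SEND ORTS  SEND ORTS  GENERATE M
"""


def tokenize(text):
    """Group whitespace-separated tokens into (opcode, operand, ...) tuples.
    Works on one-instruction-per-line listings and on flattened text alike."""
    instructions = []
    for token in text.split():
        if token in OPCODES or token == SEPARATOR:
            instructions.append([token])
        elif instructions and instructions[-1][0] != SEPARATOR:
            instructions[-1].append(token)
        else:
            raise ValueError(f"operand {token!r} does not follow an instruction")
    return [tuple(ins) for ins in instructions]


def parse_strategy(text):
    """Return a list of substrategies: {'trigger': (...), 'body': [instruction, ...]}."""
    substrategies = []
    current = None
    for ins in tokenize(text):
        if ins[0] == SEPARATOR:
            current = None
        elif ins[0] == "TRIG":
            if current is not None:
                raise ValueError("TRIG found inside an open substrategy")
            current = {"trigger": ins[1:], "body": []}
            substrategies.append(current)
        elif current is None:
            raise ValueError(f"{' '.join(ins)} appears before any TRIG")
        else:
            current["body"].append(ins)
    return substrategies


def analyse(substrategies):
    """Per substrategy: its trigger, what it sends, and the two collision hints."""
    report = []
    for index, sub in enumerate(substrategies, start=1):
        body = sub["body"]
        sends = [ins for ins in body if ins[0] == "SEND"]
        report.append({
            "index": index,
            "trigger": " ".join(sub["trigger"]),
            "sends": [" ".join(ins[1:]) for ins in sends],
            # Two or more messages sent in one substrategy (the appendix's collision hint).
            "multi_send": len(sends) >= 2,
            # Two SEND instructions directly after each other.
            "back_to_back": any(a[0] == b[0] == "SEND" for a, b in zip(body, body[1:])),
        })
    return report


if __name__ == "__main__":
    for row in analyse(parse_strategy(APPENDIX_A)):
        print(row)
```

Substrategies that send only once, such as the one triggered by TRIG ORTS, come out unflagged, which separates them from the collision candidates.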


More information

WIRELESS SENSOR NETWORK SECURITY ANALYSIS

WIRELESS SENSOR NETWORK SECURITY ANALYSIS WIRELESS SENSOR NETWORK SECURITY ANALYSIS Hemanta Kumar Kalita 1 and Avijit Kar 2 1 Department of Computer Engineering, Jadavpur University, Kolkata, India [email protected] 2 Department of Computer

More information

Peer-to-peer Cooperative Backup System

Peer-to-peer Cooperative Backup System Peer-to-peer Cooperative Backup System Sameh Elnikety Mark Lillibridge Mike Burrows Rice University Compaq SRC Microsoft Research Abstract This paper presents the design and implementation of a novel backup

More information

Attenuation (amplitude of the wave loses strength thereby the signal power) Refraction Reflection Shadowing Scattering Diffraction

Attenuation (amplitude of the wave loses strength thereby the signal power) Refraction Reflection Shadowing Scattering Diffraction Wireless Physical Layer Q1. Is it possible to transmit a digital signal, e.g., coded as square wave as used inside a computer, using radio transmission without any loss? Why? It is not possible to transmit

More information

Security and Privacy Issues in Wireless Ad Hoc, Mesh, and Sensor Networks

Security and Privacy Issues in Wireless Ad Hoc, Mesh, and Sensor Networks Advance in Electronic and Electric Engineering. ISSN 2231-1297, Volume 4, Number 4 (2014), pp. 381-388 Research India Publications http://www.ripublication.com/aeee.htm Security and Privacy Issues in Wireless

More information

CROSS LAYER BASED MULTIPATH ROUTING FOR LOAD BALANCING

CROSS LAYER BASED MULTIPATH ROUTING FOR LOAD BALANCING CHAPTER 6 CROSS LAYER BASED MULTIPATH ROUTING FOR LOAD BALANCING 6.1 INTRODUCTION The technical challenges in WMNs are load balancing, optimal routing, fairness, network auto-configuration and mobility

More information

How To Secure A Wireless Sensor Network

How To Secure A Wireless Sensor Network Int. J. Advanced Networking and Applications 707 Analysis of Security Protocols in Wireless Sensor Network Ritu Sharma 1 Email: [email protected] Yogesh Chaba 2 Associate Professor Email : [email protected]

More information

Data Management in Sensor Networks

Data Management in Sensor Networks Data Management in Sensor Networks Ellen Munthe-Kaas Jarle Søberg Hans Vatne Hansen INF5100 Autumn 2011 1 Outline Sensor networks Characteristics TinyOS TinyDB Motes Application domains Data management

More information

A NOVEL OVERLAY IDS FOR WIRELESS SENSOR NETWORKS

A NOVEL OVERLAY IDS FOR WIRELESS SENSOR NETWORKS A NOVEL OVERLAY IDS FOR WIRELESS SENSOR NETWORKS Sumanta Saha, Md. Safiqul Islam, Md. Sakhawat Hossen School of Information and Communication Technology The Royal Institute of Technology (KTH) Stockholm,

More information

ENHANCED GREEN FIREWALL FOR EFFICIENT DETECTION AND PREVENTION OF MOBILE INTRUDER USING GREYLISTING METHOD

ENHANCED GREEN FIREWALL FOR EFFICIENT DETECTION AND PREVENTION OF MOBILE INTRUDER USING GREYLISTING METHOD ENHANCED GREEN FIREWALL FOR EFFICIENT DETECTION AND PREVENTION OF MOBILE INTRUDER USING GREYLISTING METHOD G.Pradeep Kumar 1, R.Chakkaravarthy 2, S.Arun kishorre 3, L.S.Sathiyamurthy 4 1- Assistant Professor,

More information

An Implementation of Secure Wireless Network for Avoiding Black hole Attack

An Implementation of Secure Wireless Network for Avoiding Black hole Attack An Implementation of Secure Wireless Network for Avoiding Black hole Attack Neelima Gupta Research Scholar, Department of Computer Science and Engineering Jagadguru Dattaray College of Technology Indore,

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

Single Sign-On Secure Authentication Password Mechanism

Single Sign-On Secure Authentication Password Mechanism Single Sign-On Secure Authentication Password Mechanism Deepali M. Devkate, N.D.Kale ME Student, Department of CE, PVPIT, Bavdhan, SavitribaiPhule University Pune, Maharashtra,India. Assistant Professor,

More information

18-731 Midterm. Name: Andrew user id:

18-731 Midterm. Name: Andrew user id: 18-731 Midterm 6 March 2008 Name: Andrew user id: Scores: Problem 0 (10 points): Problem 1 (10 points): Problem 2 (15 points): Problem 3 (10 points): Problem 4 (20 points): Problem 5 (10 points): Problem

More information

Ashok Kumar Gonela MTech Department of CSE Miracle Educational Group Of Institutions Bhogapuram.

Ashok Kumar Gonela MTech Department of CSE Miracle Educational Group Of Institutions Bhogapuram. Protection of Vulnerable Virtual machines from being compromised as zombies during DDoS attacks using a multi-phase distributed vulnerability detection & counter-attack framework Ashok Kumar Gonela MTech

More information

RT-QoS for Wireless ad-hoc Networks of Embedded Systems

RT-QoS for Wireless ad-hoc Networks of Embedded Systems RT-QoS for Wireless ad-hoc Networks of Embedded Systems Marco accamo University of Illinois Urbana-hampaign 1 Outline Wireless RT-QoS: important MA attributes and faced challenges Some new ideas and results

More information

Security Issues in Mobile Ad Hoc Networks - A Survey

Security Issues in Mobile Ad Hoc Networks - A Survey Security Issues in Mobile Ad Hoc Networks - A Survey Wenjia Li and Anupam Joshi Department of Computer Science and Electrical Engineering University of Maryland, Baltimore County Abstract In this paper,

More information

Securing MANET Using Diffie Hellman Digital Signature Scheme

Securing MANET Using Diffie Hellman Digital Signature Scheme Securing MANET Using Diffie Hellman Digital Signature Scheme Karamvir Singh 1, Harmanjot Singh 2 1 Research Scholar, ECE Department, Punjabi University, Patiala, Punjab, India 1 [email protected] 2

More information