A New Protocol for the Detection of Node Replication Attacks in Mobile Wireless Sensor Networks

Transcription

1 Deng XM, Xiong Y. A new protocol for the detection of node replication attacks in mobile wireless sensor networks. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 64): July 11. DOI 1.17/s A New Protocol for the Detection of Node Replication Attacks in Mobile Wireless Sensor Networks Xiao-Ming Deng ) and Yan Xiong ) School of Computer Science and Technology, University of Science and Technology of China, Hefei 37, China dengxm@mail.ustc.edu.cn; yxiong@ustc.edu.cn Received June 16, 9; revised May 3, 11. Abstract Wireless sensor networks WSNs) are often deployed in harsh environments. Thus adversaries can capture some nodes, replicate them and deploy those replicas back into the strategic positions in the network to launch a variety of attacks. These are referred to as node replication attacks. Some methods of defending against node replication attacks have been proposed, yet they are not very suitable for the mobile wireless sensor networks. In this paper, we propose a new protocol to detect the replicas in mobile WSNs. In this protocol, polynomial-based pair-wise key pre-distribution scheme and Counting Bloom Filters are used to guarantee that the replicas can never lie about their real identifiers and collect the number of pair-wise keys established by each sensor node. Replicas are detected by looking at whether the number of pair-wise keys established by them exceeds the threshold. We also derive accurate closed form expression for the expected number of pair-wise keys established by each node, under commonly used random waypoint model. Analyses and simulations verify that the protocol accurately detects the replicas in the mobile WSNs and supports their removal. Keywords node replication attack, network security, mobile WSN wireless sensor network), random waypoint model 1 Introduction A wireless sensor network WSN) is a large network of limited resources sensor nodes that cooperate with each other using wireless communications in order to fulfill different application objectives [1]. Usually, sensor nodes use low-cost commodity hardware components. This makes it feasible to deploy thousands of nodes in the area of interest. Unfortunately, these cost considerations also make it impractical to use physical shielding that could preclude access to a sensor s memory, process and communication components. In both military and civil applications, the WSNs are often deployed in harsh environments. Because they are unattended and not equipped with the tamper-resistance hardware, the adversary could capture some sensor nodes, and then acquire all the information stored within. Thus, once even a single sensor node is compromised, an adversary can easily replicate it and deploy these replicas back into the strategic positions in the network for further malicious activities. This attack process is so-called node replication attack. Since the replicas have legitimate information such as codes, key materials, and credentials) which is replicated from the compromised nodes, they may be considered as legitimate members of the network and participate in network operation in the same way as the non-compromised nodes. Chan and Perrig [] classify a number of attacks that can be launched using replicas. The adversary can monitor all information passing through the nodes, falsify sensor data, extract data from the network, stage denial of service attacks, and so on. Some protocols have been proposed so far to tackle node replication attacks. Yet almost all the schemes are for static WSNs, and not suitable for mobile WSNs. In this paper, we propose a new protocol for the detection of node replication attacks in the mobile WSNs. Counting Bloom Filters collect the number of pair-wise keys established by each node. A server uses this data to create a histogram. We derive expression for the expected number of pair-wise keys established by each node, and give the threshold for detection. Nodes whose number of pair-wise keys exceeds the threshold value are considered to be replicas. The system can recover from the node replication attack by terminating connections established by the replicas. Care is taken to quantify the limitations of the proposed approach. The remainder of this paper is organized as follows: Regular Paper This work is partly supported by the National Natural Science Foundation of China under Grant No , the National High Technology Research and Development 863 Program of China under Grant No. 9AA1Z3. 11 Springer Science + Business Media, LLC & Science Press, China

2 Xiao-Ming Deng et al.: Detection of Node Replication Attacks in Mobile WSNs 733 Section reviews related work; Section 3 presents our new protocol that is used to cope with node replication attacks in mobile WSNs; Section 4 provides an overview of Bloom Filters, Counting Bloom Filters, and their application in our protocol; Section 5 shows how to compress the Counting Bloom Filters to minimize the size of each report to be transmitted; Section 6 analyzes the proposed method and explains how we determine a threshold value for the number of keys established by each sensor node, simulation results verifying our analysis are also presented; Section 7 is a security and efficiency analysis of the detection protocol; in Section 8 we show some experimental results on our protocol; finally, Section 9 gives conclusions and our possible future work. Related Work There are a number of schemes that have been proposed for preventing and detecting node replication attacks. To our best knowledge, the first non-naive detection scheme against node replication attacks is to employ witness nodes, which are randomly selected among the nodes in the network, to undertake the task of node replication attack detection []. In [3], two detection protocols leveraging emergent properties are proposed. One is randomized multicast RM); the other is line selected multicast LSM). In RM, when a node broadcasts its location, each of its neighbors sends with probability p) a digitally signed copy of the location claim to a set of randomly selected witness nodes. In this algorithm each location has n witness nodes, thus in a network of n nodes, according to Birthday Paradox, in the event of a node replication attack at least one witness node is likely to receive conflicting location claims for a particular node. The LSM algorithm behavior is similar to that of RM, but exploits the routing topology and uses geometric probabilities to detect replicated nodes, to reduce the communication costs and improve detection probability. Conti, Zhu et al. [4-5] presented two other improvements. But all these schemes are based on location information and have some defects. For example, if the location claim of a non-compromised node was tampered by the adversary or a malicious node fabricated the location claim of a non-compromised node, the non-compromised node would be detected as a replicated node. Therefore, the integrity and reliability are needed. Since the integrity and reliability are difficult to achieve by symmetric key technology in this replicating situation, in all of these schemes, the public key encryption technology is adopted without exception. For a scheme of periodic detecting, the computational overhead is very remarkable. In addition, in such a hostile environment applications, the location information is required to be kept secret. Broadcasting location information as such schemes is likely to cause more sensor nodes to be captured. Bekara et al. [6] presented a polynomial-based key establishment protocol to prevent nodes replication attacks. But in this scheme, a newly deployed node has no way to check whether the responding node is a replica or not. Therefore, the replica can participate in response by establishing pairwise key with the newly deployed node. In [7], Xing et al. proposed a scheme, which is not based on location information, to detect node replication attacks. In this scheme, each node is preloaded with a codeword generated from a superimposed s- disjunct code. Then a node computes its social fingerprint based on the codewords collected from its neighborhood. Each node should also compute the fingerprints for the nodes in its local community, and store them for later verification purpose. Whenever a node sends a message to the base station, it should include its fingerprint as well. Then the neighboring nodes can verify the legitimacy of the source node by comparing the enclosed fingerprint with their own record. Since the replicas are distributed in different area, and their new neighbors do not have their fingerprints, they cannot cheat their neighbors that can easily tell whether they are using an inconsistent fingerprint. As we can see, this scheme is based on the assumptions that nodes are unable to move if a node changes its location, its new neighbors do not have its fingerprint). But in mobile WSNs, adjacency relation changes dynamically, so this scheme will fail. Brooks et al. [8] proposed another algorithm to detect replicas in WSNs that use random key pre-distribution. However, the random key predistribution model is not suitable for mobile WSNs. There is also another type of schemes to deal with the node replication attacks. These schemes do not detect the replicas after they participate in network operation but prevent them from participating in operation. The polynomial-based space-time related pairwise key pre-distribution scheme PSPP) [9] is the most effective of them. In PSPP, the keyed material of a node can only work at its initial deployment location. If a node leaves its deployment location, its keyed material will become invalid. Thus it cannot participate in network operation. Obviously, it is this characteristic that makes this scheme not be applied to mobile WSNs. Yu et al. [1] proposed a protocol, called extremely Efficient Detection XED), to resist against node replication attacks in mobile WSNs. The basic operations of this protocol are as follows. Once two sensor nodes are within the communication ranges of each other, they respectively generate a random number, and then exchange the random numbers. If the two nodes meet again, both of them request the other for the random number exchanged at earlier time. If the other cannot

3 734 J. Comput. Sci. & Technol., July 11, Vol.6, No.4 reply or replies a number which does not match the number stored in its memory, it announces the detection of a replica. To a smart attacker, this scheme is naive, and he/she can establish secret channels among replicas. By this way, replicas can share the random numbers, and make the protocol exist in name only. 3 Detection Protocol 3.1 Assumptions Here, the sensor nodes are assumed to have mobility. In the beginning, all the sensor nodes are uniformly deployed in the network area. Once deployed, sensor nodes can move according to some mobility models such as the random waypoint model [11]. We also assume that the sensor nodes are loosely time-synchronized. The loose time synchronization can be achieved both in a centralized and in a distributed way [1-13]. Furthermore, we assume that the base station is sufficiently powerful to defend itself against security threats. Table 1 lists the symbols and notations used in this paper. Notation Description R ID i N i K ij E k ) Table 1. Notation Used The communication radius of each sensor node The unique identifier of node i The unique random number of node i The pair-wise key shared between node i and j Encryption function using key K MAC k ) Message authentication code function using key K H) One-way hash function Concatenation operation 3. Protocol 3..1 Node Initialization Before sensor nodes are deployed, the key server randomly generates a bivariate symmetric polynomial [14] fx, y) = t a ij x i y j 1) i,j= over a finite field GF p), where p is a prime that is large enough to accommodate a cryptographic key, t is the degree of the polynomial and a security parameter, and the symmetric means that we have fx, y) = fy, x) for any x and y. The polynomial fx, y) should be kept secret. For each node u, the key server loads a unique secret share polynomial f u y) = fhid u N u ), y) = t a jy j. ) j= Note that it is impossible that two different nodes have the same secret share polynomial. Indeed, suppose that u and v are two different nodes. f u y) = f v y) is possible, if and only if HID u N u ) = HID v N v ), which means ID u N u = ID v N v. Since u and v are two different nodes, ID u N u ID v N v, f u y) = f v y) is impossible. In addition, the key server generates a Bloom Filter and its corresponding Counting Bloom Filter. The elements added to the Bloom Filter are the unique identifier concatenated to the unique random number of each node to be deployed in the network area. It means that the format of each element is ID N. All the counters in the Counting Bloom Filter are initialized with zero. The key server loads each node with the Bloom Filter and the Counting Bloom Filter generated before. 3.. Pair-Wise Key Establishment After deployment, a node, taking a legal node u as an example, broadcasts its Hello message u : {Hello, ID u, N u, Nonce u }, where Nonce u is a random number, for verifying freshness. Once receiving the Hello message sent by u, a node, node v as an example, executes as follows. 1) Test whether the ID u N u is a member of legal nodes in the Bloom Filter. If verification fails, reject the request and aborts, because node u is suspected to be malicious. ) Otherwise, generate a shared key K vu, where K vu = f v HID u N u )), and sends the following ACK message back to node u: { } ACK, ID v u : v, N v, Nonce v, MAC Kvu. ACK, ID v, N v, Nonce v, Nonce u ) Once receiving the ACK message from v, node u follows four steps. 1) Test whether the ID v N v is a member of legal nodes in the Bloom Filter. If verification fails, reject it, and end the processing. ) Compute K uv = f u HID v N v )), and check the message authenticity. If the message is not authenticated, simply reject the message, and abort. 3) Save K uv as the shared pair-wise key with node v and send the OK message back to node v: u v : {OK, ID u, MAC Kuv OK, ID u, Nonce v )}. 4) Insert ID v N v into its Counting Bloom Filter. Upon receiving node u s response, node v checks the message authenticity using K vu, and, if success, node v

4 Xiao-Ming Deng et al.: Detection of Node Replication Attacks in Mobile WSNs 735 sets K vu as the shared pair-wise key with node u and inserts ID u N u into its Counting Bloom Filter, otherwise failed authentication, or no response), erases K vu. At the end of this phase, a node including the replicas) can never lie about its real identifier or the unique random number to which it belongs, on account of the characteristic of the basic polynomial-based pair-wise key pre-distribution scheme [15-16]. Since each node can move from place to place, it is nonsense to keep each pair-wise key throughout one s life time. If a neighbor of one node is out off range, the pair-wise key shared between them should be erased. Meanwhile, when a node is moving out off one s range, it could enter the other s range, if the latter two nodes do not have a shared pair-wise key, they should establish one Detection Each node periodically constructs a report, which includes its ID and Counting Bloom Filter or compressed Counting Bloom Filter), and sends it to the base station. Take node u as an example, { EKuB u B : ID } u, Nonce u, Counting filter u ), MAC KuB ID u, Nonce u, Counting filter u ) where B is the base station, and K ub is the key shared between node u and B. After sending the report, the Counting Bloom Filter of each node is reset to. This process is executed in fixed intervals of time. Having received most of the reports, the base station decrypts them, and counts the number of keys established by each node. If the number of keys established by one node is above a threshold value, the node is considered as a replica. Once some replicas are detected, the base station updates the Bloom Filter to delete the replicated ones, and broadcasts the new Bloom Filter, using broadcast authentication protocol such as µtesla [17], to the whole network. And then, each node terminates connections with the node which is not in the Bloom Filter. Since we assume that the nodes are uniformly deployed in the network area, and randomly select their speed, direction, and pause time, the number of keys established by each node will be very close to each other in the same fixed intervals of time. When replicas are deployed in the network, the number of key establishments of the replicated nodes is greater than that of non-compromised nodes. Because the replicas cannot lie about its real identifier or the unique random number which they copied, all the key establishment of them must be related to the replicated node. By collecting statistics, we can determine which nodes have been replicated. 4 Bloom Filters and Counting Bloom Filters The Bloom Filter [18] is a space-efficient set that supports membership queries. It is a bit array of m bits, all initialized with, and has h different hash functions. Each element of the set is mapped or hashed) using the hash functions to h of the m positions with a uniform random distribution. And the bit position corresponding to each hash value is set to 1. Note that a position might be set more than once. An element to be queried for is hashed using the h hash functions. If and only if the corresponding bit positions in the filter array are all 1, the element is said to be a member of that set. False positives are possible, since it is possible that all the bits, corresponding to an element which is not a member of the set, are set to 1 because of the other elements in that set. The false positive probability [19] e is minimized to 1/) h, when h = ln m/n) 3) where n is the number of elements in the set. As [19] shows, e decreases as m increases. For the fixed h and n, to get the minimum value of e, the size of filter m should not be smaller than n log 1/e) ln = n h ln n h. 4) The Counting Bloom Filter is an extension of Bloom Filter where each bit is replaced by an l-bit counter where l ranges from four to six) [], thus is an array of l m) bits. The insert operation is extended to increase the counters at the index positions given by the hash values instead of setting the bit as in standard Bloom Filters. And when the value of a certain counter is up to its maximum value, which is l 1), the value will be maintained until the counter is reset. Each sensor node makes a counting of the key establishment times of its each neighbor, where the key is shared between itself and one of its neighbors. By using the Counting Bloom Filters, we reduce the length of message transmitted we will discuss it in the next section) and make data aggregation not only easy but also high efficient. The base station adds up all the Counting Bloom Filters it receives, and does membership queries on the result. At the end of this process, the base station has the statistics describing the key establishment times of each node. 5 Data Compression If we use 1 hash functions, 4) shows that the bit length of Counting Bloom Filters l m) must be 57 times larger than the number of sensor nodes. Assuming there are thousands of sensor nodes deployed in the

5 736 J. Comput. Sci. & Technol., July 11, Vol.6, No.4 network area, take 1 as an example, the length of Counting Bloom Filters is about bits. It is unadvisable to transmit them immutably. Assume that each hash function maps each position with equal probability. The probability that a certain counter is not increased by a certain hash function during the insertion of an element is 1 1/m). The probability that it is not increased by any of the hash functions is 1 1/m) h. With pi), where i l 1, denote that the probability of a certain bit is i after n elements have been inserted, we have pi) = hn i hn j= l 1 ) 1 m ) i 1 1 m) hn i, i < l 1, ) hn 1 ) j 1 1 hn j, j m m) i = l 1. 5) Theorem 1. If m > hn + 1, for the above pi), there is pi) > l 1 j=i+1 Proof. ) hn 1 ) i pi) = 1 1 ) hn i i m m = 1 1 ) hn ) 1 i hn m m 1) i l 1 j=i+1 pj) = ) hn < i + k L pi) > l j=i+1 hn j= l 1 pj). 6) ) hn 1 ) j 1 1 hn j + j m m) ) hn 1 ) j 1 1 ) hn j j m m = 1 1 ) hn 1 ) i m m 1 hn i ) hn 1 i + k m 1 k=1 ) hn hn) k i j=i+1 [ 1 pj) > hn i k=1 ) k 1 1 ) hn ) 1 i hn m m 1) i hn ) k ] m ) hn )[ hn ] 1 i hn 1 m 1 m m 1) i 1 hn m 1 > m > hn + 1) L pi) > pj). j=i+1 Using A = {i 1 i l 1} as a set of symbols, and W = {pi) 1 i l 1} as their weights, we can construct a Huffman Tree [1]. According to the algorithm proposed in [1] and Theorem 1, the Huffman Tree must be as shown in Fig.1. Fig.1. Structure of Huffman tree. The algorithm to compress the Counting Bloom Filters is as follows. 1) If the value of a counter is, ignore it; ) otherwise, the code is composed of the index of the counter, which is in a fixed bit length of a where a 1 1 < m a 1, and the Huffman codeword of the counter value. After compression, the length of the Counting Bloom Filters is L = l i=1 m pi) a + i) + m p l 1) a + l ) m a 1 e hn/m ) + hn, 7) where a satisfies a 1 1 < m a 1 and n is the number of elements inserted. We use 1 hash functions and 4-bit counters. Table compares the message size with and without compression for different numbers of sensor nodes in the network, if 1 elements are inserted into each Counting Bloom filter. Table. Message Size Number of Message Size in Message Size in Bits Sensor Nodes Bits with Compression Without Compression Threshold Determination In this section, we show how to determine which sensor nodes are being replicated. We assume that

6 Xiao-Ming Deng et al.: Detection of Node Replication Attacks in Mobile WSNs 737 the random waypoint model [11] is used. Hence, each node in the network randomly chooses a destination point in the area and moves to this point with a constant speed which is chosen from a uniform distribution [V min, V max ] where V min is the minimum speed and V max is the maximum speed in the movement. Once the destination is reached, the node pauses for a certain pause time t pause, then chooses a new destination with another speed, moves at the speed to this destination, and so on. To simplify the evaluation, we also assume that a pair-wise key is kept for a certain period of time t keep once being established, and then erased. It is reasonable to set t keep = / 8) where R is the communication radius of each sensor node and is regarded as the average speed of each movement epoch. From [], we have = V max V min lnv max /V min ). 9) From [3], for the random waypoint movement in a rectangular area of size a b, the expected value of the epoch length is given by EL) = 1 [ a 3 15 b + b3 a + )] a + b 3 a b b a 1 [ a 6 b arcosh a + b a b + + b a arcosh a + b and the expected value of the epoch time is given by t epoch = EL) ], 1) 11) where arcoshx) = lnx+ x 1). Usually, we assume R < a/4 and R < b/4, so that R < EL)/. During a very short time interval [t, t + t], a sensor node u moves from position O to position O as shown in Fig.a)). We assume this process has two steps: firstly jump from position O to position O which takes no time); and then at a standstill. Furthermore, we assume that all the nodes in shaded area A 1 A 1 is the newer communication range of u) do not have pair-wise key shared with u. When u is at the standstill, its communication range is made up of areas B and B 1, as shown in Fig.b). Since a node x in area B randomly selects its direction, it moves along a distance of t in the time interval [t, t + t], and enters into area B 1 with a probability P. Meanwhile, a node x in area B 1 enters into area B with a probability P. Obviously, if the node x in area B is not from area B 1, it does not have pair-wise key shared with u. Fig.. Steps to derive N t). Therefore, when node u is at a movement, the number of pair-wise keys being established, in a time interval [t, t + t], between node u and its new neighbors is about N move t) = S A1 ρ + S B ρ S B1 ρ EP S ) B ) EP ), S B+B 3 1) where S X denotes the acreage of X, ρ is the density of the nodes in the network area, and EY ) is the expected value of Y. Theorem. When t is close to, the expected probability P and P is EP ) = EP ) = 1 π. 13) Proof. 1) In time interval [t, t + t], the motion distance of node is t. Let r = t. After t, the probable position of node u is on a circle, of which radius is r, as shown in Fig.3. Since arc CED is in area A 1, we have P = L CED π r = CO O r π r = CO O, 14) π where L CED denotes the length of arc CED, and r )/ P arccos π. 15) Assuming P = x if the original position O is on the common border of areas A -1 and A -, the distribution function of P is F x) = PrP x) = S A -1 S A = π OA π OO π OA π OB 16)

7 738 J. Comput. Sci. & Technol., July 11, Vol.6, No.4 where S A denotes the area of A. According the law of cosines, we have R = r + OO r OO cos CO O. 17) From 14) to 17), we obtain F x) = R + r) r cos πx + r cos πx + R r ) R + r) R, r )/ x arccos π, r )/, x < or x > arccos π. 18) Since EP ) = + x F x)dx 19) where F x) is the derivation of F x), we calculate 1 [ 4R EP ) = r 4R r + rarcsin + πr + ) R r arcsinr 4R r ] where r = t. Therefore, lim EP ) = lim EP ) = 1/π. t r Fig.3. Figure to derive EP ). ) We similarly obtain that the distribution function of P is F x) = r cos πx + r cos πx + R r ) R r) R R r), r )/ x 1 arccos π r )/, x < or x > 1 arccos π ) where r = t, so that EP ) = = + x F x)dx 1 [ 4R r π r) rarccos r + R r arcsinr 4R r + rarcsin 4R r ] and lim EP ) = lim EP ) = 1/π. t r From 1) and Theorem, ignoring the t in S X, we obtain N move t) = 3π 1 π R d t 1) since ρ = d/πr ). In a very short time interval [t, t + t], if a node u is paused, we can similarly obtain that the number of pair-wise keys being established between node u and its new neighbors is about N pause t) = π 1 π R d t. ) Since we assume that a pair-wise key is kept for a certain period of time t keep once being established and then is erased, if a node x is still in a node u s communication range after the period of time t keep, the pair-wise key shared between them needs to be reestablished. We further assume that in a time interval [t, t + t keep ] the probability denoted by P x ), that both node u and x are paused, is. It means that if node u is paused in time interval [t, t + t keep ], its new neighbor x at time t will be out of its range after the period of time t keep. However, if the node u is on the move, the probability is not the case. Theorem 3. 1) If in a time interval [t, t+t keep ] node u is on the move, the expected value of the probability P x is E m m P x ) = π π/ 1 π arccos cos θ dθ. 3) 5 4 cos θ ) If in a time interval [t, t + t x ] node u is on the move and in a time interval [t + t x, t + t keep ] node u is paused, the expected value of the probability P x is E m p P x ) = π π arccos 1 t t ) + 4R t ) cos θ arccos 4R t ) + R t ) cos θ where t t keep. ) ) dθ 4)

8 Xiao-Ming Deng et al.: Detection of Node Replication Attacks in Mobile WSNs 739 3) If in a time interval [t, t + t x ] node u is paused and in a time interval [t + t x, t + t keep ] node u is on the move, the expected value is E p m P x ) = π π t arccos ) t ) + 4R t ) cos θ arccos 4R t ) + R t ) cos θ ) dθ 5) where t t keep. 4) If in a time interval [t, t + t x ] node u is on the move, in a time interval [t+t x, t+t x +t pause ] node u is paused, and in a time interval [t + t x + t pause, t + t keep ] node u is on the move, the expected value is E m p m P x ) = π π arccos 1 tpause { arccos [ t pause ) + 4R t pause ) cos θ] / } [R t pause ) + R t pause ) cos θ] dθ. ) 6) Proof. Here we only proof the first situation, and the rest three are similar. As shown in Fig.4, in a time interval [t, t + t keep ] node u moves from O to O. Since u keeps moving, all the new neighbors of it at time t are on arc EAF. Take a new neighbor x, which position at time t is A, as an example. After time t keep, the probable position of node x is on a circle, of which radius is r and center is A. Since only arc CGB is in the new communication range of u, we have P x = L CGB πr = BAC π = BAO. 7) π At the triangle O AB, according to the law of cosines, we have BAO cos θ = arccos, π 5 4 cos θ θ π. 8) Since node x is with equal probability at any position on the arc EAF, the expected value of P x is E m m P x ) = π = π π π P x dθ 1 π arccos cos θ dθ. 5 4 cos θ 9) Fig.4. Figure to derive E m mp x). We compute this integral numerically to obtain E m m P x ) ) Therefore, the number of pair-wise keys being established, in the epoch time, between a node and its new neighbors is about EN) = tpause E m p m P x ) N move dt + ) E p m P x ) N pause dt tpause tepoch tpause E m m P x ) N move dt + 4 tepoch π + N move dt + tpause N pause dt + E m p P x )N move dt 31) if t pause EN) = tepoch tpause < EL) ; or ) E p m P x ) N pause dt tepoch N move dt + N pause dt + tpause EL) if t pause > and <. Form 11) to 3), we obtain EN) = [ a 1 EL) R a + 6 i=1 [ a 1 EL) R a + b 1 4 π + for t pause t pause R for t pause > E m m P x ) N move dt + E m p P x )N move dt 3) tpause ) i ] b i d, R ] d, < EL) and < EL) 33)

9 74 J. Comput. Sci. & Technol., July 11, Vol.6, No.4 where a 1 =.96454, a =.13197, a = , b 1 = , b 1 =.16989, b =.83445, b 3 =.91443, b 4 = , b 5 = and b 6 = Since the detection process executes at fixed intervals of time, assuming the length of the intervals is T, the expected number of pair-wise keys being established in each time interval by any node is about T N) = EN) EL)/ + t pause T d. 34) Consider a network in a rectangular area of size, communication radius of each node is 1, detection interval is 6 and pause time is. Fig.5 compares analytical and simulation values for varying settings of the neighbor degree d, the maximum speed V max and the minimum speed V min. It shows that the very tight errors and close agreement between simulations and predictions. Fig.5. Number of pair-wise keys being established in each time interval. 7 Analysis 7.1 Security Analysis The polynomial-based pair-wise key pre-distribution scheme is t + 1)t + )/-collusion resistant, where t is the degree of fx, y), that is to say, only if the adversary captured and compromised more than t + 1)t + )/ nodes, he/she can deduce fx, y). If t is designed as large as possible, it is impossible to capture so many nodes. Therefore, the polynomial to establish pairwise keys) in each replica is as same as that in one of the compromised nodes. According to the property of polynomial-based pair-wise key pre-distribution scheme, if a replica fabricates an ID and N which is different from what it replicated, it cannot establish pair-wise key with its non-compromised neighbors and cannot participate in network operations. Considering the situation from replica node r s viewpoint, it attempts to mask its existence and participate in network by sending Hello message with a wrong ID or N. Or even more, it uses a legal ID and N which belongs to a non-compromised node and attempts to make that node more apparent. Since its neighbor u generates a different pair-wise key, u cannot authenticate the OK message in the last phase of key establishment, and tampering is futile. That means any attempts by replicas to participate in network operations will expose their existence. The more replicas with the same ID) and the number of them connected to network, the more probability that they will be found. On the other side, any attempts by replicas to mask their presence by reducing the number of attempts to connect to the network will dramatically reduce the effect of node replication attacks. In a Sybile attack [4], a malicious node illegitimately claims multiple legal identities. But, in polynomialbased pair-wise key pre-distribution scheme, no one can use other s identity to establish pair-wise key with its neighbors, as shown above. In our scheme, an adversary cannot launch any Sybile attacks at all. Since all the communications between sensor nodes and base station are encrypted with their different shared keys and appended with a nonce which is a large random number, it is impossible for an adversary to eavesdrop on the communications, modify the contents or launch a replay attack. An adversary can randomly generate a bit array and deliver it as a valid Counting Bloom Filter to disrupt the protocol. But he/she should firstly guarantee that it is a valid one. Theorem 4. If there are m counters and h hash functions in Counting Bloom Filter, the probability, that a randomly generated bit array is valid, is less than / ) m P r = 1 m1 1/m) hn where n is the number of elements inserted. 35) Proof. From 5), the probability a certain counter is after n elements have been inserted is 1 1/m) hn. Therefore, after n elements have been inserted, about m1 1/m) hn counters are. Only if in the randomly generated bit array, these counters are also, while the rest of counters are not, the bit array is possible to be

10 Xiao-Ming Deng et al.: Detection of Node Replication Attacks in Mobile WSNs 741 a valid one. So, the probability is less than / ) m P r = 1 m1 1/m) hn. For example, we assume a Counting Bloom Filter has the parameters: m = 1, h = 4, n = 1. The probability a randomly generated bit string forms a valid Counting Bloom Filter in this case is less than This indicates that this attack does not work. But a compromised node can generate a valid Counting Bloom Filter. While a compromised node exaggerates the number of pair-wise keys established by one of its non-compromised neighbors, since the neighbor also records that number in its own Counting Bloom Filter, the two values will be different. By balancing the two values, the base station can find that malicious node. In Blackhole attack and Greyhole attack [5], a malicious node drops or randomly drops) the messages forwarded to it. These two attacks are seemed to result in the replicas not being detected. However, the following shows that they are futile, too. Results from analysis of the Byzantine Generals Problem indicate that no security scheme is likely to be successful if 1/3 or more of the participants are malicious [6]. Because of this, we assume that the number of replicas is much less than that of non-replicated nodes. Dropped packets are more likely to describe the non-replicated nodes than the replicas. Therefore, dropping packets will not weaken the detection process. error rate for varying settings of the number of replicas and threshold value. Note that for threshold value is twice T N), the detection probability is about 99%, but the detection error rate is over 55%, which means that more than half of the sensor nodes in the network are detected as replicas. Therefore, setting the threshold value to T N) is not an advisable choice. When the threshold value is equal to 4 T N) or 5 T N), the detection error rate is less than 1, and the detection probability is very high except when there are only one or two replicas. Here, detection probability is determined by the number of detected replicas and the number of compromised nodes. And detection error rate is determined by the number of non-compromised nodes detected falsely and the number of non-compromised nodes. After setting the threshold value to 4 T N) and 5 T N), and letting replicas which have different IDs be deployed at different time intervals, the results of our simulations are shown in Fig.7. The x-axis indicates the different detection time, and the y-axis shows the number of replicas. We can see that the detection probability is not influenced by the detection time, and 7. Efficiency Analysis In our protocol, we use Counting Bloom Filters to collect the number of pair-wise keys established by each node, and let each node periodically send these collected data to the base station. Since each node participates in operation and the number of hops between nodes on a random graph is Olog n) [7] n is the number of nodes in the network), our protocol only requires On log n) communication for the entire network, which is lower than LSM [3] in LSM, the communication overhead is On n). 8 Results This section shows simulation results of testing our detection protocol. In the following simulations, we consider sensor network on a rectangular area of size. And the random waypoint model with parameters: V max = 3, V min = 1, t pause = ) is used. We fixed 5 sensor nodes in the network. Communication radius of each node is 5. And detection interval is 6. Fig.6 shows the detection probability and detection Fig.6. Detection probability and detection error rate. a) Detection probability. b) Detection error rate.

11 74 J. Comput. Sci. & Technol., July 11, Vol.6, No.4 Fig.7. Detection probability and detection error rate at different time. a) Threshold equal to 4 T N). b) Threshold equal to 5 T N). the detection error rate is not influenced by both the detection time and the number of replicas. Here, each detection probability is determined by the total number of replicas that have been detected and the total number of nodes that have compromised by that time point. And each detection error rate is determined by the total number of non-compromised nodes that have been mistakenly detected by that time point and the total number of non-compromised nodes in the network. 9 Conclusion In this paper, we propose a new protocol for detection of node replication attacks in mobile WSNs, which do not base on the geographic location of each sensor node and do not assume that the resource-constrained devices are able to perform public key cryptographic operations. Polynomial-based pair-wise key pre-distribution scheme is used in our protocol to guarantee that the replicas can never lie about their real identifiers. And Counting Bloom Filters is used to collect the number of pair-wise keys established by each sensor node. Nodes whose number of pair-wise keys exceeds the threshold value are regarded as replicas and kicked out. When deriving the detection threshold, we give a method of deriving the expression for the expected number of pair-wise keys established by each node. This can be transformed into a very useful way of analyzing the calculation overhead of key establishment in ad hoc network and improve the network performance. Analyses and simulations show that the protocol accurately detects the replicas in the mobile WSNs and supports their removal, and many possible attacks such as Sybile attack, eavesdrop, reply attack) are futile. Some aspects of the protocol need to be improved and many avenues exist for further research. For example, centralized detection using a base station is undesirable. It introduces a single point of failure into the network and can become a signification system bottleneck. Distributed mechanisms, such as that proposed in [-4], are needed. Acknowledgements The authors thank the anonymous reviewers for their helpful comments and suggestions. References [1] Akyildiz I F, Su W, Sankarasubramaniam Y, Cayirci E. A survey on sensor networks. IEEE Communications Magazine,, 48): [] Chan H, Perrig A. Security and privacy in sensor networks. Computer, 3, 361): [3] Parno B, Perrig A, Gligor V. Distributed detection of node

12 Xiao-Ming Deng et al.: Detection of Node Replication Attacks in Mobile WSNs 743 replication attacks in sensor networks. In Proc. IEEE Symposium on Security and Privacy, Oakland, USA, May 8-11, 5, pp [4] Conti M, Di Pietro R, Mancini L V, Mei A. A randomized, efficient, and distributed protocol for the detection of node replication attacks in wireless sensor networks. In Proc. the 8th ACM International Symposium on Mobile Ad Hoc Networking and Computing, New York, USA, Sept. 9-14, 7, pp [5] Zhu B, Addada V G K, Setia S, Jajodia S, Roy S. Efficient distributed detection of node replication attacks in sensor networks. In Proc. the 3rd Annual Computer Security Applications Conference, Miami Beach, USA, Dec. 1-14, 7, pp [6] Bekara C, Laurent-Maknavicius M. A New protocol for securing wireless sensor networks against nodes replication attacks. In Proc. the 3rd IEEE International Conference on Wireless and Mobile Computing, Networking and Communications, White Plains, USA, Oct. 8-1, 7, pp [7] Xing K, Liu F, Cheng X, Du D H C. Real-time detection of clone attacks in wireless sensor networks, In Proc. the 8th International Conference on Distributed Computing Systems, Beijing, China Jun. 17-, 8, pp.3-1. [8] Brooks R, Govindaraju P Y, Pirretti M, Vijaykrishnan N, Kandemir M T. On the detection of clones in sensor networks using random key predistribution. IEEE Trans. Systems, Man, and Cybernetics, 7, 376): [9] Fu F, Liu J, Yin X. Space-time related pairwise key predistribution scheme for wireless sensor networks. In Proc. Int. Conference on Wireless Communications, Networking and Mobile Computing, Shanghai, China, Sept. 1-5, 7, pp [1] Yu C, Lu C, Kuo S. Mobile sensor network resilient against node replication attacks. In Proc. the 5th Annual IEEE Communications Society Conference on Sensor, Mesh and Ad Hoc Communications and Networks, San Francisco, USA, Jun. 16-, 8, pp [11] Johnson D B, Maltz D A. Dynamic source routing in ad hoc wireless networks. Mobile Computing, 1996, 353: [1] Sichitiu M L, Veerarittiphan C. Simple, accurate time synchronization for wireless sensor networks. In Proc. Wireless Communications and Networking, New Orleans, USA, Mar., 3, pp [13] Kyoung-lae N, Serpedin E, Qaraqe K. A new approach for time synchronization in wireless wensor networks: Pairwise broadcast synchronization. IEEE Trans. Wireless Communications, 8, 79): [14] Blundo C, Suntis A D, Herzbeg A, Kutten S, Vaccaro U, Yung M. Perfectly secure key distribution for dynamic conferences. In Proc. the 1th Annual Int. Cryptology Conference on Advances in Cryptology, Santa Barbara, USA, Aug. 16-, 199, pp [15] Blom R. An optimal class of symmetric key generation systems. In Proc. EUROCRYPT 1984 Workshop on Advances in Cryptology: Theory and Application of Cryptographic Techniques, 1985, pp [16] Blundo C, Santis A D, Herzberg A, Kutten S, Vaccaro U, Yung M. Perfectly-secure key distribution for dynamic conferences. In Proc. the 1th Annual Int. Cryptology Conference on Advances in Cryptology, Santa Barbara, USA, Aug. 16-, 199, pp [17] Perrig A, Szewczyk R, Tygar J D, Wen V, Culler D E. SPINS: Security protocols for sensor networks. Wirel. Netw., Sept.,, 85): [18] Bloom B H. Space/time trade-offs in hash coding with allowable errors. Commun. ACM, 197, 137): [19] Bonomi F, Mitzenmacher M, Panigrahy R, Singh S, Varghese G. An improved construction for Counting Bloom Filters. In Proc. the 14th Conference on Annual European Symposium, Zurich, Switzerland, Sept , 6, pp [] Fan L, Cao P, Almeida J, Broder A Z. Summary cache: A scalable wide-area Web cache sharing protocol. IEEE/ACM Trans. Networking,, 83): [1] Huffman D A. A method for the construction of minimumredundancy codes. Proc. I.R.E., September, 195, 49): [] Lin G, Noubir G, Rajaraman R. Mobility models for ad hoc network simulation. In Proc. the 3rd Annual Joint Conf. IEEE Computer and Communications Societies, Hong Kong, China, Mar. 7-11, 4, p.463. [3] Bettstetter C, Hartenstein H, Pérez-Costa X. Stochastic properties of the random waypoint mobility model: Epoch length, direction distribution, and cell change rate. In Proc. the 5th ACM Int. Workshop on Modeling Analysis and Simulation of Wireless and Mobile Systems, Atlanta, USA, Sept. 8,, pp [4] Karlof C, Wagner D. Secure routing in wireless sensor networks: Attacks and countermeasures. In Proc. the 1st IEEE Int. Workshop on Sensor Network Protocols and Applications, Anchrorage, USA, May 11, 3, pp [5] Deng H, Li W, Agrawal D P. Routing security in wireless ad hoc networks. Communications Magazine, IEEE,, 41): [6] Brooks R R, Iyengar S S. Multi-Sensor Fusion: Fundamentals and Applications with Software. Upper Saddle River: Prentice-Hall, NJ, [7] Watts D. Small Worlds. Princeton: Princeton Univ. Press, NJ, Xiao-Ming Deng received the B.S. degrees in information security from University of Science and Technology of China in. He is currently pursuing his Ph.D. degree in computer science at University of Science and Technology of China. His research focuses on information security, distributed computing and trust computing. Yan Xiong received the B.S., M.S. and Ph.D. degrees in computer science from University of Science and Technology of China in 1983, 1986 and 1988, respectively. He is currently a professor in Science and Technology of China. His research interests include computer networks, distributed system, mobile computing, information security and trust computing.