Similar documents
Found 20 similar documents; search took 656 ms
1.
Jamming is a kind of Denial-of-Service attack in which an adversary purposefully emits radio frequency signals to corrupt the wireless transmissions among normal nodes. Although some research has been conducted on countering jamming attacks, few works consider jamming attacks launched by insiders, where an attacker first compromises some legitimate sensor nodes to acquire the common cryptographic information of the sensor network and then jams the network through those compromised nodes. In this paper, we address the insider jamming problem in wireless sensor networks. In our proposed solutions, the physical communication channel of a sensor network is determined by the group key shared by all the sensor nodes. When insider jamming happens, the network will generate a new group key to be shared only by the non-compromised nodes. After that, the insider jammers are revoked and will not be able to predict the future communication channels used by the non-compromised nodes. Specifically, we propose two compromise-resilient anti-jamming schemes: the split-pairing scheme which deals with a single insider jammer, and the key-tree-based scheme which copes with multiple colluding insider jammers. We implement and evaluate the proposed solutions using Mica2 Motes. Experimental results show that our solutions have low recovery latency and low communication overhead, and hence they are suitable for resource constrained sensor networks.

2.
In wireless mobile networks, group members join and leave the group frequently, a dynamic group key agreement protocol is required to provide a group of users with a shared secret key to achieve cryptographic goal. Most of previous group key agreement protocols for wireless mobile networks are static and employ traditional PKI. This paper presents an ID-based dynamic authenticated group key agreement protocol for wireless mobile networks. In Setup and Join algorithms, the protocol requires two rounds and each low-power node transmits constant size of messages. Furthermore, in Leave algorithm, only one round is required and none of low-power nodes is required to transmit any message, which improves the efficiency of the entire protocol. The protocol’s AKE-security with forward secrecy is proved under Decisional bilinear inverse Diffie-Hellman (DBIDH) assumption. It is additionally proved to be contributory.

3.
We present the design, implementation, and evaluation of CapMan, a capability-based security mechanism that prevents denial-of-service (DoS) attacks against mobile ad-hoc networks (MANETs). In particular, our approach is designed to mitigate insider attacks that exploit multi-path routing to flood with packets on other participating nodes in the network. CapMan is instantiated on every node and enforces capability limits that effectively regulate the traffic for all end-to-end network flows. Each capability is issued and advertised by the capability distribution module, and is globally maintained via the capability enforcement logic. By periodically exchanging small usage summaries, all cooperating nodes are informed of the global network state in a scalable and consistent manner. The distribution of summaries empowers individual nodes to make informed decisions and regulate traffic as dictated by the per-flow capabilities across multiple dynamic routing paths. We implemented a prototype of CapMan as a module of the NS2 simulator. We conducted extensive simulations with the prototype using AOMDV as the underlying multi-path routing protocol. Both theoretical analysis and experimental results validate that our mechanism can effectively curtail sophisticated DoS attacks that target multi-path routing in MANETs. We can protect the overall network health even when both the initiator and the responder are malicious insiders and collude in an attempt to deprive the network of valuable resources. Finally, our results show that CapMan introduces relatively small and configurable network overhead and imposes minimal impact on non-attacking traffic flows.

4.
Privacy and Security have become an indispensable matter of attention in the Vehicular Ad-Hoc Network, which is vulnerable to many security threats these days. One of them is the Denial of Service (DoS) attacks, where a malicious node forges a large number of fake identities, i.e., Internet Protocol (IP) addresses in order to disrupt the proper functioning of fair data transfer between two fast-moving vehicles. In this paper, a distributed and robust approach is presented to defend against DoS attacks. In this proposed scheme, the fake identities of malicious vehicles are analyzed with the help of consistent existing IP address information. Beacon packets are exchanged periodically by all the vehicles to announce their presence and to become aware of the next node. Each node periodically keeps a record of its database by exchanging the information in its environment. If some nodes observe that they have similar IP addresses in the database, these similar IP addresses are identified as DoS attacks. However, it can be expected that security attacks are likely to increase in the coming future due to more and more wireless applications being developed onto the well-known exposed nature of the wireless medium. In this respect, the network availability is exposed to many types of attacks. A DoS attack on the network availability is being elaborated in this paper. A model of a product interaction for DoS prevention has been developed called “IP-CHOCK” that will lead to the prevention of DoS attacks. The proposed approach will be able to locate malicious nodes without the requirement of any secret information exchange and special hardware support. Simulation results demonstrate that the detection rate increases when optimal numbers of nodes are forged by the attackers.

5.
Providing desirable data security, that is, confidentiality, authenticity, and availability, in wireless sensor networks (WSNs) is challenging, as a WSN usually consists of a large number of resource constraint sensor nodes that are generally deployed in unattended/hostile environments and, hence, are exposed to many types of severe insider attacks due to node compromise. Existing security designs mostly provide a hop-by-hop security paradigm and thus are vulnerable to such attacks. Furthermore, existing security designs are also vulnerable to many types of denial of service (DoS) attacks, such as report disruption attacks and selective forwarding attacks and thus put data availability at stake. In this paper, we seek to overcome these vulnerabilities for large-scale static WSNs. We come up with a location-aware end-to-end security framework in which secret keys are bound to geographic locations and each node stores a few keys based on its own location. This location-aware property effectively limits the impact of compromised nodes only to their vicinity without affecting end-to-end data security. The proposed multifunctional key management framework assures both node-to-sink and node-to-node authentication along the report forwarding routes. Moreover, the proposed data delivery approach guarantees efficient en-route bogus data filtering and is highly robust against DoS attacks. The evaluation demonstrates that the proposed design is highly resilient against an increasing number of compromised nodes and effective in energy savings.

6.
Multihop wireless networks rely on node cooperation to provide multicast services. The multihop communication offers increased coverage for such services but also makes them more vulnerable to insider (or Byzantine) attacks coming from compromised nodes that behave arbitrarily to disrupt the network. In this work, we identify vulnerabilities of on-demand multicast routing protocols for multihop wireless networks and discuss the challenges encountered in designing mechanisms to defend against them. We propose BSMR, a novel secure multicast routing protocol designed to withstand insider attacks from colluding adversaries. Our protocol is a software-based solution and does not require additional or specialized hardware. We present simulation results that demonstrate that BSMR effectively mitigates the identified attacks.

7.
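A design method for authentication protocols to defend against denial-of-service attacks   (total citations: 7, self-citations: 0, citations by others: 7)
A denial-of-service (DoS) attack is an active attack that prevents authorized users from obtaining service normally, and a large number of authentication protocols and key establishment protocols carry DoS weaknesses to varying degrees. This paper proposes a new method for defending authentication protocols and key establishment protocols that have no trusted third party against DoS attacks. The method can dynamically adjust the strength of the DoS defence, and it can reduce parallel session attacks and strengthen the security of the protocol.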

8.
Standard on-demand routing protocols in wireless ad hoc networks were not originally designed to deal with security threats. Because of that, malicious users have been finding ways to attack networks. Rushing attacks represent one of such possibilities. In these attacks, malicious nodes forward the Route Request (RREQ) packets, asking for a route, to the destination node quicker than the legitimate nodes do. This is possible because the legitimate nodes only forward the first received RREQ packet for a given route discovery. Besides, the attackers can tamper with either the Medium Access Control or routing protocols to get faster processing. As a result, the path through the malicious nodes is chosen, which renders throughput degradation. We propose here a novel, robust routing scheme to defend ad hoc networks against rushing attacks. Our scheme utilizes the “neighbor map mechanism” to establish robust paths as far as rushing attacks are concerned. The proposed scheme also improves path recovery delay by using, whenever it is possible, route maintenance rather than route discovery. Yet, it is energy efficient. The simulation results show that our proposal is indeed viable.

9.
Power-aware routing protocols in ad hoc wireless networks   (total citations: 5, self-citations: 0, citations by others: 5)
An ad hoc wireless network has no fixed networking infrastructure. It consists of multiple, possibly mobile, nodes that maintain network connectivity through wireless communications. Such a network has practical applications in areas where it may not be economically practical or physically possible to provide a conventional networking infrastructure. The nodes in an ad hoc wireless network are typically powered by batteries with a limited energy supply. One of the most important and challenging issues in ad hoc wireless networks is how to conserve energy, maximizing the lifetime of its nodes and thus of the network itself. Since routing is an essential function in these networks, developing power-aware routing protocols for ad hoc wireless networks has been an intensive research area in recent years. As a result, many power-aware routing protocols have been proposed from a variety of perspectives. This article surveys the current state of power-aware routing protocols in ad hoc wireless networks.

10.
In wireless sensor networks, sensor nodes are usually fixed to their locations after deployment. However, an attacker who compromises a subset of the nodes does not need to abide by the same limitation. If the attacker moves his compromised nodes to multiple locations in the network, such as by employing simple robotic platforms or moving the nodes by hand, he can evade schemes that attempt to use location to find the source of attacks. In performing DDoS and false data injection attacks, he takes advantage of diversifying the attack paths with mobile malicious nodes to prevent network-level defenses. For attacks that disrupt or undermine network protocols like routing and clustering, moving the misbehaving nodes prevents them from being easily identified and blocked. Thus, mobile malicious node attacks are very dangerous and need to be detected as soon as possible to minimize the damage they can cause. In this paper, we are the first to identify the problem of mobile malicious node attacks, and we describe the limitations of various naive measures that might be used to stop them. To overcome these limitations, we propose a scheme for distributed detection of mobile malicious node attacks in static sensor networks. The key idea of this scheme is to apply sequential hypothesis testing to discover nodes that are silent for unusually many time periods—such nodes are likely to be moving—and block them from communicating. By performing all detection and blocking locally, we keep energy consumption overhead to a minimum and keep the cost of false positives low. Through analysis and simulation, we show that our proposed scheme achieves fast, effective, and robust mobile malicious node detection capability with reasonable overhead.

11.
Wireless sensor networks (WSNs) have been vastly employed in the collection and transmission of data via wireless networks. This type of network is nowadays used in many applications for surveillance activities in various environments due to its low cost and easy communications. In these networks, the sensors use a limited power source which after its depletion, since it is non‐renewable, network lifetime ends. Due to the weaknesses in sensor nodes, they are vulnerable to many threats. One notable attack threatening WSN is Denial of Sleep (DoS). DoS attacks denote the loss of energy in these sensors by keeping the nodes from going into sleep and energy‐saving mode. In this paper, the Abnormal Sensor Detection Accuracy (ASDA‐RSA) method is utilized to counteract DoS attacks to reduce the amount of energy consumed. The ASDA‐RSA schema in this paper consists of two phases to enhance security in the WSNs. In the first phase, a clustering approach based on energy and distance is used to select the proper cluster head and in the second phase, the RSA cryptography algorithm and interlock protocol are used here along with an authentication method, to prevent DoS attacks. Moreover, ASDA‐RSA method is evaluated here via extensive simulations carried out in NS‐2. The simulation results indicate that the WSN network performance metrics are improved in terms of average throughput, Packet Delivery Ratio (PDR), network lifetime, detection ratio, and average residual energy.

12.
Because of the requirements of stringent latency, high‐connection density, and massive devices concurrent connection, the design of the security and efficient access authentication for massive devices is the key point to guarantee the application security under the future fifth Generation (5G) systems. The current access authentication mechanism proposed by 3rd Generation Partnership Project (3GPP) requires each device to execute the full access authentication process, which can not only incur a lot of protocol attacks but also result in signaling congestion on key nodes in 5G core networks when sea of devices concurrently request to access into the networks. In this paper, we design an efficient and secure privacy‐preservation access authentication scheme for massive devices in 5G wireless networks based on aggregation message authentication code (AMAC) technique. Our proposed scheme can accomplish the access authentication between massive devices and the network at the same time negotiate a distinct secret key between each device and the network. In addition, our proposed scheme can withstand a lot of protocol attacks including interior forgery attacks and DoS attacks and achieve identity privacy protection and group member update without sacrificing the efficiency. The Burrows Abadi Needham (BAN) logic and the formal verification tool: Automated Validation of Internet Security Protocols and Applications (AVISPA) and Security Protocol ANimator for AVISPA (SPAN) are employed to demonstrate the security of our proposed scheme.

13.
Wireless ad hoc and sensor networks are emerging with advances in electronic device technology, wireless communications and mobile computing with flexible and adaptable features. Routing protocols act as an interface between the lower and higher layers of the network protocol stack. Depending on the size of target nodes, routing techniques are classified into unicast, multicast and broadcast protocols. In this article, we give analysis and performance evaluation of tree‐based multicast routing in wireless sensor networks with varying network metrics. Geographic multicast routing (GMR) and its variations are used extensively in sensor networks. Multicast routing protocols considered in the analytical model are GMR, distributed GMR, demand scalable GMR, hierarchical GMR, destination clustering GMR and sink‐initiated GMR. Simulations are given with comparative analysis based on varying network metrics such as multicast group size, number of sink nodes, average multicast latency, number of clusters, packet delivery ratio, energy cost ratio and link failure rate. Analytical results indicate that wireless sensor network multicast routing protocols operate on the node structure (such as hierarchical, clustered, distributed, dense and sparse networks) and application specific parameters. Simulations indicate that hierarchical GMR is used for generic multicast applications and that destination clustering GMR and demand scalable GMR are used for distributed multicast applications. Copyright © 2012 John Wiley & Sons, Ltd.

14.
Quality-of-service (QoS) signaling protocols for mobile ad hoc networks (MANETs) are highly vulnerable to attacks. In particular, a class of denial-of-service (DoS) attacks can severely cripple network performance with relatively little effort expended by the attacker. A distributed QoS signaling protocol that is resistant to a class of DoS attacks on signaling is proposed. The signaling protocol provides QoS for real-time traffic and employs mechanisms at the medium access control (MAC) layer, which serve to avoid potential attacks on network resource usage. The key MAC layer mechanisms that provide support for the QoS signaling scheme include sensing of available bandwidth, traffic policing, and rate monitoring, all of which are performed in a distributed manner by the mobile nodes. The proposed signaling scheme achieves a compromise between signaling protocols that require the maintenance of per-flow state and those that are completely stateless. The signaling scheme scales gracefully in terms of the number of nodes and/or traffic flows in the MANET. The authors analyze the security properties of the protocol and present simulation results to demonstrate its resistance to DoS attacks.

15.
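Compared with fixed wired networks, wireless ad hoc networks have a dynamic topology, fragile wireless channels, limited communication bandwidth, and nodes that serve as both hosts and routers, all of which make the network susceptible to denial-of-service (DoS) attacks. Addressing the shortcomings of multicast applications in ad hoc networks in resisting DoS attacks, this article proposes two multicast DoS flooding attack models, external and internal, and, for attacks from within an ad hoc multicast group, proposes two corresponding resistance strategies together with concrete implementation steps.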

16.
Wireless mesh networks (WMNs) are considered as cost effective, easily deployable and capable of extending Internet connectivity. However, one of the major challenges in deploying reliable WMNs is preventing their nodes from malicious attacks, which is of particular concern as attacks can severely degrade network performance. When a DoS attack is targeted over an entire communication path, it is called a path-based DoS attack. We study the performance impact of path-based DoS attacks by considering attack intensity, medium errors, physical diversity, collusion and hop count. We setup a wireless mesh testbed and configure a set of experiments to gather realistic measurements, and assess the effects of different factors. We find that medium errors have significant impact on the performance of WMNs when a path-based DoS attack is carried out, and the impact is exacerbated by the MAC layer retransmissions. We show that due to physical diversity, a far attacker can lead to an increased performance degradation than a close-by attacker. Additionally, we demonstrate that the joint impact of two colluding attackers is not as severe as the joint result of individual attacks. We also discuss a strategy to counter path-based DoS attacks which can potentially alleviate the impact of the attack significantly.

17.
Yi  Dharma P.   Ad hoc Networks, 2007, 5(1):35-48
Wireless sensor networks are often deployed in hostile environments and operated on an unattended mode. In order to protect the sensitive data and the sensor readings, secret keys should be used to encrypt the exchanged messages between communicating nodes. Due to their expensive energy consumption and hardware requirements, asymmetric key based cryptographies are not suitable for resource-constrained wireless sensors. Several symmetric-key pre-distribution protocols have been investigated recently to establish secure links between sensor nodes, but most of them are not scalable due to their linearly increased communication and key storage overheads. Furthermore, existing protocols cannot provide sufficient security when the number of compromised nodes exceeds a critical value. To address these limitations, we propose an improved key distribution mechanism for large-scale wireless sensor networks. Based on a hierarchical network model and bivariate polynomial-key generation mechanism, our scheme guarantees that two communicating parties can establish a unique pairwise key between them. Compared with existing protocols, our scheme can provide sufficient security no matter how many sensors are compromised. Fixed key storage overhead, full network connectivity, and low communication overhead can also be achieved by the proposed scheme.

18.
For the energy limited wireless sensor networks, the critical problem is how to achieve the energy efficiency. Many attackers can consume the limited network energy, by the method of capturing some legal nodes then control them to start DoS and flooding attack, which is difficult to be detected by only the classic cryptography based techniques with common routing protocols in wireless sensor networks (WSNs). We argue that under the condition of attacking, existing routing schemes are low energy-efficient and vulnerable to inside attack due to their deterministic nature. To avoid the energy consumption caused by the inside attack initiated by the malicious nodes, this paper proposes a novel energy efficiency routing with node compromised resistance (EENC) based on Ant Colony Optimization. Under our design, each node computes the trust value of its 1-hop neighbors based on their multiple behavior attributes evaluation and builds a trust management by the trust value. By this way, sensor nodes act as router to achieve dynamic and adaptive routing, where the node can select much energy efficiency and faithful forwarding node from its neighbors according to their remaining energy and trust values in the next process of data collection. Simulation results indicate that the established routing can bypass most compromised nodes in the transmission path and EENC has high performance in energy efficiency, which can prolong the network lifetime.

19.
Node cooperation in hybrid ad hoc networks   (total citations: 2, self-citations: 0, citations by others: 2)
A hybrid ad hoc network is a structure-based network that is extended using multihop communications. Indeed, in this kind of network, the existence of a communication link between the mobile station and the base station is not required: A mobile station that has no direct connection with a base station can use other mobile stations as relays. Compared with conventional (single-hop) structure-based networks, this new generation can lead to a better use of the available spectrum and to a reduction of infrastructure costs. However, these benefits would vanish if the mobile nodes did not properly cooperate and forward packets for other nodes. In this paper, we propose a charging and rewarding scheme to encourage the most fundamental operation, namely packet forwarding. We use "MAC layering" to reduce the space overhead in the packets and a stream cipher encryption mechanism to provide "implicit authentication" of the nodes involved in the communication. We analyze the robustness of our protocols against rational and malicious attacks. We show that, using our solution, collaboration is rational for selfish nodes. We also show that our protocols thwart rational attacks and detect malicious attacks.

20.
Nowadays, authentication protocols are essential for secure communications, especially for roaming networks, distributed computer networks, and remote wireless communication. The numerous users in these networks raise vulnerabilities. Thus, privacy‐preserving methods have to be run to provide more reliable services and sustain privacy. Anonymous authentication is a method to remotely authenticate users with no revelation about their identity. In this paper, we analyze 2 smart card–based protocols in which the user's identity is anonymous. However, we represent that they are vulnerable to privileged insider attack. It means that the servers can compromise the users' identity for breaking their privacy. Also, we highlight that the Wen et al. protocol has flaws in both stolen smart card and stolen server attacks and the Odelu et al. protocol is traceable. Then, we propose 2 modified anonymous authentication protocols. Finally, we analyze our improved protocols with both heuristic and formal methods.
