无线传感器网络的拒绝服务攻击

在无线传感器网络的应用中,维护网络的可用性是尤为重要的。拒绝服务的攻击(Denial-of-service,DoS) 就是要降低甚至摧毁整个网络的功能,让网络彻底不可用。鉴于传感器节点自身资源的限制,必须要采取一些恰当的安全机制来预防拒绝服务的攻击。文章从传感器网络各层所遭受的各种常见的拒绝服务攻击出发,探讨传感器节点应对DoS 攻击的策略与方法。     

基于相邻区域协作的轻量级无线传感器网络安全认证协议

为资源受限的无线传感器网络节点提供秘钥认证方案是一项具有挑战性的工作。文章提出了一种轻量级的基于相邻区域协作的无线传感器网络安全认证协议,采用对称密钥加密技术以及密钥预分配的策略。每个节点只需要发送两条广播信息,即可完成对网络的密钥分配任务从而达到高效节能的目的。通过与其他传统的安全认证协议进行比较分析可以看出,我们的秘钥分配方案在安全认证、抵御重放攻击以及节能等方面更具优势。     

WSNs中基于秘密共享的身份认证协议

身份认证是无线传感器网络安全的第一道屏障。针对现有无线传感器网络中的身份认证协议的效率和安全问题,基于Shamir门限秘密共享方案提出一种低功耗的身份认证协议。在不降低网络安全性的前提下,通过多个已认证节点对新节点进行身份认证,能够有效的降低认证过程中的计算量。认证过程中使用单向散列函数对通信数据进行加密并且运用时间戳机制抵御重放攻击。分析结果表明协议具有低功耗的特点,并且能够抵御窃听攻击、重放攻击以及少数节点被俘虏的攻击。     

基于可集的无线传感器网络路由切换协议

由于无线传感器网络通常工作在无人值守的环境中，因此容易遭受到各种拒绝服务攻击。如何避开受攻击的网络区域而将数据安全传输至目的地对于减少拒绝服务攻击的危害和维护网络可用性有着至关得要的意义。首先讨论了节点可信集模型的建立，然后基于这个模型研究了在不同的网络区域中节点对下一跳路由的选择。并提出了一种路由的保护机制，最后是对该领域研究的总结和展望。     

基于可信集的无线传感器网络路由切换协议

由于无线传感器网络通常工作在无人值守的环境中，因此容易遭受到各种拒绝服务攻击。如何避开受攻击的网络区域而将数据安全传输至目的地对于减少拒绝服务攻击的危害和维护网络可用性有着至关重要的意义。首先讨论了节点可信集模型的建立，然后基于这个模型研究了在不同的网络区域中节点对下一跳路由的选择，并提出了一种路由的保护机制，最后是对该领域研究的总结和展望。     

ad hoc网络组播对于DoS攻击畦抵抗策略分析

与固定有线网络相比,无线ad hoc网络动态的拓扑结构、脆弱的无线信道、网络有限的通信带宽以及节点兼备主机和路由功能等特点,使得网络容易遭受拒绝服务（DOS）攻击。文章针对ad hoc网络的组播应用在抵御DoS攻击方面的不足,提出外部和内部两种组播DoS泛洪攻击模型,同时针对ad hoc网络组播组内的攻击提出相应的两种抵抗策略和具体实现步骤。     

基于多路径切换的无线传感器网络DoS攻击防御研究

由于无线传感器网络通常工作在无人值守的环境中,因此容易遭受到各种拒绝服务攻击。如何避开受攻击的网络区域而将数据安全传输至目的地对于减少拒绝服务攻击的危害和维护网络可用性有着至关重要的意义。文章首先讨论了传输路径的建立,然后基于这个模型研究了当网络中存在拒绝服务攻击时,节点如何进行传输路径的重建和切换,最后是对该领域研究的总结和展望。     

基于博弈论的无线传感网络节点攻防优化

针对无线传感器网络各节点在安全需求与资源消耗上存在的矛盾,提出一种基于博弈论的无线传感网络节点优化博弈模型.首先,通过分析网络节点中攻击方的攻击代价与防守方的防守开销,基于博弈论分析攻防双方的效用函数并构造攻防博弈模型;其次,根据网络节点中攻防双方选择的不同行动策略,结合信息论技术将攻防双方抽象成随机变量,并设计博弈信...     

防御无线传感器网络Sybil攻击的新方法

在传感器网络中,Sybil 攻击是一类主要的攻击手段.通过随机秘密信息预分配,利用节点身份证人确认机制,提出了防御传感器网络Sybil 攻击的新方案并进行了综合性能分析.在新方案中,基于单向累加器建立了传感器网络节点秘密信息管理和分配方案,在共享密钥建立阶段,提出了传感器网络认证对称密钥建立协议,并在universally composable(UC)安全模型中对该协议进行了可证明安全分析,该协议可建立网络邻居节点之间惟一的对称密钥.     

基于生物特征标识的无线传感器网络三因素用户认证协议

为满足高安全级别场景（如军事、国家安全、银行等）的应用需求,进一步提高无线传感器网络用户认证协议的安全性,提出了基于生物特征识别的三因素用户认证协议.针对Althobaiti协议无法防御节点妥协攻击、模拟攻击、中间人攻击和内部特权攻击的安全缺陷,增加智能卡和密码作为协议基本安全因素,并利用生物特征标识信息生成函数与回复函数处理的生物特征标识作为附加安全因素;在密钥管理中,为每个节点配置了与网关节点共享唯一密钥,保证认证过程的独立性与安全性;实现用户自主选择与网关节点的共享密钥,提高公共信道通信的安全性;在网关节点不参与的情况下,设计密码和生物特征标识更新机制,保证二者的新鲜性.通过Dolev-Yao拓展威胁模型的分析与AVISPA的OFMC分析终端的仿真,结果证明该认证协议克服了Althobaiti协议安全缺陷,且对计算能力的需求小于公钥加密.权衡安全性与计算成本,该协议适用于资源受限且安全需求高的无线传感器网络应用.     

HEAP: A packet authentication scheme for mobile ad hoc networks

In mobile ad hoc networks (MANETs) and wireless sensor networks (WSNs), it is easy to launch various sophisticated attacks such as wormhole, man-in-the-middle and denial of service (DoS), or to impersonate another node. To combat such attacks from outsider nodes, we study packet authentication in wireless networks and propose a hop-by-hop, efficient authentication protocol, called HEAP. HEAP authenticates packets at every hop by using a modified HMAC-based algorithm along with two keys and drops any packets that originate from outsiders. HEAP can be used with multicast, unicast or broadcast applications. We ran several simulations to compare HEAP with existing authentication schemes, such as TESLA, LHAP and Lu and Pooch’s algorithm. We measured metrics such as latency, throughput, packet delivery ratio, CPU and memory utilization and show that HEAP performs very well compared to other schemes while guarding against outsider attacks.     

Access control in wireless sensor networks

Nodes in a sensor network may be lost due to power exhaustion or malicious attacks. To extend the lifetime of the sensor network, new node deployment is necessary. In military scenarios, adversaries may directly deploy malicious nodes or manipulate existing nodes to introduce malicious “new” nodes through many kinds of attacks. To prevent malicious nodes from joining the sensor network, access control is required in the design of sensor network protocols. In this paper, we propose an access control protocol based on Elliptic Curve Cryptography (ECC) for sensor networks. Our access control protocol accomplishes node authentication and key establishment for new nodes. Different from conventional authentication methods based on the node identity, our access control protocol includes both the node identity and the node bootstrapping time into the authentication procedure. Hence our access control protocol cannot only identify the identity of each node but also differentiate between old nodes and new nodes. In addition, each new node can establish shared keys with its neighbors during the node authentication procedure. Compared with conventional sensor network security solutions, our access control protocol can defend against most well-recognized attacks in sensor networks, and achieve better computation and communication performance due to the more efficient algorithms based on ECC than those based on RSA.     

Novel Trusted Hierarchy Construction for RFID Sensor–Based MANETs Using ECCs

In resource‐constrained, low‐cost, radio‐frequency identification (RFID) sensor–based mobile ad hoc networks (MANETs), ensuring security without performance degradation is a major challenge. This paper introduces a novel combination of steps in lightweight protocol integration to provide a secure network for RFID sensor–based MANETs using error‐correcting codes (ECCs). The proposed scheme chooses a quasi‐cyclic ECC. Key pairs are generated using the ECC for establishing a secure message communication. Probability analysis shows that code‐based identification; key generation; and authentication and trust management schemes protect the network from Sybil, eclipse, and de‐synchronization attacks. A lightweight model for the proposed sequence of steps is designed and analyzed using an Alloy analyzer. Results show that selection processes with ten nodes and five subgroup controllers identify attacks in only a few milliseconds. Margrave policy analysis shows that there is no conflict among the roles of network members.     

Security and key management in IoT‐based wireless sensor networks: An authentication protocol using symmetric key

Wireless sensor networks (WSN) consist of hundreds of miniature sensor nodes to sense various events in the surrounding environment and report back to the base station. Sensor networks are at the base of internet of things (IoT) and smart computing applications where a function is performed as a result of sensed event or information. However, in resource‐limited WSN authenticating a remote user is a vital security concern. Recently, researchers put forth various authentication protocols to address different security issues. Gope et al presented a protocol claiming resistance against known attacks. A thorough analysis of their protocol shows that it is vulnerable to user traceability, stolen verifier, and denial of service (DoS) attacks. In this article, an enhanced symmetric key‐based authentication protocol for IoT‐based WSN has been presented. The proposed protocol has the ability to counter user traceability, stolen verifier, and DoS attacks. Furthermore, the proposed protocol has been simulated and verified using Proverif and BAN logic. The proposed protocol has the same communication cost as the baseline protocol; however, in computation cost, it has 52.63% efficiency as compared with the baseline protocol.     

无线传感器网络节点复制攻击和女巫攻击防御机制研究

在无线传感器网络(WSNs)中,节点复制攻击和女巫攻击可扰乱数据融合和阈值选举等网络操作.发起这两种攻击需先通过邻居发现认证过程.考虑到在WSNs中发起邻居认证是不频繁的,提出了一种基于单向密钥链的ID认证防御机制(OKCIDA),降低攻击者在任何时间段发起这两种攻击的可能性.然后基于椭圆曲线离散对数问题,构造对称参数,并组合OKCIDA和利用节点邻居关系,提出了一种无需位置的邻居认证协议(LFNA),以阻止复制节点和女巫节点成功加入网络.最后给出了安全性证明和分析,并在安全和开销方面将LFNA与已有典型防御方案进行了比较,结果表明该方案具有一定的优势.     

A secure broadcasting scheme to provide availability,reliability and authentication for wireless sensor networks

Reliability and security of broadcasting is critical in Wireless Sensor Networks (WSNs). Since reliability and security compete for the same resources, we are interested in jointly solving for error control coding (to achieve reliability) and integrity for a broadcast scenario. We assume Byzantine attacks in which the adversary can compromise nodes and then drop (or modify) the legitimate packets or inject its own packets. For reliable and efficient multihop broadcasting, it is critical to reduce the energy consumption and latency. To prevent the adversary from consuming the scarce network resources by injecting bogus packets, each receiver node should make sure that packets it receives are authentic and it filters out malicious packets immediately. We build our authentication scheme, on top of a reliable and energy efficient broadcasting protocol called Collaborative Rateless Broadcast (CRBcast) to improve efficiency and reliability. On contrary to the previous schemes, our scheme is resilient with respect to Byzantine adversary as well as routing and flooding attacks and protocol exploits. Moreover, we compared our scheme with the previously proposed broadcast authentication schemes and showed that our scheme outperforms them in terms of efficiency and data availability. This is a crucial improvement over the previous schemes that ensure availability by flooding, introducing very large communication overhead and latency.     

A Novel Trust-Aware Geographical Routing Scheme for Wireless Sensor Networks

Wireless sensor networks are vulnerable to a wide set of security attacks, including those targeting the routing protocol functionality. The applicability of legacy security solutions is disputable (if not infeasible), due to severe restrictions in node and network resources. Although confidentiality, integrity and authentication measures assist in preventing specific types of attacks, they come at high cost and, in most cases, cannot shield against routing attacks. To face this problem, we propose a secure routing protocol which adopts the geographical routing principle to cope with the network dimensions, and relies on a distributed trust model for the detection and avoidance of malicious neighbours. A novel function which adaptively weights location, trust and energy information drives the routing decisions, allowing for shifting emphasis from security to path optimality. The proposed trust model relies on both direct and indirect observations to derive the trustworthiness of each neighboring node, while it is capable of defending against an increased set of routing attacks including attacks targeting the indirect trust management scheme. Extensive simulation results reveal the advantages of the proposed model.     

Homomorphic Subspace MAC Scheme for Secure Network Coding

Existing symmetric cryptography‐based solutions against pollution attacks for network coding systems suffer various drawbacks, such as highly complicated key distribution and vulnerable security against collusion. This letter presents a novel homomorphic subspace message authentication code (MAC) scheme that can thwart pollution attacks in an efficient way. The basic idea is to exploit the combination of the symmetric cryptography and linear subspace properties of network coding. The proposed scheme can tolerate the compromise of up to r?1 intermediate nodes when r source keys are used. Compared to previous MAC solutions, less secret keys are needed for the source and only one secret key is distributed to each intermediate node.     

抗DoS攻击的多用户传感器网络广播认证方案

在vBNN-IBS签名基础上提出了一种抗DoS攻击的多用户传感器网络广播认证方案DDA-MBAS,利用散列运算及用户信息进行虚假数据过滤。与现有的多用户传感器网络广播认证方案相比,DDA-MBAS在抵抗节点妥协攻击、主动攻击的基础上,以较低的能耗过滤虚假消息并有效地限制了妥协用户发起的DoS攻击及共谋攻击的安全威胁。