Computer Science
CSC 774 Advanced Network Security
Topic 7.3 Secure and Resilient Location
Discovery in Wireless Sensor Networks
Dr. Peng Ning
CSC 774 Adv. Net. Security
Background -- Localization
• Data usually combined with locations
– Fire alarm, target tracking
• Traditional GPS
– Expensive; does not work indoors
• GPS-less localization techniques
– AHLoS, APS-AoA, DV-Hop, Centroid, APIT, etc.
[Figure legend: regular node, beacon node]
Attacks against Localization
• Compromise beacon nodes: wrong measurement or wrong location
• Impersonate beacon nodes: wrong measurement or wrong location
• Replay beacon signals: wrong measurement
• Challenges in defending against these attacks
– Resource constraints on sensor nodes
– Lack of physical protection
– Local collaboration vs. global threat
– Difficulty of authenticating beacon signals
Range-Based Localization
• A few beacon nodes with known locations.
• Two phases:
– Phase 1: Estimating distance (RSSI, TDoA, or ToA)
– Phase 2: Solving equations by using MMSE

$$
\begin{cases}
f_1 = d_1 - \sqrt{(x - x_1)^2 + (y - y_1)^2} \\
f_2 = d_2 - \sqrt{(x - x_2)^2 + (y - y_2)^2} \\
f_3 = d_3 - \sqrt{(x - x_3)^2 + (y - y_3)^2}
\end{cases}
\qquad \min F = f_1^2 + f_2^2 + f_3^2
$$

[Figure: beacon nodes A at (x1, y1), B at (x2, y2) and C at (x3, y3) around a node at (x, y)]
A, B, C: beacon nodes
Impact of Malicious Attacks
[Figure: location estimation error (0 to 14) vs. location error introduced by a malicious beacon (0 to 30), with curves for e_max=0, e_max=2 and e_max=4]
• Obtained through simulation
• MMSE with 1 malicious beacon signal + 9 benign beacon signals
• A single malicious signal → arbitrarily large location error
Attack-Resistant Location Discovery
• Goal
– Resilient location estimation when there are
malicious location references
• Our approaches
– Attack-resistant MMSE: identify “inconsistency”
among malicious and benign beacon signals
– Voting-based scheme: have each location
reference vote on the location of the non-beacon
node.
Assumptions
• Use a key management protocol that provides
a unique pair-wise key between any two nodes.
– E.g., TinyKeyMan
• This implies
– Each sensor node is uniquely identified
– Beacon packets can be authenticated
• The content, not the signal
Assumptions (Cont’d)
• Each sensor node uses at most one beacon
signal from each beacon node
– Represented as a location reference ⟨x_i, y_i, δ_i⟩
– Location of the beacon node and the measured
distance.
• Attacker model
– A malicious beacon node can provide arbitrary
location references
Attack-Resistant MMSE
• Observation: there is “inconsistency” between
benign and malicious location references
• Intuition: identify the most inconsistent
location references before final estimation
• Consistency metric (ς²): mean square error of distance measurement

$$\varsigma^2 = \sum_{i=1}^{m} \frac{\left(\delta_i - \sqrt{(\tilde{x} - x_i)^2 + (\tilde{y} - y_i)^2}\right)^2}{m}$$
Attack-Resistant MMSE (Cont’d)
• Ideally, get the largest consistent set of location
references
– MMSE can achieve more accurate result with more benign
location references
• What we have: check consistency, given a set of
location references and a pre-defined threshold τ
– If ς² > τ² → inconsistent; otherwise, consistent
• Two remaining questions
– How to determine the largest consistent set
– How to set an appropriate threshold
Determining the Largest Consistent Set
• A simple solution
– Try every combination of location references
– Expensive: 10 location references, and 5 of them in the largest consistent set → at least 387 MMSE operations
• Greedy algorithm
– Multiple rounds
– Remove the most inconsistent location reference in
each round
– Not guaranteed to find the largest consistent set
Greedy Algorithm
[Flowchart]
Input: a set of m location references and a predefined threshold τ
1. Set i = m and run the consistency test on the full set.
2. Consistent? Yes: find consistent set and output result.
3. No: is i > 3? No: fail to find consistent set.
4. Yes: run the consistency test on the subsets with i-1 items, keep the one with the smallest MSE, set i = i-1, and go back to step 2.

10 location references, and 5 of them in the largest consistent set → 50 MMSE operations on average
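The greedy rounds above, as an added Python example that is not code from the slides or the authors' implementation: a small Gauss-Newton solver stands in for the MMSE step. The beacon layout, measurement errors, the malicious reference and the threshold τ = 0.5 are constructed for illustration.

```python
import math
from itertools import combinations

def mmse(refs, iters=100):
    """Gauss-Newton fit minimising sum f_i^2; returns (x, y, mean square error)."""
    x = sum(r[0] for r in refs) / len(refs)      # start at the beacons' centroid
    y = sum(r[1] for r in refs) / len(refs)
    for _ in range(iters):
        a = b = c = gx = gy = 0.0
        for bx, by, d in refs:
            dist = max(math.hypot(x - bx, y - by), 1e-9)
            ux, uy, res = (x - bx) / dist, (y - by) / dist, dist - d
            a += ux * ux; b += ux * uy; c += uy * uy
            gx += ux * res; gy += uy * res
        det = a * c - b * b
        if abs(det) < 1e-12:
            break
        x -= (c * gx - b * gy) / det             # solve the 2x2 normal equations
        y -= (a * gy - b * gx) / det
    mse = sum((d - math.hypot(x - bx, y - by)) ** 2 for bx, by, d in refs) / len(refs)
    return x, y, mse

def ar_mmse(refs, tau):
    """Greedy rounds from the flowchart; returns (x, y, kept refs) or None."""
    kept = list(refs)
    x, y, mse = mmse(kept)
    while mse > tau ** 2:                        # inconsistent
        if len(kept) <= 3:
            return None                          # fail to find a consistent set
        fits = [(mmse(list(s)), list(s)) for s in combinations(kept, len(kept) - 1)]
        (x, y, mse), kept = min(fits, key=lambda f: f[0][2])   # smallest MSE
    return x, y, kept

# Constructed sample: true position and per-beacon measurement errors are made up.
TRUE = (12.0, 9.0)
BENIGN = [(2, 3, 0.3), (25, 4, -0.2), (5, 24, 0.1), (27, 26, -0.3), (28, 14, 0.2)]
REFS = [(bx, by, math.hypot(TRUE[0] - bx, TRUE[1] - by) + e) for bx, by, e in BENIGN]
MALICIOUS = (20.0, 28.0, 3.0)   # declares distance 3 but is about 20.6 away
TAU = 0.5                       # assumed threshold, not a value from the slides

def location_error(est):
    """Distance between an estimate (x, y, ...) and the constructed true position."""
    return math.hypot(est[0] - TRUE[0], est[1] - TRUE[1])

if __name__ == "__main__":
    print("MMSE    error:", location_error(mmse(REFS + [MALICIOUS])))
    print("AR-MMSE error:", location_error(ar_mmse(REFS + [MALICIOUS], TAU)))
```

With six references the first round tries the six subsets of five; only the subset without the lying beacon passes the consistency test.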
Threshold τ
• Investigate the distribution of MSE ς² when there is no malicious attack
• If the measurement errors are independent, we have

$$\lim_{m \to \infty} F[\varsigma^2 \le \varsigma_0^2] = \Phi\!\left(\frac{m\varsigma_0^2 - \mu'}{\sigma'}\right)$$

where μ_i and σ_i are the mean and variance of e_i², and

$$\mu' = \sum_{i=1}^{m} \mu_i, \qquad \sigma' = \sqrt{\sum_{i=1}^{m} \sigma_i^2}$$
Theoretical Results vs. Simulation Results
[Figure: cumulative distribution (0 to 1) over a horizontal axis from 0 to 2; theoretical and simulated curves for m=4, m=5 and m=9]
The threshold should not be too small or too large.
Voting-Based Scheme
• Partition the target
field into grid with M
small squares (cells)
• Each location
reference votes on the
possible locations of
node
• Identify the cell (or cells) with the largest vote
[Figure: grid of cells with vote counts (1 to 3) around beacon nodes A, B, C and D; ring radii labelled max(0, δ-ε) and δ+ε]
Overlap Test
• No overlap between the cell and the ring iff
– The maximum distance from A to a point in the cell dmax(A) < max(0, δ-ε), or
– The minimum distance from A to a point in the cell dmin(A) > δ+ε
Granularity M
• Fine granularity (large M) results in high accuracy but
high computation and storage cost,
• Coarse granularity (small M) results in low accuracy
but low computation and storage cost
Iterative Refinement
• Idea
– Repeat the basic voting algorithm on the result of the last voting round
• Stop conditions
– Achieve the required accuracy (size of cells)
– Size of the cell cannot be reduced anymore
• We use the second stop condition in our experiments
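The voting scheme, the overlap test and the iterative refinement described above, as an added Python example (not the authors' TinyOS code). Refining on the bounding box of the winning cells, the `max_rounds` cap, ε = 0.5 and the sample references (one lying beacon among five benign ones) are assumptions made for illustration.

```python
import math

def overlaps(cell, ref, eps):
    """Overlap test: does the cell (x0, y0, x1, y1) touch the beacon's ring?"""
    x0, y0, x1, y1 = cell
    bx, by, delta = ref
    d_min = math.hypot(max(x0 - bx, 0.0, bx - x1), max(y0 - by, 0.0, by - y1))
    d_max = math.hypot(max(abs(bx - x0), abs(bx - x1)),
                       max(abs(by - y0), abs(by - y1)))
    return not (d_max < max(0.0, delta - eps) or d_min > delta + eps)

def vote(area, refs, eps, n):
    """One round on an n-by-n grid over area; returns (top-voted cells, top vote)."""
    x0, y0, x1, y1 = area
    w, h = (x1 - x0) / n, (y1 - y0) / n
    cells = [(x0 + i * w, y0 + j * h, x0 + (i + 1) * w, y0 + (j + 1) * h)
             for i in range(n) for j in range(n)]
    votes = [sum(overlaps(c, r, eps) for r in refs) for c in cells]
    top = max(votes)
    return [c for c, v in zip(cells, votes) if v == top], top

def locate(area, refs, eps, n=10, max_rounds=6):
    """Iterative refinement: vote again inside the bounding box of the winners."""
    top = 0
    for _ in range(max_rounds):                  # assumed cap on refinement rounds
        winners, top = vote(area, refs, eps, n)
        box = (min(c[0] for c in winners), min(c[1] for c in winners),
               max(c[2] for c in winners), max(c[3] for c in winners))
        if box == area:                          # the box no longer shrinks
            break
        area = box
    return (area[0] + area[2]) / 2, (area[1] + area[3]) / 2, top

# Constructed sample: true position and per-beacon measurement errors are made up.
TRUE = (12.0, 9.0)
BENIGN = [(2, 3, 0.3), (25, 4, -0.2), (5, 24, 0.1), (27, 26, -0.3), (28, 14, 0.2)]
REFS = [(bx, by, math.hypot(TRUE[0] - bx, TRUE[1] - by) + e) for bx, by, e in BENIGN]
MALICIOUS = (20.0, 28.0, 3.0)    # declares distance 3 but is about 20.6 away
EPS = 0.5                        # assumed maximum measurement error
FIELD = (0.0, 0.0, 30.0, 30.0)   # constructed square target field

if __name__ == "__main__":
    x, y, top = locate(FIELD, REFS + [MALICIOUS], EPS)
    print("estimate:", (round(x, 2), round(y, 2)), "top vote:", top)
```

The lying beacon's ring never reaches the cells where the five benign rings meet, so its vote is simply outnumbered and no reference has to be identified as malicious.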
Simulation Evaluation
• Evaluate the ability of the proposed methods to
tolerate malicious attacks
• Three attack scenarios
– One malicious location reference (9 + 1)
– Multiple non-colluding malicious location references (9 + 3)
– Multiple colluding malicious location references (9 + 3)
• Configuration:
– 30m X 30m target field
– Radio signal range 22m
– Distance error evenly distributed in (−4, 4)
Evaluation of Attack-Resistant MMSE
[Figure: location estimation error (log scale, 1 to 100) vs. location error introduced by malicious beacons (0 to 100); curves: MMSE without malicious, MMSE with 1 malicious, MMSE with 3 non-colluding, MMSE with 3 colluding, AR-MMSE with 1 malicious, AR-MMSE with 3 non-colluding, AR-MMSE with 3 colluding]
Evaluation of Voting-Based Scheme
[Figure: location estimation error (log scale, 1 to 100) vs. location error introduced by malicious beacons (0 to 100); curves: MMSE-1 Malicious, MMSE-3 Malicious, MMSE-3 Collusion, Voting-1 Malicious, Voting-3 Malicious, Voting-3 Collusion]
Comparison
[Figure: location estimation error (log scale, 1 to 100) vs. location error created by malicious beacon (0 to 100); curves: AR-MMSE-1 Malicious, AR-MMSE-3 Malicious, AR-MMSE-3 Collusion, Voting-1 Malicious, Voting-3 Malicious, Voting-3 Collusion]
Figure annotation: Due to the non-optimal solution given by greedy algorithm.
Implementation
• Target at MICA2 motes running TinyOS
Code Size (byte)   ROM     RAM
MMSE               2,034   286
AR-MMSE            3,226   396
Voting-Based       4,488   174
Execution Time
[Figure: execution time in seconds (log scale, 0.001 to 10) vs. number of location references (4 to 26); curves: MMSE, AR-MMSE, Voting]
1 malicious location reference   4, e  10
Field Experiment
• Use RSSI to measure distance
[Figure: grid with both axes running from 0 to 10 and a "4feet" scale label, showing the sensor (ID=0) and seven beacons]
Beacon ID=1: (1,3)
Beacon ID=2: (2,6)
Beacon ID=3: (4,4)
Beacon ID=4: (4,9)
Beacon ID=5: (9,5)
Beacon ID=6: (7,1)
Beacon ID=7: (8,8)
1 Malicious Beacon
[Figure: location estimation error (log scale, 0.1 to 100) vs. location error created by malicious beacon (0 to 120); curves: MMSE, AR-MMSE, Voting]
3 Non-Colluding Malicious Beacons
[Figure: location estimation error (log scale, 0.1 to 100) vs. location error created by malicious beacon (0 to 120); curves: MMSE, AR-MMSE, Voting]
3 Colluding Malicious Beacons
[Figure: location estimation error (log scale, 0.1 to 100) vs. location error created by malicious beacon (0 to 120); curves: MMSE, AR-MMSE, Voting]
Conclusion
• We have been investigating various techniques
to secure localization in sensor networks
– Prevention
– Toleration
– Detection and response
• Future work
– Lightweight secure and resilient solutions
– Secure and resilient localization for dynamic
sensor networks