}w!"#$%&'()+,-./012345<ya

Transcription

1 MASARYKOVA UNIVERZITA FAKULTA INFORMATIKY }w!"#$%&'()+,-./012345<ya Design, implementation and simulation of intrusion detection system for wireless sensor networks MASTER S THESIS Bc. Lumír Honus Brno, spring 2009

2 Declaration Hereby I declare, that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Advisor: RNDr. Andriy Stetsko ii

3 Acknowledgement I would like to express my thanks to my supervisor RNDr. Andriy Stetsko and to Bc. Barbora Micenková. I am gratefull to Bc. Jana Jourová for moral support. iii

4 Abstract In this master s thesis, a simple intrusion detection system (IDS) for wireless sensor networks is designed and implemented. The proposed IDS is based on watchdog monitoring technique and is able to detect selective forwarding attacks. Besides, the improvements that make watchdog monitoring technique more reliable are described and the results of simulations of the IDS on TOSSIM simulator are presented. iv

5 Keywords Wireless Sensor Networks, Intrusion Detection System, Watchdog Monitoring Technique v

6 Contents 1 Introduction Wireless Sensor Networks Applications Hardware Platforms Security Objectives Attacker model Possible Attacks TinyOS Versions NesC TinyOS Architecture Boot Sequence Concurrency Hardware Abstraction Architecture Intrusion Detection Systems IDS Classification Watchdog Monitoring Regular Collisions Ambiguous Collisions Partial Dropping Receiver Collisions Limiting The Transmission Power Radio Stack Collection Tree Protocol Active Message Layer Hardware Dependent Radio Stack on TMote Sky Receiving Message Transmitting a Message TOSSIM Sending message TOSSIM Shortcomings and Problems Implementation System Overview Tapping communication Scheduler Statistics Manager Detection Manager Selective Forwarding Engine Advanced Selective Forwarding Engines

7 6.6 Response Module Deployment and Simulation Deployment on Tmote Sky Deployment on TOSSIM Simulation Error ratio Advanced selective forwarding engine Simulation with attackers Conclusion

8 Chapter 1 Introduction The wireless sensor networks (WSNs) are often deployed in physically insecure environment where we can hardly prevent attackers from the physical access to the devices. Since making nodes resistant to physical tampering would make them much more expensive, we have to reckon that an attacker may capture the nodes and retrieve the cryptographic material via physical tampering. In this master s thesis we will design and implement a simple intrusion detection system based on watchdog monitoring technique. The intrusion detection system will be deployed on network that uses Collection Tree Protocol (CTP) for gathering data measured on nodes, and will be able to detect selective forwarding attacks. We will focus on problems that are related to watchdog monitoring technique and we will present improvements in this technique that make watchdog monitoring technique more reliable on network with a large number of ambiguous collisions. In the second chapter we will present the wireless sensor networks and describe the security objectives we would like to achive. Besides, the attacker models that should be taken into account in WSN will be presented and the basic attacks that attackers can perform will be described. We have implemented our intrusion detection system for nodes using TinyOS. In the third chapter, we will take a closer look on this operating system. In the fourth chapter, we will give a brief overview over intrusion detection systems and look at watchdog monitoring technique in detail. In addition, we will also describe problems that affect the watchdog monitoring technique accuracy in the real environment and techniques that intruder may use to confuse our intrusion detection system. In the next chapter, we describe the radio stack from the top to the bottom. We also compare hardware dependent radio stack on physical nodes that uses CC2420 radio and radio stack on TOSSIM simulator. At last, we will point out the problems that make simulation of our IDS inaccurate and we will describe the steps that we had to do to improve it. The sixth chapter is devoted to the description of our intrusion detection system. First, we will give a brief overview of system architecture and then we will describe individual components of the system. In the seventh chapter we will give instructions on how to deploy our intrusion detection system and present the results of simulations on revised TOSSIM. 3

9 Chapter 2 Wireless Sensor Networks A wireless sensor network is an ad-hoc network composed of a large number of small inexpensive devices denoted as nodes (motes). These nodes are battery-operated devices capable of communicating with each other without relying on any fixed infrastructure. Base Station (Sink) Internal Node Leaf Node Figure 2.1: Wireless Sensor Network A typical WSN (see Figure 2.1) consists of base station and nodes that sense the enviroment and send data to the base station. The base station (also denoted as sink or gateway) is more powerfull than other nodes and serves as an interface to the outer world. When any node needs to send a message to the base station that is outside of its radio range, it sends it through internal nodes. The internal nodes are the same as others, but besides of local sensing they also provide forwarding service for others. A typical wireless sensor node is equipped with one or more sensors that are capable of monitoring physical or environmental conditions such as temperature, humidity, pressure, vibrations or light intensity. In addition, each node is equipped with a radio transceiver, an energy-efficient microcontroller, and an energy source, usually a battery. Due to energy constraints, the nodes are only capable of limited amount of computation and signal processing. Compared to a conventional approach that deploys a few expensive and sophisticated sensors, the WSN performs networked sensing using a large number of relatively unsophisticated and cheap sensors. We can summarize the advantages of the WSN approach as greater coverage, accuracy and reliability at a possibly lower cost [13]. 2.1 Applications The development of WSNs was originally motivated by military applications. As the predecessor of WSNs we can consider the Sound Surveillance System known as SOSUS. This network consisted from bottom mounted hydrophone arrays connected by undersea communication cables and was used for anti-submarine warfare during the cold war [25]. Military currently uses wireless sensor networks for instance for battlefield surveillance sensors could detect, classify and localize hostile forces 24-hours a day in all weather conditions. 4

10 2. WIRELESS SENSOR NETWORKS Nowadays the WSNs are used in many industrial, civilian, environmental and commercial areas. Most of the current WSN applications fall into one of the following classes [13]: Event Detection and Reporting Applications that fall into this class have a common characteristic: the occurrence of the events of interests is not regular. A WSN of such type is expected to be inactive most of the time and activates only when the event occurs. Typical applications of this class are intrusion detection systems or forest fire detection systems. Data Gathering and Periodic Reporting These applications are often used to monitor environmental conditions such as temperature, humidity or lighting. These applications usually periodically sense the environment and send measured values to a base stations. Sink-initiated Querying Application of this type, rather than periodically reporting its measurements, waits for a base station (sink) query. That enables the base station (sink) to extract information at a different resolution or granularity, from different regions of space. Tracking-based Application In many application areas we are interested in tracking the movements of some object. WSNs for this purpose combine some characteristics of the above three classes. For instance, when target is detected, the base station has to be notified promptly (event detection). Then, the base station may initiate queries to receive time-stamped location estimates of target, so it can calculate trajectory (sink-initiated query) and keep querying the appropriate set of sensors [13]. 2.2 Hardware Platforms There are many types of sensor node hardware platforms. The platforms differ from each other, but we can find several common denominators. First, it is a slow processor. With a few exceptions, contemporary sensor nodes contain a processor that operates on the frequency of order of megahertz. Second, it is a limited size of memory for the program and usually only few or tens kilobytes of RAM. Although Moore s law, that is also applicable to WSN, predicts that hardware for sensor networks will be smaller, cheaper, and more powerful, there always will be compromises: nodes will have to be faster or more energy-efficient, smaller or more capable, cheaper or more durable [7]. Recently we can see two trends: first, more powerful platforms such as IMote2 are introduced [33], and on the other hand we can see an effort to further miniaturization and price reduction [24]. Figure 2.2: Tmote Sky sensor mote [23] For the purposes of the work a present-day node was used Tmote Sky. The Tmote Sky has 8MHz Texas Instruments MSP430 F1611 microprocessor, and is equipped with 10kB RAM and 48kB of flash 5

11 2. WIRELESS SENSOR NETWORKS memory. This 16-bit RISC ultra low power processor features extremely low active and sleep current consumption. The processor is in a sleep mode most of the time in order to minimize power consumption [23]. The TMote platform features the Chipcon CC2420 radio, which is an IEEE compliant radio. The radio operates on the 2.4GHz unlicensed band and is capable of data rate of 250kbps [23]. The mote has integrated humidity, temperature and light sensors. This platform fully supports the TinyOS operating system. 2.3 Security Objectives In WSNs we would like to provide similar security mechanisms as in other types of (wireless) networks, such as [27]: Data Confidentiality: Sensor networks are often used for gathering sensitive data. We would like to ensure that the data is protected and will not leak outside of the sensor network. Data Authentication: We would like to have an opportunity to verify that received data really was sent by the claimed sender. Data Integrity: Data integrity property ensures that data has not been modified or altered by unauthorized party during transmission. Data Availability and Freshness: Sensor networks are often used to monitor time-sensitive data events, therefore it is crucial to ensure that the data provided by the network are fresh and available at all times. Graceful Degradation: We would like the sensor network mechanisms to be resilient to node compromise. When a small portion of nodes become compromised, the performance of network should degrade gracefully. In conventional computer networks, the message authentication, confidentiality, and integrity are usually achieved by end-to-end security mechanisms such as SSH or SSL. The reason is that in conventional networks end-to-end communication is the dominating traffic pattern [13]. By contrast, in sensor networks, many nodes are usually sending data to the single base station. In-network processing such as data aggregation, duplicate elimination, or data compression is very important to be run in an energy-efficient manner. To achieve efficient in-network processing, the internal nodes need to access, modify, and possibly suppress the contents of messages. For this reason, it is often not possible to use the end-to-end security mechanisms between a sensor node and a base station [13]. 2.4 Attacker model According to the [14], we can distinguish mote-class and laptop-class attackers. A mote-class attacker can have access to one or several sensor nodes with similar capabilities as other nodes in the network. Contrariwise, a laptop-class attacker has access to much more powerful devices, for example laptops, which may have more capable CPU, longer battery life or high-power radio transmitter. It allows him to perform some attacks that are hardly feasible for a mote-class attacker (such as wormhole attack, see 2.5). He can also perform some mote-class attacks much more effectively, for example a single attacker might be able to jam the whole network. 6

12 2. WIRELESS SENSOR NETWORKS Furthermore, attackers can be outsiders or insiders. An outsider attacker has no special access to a network. In contrast, an insider attacker can have access to cryptographic keys or other code used by network and is a part of the network. For example, the insider can be a compromised node or a laptopclass adversary who stole cryptographic keys, code, and data from the legitimate nodes [27]. We assume that the attacker can easily become an insider because the wireless networks are usually deployed in physically insecure environment and the adversary is easily able to capture nodes and then extract cryptographic primitives using the physical tampering [27]. Furthermore, we assume that the intruder can capture any node in the network, but generally only a limited number of them. 2.5 Possible Attacks There are many types of attacks on WSNs, which have been described in [27, 5], but we focused particularly on selective forwarding attacks. In the case of wormhole attack, an attacker establishes a tunnel between two nodes, usually using more powerful communication channel. Afterwards he is able to convince two nodes that they are neighbors or can offer a better route to a base station to the others. In the sinkhole attack, a malicious node tries to draw as much as possible traffic from the particular area by making itself look attractive with respect to the routing metric. As a result, the malicious node attracts all the traffic that is destined to a base station [15]. In the selective forwarding attack, a malicious node may refuse to forward some or all packets. This attack is most effective when the malicious node performs routing operations for a large part of the network, therefore this attack is often preceded by sinkhole or wormhole attacks in order to increase the malicious node attractiveness. 7

13 Chapter 3 TinyOS TinyOS is an open-source operating system designed for wireless embedded sensor networks [30]. It is a component-based, event-driven operating system, written in nesc programming language. The core of the operating system has a very small memory footprint and is expandable through various components. TinyOS has component library that includes frequently used components such as network protocols or sensor drivers. An application connects components that needs through wiring specifications. Thus we can compile the minimal-size operating system just with those components that applications really need. TinyOS is not the only operating system applicable in wireless sensor networks, there are several others such as SOS [3], Contiki [6] or MANTIS [2], but it is probably the most popular, particularly in the academic sphere. It has been adopted by thousands of developers worldwide and supports many platforms [4]. 3.1 Versions TinyOS 1.0 was released in September This first generation became very successful, but experience revealed some shortcomings in design. In particular, there were problems with reliability of larger applications that stem from the component composition and also porting applications to new platforms was very difficult. Because TinyOS was well established and major changes had to be done, it was decided to create a fresh start, rather than try to make changes in current mostly stable code. To avoid many problems that were in the first generation, TinyOS 2 have used a component hierarchy based on four design principles [19]: Telescoping Abstractions The abstractions are logically split across hardware devices and have a spectrum of fine-grayed layers. The highest layers are most simple and portable, while the lowest allow hardware specific optimizations. Partial Virtualization Some abstractions, usually the top layers of telescoping abstraction, are virtual or shared, while others, such as buses, are not. The virtualization simplifies application development. Static Binding and Allocation Every resource and service is bound at compile time and all allocation is static. This means that components allocate all of the state they might possibly need. Service Distributions A service distribution is a collection of components that are intended to work together, providing unified and coherent API. An application wires only to the service components, leaving internal components to ensure that underlying implementations work properly. 8

14 3. TINYOS The first stable version of TinyOS 2, which is also referred to as T2, was released in November When we refer to TinyOS in this work, we mean the second generation. 3.2 NesC NesC is a programming language designed to facilitate the structuring concepts and execution model of TinyOS. It is an extension of C which guarantees the code will be efficient on the target microcontrollers that are used in sensor networks [9]. NesC applications are built by writing and assembling components. The components are software units that consist of a specification and an implementation. The specification states which interfaces the component uses and which provides. In implementation, there is the logic behind the interfaces programmed. Interfaces define a bidirectional relationship between components [19]. To connect two components, first of them has to provide an interface while the second has to use it. The connection is called wiring. For example lets have two components ApplicationC and TimerC (see Figure 3.1). These components are connected (wired) through Timer interface. Figure 3.1: Example of Cooperating Components The interfaces contain commands and events. The component, which provides an interface, has to implement interface s commands and the component, which uses an interface, has to implement its events. In the example (see Figure 3.1), the Timer interface contains an fired event and a start command. TimerC provides the Timer interface, so it has to implement start command, ApplicationC uses the Timer interface, thus it has to implement fired event. The components then communicate between themselves by calling commands and signaling events. In our very simple example, the ApplicationC may call Timer.start in order to execute Timer.start command in TimerC and TimerC may signal Timer.fired to execute event Timer.fired implemented in ApplicationC. NesC also supports following features that are widely used in TinyOS: Generic components may be instantiated more than once and can take type types or constants as arguments. 9

15 3. TINYOS Tasks are pieces of code whose execution takes some significant time, but which are not timecritical. Posted tasks are executed later by the TinyOS scheduler when the processor is idle. Atomic sections are time-critical pieces of code. They are implemented by disabling interrupts, therefore they should be as short as possible. 3.3 TinyOS Architecture TinyOS is a component-based operating system. There is always a top-level configuration component 1. In this top-level component it is defined which components will be used. Usually it includes the MainC component, which is responsible for the hardware initialization and the boot sequence (see Section 3.3.1), and main application component. Besides these, the top-level component can also initialize needed service components, sensors, timers or radio abstractions and wire them to the application component. The components initialized at a top-level configuration are able to further initialize other components that they need, and there is always a path from the top-level component to any used component. This allows us to compile the minimal-size system only with components that have been referenced. configuration TopLevelComponentC{ } implementation{ components MainC, AppC; components new TimerMilliC() as Timer0; AppC > MainC.Boot AppC.Timer0 > Timer0; } Figure 3.2: Example of top level component For example (see Figure 3.3), let s have very simple top-level configuration component that defines three components to be used MainC, AppC and an instance of generic component TimerMilliC() that reffered as Timer0. Furthermore this configuration defines that AppC component should use Boot interface provided by MainC component and Timer0 interface provided by Timer Boot Sequence Compiled TinyOS is a binary program that is programmed into the mote. When programming is done, the mote is restarted. After the restart, the mote begins executing main() function, that is implemented in the RealMainP component. This component is responsible for performing TinyOS boot sequence. The system interface to the boot sequence is provided by the MainC component components that need to wire to the boot sequence should wire the MainC component. The standard boot sequence consists of five steps : 1. Configuration components are special components that are used to assemble other components together 10

16 3. TINYOS 1. Platform Bootstrap: First, the very low-level hardware initialization is performed, such as setting processor mode. On most platforms there is no low-level initialization needed and platform bootstrap is just an empty function. 2. Scheduler Initialization: The scheduler is initialized in order to provide applications with possibility to post their tasks. 3. Platform Init: Now TinyOS performs platform initializations that are specified in PlatformC component. These initializations must usually follow in a very specific order due to hidden hardware dependencies. After the platform init is done, the scheduler performs all tasks that could have been posted during the platform init. 4. Software Init: The software init is now on. This means that all components (applications) that are wired to the MainC.SoftwareInit perform their initialization function. At the end, the scheduler performs the posted tasks again. 5. Start Main Loop: Before the main loop is started, the system interrupts are enabled and the Boot.booted is signaled to the applications Concurrency There are two types of code in TinyOS, synchronous and asynchronous. The asynchronous code is initiated by the hardware interrupts and runs preemptively. It means that whenever an interrupt is caught, the current code execution is interrupted and interrupt handler instantly begins its execution. The interrupt can preempt tasks or other interrupts, but cannot preempt atomic section. The functions called by asynchronous code must be asynchronous as well. The only way that an asynchronous code can execute a synchronous function is to post a task. The synchronous code is only reachable from tasks. Because the tasks are not preempted by other tasks and run atomically with respect to each another, we can rely that no other task executes suddenly and modifies our data. Tasks are executed by the task scheduler. The task scheduler runs the posted tasks and switches processor to sleep mode when all tasks are done. The standard scheduler has nonpreemtive FIFO scheduling policy, but it can be replaced for custom one. In order to improve reliability, the scheduler has reserved slot for each possibly postable task. Thus the task queue can never overflow and task posting will fail if and only if the task has already been posted [31] Hardware Abstraction Architecture The hardware abstraction architecture (HAA) [10] is used in TinyOS to promote easy portability of applications over a dozen of platforms. The hardware abstraction functionality is organized in three distinct layers (see Figure 3.3). Each layer has defined responsibilities and is dependent on interfaces provided by lower layers the lower layers are specific for each platform and serve for handling with the underlying hardware. The hardware-independent top layer is then directly used by applications. Hardware Presentation Layer The components in this layer are positioned directly over the HW interface. They access hardware by memory or by port mapped I/O and contrariwise hardware can request servicing by signaling an interrupt. The components in this layer hide the most hardware-dependent code and provide more usable interface simple functions calls for the rest of the system. On the other hand components in this layer are stateless and do 11

17 3. TINYOS Figure 3.3: Hardware Abstraction Architecture [10] not provide any substantial abstraction over the hardware beyond automating frequently used command sentences [10]. Hardware Abstraction Layer The components in abstraction layer use the interfaces provided by HPL components. They try to build useful abstractions hiding the complexity associated with the use of hardware resources. In contrast to HPL they are allowed to maintain state so they can be used for performing arbitration and resource control. Abstractions at the HAL level are tailored to the concrete device class and platform. To maintain the effective use of resources, HAL interfaces are rich and expose the specific hardware features [10]. Hardware Independent Layer The highest tier of HAA takes the platform specific abstractions provided by HAL and convert them to hardware independent interfaces. These interfaces can be used by cross-platform applications [10]. 12

18 Chapter 4 Intrusion Detection Systems It has become clear that we cannot achieve the satisfactory level of security only by using cryptographic techniques as these techniques fall prey to insider attacks in which the attacker has compromised and retrieved the cryptographic material of a number of nodes [15]. In order to counter this threat some additional techniques such as intrusion detection system has to be deployed. Intrusion detection system (IDS) is defined as a system that tries to detect and alert on attempted intrusions into a system or network [11]. IDS is composed of IDS agents that runs on some or all nodes. The IDS solutions developed for ad-hoc networks cannot be applied directly to sensor networks because the WSN has several specificities. In particular, the computing and energy resources are more constrained on WSN, thus there is not possible to have an active full-powered agent inside of every node. Also, the IDS must be simple and highly specialized to the specific WSN s protocols and threats [26]. 4.1 IDS Classification There are three basic approaches in intrusion detection systems according to the used detection techniques [12]. Misuse detection technique compares the observed behavior with known attack patterns (signatures). Action patterns that may pose a security threat have to be defined and stored in the system. The advantage of this technique is that it can accurately and efficiently detect instances of known attacks, but it lacks an ability to detect an unknown type of attack. Anomaly detection The detection is based on monitoring changes in behavior, rather than searching for some known attack signatures. Before the anomaly detection based system is deployed, it usually must be taught to recognize normal system activity (usually by automated training). The system then watches for activities that differ from the learned behavior by a statistically significant amount. The main disadvantage of this type of system is high false positive rate. The system also assumes that there are no intruders during the learning phase. Specification based The third technique is similar to anomaly detection it is also based on deviations from normal behavior, but the normal behavior is specified manually as a set of system constraints. Thus there is no learning phase which is particularly difficult in WSNs. Furthermore, we can divide WSN s networks into three categories according to IDS topology. Stand-alone Each node operates an independent IDS agent that is responsible for detecting attacks. Individual agents do not cooperate with others and do not share any information. The advantage of this approach is its simplicity and the fact that an attacker is not able to forge any misinformation because nodes don t rely on others. 13

19 4. INTRUSION DETECTION SYSTEMS Cooperative Each node still runs its own IDS, but the individual IDSs cooperate between themselves. Generally the main challenge of this approach is the question of how to deal with compromitted neighbors. We don t want malicious node to be able to confuse others with some misinformation. In [16], the authors presented the voting algorithm which is based on the presumption that an attacker is not able to outnumber the legitimate nodes. The solution requires establishing of key management in order to achieve votes authentication. Hierarchical The network is divided into clusters with cluster head nodes. The cluster head has the responsibility for communication with other cluster heads or base stations. The cluster heads can be more powerful or less energy constrained devices than the other nodes. The IDS then only runs on the cluster head node. 4.2 Watchdog Monitoring Watchdog monitoring technique [21, 26] is the way how to detect misbehaving nodes. It is based on the broadcast concept of communication in sensor networks, where each node hears the communication of surrounding nodes even if it is not intended. This technique depends on sufficient density of deployed nodes. In case of wireless sensor networks the density of deployed sensors is usually high enough because of the requirements for graceful degradation the network must continue to work even if a small portion of nodes fails. A B C Figure 4.1: Possible watchdogs Suppose that node A wants to send a message to node C which is outside of its radio range. So it sends this message to the intermediate node B and node B forwards it to node C (see Figure 4.1). Let S A be a set of all nodes that hear the message from A to B and S B be a set of nodes that hear a message from B to C. We can define a set of possible watchdogs of the node B as an intersection of S A and S B. This means that any node that lies in the intersection region is able to hear both messages and is able to decide whether node B forwards messages from node A. 14

20 4. INTRUSION DETECTION SYSTEMS Regular Collisions When two nodes that are close to each other transmit packets at the same time, they will cause a collision. In result, the signals from both nodes interfere and none of these packets is successfully received. In order to avoid this collisions, wireless sensor networks often follow Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) protocol for Media Access Control (MAC). Following this protocol, a node listens to a traffic on medium before trying to send own packet. Thus if two nodes that are close enough want to send packet at the same time, the CSMA algorithm will prevent the one, who wants to start sending little bit later, to send it. The collision occurs only when both nodes begin transmit exactly at the same time Ambiguous Collisions Let the node D be the watchdog for the node B (see Figure 4.2). The ambiguous collision [21] occurs at the node D when the node B transmits a packet at the same time as the node E. The nodes B and E are far apart enough to be able to send packets at the same time. This means that the node B considers channel to be clear (the radio signal is below its clear channel threshold) despite the node E is transmitting a packet and vice versa the node E considers the channel to be free although the node B is transmitting. As a result, the node D (that is between them) do not hear any of these packets, because the signals interfere. E F D A B C Figure 4.2: Abmiguous collision Particularly the node D do not hear packet that has been forwarded and it may suspect the node B that performs a selective forwarding attack. Therefore the node D cannot decide whether the node B is misbehaving or not on the basis of a single observation. We can distinguish two types of ambiguous collisions: At first, there are collisions where both signals (on Figure 4.2 from the node B and the node E) are similarly strong, and when they occur, the watchdog is unable to receive even one packet due to radio interference. We can hardly fight against this type of collision. At second, there are collisions where the signal from the first node (B) is much stronger than the signal from the second one (E). If the first node (B) begins transmitting first, the watchdog successfully captures the beginning bytes of the packet frame and starts receiving. It successfully receives the whole packet although the second node (D) interferes it during the transmission, 15

21 4. INTRUSION DETECTION SYSTEMS because the signal-to-noise 1 ratio is high enough during the whole transmission. On the other hand, when the second node (E) starts transmitting first, the watchdog begins receiving its packet. Then a stronger signal from the first node (B) interferes with the second one (E) and causes that signal-to-noise ratio becomes too low for successful reception. As a result, the watchdog (D) does not receive the packet from second node (E) due to radio interference and neither does not receive the packet from first node (B), because it did not capture the beginning bytes of the packet frame. The number of ambiguous collisions in network exponentionally grows with a number of packets that are transmitted in network. That makes the watchdog technique unreliable in networks with more traffic. We can never completely avoid ambiguous collisions, but we can try to reduce the occurence of ambiguous collisions of second type. We have proposed a novel technique that is based on suppressing weak signals. Suppressing Weak Signals Let the node D be the watchdog for node B (see 4.3). The node B forwards traffic from the node A and from the node G. The node E sends messages very often 2 to node F. Although the node E is very far from node D, it often causes ambiguous collisions with node B and prevent the node D from eavesdropping on the node B. E F D A B C G Figure 4.3: Suppressing weak signals Thus considering that watchdog monitors the node with strong signal, we could improve the probability of successful eavesdropping on the target node by suppressing weak signals coming from distant nodes. In we show that we can achieve suppressing weak signals on CC2420 chip by lowering the receiver sensitivity on the watchdog (D) node. Then the watchdog node (D) does not detect the beginning of the packet frame from distant nodes (E) and thus they do not block packets from closer nodes (B). To detect selective forwarding attack on node B, the watchdog node D needs to hear both incoming and outgoing packets to this node. The negative effect of this technique is that by lowering the receiver sensitivity we may also inadvertently supress incoming packets to the node B (for example from the node G, see Figure 4.3). 1. We consider the weaker signal to be part of the noise 2. This can easily occur when the node F forwards a messages from a large part of network. 16

22 4. INTRUSION DETECTION SYSTEMS Early Packet Dropping We could also limit the occurrence of ambiguous collisions of the second type by early dropping the packets from the nodes we don t want to monitor. On CC2420 we could achive early dropping packets by enabling hardware address recognition. When hardware address recognition is enabled, the node rejects the packet that does not match its address immediately after reading the address header. Thus the node does not have to receive the whole packet. Unfortunately, CC2420 cannot be configured to have more than one hardware address. Therefore we would have to change the watchdog hardware address to be the same as the address of the monitored node Partial Dropping A malicious node can also circumvent watchdog by dropping packets at lower rate than watchdog s configured minimum misbehaving threshold. We cannot set the minimum misbehaving threshold too low because due to ambiguous collisions the watchdog never hears all messages and false alarms would be raised too often Receiver Collisions In the receiver collision problem, node B forwards a packet, but the watchdog node D 1 is not able to verify whether node C successfully received it or not (see Figure 4.4). When B is malicious, it can delay forwarding the packet until C is transmitting, and purposefully cause a collision [21]. We can try to detect this type of attack by monitoring the forwarding delays that are introduced by the malicious node. The malicious node may know when C starts transmitting but usually it has to wait until it happens. Unfortunately, the forwarding delays may be also caused by other factors, such as a local CSMA collision. Generally, by this attack, the attacker can only confuse a subset of all possible watchdogs, particularly he cannot confuse watchdogs that are close to node C (the node D 2 ). D1 D2 A B C Figure 4.4: Receiver collisions Limiting The Transmission Power A malicious node can control the transmission power in order to confuse the watchdog (see Figure 4.5). The malicious node B can lower the transmitting power such that the signal is strong enough to be heard by watchdog D 1, but too weak to be successfully received by the target node (C). 17

23 4. INTRUSION DETECTION SYSTEMS The countermeasures against this type of attacks are relatively simple. First, we can monitor the signal strength and compare it with the average signal strength of messages from this node. Moreover, the attacker never knows who is the watchdog he doesn t know how much he must lower the transmission power (He doesn t know if the watchdog is the node D 1 or the node D 2. D2 D1 A B C Figure 4.5: Limiting transmission power 18

24 Chapter 5 Radio Stack The essential prerequisite for an implementation of an efficient intrusion detection system is to fully understood how a network communication works. In this chapter, we will describe in detail the radio stack from the highest to the lowest layers. In particular, we will focus on time delays introduced by individual layers. Figure 5.1: Radio Stack We will also compare the implementations of radio stack on the TMote Sky sensor nodes [23] and on the TOSSIM simulator [32], we will point out the differences between them and show that the current simulator implementation is not sufficiently precise for the purposes of accurate simulation of IDS that uses a watchdog monitoring technique. We can split the radio stack into three parts (see 5.1): we will consider the network protocol to be the first one in the work we will consider Collection Tree Protocol (CTP) [8], the second part will be Active Message Layer, and the third and the lowest part, the platform dependent implementation of the radio stack. Generally, the applications can be wired directly to Active Message Layer that only allows them to broadcast messages to their neighbors. The network protocol usually incorporates an advanced network logic such as multi-hop delivery or routing support. In this work we assume that the applications use Collection Tree Protocol [8]. 5.1 Collection Tree Protocol The Collection Tree Protocol (CTP) is now probably the most common network protocol in TinyOS. It is used in an environment where one needs to collect data from a large number of nodes to one or more base stations. CTP builds one or more collection trees, which are rooted at the base stations. Each node picks a neighbor node to be its parent and in this way they form a tree. Whenever a node wants to send a message to the base station, it simply sends it to its parent. The CTP packet is shown in Figure 5.2. Together, the origin, seqno, collect_id, and THL fields denote a unique packet instance within the network [8]. 19

25 5. RADIO STACK P C THL ETX origin seqno collect_id data Figure 5.2: CTP Packet, P - routing pull bit, C congestion bit, THL time has lived, also referred as hop counter, ETX ETX of last transmitter (see Routing Engine), origin originating adress of the packet, seqno origin sequence number, collect_id specific application id The inner nodes serve as forwarders. When they receive a message from descendants, they just increment the message hop counter and forward the message towards the root of the tree. CTP is best suitable for relatively low traffic rates. For bandwidth-limited systems or high rate applications it is better to deploy a more sophisticated protocol, which can perform an aggregation function and pack multiple small frames into a single packet [8]. Moreover CTP provides sufficiently elaborated congestion control, when node becomes congested it just set congestion bit in outgoing packets. The major CTP components are: Collection Sender: The collection sender is a virtualized sender abstraction. An application that intends to send packets using the CTP has to explicitly wire to this component. The wiring is parametrized by collect_id, which then can be used to identify packets originated at this application. Link Estimator: CTP uses the link expected transmissions (ETX) value to assess the link quality. The link ETX is computed by LinkEstimator component, and should represent the expected number of transmissions needed to successfully deliver packet by the specific link. Current implementation of LinkEstimator derives the link ETX from the number of lost beacon packets. Routing Engine: The CTP routing engine uses the ETX value as a routing metric. The node s ETX represents the expected number of transmissions that would have to be done to deliver a packet to the root if we used this node as our parent. The root ETX is defined as 0. The routing engine computes the node s ETX for each neighbor as a sum of the neighbor s ETX and the assessment of the link quality to this neighbor (link ETX). The tree is proactively maintained by periodic beacons sent by the nodes. The beacon contains the node s parent, current hop count and its ETX value. Beacons are transmitted periodically with a random jitter every seconds as a messages of AM type 0x70 [8]. Each node keeps the best candidates for its parents the nodes with the best ETX in its routing neighbor table and updates this table every time a beacon is received. Before the node sends its beacon packet, it reselects its parent. CTP avoids changing the network topology unless it is necessary, therefore a new parent is picked only when the new parent has much better ETX then the current one (it has to have ETX better by PARENT_SWITCH_THRESHOLD, by default it is 15) or when the current parent is congested and the new parent s ETX is at least as good as the current one. The last condition is worth emphasizing, CTP never allow to choose worse new parent. On the one hand it prevents node of selecting new parent that is descendant of the current congested one (the current parent would have to forward this packet after next hop), on the other hand this leads to 20

26 5. RADIO STACK Forwarding Engine: The forwarding engine is responsible for the forwarding traffic as well as the traffic generated on the node. It maintains the send queue of pending packets and schedules their transmitting. The forwarding engine is also responsible for detecting routing loops. Packets in the send queue are sent out in FIFO order. The forwarding engine does not distinguish between packets, the packets generated on the node are treated identically as packet being forwarded. When the forwarding engine wants to send a packet, it takes the first packet from the send queue and sends it to the parent. It does not remove the packet from the queue. If the link layer supports packet acknowledgments, the forwarding engine enables them, and retransmits the packet that has not been acked for maximum MAX_RETRIES times (default is 30 times) and drop packet only after all these attempts fail. This feature significantly improves delivery reliability. The packet is dequeued from the send queue only after the sending has been successful or when all transmission retries have been exhausted. The forwarding engine controls the transmission scheduling. When the forwarding engine receives a packet to forward, and the send queue is empty, and there is no any previous transmit back-off scheduled, the packet is sent out immediately. When the packet is successfully delivered (has been acked), the forwarding engine starts the back-off timer and does not allow to send next packet for milliseconds. If the previous transmission wasn t successful and the packet was not acked, the forwarding engine waits for 8 15 milliseconds and then tries to retransmit. 5.2 Active Message Layer The active message layer is the basic network HIL. Each platform must provide the ActiveMessageC component. Active message communication is virtualized through four components AMReceiverC, AMSnooperC, AMSnoopingReceiverC, and AMSenderC. These components are generic and each of them takes an active message ID (AM type) as a parameter. The parameter distinguishes different applications (usually each application has a unique AM type), and allows applications to communicate on separate channels. Figure 5.3: Application Wiring Example For example, lets have two application (see Figure 5.3). First application wires to AMReceiverC and AMSenderC and parametrizes these wirings with value of 0x01. Thus messages from this application will be sent out with AM type of 0x01 and messages coming from network with AM type of 0x01 will be 21

27 5. RADIO STACK forwarded to this application. Similarly messages from the second application will have AM type of 0x02 and Active Message Layer will forward incoming messages with AM type of 0x02 to this application. There are three reception abstractions: 1) AMReceiverC is signaled when received messages is destined to this node, 2) AMSnooperC is signaled when received is signaled to other node in network, 3) AMSnoopingReceiverC, that is signaled every time a message is received. Applications wire only to abstractions that they needs, in our example the Application 1 wires only to AMReceiverC because it does not need snooping messages destined to other nodes. The AMSenderC is an abstraction for sending messages out. Each application that wires to this abstraction has reserved slot in the sending queue implemented in AMQueueP. The AMQueueP component implements the sending queue and is responsible for the exact order in which outgoing messages are serviced. By default, it goes in the round-robin fashion through messages from the AMSenderC clients and forwards them to the underlying layer. AMPacket Although it is not defined how the Active Message Packet should exactly be formatted (each hardware dependent implementations internally uses diferent format), each ActiveMessageC component has to provide AMPacket interface. Using these interface we can access Active Message Packet headers. There are following headers: 1) destination that defines the destination node, 2) source states source node of this message, 3) AMType states message Active Message type, 4) group refers to logical network identifier (there may exist a logical subnets in WSN, where nodes communicate only with nodes in the same subnet) [18]. 5.3 Hardware Dependent Radio Stack on TMote Sky The TMote Sky sensor node is based on the TMote platform. In the TMote platform, the Chipcon CC2420 chip for radio communication is used [23]. The CC2420 is a 2.4 GHz IEEE compliant RF transceiver. It was designed for low-power and low-voltage wireless applications [1]. The CC2420 radio stack is organized in several layers: Active Message Layer On the TMote platform, the Active Message Layer is provided by CC2420ActiveMessageP component. When sending a message, some details are filled in the packet header within this layer (packet type, destination address, packet source and destination pan group address) and the packet is passed down onto the stack. When receiving a message, this layer decides if the message is destined for the node and signals it to the corresponding ReceiverC or SnooperC component. Unique Send/Receive Layer When sending a message, this layer supplies each outgoing message with a unique data sequence number (dsn). The layer keeps an internal counter that increments by one for each packet and writes it into dst byte in the packet header. The data sequence numbering is utilized during packet receiving. The layer keeps the history of the data sequence numbers of the last RECEIVE_HISTORY_SIZE received messages. If the newly received message matches a message in a recent history, it is dropped. This layer ensures that higher layers never hear a single message twice. Particularly in the context of watchdog monitoring, the watchdog never hears a packet that is being retransmitted because it was not delivered on the first try. 22