Secure Routing in Wireless Sensor Neworks

Transcription

1 Secure Routing in Wireless Sensor Neworks Authored By (Alphabetically): Ahmed Waliullah Kazi Jianhua Xu Kristov Widak Stony Brook University Department of Computer Science NY, USA May 2009

2 Table of Contents Introduction... 3 Framework for Scrutinizing Secure Routing Protocols... 3 Network Assumption... 3 Trust Requirements... 4 Threat Models... 4 Attacks... 4 Secure Routing Protocols... 7 SIGF A Family of Configurable, Secure Routing Protocols for Wireless Sensor Networks... 7 Support for In-Network Processing in Wireless Sensor Networks... 9 A Practical Secure Neighbor Verification Protocol for Wireless Sensor Networks INSENS: Intrusion-Tolerant Routing in Wireless Sensor Networks Conclusion Bibliography... 15

3 1. Introduction Wireless sensor networks (WSNs) comprise of motes interacting with the physical environment and collaborate among each other to provide data to the end-users. These motes are small devices that have limited processing, communication and memory. They are placed in the environment for long periods without any user assistance, hence, they are constrained by the amount of available energy too. Hence, all the operations in the WSNs need to be energy efficient. This technology has a lot of potential in the areas of military, health, environmental monitoring etc. However, one the major obstacle towards realizing the goal of widespread usage of WSNs is security. Security is a difficult problem in networks let alone in wireless networks. As WSNs are a classification of wireless networks, therefore, most of the attacks that are applicable on wireless networks tend to apply on WSNs. However, as WSNs have certain distant characteristics, mainly scarce resources and limited energy supply, the solutions that seem to be viable on wireless networks cannot work on the WSNs. Further, two new additional attacks, namely, HELLO floods and Sinkhole attacks (Karlof & Wagner, 2003), are only applicable on WSNs. The authors in this paper proposed a framework to analyze routing protocols in WSNs. The paper described the security vulnerabilities of prominent routing protocols of the time. We intend to extend the same idea with the focus of our study is to exploit the vulnerabilities of the different secure routing protocols for wireless sensor networks using the same framework. This study will help people decide on which protocols to choose and a methodology on how to choose them by scrutinizing them in the similar way. Our focus will be more on the different attacks that the protocols can sustain in various different scenarios rather than proposing comprehensive countermeasures for them. Nevertheless, we will mention some countermeasures to the possible attacks discussed. The report is organized in the following manner. The next section briefly summarizes the framework used to scrutinize the protocols. The remaining portion of the report analyzes 5-6 protocols individually. Finally, a conclusion is provided at the end which summarizes the report. 2. Framework for Scrutinizing Secure Routing Protocols In this section, we describe the framework used by Karlof et al in In the framework, the authors considered network assumptions that are valid in normal WSN scenarios. They breakdown the threat model into distinct categories: Type of attacker; type of machine used for attack. They identify the attacks that they would consider against the protocols. Lastly, they suggest possible countermeasures against these attacks. The details of the framework are as follows: 2.1. Network Assumption The radio links in the WSNs are insecure. Hence, the attackers can eavesdrop on all radio transmissions and replay previously overheard packets. They can inject bits in the channel and

4 jam the radio links. As the WSNs are most likely in the open, the attackers can place their own nodes with similar capabilities as legitimate nodes. Moreover, most WSNs do not have tamperresistant nodes, hence, the attackers can physically access a few nodes and compromise them. Malicious nodes deployed can collude among themselves to compromise the network. Moreover, these nodes can have hidden channels for collusion which is not accessible by legitimate nodes Trust Requirements WSNs have base station and aggregation nodes. In the framework, the base stations are assumed to be 100% secure and cannot be compromised. If they are compromised then in essence the entire network is compromised. However, as the aggregation nodes can be normal nodes in the network, hence, they may be compromised Threat Models Inside and Outside Attackers The inside attackers will have compromised nodes in the network that are running malicious code. These attackers can have access to the key information, code running and data in the network. On the other hand, an outside attacker does not have any such access to the network Mote-class Attacker and Laptop-class Attacker The mote-class attackers will have a similar hardware to the one running on the WSNs. Hence, they have the same limitations as the nodes in the WSNs. However, the laptopclass attackers have much powerful machines with much greater resources such as battery power, transmission power which helps eavesdrop over a larger area and overpower the transmission of motes, better CPU, high bandwidth connection and low latency connections Attacks In WSNs, the attacker mainly has two objectives: To access the data as it might be of great value as would be the case in a military application; to disrupt the service this network is providing by depleting of the energy of all the nodes. Here we outline the different types of possible attacks on the WSNS: Spoofed/Altered/Replayed routing information These are used to create routing loops, redirect network traffic away from or toward certain nodes (usually toward compromised nodes), extend or shorten source routes (usually to accomplish the previous goal), generate false error messages, partition the network and increase latency among other things Selective Forwarding In the literature, this attack is also known as black-hole attack. The malicious nodes drop all/some packets that they receive. A protocol is highly susceptible to this attack if it cannot detect: selective forwarding is occurring somewhere in the network and it is not

5 just typical data loss; a particular node is forwarding selectively and thus can be identified as malicious. A more complex form of this attack is when a malicious node can emulate selective forwarding by eavesdropping and then selectively jamming the transmission of particular packets, effectively forcing other nodes who are not colluding to selectively forward. This style of forcing participation can make it quite difficult to isolate which node is the malicious one. However, this is mechanically tricky, so the classical form of selective forwarding in which the attacker is included on the data path is more common. A possible countermeasure against this type of attack is to use multiple paths to transmit the data to reduce the chances of having the malicious node in the data path Sinkhole Attack The objective of the attackers is attracting all the traffic in the neighborhood through the malicious node. This can be made possible when a malicious node broadcasts information that makes it an attractive choice for next-hop choice to other nodes. This information can be such as; it has least number of hops to the base station, it has a lot of battery life (energy) and low latency links to the base station. All the nodes hear such a broadcast message select this malicious node as their choice for next-hop. Hence, this creates a ripple effect across the network to the other nodes in the neighborhood and most of the nodes start using this along their path to the base station. This is how a sinkhole attack is created as all the traffic gets directed through his node which is similar to a sink (base station). In figure 1, we see two malicious nodes which are laptop-class machines. The nodes in neighborhood of the malicious named 2 are under a sinkhole attack in which all the traffic is directed through the malicious node. This is due the fact that is has advertized that is just two hops away from the base station as it will send the packets to the malicious node 1 which is one-hop from the base station. In this case, the sinkhole attack is launched with a wormhole attack. 1 2 Figure 1: Wormhole and Sinkhole Attack (Karlof & Wagner, 2003) Worm Holes

6 In this attack, the attackers use laptop-class machines to tunnel packets from one part of the WSN to another part over a low latency link. In figure 1, we can see a wormhole attack with two malicious nodes 1 and 2 are exchanging packets on an out-of-bound channel. Wormhole attacks can used to create sinkholes as explained in the previous section. Moreover, the nodes use wormholes to understate their distance to the base station HELLO Floods In this type of attack asymmetric links are formed on the legitimate nodes. The attackers use laptop-class machines to transmit HELLO messages with high transmission power that will be heard across a large area of the network. The legitimate nodes will consider that this HELLO transmission was from a neighboring node which is one-hop away and close to the base station. Therefore, they will choose that as their next-hop node. However, when they actually send the packet it will not be received by the malicious node as it will not be transmitted with the same power. Hence, the nodes will continue to use this malicious node as next-hop and waste its energy. In figure 2, we have a malicious node which broadcasts the HELLO message which is received by all nodes, however, some nodes further away cannot reach it creating a asymmetric link. A simple countermeasure to this type of attack is to check for bi-directionality of each link that is used for transmission. Figure 2: HELLO Flood Attack (Karlof & Wagner, 2003) Sybil Attack In the Sybil attacks, the attackers create multiple identities (imaginary nodes) which may not exist. The attackers basically perform all the operations (participating in the protocols message passing) on behalf of these imaginary nodes and to the other nodes they seem to be real. By using these attacks, confusion can be creating in routing of the network. Geographical routing protocols are highly susceptible to these attacks as they use coordinates to route packets. The attacker can create multiple nodes with false coordinates which do not exist but will be used by the legitimate nodes to route the packets. When an imaginary node is selected as the next-hop, in essence, the message is actually based to the malicious node that has created this imaginary node. A countermeasure to this attack will be that each node has a symmetric key with the base

7 station for communication. Needham-Schroeder (reference) or similar protocol can then verify identity so that attackers on compromised nodes can only use the identities of those compromised nodes and no outside attacker can create multiple identities. 3. Secure Routing Protocols 3.1. SIFG: A Family of Configurable, Secure Routing Protocols for Wireless Sensor Networks (Wood, Fang, Stankovic, & He, 2006) This paper was published in 2006 at ACM Workshop on Security of Ad Hoc and Sensor Networks. It received the best paper award. We will outline the summary and the possible attacks against it within the framework discussed in the previous sections Summary Most secure routing protocols do not give details of the efficiency of the protocols in terms of energy. This protocol is a bit different as it does address the issue of energy efficiency of the entire network, however, it does not delve into the details. The philosophy of the protocol is quite simple. A protocol with no security measures requires less energy as it will not have to perform overhead communication and computation which are required by protocols that try to deal with most possible attacks. The authors propose a technique in which the WSN can switch between the proposed routing protocols based on the state of the network. Each routing protocol offers different levels of security. Moreover, the WSN is not always under attack so it can run the most basic routing protocol which consumes the least amount of resources to conserve energy. The configurable, secure routing protocols are built using a layering approach with Implicit Geographical Forwarding (IGF) being the base protocol that merges the MAC layer handshaking (ORTS and CTS messages) and routing into one layer. IGF determines the best forwarding candidate during the MAC layer handshaking which is independent of network topology. IGF offers no measures against any attack. SIFG-0 is the first configurable, secure routing protocol which is an extension over IGF. In SIFG-0, the sender does not have to choose the next-hop based on the first CTS reply message from a node like in IGF but rather from a group of nodes that have send the CTS reply message within a time period based on some probabilistic measure. SIFG-1 is an extension over SIGF-0 that stores some state information at a node pertaining to the reputation of the other neighboring nodes in the network. It is note that this information is solely computed by the node and is not transmitted in the network. Further, the decision to choose the next-hop depends on the reputation of the node. SIG-2 is an extension over SIGF-1 which supports encrypting the ORTS, CTS and data messages. Moreover, it also supports sequence number of messages to help differentiate between old and new messages Possible Attacks Inside/Outside Attacks: In case of SIGF-0 and SIGF-1, both inside and outside attacks are equally possible as no encryption is used. However, SIFG-2 provides encryption for

8 messages and data packets, hence, it does protect against outside attacks. Nevertheless, SIGF-2 is similar to SIGF-1 if there is an inside attack as in this case all the shared keys are known to the attacker. Spoofed/Altered/Replayed routing information: SIGF-0: The attackers can replay the old ORTS and CTS messages and create confusion in the network. For example, the old ORTS message captured by a malicious node can cause other nodes to reply to it unnecessarily. SIGF-1: Same as above. It has no protection against such an attack. SIFG-2: The ORTS and CTS messages are given sequence numbers, hence, now, it is possible to differentiate between old and new messages. Hence, a malicious node cannot simply replay and old message to confuse the other nodes to replying unnecessarily. Selective Forwarding Attack: SIGF-0: It primarily resolves the most trivial attack against IFG which is when the attacker sends the first CTS reply message to an ORTS send by the source. Hence, SIGF-0 deters the chances of falling to a simple selective forwarding attack. SIGF-1: It considers the node reputation and probabilistic measures (SIFG-0) to select the best candidate for forwarding the packets. It further reduces the chance of selecting a malicious node for the next-hop. SIGF-2: It operates in a similar fashion to SIGF-1 to deal with this type of attack. Sinkhole Attack: This type of attacks is almost not possible against these protocols. The main reason is that there is no way to create an attractive malicious node. Further, even if one is created the chances of it being selected each time is not trivial. Further, even though the attackers can use jamming to effect the reputation of other nodes and in effect increase their own but again this type of attack is not trivial too. Wormhole Attack: This type of attack is possible using a laptop-class attacker. However, as with Sinkhole attacks, in this attack which take advantage of transmitting over larger area to attract other nodes to use them as favorable forwarding candidates does not work well. The main reason is that the nodes are selected based on a probabilistic measure along with node reputation and not on other metrics such as transmission power. However, as in Sinkhole attacks, we can use jamming, but again it is not a trivial technique. HELLO Flood Attack: This attack is not at all possible against these protocols. HELLO floods tend to create asymmetric links in the routing tables of the legitimate nodes. In these protocols, we do not forward based on the routing tables but each time we use probabilistic measures and reputation neighboring nodes. Hence, HELLO flood attacks are in a network running these protocols.

9 Sybil Attack: This attack is the most logical choice for an attacker against these protocols. Normally, a Sybil attack will be followed by Selective forwarding or wormhole attack. SIGF-0: As SIFG-0 chooses the forwarding candidates based on probabilistic measures so an attacker can increase its chances of being selected by creating imaginary nodes so that the chances of the malicious nodes to be selected increases. SIGF-1: Since, SIFG-1 selects nodes based on reputation and probabilistic measures, hence, it further reduces the chances of malicious node to be selected. Further, even if it is selected overtime its behavior will decrease its reputation and it will not be selected anymore. SIGF-2: It is uses the functionality of SIGF-1 and does not build anything more to deal with these attacks Security Support for In-Network Processing in Wireless Sensor Networks (Deng, Han, & Mishra, 2003) Summary The notion of aggregation is from the inception of WSNs. As the data collected it redundant, therefore, to have certain nodes to aggregate this information which cost a little in terms of computational power but saves a lot of transmission power. The nodes that assist in aggregation are called Aggregation points (APs). The APs are a crucial component of WSNs and are prone to attacks. In this paper, the authors propose a secure mechanism which is used between the interaction of APs and sensor nodes in both directions. The base station is assumed to be trusted and cannot be compromised. Moreover, sensor nodes do not trust APs so they want to leverage base station as a 3 rd party. The security mechanism proposed in this paper is: Delegation of authorization; Lightweight shared secret key establishment; Efficient secure broadcast in group which we will not discuss as it is not required for our study. The base station sends commands to the sensor nodes through the APs. The sensor nodes must be able to tell between authentic commands from APs and forged commands from malicious nodes. The delegation of authorization lets the base station to briefly delegate authority to the APs which loosely authenticate to sensor nodes when sending commands. The base station use One-way Hash Chains (OHC) and here is detail of this process: 1. OHC is a sequence of numbers: Kn, Kn-1,..., K0 st: forall j : 0 < j <= n : Kj-1 = F(Kj) i.e. we compute some Kn, then Kn-1 = F(Kn), Kn-2 = F(F(Kn)).. 2. Base station computes separate OHC s where OHCi : O^i_m, O^i_m-1,..., O^i_0 for each sensor group SGi. 3. Base station sends O^i_m to APs of SG_i, and O^i_0 to all sensor nodes of SGi. 4. AP, namely, APi can use OHCi to loosely authenticate itself in the commands it sends to group members. For example, for any kth packet sent by APi, O^i_k is included. The receiving sensor node authenticates source of packet by verifying that F^k(O^i_k) = O^i_0 where F^k is applying the function F k times. This

10 verification guarantees that APi must have generated O^i_k in that packet. Moreover, F^-1 is infeasible as no other node in the group can determine the next number in OHC_i. 5. utesla used to send out O^i_0 to all sensor nodes The advantages of using this approach are that if an attacker wanted to spoof the next packet it would have to know O^i_2, but F(O^i_2) = O^i_1 i.e. attacker would have to compute F^-1(O^i_1) which is not possible. If APs is compromised, it can only affect its subgroup since it can't predict other hash chains. Each hash chain has a finite length, thus authorization is only delegated for m messages for a hash chain of length m. The delegation by authority is a security mechanism for communication from base station to sensor nodes through the APs. The lightweight shared secret key establishment mechanism is used to authenticate that the sensor node sending the message to the APs is a member of the group. All the sensor nodes and APs are preconfigured with a shared key with the base station only. The base station creates pair-wise keys for each sensor node and its associated AP using the shared keys and a random nonce. Here are the properties of this function G (Pair-wise K s, r, number): 1. Given G() and r, cannot compute G(Ks, r) without Ks. Hence, cannot forge ciphertext without key 2. Given G(Ks, r0),..., G(Ks, ri) cannot compute G(Ks, rj) wthout rj. Hence, eavesdropper cannot predict future values from past ones 3. Given G(Ks, r0,..., G(Ks, ri) cannot compute Ks. Hence, eavesdropper cannot break key from ciphertexts. To summarize and collect all these operation, here how the entire solution operates: 1. Round 1: Base station discovers topology and does some initialization 2. Round 2: Base station securely broadcasts group id and AP id to all the groups using utesla 3. Round 3: Base station sends unicast to each AP indicating topology of its group and delegate trust for limited time meaning sending the OWCi 4. Round 4: Each AP sends unicast to each sensor node in the group to establish keys and forwarding tables for in-network processing Possible Attacks Outside Attacks: Routing topology is decided upon initialization, so outsiders must join the topology later as a fake sensor node or fake aggregator of fake or nonexistent sensor nodes. The paper does not prescribe how to handle routing but provides some primitives that could be used to increase security of routing against outsider attacks. Moreover, outside attacks are not possible as these nodes will require preconfigured keys. Hence, the following discussion is related to inside attacks unless stated otherwise.

11 Selective Forwarding Attack: AP Compromised: The compromised APs can selectively forward data to sensor nodes, but only within its own group; not necessarily detectable by base station. The sensor nodes need to maintain state which is the used O^i_0 (K0: last element in the hash chain) so that the compromised APs cannot use older OWC. Another situation can arise if O^i_0 (K0: last element in the hash chain) was sent from base station to sensor node unencrypted (no auth/integrity check), then a node along this unicast path (if multihop) could collude with aggregator to provide a false O^i_0 to give false appearance that some node has been delegated authorization from base station which is not actually the case. Sensor Node Compromised: Sensor nodes along data path can selectively forward data from sensor node to aggregator. This is not a big problem as other nodes in the group will be forwarding the redundant data in the same locality. However, if a sensor node has been compromised along the data-path and decided to selectively forward data in this case the sensor nodes further down the path will detect suspicious behavior as they will be skipping sequences in the OHC. Moreover, they can report this behavior to other nodes and eventually the base station. Sinkhole/Wormhole Attacks: This paper does not address routing issues, so sinkholes are still possible as long as the node can join the network. However, outsider attacks may not be possible if the process of building routes relies on the preconfigured keys. HELLO Flood Attacks: Insider laptop-class attackers that have a compromised key can most likely perform HELLO floods. However, outsiders may not if routing is similar to data sharing; in this case malicious aggregators need keys to get a hash chain from the base station, and malicious sensor nodes need keys to impact routing topology upon joining. A possible countermeasure is to verify the bidirectionality of the link. Sybil Attacks: AP Compromised: Each AP only gets one hash chain at a time, so it would have to convince the base station that it has multiple aggregator identities. Hence, this depends on how the protocol chooses APs which is not defined in the paper. No reason to try to sybil sensor nodes unless there is more than one aggregator per group (atypical).

12 Sensor Node Compromised: Such a node may be able to impact topology with sybil, but the acquisition process for aggregator-sensor node key may thwart this attempt A Practical Secure Neighbor Verification Protocol for Wireless Sensor Networks (Shokri, Poturalski, Ravot, Papadimitratos, & Hubaux, 2009) This paper was published in 2009 at ACM Conference on Wireless Security. We will outline the summary and the possible attacks against it within the framework discussed in the previous sections Summary This paper focuses on securing the neighbor discovery (ND) mechanism in WSNs. The assumption is that if the only correct neighbors exist in routing tables then we will have no attacks. The main phases of the secure ND protocol are: ranging; neighbor table exchange; link verification. In the ranging phase, the physical distance between the neighboring nodes is determined using Ultrasound and Radio frequency messages. Moreover, they use pre-installed symmetric keys on the nodes to send messages between two nodes, hence, outside attackers cannot participate. Those nodes which can verify that no delay longer than the propagation delay was introduced when the nodes were exchanging messages will be considered as neighbors. The neighboring nodes will exchange their tables with their neighbors and update them. After this, all the links in a neighboring node are subject to the following tests: link symmetry; quadrilateral test. The links that are verified only they will be used for forwarding packets Possible Attacks Inside/Outside Attacks: In this case, based on the framework, the inner nodes are compromised. Hence, we have the symmetric keys and these compromised nodes will participate like any other node in the ND secure protocol. Once, they have established as having a legitimate link they can perform the Selective Forwarding and Sinkhole attacks. The protocol does not propose any particular mechanism of selecting the next-hop candidate from the neighboring table. Hence, if there is a criterion then the compromised nodes can leverage that to their advantage and get selected all the time. Outside attacks are not possible when using encryption. The only possibility is that the malicious relay packets without seeing their content. Wormhole is a possible type of attack which is discussed later. HELLO Flood Attack: This type of attack is not possible as the ND secure protocols checks for a bi-directional link between two neighbors before appending them to the table. Hence, a false link is detected and ignored.

13 Sybil Attack: This type of attack is also not possible as the ND secure protocols uses time synchronization. As stated earlier, if a node takes more time than the propagation delay to exchange messages, the node will not be considered legitimate link. To launch a Sybil inside attack, a malicious node needs to transmit messages on behalf of all the false identities it wants to create. Hence, it will need more time to generate these messages and will eventually not have succeeded in verifying the false nodes with false links. Wormhole Attack: In a wormhole attack, the compromised node creates a false link between two legitimate nodes (A and B) so that they assume that they are neighbors. Hence, this is usually, an outside attack and a relay type of attack. The ND secure protocol performs a quadrilateral test. For a wormhole attack to succeed, the compromised nodes needs to verify that four false links exist which will make a quadrilateral. As proved by the authors, it is almost impossible to have such a situation except when one of the relay (compromised node) is placed on top of one of the legitimate node INSENS: Intrusion-Tolerant Routing in Wireless Sensor Networks (Deng, Han, & Mishra, 2006) Summary (In this case, most of the text is adapted from the paper) The basic INSENS includes route discovery and data forwarding. Route discovery is divided into three phases. In the first phase, the base station sends out a request message. The format of the request message is BS * : REQ BS OHC MAC(Kbs; REQ BS OHC) where REQ is the message type, BS is the ID of the base station, OHC is a one-way hash chain sequence number, and denotes concatenation. When receiving a request message for the first time, it adds information to it and rebroadcasts it. A node x replaces the ID in the received REQ message with its own ID x and re-computes a new MAC based on its own pair-wise key shared only with the base station, as well as on the previous MAC in the received REQ message. The format of the modified request message is x * : REQ IDx OHC MAC(Kx; IDx OHC MAC_of_parent) Each node selects the first neighbor that it hears the REQ message from as its parent, and ignores repeated messages. After forwarding request messages, nodes wait for a fixed time before starting the second phase. In the second phase, nodes unicast a feedback message, containing MAC and neighborhood information. A base station can verify a node s neighborhood information by computing the MACs and get the topology of nodes. In the third phase, base stations compute multipath forwarding tables of each node in the network based on the topology constructed earlier. On receiving a data packet, a node searches for a matching entry <destination, source, immediate sender> in its forwarding table. If it finds match, it forwards (broadcasts) the data packet.

14 Possible Attacks: Outside Attacks: Spoof, selective forwarding, sinkhole, wormhole, Sybil, and hello flood attacks are not possible since INSENS uses a shared key and MAC with neighborhood information. But we can attack the system by rushing attack. A malicious node generates a fake ROUTE REQUEST message and employs methods to have that message reach other sensor nodes before the legitimate ROUTE REQUEST message reaches there. This can result in those nodes setting the malicious node as their parent node. Insider Attacks: Even if some nodes are compromised, we can still eliminate most attacks. Sinkhole and selective forwarding can be detected and thus eliminated since we have multiple paths. HELLO flood is also not possible, since only the base station can initiate the ROUTE REQUEST message. 4. Conclusion In this study, we adapted the framework proposed by Karlof et al in 2003 to scrutinize four different secure routing protocols for wireless sensor networks. It was observed that all suffered from different attacks and it is difficult to claim that one performed better than other. Hence, it is worthwhile to consider a few things before choosing one. WSNs are application-specific in nature. The above finding reinforces the same idea. When choosing a secure routing protocol, it is more on the requirements of the application and the environment in which it will be deployed that need to be taken into account. One protocol can suit you better than the other simply because your requirements are different. For example, if you are deploying sensor nodes in a volcano you can certainly eliminate the fact that anyone can replace them or tamper with them. This information can assist you in selecting a secure protocol that assumes that nodes cannot be tampered or physically compromised. Another important perimeter to consider when choosing a secure routing protocol is energy efficiency. You will not want to choose a protocol that provides 100% security but consumes all the energy of the network. In the framework we adapted the authors did not discuss the cost of the operations to countermeasure and their effect in terms of energy efficiency. It is worth mentioning that most of the secure routing protocols do not get into the details of energy efficiency or the additional cost of running these protocols as compared to not having security at all. The papers under study did mention energy efficiency but it was superficial such as INSENS (Deng, Han, & Mishra, 2006) pushes the expensive operations to base station and SIFG (Wood, Fang, Stankovic, & He, 2006) shifts between different modes of operations to save the cost of running an expensive secure protocol when the network is not under threat. It seems that even though energy efficiency is a big issue in WSN, when it comes to security, it costs too much to implement, hence, people are not mentioning it too much to discount their effort. Lastly, we have provided a mechanism to scrutinize secure routing protocols. This approach can be used to identify which protocols are vulnerable to which type of attacks before choosing them for your application.

15 Bibliography Deng, J., Han, R., & Mishra, S. (2006). INSENS: Intrusion-tolerant routing for wireless sensor networks. Computer Communications, Deng, J., Han, R., & Mishra, S. (2003). Security support for in-network processing in Wireless Sensor Networks. SASN '03: Proceedings of the 1st ACM workshop on Security of ad hoc and sensor networks (pp ). Fairfax: ACM. Karlof, C., & Wagner, D. (2003). Secure Rouing in Wireless Sensor Networks: Attacks and Countermeasures. Ad Hoc Networks, Shokri, R., Poturalski, M., Ravot, G., Papadimitratos, P., & Hubaux, J.-P. (2009). A practical secure neighbor verification protocol for wireless sensor networks. Second ACM conference on Wireless network security (pp ). Switzerland: ACM. Wood, D., Fang, L., Stankovic, J., & He, T. (2006, 10 30). SIGF: a family of configurable, secure routing protocols for wireless sensor networks. SASN '06: Proceedings of the fourth ACM workshop on Security of ad hoc and sensor networks, pp