Analysis of Attack Models via Unified Modeling Language in Wireless Sensor Networks: A Survey Study

Transcription

1 Analysis of Attack Models via Unified Modeling Language in Wireless Sensor Networks: A Survey Study Sunghyuck Hong Office of nternational Affairs Texas Tech University Lubbock, Texas sunghyuck.hong@ttu.edu Sunho Lim t t Dept. of Computer Science Texas Tech University Lubbock, Texas sunho.lim@ttu.edu Abstract-Wireless Sensor Networks (WSNs) are widely used in various environments in monitoring temperature, motion, sound, and vibration. These applications often include the detection of sensitive information from enemy movements in hostile areas or in locations of personnel in buildings. Due to characteristics of WSNs, nodes tend to be exposed to the enemy, and security is a major concern in WSNs. Many researchers have developed various security protocols. However, there is no research paper describing and analyzing security models in WSNs by using a standard notation such as The Unified Modeling Language (UML). Using the UML helps security developers to analyze security attacks and design secure WSNs. n this research, we provide standard models for security attacks by UML Sequence Diagrams to describe and analyze possible attacks in a network and transport layer. ndex Terms-Security, Wireless Sensor Networks, Unified Modeling Language, Standard Attack Models.. NTRODUCTON Wireless Sensor Networks (WSNs) are exploding in popularity. Major application areas include the military battlefield surveillance and civilian applications include industrial process monitoring and control, machine health monitoring, environment and habitat monitoring, health-care applications, home automation, and traffic control [1]. Wireless sensor nodes in WSNs sense temperature, motion, sound, and vibration [2], and most WSNs are deployed in a hostile area or public outdoor area. Because of the well-known constraints of WSNs such as a limited physical size, security algorithms in a conventional networking environment are not applicable in WSNs except adding extra hardware equipment. Recently, many researchers have developed security algorithms to fit into WSNs based on descriptions and analysis of security attacks [3] [4] [5]. To better analyze security attacks and develop counter attacks, a standard security notation must be developed and provided for security developers. The well-known modeling methodology is Unified Modeling Language (UML) [6]. UML is a standard notation for the modeling of real-world objects as a first step in developing This research was supported in part by the Startup Grant in the Dept. of Computer Science at Texas Tech University and National Science Foundation (NSF) under the Grant CNS 083l673. an object-oriented design methodology, and is used as the language for specifying, visualizing and constructing the artifacts of software systems. n addition, UML represents a collection of the best engineering practices that have proven successful in the modeling of large and complex systems. The key benefit of using UML is that it provides security developers standardized methodologies for visualizing security attacks that are present in WSNs. However, no research has been published that uses a standard notation for security attacks. Therefore, in this research paper, we propose and present UML Sequence Diagrams for possible attacks in the network layer. These UML models are designed to help increase security developers' understanding as they build more secure WSNs. The rest of this paper is organized as follows. Various attack strategies are investigated and categorized in terms of network and transport layers in Sections and, respectively. Finally, in Section V we conclude the paper with future directions.. NETWORK LAYER: SPOOFED ROUTNG NFORMATON, SELECTVE, SNKHOLE, WORMHOLES, HELLO FLOOD, AND ACKNOWLEDGEMENT SPOOFNG ATTACKS The network and routing layer is responsible for packet delivery including routing through intermediate nodes, and it provides the functional and procedural means of transferring variable length data sequences from a source to a destination node while maintaining the quality of service and error control functions [7]. A. Spoofed, Altered, or Replayed Routing nformation Attack Most attacks in a network layer are to target the routing information while it is being transferred between nodes. The main goal of attacks in the network layer spoofs, alters, or replays the routing information, resulting in the creation of routing loops, generating fake error messages, partitioning the network, increasing transmitting latency, and exhausting the power of nodes [3]. The assumption in the spoofed, altered, or replayed routing information attack is that each packet has a full routing path and each node faithfully forwards received messages. Attack scenario is described in Fig /10/$ EEE 692

2 Exte rnal otto cker «U» «U» :l j'e :L1P=Te «U» :Malicious N0<<03 otto ker 1: initiateattacko ( 2, Evenl ) 3: send(date, R) 4: send(date, R) [ S, Spooled. ahered, or replaced R. 6: send(date, R) J 3, send(dale) 7: send(date, R) Fig.. UML Sequence Diagram for Spoofed, Altered, or Replaced Routing nformation Attack. for a selective attack on the malicious node 3. 2) Node 1 detects an event, and then forwards the event data to node 2 that is on the routing path: node 1 node 2 node 3 (malicious) node 4. 3 according to the routing path. 4) Malicious node 3 alters the routing path as node 3 node 2 node 1; creating a routing loop. 5) Node 2 forwards the received data from node 3(malicious) to node 1 according to the altered routing path. 6) Node 1 forwards the received data from node 2 to node 1 according to the altered routing path. Repeat steps 3 thru 5. B. Selective Attack Each node faithfully forwards received messages to its neighbors. However, a malicious node in a selective attack may refuse to forward certain messages and simply drop them, ensuring that they are not propagated any further. The detailed procedures are as follows below in Fig. 2. for a selective attack on the malicious node 3. 2) Node 1 detects an event and then forwards the event data to node 2 that is on the routing path (node 1 node 2 node 3 (malicious) node 4). 3 (malicious) according to the routing path. 4) Malicious node 3 may refuse to forward certain messages and simply drop them, ensuring the cessation of propagation. C. Sinkhole Attack n a sinkhole attack, a laptop-class adversary with a powerful transmitter can actually provide a high quality route by transmitting with enough power to reach the base station in a single hop [3]. An adversary could spoof or replay an advertisement (routing information or neighbor information) for an extremely high quality route to a base station. Each neighbor node of the adversary will forward packets destined for a base station through the adversary, and it also propagates Fig. 2. Exte mal aha eker Fig. 3. UML Sequence Diagram for Selective Attack (Black Hole). 1: initioteattacko «U» :Legitimate Node -.l v 3, send(dale) «U» «U» «U» :Legitimate :Maliclous :L te Node 2 Node 3 4: send(dote) 7.1: send(hello) 7.2: send(hello) l8c j forwarded data drops messages, and no Acks. UML Sequence Diagram for Sinkhole Attack. 6, send(dale) 7.3: send(hello) 5: Event the attractiveness of the route to its neighbors. The detailed procedures are as follows below in Fig. 3. a sinkhole attack on the malicious node 3. 2) Node 1 detects an event and then forwards the event data to node 2, which is on the routing path (node 1 node 2 node 3 (malicious) node 4). 3 according to the routing path. 4) Malicious node 3 can refuse to forward messages and simply drop them, ensuring that they are not propagated any further. 5) Node 4 detects an event and forwards the event data to node 3, which is on the routing path (node 4 node 3 (malicious) node 2 node 1). 6) Malicious node 3 receives data from node 4 and then does not respond to the sender node 4. 7) Malicious node 3 keeps sending its neighbors Hello messages to update their routing information with the altered final destination as the malicious node 3. D. Sybil Attack n a Sybil attack, a malicious node illegitimately takes on multiple identities. There are two ways to perform a Sybil attack. One is for the Sybil node to communicate directly with legitimate nodes; the other one is that messages sent to a Sybil node are routed through one of these malicious 693

3 attacker 1: nitlcteattccko attacker 1.1: initiateahacko 1.2: inltiateanocko Fig : send(hello, Rl) UML Sequence Diagram for Sybil Attack..3: send(helio. R3) nodes that pretends to pass on the message to a Sybil node [8]. To prevent the Sybil attack, any node could check the list of "known-good" identities to validate another node as legitimate. The other solution is position Verification: the network verifies the physical position of each node. Sybil nodes can be detected using this approach because they will appear to be at exactly the same position as the malicious node that generates identities. The detail procedures are follows below in Fig. 4. 1) An attacker initiates for a Sybil attack on the malicious node 3. 2) A malicious node 3 assigns each of its n neighbors a different channel as R1, R2, and R3 to broadcast some message on. The malicious node 3 can generate identities with a random value or steal one of the legitimate nodes. 3) f the channels are legitimate, then node 1, node 2, and node 3 listen and update their. n this case, some identities are dead or unreachable. However, these neighbor nodes of the malicious node 3 notice that all surrounded nodes are alive and reachable. E. Wormholes Attack n Wormholes attack, an attacker receives packets at one point in the network, "tunnels" them to another point in the network, and then replays them into the network from that point. For tunneled distances longer than the normal wireless transmission range of a single hop, it is simple for the attacker to make the tunneled packet arrive sooner than other packets transmitted over a normal multi-hop route [5]. The detailed procedures are as follows below in Fig. 5. 1) An attacker initiates Wormholes attack on the malicious node 4 & 5. 2) A malicious node 4 sends its n neighbors Hello messages in order to update their, changing the final destination to the malicious node 4. 3) The neighbor nodes of the node 4 sends the malicious node 4 data whenever an event happens. 4) Node 4 receives data from the neighbors and then forwards node 5 (another wormhole node), establishing a tunnel between two wormhole nodes to send data to a malicious device as a gateway. Fig. 5. : send(hello) 2.2: send(hello).. "", d(oeta l ''"",,,, d(oeta l : lorward(dafa) F==--\' l : forward(data} - ri: folward(data) 12: forword(data} 10: forward(data) 13: lorword(dafa l. 14:, 1 forward(data) :o",a.d(oo UML Sequence Diagram for Wormholes Attack. cttacker 1: initiateattacko Fig : send(hello) AHac ' rna,.: 2.2 : send(hello) r----;::=±= =12.3: send(helio) 2.4: send(helio) UML Sequence Diagram for Hello Flood Attack. F Hello Flood Attack tunneled pocket sooner and transmh packets 10 malicious davlce n the Hello flood attack, the assumption is that each node uses a static routing information table, and the nodes update this table periodically by sending or receiving Hello and ACK messages. f a laptop-class adversary with a powerful transmitter broadcasts Hello packets to its neighbors, then a node receiving such a packet may assume that it is within normal radio range of the sender. Therefore, an adversary can broadcast Hello packets to its neighbors, and receiving nodes will update their s. The detailed procedures are as follows and also noted in Fig. 6. 1) An attacker initiates for a Hello attack on the malicious node 3. 2) Malicious node 3 broadcasts Hello messages to all its neighbors and neighbors more than -hop away. 3) Receiving nodes update their s. G. Acknowledgment Spoofing Attack Each node uses a static routing information table, and it updates this periodically by sending or receiving Hello and ACK messages. Meanwhile, an attacking node can spoof the acknowledgments of overheard packets destined for neighboring nodes in order to provide false information to those nodes. An example of such false information is claiming that a node is alive when in fact it is dead [9]. The detailed procedures are as follows and also in Fig

4 «U» 3:: Exts mal aae ker 1: nltloteahocko «U» :legllimate Node Node 2 :legillmale «U.. «U.. «U.. Node 3 Node 4 Node 5 :Mollclous :leglllmo& :Legltimate 3:: ahacker 1: nitioteattocko [ 1 4, update the 2: send(hello) 3: send(ack) 2: send(syn) 3: send(syn+ac ) 2: send(ack) 5: send(syn) 5: send(hello) [ 7 1 update the 6: send(ack) 6: send(syn+ack 7: send(ack) 8: send(syn) 9, end(syn+ack) [ 11, 1 update l1e 8: send(hello) 10, send(ack) 9: send(ack) to, send(ack),,, send(syn) t2, nd(syn+ack) t3, send(ack) Fig : send (Hello) [ S, update l1e J 14, send(ack) 13, send(ack) UML Sequence Diagram for Acknowledgment Spoofing Attack. 1) An attacker initiates an acknowledgement spoofing attack on the malicious node 3. 2) Node 1 broadcasts its neighbors Hello messages to update their s. 3) The received nodes respond and send back to the sender node an ACK message. 4) f the link between node 4 and node 1 is weak, then the ACK message of node 4 is not reachable. 5) f the link between node 5 and node 1 is weak, then the ACK message of node 5 is not reachable. 6) f the malicious node 3 notices weak ACK signals from node 4 and 5, then it sends ACK messages to node 1 so that the node 1 realizes that node 4 and 5 both are reachable.. TRANSPORT LAYER: FLOODNG AND DESYNCHRONZATON The transport layer is primarily responsible for managing end-to-end connections, and it optimally provides services including reliable data communication, flow control, congestion control, etc. Most attacks in the transport layer target the TCP/P protocol, which is popularly deployed in current networks. There are two major attacks: flooding and desynchronization. A. Flooding Attack Flooding attacks primarily exploit weaknesses in communication protocols, where connection information must be maintained at both ends of a connection. These protocols become vulnerable when a malicious node repeatedly transmits connection request packets and attempts to exhaust resources. For example, the transmission control protocol (TCP) is a connection oriented communication protocol, which requires Fig. 8. UML sequence diagram of flooding attack. that a connection be established through the three-way handshake process l. n the TCP SYN attack [10], a malicious node can send the server multiple connection establishment requests with spoofed source addresses. This causes the server to keep allocating resources for bogus connections. When the maximum half-open connection limit is reached, any successive legitimate connection request is refused. One of defense mechanisms is that each node demonstrates its legitimacy of connection request by solving a puzzle [11]. The server generates and verifies the puzzle, and clients should solve and show it before establishing a connection. Although this approach prevents the malicious node from quickly wasting the resource, it requires a non-negligible computational power and thus it should not be directly applied to WSN, which is a resource-limited network. B. Desynchronization Attack A malicious node can interrupt an on-going connection by repeatedly transmitting forged packets containing sequence numbers or control flags to the victims, resulting in a desynchronization between the two ends of the nodes. Then the node requests the retransmission of missed frames, resulting in resource exhaustion. f the malicious node can maintain correct timing, it can even prevent the exchange of any further packets between two ends of the nodes. This can be avoided all the packets exchanged being authenticated so that the malicious node cannot spoof the packets. n addition, packet authentication also requires a non-negligible computational power. V. CONCLUDNG REMARKS AND FUTURE WORK Applications in WSNs are widely spreading to surveillance operations in military or industrial process monitoring and control. n miliary applications, security is a major concern due to the characteristics of WSNs, whose wireless sensor 1 n the process, a sender sends a SYN packet to initiate a connection. A receiver replies with a SYN+ACK packet indicating that the receiver agrees the connection. Finally, the sender replies an ACK packet indicating that the connection has been established. 695

5 nodes tend to be exposed by enemies. To protect WSNs from attackers, security attacks must be well analyzed so that countermeasures can be found. f we can better understand and analyze the attacks, we have a good chance of finding solid solutions. However, there is no current research that describes and analyzes the current attacks with standard notations. Therefore, in our research, we proposed using UML as a standardized modeling language to describe and analyze the current attacks and countermeasures. These standard models of current attacks and countermeasures are able to help increase security developers' understanding and pave the way for building more secure WSNs. n the future, we will analyze attack models in other network layers such as a physical and data link layer with using various UML diagrams - an activity diagram, state machine diagram, class diagram, composite structure diagram, and interaction diagram - to analyze the current attacks and countermeasures in a sophisticated way. Security measurements of the countermeasures in WSNs are still under investigation. REFERENCES [] s. Hadim and N. Mohamed, "Middleware: Middleware Challenges and Approaches for Wireless Sensor Networks," EEE Computer Society, vol. 7, no. 3, March [2] K. Romer, F. Mattern, and E. Zurich, "The Design Space of Wireless Sensor Networks," EEE Wireless Communications, vol., no. 6, pp , Dec [3] C. Karlof and D. Wagner, "Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures," in Proc. of the 1st EEE nternational Workshop on Sensor Network Protocols and Applications, May [4] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. Tygar, "SPNS: Security Protocols for Sensor Networks," Wireless Networks, vol. 8, no. 5, pp , Sept [5] Q. Hu, D. L. Lee, and W. Lee, "Performance Evaluation of a Wireless Hierarchical Data Dissemination System," in proc. ACM MOBCOM, 1999, pp [6] M. Fowler, UML Distilled: A Brief Guide to the Standard Object Modeling Language (3rd ed.). Addison-Wesley, [7] H. Zimmermann, "OS Reference Model-The SO Model of Architecture for Open Systems nterconnection," EEE Trans. on Communications, vol. 28, no. 4, pp , Apr [8] J. Newsome, E. Shi, D. Song, and A. Perrig, "The Sybil Attack in Sensor Networks: Analysis & Defenses," in PSN Third, Apr. 2004, pp [9] Y. Wang, G. Attebury, and B. Ramamurthy, "A Survey of Security ssues in Wireless Sensor Networks," EEE Communications Surveys & Tutorials, vol. 8, no. 2, [10] C. L. Schuba,. V. Krsul, M. g. Kuhn, E. H. Spafford, A. Sundaram, and D. Zamboni, "Analysis of a Denial of Service Attack on TCP," in Proc. EEE Symposium on Security and Privacy, 1997, pp [] T. Aura, P. Nikander, and J. Leiwo, "DOS-Resistant Authentication with Client Puzzles," in Proc. Security Protocols Workshop, 2000, pp