J Supercomput https://doi.org/10.1007/s11227-018-2346-1
SCOUT: a sink camouflage and concealed data delivery paradigm for circumvention of sink-targeted cyber threats in wireless sensor networks

Saqib Ubaid¹ · M. Farrukh Shafeeq² · Majid Hussain³ · Ali Hammad Akbar² · Abdelrahman Abuarqoub⁴ · M. Sultan Zia³ · Beenish Abbas⁵
© Springer Science+Business Media, LLC, part of Springer Nature 2018
¹ Department of Computer Science, Khawaja Fareed University of Engineering and Information Technology, Rahim Yar Khan 64200, Pakistan
² Department of Computer Science and Engineering, University of Engineering and Technology, Lahore 64890, Pakistan
³ Department of Computer Science, COMSATS Institute of Information Technology, Sahiwal 57000, Pakistan
⁴ Faculty of Information Technology, Middle East University, Amman, Jordan
⁵ Department of Computing, Universiti Teknologi Malaysia (UTM), Johor Bahru, Malaysia

Abstract In the modern epoch of cyber warfare and its countermeasures, wireless sensor networks (WSNs) are highly susceptible to cyber attacks due to their primary reliance on the sink. WSNs perform routing and communication to deliver data from sources to the sink. In this many-to-one communication paradigm, while some failure might be affordable on the side of the many sources, the single sink cannot be allowed any downtime, let alone a failure. In a WSN security attack scenario, an attacker makes efforts to bring a sink down by identifying and capturing it. The current state of the art in sink protection schemes prevents such failures by preserving the sink's privacy through letting it operate in promiscuous and all-the-time listening mode. However, such operation is still vulnerable to privacy divulgence because the attacker detects its all-the-time listening operation and identifies it. Furthermore, listening is an energy-expensive operation in WSNs that makes the sink battery die very quickly. In this paper, we propose a new sink privacy preservation scheme that defines the role of cooperating nodes. These cooperating nodes create a camouflage around the sink such that the location of the sink is never revealed. Such operational dispositioning reduces the susceptibility of WSNs in general, and of the sink in particular, to sink-targeted cyber attacks. Since the sink adopts a sleep schedule, our scheme is energy efficient as well.

Keywords SCOUT · Privacy preservation · Security threats · Wireless sensor networks
1 Introduction

Wireless sensor networks (WSNs) sense their environment through sensor nodes and deliver data from sensing nodes to the sink. The communication between sources and sink requires data to be routed through the network. The flow of useful data terminates at the sink node. Any of the data retrieval schemes (push/pull models) may be followed, but the significance of the single sink remains integral. The failure of some of the source nodes can be afforded, but damage to the sink is fatal to the network. Therefore, the safety of the sink is of utmost importance. The sensor nodes in the network are considered frail and prone to failure due to (1) the limited resources available and (2) faults occurring in them. These may be the result of some defects or caused by an intruder who has negative intentions of bringing down the network. We do not deny the importance of the security of source nodes in WSNs, but the security of the sink is of more significance. Sufficient research has been performed on source protection in [1–4, 5–7].

Industrial wireless sensor networks (IWSNs) are a hot topic for researchers due to their applications in an extensive variety of businesses, including mechanization, observing, process control, input frameworks and automation. The wide extent of IWSN applications, extending from little generation units and vast oil and gas businesses to atomic parting control, empowers quick-paced research in this field. Despite the fact that IWSNs offer the advantages of minimal effort, adaptability, versatility, self-recuperating, simple arrangement and transformation, they represent certain restrictions on accessible potential and present difficulties on numerous fronts because of their vulnerability to exceedingly mind-boggling and questionable modern conditions. An itemized discussion of plan targets, difficulties and arrangements for IWSNs is presented in [8].
To our knowledge, the security of the sink has been given less attention. In the recent past, [9] suggested a privacy preservation mobility control protocol in WSNs. The authors seem to follow the saying 'prevention is better than cure' and work on its theme by creating a scenario for communication through which the sink cannot be identified by an outsider, thus avoiding any malicious attack. Although it is a good idea to keep the sink as disguised as possible, the proposed strategy has some loopholes. Also, while making the sink undetectable, they have overlooked the fact that energy is the main constraint in WSNs, and it is not feasible to let an on-site battery-operated sink operate all the time in listening mode.

The paper is organized as follows: Sect. 2 comprises related work. The network model is explained in Sect. 3. Section 4 describes the proposed scheme 'SCOUT' in detail. We propose a sink privacy preservation scheme that provides increased anonymity and allows the sink to adopt sleep schedules for energy conservation. In our protocol, the sink works in conjunction with the cooperation of some nodes in its neighbourhood. Moreover, this protocol assigns roles to the cooperating nodes, which form a camouflage around the sink and divert the packets towards dummy sinks. The proposed scheme is modelled mathematically in Sect. 5. Section 6 examines the scheme under different threat models. Security analysis is expressed in Sect. 7. The paper ends in Sect. 8 with the conclusion drawn from the work done.
2 Related work

The main focus of this research is to provide a scheme that makes the sink more secure and invulnerable to security attacks. The state of the art places more emphasis on the security of source nodes. Very few papers have addressed the security of the sink. Security has been addressed in sensor networks in different dimensions. To make data communication secure, [1, 2, 9, 10] proposed encryption and authentication schemes. Eschenauer and Gligor [3], Zhu et al. [4], Muhammad et al. [11] and Chen et al. [12] showed establishment and update of keys among sensor nodes. By implementing such techniques, data communicated between source and destination are made secure, but the initiating and terminating ends remain exposed.

In [5–7, 13–15] some schemes have been proposed for hiding the location of a source to make the data communication secure. The main theme behind the idea in [5, 13] is to protect the object being monitored. Since the source nodes are around the monitored object, they propose a scheme which makes the source nodes secure by hiding the object being monitored. Therefore, the location of the node which is originating the traffic remains hidden. Also, they propose GROW, a random walk scheme in which every node in the network randomly forwards data to the next node with the information of the neighbouring nodes at every location. This is to avoid an eavesdropper intersecting the data path and discovering source nodes by backtracking. Other schemes which address location privacy are [6, 7, 14, 15]. Again, they have addressed locations of sources only. The key features of these schemes are: (1) actual source nodes are associated with a few other nodes (these may be fake or real), and all generate packets simultaneously to create confusion for the attacker; (2) each source node sends packets to the destination over different paths so that it is difficult to identify the source; (3) to hide the real object, many virtual objects which act like real objects are placed in the field.

Although the security of sinks is even more important than that of sources, there are only a few research works that address this issue. In [11], the authors proposed a two-tiered scheme for sink security. Two layers are introduced around the sink for its protection. The inner layer, which is close to the sink, can communicate with the sink. The outer layer is a wall between the rest of the network and the inner layer. Any node which is not a part of the inner layer cannot communicate with the sink directly. Inner layer nodes are selected by the sink based on a trust calculation. The concept is much like that of introducing a firewall in the network. The attacker can damage the wall and hence can access the sink. This scheme is pretty straightforward, and no intelligence is involved in it. In [14], the geographical location of the base station is concealed through the introduction of fake messages and multi-path routing to defend it against physical attacks. However, it concentrates on the traffic analysis attack, which determines the location of the sink through the measurement of traffic rates at various locations. In [16], the authors also focus on multi-hop data delivery in WSNs, but their primary focus is depletion of energy, not concealed data delivery. The authors in [17, 18] present a cut-through energy paradigm for inter-node data transmission by proposing asleep, quasi-sleep and active state schedules. It provides an optimal time and energy-efficient solution, but since the sink has not been the focus of a multi-layer security scheme, it remains vulnerable. Similarly, Hussain et al. [19] have presented a linear programming heuristic, in conjunction with Moore's law of semiconductors and batteries, for multiple gateway deployments to reduce network survivability costs and optimize communication for wireless sensor grids. This research work, through a node scheduler, optimizes collision avoidance, fairness and nearest data connectivity with an efficient energy consumption mechanism, but the inter-node (sink node) transmission is not concealed enough to provide the sink the requisite security.

In [15], Edith Ngai has presented the idea of sink anonymity by omitting the address from the data packets in routing and proposed a randomized routing scheme with hidden addresses. Packets are routed in the network randomly to M neighbours to increase their probability of reaching the sink, and the packet of interest is identified by the sink when it reaches there. This identification is made possible by the symmetric (encryption) key shared by the source and destination. The paths are controlled by the values of L and M, where L is the pre-defined length of paths and M is the number of neighbours to which the packet is forwarded. This scheme has some drawbacks. Packet delay increases with increasing values of M and L. There is a possibility that a packet may not reach the sink. Energy consumption increases with the value of M. In [20], the authors present the security challenges for the physical layer in industrial wireless sensor networks (IWSNs).

In [9], the authors proposed the idea of introducing dummy nodes in the network to hide the location information of the sink, where network traffic would terminate. They put it forward in two steps. When source nodes ask for the sink address (its location), sink replies to them by Gu and Chen [9] selecting a dummy node that lies on the extension to the path from source to the sink and Jiang et al. [10] tell the address of that dummy node to the sources. By doing so, it ensures that the sink is only an intermediate node in the path to the dummy destination. However, this scheme is still vulnerable because the sink, being the intermediate node, forms an intersection, since each path to a dummy node would eventually pass through it. This vulnerability makes the sink identifiable by a malicious node trying to backtrack the intersection of all these paths. The authors have suggested another variation of the initial scheme that makes the sink more secure. Now, when requests arrive from sources, the sink selects its one-hop neighbours, then calculates the best path to the dummy node and sends the location of the dummy node. Here, the sink is no longer an intermediate node in the path; rather, it overhears the information through one-hop neighbours who reside along the paths to the dummy nodes. This scheme is an intelligent idea, but the sink remains in an ever-listening mode, which makes this algorithm, according to Gu and Chen [9], expensive regarding energy consumption by the sink and, according to Jiang et al. [10], vulnerable to privacy divulgence because the attacker may detect its all-the-time wake-up mode and hence identify it as a sink.
3 Network model

A homogeneous network model is used in our architecture. In a homogeneous network architecture, all the sensor nodes have approximately equal computational and communication power and battery life. Many applications are using this homogeneous architecture, and hopefully, its popularity will increase. Nowadays, this architecture is being used in research. The data delivery paradigm is event driven (push model). The proposed architecture for providing sink anonymity comprises the sink (D), dummy sinks (D′), active cooperating nodes (ACNs), passive cooperating nodes (PCNs) and one-hop neighbours (H) of active cooperating nodes. These nodes have specific roles to perform to realize the proposed scheme SCOUT. SCOUT uses location-based addressing and routes traffic with the Ad hoc On-Demand Distance Vector (AODV) protocol.

3.1 Assumptions

We assume that only one sink is in our network to show the sink anonymity. Although the current WSNs use multiple sinks for the sake of generalization, we can argue that the number of sources is considerably large compared to the number of sinks. Therefore, the situation becomes synonymous to the vulnerability of a single sink. Whenever the sink wakes up, it resets its received packets count. The network is assumed to be strongly mesh connected. Let the ith node be two hops away from the edges of the network, with its neighbours in a grid deployment. The total number of neighbours of the neighbouring nodes of the ith node, except the ith node itself, is

$$n_i \times (n_i - 1), \quad \text{where } n_i = 8. \qquad (1)$$

If the ith node is at any corner, then the number of neighbours is

$$n_i \times (n_i + 2), \quad \text{where } n_i = 3. \qquad (2)$$

If the ith node is at an edge, then there are two possibilities:

1. If it is one hop away from the corner, then the number of neighbours is

$$(n_i - 1) \times (n_i + 1), \quad \text{where } n_i = 5. \qquad (3)$$

2. Otherwise, the number of neighbours is

$$3 (n_i + 2) + 2 (n_i - 1), \quad \text{where } n_i = 5. \qquad (4)$$

By these equations, the neighbours of the ith node have more than two nodes, which is sufficient for Ad hoc On-Demand Distance Vector (AODV) routing. If the ith node is the sink, then routing is done by using AODV. We also assume that the sink can never be at the edges of the deployed network. We assume that at bootstrap time, the sink's neighbouring nodes show their willingness to behave as ACNs and PCNs, but the sink selects only those nodes which fulfil its criterion.

3.2 Role of sink at bootstrapping

At bootstrapping, the sink also broadcasts a Cooperation Desired message to its one-hop neighbourhood nodes asking them for cooperation. As we have shown that each node has at least three neighbouring nodes and our sink is not at an edge, it has at least eight neighbours, so it receives multiple responses and maintains a list of cooperating nodes. On receiving positive responses from neighbours, the sink chooses active and passive cooperating nodes according to a certain criterion and notifies them by sending appropriate messages. The selection criterion depends upon the level of compromise of the nodes and their remaining clout to perform the functionality, and their number of neighbours must be dense enough so that the selection of H (a one-hop neighbouring node of an ACN) can easily be done. In our grid-deployed network, the numbers of neighbours are approximately equal, so this is not a bone of contention. After selection of ACNs and PCNs, the sink also maintains the ACN/PCN behaviour of nodes in the list. The sink transfers the ACN functionality as mobile code using OTAP (over-the-air provisioning), so that ACNs perform the function on behalf of the sink, and also sends the behavioural functionality code of each node (ACN/PCN). The sink also shares its sleeping schedule with these nodes. The sink checks the status of ACNs periodically. If any of the ACNs is found unavailable or compromised, the sink notifies a PCN to replace that ACN and deletes the compromised node from the cooperating node list.
The sink divides the network into regions using GPS (Global Positioning System) and keeps track of all nodes that belong to a region. Figure 1 represents the timeline diagram of the sink at bootstrap time.

Fig. 1 Sink timeline diagram at bootstrap time

3.3 Role of ACNs

After receiving a message to behave as an ACN, knowing the sleep schedule of the sink (D), and getting the list of regions and their node IDs, the ACN starts to communicate with sources on behalf of D. Its first task is to broadcast counterfeit information about the dummy sink (D′) ID for each region, so that the traffic of the whole region flows towards the dummy sink. On a request for a path to D by a source, the ACN responds with two pieces of counterfeit information: (1) it knows the best path to the address of D′ as the sink and (2) r, the number of hops to reach the dummy sink (D′). Through its H neighbour, the ACN acknowledges by gratuitous AODV RREP that it knows the shortest path to reach the destination (D′). All the data from the sources are routed towards the dummy sinks (D′) through Hs, and the ACNs overhear the data sent to D′. After overhearing data, ACNs broadcast the data to one hop. Only one ACN is in active mode at a time. After a fixed time interval, other ACNs behave like a sink.

te ACNi active timemin (5)

Equation 5 depicts that te is an event transmission time and ACNi active time is the time in which an ACN is responsible for establishing the path from source to dummy sink; it will remain in active mode until the event ends. An ACN may change its duty cycle after an event has occurred or before an event occurs. If two events occur simultaneously in a region, the ACN will select a different H for each path depending upon their requests for the same dummy sink. If two events occur simultaneously in different regions, the ACN will select a different H for each path depending upon their requests for different dummy sinks. The ACN checks whether the path is being established through the sink; if so, it awakes another PCN/ACN to perform as H and divert the path, so that the sink is never on the path and the sleeping schedule of the sink is not interrupted. After completion of the event transmission, or before the reporting of another event starts, the ACN may change its duty time and can assign its duties (overhearing, the location of D′ and hop count r) to another ACN to avoid depletion of the batteries of the cooperating nodes. Figure 2 depicts the role of the ACN.

Fig. 2 Timeline diagram of ACN1 and hand over of duty cycle to ACN2

3.4 Role of PCNs

When a message is received at a node, the node behaves as a PCN by knowing the sleep schedule of the sink. All the PCNs are synchronized with the sleep schedule of D. This is to strengthen the security of the sink. When the sink awakes, PCNs also awake and overhear data like D. Whenever ACNs transmit data, this leaves the intruder in confusion about the actual location of the sink. When D detects an ACN to be unavailable or compromised, it notifies its neighbouring PCN to change its status from PCN to ACN. All PCNs serve in hot-standby mode for ACNs. After a meticulous timeout, a PCN checks its neighbouring ACN for its status. If the neighbouring ACN is compromised or vulnerable, then the PCN changes its status from PCN to ACN and sends a change status message to the sink. It also reports the compromised ACN node to the sink and other ACNs. The new ACN gets into the always-on state and collaborates with neighbouring ACNs for its time of activation to act as the sink. Figure 3 represents the PCN timeline diagram and periodic check-up of the vulnerability of an ACN.
Fig. 3 Timeline diagram of a PCN and periodic check-up of vulnerability of an ACN
4 Sink camouflage and concealed data delivery (SCOUT)

In this section, we propose a scheme which provides sink anonymity through camouflage and oblivious data delivery. Two-phased cooperation of the nodes surrounding the sink ensures that the true location of the sink is never disclosed. In the first phase, a camouflage is established that cooperates with the sink to masquerade its location either through active or passive participation.

4.1 Phase I: anonymous topology formation

At the time of bootstrapping, D asks its one-hop neighbouring nodes for cooperation. ACNs are selected only from those nodes which fulfil the criterion and respond positively. The selection of ACNs and announcement of PCNs are made by D in the topology formation phase (bootstrapping). The other one-hop neighbours of the sink that are willing to cooperate are declared as PCNs. The sink sends mobile code by OTAP to ACNs and PCNs for the desired functionality. The sleep schedule of the sink is shared with ACNs as well as PCNs so that they can communicate (by one-hop broadcast) with the sink in its wake-up time. The PCNs are synchronized with the sink's sleep schedule to create confusion for an intruder if it reaches very close to the sink. Figure 4 represents the arrangement of ACNs, PCNs and Hs surrounding the sink for camouflage to anonymize it.
Fig. 4 Arrangement of ACNs, PCNs and Hs around the sink for camouflage
4.2 Phase II: selection of dummy sink

Selection of dummy sinks is a repeated process. In our scheme, the number of events is represented by e and the rate of change of dummy sink by Rs, where the number of events is less than or equal to the rate of change of dummy sink:

$$e \le R_s \qquad (6)$$

Whenever the dummy sink needs to be changed, an ACN broadcasts a message through Hs for the destination (sink/dummy sink) to all the nodes of each region. Now, all the sources request the newly selected dummy sink (D′), considering it as the sink (D). When a source sends a request for its path to deliver data to the sink (dummy sink), the ACN sends two pieces of information through H: (1) the address of the dummy sink and (2) the number of hops, which is incremented by one at each relay node. Let c be the number of hops between an H and a source. Once the RREQ for path establishment is overheard by the ACN through one of its neighbouring nodes, it selects the H from its neighbours and coerces H into a response (telling lies) with two pieces of fake information: (1) that it knows the best path towards the sink, sending the address of dummy sink D′ as the destination, and (2) r, the number of hops to reach D′, where r > c. The address of the dummy sink is selected by an ACN by keeping a log of requests for path establishment, where c and the addresses of sources are maintained from each direction. Each time an ACN turns on for its duty cycle, it broadcasts new dummy sinks for each region. ACNs share their log with other ACNs for the selection of dummy sinks (D′) so that the same node is not declared as dummy sink each time, that is, a different node should be the nominated destination. In such a way, selection of a dummy sink becomes complicated (in the sense of calculation) and path convergence becomes more difficult. This requires some overhead, but it is more significant in the essence of path convergence. In our scheme, the sink (D) should never be on the path. ACNs are at one hop of D, and the path is at one hop of ACNs. So the sink is at least two hops away from the path. The sink accumulates information when ACNs perform a one-hop broadcast by setting time-to-live (TTL) to 1.

4.3 Phase III: selection of H

An H is then selected if the following inequality is satisfied:

$$L_{ACN} - L_{H} < R, \qquad (7)$$

where R is the communication range between the ACN and the H, L_ACN is the location of the corresponding ACN, and L_H is the location of H.

4.4 Phase IV: data delivery to sink

The data delivery phase is a normal data delivery operation from the viewpoint of the source. SCOUT provides sink anonymity with the cooperation of the nodes in the sink's neighbourhood. Sources deliver data to the dummy sinks (D′). ACNs respond through Hs to sources about the address of D′ and r (number of hops from D′ to the source), such that a one-hop neighbour of a cooperating node lies in the path, to ensure that at any time at least one ACN, which always remains in listening mode, can overhear the traffic. After overhearing the traffic, ACNs perform a one-hop broadcast only when D wakes up, by setting time-to-live (TTL) to 1. ACNs take turns to broadcast in order to prevent collisions and to avoid overflow of data at D. Such regulated broadcast can be done by implementing any MAC layer scheduling scheme [17]. When ACNs broadcast data to the sink, PCNs change their mode from sleeping to listening mode along with D, and these are deemed as 'receiving data'. This is deliberately done in order to prevent the sink from being singled out as the only receiving node at the time of broadcast. It further reduces the possibility of detection of D by a sniffing intruder. The scenario is represented in Fig. 5.

4.5 Phase V: avoid conjunction

When a source sends a request for the path, the ACN gets a response from one hop. There are multiple requests from the network if multiple events occur concurrently. For each path establishment, the ACN responds with a different number of hops (r) for the dummy sink to reduce the probability of conjunction of paths (intersection with each other). As we have described already, if a group of traffic analysers attacks the network and wants to destroy the sink, then there is an expectation that the sink is at the intersection point.
Regarding our proposed scheme, we divide the whole network into regions, that is, to give the appearance of multiple sinks instead of a single sink in the network and to misguide the traffic analysers into focusing on multiple sinks instead of one common sink. The ACN selects one dummy sink for a region, and the selection of the dummy sink is always cross-region, i.e. the dummy sink never belongs to the region in which the event occurs, so that all traffic passes through Hs because the sink and its cooperating nodes are at the conjunction with all regions. For example, two events occur at the same time and multiple traffic analysers follow the packets hop-by-hop along the paths. They have an interest in finding the intersection point and end point of paths, as their ultimate goal is to find the sink, but our scheme keeps them in illusion. In our scheme, the point of intersection is at least two hops away from the sink, which always prevents the conjunction near the sink. In Fig. 6, two paths are intersecting at a distance of four hops.

Fig. 5 Data delivery to sink

We have already assumed c < Rs, which means the rate of change of dummy sink for each region is greater than the number of events occurring in the region. If p_i is the probability of intersection of two paths and e_t is the number of events occurring at a time, then

$$p_i \propto e_t \qquad (8)$$

Though we cannot avoid the intersection of two paths, if two events occur concurrently, or another event occurs before the ending of one event, then the ACN intelligently selects the Hs and dummy sinks to be far away from the intersection point, and hence the anonymity increases. During path establishment, if the sink is at one hop, then the ACN selects another node as H instead of taking the sink as H, or the ACN compulsively invokes another ACN/PCN to behave like H, so that the path can be diverted to avoid disturbing the sink's sleeping schedule.

There may be physical topologies in which the graph connectivity is weak. Therefore, paths from multiple sources might converge. Consequently, simultaneous requests to send data to D may arrive at a single ACN as shown in Fig. 6. In such a scenario, the ACN calculates two disjoint paths by picking two different nodes as H, each of which is a one-hop neighbour to the ACN. The ACN replies with the locations of two different dummy nodes. If the path requests (RREQ) are from different regions of the network, then the conjunction is approximately at least two hops away. If the path requests (RREQ) are from the same region of the network, the conjunction may or may not occur.

Fig. 6 Multiple sources request for path to one ACN

The communication between sources and cooperating nodes is explained in Fig. 6. Firstly, ACN1 chooses a dummy node (D′) for each region and broadcasts the IDs of these dummy sinks in their respective regions. Here, S1 requests path establishment to its respective dummy sink, and ACN1 overhears the request and selects an H which is within its radio range. Now, ACN1 overhears the traffic, such that one of its single-hop neighbour nodes, H1, lies along that path and forwards the packet towards the dummy sink. Similarly, the path may also be established between S2 and D′. When data are communicated between the sources and dummy sinks, the ACNs, which are always in listening mode, overhear the communication and broadcast it at the time of the sink's schedule. D, being a single hop away from the cooperating nodes, receives the data.
5 Secure scheme algorithm

1. At bootstrapping time, the sink divides the network into regions and selects cooperating nodes after confirming by Cooperation Desired message.
2. The sink synchronizes its passive cooperating one-hop neighbours with its sleeping schedule.
3. Cooperating node ACNi receives a list of the nodes of each region, calculates the optimum dummy sink for each region, broadcasts the dummy sink ID (destination) in that region and, at the time of path establishment, calculates the best path and sends the hop count r between the source and dummy sink along with the location of the dummy sink (L_Di) towards source Si.
4. If two requests (for path establishment with the sink) from two different sources arrive at a cooperating node ACNi simultaneously from different regions, then the cooperating node first selects two different one-hop nodes Hi and Hj and sends different dummy sink IDs IDi and IDj to each requesting source.
5. If two requests (for path establishment with the sink) from two different sources arrive at an ACN simultaneously from the same region, then the cooperating node first selects two different one-hop nodes Hi and Hj and sends the same dummy sink IDi to each requesting source.
6. According to this scheme, if two sources are reporting simultaneously from the same region and are close to the sink as shown in Fig. 7, then the ACN intelligently selects two other different Hs so that the intersection of paths occurs only at the dummy sink; still there remains a distance of 2R between their paths, which makes sink identification more difficult.

Fig. 7 Two sources from the same region and simultaneously reporting different events

Fig. 8 R is radio range of a node

Here, R is the radio range of a node as shown in Fig. 8. As we have already assumed that the whole network is homogeneous, R will remain constant for all nodes. Two paths which are catered by cooperating different source nodes for the same region are at least 2R distance away from the sink. Two paths which are catered by cooperating different source nodes for different regions are at more than 4R distance away from the sink. This implementation of the security scheme has made it extremely difficult to identify the sink. Thus, the conjunction of paths can never be at the sink.
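One way an ACN could carry out steps 3 to 6 together with the H-selection rule of Eq. 7, as an added example that is not the authors' code. The 9×9 grid, the quadrant regions, the radio range of 1.5 grid units, the Euclidean reading of Eq. 7 and the rule that H sits at least two hops from the sink are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from math import dist

SIZE = 9        # constructed 9x9 grid; a node's address is its (x, y) location
SINK = (4, 4)   # real sink D, never at an edge of the deployment (Sect. 3.1)
R = 1.5         # assumed radio range in grid units: reaches the 8 surrounding nodes
NODES = [(x, y) for x in range(SIZE) for y in range(SIZE)]


def hops(a, b):
    """Hop count between two nodes on the 8-neighbour grid (Chebyshev distance)."""
    return max(abs(a[0] - b[0]), abs(a[1] - b[1]))


def region(n):
    """Assumed region split: four quadrants (0..3) that meet at the sink."""
    return (n[0] >= SINK[0]) + 2 * (n[1] >= SINK[1])


@dataclass
class ACN:
    loc: tuple
    log: list = field(default_factory=list)    # dummy sinks already used, shared by ACNs
    dummy: dict = field(default_factory=dict)  # region -> dummy sink D' now advertised
    busy: dict = field(default_factory=dict)   # H -> r advertised on a running path

    def start_duty_cycle(self):
        """Step 3: announce a fresh dummy sink per region, always cross-region."""
        self.busy.clear()
        for reg in range(4):
            cands = [n for n in NODES
                     if region(n) == 3 - reg        # opposite quadrant
                     and hops(n, SINK) >= 3         # outside the camouflage ring
                     and n not in self.log]         # never re-nominate a node
            self.dummy[reg] = max(cands, key=lambda n: (hops(n, SINK), n))
            self.log.append(self.dummy[reg])

    def h_candidates(self):
        """Neighbours usable as H: Eq. 7, and the path stays two hops off D."""
        return [n for n in NODES
                if 0 < dist(self.loc, n) < R        # Eq. 7 read as Euclidean distance
                and hops(n, SINK) >= 2]             # rules out D and D's neighbours

    def answer_rreq(self, source):
        """Steps 4-6: return (H, dummy sink address, advertised hop count r)."""
        free = [h for h in self.h_candidates() if h not in self.busy]
        if not free:
            raise RuntimeError("no free H: another ACN/PCN must be woken to act as H")
        h = min(free, key=lambda n: (hops(n, source), n))
        c = hops(h, source)                         # true hop count between H and source
        r = c + 1                                   # advertised value must satisfy r > c
        while r in self.busy.values():              # a different r for every path
            r += 1
        self.busy[h] = r
        return h, self.dummy[region(source)], r


if __name__ == "__main__":
    acn = ACN(loc=(5, 4))
    acn.start_duty_cycle()
    for src in [(0, 0), (0, 1), (7, 1)]:            # constructed simultaneous events
        print(src, "->", acn.answer_rreq(src))
```

Passing the first ACN's `log` to the next ACN on duty models the shared log of Phase II, so the next duty cycle nominates different dummy sinks.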
6 Threat model

Wireless networks are more susceptible to various security threats. Wireless sensor networks are deployed mostly in hostile, combat and hazardous regions. In such vicinity, attackers are well equipped, well funded and highly motivated. They aim to obtain sensitive information, i.e. the location of the sink. We try to analyse the most common attacks [21–23] in networks.

Fig. 9 A flow chart of sink camouflage and concealed data delivery (SCOUT)
6.1 Strength of an adversary

A well-equipped adversary has computational power and battery capacity many times those of the nodes in the network; however, its transceiver has the same Tx-power and Rx-sensitivity (Fig. 9).

6.2 Damage type

The adversary tries to get the location of the sink and destroy it, either by a DoS attack or even by physical destruction.
Fig. 10 a Traffic analysis uses packet header, node capture uses (b)
6.3 How the adversary does it?

If the ID of the sink is known to it, the adversary may employ either traffic analysis (such as looking for the destination ID) (Fig. 10) or node capturing, which can be done through mobile code transfer using OTAP to read routing table entries (Destination ID, Next Hop). If the ID of the sink is not known to the adversary, the adversary is left with no option but to look for the node which is receiving maximum traffic. To do that, the adversary has to move in a hop-by-hop fashion to measure the received packets per unit time at every sensor node. We consider that the adversary can attack by traffic analysis (TA) or by node capturing (NC). In each case, it will measure the number of packets received per unit time according to Eq. 9:

$$\text{Attacks} = (\text{TA} \lor \text{NC}) \land Rx_{rate} \qquad (9)$$
In all cases, the adversary has to move hop by hop. If he does not follow all of the above, then he has to define the observation set (O). For the adversary, each node is an observation point, so it will try to find all possible optimal paths to reach the sink, which can be expressed through Delannoy numbers:

$$O_{i_a,\, i_b}^{i_\beta,\, i_\alpha} = \begin{cases} 1 & \text{if } \alpha = a \text{ and } \beta = b \\ D(\alpha - 1, \beta) + D(\alpha - 1, \beta - 1) + D(\alpha, \beta - 1) & \text{else} \end{cases} \qquad (10)$$
where (a, b) is an observation point and (α, β) is the destination (sink assumed by adversary). Mostly, two types of methods are applied by the intruder to detect the location of the sink, namely traffic analyser [9] and global eavesdropper [10]. Traffic analysers are well equipped; they may monitor the traffic flow and can detect the movement of packets. So they can find the sink, because all the traffic terminates at the sink and the sink is at the conjunction of traffic, or most of the traffic conjunction is near the sink (within the receiving range of the sink, to overhear [9, 24]). In our scheme, there are two benefits: (1) Traffic ends on dummy nodes, and each time the dummy node is different for different sources, so the traffic analyser fails to find the exact position of the sink. (2) A traffic analyser that wants to know about the traffic conjunction within the receiving range of any particular node fails, because most of the traffic passes at two times the receiving range of the sink. On the other hand, we suppose that an eavesdropper can read the header of the packet to find the location of the sink and the number of hops, in order to determine the location of the sink. In our scheme, the packet header carries the location of the dummy sink and the hop count r, which diverts the eavesdropper from the original sink. So by reading the packet header the eavesdropper cannot find the location of the sink. Such attacks therefore fail to identify the sink, and the sink remains anonymous.
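The recurrence in Eq. 10 can be evaluated directly to see how quickly the adversary's set of candidate paths grows with the distance between an observation point and the assumed sink. The following is an added example, not code from the paper; it assumes node positions are integer grid-hop coordinates and that each step moves one hop east, north or diagonally, and the function names are hypothetical.

```python
def delannoy_paths(obs, dest):
    """Count lattice paths from observation point obs=(a, b) to the assumed
    sink dest=(alpha, beta) using the recurrence of Eq. 10."""
    (a, b), (alpha, beta) = obs, dest
    m, n = alpha - a, beta - b
    if m < 0 or n < 0:
        return 0            # assumption: only east/north/diagonal steps exist
    row = [1] * (n + 1)     # D = 1 along the edge where alpha == a
    for _ in range(m):
        new = [1]           # D = 1 along the edge where beta == b
        for j in range(1, n + 1):
            # D(i, j) = D(i-1, j) + D(i-1, j-1) + D(i, j-1)
            new.append(row[j] + row[j - 1] + new[j - 1])
        row = new
    return row[n]


def growth_table(obs, max_offset):
    """Path counts as the assumed sink moves k hops away on both axes."""
    a, b = obs
    return [(k, delannoy_paths(obs, (a + k, b + k)))
            for k in range(max_offset + 1)]


if __name__ == "__main__":
    # Constructed observation point (3, 4); offsets of 0..6 hops.
    for k, count in growth_table((3, 4), 6):
        print(f"assumed sink {k} hops away diagonally: {count} candidate paths")
```

Each extra hop of separation multiplies the number of candidate paths by roughly five to six, which is the cost the dummy sinks impose on an adversary who starts from the wrong destination.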
7 Security analysis

In our proposed scheme, addressing is location based. We consider the sink location to be at (0, 0) with respect to the whole network. We divided the network into regions. Suppose two sources are positioned at $(x_1, y_1)$ and $(x_3, y_3)$ in different regions, and the dummy sinks selected for them are $(x_2, y_2)$ and $(x_4, y_4)$, respectively, which are not part of their own regions (Fig. 11). Their paths intersect each other at a point (x, y) which is at least two hops away from the sink and can be calculated by the following pair of equations (Eq. 11):

$$x = \frac{\begin{vmatrix} \begin{vmatrix} x_1 & y_1 \\ x_2 & y_2 \end{vmatrix} & x_1 - x_2 \\[2ex] \begin{vmatrix} x_3 & y_3 \\ x_4 & y_4 \end{vmatrix} & x_3 - x_4 \end{vmatrix}}{\begin{vmatrix} x_1 - x_2 & y_1 - y_2 \\ x_3 - x_4 & y_3 - y_4 \end{vmatrix}}, \qquad y = \frac{\begin{vmatrix} \begin{vmatrix} x_1 & y_1 \\ x_2 & y_2 \end{vmatrix} & y_1 - y_2 \\[2ex] \begin{vmatrix} x_3 & y_3 \\ x_4 & y_4 \end{vmatrix} & y_3 - y_4 \end{vmatrix}}{\begin{vmatrix} x_1 - x_2 & y_1 - y_2 \\ x_3 - x_4 & y_3 - y_4 \end{vmatrix}} \qquad (11)$$

Because all paths pass through H, which is at two hops distance from the sink, θ is the angle between the paths, calculated in Eq. 12:

$$\theta = \tan^{-1}\left\{ \frac{\dfrac{y_2 - y_1}{x_2 - x_1} - \dfrac{y_4 - y_3}{x_4 - x_3}}{1 - \dfrac{y_2 - y_1}{x_2 - x_1} \cdot \dfrac{y_4 - y_3}{x_4 - x_3}} \right\} \qquad (12)$$

By Eq. 12, the angle θ depends upon the source locations and the selection of dummy sinks. As θ increases, the distance of the point of intersection from the sink ($D_{si}$) decreases, and vice versa. As the sources come closer to each other, θ decreases, and as a result the distance ($D_{si}$) increases. If both sources belong to the same region and the ACN intelligently selects the H neighbour, then the point of intersection will be the dummy sink; thus, $D_{si}$ will be the distance between the sink and the dummy sink:

$$D_{si} = \begin{cases} \infty & \text{if sources are at one hop and in different region} \\ \sqrt{x^2 + y^2} & \text{otherwise} \end{cases} \qquad (13)$$

Fig. 11 Two paths intersecting, angle between them and distance between point of intersection and sink
In the end, a threat model is also given, which shows the possible ways that an intruder may try to locate the sink. The intruder cannot find the sink exactly to destroy/capture it, because the sink location can only be guessed when multiple data sources are sending data towards the sink simultaneously. Thus, the intruder may only destroy/capture the sink by destroying/capturing a large number of nodes.
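The intersection test of Eq. 11 and the distance of Eq. 13 can be turned into a deployment check that flags any pair of planned source-to-dummy-sink paths whose crossing point falls too close to the sink. This is an added example, not code from the paper: the 2R threshold stands in for the "two hops" bound, the coordinates are constructed sample data, and the function names are hypothetical.

```python
import math
from itertools import combinations

SINK = (0.0, 0.0)  # the analysis places the sink at the origin


def path_intersection(s1, d1, s2, d2):
    """Eq. 11: crossing point of line s1->d1 and line s2->d2, None if parallel."""
    (x1, y1), (x2, y2) = s1, d1
    (x3, y3), (x4, y4) = s2, d2
    den = (x1 - x2) * (y3 - y4) - (y1 - y2) * (x3 - x4)
    if math.isclose(den, 0.0, abs_tol=1e-12):
        return None  # parallel paths never meet (handling assumed here)
    a = x1 * y2 - y1 * x2  # inner determinant |x1 y1; x2 y2|
    b = x3 * y4 - y3 * x4  # inner determinant |x3 y3; x4 y4|
    x = (a * (x3 - x4) - (x1 - x2) * b) / den
    y = (a * (y3 - y4) - (y1 - y2) * b) / den
    return (x, y)


def distance_from_sink(point):
    """Eq. 13: D_si, taken as infinite when the two paths have no crossing."""
    if point is None:
        return math.inf
    return math.hypot(point[0] - SINK[0], point[1] - SINK[1])


def audit_paths(paths, radio_range):
    """Return every pair of paths that cross closer than 2R to the sink.
    Paths are treated as infinite lines, as in Eq. 11, so the check is
    conservative: a crossing beyond the end of a path is still reported."""
    findings = []
    for (n1, (s1, d1)), (n2, (s2, d2)) in combinations(paths.items(), 2):
        point = path_intersection(s1, d1, s2, d2)
        dist = distance_from_sink(point)
        if dist < 2 * radio_range:
            findings.append((n1, n2, point, dist))
    return findings


# Constructed sample: name -> (source location, dummy sink location)
SAMPLE_PATHS = {
    "P1": ((-40.0, 30.0), (40.0, 30.0)),
    "P2": ((-40.0, -34.0), (40.0, 46.0)),
    "P3": ((-40.0, 50.0), (50.0, -40.0)),
    "P4": ((-40.0, -30.0), (40.0, -30.0)),
}

if __name__ == "__main__":
    for n1, n2, point, dist in audit_paths(SAMPLE_PATHS, radio_range=10.0):
        print(f"{n1} x {n2} cross at {point}, {dist:.2f} from sink (< 2R)")
```

With R = 10 the only flagged pair is P2 and P3, which cross at (2, 8), about 8.25 units from the sink; reassigning either source to a different dummy sink clears the finding.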
8 Conclusion

In this research work, we have proposed a secure scheme to save the sink from security threats, especially in modern-day cyberspace. This security plan is implemented through the involvement and cooperation of the one-hop neighbours of the sink and the division of the network into regions. The sink remains undisclosed to the network, and the data reach the sink indirectly. The scheme is advantageous in multiple ways over the previously proposed schemes. The battery of the sink is not at risk of early depletion, as a sleep schedule is defined for the sink. The sink location is more secure because of the presence of cooperating nodes, and the workload is divided among the cooperating nodes. If one cooperating node goes down, the network remains operational. After a regular period, the sink checks the status of its cooperating nodes. If any of the cooperating nodes is down and unavailable, then the sink will ask for active cooperation from a PCN. In the end, a threat model is also given, which shows the possible ways an intruder may try to locate the sink. The intruder cannot find the sink exactly and destroy it; the sink location cannot be disclosed or guessed even when multiple data sources are sending data towards the sink simultaneously. Thus, an intruder cannot destroy the sink even if he obtains the point of intersection of paths, because the point of intersection is at least two hops away from the sink. This ultimately makes SCOUT a secure scheme compared to the contemporary schemes, particularly against any cyber attack principally focused on the sink.
References

1. Karlof C, Sastry N, Wagner D (2004) Tinysec: a link layer security architecture for wireless sensor networks. In: International Conference on Embedded Networked Sensor Systems, pp 162–175
2. Drissi J, Gu Q (2006) Localized broadcast authentication in large sensor networks. In: ICNS
3. Eschenauer L, Gligor VD (2002) A key-management scheme for distributed sensor networks. In: ACM CCS, pp 41–47
4. Zhu S, Xu S, Setia S, Jajodia S (2003) Establishing pairwise keys for secure communication in ad hoc networks: a probabilistic approach. In: IEEE ICNP, pp 326–335
5. Xi Y, Schwiebert L, Shi W (2006) Preserving source location privacy in monitoring-based wireless sensor networks. In: Proceedings of Parallel and Distributed Processing Symposium
6. Mehta K, Liu D, Wright M (2007) Location privacy in sensor networks against a global eavesdropper. In: Proceedings of IEEE International Conference on Network Protocols
7. Kamat P, Zhang Y, Trappe W, Ozturk C (2005) Enhancing source location privacy in sensor network routing. In: Proceedings of IEEE ICDCS, pp 599–608
8. Raza M et al (2017) A critical analysis of research potential, challenges and future directives in industrial wireless sensor networks. IEEE Commun Surv Tutor 20(1):39–95
9. Gu Q, Chen X (2008) Privacy-preserving mobility control protocols in wireless sensor networks. In: The International Symposium on Parallel Architectures, Algorithms, and Networks, IEEE, pp 159–164
10. Jiang Z, Wu J, Kline R (2007) Mobility control for achieving optimal configuration in mobile networks. Technical Report, Department of Computer Science, West Chester University
11. Muhammad S, Furqan Z, Guha R (2005) Wireless sensor network security: a secure sink node architecture. In: IEEE International Conference on Performance, Computing, and Communications Conference, IPCCC 2005
12. Chen X, Jiang Z, Wu J (2007) Quick convergence mobility control schemes in wireless sensor networks. Technical Report, Texas State University
13. Golden Berg C, Lin J, Morse A, Rosen B, Yang Y (2004) Towards mobility as a networks control primitive. In: Proceeding of 5th ACM International Symposium on Mobile Ad Hoc Networking and Computing (Mobihoc '04), pp 163–174
14. Deng J, Han R, Mishra S (2005) Countermeasures against traffic analysis attacks in wireless sensor networks. In: Proceedings of IEEE/CreateNet International Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm)
15. Ngai E (2009) On providing sink anonymity for sensor networks. In: International Conference on Wireless Communications and Mobile Computing 2009
16. Prathima EG et al (2017) DAMS: data aggregation using mobile sink in wireless sensor networks. In: Proceedings of the 5th International Conference on Communications and Broadband Networking. ACM
17. Jabbar S et al (2014) VISTA: achieving cumulative vision through energy efficient Silhouette recognition of mobile targets through collaboration of visual sensor nodes. EURASIP J Image Video Process 1:32
18. Hussain M et al (2016) CRAM: a conditioned reflex action inspired adaptive model for context addition in wireless sensor networks. J Sens. https://doi.org/10.1155/2016/6319830
19. Hussain M et al (2016) A gateway deployment heuristic for enhancing the availability of sensor grids. Int J Distrib Sens Netw 12(8):7595038
20. Zhu J, Zou Y, Zheng B (2017) Physical-layer security and reliability challenges for industrial wireless sensor networks. In: Proceedings of IEEE, pp 5313–5320
21. Bartariya S, Rastogi A (2016) Security in wireless sensor networks: attacks and solutions. Int J Adv Res Comput Comm Eng 5(3)
22. Muhammad T, Ferzund J, Jabbar S, Shahzadi R (2017) Towards designing efficient lightweight ciphers for internet of things. KSII Trans Internet Inf Syst 11(8):4006–4024
23. Malik KR, Ahmad T et al (2016) Big-data: transformation from heterogeneous data to semantically-enriched simplified data. Multimed Tools Appl 75:12727
24. Jabbar S, Naseer K, Gohar M, Rho S, Chang H (2016) Trust model at service layer of cloud computing for educational institutes. J Supercomput 72:58