IEEEJOURNALONSELECTEDAREASINCOMMUNICATIONS,VOL.23,NO.4,APRIL2005839StatisticalEn-RouteFilteringofInjectedFalseDatainSensorNetworksFanYe,HaiyunLuo,SongwuLu,Member,IEEE,andLixiaZhang,SeniorMember,IEEEInalarge-scalesensornetworkindividualsensorsaresubjecttosecuritycompromises.Acompromisednodecanbeusedtoinjectbogussensingreports.Ifundetected,thesebogusreportswouldbeforwardedtothedatacollectionpoint(i.e.,thesink).Suchattacksbycompromisednodescanresultinnotonlyfalsealarms Fig.1.Compromisednodeinjectsfalsereportsofnonexistent“tanks”events.Suchbogusreportscanmisleadreactions,delay,orblocklegitimatereportsby 840IEEEJOURNALONSELECTEDAREASINCOMMUNICATIONS,VOL.23,NO.4,APRIL2005Asareportisforwardedthroughmultiplehopstowardthesink,eachforwardingnodeveriesthecorrectnessoftheMACscar-riedinthereportwithcertainprobabilityanddropsthereportifanincorrectMACisdetected.TheprobabilityofdetectingincorrectMACsincreaseswiththenumberofhopsthereporttravels.Duetothestatisticalnatureofthedetectionmechanism,afewbogusreportswithincorrectMACsmayescapeen-routelteringandreachthesink.However,thesinkcanfurtherverifythecorrectnessofeachMACandrejectfalsereports.Thecontributionofthispaperistwofold.First,weproposeakeyassignmentmethoddesignedforen-routedetectionoffalsereportsinthepresenceofcompromisednodes.Second,wedevelopmechanismsforcollectivedatareportendorsement,en-routereportltering,andsinkverication.Toourbestknowledgethisisthersteffortthataddressesfalsereportdetectionproblemsinthepresenceofcompromisedsensor.Wehaveevaluatedourdesignthroughanalysis,imple-mentation,andsimulations.OurresultsshowthatSEFisabletodropupto70%ofbogusreportsinjectedbyacompromisednodewithinvehops,andupto90%withintenhopsalongtheforwardingpaths.Theen-routelteringaddscomputationcomplexityoflessthan1mstimeandabout75 
energyoneachforwardingnode,whilereducingtotalenergyconsumptionby65%ormoreinmanyscenarios.Therestofthepaperisorganizedasfollows.SectionsIIandIIIpresentthemodelanddesignofSEF.SectionIVdis-cussestheparametersettingandanalyzestheeffectivenessandenergysavingsachievedbySEFthroughmeasurementsfromimplementation,andevaluatesthedesignthroughsimulations.AnumberofpracticalissuesandfutureworkarediscussedinSectionV.SectionVIcomparesSEFwiththerelatedworkandSectionVIIconcludesthepaper.II.SODELSANDA.SensorNetworkModelWeconsiderasensornetworkcomposedofalargenumberofsmallsensornodes.Wefurtherassumesthatthesensornodesaredeployedinhighdensity,sothatastimulus(e.g.,atank)canbedetectedbymultiplesensors.Eachofthedetectingsensorsreportsitssensedsignaldensityandoneofthemiselectedasthecenter-of-stimulus(CoS)node.TheCoScollectsandsum-marizesallthereceiveddetectionresults,andproducesasyn-thesizedreportonbehalfofthegroup.Thereportisthenfor-wardedtowardthesink,potentiallytraversingalargenumberofhops(e.g.,tensormore).Thesinkisadatacollectioncenterwithsufcientcomputationandstoragecapabilities,anditmayalsoimplementadvancedsecuritysolutionstoprotectitself.Duetocostconstraintsweassumethateachsensornodeisequippedwithtamper-resistanthardware.However,densede-ploymentenablescross-vericationofareportedeventamongmultiplesensorseveninthepresenceofoneormorecompro-misednodes.SEFdesignharnessestheadvantageoflarge-scale.Ratherthanrelyingonasmallnumberofpowerfulandexpen-sivesensors,SEFutilizeslargenumbersofsmallsensorsforreliablesensingandreporting.Tamper-resistanthardwarecanpreventtheexposureofstoredsecrets[6]evenwhenanodeiscapturedbytheattacker.B.ThreatModelWeassumethattheattackermayknowthebasicapproachesofthedeployedsecuritymechanisms,andmaybeabletoeithercompromiseanodethroughtheradiocommunicationchannel,orevenphysicallycaptureanodetoobtainthesecurityinfor-mationinstalledinthenode.However,weassumethatattackerscannotsubvertthedatacollectionunit,i.e.,thesink,becausetheprotectionatthesinkispowerfulenoughtodefeatsu
chsub-versionefforts.Oncecompromised,anodecanbeusedtoin-jectfalsereportsintothesensornetwork.Nodeandmessageauthenticationmechanisms[1][3]preventnaiveimpersonationofasensornode.However,theycannotblockfalseinjectionofsensingreportsbycompromisednodes.Besidesfalsedatainjection,acompromisedsensornodecanlaunchvariousotherattacks.Itcanstallthegenerationofreportsforrealevents,blocklegitimatereportsfrompassingthroughit(whichwecallfalsenegativeattacks),orrecordandreplayoldreports,etc.Asthersteffortintacklingthethreatsfromcompromisedcomponents,thispaperfocusesonthedetectionoffalseeventreports,whichwecallfalsepositivesattacks,in-jectedbycompromisednodes.Weplantoaddressotherattacksinsubsequentefforts.III.STATISTICALILTERINGInthissection,wepresenttheSEFdesign.SectionIII-Agivesanoverviewofthedesign,followedbyamoredetaileddescrip-tionofthethreemajorcomponentsofSEF,keyassignmentandreportgeneration,en-routeltering,andsinkveriinSectionsIII-BIII-D,respectively.FinallywediscusshowtoreduceoverheadwithtwodifferenttechniquesinSectionIII-E(withmoredetailedcomparisoninSectionIV-B).A.OverviewSEFaimsatachievingthefollowinggoals.Earlydetectionoffalsedatareports:bydetectingfalsere-portstheusercanavoidrespondingtofabricatedevents.Althoughthedetectioncanbedoneafterthedatareportsarriveatthesink,en-routeearlydetectionanddroppingoffalsereportscanconserveenergyandbandwidthre-sourcesofsensornodesalongdataforwardingpaths.Lowcomputationandcommunicationoverhead:Giventheresourceconstraintsoflow-endsensornodes,weruleoutsolutionsbasedoncomputation-intensiveasymmetriccryptographyandonlyuseefcientone-wayfunctions.SEFconsistsofthreecomponentsthatworkinconcerttode-tectandlteroutforgedmessages:1)eachlegitimatereportcar-riesmultipleMACsgeneratedbydifferentnodesthatdetectthesamestimulus;2)intermediateforwardingnodesdetectincor-rectMACsandlteroutfalsereportsen-route;and3)thesinkveriesthecorrectnessofeachMACandeliminatesremainingfalsereportsthateludeen-routeInSEF,thesinkmaintainsaglobalkeypool.Eachsensorstoresasmalln
umberofkeysthataredrawninarandomizedIthasbeenreportedthatencryption/decryptionoperationsbasedonasym-metrickeysconsumetwotothreemagnitudesmoreenergythansymmetricones,sometimessigningabitisevenmoreexpensivethantransmittingabit[7]. etal.:SEFOFINJECTEDFALSEDATAINSENSORNETWORKSfashionfromtheglobalkeypoolbeforedeployment.When-everastimulusappearsinthesensoreld,multiplesurroundingnodescandetecttheeventandaCoSnodeiselectedtogeneratetheeventreport.EachdetectingsensorendorsesthereportbyproducingakeyedMACusingoneofitsstoredkeys.TheCoSnodecollectstheMACsandattachesthemtothereport.ThissetofmultipleMACsactsastheproofthatareportislegitimate.AreportwithinsufcientnumberofMACswillnotbeforwarded.Thekeyassignmentensuresthateachnodecangenerateonlyproofforareport.Onlybythejointeffortsofmultipledetectingnodescanthecompleteproofbeproduced.AsinglecompromisednodehastoforgeMACstoassembleaseeminglycompleteproofinorderfortheforgeddatareporttobefor-warded.Becausenodessharecommonkeyswithcertainprob-abilities,whenthereportwithforgedMACsisforwardedbyintermediatenodes,thenodescanverifythecorrectnessoftheMACsprobabilistically,thusdetectinganddroppingfalseonesThesinkservesasthenalgoal-keeperforthesystem.Whenitreceiveseventreports,thesinkcanverifyalltheMACscarriedinthereportbecauseithascompleteknowledgeoftheglobalkeypool.FalsereportswithincorrectMACsthatsneakthroughlteringwillthenbedetected.Severalquestionsintheabovedesignmustbeanswered.1)Howshouldthekeysbeassignedtonodestopreventacompromisednodefromforgingthecompleteproofwhileenablingvericationbyintermediateforwardingnodes?2)Howarefalsereportsdetectedandlteredouten-routebyforwardingsensors?3)Whatproceduresdoesthesinkfollowtodetectanyre-mainingforgedreports?4)HowcanthesizeofthemultipleMACscarriedinareportbekeptminimaltoreducetheoverhead?Therestofthissectionaddresseseachofthesefourquestionsinorder.B.KeyAssignmentandReportGenerationThereisapregeneratedglobalpoolof keys ,dividedinto nonoverlappingpartitions .Eachpartitionhas keys(i.e., 
),andeachkeyhasauniquekeyindex.Asimplewaytopartitiontheglobalkeypoolisasfollows: Beforeasensornodeisdeployed,theuserrandomlyselectsoneofthe partitions,andrandomlychooses keysfromthispartitiontobeloadedintothesensornode,togetherwiththeassociatedkeyindices(seeFig.2,foranexample).Whenastimulusappears,allsurroundingnodesthatdetectthesignalwillprepareaneventreportintheformof ,where isthelocationoftheevent, isthetimeofdetection, isthetypeofevent.Similarto[8],eachdetectingnodesetsarandomtimer,uponthetimerexpirationitbroadcastsitsvaluesof .Ifanothernodendsthedifferencebe-tweenthebroadcastvaluesandwhatitobservesiswithinsomeThereportmayalsocontainotherinformationabouttheevent.Tosimplifypresentation,weonlylisttheabovethree. Fig.2.Exampleofaglobalkeypoolwithpartitionsandfournodes,eachofwhichhaskeysrandomlyselectedfromonepartition.Inarealcanbemuchlarger.nederrorrange,itacceptsthemandcancelsitsowntimer.Otherwise,itbroadcastsitsownobservedvaluesonexpirationofitstimer.ThenodewhosebroadcastvaluesareacceptedbyothersbecomestheCoSnode.Whenrealeventsoccurinthesensoreld,theCoSelectionallowsdetectingnodestogenerateMACsforthesamereportcontentintheabsenceofcompromisednodes.Thepredeerrorrangeisdecidedbasedonthesensingaccuracyofnodesandtheapplicationsrequirementstosuppressduplicatedatare-portgeneration.However,whennorealeventoccurs,well-be-havingsensorswillnotsendoutdetectionresultsandtheasso-ciatedMACs.Therefore,thecompromisednode(s)(inaworstcasescenario,eventheCoSitselfmaybecompromised)areforcedtoforgeMACsinordertogeneratefalsereports,whichcanbesubsequentlydetectedbySEF.However,notethatSEFdoesnotaddressfalsenegativeattacks.Acompromisednodecanstalltheproperreportingofarealeventbysendingmanyincorrectvaluestoblockthecommunicationchannel.Forap-plicationsthatrequiremorecomplexdecisionmakingwherethereportcontainsmorethanthetargettypeandeachsensingnodehasverydifferentdetectingresult,aconsensusneedstobereachedbeforethereportcanbeendorsed,whichisbeyondthescopeofthispaper.Aftertheelectionprocessnishe
s,adetectingnode domlyselects ,oneofits keys,andgeneratesaMAC (1)where denotesstreamconcatenationand putestheMAC ofmessage usingkey .Manycrypto-graphicone-wayfunctionsmayservethispurpose[9].Thenodethensends ,thekeyindexandtheMAC,totheCoS.TheCoScollectsallthe sfromdetectingnodesandclassifyMACsbasedonthekeypartitions.WedeneMACsgeneratedbykeysofthesamepartitionasonecategory.SupposeCoScol- categories( ).Fromeachcategory,theCoSran-domlychoosesone tupleandattachesittothereport.nalreportsentoutbytheCoStothesinklookslike Thechoiceofparameter tradesoffbetweendetectionpowerandoverhead.Thesinkcansetasystem-widevaluefor sothateachreportcarriesexactly keyindicesofdistinctpartitionsand MACs.Areportwithlessthan MACsorkeyindices,ormorethanonekeyindexinthesamepartition,willnotbeforwarded.Alarger valuemakesforgingreportsmorecultatthecostofincreasedoverhead.Whenmorethan 842IEEEJOURNALONSELECTEDAREASINCOMMUNICATIONS,VOL.23,NO.4,APRIL2005 Fig.3.Operationsinen-routecategoriesexist,theCoScanrandomlychoose ofthem.Inareaswithsparsesensordeployment,therecouldbelessthan categories.Thenodedensityshouldbehighenoughsothatsuchcasesrarelyhappen.MoreanalysisonsettingparameterswillbegiveninSectionIV.C.En-RouteFilteringAsaresultoftherandomizedkeyassignment,eachfor-wardingnodehascertainprobabilitytopossessoneofthekeysthatareusedtogeneratetheMACsinadatareport,i.e., ,andverifythecorrectnessofthecorre-spondingMAC,i.e., .AcompromisednodehaskeysfromonlyonepartitionandcanonlygenerateMACsofonecategory.Since MACsofdistinctcategoriesand keyindicesofdistinctpartitionsmustbepresentinalegitimatereport,thecompromisednodeneedstoforgetheother keyindicesandcorrespondingMACs.Thisexplainswhytheglobalkeypoolispartitioned:Hadeachnodecarriedkeyschosenfromtheentirepool,onecompromisednodecanuse ofitskeystogeneratemultipleMACs,whichwouldbeindistinguishablefromthosegeneratedby Whenanodereceivesareport,itrstexamineswhetherthere keyindicesofdistinctpartitionsand MACsinthepacket.Packetswithlessthan keyindices,orlessthan 
MACs,ormorethanonekeyindexinthesamepartitionaredropped.Thenifthenodehasanyofthe keysindicatedbythekeyindices,itreproducestheMACusingitsownkeyandcomparestheresultwiththecorrespondingMACattachedinthepacket.Thepacketisdroppediftheattachedonediffersfromthereproduced.Onlyiftheymatchexactly,orthisnodedoesnotpossessanyofthe keys,thenodepassesthepackettothenexthop.Thepseudocodeforen-routelteringoperationsisgiveninFig.3.IfanattachedMACdiffersfromtheonelocallyproducedbyaforwardingnode,itindicatesthatthereportwasnotgener-atedwiththecorrectkey.SuchaMACisconsideredforged,andthepacketisdropped.Notethataforwardingnodesendsthereportdownstreamifitdoesnothaveanyofthe keys,be-causethereportmightbealegitimateonewithMACsbykeysnotpossessedbythisnode.ThismaycauseaforgedMACtoescapethescreeningofcertainnode,buttheforgedreportwillbedetectedanddroppedwithhigherandhigherprobabilitiesasittravelsmoreandmorehops.Thedetectionpowerofasinglesensorisconstrained,butthecollectivedetectionpowergrowsasmorenodesdeliverthereport.WewillfurtheranalyzetheperformanceinSectionIV.D.SinkVeriÞcationWhenthesinkreceivesareport,itcancheckthecorrectnessofevery becauseithasallthekeys.AnyforgedMACthateludestheen-routelteringbychancewillbecaught.Whenthesinkreceivesareport,itrstexamineswhetherthereportcar- keyindicesofdistinctpartitionsand MACssimilarly.Itthenrecomputeseachofthe MACsandcomparesthemwiththeattachedones.Ifonemismatchhappens,thepacketisAnyforgedMACthatpassesen-routelteringcanbede-tectedbythesink.Thesinkservesasthenaldefensethatcatchesfalsereportsnotlteredoutbyforwardingnodes.AslongasaMACisforged,thesinkcandetectanddiscardthereport.Therefore,SEFcandetectbogusreportsforgedbyanat-tackercompromisingkeysinupto partitions.WefurtheranalyzeSEFsdetectionpowerinSectionIV.E.ReducingtheMACSizeInadditiontosensingdata,eachreportcarries 
keyindicesandMACs,bothofwhichincreasethepacketlengthandtrans-missionenergyconsumption.Somesensornetworksmayalsohavestringentlimitonthepacketlengthduetohardwareorsoft-wareconguration(e.g.,TinyOS[10]useslessthan36-bytepackets),orpotentiallyhigherrorrates.InSEFMACposesamainsourceofpacketsizeincrease.However,wecannotreducetheMACsizebydecreasing ,becauseatoosmall valuere-ducesSEFsfalsedetectionpower.Inthefollowing,wepresenttwotechniquesforreducingtheoverheadwhileretainingcer-tainsecurityprotectionstrength.Thisraisesaninterestingques-tion,whichtechniqueisbetter?WewillcomparetheirstrengthinSectionIV-Bandpointoutunderwhatconditionswhichisbetter.1)ShorterMACs:OnemethodistouseMACsofshorterlengths.Thisreducestheoverheaddirectly,atthecostofin-creasingthechancethatanattackercantheMACcor-rectly,butitstillrequiresmultiplenodestocollectivelyendorseanevent.2)BloomFilters:Weproposeasecondtechnique,Bloomlter,whereweuseamuchshorterbit-string,insteadofalistofMACs,toreducepacketsizewhileretainingthefalsedatadetectingpower.lterisawell-knowndatastructurethatcanbeusedforefcientmembershipchecking,i.e.,givenanelement,whetheritisinapredenedset.ABloomlterismadeofaset usingastringof bitsand denthashfunctions [11].Each mapsanitem uniformlytotherange ,eachofwhichcor-respondingtoabitinthe -bitstring.(Notethatweuse , , , fordifferentmeaningsinthissection).The -bitstringisinitiallysetto0.Foreachelement ,wehashitwithallthe hashfunc-tionsandobtaintheirvalues .Thebitscor-respondingtothesevaluesarethensetto1inthestring.Note etal.:SEFOFINJECTEDFALSEDATAINSENSORNETWORKS Fig.4.Bloomlterthatrepresentselementsusingastringofbitsandhashfunctions,eachmapsanyelementtorange (s )andh (s bothmaptobit6.thatmorethanoneofthe valuesmaymaptothesamebitinthestring(seeFig.4,foranexample).Tondwhetheranitem ,bits arechecked.Ifallofthemare1, iscon-sideredtobelongto ; isdenitelynotin ifatleastoneofthemis0.ltermayyieldfalsepositives,i.e.,anelementisnot butitsbits arecollectivelymarkedbyotherelements 
.Ifthehashisuniformlyrandomoverthe values,theprobabilitythatabitis0afterallthe elementsarehashedandtheirbitsmarkedis .Therefore,theprobabilityforafalsepositive(i.e.,the bitsofanelement alreadymarked)is CertainchangesareneededtouseBloomlterforSEF.TheCoSapplies system-widehashfunctionstomapthe MACs(eachwith bits)toa -bitstring wherewehave toreducepacketsizeand retainen-routelteringcapability.These functionsareknownbyeverynodeandthesink.Foreach ,wehave if , s.t. otherwise nalreportsentbytheCoStothesinkis Now,weneedtomodifyboththeen-routinglteringandsinkvericationprocedurestoaccommodatetheuseofBloomlter.Whenaforwardingnodereceivesthereport,itcheckswhetherthereare keyindicesofdistinctpartitionsandan -bitBloom withatmost s.Ifithasoneofthekeys,itrepro-ducesthe hashvaluesandverieswhetherthecorrespondingbitsares.Thedetailsoftheforwardingprotocolforanin-termediatesensornodeareasfollows.1)Checkthat keyindices andan -bitstring existinthepacket,andthereareatmost sin ;dropthepacket,otherwise.2)Checkthe keyindices belongto distinctpartitions;dropthepacket,otherwise.3)Ifithasonekey ,itcomputes asin(1).Then,itcomputes andseeifthecorrespondingbitis Thepacketisdroppedifatleastoneofthemisitisforwardedtothenexthopifallofthemare4)Ifitdoesnothaveanyofthekeysin sendsthepackettothenexthop.Whenthesinkreceivesthereport,itcheckswhetherthereare keyindicesofdistinctpartitionsanda -bit withatmost sinthepacket.ItthenregeneratestheBloomlterandcompareswiththatcarriedinthepacket.Specically,thesinkpreparesan -bitstring ,withallbitssettoForeachkey ,itcomputestheMAC andmarksthecorrespondingbits Thepacketisacceptedonlyif isidenticalto BothshorterMACsandBloomltercangreatlyreducethepacketsize.Asanexample,assumethateachkeyindexis10bits,eachMACis bits, keyindices, MACsarerequiredforeachreport.Theytake370bits(about46bytes).UsingeithershorterMACs,oralterof hashfunctions,whichmap5MACsto 
bitstring,thetotalrequiredspaceisreducedto30%(about14bytes).Ontheotherhand,theymaintainreasonablelevelsofsecuritystrengthanddetectingpower,aswewillcompareandanalyzeinSectionIV-B.IV.PVALUATIONInthissection,werstquantifytheeffectivenessofen-routelteringinSectionIV-A,andcomparethesecuritystrengthsofshorterMACsandBloomlter,inSectionIV-B.Basedontheresults,wediscussinSectionIV-ChowtochooseappropriateparameterstooptimizethedetectingpowerofSEF.WethendescribeitsimplementationinSectionIV-DandanalyzeSEFenergysavingsthroughdroppingbogusdatainSectionIV-E.Finally,weprovidesimulationresultsinSectionIV-F.SinceSEFreliesonthe carriedMACstodetectfalsere-ports,anattackerthatcompromiseskeysin ormoredistinctpartitionscansuccessfullyfabricatereports.SEFcannotdetectordropsuchforgedreports,whichisalimitationofthecurrentdesign.Intherestofthissection,weanalyzecaseswheretheattackerhaskeysin ( )distinctpartitions.A.En-RouteFilteringEffectivenessTheattackercannotgeneratecorrectMACsofother distinctcategories.Tohavehisdatareportsforwarded,theat-tackerhastoforge keyindicesofdistinctpartitions MACs.Werstcomputetheprobabilitythatafor-wardingnodehasoneofthe keys,thus,beingabletodetectanincorrectMACanddropthereport.WeanalyzethescenariosthatusetheoriginalMACshere;SectionIV-Bexam-inesthescenariosusingshorterMACsorBloomlterandshowsthattheresultsarealmostthesame.Iftheattackerrandomlychooses otherpartitionsandrandomlychoosesakeyindexineachpartition,thentheprob-abilitythatanodehappenstohaveoneofthe keys,denotedby is (2) 844IEEEJOURNALONSELECTEDAREASINCOMMUNICATIONS,VOL.23,NO.4,APRIL2005 Fig.5.Portionofdroppedfalsereportsasafunctionofthenumberoftraveledhops.Thethreecurvesarefor ,0.1,0.05,wheretheattackerhaskeysin1,3,and4distinctpartitions,respectively.EachreportcarriesMACs. 
isthenumberofkeyseachnodepossesses, isthenumberofkeysapartitionhas,and isthenumberofkeyTheexpectedfractionoffalsereportsbeingdetectedanddroppedwithin hopsis Theaveragenumberofhopsthataforgedreporttraversesisgivenas Fig.5illustrateshowthedetectedfractionincreasesasthenumberofhops grows.Consideranexampleof partitions, keysperpartition,eachnode keys,andeachpacketcarries MACs. ,3,and4,wehave ,0.1,0.05,respec-tively.Fig.5showsthat90%falsereportsaredroppedwithintenhopsiftheattackerhaskeysinonepartition,and80%aredroppedwithin15hopsiftwopartitions.Intheworstcase,onlyoneMACisincorrect,80%falsereportsaredroppedin32hopsandtheytravel20hopsonaverage.B.SecurityStrengthsofShorterMACsandBloomFilter1)FalsePositiveattheSink:Now,weanalyzeandcom-parethefalsepositiveprobabilities(i.e.,afalsereportisnotdetectedandnallyacceptedbythesink)ofthetwooverhead-reducingtechniques:shorterMACsandBloomlter.Thisisimportanttocheckwhethertheymaintainsufcientsecurityprotectionagainstfalsiedreports,andidentifyunderwhatcon-ditionswhichisbetter.Weassumebothtechniquesuse inMACsoraBloomlter.EachshorterMACisof bits,thus,thechancethatanattackercansuccessfullyguessoneMACis .Thechanceheguessesallthe remainingMACsinadditiontothe MACshealreadyknows,thuscheatingthesinksuccessfully, WithBloomlter,theattackerhastwowaystoattack.Heknowsthe hashingresultsof correctMACs,thus,at sofan -bitBloomlter(notethatmorethanoneresultmaymaptothesamebit).Therefore,heneedstoguesstheremaining bitpositionsofthe forgedMACs.Sincedifferenthashingsmaymaptothesamebit,the hashresultsofforgedMACsmaptoatleastoneandatmost distinctbitpositions.Thetotalnumberofbitpatternsby hashresultsis Randomlyguessingoneofthemhas chanceofsuccess.Asecondwayofattackisnottomarkanyadditionalbit,buttosendtheBloomlterofthe correctMACsdirectly.GiventhefalsepositiveofBloomlters,itispossiblethatthebitsoftheremaining MACsarealreadymarked.Theprobabilityisgivenby .Given ,and ,theaboveprobabilitycanbeminimizedas 
Undertherstattack,BloomlterisalwaysbetterthanshorterMACs.Thisisbecausetheattackerneedstoguessinalargerspace( versus ).Asanexample,withthesameoverheadof64bits,eachreportcarrying MACs,inBloom hashfunctionsareused,whereaseachshorterMACisof12.8bit.Iftheattackerhaskeysinonepartition,thechancesofsuccessare2 and2 ;intheworstcasewhenhehaskeysof distinctpartitions, and2 Underthesecondattack,Bloomlterisbetterwhen small,butnotasgoodwhen islarge.Bycomparing(3)and(5),wendthatwhentheattackercompromiseskeysin partitions,itisfarmoredifculttosucceedinforgingtheBloomlter.Inthesameexample,when theprobabilitiesare2 and2 Thus,theconclusionisthatneitherofthetwooverhead-re-ducingtechniquesisalwaysbetterthantheother;theyeachex-celsundercertainconditions.Notethattheaboveprobabilitiestheprobabilityofsuccessfullyguessingthevalueofakey,whosestrengthisdecidedbyitslengthandindependentoftheBloomsorshorterMACssize.2)FalsePositiveatForwardingNodes:Anattackermayalsotrytofoolintermediatenodesinordertoatleastwasteenergyofsensorsalongthedatadeliverypaths.WithshorterMACs,thechancethatanattackercansuccessfullycheatafor-wardingnodewithouthavingthecorrectkey,is .Theprobabilityofdetectingfalsereportsbecomes (6) etal.:SEFOFINJECTEDFALSEDATAINSENSORNETWORKS istheone-hoplteringprobabilityin(2).Since ,theone-hopdetectingprobabilityisalmostunaffected.WithBloomlter,theattackermaymarkasmanybitsaspos-sible,tryingtocoverallthemarkedbitsinacorrectBloomlter.Whenintermediatenodesndthatthebitstheycalculateareal-readymarked,theywillforwardthemessage.Sincethereare MACsandeachishashed times,thereareatmost bitsinacorrect .Ifmorethan bitsareanintermediatenodecansimplydropsthereport.Thus,theattackersstrategyis:markthe(atmost) bitsofthe correctMACs,thenrandomlymarkother bitsasNow,wecalculatetheprobabilitythataforwardingnode withoneofthe keysndsallitsbitsmarked,thusfailingtodetectsuchafalseSincethehashfunctionsmapaMACtoeachofthe uniformly,theprobabilitythat ’s bitsallfallinthe markedbythecompromisednodeis .When 
,thisprobabilitycanbeminimizedas .Forexample,when and ,then .Thus,theprobabilityofdetectingthefalsereportataforwardingnodeis reducedbymerely1%.When ,wehave Thisimpliesthat89.0%falsereportsarelteredoutwithintheinitialtenhopsandtheytravel5.05hopsonaverage.ComparedwiththecorrespondingresultsofSectionIV-A,thedifferencesarealmostnegligible.Therefore,bothshorterMACsandBloomlterretainthelteringpower.Thedifferenceintheirdetectingpowerisalmostnegligibleandtheyarebotheffectiveindefeatinganadversarysattackincheatingintermediateforwardingnodes.C.ParameterSelectionInthissectionwediscusstheimpactofparameterchoicesonSEFeffectiveness.1)GlobalKeyPoolParameters:Themainimpactofglobalkeypoolstructureandkeyassignmentisonen-routeFrom(2), and shouldbelargetoincreasetheone-hopdetectionprobability .Inpractice, isconstrainedbythesstorage.Ifeachkeyis64bits,storing50keysneeds400bytes.Thiscantakeacertainportionoflow-endnodes shouldnotbetoobig,either.Becauseeachcom-promisednoderevealsaportionoftheglobalkeypool.Withtoobiga ratio,afewcompromisednodescanrevealasignicantportionofthekeypool.Thechoiceof islimitedbyhowmanybitsthepacketcanhold.Onsomelow-endnodes,packetscannotbetoolong,e.g.,morethan36bytes. 
shouldbedecidedbasedontheavailablespaceexcludingthereportcontent,headers,etc., alsoaffectsenergyconsumptioninforwarding.Longerpacketsconsumemoreenergy.Weshouldchoose suchthatitprovidessuflteringpower,whilestillsmallenoughtoconserveen-ergy.WewillstudyitsimpactonenergyinSectionIV-E.Thepartitionnumber affectstheen-routelteringproba-bility.Asmaller givesahigher (2).Ontheotherhand, Fig.6.Averagenumberofpartitions nodes.Thethreecurvesare=10,20,and30,whereisthetotalnumberofpartitions.shouldbelargerthan .Alarger makesitmoredifcultfortheattackertogatherkeysfromallthepartitions.Theabsolutenumbersof , affecttheprobabilitythattwonodeshavethesamesetofkeys.Weshouldavoidsuchcases,wherecompro-misingoneeffectivelycompromisestheother.Theprobabilityforsuchcasesisdeterminedbytheabsolutenumbersof , ,and ,givenas .Larger and leadtosmallerprob-abilities,eventhoughtheratio ,thus,thelteringproba- ,remainsthesame.Inpractice,afewthousandkeysarecienttogiveverysmallprobabilitiesoftwonodescarryingthesamesetofkeys.2)DeploymentDensity:Anotherfactorwemustconsideristhenodedeploymentdensity .Sincewerequire MACsfromdistinctcategoriesforeachlegitimatereport,thenumberofdetectingnodesforthesamestimulusshouldbelargeenoughtopossesskeysfromatleast partitions.Wecancalculate ,theexpectednumberofnodesneededtocollectivelypossesskeysfrom distinctpartitions,asfollows(detailsomittedduetospacelimit): where isthetotalnumberofpartitions.Supposenodessensingradiusis ,thenumberofnodesdetectingthesamestimulusis .Weshouldset suchat isat orlargertoensuresufcientnumberofdetectingnodes.Fig.6illustrateshowmanynodesareneededtocollec-tivelypossesskeysinagivennumberofdistinctpartitions.3)BloomFilterParameters:Afterthekeypoolparametersaredecided,theBloomlterparameterscanbesetaccordingly.Thekeyindexlengthis ,thus, keyindicesandan ltertake bitsforeachpacket.Withintheallowedpacketsize, shouldbelargeenoughtoreducethefalsepositiveprobabilities,asshownin(4)and(7).Thenumberofhashfunctions 
usedinBloomltercanbechosenbasedontheanalysisof(7)tominimizethechanceofafalsedatareporttoescapeen-route 846IEEEJOURNALONSELECTEDAREASINCOMMUNICATIONS,VOL.23,NO.4,APRIL2005D.ImplementationTohelpevaluatetheperformanceandcomplexitiesofSEFonrealsensors,weimplementedthecommunicationandcryptog-raphymodulesofSEF,aswellasitsAPIs,ontheMICA2motesproducedbyX-Bow[12].Thecommunicationmoduleprovidesaninterfacethatcanbeusedtoefcientlysendandreceiveapacketofanylength.ThecryptographymodulefacilitatesSEFwithcryptographicprimitives,suchascomputingtheMACforagiveneventreport,orhashingaMACforgeneratingBloomEachMica2sensorisequippedwithan8-bit4MHzmi-crocontrollerrunninganevent-drivenoperatingsystem,calledTinyOS[10],fromitsinternalashmemory.Thememorysizeavailableateachnodeisratherlimited:128kBofprogrammemoryand4kBofdatamemory.Thesestringentresourceconstraintsclearlyrequireacompactimplementationthatcanintotheunderlyingplatform.Therefore,wedonotintendtopro-videgeneral-purposecodesinourimplementation.Instead,mo-tivatedbytheapplication-drivenfeatureofsensornetworks,weoptimizedourcodesbasedonthespecicneedsofSEFwhen-everpossible.1)WirelessCommunicationModuleandAPI:TheAPIex-portedbythecommunicationmoduleconsistsof re- 
primitiveswhosemeaningsareself-evident.AlthoughTinyOSprovidesainterfacethatcantransmitandreceivepackets,wedonotuseitandchoosetoimplementourownmodulesfortworeasons.First,themaximumpayloadsizeperpacketthatcanbetransmittedusingthisinterfaceisonly29bytes.Anymessagethatislongerthan29byteshastobefragmented.Wedonotwanttoconstrainthescenariosforourexperiments.Second,eachpacketthatgoesthroughthisin-terfaceisaddedwithanextra7-byteheader,whichincurssig-cantcommunicationoverheadifthepayloadsizeissmall.SomeoftheeldsintheheaderarenotusefulforSEF,either.Therefore,wedevelopedacommunicationmodulespecitailoredtoSEF.Ourcommunicationmoduledirectlyreadsandwritesthebufferthatisassociatedwiththelow-levelradiodevice.Itcantransmitandreceiveapacketofanylength,thoughthechanceofcorruptionincreasesasthepacketbecomeslongerandlonger.Moreover,eachpacketonlyhasa1-byteheader,whichcontainsone.Notethatthepacketlengthinformationistheminimumrequirementthatshouldbecarriedinthepacketheader,asitisusedbythereceivertodelimitatethepacket.Althoughthisisnotappropriateforgeneral-purposewirelesscommunications,itprovidesanefcientsolutioninthecontextofSEF.Basedonthelengthofareceivedpacket,anodecaninferwhichtypeofpacketitis,andtheninterpretthepacketcontentaccordingly.2)CryptographyModuleandAPI:Wedonotintendtoimplementacompletesetofcryptographicprimitivesinthismodule.Instead,itprovidesasimpleAPI,aMAC(plaintext,key)callthatallowstheapplicationtocomputethemessageauthenticationcodeforanypacket,givenaspecicsymmetrickey.SimilartoTinySec[13],ourimplementationofmessageauthenticationisbasedonasingleblockcipherusingRC5algorithm[14].RC5issimpleandefcientasitinvolvesTABLEIREAKDOWNMICA2PLATFORM 
addition,XOR,andbitshiftingoperationsonly,andhaslowmemoryrequirement.Hence,itiswellsuitedforprovidingsecurityintheresource-stringentsensornodes.Wefurtheroptimizeourcodesbytakingadvantageoftheap-plicationsemantics.InSEF,themessageauthenticationcompu-tationisperformedsolelyontheeventcontentthathasaxedsize.Therefore,weneednotimplementgeneral-purposeMACcomputationschemes,suchastheCBC-MAC[15],toaccom-modateinputstreamswitharbitrarylengths.Infact,theeventcontentinourimplementationhasasizeof8bytes,whichissuf-cienttoholdtheeventtype,locationanddetectiontime,andisexactlythelengthofablockina32-bitRC5blockcipher.Thisway,asingleencryptionoperationsufcestogeneratetheMAC.Toreducecodesize,wemaximizecodereusebyusingthesameRC5cryptoforhashcomputations.Implementingcon-ventionalhashfunctionssuchasMD5needsseparatecodeandmemorytostoretables.Whatweneedhereisalightweightfunc-tionthatmapsan8-byteinputtoarange(e.g.,063).Wetakerstseveral(e.g.,6)bitsoftheRC5outputasthehashvalue.Usingthesame keys,eachnodehavethesamesetofhashfunctionsforBloom3)CodeBreakdown:TableIshowsabreakdownoftheimplementationcodesintheMICA2platform.Thecryptog-raphymoduletakesabout0.5%ofROMand2.8%ofRAM,thegenericradiocommunicationstackconsumesabout3.2%ofROMand2.8%ofRAM.Theyleaveabout124kBinROMand3.8kBinRAMforothercomponentssuchasapplications.E.EnergySavingsSEFsavesenergyofsensorsalongthedatadisseminationpathsthroughitsearlydetectionanddroppingoffalsedatare-ports.Ontheotherhand,SEFrequiresthateachreportcarry keyindicesandMACs(oraBloomlter),inadditiontotheeldsofareport.Suchextraeldsincurenergycon-sumptionintransmission,receptionandcomputation.WeusethefollowingmodeltoquantifySEFsenergysavings.LetthelengthoftheMACsorBloomlter,andkeyindexbe and respectively.Thelengthofanormalreportwithoutanyextraeldisdenotedas .Then,thelengthofanSEFreportbe- .Wenormalizethepacketlengthto andlet ,where Letthenumberofhopsareporttravelsbe ,andtheamountoflegitimatedatatrafcandfalseinjectedtrafcbe1and 
respectively. Without SEF, every report (including those forged ones) travels all  hops. With SEF, a false report with  forged MACs has probability  to travel exactly 

et al.: SEF OF INJECTED FALSE DATA IN SENSOR NETWORKS

Fig. 7. Energy consumption as a function of the normalized amount of injected  and the number of carried MACs .  is the energy amount without ,  are the amounts with SEF and the attacker has keys in 1 and 4 distinct partitions, respectively. SEF uses much less energy when the amount of injected traffic exceeds that of legitimate traffic.

Therefore, the energy consumed to deliver all the traffic, denoted by  without SEF and  with SEF, will be

(8)

where the energy consumed in transmitting, receiving one byte is  and .

Another part of the energy of SEF is in computations. We implement the RC5 [14] block cipher on Mica2 and use it for both MAC and hash computations. Denote the energy in one hash or MAC computation , the number of hash functions , and the number of detecting nodes for the same stimulus . The computation energy for all the traffic is . The total energy consumed for SEF is . Measurements [12] show that Mica2 nodes consume 10 mA current when idling or receiving, and 13 mA when transmitting. Based on the battery voltage (3 V) and data rate (19.2 kb/s), we can calculate that it takes ,  to transmit/receive a byte. Each RC5 computation takes about 0.5 ms [16] and consumes about . Since the implementation uses the same RC5 crypto for both MAC and hash computations, it takes 0.5 ms to finish one MAC computation (2.5 ms to finish the hash computations for the Bloom filter).

Fig. 7 plots how  and  change as functions of different  and , when , the overhead of the Bloom filter ( hash functions are used) or shorter MACs is  bits, the key index is  bits, the original packet size is  bytes, the global key pool has ten partitions, a node has 50% of the keys in a partition, and  nodes detect the same stimulus. SEF energy is plotted for two cases: the attacker has keys in , 4 distinct partitions. The actual per-hop detecting probability should be  = p(1 − ). Since  is very small (Section IV-B), we ignore it in the computation. This is for SEF with a Bloom filter. For shorter MACs, there is no hash computation; thus, the energy is even less. We omit it due to the space limit.
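The cryptography module of Section IV-D and the energy model above both rest on the same primitive: one RC5 block encryption serves as MAC(plaintext, key) over the fixed 8-byte event content, and the first 6 bits of the same cipher's output (under other keys) give the Bloom-filter hash functions. The following is an added illustration of that reuse in Python; it is not the authors' nesC code. RC5-32/12/16 parameters, the little-endian word packing, the field layout of the 8-byte event and the sample keys are assumptions of this example, not values from the paper.

```python
"""Single-block RC5 as SEF's fixed-length MAC and as its Bloom-filter hash.

Added illustration of the cryptography module described in Section IV-D; it is
not the authors' nesC code. Assumptions not stated on the page: RC5-32/12/16
(32-bit words, 12 rounds, 16-byte keys), little-endian word packing, the
layout of the 8-byte event content, and the sample key values below.
"""
import hmac      # only for hmac.compare_digest (constant-time comparison)
import struct

W = 32                               # RC5 word size in bits
MASK = (1 << W) - 1
ROUNDS = 12                          # assumed; the page gives no round count
P32, Q32 = 0xB7E15163, 0x9E3779B9    # RC5 magic constants for w = 32


def _rotl(x, n):
    n %= W
    return ((x << n) | (x >> (W - n))) & MASK


def rc5_expand_key(key):
    """RC5 key schedule: derive the 2*(ROUNDS+1) round-key words from `key`."""
    b = len(key)
    c = max(1, (b + 3) // 4)
    L = [0] * c
    for i in range(b - 1, -1, -1):   # pack key bytes into words, little-endian
        L[i // 4] = ((L[i // 4] << 8) + key[i]) & MASK
    t = 2 * (ROUNDS + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):   # mix the key into the S table
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc5_encrypt_block(S, block):
    """Encrypt one 8-byte block (two 32-bit words A, B) with round keys S."""
    A, B = struct.unpack("<II", block)
    A = (A + S[0]) & MASK
    B = (B + S[1]) & MASK
    for r in range(1, ROUNDS + 1):
        A = (_rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return struct.pack("<II", A, B)


def sef_mac(event, key):
    """MAC(plaintext, key) of the text: one RC5 encryption of the 8-byte event.

    A single block-cipher call is a sound MAC only because the input length is
    fixed at exactly one block; variable-length input would need CBC-MAC [15]
    or similar, which is what the text says SEF avoids."""
    if len(event) != 8:
        raise ValueError("SEF event content must be exactly 8 bytes")
    return rc5_encrypt_block(rc5_expand_key(key), event)


def sef_mac_verify(event, key, mac):
    """Forwarding-node check: recompute and compare in constant time."""
    return hmac.compare_digest(sef_mac(event, key), mac)


def sef_hash(event, key, bits=6):
    """Lightweight hash into 0 .. 2**bits - 1: the first `bits` bits of the
    RC5 output for `key`, reusing the cipher instead of a separate MD5."""
    return sef_mac(event, key)[0] >> (8 - bits)


def bloom_filter(event, hash_keys, size_bits=64):
    """Bloom filter of the event as a bitmask: one RC5 hash per key."""
    bf = 0
    for k in hash_keys:
        bf |= 1 << (sef_hash(event, k) % size_bits)
    return bf


# Constructed sample input: event type, x, y (grid units), padding, detection
# time (s); packs to exactly 8 bytes, like the event content described above.
SAMPLE_EVENT = struct.pack("<BHHBH", 0x01, 120, 45, 0, 3600)
SAMPLE_KEY = b"sef-demo-key-16b"                      # 16 bytes, constructed
HASH_KEYS = [bytes([i]) * 16 for i in range(1, 6)]   # 5 hash functions, constructed

if __name__ == "__main__":
    tag = sef_mac(SAMPLE_EVENT, SAMPLE_KEY)
    print("MAC:", tag.hex(), "verifies:", sef_mac_verify(SAMPLE_EVENT, SAMPLE_KEY, tag))
    print("Bloom filter:", format(bloom_filter(SAMPLE_EVENT, HASH_KEYS), "064b"))
```

The length check in `sef_mac` is the whole reason the construction is safe: a raw block encryption is a permutation on one block, so it authenticates exactly one fixed-size message; feeding it longer or variable-length input, which is what CBC-MAC exists for, would let an attacker splice blocks. The 2.5 ms hash cost quoted in the energy model corresponds to the five cipher calls `bloom_filter` makes here.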
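The parameters just listed (ten partitions, a node holding 50% of one partition's keys, an attacker with keys in 1 or 4 distinct partitions) and the per-hop filtering probability they imply are what drive both the energy curves of Fig. 7 and the drop percentages of Fig. 8. As an added example, not the authors' simulator, the script below computes the per-hop detection probability and the cumulative drop fraction, then checks them with a Monte Carlo run over randomly keyed forwarding nodes. The page states the 0.05 worst-case value but not a formula; the model used here, p = (T − Nc)/n · k/m with T = 5 MACs per report, is an assumption that reproduces that value (it gives 0.05 for an attacker in Nc = 4 of n = 10 partitions with k/m = 0.5).

```python
"""Monte Carlo check of SEF en-route filtering against its analytic drop rate.

Added example, not the authors' simulator. The page gives the parameters (ten
partitions, a node holding 50% of one partition's keys, an attacker with keys
in 1 or 4 partitions) and the resulting worst-case per-hop probability 0.05,
but not the formula; the model below is an assumption that reproduces it:
  * every node holds keys_per_node keys from one uniformly chosen partition;
  * a report carries t_macs MACs from t_macs distinct partitions (t_macs = 5
    assumed); an attacker with keys in nc partitions attaches nc genuine MACs
    and t_macs - nc forged ones under random key indices of other partitions;
  * a forwarding node drops the report as soon as it holds the key named by a
    forged MAC (it recomputes the MAC and sees the mismatch).
"""
import random


def per_hop_detect_prob(n_partitions, keys_per_partition, keys_per_node, t_macs, nc):
    """P(one forwarding node catches a forged report) = (t - nc)/n * k/m:
    its partition must be one of the forged ones and it must hold that key."""
    return (t_macs - nc) / n_partitions * keys_per_node / keys_per_partition


def drop_within(p, hops):
    """Fraction of forged reports dropped within `hops` independent checks."""
    return 1 - (1 - p) ** hops


def make_node(rng, n_partitions, keys_per_partition, keys_per_node):
    """Key assignment: keys_per_node indices from one random partition."""
    lo = rng.randrange(n_partitions) * keys_per_partition
    return frozenset(rng.sample(range(lo, lo + keys_per_partition), keys_per_node))


def forge_report(rng, n_partitions, keys_per_partition, t_macs, nc):
    """Forged report as (key_index, mac_is_genuine) pairs; the attacker's
    keys are taken to lie in partitions 0 .. nc-1."""
    parts = list(range(nc)) + rng.sample(range(nc, n_partitions), t_macs - nc)
    report = []
    for part in parts:
        lo = part * keys_per_partition
        report.append((rng.randrange(lo, lo + keys_per_partition), part < nc))
    return report


def hops_until_dropped(rng, report, max_hops, n_partitions, keys_per_partition, keys_per_node):
    """Walk the report hop by hop; return the dropping hop, or None if it
    escapes en-route filtering (the sink's full check still catches it)."""
    for hop in range(1, max_hops + 1):
        node = make_node(rng, n_partitions, keys_per_partition, keys_per_node)
        if any(idx in node and not genuine for idx, genuine in report):
            return hop
    return None


def simulate_drop_fraction(trials, hops, n_partitions=10, keys_per_partition=100,
                           keys_per_node=50, t_macs=5, nc=0, seed=1):
    """Fraction of `trials` forged reports dropped within `hops` hops."""
    rng = random.Random(seed)
    dropped = 0
    for _ in range(trials):
        rep = forge_report(rng, n_partitions, keys_per_partition, t_macs, nc)
        if hops_until_dropped(rng, rep, hops, n_partitions, keys_per_partition,
                              keys_per_node) is not None:
            dropped += 1
    return dropped / trials


if __name__ == "__main__":
    for nc in (0, 1, 4):
        p = per_hop_detect_prob(10, 100, 50, 5, nc)
        for hops in (5, 10):
            print(f"attacker in {nc} partition(s), p={p:.2f}: {hops} hops ->"
                  f" analytic {drop_within(p, hops):.1%},"
                  f" simulated {simulate_drop_fraction(2000, hops, nc=nc):.1%}")
```

Two things the run makes visible that the prose only asserts: every extra compromised partition lowers p linearly, so the attacker in four partitions (p = 0.05) has most forged reports survive five hops, whereas with p = 0.25 roughly three quarters are gone by then; and because each hop is an independent draw, the drop fraction grows geometrically with path length, which is the "network scale as an asset" argument behind Fig. 8.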
Fig. 8. Percentage of dropped false reports grows as the number of hops increases. The attacker has keys in 0 and 1 partition, respectively.

We find that  grows much faster than , and SEF saves energy in most cases. For example, when , if the packet carries  MACs and the attacker has keys in one partition, with SEF more than 80% of the energy can be saved compared with the case without SEF. Even in the worst case of , where the one-hop filtering probability  is merely 0.05, still about 65% of the total energy can be saved by dropping false reports.

In reality, an attacker may inject false data reports that are orders of magnitude more than the legitimate traffic, to inflict severe damage on the network. SEF saves a significant amount of energy in these scenarios. When the number of false reports is low, SEF may not save as much energy, but it still enables the sink to detect bogus events and reduce false alarms.

We also find that  dominates SEF's total energy consumption, which is consistent with the observation that it saves energy to trade off computation for less communication. An additional discovery is that  should not be too small to reduce energy consumption. Otherwise, the one-hop filtering probability is decreased and injected reports will travel more hops and consume more energy.

F. Simulation Results

We use simulations to further verify our analysis. Due to the space constraint, we only present results for en-route filtering and energy consumption in cases of , 1. We use a field size of 200 × 20 , where 340 nodes are uniformly distributed. One stationary sink and one stationary source sit at opposite ends of the field, with about 100 hops in between. The power consumptions of transmission and reception are 60 mW and 12 mW, respectively. The transmission time for a packet is 10 ms. The source generates a report every 2 s. We use a global key pool of 1000 keys, divided into 10 partitions, with 100 keys in each partition. Each node has 50 keys. The results are averaged over ten simulated topologies.

1) En-Route Filtering: Fig. 8 shows the percentage of dropped false reports as a function of the number of traveled hops, for 0 and 1 compromised key partitions, respectively. The source generates 1000 bogus reports in each run. When the attacker mimics wireless transmission to inject traffic
about 90% of the false reports are dropped within ten hops. With one compromised node, about 80% are dropped within ten hops. As the reports travel, more and more are detected and dropped: less than 5% of the reports can go beyond 20 hops and none reaches the sink; all of them are detected and dropped before they finish half of the 100 hops. These results are consistent with the theoretical analysis. They show that SEF turns the network scale into an asset to achieve greater detection power with a larger node population.

Fig. 9. Energy consumption as a function of the injected traffic ratio and the number of MACs each report carries. The attacker has keys in one partition. SEF saves energy when the amount of injected traffic exceeds that of legitimate traffic.

2) Energy Tradeoff: We use similar parameters as those in Section IV-E and the attacker has keys in one partition. The source generates 100 reports. The number of forged reports is , where  is the injected traffic ratio. Fig. 9 confirms our previous analysis (Section IV-E): when the injected traffic is more than the legitimate traffic, SEF saves energy.

V. DISCUSSIONS AND FUTURE WORK

A. Other Network Factors

SEF turns the scale into an asset by accumulating detecting power over data delivery paths. It works best in large-scale networks where reports need to travel many hops to reach the sink. The longer the data delivery path, the more powerful the filtering. SEF may not filter reports injected from locations close to the sink effectively. In such cases the energy savings might not be significant. However, the sink's detecting power is not affected. Any forged reports with incorrect MACs are still detected and do not trigger false alarms.

The SEF design is not tied to any particular data forwarding protocol. The probabilistic key assignment allows any node to verify MACs regardless of its location or functionality. As long as sensors can store some keys and perform the MAC computations, injected false reports can be detected and filtered en-route. It works with existing data forwarding protocols such as directed diffusion [17], GRAB [8], and TTDD [18].

SEF requires that data reports be generated collaboratively by the detecting sensors of the same stimulus. If the node density is low, detecting nodes may not generate sufficient numbers of MACs. We expect the guidelines in Section IV-C to help set appropriate deployment densities to avoid such situations.

The topology
of a sensor network may change dynamically due to energy conserving protocols such as [19] and [20], or unexpected node deaths in a harsh environment. SEF does not need any extra mechanism to deal with topology changes, because the state used for detection, key indices and MACs, is carried in packets, not by sensors.

B. Future Work

When nodes are densely deployed, the detecting nodes of a stimulus can collectively hold keys of all the  partitions. In this scenario, if the attacker has keys belonging to  or more, but fewer than  partitions, we may still detect their false reports over time. Since the CoS can choose to load consecutive data reports with MACs from different sets of  categories, a few successive reports will collectively carry MACs of all  categories. The sink can then reject those stimuli whose reports have MACs from fewer than a threshold  () of distinct categories. Further exploring the temporal redundancy of sensor network data reports in addition to the spatial redundancy, SEF can detect false data reports injected by attackers holding keys of up to  distinct partitions.

A compromised detecting node may launch false negative attacks against the collaborative report generation process. Thus, a legitimate event may not be reported properly. This is a different problem from the false positives that SEF addresses. Besides, being elected as the CoS is nontrivial. Unless the compromised node broadcasts values that are consistent with the other detecting sensor nodes' observations, effectively reporting the truth, they will not follow and endorse the compromised node's data report. Another legitimate detecting node will announce its values and be elected. One way to improve the resilience of the CoS election against attacks and to detect incorrect MACs is to add pairwise keys shared between each pair of neighbors and require that each message be authenticated. Thus one compromised node can send at most one incorrect MAC to the CoS, but cannot impersonate other nodes. The probabilistic key assignment of SEF already allows a certain degree of key sharing between neighbors to establish pairwise keys during network bootstrapping.

Currently, SEF does not address identifying compromised nodes or replacing compromised keys, which may be needed for the continuous operation of a network. For identification, neighbor nodes may overhear the channel to detect unusual activities of compromised nodes such as high traffic volume and notify the sink. After the nodes are identified, the sink should flood instructions to revoke compromised keys and propagate new ones. The sink's instructions can be authenticated by hash chains as proposed in [1]. As more nodes are compromised or deplete their energy, new nodes should be deployed. To work with existing nodes, they can carry some keys from the same global key pool. However, those keys that are already compromised should be avoided.

Finally, SEF is not designed to address other attacks a compromised node may launch, such as dropping legitimate reports passing through it, recording and replaying legitimate reports, or injecting false control packets to disrupt other protocols. Certain techniques can be applied. The authors in [21] point out that multipath forwarding can alleviate dropping of legitimate reports. Each sensor can use a cache [8], [17] to store the signatures of recently forwarded reports, thus replayed packets are not forwarded again. Solving these various problems requires different

We are currently exploring a location dependent key management scheme to confine the impact of a compromised sensor node to its locality. In the new scheme, keys are only valid in endorsing data reports regarding events in certain locations. Therefore, an attacker has to compromise sensor nodes and ac-
 or more partitions in order to have its injected false data reports forwarded by the sensor network.

VI. RELATED WORK

Sensor network security has been studied in recent years in a number of proposals. Karlof et al. [21] analyze attacks against sensor network routing protocols and point out possible ways of defense. Wood et al. [22] study DoS attacks against different layers of the sensor protocol stack and conclude that security should be considered at the design phase. Sasha et al. [23] propose to trade off overhead and security strength based on the importance of data. Lin et al. [24] study how to reduce energy consumption in cryptographic algorithms using dynamic voltage scaling. Carman et al. [7] compare the energy consumptions of different public key algorithms on various sensor hardware. SEF addresses a different problem, that of detecting and filtering injected false data.

SPINS [1] implements symmetric key cryptographic algorithms with delayed key disclosure on motes to establish secure communication channels between a base station and the sensors within its range. Basagni et al. [6] use a single key for the entire sensor network, assuming that tamper-resistant hardware is available so that no secret can be compromised. They do not address the false data injection problem in the presence of compromised sensor nodes. SEF key assignment bears similarities with [2], [3], which use probabilistic key sharing to establish trust between neighboring nodes. Chan et al. [3] further trade off the unlikelihood of large-scale attacks for higher strength against smaller ones, but SEF solves a different problem, and it assigns keys differently: each node has keys from only one partition of the global pool. This is to ensure that each node can only generate part of the proof for the truthfulness of a report. Only through the joint effort of multiple nodes can the complete proof be generated. Eschenauer et al. [2] do not impose such a constraint and nodes can choose keys from the whole key pool. Finally, [2] requires any two nodes to have very high probabilities of sharing keys to build a connected network; the probability in SEF can be much lower since we exploit the network scale to make en-route filtering effective.

In principle, the joint generation of MACs by multiple nodes is similar to [4], where several nodes collectively issue a certificate for a new node in mobile ad hoc networks, but [4] uses public key algorithms, which are infeasible on small sensors of constrained computing, energy, and memory resources. Canetti et al. [25] propose multiple MACs to ensure source authentication in multicast so that a group of fewer than a threshold number of colluding receivers do not have all the keys needed to cheat other receivers. SEF has many data sources but one sink, and only the sink has all the keys. The purpose is to prevent compromised nodes from cheating the sink. Reference [25] assumes one source but many receivers, and the purpose is to prevent cheating each individual receiver. Also, packet size is not a big concern in the Internet but it is a serious issue for low-end sensors.

There is also a rich literature on secure routing in mobile ad hoc networks such as [26] and [27]. Yang et al. [28] propose self-organized algorithms and protocols to secure homogeneous ad hoc wireless networks, and Kong et al. [29] for heterogeneous mobile ad hoc networks. SEF works for large-scale sensor networks, whose communication is usually from many to one and whose resources are severely constrained.

The SEF design is also related to intrusion detection [30] and Internet packet filtering against DoS attacks through forged source IP addresses [5]. However, these designs either rely on network infrastructure that does not exist in a self-organized wireless sensor network, or involve complex and sophisticated mechanisms that are beyond the capabilities of low-end sensors. SEF only requires that sensor nodes store tens of keys and perform efficient keyed MAC computations.

VII. CONCLUSION

Large-scale sensor networks may be deployed in a potentially adverse or even hostile environment. Due to the unattended operation of the network and the relatively small sizes of the sensors, sensor nodes may have a high risk of being captured and compromised. Instead of relying on, and complementing the efforts of, tampering prevention, in this paper we focused on detecting false sensing reports that can be injected by compromised nodes.

We have developed SEF for false report detection. Authenticating event reports requires that nodes share certain security information; however, attackers can obtain such information by compromising just a single node. To overcome this dilemma, the SEF design divides a global key pool into multiple partitions and carefully assigns a certain number of keys from one partition to each individual node. Given that any single node knows only a limited amount of the system secret, compromising one or a small number of nodes cannot disable the overall network from detecting bogus reports. The SEF design harnesses the advantage of large scale by requiring endorsement of an event report from multiple detecting nodes and by detecting false reports through collaborative filtering of all forwarding nodes along the path. Our analysis and simulations show that SEF can drop up to 70% of bogus reports injected by a compromised node within five hops, and up to 90% within ten hops along the forwarding paths. When the amount of injected traffic is high, it saves more than 80% of energy by dropping false data en-route.

Although several recent research efforts have addressed sensor network security issues such as node authentication, data secrecy, and integrity, they provide no protection once any node is compromised. SEF represents the first step toward building resilient sensor networks that can withstand compromised nodes. SEF achieves this goal by balancing the tradeoff between the amount of security information assigned to individual nodes and the false detection power of the nodes. The more security information each forwarding node has, the
more effective the en-route filtering will be, but also the more secrets the attacker can obtain from a compromised node. Our plan for the next step is to conduct a systematic evaluation of the tradeoffs between these two conflicting goals, and to gain further insight into how to build a sensor network that can be at once resilient against multiple compromised nodes, as well as effective in detecting false data reports through collaborative

REFERENCES

[1] V. Wen, A. Perrig, and R. Szewczyk, "SPINS: Security suite for sensor networks," Proc. ACM MobiCom, 2001, pp. 189.
[2] L. Eschenauer and V. D. Gligor, "A key-management scheme for distributed sensor networks," Proc. ACM CCS, 2002, pp. 41.
[3] H. Chan, A. Perrig, and D. Song, "Random key predistribution schemes for sensor networks," Proc. IEEE Symp. Security Privacy, May 2003, pp. 197.
[4] H. Luo, J. Kong, P. Zerfos, S. Lu, and L. Zhang, "URSA: Ubiquitous and robust access control for mobile ad hoc networks," IEEE/ACM Trans. Netw., vol. 12, no. 6, pp. 1049–1063, Oct. 2004, to be published.
[5] K. Park and H. Lee, "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets," Proc. ACM SIGCOMM, 2001, pp. 15.
[6] S. Basagni, K. Herrin, E. Rosti, and D. Bruschi, "Secure pebblenets," Proc. ACM MOBIHOC, 2001, pp. 156.
[7] D. W. Carman, P. S. Kruus, and B. J. Matt, "Constraints and approaches for distributed sensor network security," NAI Laboratories, Tech. Rep. 010, 2000.
[8] F. Ye, G. Zhong, S. Lu, and L. Zhang, "GRAdient broadcast: A robust data delivery protocol for large scale sensor networks," ACM Wireless Netw. (WINET), vol. 11, no. 2, Mar. 2005.
[9] M. Bellare, R. Canetti, and H. Krawczyk, "Keying hash functions for message authentication," Proc. Crypto, pp. 1–15, 1996.
[10] TinyOS Operation System [Online]. Available: http://millennium.berkeley.edu
[11] B. Bloom, "Space/time trade-offs in hash coding with allowable errors," Commun. ACM, vol. 13, no. 7, pp. 422–426, 1970.
[12] Xbow Sensor Networks [Online]. Available: http://www.xbow.com/
[13] C. Karlof, N. Sastry, U. Shankar, and D. Wagner, "TinySec: TinyOS Link Layer Security Proposal Version 1.0," 2002.
[14] R. Rivest, "The RC5 encryption algorithm," Proc. Workshop on Fast Software Encryption, Jun. 1995, pp. 423423.
[15] "Data Encryption Standard (DES)," U.S. National Institute of Standards and Technology, Draft Federal Information Processing Standards Publication 46-3, 1999.
[16] C. Karlof, N. Sastry, and D. Wagner. (2002) TinySec: Security for TinyOS. [Online]. Available: www.cs.berkeley.edu/~nks/tinysec/TinySec.ppt
[17] C. Intanagonwiwat, R. Govindan, and D. Estrin, "Directed diffusion: A scalable and robust communication paradigm for sensor networks," Proc. ACM MOBICOM, 2000, pp. 56.
[18] F. Ye, H. Luo, J. Cheng, S. Lu, and L. Zhang, "A two-tier data dissemination model for large-scale wireless sensor networks," Proc. ACM, 2002, pp. 148.
[19] C. Schurgers, V. Tsiatsis, S. Ganeriwal, and M. B. Srivastava, "Optimizing sensor networks in the energy-latency-density design space," IEEE Trans. Mobile Comput., vol. 1, no. 1, pp. 70–80, Jan.–Mar. 2002.
[20] F. Ye, G. Zhong, S. Lu, and L. Zhang, "PEAS: A robust energy conserving protocol for long-lived sensor networks," Proc. ICDCS, May 2003, pp. 28.
[21] C. Karlof and D. Wagner, "Secure routing in wireless sensor networks: Attacks and countermeasures," Proc. IEEE SPNA, May 2002.
[22] A. Wood and J. Stankovic, "Denial of service in sensor networks," vol. 35, no. 10, pp. 54–62, Oct. 2002.
[23] S. Slijepsevic, M. Potkonjak, V. Tsiatsis, S. Zimbeck, and M. Srivastava, "On communication security in wireless ad-hoc sensor networks," Proc. 11th IEEE Int. Workshops Enabling Technol.: Infrastructure for Collaborative Enterprises, Jun. 2002, pp. 139.
[24] L. Yuan and G. Qu, "Design space exploration for energy-efficient secure sensor networks," Proc. IEEE Int. Conf. Appl.-Specific Syst., Architectures, Processors, Jul. 2002, pp. 88.
[25] R. Canetti, J. Garay, G. Itkis, D. Micciancio, M. Naor, and B. Pinkas, "Multicast security: A taxonomy and some efficient constructions," Proc. INFOCOM, Mar. 1999, pp. 708.
[26] Y.-C. Hu, A. Perrig, and D. B. Johnson, "Ariadne: A secure on-demand routing protocol for ad hoc networks," Proc. ACM MOBICOM, 2002, pp. 12.
[27] B. Awerbuch, D. Holmer, C. Nita-Rotaru, and H. Rubens, "An on-demand routing protocol resilient to byzantine failures," Proc. ACM Workshop on Wireless Security (WiSe), 2002, pp. 21.
[28] H. Yang, X. Meng, and S. Lu, "Self-organized network layer security in mobile ad hoc networks," Proc. WiSe, pp. 11–20, 2002.
[29] J. Kong, H. Luo, K. Xu, D. L. Gu, M. Gerla, and S. Lu, "Adaptive security for multi-layer ad hoc networks," Wireless Commun. Mobile Comput., Special Issue on Mobile Ad Hoc Networking, vol. 2, pp. 547, 2002.
[30] W. R. Cheswick and S. M. Bellovin, Firewalls and Internet Security. Reading, MA: Addison-Wesley, 1994.

Fan Ye received the B.E. degree in automatic control and the M.S. degree in computer science from Tsinghua University, Beijing, China, in 1996 and 1999, respectively, and the Ph.D. degree in computer science from the University of California, Los Angeles, in 2004. He is currently with the IBM T. J. Watson Research Center, Hawthorne, NY. His research interests are in wireless networks, sensor networks, and security.

Haiyun Luo received the B.S. degree from the University of Science and Technology of China, Hefei, and the M.S. and Ph.D. degrees in computer science from the University of California, Los Angeles. He is currently an Assistant Professor in the Department of Computer Science, University of Illinois at Urbana-Champaign, Urbana. His research interests include wireless and mobile networking and computing, security, and large-scale distributed systems.

Songwu Lu (M'00) received the M.S. and Ph.D. degrees from the University of Illinois at Urbana-Champaign, Urbana. He is currently an Assistant Professor of Computer Science at the University of California, Los Angeles. His research interests include wireless networking, mobile computing, wireless security, and computer networks. Dr. Lu received the National Science Foundation (NSF) CAREER Award in

Lixia Zhang (SM'94) received the Ph.D. degree in computer science from the Massachusetts Institute of Technology, Cambridge. She was a Member of the Research Staff at the Xerox Palo Alto Research Center, Palo Alto, CA, before joining the faculty of the Department of Computer Science, University of California, Los Angeles, in 1995. Dr. Zhang has served on the Internet Architecture Board and was Co-Chair of the IEEE Communication Society Internet Technical Committee. She served on technical program committees for many networking-related conferences including SIGCOMM and INFOCOM. She is currently serving as the Vice Chair of ACM SIGCOMM. She was on the Editorial Board of the IEEE/ACM TRANSACTIONS ON NETWORKING