Doctorate Dissertation, L'Aquila, March 31st 2009

Managing Security Issues in Advanced Applications of Wireless Sensor Networks
PhD Candidate: Ing. Marco Pugliese
Advisor: Prof. Fortunato Santucci
PhD School Coordinator: Prof. Giuseppe Ferri
Università degli Studi dell'Aquila, Dipartimento di Ingegneria Elettrica e dell'Informazione
PhD Programme (Corso di Dottorato di Ricerca) in Electrical and Information Engineering (Ingegneria Elettrica e dell'Informazione), XXI Cycle, Academic Year 2007-08
SSD: ING/INF 03 Telecommunications

Example of WSN-based Health Monitoring System
Challenges:
• Data Sampling
• Command Dissemination
• Data Collection
[Figure labels: Node (Mote + Accelerometer Board); Battery; Bi-directional Path Antenna]
[Source: Culler D. et al., "Health Monitoring of Civil Infrastructures Using Wireless Sensor Networks", SensorNet Architecture meeting, Nov. 2006]

Securing the Monitoring System
[Figure labels: Link Layer Cryptography; Intrusion Detection System; cross-layer Secure Platform; Base Station (BS, sink); External server; Monitoring domains]

Objective & Methodology
O: Design and implementation of a comprehensive cross-layer framework to provide WSN-based monitoring services with security (data confidentiality, data entity authentication) and reliability (data integrity, service availability)
Pilot project: WINSOME (WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting), developed at DEWS premises
M: R&D approach
– Cross-layer domain (link layer + net layer + appl layer)
– Integration of the "traditional" security techniques with novel components and Cost Rebalancing (computation time and memory usage) to comply with WSN resource constraints
– Design Optimization (platform-based system design, PBD)
– Modular SW Development (component-based sw design)
– Dynamic Distributed Application Architecture (mobile agent-based)

Outline
• WINSOME PBD (I)
• Underlying Physical WSN Deployment
• Underlying Logical WSN Deployment (ARCHEA)
• Link Layer Cryptographic Scheme (TAKS)
• WPM-based IDS
• WINSOME PBD (II)
• Next steps (near-term)
• Next steps (mid-term)

Distributed Architecture Platform-Based Model
[Figure labels: Applications (Application A1, Application A2, …, Application An); Application Execution Environment (AEE); Secure Platform; SW components; MW services; Local memory; Shared memory; Underlying WSN Deployment (Sensor Nodes)]

Agent-based Distributed Architecture Platform-Based Model
[Figure labels: Agent-based Applications (Agent A1, Agent A2, …, Agent An); Mobile Agent Application Execution Environment (MA-AEE); Secure Platform; SW components; MA-MW services; Local memory; Shared memory; Underlying WSN Deployment (Sensor Nodes)]

WINSOME PBD (I)
[Figure labels: Monitoring Applications (Integrity Monitoring Agent, other agents); Mobile Agent Application Execution Environment (MA-AEE); Secure Platform; IDS Agent comp; IDS Core comp; Link layer Cryptography; WSN Topology Manager; MA-MW services; Shared memory; Local memory; Underlying WSN Deployment (Sensor Nodes)]

WINSOME PBD (I)
[Figure labels: Monitoring Applications (Integrity Monitoring Agent, other agents); Mobile Agent Application Execution Environment (MA-AEE); Secure Platform; IDS Agent comp; IDS Core comp; Link layer Cryptography; WSN Topology Manager; MA-MW services; Shared memory; Local memory; Underlying WSN Deployment (Sensor Nodes)]
Component annotations:
• AGILLA-based MA-AEE
• ARCHEA (Available Resource Cluster Head Election Algorithm)
• TAKS (Topology Authenticated symmetric Key Scheme)
• WPM-based IDS (Weak Process Model based Intrusion Detection System)

Underlying WSN: Physical WSN Deployment
Q: Given a set of Sensor Nodes, find the class of WSN physical deployments (geometrical nodes distributions) compliant to coverage (redundancy vs reliability) and resource requirements
A: Coverage-Cost Quality Indicators; conditions for lossless / lossy detection
[Figure: fundamental cells for the Min Redundancy Configuration and the Max Reliability Configuration; labels r, 3r]

Underlying WSN: Logical WSN Deployment (Network Topology)
• Dynamic Clustered Spanning Tree (DCST): it represents a design assumption motivated by
– Cluster Heads (CHs) assigned on-demand (by a Cost Function)
– Support to "data centric" applications (functions → data)
– "Table-less" routing protocols
– Support to data aggregation / fusion (at CHs)
– Support the mobile agent propagation from CHs to their CMs
[Figure: two clustered spanning trees with CH nodes and the BS]

Underlying WSN: Planned Network Topology
• Planned Network Topology (PNT graph): defines the graph including the sub-set of DCSTs compliant to the specific constraints defined by the Planner (→ admissible DCSTs)
– Each node knows its admissible neighbors
• How many DCSTs in a given PNT? Kirchhoff's Theorem
N: the nodes in the network; <σ>: average neighbors per node
1NN1
[Figure: 7-node PNT graph] N = 7, <σ> 3.4, 220
σ(1) = 3, σ(2) = 3, σ(3) = 6, σ(4) = 3, σ(5) = 3, σ(6) = 3, σ(7) = 3
[Figure: 9-node PNT graph] N = 9, <σ> 4.4, 15600
σ(1) = 3, σ(2) = 5, σ(3) = 8, σ(4) = 5, σ(5) = 3, σ(6) = 5, σ(7) = 3, σ(8) = 3, σ(9) = 5

WSN Topology Manager (ARCHEA)
Q: Given a WSN physical deployment and a Planned Network Topology, find the class of "short" and "balanced" admissible DCSTs compliant to resource requirements
A: ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices
Route-Cost Quality Indicators
• It includes the conditions to preserve spanning trees in WSN [Sec. 5.2]
• It is shown [Sec. 5.4] that the elected CH has minimum Hop Count (hCH) to sink and maximum number of CM [σ(CH)] with respect to the other eligible nodes (→ balanced cluster sizes)
• Short and balanced DCST: it represents a design assumption motivated by
– Reduced code transmission hops (for mobile agent propagation)
– Augmented reliability in data aggregation at CHs
– ARCHEA and routing messages can be crypto-secured

TAKS: Driving Ideas & Tools
Link layer Cryptography provides security against outsider intruders
• TAKs are symmetric, pair-wise, not pre-distributed (only key components are pre-distributed)
• TAKS is deterministic
• TAKs are symmetric keys generated using asymmetric mechanisms (hybrid cryptography)
• Network Topology Authentication as pre-condition for TAK generation
• Cryptographic Entropy per TAK binit ≈ 1 bit (for any TAK length)
• Certification Authority is distributed on nodes of the admissible DCSTs
• Reverse engineering problem more complex than Discrete Logarithm Problem (DLP)
• Cryptographic information is classified in public / restricted / private / secret
• Vector algebra on GF(q) with q = 2^k and k the TAK length in binit

TAKS: Topology Authentication
• Network Topology Authentication as pre-condition for TAK generation
• If the Planner is also Certifier
– Planned Network Topology → Certified Network Topology
– Admissible DCST → Authenticated DCST
• Node in an Authenticated DCST becomes local CA because it knows its admissible neighbors
– Centralized CA → Distributed CA
TAK can be generated in a node pair only if mutual authentication has been successful; therefore the resulting DCST is both admissible and authenticated

TAK Generation
[Figure: TAK generation between nodes ni and nj, which exchange TrKeyCompi and TrKeyCompj. Check at ni: V(TrKeyCompj, LocPldTopi) = 0; YES: node nj is authenticated and Keyi = f(LocKeyCompi, TrKeyCompj). Check at nj: V(TrKeyCompi, LocPldTopj) = 0; YES: node ni is authenticated and Keyj = f(LocKeyCompj, TrKeyCompi). The NO branches lead to the Intrusion Detection System (external server). Result: TAK = Keyi = Keyj]
• TAK Authentication Theorem [Sec. 6.4.1]
• TAK Generation Theorem [Sec. 6.4.2]
• f() and V() [Sec. 6.4] are public (Kerckhoffs's principle)
• Local Conf Data [Sec. 6.4]: LocKeyComp (private), TrKeyComp (restricted), LocPldTop (restricted)

Security Analysis
Q: Is TAK a real cryptographic key? I.e., which is the cryptographic entropy per binit associated to TAK?
A: It is shown [Sec. 6.5.1] that TAK Cryptographic Entropy per binit is ≈ 1
Q: How secure is a single node? I.e., how complex is the inverse problem of breaking the TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec. 6.5.2] that it is harder than the Discrete Logarithm Problem
Q: How secure is a network? I.e., how many nodes should be compromised to derive the TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec. 6.5.3] that the TAKS scheme is N-secure

Cost Analysis
• MICA2: 8-bit processor ATMega128L, 7.4 MHz; assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 μs
• IMOTE: 32-bit processor PXA271 XScale, 312/416 MHz; assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 μs (assuming a conservative 300 MHz clock)
• Memory usage is 3(σ + 2) log2 q bits
TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming σ = 4)
128 bit | 1400 | 5 ms | 50 μs | 300 bytes
256 bit | 13000 | 40 ms | 400 μs | 600 bytes
512 bit | 120000 | 370 ms | 3.7 ms | 1200 bytes
1024 bit | 1100000 | 3.2 s | 32 ms | 2400 bytes

Reference IDS Macro-functions
• Intrusion Alarm Generation: issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL): defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA): reacts to intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists / grey lists, …)
[Figure labels: Intrusion Alarm Generation; Intrusion Reaction Logic; Intrusion Reaction Application; Local Conf Data; Control messages]

WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message → Anomaly Rules → Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
– Deterministic vs stochastic observable-state relationships
– "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables → States Traces → Scores → Alarm → Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
– "possible states traces" vs "the most probable states trace" (Viterbi)
– Possible states traces are equi-probable
• Alarm generation when at least a states trace contains at least an HPA
– Scores (weights) associated to state traces

WPM-based IDS Micro-functions
[Figure labels: Anomaly Detection Logic; Threat Model; Alarm Tracking; Defence Strategy; Countermeasure Application; Local Conf Data; Control messages]

WPM-based IDS Information Flow
[Figure labels: Anomaly Detection Logic; Threat Model; Alarm Tracking; Defence Strategy; Countermeasure Application; Local Conf Data; Signalling IE; xk; ok; Al[sk]; cm(s); Control messages]

WPM-based Anomaly Detection Model
[Figure: WPM Algebraic Canonical Form; WPM States Traces over observation steps k=1 … k=6 for the observable sequence o6 = 3 1 4 2 5 6; Score Matrix S and Score Computation with L = 1 and H = 100; LPA and HPA states; alarms al[…]]

Threats from insider intruders
[Figure: cluster scenarios with cluster head CH, member M, nodes ni and nj, and node E: HELLO Flooding (HF), SINKHOLE (SH), inter-cluster WORMHOLE and intra-cluster WORMHOLE (WH) over a low latency link]

Examples of Anomaly Rules
AR1: If ni has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if there are no observables for a sequence of K observation steps, with K a predefined threshold
…

WPM-based Single Threats Models
[Figure: state machines with observable labels and scores for HELLO Flooding (HF; states HF_1 … HF_6, with HF_5 RESET and HF_6 SUCCESSFULLY H FLOODING), SINKHOLE (SH; states SH_1 … SH_4, with SH_3 RESET and SH_4 SUCCESSFULLY SINKHOLE) and WORMHOLE (WH; states WH_1 … WH_6, with WH_5 RESET and WH_6 SUCCESSFULLY WORMHOLE)]

Aggregated Threat Model (I)
[Figure: aggregated state machine with states X_1 … X_10 (X_9 RESET, X_10 SUCCESSFULLY THREAT), observable labels, scores and alarms Al[sk]]

Security Analysis
[Figure: score versus observation step (obs 1 to 31) for three observable sequences, with ATM and STM curves: (HF) 8886678555586775, (SH) 21221112112221, (WH) 312213342342244]

Security Analysis
[Figure: two network scenarios with node E and the corresponding score versus observation step plots (obs 1 to 31), labelled (WH) and (SH)]

Aggregated Threat Model (II)
[Figure: aggregated state machine with states X_1 … X_10 (X_9 RESET, X_10 SUCCESSFULLY THREAT), observable labels and scores, with a UPA state marked]

Cost Analysis
• MICA2: 8-bit processor ATMega128L, 7.4 MHz; assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 μs
• IMOTE: 32-bit processor PXA271 XScale, 312/416 MHz; assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 μs (assuming a conservative 300 MHz clock)
• Memory usage is (n_WML + 3n^2) bytes
n_WML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes

AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: Node (1,1) and Node (2,1), each with TinyOS, Agilla Middleware (Middleware Services, Tuplespace, Neighbor List) and Agents; arrows labelled migrate, clone and remote access; MA-AEE]
[Source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech. Report WUCSE-2006-16, 2006]

Enhanced AGILLA MA-AEE
[Figure labels: Agent-based Applications (Agent A1, Agent A2, …, Agent An); AGILLA MA-AEE; Secure Platform; SW components; AGILLA services; Tuple space; Local memory; Underlying WSN Deployment (Sensor Nodes)]

IDS Functions Mapping
[Figure labels: IDS Core comp; IDS MA comp; IRA (Intrusion Reaction Agent); Anomaly Detection Logic; Threat Model; Alarm Tracking; Defense Strategy; Countermeasure Application; LCD; Control messages]

IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running AGILLA MA-AEE; the IRA is cloned from node to node, while Al[s] and ok flow between nodes]
This mechanism avoids the injections of new IRA instances from the sink

WINSOME PBD (II)
[Figure labels: Monitoring Applications (Integrity Monitoring Agent, IRA, other agents); AGILLA MA-AEE; Secure Platform; IDS core comp (Anomaly Detection Logic, Threat Model); TAKS; ARCHEA; NetManager; LCD; Tuple Space; AGILLA services; Underlying WSN Deployment (Sensor Nodes)]

Secure Platform internal Structure
[Figure labels: AGILLA MA-AEE (IRA, Tuple Space, Remote Tuple Space); Secure Platform; ADL; TM; IRL; IRLA; LCD; NetManager; Comms; Control Msgs; signals ok, Hp_xk, al[sk], cm[s]]

Next steps (near-term)
• Finalization of WINSOME components development
– on-going implementations of AGILLA enhancements
  • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
– on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys

Next steps (mid-term)
[Figure labels: WINSOME Project; Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems; Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]

Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008

In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"

Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network

Thank you for your attention

BACKUP SLIDES

Underlying WSN: Physical WSN Deployment
• Metrics
– Sensor Node Density (SND): it is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
– Overlapping Detection Spot Percentage (ODSP): it is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
– Minimize SND·ODSP to minimize coverage redundancy for a given SND
– Minimize SND/ODSP to maximize coverage reliability for a given SND

Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)
Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23

Underlying WSN: DCST Deployment
[Figure: DCST deployed over a network of 25 numbered nodes]

Underlying WSN: DCST Self-Organization
[Figure sequence over five slides: DCST self-organization steps on the same 25-node network]

Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network
Case | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO, down 3 | 0.38 | 0.32 | 0.84
DCST-SO, down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO, down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO, down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO, rearrange 12 | 0.48 | 0.25 | 1.10

TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-pla where ux, uy, uz are elements in GF(q)
• Let f() a function satisfying the following requirements
R1: Be a one-way function
R2: must hold for where is an arbitrary commutative operator
• Let V() a 2-variable function satisfying the following requirements
R3: Be a one-way function
R4: V(v, v') = 0 only for a particular sub-set of values v, v' ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
const)u(f)u(f)u(f)u(f Uuu

TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a' ∈ A if m ∈ M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) (not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for where m ∈ M satisfies Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because for where (hereafter omitted) is the mod q product
e. Let kl, k'l ∈ KL ⊂ U (private) and kt, k't ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that, for the generic kt ∈ KT, t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk

TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node ni is authenticated by node nj (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to one of the logical "planned" neighbors of node i
• TAK authentication needs
– TrKeyCompj: vector ktj from node nj (the prover)
– LocPldTopi: vector t for node ni (the verifier)
– If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4

WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi) k-1

WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
A: the i-th column gives the states reachable from the i-th state
B: the i-th column gives the observables of the i-th state

WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: generation of hypothetic states traces over six observation steps, alternating xk = B^T ok and xk+1 = A xk. Values shown: o1 = 3 with x1 = 4, x1 = 5; o2 = 1 with x2 = 1, x2 = 5; o3 = 4 with x3 = 2, x3 = 3; o4 = 2 with x4 = 3; o5 = 5 with x5 = 4; o6 = 6 with x6 = 1, x6 = 5. Resulting traces Tr1 and Tr2, labelled 1245 and 1351]

WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined
– Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
– High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state

WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
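The trace tracking and alarm rule defined on the slides above (Hp_xk = B^T ok, LPA/HPA hazard levels, scores L and H), as an added example that is not code from the dissertation. The matrices A and B, the state numbering and the restart when an observable fits no trace are constructed assumptions; traces are extended by intersecting the states reachable through A with the states allowed by B^T ok.

```python
# Constructed 5-state threat model (illustrative, not the slides' matrices).
# State 0 is the initial state x0, state 4 the final state xF.
# Column convention of the canonical form: A[j][i] == 1 when state j is
# reachable in one step from state i (x_{k+1} = A x_k).
A = [
    [0, 0, 0, 0, 0],
    [1, 0, 0, 0, 0],
    [1, 1, 0, 0, 0],
    [0, 1, 1, 0, 0],
    [0, 0, 0, 1, 0],
]
# B[o][i] == 1 when state i can emit observable o (o_k = B x_k).
B = [
    [1, 0, 0, 0, 0],   # o0: emitted only by the initial state
    [0, 1, 1, 0, 0],   # o1: ambiguous between states 1 and 2
    [0, 1, 0, 0, 0],   # o2: state 1 only
    [0, 0, 1, 1, 0],   # o3: ambiguous between state 2 (LPA) and 3 (HPA)
    [0, 0, 0, 0, 1],   # o4: final state
]
X0, XF = 0, 4
L_SCORE, H_SCORE = 1, 100   # L = 1, H = 100 as on the score slide


def hazard_levels(A, xf):
    """Label each state by its hop distance to the final state:
    1 hop -> HPA, 2 or more hops -> LPA (backward breadth-first search)."""
    dist, frontier = {xf: 0}, [xf]
    while frontier:
        nxt = []
        for j in frontier:
            for i in range(len(A)):
                if A[j][i] and i not in dist:   # state i reaches j in one step
                    dist[i] = dist[j] + 1
                    nxt.append(i)
        frontier = nxt
    return {s: ("HPA" if d == 1 else "LPA") for s, d in dist.items() if d >= 1}


def hypothetic_states(B, obs):
    """Hp_x_k = B^T o_k: the states that can emit observable `obs`."""
    return [i for i, bit in enumerate(B[obs]) if bit]


def extend_traces(A, B, traces, obs):
    """Keep every trace that can move to a state compatible with `obs`.
    All surviving traces are kept (equi-probable), not just a best one."""
    out = []
    for tr in traces:
        for j in hypothetic_states(B, obs):
            if A[j][tr[-1]]:
                out.append(tr + (j,))
    return out


def trace_score(trace, levels):
    """Sum L for every LPA state and H for every HPA state entered."""
    weight = {"LPA": L_SCORE, "HPA": H_SCORE}
    return sum(weight.get(levels.get(s), 0) for s in trace[1:])


def detect(observations, A=A, B=B, x0=X0, xf=XF):
    """Return (step, traces, alarm) for each observation step.
    Assumption: an observable that fits no trace restarts tracking from x0."""
    # H must exceed any sum of L scores so that score >= H means "HPA seen".
    assert H_SCORE > L_SCORE * len(observations)
    levels = hazard_levels(A, xf)
    traces, report = [(x0,)], []
    for k, obs in enumerate(observations, start=1):
        traces = extend_traces(A, B, traces, obs)
        if not traces:
            traces = [(x0,)]
            report.append((k, [], False))
            continue
        alarm = max(trace_score(t, levels) for t in traces) >= H_SCORE
        report.append((k, list(traces), alarm))
    return report


if __name__ == "__main__":
    for step, traces, alarm in detect([1, 3, 4]):   # constructed sequence
        print(step, traces, "ALARM" if alarm else "-")
```

At step 2 of the constructed sequence, observable 3 is ambiguous: one surviving trace stays in an LPA state while two reach the HPA state, and the alarm is raised because at least one trace contains an HPA.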
Threat Score Computation
[Figure labels: Hypothetic Free States (Free_xk); k obs; WML]
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss

Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1

Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem, DLP)
• In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak

Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equations system should be solved for a, m, c, b, which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b)
• It can be shown that, even after capturing all N nodes in the network, the attacker gets ~ q^4 − Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
→ ~ q^4 solutions
ADL Component
[Diagram. Blocks: ADL, AR, AG, TM, WML, LCD, NetManager, Comms, Tuple Space, Remote Tuple Space. Flows: ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs]
AG sub-Component
[Diagram. Blocks: AG, Score Computation, Trace Estimation, TM, WML, Tuple Space. Flows: al[sk], Hp_xk, Free_xi<k, Free_xk]
TM Component
[Diagram. Blocks: TM (A, B, x0, xF), AG, AR, ADL, Remote Tuple Space. Flows: Hp_xk, ok]
NetManager Component
[Diagram. Blocks: NetManager, LCD, Comms, Tuple Space, TAKS, ARCHEA, AR. Flows: TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen ok/ko]
TAKS Component
[Diagram. Blocks: TAKS, Network Topology Authentication, Key Generation, LCD, Tuple Space, ARCHEA, AR, TinySec, Comms, TGMP. Flows: klj, ktj, σ(j), cm[s], TAKgen ok/ko, ReplaceKey, RevokeKey, TGMP msgs, RELEASE_ind(niCH)]
ARCHEA Component
[Diagram. Blocks: ARCHEA, Route Cost Computation, ARCHEA Manager, TAKS, Comms, AR. Flows: ARCHEA msgs, RELEASE_ind(niCH)]
TAK Gen Management Prot (TGMP)
[Sequence diagram between nodes ni and nj (LCDi, LCDj). Step markers: (1), (2). Labels: SETUP(kti); SETUP(ktj); ti · kti = 0; tj · ktj = 0; TAKi = f(kli, ktj); TAKj = f(klj, kti); TAK-ciphered link; RELEASE(kti ktj); RELEASE_ind(niCH); ARCHEA; TinySec RevokeKey(TAK); TinySec ReplaceKey(TAK)]
ARCHEA Protocol
[Sequence diagram between nodes ni, nj and nl (LCDi, LCDj). Step markers: (1), (2). Labels: EVALUATE_RC(hi σi); ni=CH = minRCi; UDPATE_H(hj); UDPATE_H(hl); RESET_H; hj = hl+1; σi=AN[σ(ni)]; hi; hj; RELEASE_ind(niCH); TAKS; TAK-ciphered link]
Doctorate Dissertation LrsquoAquila March 31st 2009
2
bull Data Samplingbull Command Disseminationbull Data Collection
ChallengesExample of WSN-based Health
Monitoring System
Node (Mote + Accelerometer Board)
Battery
Bi-directionalPath Antenna
Node (Mote + Accelerometer Board)
Battery
Bi-directionalPath Antenna
[source Culler D et al ldquoHealth Monitoring of Civil Infrastructures Using Wireless Sensor Networksrdquo SensorNet Architecture meeting Nov 2006]
Doctorate Dissertation LrsquoAquila March 31st 2009
3
Link Layer Cryptography
Intrusion Detection System
cross-layer
Secure
Platform
Securing the Monitoring System
Base Station (sink) External server
BS
Monitoring domains
Doctorate Dissertation LrsquoAquila March 31st 2009
4
Objective amp MethodologyO Design and implementation of a comprehensive cross-layer framework to provide WSN-based monitoring services with security (data confidentiality data entity authentication) and reliability (data integrity service availability)
Pilot project WINSOME (WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting) developed at DEWS premises
M RampD approachndash Cross-layer domain (link layer + net layer + appl layer) ndash Integration of the ldquotraditionalrdquo security techniques with novel
components and Cost Rebalancing (computation time and memory usage) to comply with WSN resource constraints
ndash Design Optimization (platform-based system design PBD)
ndash Modular SW Development (component-based sw design) ndash Dynamic Distributed Application Architecture (mobile agent-
based)
Doctorate Dissertation LrsquoAquila March 31st 2009
5
Outlinebull WINSOME PBD (I)bull Underlying Physical WSN Deploymentbull Underlying Logical WSN Deployment (ARCHEA)bull Link Layer Cryptographic Scheme (TAKS)bull WPM-based IDSbull WINSOME PBD (II)bull Next steps (near-term)bull Next steps (mid-term)
Doctorate Dissertation LrsquoAquila March 31st 2009
6
Distributed Architecture Platform-Based Model
Underlying WSN Deployment
Secure Platform
Application Execution Environment (AEE)
Application A1
Applications
SWcomponent
SWcomponent
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Application A2 Application An
Localmemory
MWservices
Sharedmemory
Doctorate Dissertation LrsquoAquila March 31st 2009
7
Agent-based Distributed Architecture Platform-Based Model
Underlying WSN Deployment
Secure Platform
Mobile Agent Application Execution Environment (MA-AEE)
Agent-based Applications
SWcomponent
SWcomponent
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Agent A1 AgentA2 AgentAn
Localmemory
MA-MWservices
Sharedmemory
Doctorate Dissertation LrsquoAquila March 31st 2009
8
WINSOME PBD (I)
Underlying WSN Deployment
Mobile Agent Application Execution Environment (MA-AEE)
IDSAgent comp
Monitoring Applications
IDSCore comp
Link layerCryptography
WSN TopologyManager
Secure Platform
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Integrity Monitoring
Agent
otheragents
MA-MWservices
Sharedmemory
Localmemory
Doctorate Dissertation LrsquoAquila March 31st 2009
9
Underlying WSN Deployment
Mobile Agent Application Execution Environment (MA-AEE)
IDSAgent comp
Monitoring Applications
IDSCore comp
Link layerCryptography
WSN TopologyManager
Secure Platform
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
IntegrityMonitoring
Agent
otheragents
MA-MWservices
Sharedmemory
Localmemory
Underlying WSN Deployment
Mobile Agent Application Execution Environment (MA-AEE)
IDSAgent comp
Monitoring Applications
IDSCore comp
Link layerCryptography
WSN TopologyManager
Secure Platform
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
IntegrityMonitoring
Agent
otheragents
MA-MWservices
Sharedmemory
Localmemory
WINSOME PBD (I)
AGILLA-basedMA-AEE
ARCHEA(Available Resource Cluster Head Election Algorithm)
TAKS(Topology Authenticated symmetric Key Scheme)
WPM-based IDS (Weak Process Model based Intrusion Detection System)
Doctorate Dissertation LrsquoAquila March 31st 2009
10
Underlying WSNPhysical WSN Deployment
Q Given a set of Sensor Nodes find the class of WSN physical deployments (geometrical nodes distributions) compliant to coverage (redundancy vs reliability) and resource requirements
Coverage-Cost Quality IndicatorsConditions for lossless lossy
detection
Min Redundancy Configuration Fundamental
cell
3r
r
Fundamentalcell
r
Max Reliability Configuration
A
Doctorate Dissertation LrsquoAquila March 31st 2009
11
Underlying WSNLogical WSN Deployment (Network
Topology)bull Dynamic Clustered Spanning Tree (DCST) It represents a design
assumption motivated byndash Cluster Heads (CHs) assigned on-demand (by a Cost Function)ndash Support to ldquodata centricrdquo applications (functions rarr data)ndash ldquoTable-lessrdquo routing protocolsndash Support to data aggregation fusion (at CHs)ndash Support the mobile agent propagation from CHs to their CMs
CH
CH
BS
CH
CH CH
BS
Doctorate Dissertation LrsquoAquila March 31st 2009
12
Underlying WSNPlanned Network Topology
bull Planned Network Topology (PNT graph) Defines the graph including the sub-set of DCSTs compliant to the specific constraints defined by the Planner (rarr admissible DCSTs)
ndash Each node knows its admissible neighborsbull How many DSCT in a given PNT Kirchhoffrsquos Theorem
N the nodes in the network lt σ gt average neighbors per node
1NN1
4
7 1
23
5
6
N = 7lt σ gt 34 220
σ(1) = 3σ(2) = 3σ(3) = 6σ(4) = 3σ(5) = 3σ(6) = 3σ(7) = 3
236
145
897
N = 9lt σ gt 44 15600
σ(1) = 3σ(2) = 5σ(3) = 8σ(4) = 5σ(5) = 3σ(6) = 5σ(7) = 3σ(8) = 3σ(9) = 5
Doctorate Dissertation LrsquoAquila March 31st 2009
13
WSN Topology Manager(ARCHEA)
A ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices
Q Given a WSN physical deployment and a Planned Network Topology find the class of ldquoshortrdquo and ldquobalancedrdquo admissible DCSTs compliant to resource requirements
Route-Cost Quality Indicators
bull It includes the conditions to preserve spanning trees in WSN [Sec 52]bull It is shown [Sec 54] that the elected CH has minimum Hop Count (hCH) to sink and maximum number of
CM [σ(CH)] respect to the other eligible nodes (rarr balanced cluster sizes)
bull Short and balanced DCST It represents a design assumption motivated byndash Reduced code transmission hops (for mobile agent propagation)ndash Augmented reliability in data aggregation at CHsndash ARCHEA and routing messages can be crypto-secured
Doctorate Dissertation LrsquoAquila March 31st 2009
14
TAKSDriving Ideas amp Tools
Link layer Cryptography provides security against outsider intruders bull TAKS are symmetric pair-wise no pre-distributed (only key
components are pre-distributed)bull TAKS is deterministicbull TAKs are symmetric keys generated using asymmetric mechanisms
(hybrid cryptography)bull Network Topology Authentication as pre-condition for TAK generationbull Cryptographic Entropy per TAK binit 1 bit (for any TAK length)bull Certification Authority is distributed on nodes of the admissible
DCSTsbull Reverse engineering problem more complex than Discrete Logarithm
Problem (DLP)bull Cryptographic information is classified in public restricted
private secretbull Vector algebra on GF(q) with q = 2k and k the TAK length in binit
Doctorate Dissertation LrsquoAquila March 31st 2009
15
TAKSTopology Authentication
bull Network Topology Authentication as pre-condition for TAK generation
bull If the Planner is also Certifierndash Planned Network Topology rarr Certified Network Topologyndash Admissible DCST rarr Authenticated DCST
bull Node in an Authenticated DCST becomes local CA because it knows its admissible neighbors
ndash Centralized CA rarr Distributed CA
TAK can be generated in a node pair only if mutual authentication has been successful therefore the resulting DCST is both admissible and authenticated
Doctorate Dissertation LrsquoAquila March 31st 2009
16TAK = Keyi = Keyi
ni nj
TrKeyCompi
TrKeyCompj
TrKeyCompi
Node nj is authenticated
LocPldTopi
V(TrKey Compj LocPldTopi = 0
YESKeyi = f (LocKey Compi TrKey Compj)
YESKeyj = f (LocKeyCompi TrKeyCompj)
Node ni is authenticatedV(TrKeyCompi LocPldTopj = 0
external server
IntrusionDetectionSystem
NO
NO
LocKeyCompiTrKeyCompjLocPldTopj
LocKeyCompj
TAK = Keyi = Keyi
ni nj
TrKeyCompi
TrKeyCompj
TrKeyCompi
Node nj is authenticated
LocPldTopi
V(TrKey Compj LocPldTopi = 0
YESKeyi = f (LocKey Compi TrKey Compj)
YESKeyj = f (LocKeyCompi TrKeyCompj)
Node ni is authenticatedV(TrKeyCompi LocPldTopj = 0
external server
IntrusionDetectionSystem
NO
NO
LocKeyCompiTrKeyCompjLocPldTopj
LocKeyCompj
TAK Generation
TAK Authentication Theorem [Sec 641]
TAK Generation Theorem [Sec 642]
f() and V() [Sec 64]are public (Kerchoffrsquos principle)
privaterestrictedrestricted
Local Conf Data [Sec 64]
Doctorate Dissertation LrsquoAquila March 31st 2009
17
Security AnalysisQ Is TAK a real cryptographic key Ie which is the cryptographic entropy per binit associated to TAKA It is shown [Sec 651] that TAK Cryptographic Entropy per binit is asymp 1
Q How much a single node is secure Ie how much complex is the inverse problem to break TAK Generators from the cryptographic information available on a single node (security level in a single node) A It is shown [Sec 652] that is harder than Discrete Logarithm Problem
Q How much a network is secure Ie how many nodes should be compromised to derive TAK Generators from the cryptographic information available on the network (security level in the network)A It is shown [Sec 653] that TAKS scheme is N-secure
Doctorate Dissertation LrsquoAquila March 31st 2009
18
Cost Analysisbull MICA2 8-bit processor ATMega128L 74 MHz assuming 20 clock
cycles per arithmetic logic operation the average computation time per 32-bit operation is 3 s
bull IMOTE 32-bit processor PXA271Xscale 312 416 MHz assuming 5 clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
bull Memory usage is bitsqlog)2(3 2
TAK length
Number of 32-bit
operations
Estimated computation
time (assuming
MICA2 motes)
Estimated computation
time (assuming
IMOTE motes)
Estimated memory usage
(assuming 4 )
128 bit 1400 5 ms 50 s 300 bytes 256 bit 13000 40 ms 400 s 600 bytes 512 bit 120000 370 ms 37 ms 1200 bytes
1024 bit 1100000 32 s 32 ms 2400 bytes
Doctorate Dissertation LrsquoAquila March 31st 2009
19
bull Intrusion Alarm Generation issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
bull Intrusion Reaction Logic (IRL) defines the defence strategy (schedule of interventions) and tracks correlated alarms
bull Intrusion Reaction Logic Application (IRLA) reacts to intrusion by applying the suited countermeasures (link release putting compromised nodes in quarantine distributing black lists grey lists hellip)
Reference IDS Macro-functions
IntrusionAlarm
GenerationLocal
Conf DataIntrusionReaction
Logic
IntrusionReaction
Application
Controlmessages
Doctorate Dissertation LrsquoAquila March 31st 2009
20
WPM-based IDSDriving Ideas amp Tools
IDS provides security against insider intrudersbull Incoming message Anomaly Rules Observablesbull Behavior is modelled using WPMbull WPM (Weak Process Model) vs HMM (Hidden Markov Model)
ndash Deterministic vs stochastic observable-state relationshipsndash ldquo0-1rdquo reachability rules for observable-state relationships
bull Classification of WPM states according to their topological position within the WPM machine (eg LPA HPA states) and according to the associated ldquothreat observablesrdquo (eg UPA states)
bull Threat Observables States Traces Scores Alarm Countermeasuresbull WPM (Weak Process Model) vs HMM (Hidden Markov Model)
ndash ldquopossible states tracesrdquo vs ldquothe most probable states tracerdquo (Viterbi)
ndash Possible states traces are equi-probablebull Alarm generation when at least a states trace contains at least an HPA
ndash Scores (weights) associated to state traces
Doctorate Dissertation LrsquoAquila March 31st 2009
21
WPM-based IDS Micro-functions
DefenceStrategy
AnomalyDetection
Logic
ThreatModel
AlarmTracking
Countermeasure Application
LocalConf Data
Controlmessages
Doctorate Dissertation LrsquoAquila March 31st 2009
22
WPM-based IDS Information Flow
DefenceStrategy
AnomalyDetection
Logic
ThreatModel
AlarmTracking
Countermeasure Application
LocalConf Data
Signalling IE
xkok
Al[sk]
cm(s)
Controlmessages
Doctorate Dissertation LrsquoAquila March 31st 2009
23
WPM-based Anomaly Detection Model
010010000000990000010009900100000
S
o6 = 3 1 4 2 5 6
al[01|01]
al[02|00]
1100
99
-100
-100
1100
-100
-100
99
-990
L = 1 H = 100
LPA
HPA
Score Matrix SScore Computation
WPM Algebraic Canonical Form
k=1 k=2 k=3 k=4 k=5 k=6
WPM States Traces
Doctorate Dissertation LrsquoAquila March 31st 2009
24
Threats from insider intruders
57CH
M
5 7
E
ni
nj
1
1CH
M
Eni
nj
1
1CH
M
33
Eni
nj
CH
M
1CH3
31
3
E
M
ni
nj nj
1E
ni1
3
low latencylink
HELLO Flooding SINKHOLE
inter-cluster WORMHOLEintra-cluster WORMHOLE
(HF) (SH)
(WH)
Doctorate Dissertation LrsquoAquila March 31st 2009
25
Examples of Anomaly RulesAR1 If nE has authenticated node nE node nE declares hE lt hi with hi ne 0 (in
other words node nE introduces itself as the new CH of ni but the current CH of ni is still alive) then ok = o1
AR2 If ni is CH and (rule AR1 or rule AR2) in nj is true then ok = o2This AR enables the ldquothreat observablesldquo back-propagation
AR3 If ni has authenticated node nE and node nE declares hE hi (in other words node nE introduces itself as a new cluster member M) then ok = o3This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables for a sequence of K observation steps with K a predefined threshold
hellip
Doctorate Dissertation LrsquoAquila March 31st 2009
26
WPM-based Single Threats Models
HELLO Flooding
SINKHOLE
WORMHOLE(HF)
(SH)
(WH)
(9)
HF_5RESET
HF_6SUCCESSFULLYH FLOODING
99
-1
-100
(56)
HF_11
(65)
HF_3
99
-1
-100
(78)
HF_21
(87)
HF_4
(9)
SH_3RESET
SH_4SUCCESSFULLY
SINKHOLE
99
-1
-100
(12)
SH_11
(12)
SH_2
(9)
WH_5RESET
WH_6SUCCESSFULLY
WORMHOLE
99
-1
-100
(12)
WH_11
(34)
WH_3
99
-1
-100
(34)
WH_21
(12)
WH_4
Doctorate Dissertation LrsquoAquila March 31st 2009
27
Al[sk]
Al[sk ]
Al[sk ]Aggregated Threat Model (I)
Al[sk](9)
X_9RESET
X_10SUCCESSFULLY
THREAT
99 99
-1
-100
(12)99
(87)
X_8
(34)
X_3
99
(56)
X_51
(78)
X_61
X_4
(34)
X_21
(65)
X_7
(12)
X_11
99
Doctorate Dissertation LrsquoAquila March 31st 2009
28
8886678555586775
(HF)
21221112112221
(SH)
312213342342244
(WH)
Security Analysis
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(HF)
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
0
100
200
300
400
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(SH)
ATMSTM
Doctorate Dissertation LrsquoAquila March 31st 2009
29
1
3
2
E
E
3 1
4
3
15 0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
Security Analysis
1
3 E
E
3 1
4
3
15
E
21
6
1
0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
(WH)
(WH)
(WH)
(SH)
(SH)
Doctorate Dissertation LrsquoAquila March 31st 2009
30
(9)
X_9RESET
X_10SUCCESSFULLY
THREAT
991 990
-10
-1000
(12)990
(87)
X_8
(34)
X_3
990
(56)
X_510
(78)
X_610
X_4
(34)
X_210
(65)
X_7
(12)
X_110
990
-1001
Aggregated Threat Model (II)
UPA state
Doctorate Dissertation LrsquoAquila March 31st 2009
31
Cost Analysisbull MICA2 8-bit processor ATMega128L 74 MHz) and assuming 20
clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 3 s
bull IMOTE 32-bit processor PXA271Xscale312 416 MHz) and assuming 5 clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
bull Memory usage is bytes2n3WMLn
nWML Number of 32-bit
operations
Estimated computation
time (assuming
MICA2 motes)
Estimated computation
time (assuming
IMOTE motes)
Estimated memory usage
(assuming 10n )
50 30000 100 ms 1 s 350 bytes 100 60000 200 ms 2 s 400 bytes
1000 600000 2 s 20 s 1300 bytes
Doctorate Dissertation LrsquoAquila March 31st 2009
32
AGILLA MA-AEEbull AGILLA is a mobile agent-based MW running on TinyOSbull Inter-agent communication via Tuple Space (rarr threat obs aggregation) bull Agents migrates via MOVE or CLONE (rarr agent propagation across DCST)bull STRONG or WEAK agent migrationbull Neighbor List (rarr admissible neighbors according to PNT graph)
TinyOS
Node (11)
Tuplespace
Agilla Middleware
Agents
TinyOS
Node (21)
Tuplespace
Agilla Middleware
Agentsmigrate
remote accessNeighbor
ListNeighbor
ListMiddleware Services Middleware Services
migrate
clone
MA-
AEE
[source Fok C-L et al ldquoAgilla A Mobile Agent Middleware for Sensor Networksrdquo Tech Report WUCSE-2006-16 2006]
Doctorate Dissertation LrsquoAquila March 31st 2009
33
Enhanced AGILLA MA-AEE
Underlying WSN Deployment
Secure Platform
AGILLA MA-AEE
Agent-based Applications
SWcomponent
SWcomponent
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Agent A1 AgentA2 AgentAn
Localmemory
AGILLAservices
Tuple space
Doctorate Dissertation LrsquoAquila March 31st 2009
34
IDS Functions Mapping
IRA
DefenseStrategy
AnomalyDetection
Logic
AlarmTracking
Countermeasure Application
Controlmessages
ThreatModel
LCD
IDSCore comp IRA
IDSMA comp
Intrusion Reaction Agent
Doctorate Dissertation LrsquoAquila March 31st 2009
35
IRA forward-propagation vs
Threat Observables back-propagation
IRA
Al[s] ok
IRAclone
1AGILLA MA-AEE
4AGILLA MA-AEE
5AGILLA MA-AEE
Al[s] ok
Al[s] ok Al[s] okAl[s] ok
3AGILLA MA-AEE
6AGILLA MA-AEE
2AGILLA MA-AEE
IRAclone
This mechanism avoids the injections of new IRA instances from the sink
Doctorate Dissertation LrsquoAquila March 31st 2009
36
WINSOME PBD (II)
Underlying WSN Deployment
AGILLA MA-AEE
IRAMonitoring Applications
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Integrity Monitoring
Agent
otheragents
AnomalyDetection
LogicThreatModel TAKS ARCHEA
Secure Platform
NetManagerLCDTuple Space
AGILLAservices
IDS core comp
Doctorate Dissertation LrsquoAquila March 31st 2009
37
Secure Platform internal Structure
AGILLA MA-AEEcm[s]
ok
al[sk]
al[sk]
Comms
NetManager
al[sk]
cm[s]
ok
Secure Platform
Control Msgs
Tuple Space
IRA
AGILLA MA-AEE
Remote Tuple Space
IRA
TMok
Hp_xk
ok
ADL
IRLIRLA
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
38
Next steps (near-term)bull Finalization of WINSOME components development
ndash on-going implementations of AGILLA enhancements bull 2 theses finalized 1 thesis in on-going
bull Extensions of WPM-based IDS to data messages ndash on-going jointly with UC Berkeley
bull Enhancements of WPM technique to reduce false positivesbull Extension of TAKS to cluster keys
Doctorate Dissertation LrsquoAquila March 31st 2009
39
Next steps (mid-term)
Anomaly Detectionapplied to sensed
data
Agent basedSW design
Further WPM-based
Threat Modeling
DetectionProcess
Threat Identification Mechanisms
Applications to Hybrid Systems
Control
MonitoringTheory
MWService SupportEnhancement
CooperativeCommunication
s
WINSOME Project
DefenceStrategies
Doctorate Dissertation LrsquoAquila March 31st 2009
40
Scientific Contributions[1]M Pugliese and F Santucci ldquoPair-wise Network Topology Authenticated
Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebrardquo in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08) Atlanta 2008
[2]M Pugliese A Giani and F Santucci ldquoA Weak Process Approach to Anomaly Detection in Wireless Sensor Networksrdquo in 1st International Workshop on Sensor Networks (SN08) Virgin Islands 2008
Doctorate Dissertation LrsquoAquila March 31st 2009
41
In preparationbull M Pugliese A Giani and F Santucci ldquoWeak Process Models for
Attack Detection in a Clustered Sensor Network using Mobile Agentsrdquo submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
bull M Pugliese and F Santucci ldquoA Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
bull M Pugliese L Pomante and F Santucci ldquoAgent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
Doctorate Dissertation LrsquoAquila March 31st 2009
42
AcronymsADL Anomaly Detection LogicAR Anomaly RulesAGILLA AGile bombILLAARCHEA Available Resource Cluster-Head Election AlgorithmDCST Dynamic Clustered Spanning TreeDLP Discrete Logarithm ProblemGF Galois FieldHMM Hidden Markov ModelHPA High Potential AttackIDS Intrusion Detection SystemIRA Intrusion Reaction AgentIRL Intrusion Reaction LogicLCD Local Configuration DataLPA Low Potential AttackTAKS Topology Authenticated Key SchemeTGMP TAK Generation Management ProtocolWINSOME WIreless sensor Network-based Secure system fOr
structural integrity Monitoring and alErtingWML WPM Memory LengthWPM Weak Process ModelWSN Wireless Sensor Network
Doctorate Dissertation LrsquoAquila March 31st 2009
43
Grazie per lrsquoAttenzione
Doctorate Dissertation LrsquoAquila March 31st 2009
44
BACKUP SLIDES
Doctorate Dissertation LrsquoAquila March 31st 2009
45
Underlying WSNPhysical WSN Deployment
bull Metricsndash Sensor Node Density (SND) It is defined as the ratio between
the number of sensor nodes and the aggregated coverage (supposing circular areas r = 1) generated by each sensor node
ndash Overlapping Detection Spot Percentage (ODSP) It is defined as the percentage of the aggregated overlapped coverage generated by all SND respect to the coverage area generated by a generic sensor node
bull Coverage-cost criteriandash Minimize SNDODSP to mimimize coverage redundancy for a
given SND ndash Minimize SNDODSP to maximize coverage reliability for a given
SND
Doctorate Dissertation LrsquoAquila March 31st 2009
46
Underlying WSNCoverage-cost Quality Indicators
bull The minimum for the product SNDODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
bull The minimum for the ratio SNDODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell SND ODSP SNDODSP SND ODSP SNs at the centre of hexagon 033 034 011 097 SNs at the centre of square 033 072 024 046 SNs at the vertices of hexagon 036 234 084 015 SNs at the vertices of square 036 156 056 023
Doctorate Dissertation LrsquoAquila March 31st 2009
47
18
23
5
11
4
17
8
1
20
15
9
21
24
19
25
16 6 13 10 22
12 3 2 7 14
Underlying WSNDCST Deployment
Doctorate Dissertation LrsquoAquila March 31st 2009
48
11
4
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
57
TAK Authentication Theorem
In a node pair ni and nj if t σ(i) exists such that g(t ktj) = t bullktj = 0 then node nj is authenticated by node ni Viceversa if t σ(j) exists such that g(t kti) = t bullkti = 0 then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
bull LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical ldquoplannedrdquo neighbors for node ibull TAK authentication needs of
ndash TrKeyCompj vector ktj from node nj (the prover) ndash LocPldTopi vector t for node ni (the verifier) ndash If ktj ti = 0 then node nj is admissible ie included in the Planned Network Topology
bull The verification function g() is defined as the scalar product between t and kt this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1

Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem, DLP).
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak

Security Analysis: Security Level in a network
In case a node has been captured, the following system of non-algebraic equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network:
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3+3), 10 variables (a, m, c, b)
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
→ ~ q^4 solutions

ADL Component
[Figure: ADL Component block diagram. Blocks: AR, AG, TM, WML, LCD, Tuple Space, Remote Tuple Space, NetManager, Comms. Signals: ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs]

AG sub-Component
[Figure: AG sub-Component block diagram. Blocks: Trace Estimation, Score Computation, WML, TM, Tuple Space. Signals: Hp_xk, Free_xk, Free_xi (i < k), al[sk]]

TM Component
[Figure: TM Component block diagram. TM holds A, B, x0, xF. Blocks: AG, AR, ADL, Remote Tuple Space. Signals: ok, Hp_xk]

NetManager Component
[Figure: NetManager Component block diagram. Blocks: NetManager, TAKS, ARCHEA, AR, LCD, Comms, Tuple Space. Signals: TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen ok/ko]

TAKS Component
[Figure: TAKS Component block diagram. Blocks: Network Topology Authentication, Key Generation, TGMP, LCD, TinySec, ARCHEA, AR, Comms, Tuple Space. Signals: klj, ktj, σ(j), cm[s], TAKgen ok/ko, ReplaceKey, RevokeKey, TGMP msgs, RELEASE_ind(niCH)]

ARCHEA Component
[Figure: ARCHEA Component block diagram. Blocks: Route Cost Computation, ARCHEA Manager, TAKS, AR, Comms. Signals: ARCHEA msgs, RELEASE_ind(niCH)]

TAK Gen Management Prot (TGMP)
[Figure: TGMP message sequence between nodes ni and nj (LCDi, LCDj), steps (1) and (2). Messages: SETUP(kti), SETUP(ktj), RELEASE(kti ktj), RELEASE_ind(niCH) towards ARCHEA. Annotations: ti · kti = 0, tj · ktj = 0, TAKi = f(kli, ktj), TAKj = f(klj, kti), TAK-ciphered link, TinySecReplaceKey(TAK), TinySecRevokeKey(TAK)]

ARCHEA Protocol
[Figure: ARCHEA message sequence between nodes ni, nj and nl (LCDi, LCDj), steps (1) and (2). Messages: EVALUATE_RC(hi σi), UDPATE_H(hj), UDPATE_H(hl), RESET_H, RELEASE_ind(niCH) towards TAKS. Annotations: ni=CH = minRCi, hj = hl+1, σi=AN[σ(ni)], TAK-ciphered link]

Objective & Methodology
O: Design and implementation of a comprehensive cross-layer framework to provide WSN-based monitoring services with security (data confidentiality, data entity authentication) and reliability (data integrity, service availability)
Pilot project: WINSOME (WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting), developed at DEWS premises
M: R&D approach
  - Cross-layer domain (link layer + net layer + appl layer)
  - Integration of the "traditional" security techniques with novel components and Cost Rebalancing (computation time and memory usage) to comply with WSN resource constraints
  - Design Optimization (platform-based system design, PBD)
  - Modular SW Development (component-based sw design)
  - Dynamic Distributed Application Architecture (mobile agent-based)

Outline
• WINSOME PBD (I)
• Underlying Physical WSN Deployment
• Underlying Logical WSN Deployment (ARCHEA)
• Link Layer Cryptographic Scheme (TAKS)
• WPM-based IDS
• WINSOME PBD (II)
• Next steps (near-term)
• Next steps (mid-term)

Distributed Architecture: Platform-Based Model
[Figure: layered platform model. Blocks: Applications (Application A1, Application A2, Application An), Application Execution Environment (AEE) with MW services, Local memory and Shared memory, Secure Platform (SW components), Underlying WSN Deployment (Sensor Nodes)]

Agent-based Distributed Architecture: Platform-Based Model
[Figure: layered platform model. Blocks: Agent-based Applications (Agent A1, Agent A2, Agent An), Mobile Agent Application Execution Environment (MA-AEE) with MA-MW services, Local memory and Shared memory, Secure Platform (SW components), Underlying WSN Deployment (Sensor Nodes)]

WINSOME PBD (I)
[Figure: WINSOME platform-based design. Blocks: Monitoring Applications (Integrity Monitoring Agent, other agents), MA-AEE (MA-MW services, Shared memory, Local memory), Secure Platform (IDS Agent comp, IDS Core comp, Link layer Cryptography, WSN Topology Manager), Underlying WSN Deployment (Sensor Nodes)]

WINSOME PBD (I)
[Figure: the same block diagram, annotated with the adopted solutions]
AGILLA-based MA-AEE
ARCHEA (Available Resource Cluster Head Election Algorithm)
TAKS (Topology Authenticated symmetric Key Scheme)
WPM-based IDS (Weak Process Model based Intrusion Detection System)

Underlying WSN: Physical WSN Deployment
Q: Given a set of Sensor Nodes, find the class of WSN physical deployments (geometrical nodes distributions) compliant to coverage (redundancy vs reliability) and resource requirements
A: Coverage-Cost Quality Indicators; conditions for lossless lossy detection
[Figure: fundamental cells of the Min Redundancy Configuration and of the Max Reliability Configuration, with distances labelled r and 3r]

Underlying WSN: Logical WSN Deployment (Network Topology)
• Dynamic Clustered Spanning Tree (DCST): it represents a design assumption motivated by
  - Cluster Heads (CHs) assigned on-demand (by a Cost Function)
  - Support to "data centric" applications (functions → data)
  - "Table-less" routing protocols
  - Support to data aggregation fusion (at CHs)
  - Support the mobile agent propagation from CHs to their CMs
[Figure: clustered spanning trees with Cluster Heads (CH) and Base Station (BS)]

Underlying WSN: Planned Network Topology
• Planned Network Topology (PNT graph): defines the graph including the sub-set of DCSTs compliant to the specific constraints defined by the Planner (→ admissible DCSTs)
  - Each node knows its admissible neighbors
• How many DCSTs in a given PNT? Kirchhoff's Theorem: $\frac{1}{N}\langle\sigma\rangle^{N-1}$
  N: the nodes in the network; <σ>: average neighbors per node
[Figure: two example PNT graphs, with 7 and 9 nodes]
N = 7, <σ> = 3.4: 220; σ(1) = 3, σ(2) = 3, σ(3) = 6, σ(4) = 3, σ(5) = 3, σ(6) = 3, σ(7) = 3
N = 9, <σ> = 4.4: 15600; σ(1) = 3, σ(2) = 5, σ(3) = 8, σ(4) = 5, σ(5) = 3, σ(6) = 5, σ(7) = 3, σ(8) = 3, σ(9) = 5

WSN Topology Manager (ARCHEA)
Q: Given a WSN physical deployment and a Planned Network Topology, find the class of "short" and "balanced" admissible DCSTs compliant to resource requirements
A: ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices
Route-Cost Quality Indicators
• It includes the conditions to preserve spanning trees in WSN [Sec 52]
• It is shown [Sec 54] that the elected CH has minimum Hop Count (hCH) to the sink and maximum number of CMs [σ(CH)] with respect to the other eligible nodes (→ balanced cluster sizes)
• Short and balanced DCST: it represents a design assumption motivated by
  - Reduced code transmission hops (for mobile agent propagation)
  - Augmented reliability in data aggregation at CHs
  - ARCHEA and routing messages can be crypto-secured

TAKS: Driving Ideas & Tools
Link layer Cryptography provides security against outsider intruders
• TAKs are symmetric, pair-wise, not pre-distributed (only key components are pre-distributed)
• TAKS is deterministic
• TAKs are symmetric keys generated using asymmetric mechanisms (hybrid cryptography)
• Network Topology Authentication as pre-condition for TAK generation
• Cryptographic Entropy per TAK binit ≈ 1 bit (for any TAK length)
• Certification Authority is distributed on nodes of the admissible DCSTs
• Reverse engineering problem more complex than the Discrete Logarithm Problem (DLP)
• Cryptographic information is classified in public, restricted, private, secret
• Vector algebra on GF(q) with q = 2^k and k the TAK length in binit

TAKS: Topology Authentication
• Network Topology Authentication as pre-condition for TAK generation
• If the Planner is also Certifier
  - Planned Network Topology → Certified Network Topology
  - Admissible DCST → Authenticated DCST
• A node in an Authenticated DCST becomes a local CA because it knows its admissible neighbors
  - Centralized CA → Distributed CA
TAK can be generated in a node pair only if mutual authentication has been successful; therefore the resulting DCST is both admissible and authenticated

TAK Generation
[Figure: TAK generation flowchart between nodes ni and nj. The nodes exchange TrKeyCompi and TrKeyCompj. Checks: V(TrKeyCompj, LocPldTopi) = 0 (YES: node nj is authenticated, Keyi = f(LocKeyCompi, TrKeyCompj)) and V(TrKeyCompi, LocPldTopj) = 0 (YES: node ni is authenticated, Keyj = f(LocKeyCompi, TrKeyCompj)); the NO branches point to the Intrusion Detection System (external server). Result: TAK = Keyi = Keyi]
TAK Authentication Theorem [Sec 641]
TAK Generation Theorem [Sec 642]
f() and V() [Sec 64] are public (Kerckhoffs's principle)
Local Conf Data [Sec 64]: LocKeyComp (private), TrKeyComp (restricted), LocPldTop (restricted)

Security Analysis
Q: Is TAK a real cryptographic key, i.e. what is the cryptographic entropy per binit associated with TAK?
A: It is shown [Sec 651] that the TAK Cryptographic Entropy per binit is ≈ 1
Q: How secure is a single node, i.e. how complex is the inverse problem of breaking the TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec 652] that it is harder than the Discrete Logarithm Problem
Q: How secure is a network, i.e. how many nodes should be compromised to derive the TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec 653] that the TAKS scheme is N-secure

Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 μs
• IMOTE (32-bit processor PXA271 XScale, 312/416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 μs (assuming a conservative 300 MHz clock)
• Memory usage is $3(\sigma + 2)\log_2 q$ bits

| TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming σ = 4) |
|---|---|---|---|---|
| 128 bit | 1400 | 5 ms | 50 μs | 300 bytes |
| 256 bit | 13000 | 40 ms | 400 μs | 600 bytes |
| 512 bit | 120000 | 370 ms | 3.7 ms | 1200 bytes |
| 1024 bit | 1100000 | 3.2 s | 32 ms | 2400 bytes |

Reference IDS Macro-functions
• Intrusion Alarm Generation: issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL): defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA): reacts to intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists, grey lists, …)
[Figure: blocks Intrusion Alarm Generation, Intrusion Reaction Logic and Intrusion Reaction Application, with Local Conf Data and Control messages]

WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message Anomaly Rules Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  - Deterministic vs stochastic observable-state relationships
  - "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables States Traces Scores Alarm Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  - "possible states traces" vs "the most probable states trace" (Viterbi)
  - Possible states traces are equi-probable
• Alarm generation when at least one states trace contains at least one HPA
  - Scores (weights) associated to state traces

WPM-based IDS Micro-functions
[Figure: blocks Anomaly Detection Logic, Threat Model, Alarm Tracking, Defence Strategy, Countermeasure Application, Local Conf Data, Control messages]

WPM-based IDS Information Flow
[Figure: the same blocks with the exchanged signals: Signalling IE, ok, xk, Al[sk], cm(s)]

WPM-based Anomaly Detection Model
[Figure: panels WPM Algebraic Canonical Form, WPM States Traces (k=1 to k=6), Score Matrix S and Score Computation; labels: o6 = 3 1 4 2 5 6, L = 1, H = 100, LPA, HPA, al[01|01], al[02|00]]

Threats from insider intruders
[Figure: cluster diagrams (nodes CH, M, E, ni, nj) for HELLO Flooding (HF), SINKHOLE (SH), inter-cluster WORMHOLE and intra-cluster WORMHOLE (WH), the latter with a low latency link]

Examples of Anomaly Rules
AR1: If nE has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if there are no observables for a sequence of K observation steps, with K a predefined threshold
…

WPM-based Single Threats Models
[Figure: state diagrams for HELLO Flooding (HF; states HF_1 to HF_4, HF_5 RESET, HF_6 SUCCESSFULLY H FLOODING), SINKHOLE (SH; states SH_1, SH_2, SH_3 RESET, SH_4 SUCCESSFULLY SINKHOLE) and WORMHOLE (WH; states WH_1 to WH_4, WH_5 RESET, WH_6 SUCCESSFULLY WORMHOLE), with observable labels in parentheses and scores 1, 99, -1, -100]

Aggregated Threat Model (I)
[Figure: aggregated state diagram with states X_1 to X_8, X_9 RESET and X_10 SUCCESSFULLY THREAT, observable labels (12), (34), (56), (65), (78), (87), (9), scores 1, 99, -1, -100, and alarms Al[sk]]

Security Analysis
[Figure: score versus observation step (obs 1 to 31) for the observable sequences 8886678555586775 (HF), 21221112112221 (SH) and 312213342342244 (WH); curves ATM and STM]

Security Analysis
[Figure: two network scenarios with nodes E, labelled (WH) and (SH), each with a plot of score versus observation step (obs 1 to 31)]

Aggregated Threat Model (II)
[Figure: aggregated state diagram with states X_1 to X_8, X_9 RESET and X_10 SUCCESSFULLY THREAT, scores 10, 990, 991, -10, -1000, -1001, and a UPA state]

Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 μs
• IMOTE (32-bit processor PXA271 XScale, 312/416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 μs (assuming a conservative 300 MHz clock)
• Memory usage is $n_{WML} + 3n^2$ bytes

| nWML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10) |
|---|---|---|---|---|
| 50 | 30000 | 100 ms | 1 s | 350 bytes |
| 100 | 60000 | 200 ms | 2 s | 400 bytes |
| 1000 | 600000 | 2 s | 20 s | 1300 bytes |

AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two nodes, (1,1) and (2,1), each running TinyOS, the Agilla Middleware (Middleware Services, Tuplespace, Neighbor List) and Agents; arrows labelled migrate, clone and remote access; the middleware layer is marked MA-AEE]
[source: Fok C-L et al, "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech Report WUCSE-2006-16, 2006]

Enhanced AGILLA MA-AEE
[Figure: layered platform model. Blocks: Agent-based Applications (Agent A1, Agent A2, Agent An), AGILLA MA-AEE (AGILLA services, Tuple space, Local memory), Secure Platform (SW components), Underlying WSN Deployment (Sensor Nodes)]

IDS Functions Mapping
[Figure: IDS functions Anomaly Detection Logic, Threat Model, Alarm Tracking, Defense Strategy, Countermeasure Application, LCD and Control messages; labels: IDS Core comp, IDS MA comp, IRA (Intrusion Reaction Agent)]

IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running the AGILLA MA-AEE; labels: IRA, IRA clone, Al[s], ok]
This mechanism avoids the injection of new IRA instances from the sink

WINSOME PBD (II)
[Figure: WINSOME platform-based design. Blocks: Monitoring Applications (Integrity Monitoring Agent, other agents, IRA), AGILLA MA-AEE (AGILLA services, Tuple Space), Secure Platform (IDS core comp: Anomaly Detection Logic, Threat Model; TAKS, ARCHEA, NetManager, LCD), Underlying WSN Deployment (Sensor Nodes)]

Secure Platform internal Structure
[Figure: Secure Platform block diagram. Blocks: ADL, TM, IRL, IRLA, LCD, NetManager, Comms, AGILLA MA-AEE with IRA and Tuple Space, remote AGILLA MA-AEE with IRA and Remote Tuple Space. Signals: ok, Hp_xk, al[sk], cm[s], Control Msgs]

Next steps (near-term)
• Finalization of WINSOME components development
  - on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  - on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys

Next steps (mid-term)
[Figure: topics around the WINSOME Project: Anomaly Detection applied to sensed data, Agent based SW design, Further WPM-based Threat Modeling, Detection Process, Threat Identification Mechanisms, Applications to Hybrid Systems, Control, Monitoring Theory, MW Service Support Enhancement, Cooperative Communications, Defence Strategies]

Scientific Contributions
[1] M Pugliese and F Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M Pugliese, A Giani and F Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008

In preparation
• M Pugliese, A Giani and F Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M Pugliese and F Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M Pugliese, L Pomante and F Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"

Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network

Thank you for your attention

BACKUP SLIDES

Underlying WSN: Physical WSN Deployment
• Metrics
  - Sensor Node Density (SND): it is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  - Overlapping Detection Spot Percentage (ODSP): it is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  - Minimize SND·ODSP to minimize coverage redundancy for a given SND
  - Minimize SND/ODSP to maximize coverage reliability for a given SND

Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

| Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP |
|---|---|---|---|---|
| SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97 |
| SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46 |
| SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15 |
| SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23 |

Underlying WSN: DCST Deployment
[Figure: DCST deployed over a network of 25 numbered nodes]

Underlying WSN: DCST Self-Organization
[Figures: five successive slides showing the DCST over the same 25 numbered nodes as it self-organizes]

Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

| | <CH> | <σ> | <h> |
|---|---|---|---|
| DCST-Deployment | 0.36 | 0.33 | 0.80 |
| DCST-SO: down 3 | 0.38 | 0.32 | 0.84 |
| DCST-SO: down 3-4 | 0.39 | 0.31 | 0.87 |
| DCST-SO: down 3-4-11 | 0.45 | 0.26 | 1.03 |
| DCST-SO: down 3-4-11-8 | 0.48 | 0.25 | 1.17 |
| DCST-SO: rearrange 12 | 0.48 | 0.25 | 1.10 |

TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer, for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any u in U is a 3-ple where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
  R1: Be a one-way function
  R2: must hold for
      const)u(f)u(f)u(f)u(f Uuu
      where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: Be a one-way function
  R4: V(v, v') = 0 only for a particular sub-set of values v v' V U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder

TAKS Definitions (2/2): Local Configuration Data
a. Let A U M U. Elements in A are defined as follows: a a' A if mM exists such that m(a × a') ≠ 0. A and M are secret
b. Let b B GF(q) not a generator) in B. B is secret
c. Let c C U. C is secret
d. Let the explicit expression for where mM satisfied Ass (a) and kGF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because for where (hereafter omitted) is the mod q product
e. Let kl kl' KL U (private) and kt kt' KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t T U (restricted) be the LocPldTop such that for the generic kt KT is t · kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj

TAK Authentication Theorem
In a node pair ni and nj, if a t in σ(i) exists such that g(t, ktj) = t · ktj = 0, then node nj is authenticated by node ni. Vice versa, if a t in σ(j) exists such that g(t, kti) = t · kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor of node i
• TAK authentication needs:
  - TrKeyCompj: vector ktj from node nj (the prover)
  - LocPldTopi: vector t for node ni (the verifier)
  - If ktj · ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant with requirements R3 and R4
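
The verifier-side check described in the theorem, as an added example that is not taken from the slides or from the WINSOME code. It assumes a toy field GF(2^4) with polynomial x^4 + x + 1 so that the exhaustive count is feasible; the function names and the sample vectors are constructed for illustration, and building kt as a vector product is only a way to obtain test data, not the TAKS key-component definition.

```python
"""Topology authentication check g(t, kt) = t . kt over GF(2^k) (added example)."""
from itertools import product

K = 4                 # toy field GF(2^4); TAKS sets k to the TAK length
POLY = 0b10011        # x^4 + x + 1, irreducible over GF(2) (assumed polynomial)
Q = 1 << K


def gf_mul(a, b):
    """Multiply two GF(2^K) elements: carry-less multiply reduced by POLY."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= POLY
    return result


def dot(u, v):
    """Scalar product in GF(2^K)^3; addition in characteristic 2 is XOR."""
    acc = 0
    for x, y in zip(u, v):
        acc ^= gf_mul(x, y)
    return acc


def cross(u, v):
    """Vector product in GF(2^K)^3 (subtraction is XOR as well)."""
    return (
        gf_mul(u[1], v[2]) ^ gf_mul(u[2], v[1]),
        gf_mul(u[2], v[0]) ^ gf_mul(u[0], v[2]),
        gf_mul(u[0], v[1]) ^ gf_mul(u[1], v[0]),
    )


def authenticate(kt, loc_pld_top):
    """Verifier side: index of the topology vector t with t . kt = 0, else None.

    The all-zero kt satisfies the equation for every t, so it is rejected
    outright (a sanity check added here, not stated on the slides).
    """
    if len(kt) != 3 or any(not 0 <= c < Q for c in kt):
        raise ValueError("kt must be a 3-ple of GF(q) elements")
    if tuple(kt) == (0, 0, 0):
        return None
    for index, t in enumerate(loc_pld_top):
        if dot(t, kt) == 0:
            return index
    return None


def accepted_fraction(t):
    """Count the kt in GF(q)^3 with t . kt = 0 (exhaustive, toy q only)."""
    hits = sum(1 for kt in product(range(Q), repeat=3) if dot(t, kt) == 0)
    return hits, Q ** 3


# Constructed sample data: node ni has two planned neighbors with topology
# vectors T_A and T_B. Each neighbor's kt is built as t x r so that
# t . kt = 0 holds; this only produces test vectors.
T_A, T_B = (1, 2, 3), (7, 1, 5)
LOC_PLD_TOP_I = [T_A, T_B]
KT_A = cross(T_A, (4, 5, 6))
KT_B = cross(T_B, (9, 2, 11))
KT_UNPLANNED = (1, 0, 0)     # non-zero scalar product with both T_A and T_B

if __name__ == "__main__":
    for name, kt in (("A", KT_A), ("B", KT_B), ("unplanned", KT_UNPLANNED)):
        print(name, kt, "->", authenticate(kt, LOC_PLD_TOP_I))
    print("kt accepted for one t: %d of %d" % accepted_fraction(T_A))
```

For one topology vector exactly q^2 of the q^3 possible kt satisfy the check, so the check is only meaningful for the large q the slides require (q >> N).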

WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1 x2 … xk, xi in X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1 o2 … ok, with oi in O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = (i = 1 … k-1) (xk A · Free_xi)

WPM-based Threat Model: Algebraic Canonical Form
$x_{k+1} = A x_k$
$o_k = B x_k$
$A = \begin{pmatrix} 0&1&1&0&0 \\ 0&0&0&1&0 \\ 0&1&0&0&1 \\ 0&1&0&0&1 \\ 0&0&0&0&0 \end{pmatrix}$ (i-th column gives the states reachable from the i-th state)
$B = \begin{pmatrix} 1&0&0&0&1 \\ 0&1&0&0&0 \\ 0&0&1&1&0 \\ 1&1&0&1&0 \\ 0&0&1&0&0 \\ 1&0&0&0&1 \end{pmatrix}$ (i-th column gives the observables of the i-th state)
$x_0 = (0\ 0\ 0\ 0\ 1)^T$, $x_F = (1\ 0\ 0\ 0\ 0)^T$

WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: hypothetic states for observation steps k = 1 to 6, over nodes labelled 1 to 5]
o1 = 3: x1 = 4, x1 = 5 (x1 = B^T o1)
o2 = 1: x2 = 1, x2 = 5 (x2 = B^T o2)
o3 = 4: x3 = 2, x3 = 3 (x3 = B^T o3)
o4 = 2: x4 = 3 (x4 = B^T o4)
o5 = 5: x5 = 4 (x5 = B^T o5)
o6 = 6: x6 = 1, x6 = 5 (x6 = B^T o6)
x2 = A x1, x3 = A x2, x4 = A x3, x5 = A x4, x6 = A x5
Tr1_6 = 1245, Tr2_6 = 1351
$x_{k+1} = A x_k$, $x_k = B^T o_k$
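
An added example (not from the slides or the WINSOME code) that runs the definitions above on the A, B, x0 and xF of the algebraic canonical form and applies the LPA/HPA hazard levels. It assumes the slide's digit strings for A and B are flattened row by row, uses a plain intersection of reachable states and hypothetic engaged states in place of the slides' trace and score formulas, and restarts from x0 when an observation fits no trace; all function names and the observation sequences in the test are constructed for illustration.

```python
"""WPM state-set tracking with LPA/HPA hazard classification (added example)."""
from collections import deque

# Digit strings as they appear on the canonical-form slide, read row by row
# (an assumption about the flattened layout). Column j of A lists the states
# reachable from state j; column j of B lists the observables of state j.
A_DIGITS = "0110000010010010100100000"          # 5 x 5
B_DIGITS = "100010100000110110100010010001"     # 6 x 5
N_STATES, N_OBS = 5, 6
X0, XF = 5, 1   # initial and final state (1-based): x0 = 00001, xF = 10000


def to_matrix(digits, rows, cols):
    """Turn a flat 0/1 digit string into a rows x cols matrix."""
    if len(digits) != rows * cols or set(digits) - {"0", "1"}:
        raise ValueError("digit string does not match a 0/1 matrix of that shape")
    return [[int(digits[r * cols + c]) for c in range(cols)] for r in range(rows)]


A = to_matrix(A_DIGITS, N_STATES, N_STATES)
B = to_matrix(B_DIGITS, N_OBS, N_STATES)


def successors(state):
    """States reachable in one step from `state` (column `state` of A)."""
    return {i + 1 for i in range(N_STATES) if A[i][state - 1]}


def hypothetic_states(obs):
    """Hp_x_k = B^T o_k: states that can emit observable `obs` (row of B)."""
    if not 1 <= obs <= N_OBS:
        raise ValueError(f"unknown observable o{obs}")
    return {j + 1 for j in range(N_STATES) if B[obs - 1][j]}


def hops_to_final():
    """Backward breadth-first search from xF: hop distance of each state."""
    dist = {XF: 0}
    queue = deque([XF])
    while queue:
        target = queue.popleft()
        for s in range(1, N_STATES + 1):
            if s not in dist and target in successors(s):
                dist[s] = dist[target] + 1
                queue.append(s)
    return dist


def hazard_level(state, dist):
    """HPA: 1 hop from the final state; LPA: at least 2 hops; else NONE."""
    hops = dist.get(state)
    if hops == 1:
        return "HPA"
    if hops is not None and hops >= 2:
        return "LPA"
    return "NONE"   # the final state itself, or a state that cannot reach xF


def track(observations):
    """Follow every state consistent with the observations; alarm on any HPA."""
    dist = hops_to_final()
    possible = {X0}
    report = []
    for k, obs in enumerate(observations, start=1):
        reachable = set().union(*(successors(s) for s in possible))
        possible = reachable & hypothetic_states(obs)
        if not possible:
            # The observation fits no trace of the threat model: restart at x0.
            report.append((k, obs, [], False))
            possible = {X0}
            continue
        alarm = any(hazard_level(s, dist) == "HPA" for s in possible)
        report.append((k, obs, sorted(possible), alarm))
    return report


if __name__ == "__main__":
    for step in track([4, 2, 6]):   # constructed observation sequence
        print("k=%d o%d states=%s alarm=%s" % step)
```

With this reading of A, states 2 and 3 are HPA and states 4 and 5 are LPA, so an ambiguous observable such as o3 (states 3 or 4) already raises an alarm because one of the possible traces contains an HPA state.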
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem, DLP)
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic system of equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 − Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
ADL Component
[Figure: block diagram; labels: ADL, AR, AG, TM, WML, LCD, Tuple Space, Remote Tuple Space, NetManager, Comms; signals: ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs]
AG sub-Component
[Figure: block diagram; labels: AG, Trace Estimation, Score Computation, WML, TM, Tuple Space; signals: Hp_xk, Free_xk, Free_xi<k, al[sk]]
TM Component
[Figure: block diagram; labels: TM (A, B, x0, xF), ADL, AG, AR, Remote Tuple Space; signals: ok, Hp_xk]
NetManager Component
[Figure: block diagram; labels: NetManager, AR, TAKS, ARCHEA, LCD, Comms, Tuple Space; signals: TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen okko]
TAKS Component
[Figure: block diagram; labels: TAKS, Network Topology Authentication, Key Generation, TGMP, AR, LCD, Tuple Space, ARCHEA, TinySec, Comms; signals: klj, ktj, σ(j), cm[s], TAKgen okko, ReplaceKey, RevokeKey, TGMP msgs, RELEASE_ind(niCH)]
ARCHEA Component
[Figure: block diagram; labels: ARCHEA, Route Cost Computation, ARCHEA Manager, AR, TAKS, Comms; signals: ARCHEA msgs, RELEASE_ind(niCH)]
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
Objective & Methodology
O: Design and implementation of a comprehensive cross-layer framework to provide WSN-based monitoring services with security (data confidentiality, data entity authentication) and reliability (data integrity, service availability)
Pilot project: WINSOME (WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting), developed at DEWS premises
M: R&D approach
- Cross-layer domain (link layer + net layer + appl layer)
- Integration of the "traditional" security techniques with novel components, and Cost Rebalancing (computation time and memory usage) to comply with WSN resource constraints
- Design Optimization (platform-based system design, PBD)
- Modular SW Development (component-based sw design)
- Dynamic Distributed Application Architecture (mobile agent-based)
Outline
• WINSOME PBD (I)
• Underlying Physical WSN Deployment
• Underlying Logical WSN Deployment (ARCHEA)
• Link Layer Cryptographic Scheme (TAKS)
• WPM-based IDS
• WINSOME PBD (II)
• Next steps (near-term)
• Next steps (mid-term)
Distributed Architecture: Platform-Based Model
[Figure: layered platform model; labels: Applications, Application A1, Application A2, Application An, Application Execution Environment (AEE), Secure Platform, SW component, MW services, Local memory, Shared memory, Underlying WSN Deployment, Sensor Node]
Agent-based Distributed Architecture: Platform-Based Model
[Figure: layered platform model; labels: Agent-based Applications, Agent A1, Agent A2, Agent An, Mobile Agent Application Execution Environment (MA-AEE), Secure Platform, SW component, MA-MW services, Local memory, Shared memory, Underlying WSN Deployment, Sensor Node]
WINSOME PBD (I)
[Figure: layered platform model; labels: Monitoring Applications, Integrity Monitoring Agent, other agents, IDS Agent comp, Mobile Agent Application Execution Environment (MA-AEE), Secure Platform, IDS Core comp, Link layer Cryptography, WSN Topology Manager, MA-MW services, Shared memory, Local memory, Underlying WSN Deployment, Sensor Node]
WINSOME PBD (I)
[Figure: the layered platform model of the previous slide, with the following labels added]
• AGILLA-based MA-AEE
• ARCHEA (Available Resource Cluster Head Election Algorithm)
• TAKS (Topology Authenticated symmetric Key Scheme)
• WPM-based IDS (Weak Process Model based Intrusion Detection System)
Underlying WSN: Physical WSN Deployment
Q: Given a set of Sensor Nodes, find the class of WSN physical deployments (geometrical node distributions) compliant with coverage (redundancy vs reliability) and resource requirements
A: Coverage-Cost Quality Indicators; conditions for lossless lossy detection
[Figure: fundamental cells of the Min Redundancy Configuration and of the Max Reliability Configuration; labels: r, 3r]
Underlying WSN: Logical WSN Deployment (Network Topology)
• Dynamic Clustered Spanning Tree (DCST): it represents a design assumption motivated by
- Cluster Heads (CHs) assigned on-demand (by a Cost Function)
- Support to "data centric" applications (functions → data)
- "Table-less" routing protocols
- Support to data aggregation fusion (at CHs)
- Support to the mobile agent propagation from CHs to their CMs
[Figure: two clustered spanning trees; labels: BS, CH]
Underlying WSN: Planned Network Topology
• Planned Network Topology (PNT graph): defines the graph including the sub-set of DCSTs compliant with the specific constraints defined by the Planner (→ admissible DCSTs)
- Each node knows its admissible neighbors
• How many DCSTs in a given PNT? Kirchhoff's Theorem
N: the nodes in the network; <σ>: average neighbors per node
1NN1
[Figure: two example PNT graphs, with 7 and 9 numbered nodes]
N = 7, <σ> ≈ 3.4, 220; σ(1) = 3, σ(2) = 3, σ(3) = 6, σ(4) = 3, σ(5) = 3, σ(6) = 3, σ(7) = 3
N = 9, <σ> ≈ 4.4, 15600; σ(1) = 3, σ(2) = 5, σ(3) = 8, σ(4) = 5, σ(5) = 3, σ(6) = 5, σ(7) = 3, σ(8) = 3, σ(9) = 5
WSN Topology Manager (ARCHEA)
Q: Given a WSN physical deployment and a Planned Network Topology, find the class of "short" and "balanced" admissible DCSTs compliant with resource requirements
A: ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices
Route-Cost Quality Indicators
• It includes the conditions to preserve spanning trees in WSN [Sec 52]
• It is shown [Sec 54] that the elected CH has minimum Hop Count (hCH) to the sink and maximum number of CMs [σ(CH)] with respect to the other eligible nodes (→ balanced cluster sizes)
• Short and balanced DCST: it represents a design assumption motivated by
- Reduced code transmission hops (for mobile agent propagation)
- Augmented reliability in data aggregation at CHs
- ARCHEA and routing messages can be crypto-secured
TAKS: Driving Ideas & Tools
Link layer Cryptography provides security against outsider intruders
• TAKs are symmetric, pair-wise, not pre-distributed (only key components are pre-distributed)
• TAKS is deterministic
• TAKs are symmetric keys generated using asymmetric mechanisms (hybrid cryptography)
• Network Topology Authentication as pre-condition for TAK generation
• Cryptographic Entropy per TAK binit: 1 bit (for any TAK length)
• Certification Authority is distributed on nodes of the admissible DCSTs
• Reverse engineering problem more complex than the Discrete Logarithm Problem (DLP)
• Cryptographic information is classified as public, restricted, private, secret
• Vector algebra on GF(q), with q = 2^k and k the TAK length in binit
TAKS: Topology Authentication
• Network Topology Authentication as pre-condition for TAK generation
• If the Planner is also Certifier:
- Planned Network Topology → Certified Network Topology
- Admissible DCST → Authenticated DCST
• A node in an Authenticated DCST becomes a local CA because it knows its admissible neighbors
- Centralized CA → Distributed CA
A TAK can be generated in a node pair only if mutual authentication has been successful; therefore the resulting DCST is both admissible and authenticated
TAK Generation
[Figure: TAK generation flow between nodes ni and nj; labels: LocKeyCompi, LocKeyCompj, TrKeyCompi, TrKeyCompj, LocPldTopi, LocPldTopj; V(TrKeyCompj, LocPldTopi) = 0; YES: Keyi = f(LocKeyCompi, TrKeyCompj); Node nj is authenticated; V(TrKeyCompi, LocPldTopj) = 0; YES: Keyj = f(LocKeyCompi, TrKeyCompj); Node ni is authenticated; NO; Intrusion Detection System; external server; TAK = Keyi = Keyi]
TAK Authentication Theorem [Sec 641]
TAK Generation Theorem [Sec 642]
f() and V() [Sec 64] are public (Kerckhoffs's principle)
Local Conf Data [Sec 64]: private, restricted, restricted
Security Analysis
Q: Is TAK a real cryptographic key? I.e., what is the cryptographic entropy per binit associated to TAK?
A: It is shown [Sec 651] that TAK Cryptographic Entropy per binit is ≈ 1
Q: How secure is a single node? I.e., how complex is the inverse problem of breaking TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec 652] that it is harder than the Discrete Logarithm Problem
Q: How secure is a network? I.e., how many nodes should be compromised to derive TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec 653] that the TAKS scheme is N-secure
Cost Analysis
• MICA2: 8-bit processor ATMega128L, 7.4 MHz; assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 μs
• IMOTE: 32-bit processor PXA271 XScale, 312/416 MHz; assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 μs (assuming a conservative 300 MHz clock)
• Memory usage is bitsqlog)2(3 2
TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming 4 )
128 bit | 1400 | 5 ms | 50 μs | 300 bytes
256 bit | 13000 | 40 ms | 400 μs | 600 bytes
512 bit | 120000 | 370 ms | 3.7 ms | 1200 bytes
1024 bit | 1100000 | 3.2 s | 32 ms | 2400 bytes
Reference IDS Macro-functions
• Intrusion Alarm Generation: issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL): defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA): reacts to intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists, grey lists, …)
[Figure: block diagram; labels: Intrusion Alarm Generation, Intrusion Reaction Logic, Intrusion Reaction Application, Local Conf Data, Control messages]
WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message, Anomaly Rules, Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
- Deterministic vs stochastic observable-state relationships
- "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables, States Traces, Scores, Alarm, Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
- "possible states traces" vs "the most probable states trace" (Viterbi)
- Possible states traces are equi-probable
• Alarm generation when at least one states trace contains at least one HPA
- Scores (weights) associated to state traces
WPM-based IDS: Micro-functions
[Figure: block diagram; labels: Anomaly Detection Logic, Threat Model, Alarm Tracking, Defence Strategy, Countermeasure Application, Local Conf Data, Control messages]
WPM-based IDS: Information Flow
[Figure: the same block diagram with the exchanged information; labels: Signalling IE, ok, xk, Al[sk], cm(s), Control messages]
WPM-based Anomaly Detection Model
[Figure: WPM Algebraic Canonical Form, WPM States Traces for k = 1 … 6 with o6 = 3 1 4 2 5 6, Score Matrix S and Score Computation with L = 1, H = 100; labels: LPA, HPA, al[01|01], al[02|00]]
Threats from insider intruders
[Figure: cluster diagrams for HELLO Flooding (HF), SINKHOLE (SH), intra-cluster WORMHOLE and inter-cluster WORMHOLE (WH); labels: CH, M, E, ni, nj, low latency link]
Examples of Anomaly Rules
AR1: If nE has authenticated node nE, node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if there are no observables for a sequence of K observation steps, with K a predefined threshold
…
WPM-based Single Threats Models
[Figure: state machines for HELLO Flooding (HF; states HF_1 … HF_6, with HF_5 RESET and HF_6 SUCCESSFULLY H FLOODING), SINKHOLE (SH; states SH_1 … SH_4, with SH_3 RESET and SH_4 SUCCESSFULLY SINKHOLE) and WORMHOLE (WH; states WH_1 … WH_6, with WH_5 RESET and WH_6 SUCCESSFULLY WORMHOLE); transition labels (12), (34), (56), (65), (78), (87), (9); scores 1, 99, -1, -100]
Aggregated Threat Model (I)
[Figure: aggregated state machine with states X_1 … X_10 (X_9 RESET, X_10 SUCCESSFULLY THREAT); transition labels (12), (34), (56), (65), (78), (87), (9); scores 1, 99, -1, -100; alarms Al[sk]]
Security Analysis
[Figure: three score vs obs plots (obs 1 … 31) for (HF), (WH) and (SH), with curves ATM and STM; sequences shown: 8886678555586775 (HF), 21221112112221 (SH), 312213342342244 (WH)]
Security Analysis
[Figure: two score vs obs plots (obs 1 … 31) with the corresponding cluster diagrams; labels: E, (WH), (SH)]
Aggregated Threat Model (II)
[Figure: aggregated state machine with states X_1 … X_10 (X_9 RESET, X_10 SUCCESSFULLY THREAT); transition labels (12), (34), (56), (65), (78), (87), (9); label: UPA state]
Cost Analysis
• MICA2: 8-bit processor ATMega128L, 7.4 MHz; assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 μs
• IMOTE: 32-bit processor PXA271 XScale, 312/416 MHz; assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 μs (assuming a conservative 300 MHz clock)
• Memory usage is $n_{WML} + 3n^2$ bytes
nWML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two nodes, Node (11) and Node (21), each with TinyOS, Agilla Middleware, Middleware Services, Tuplespace, Neighbor List and Agents; arrows: migrate, clone, remote access; label: MA-AEE]
[source: Fok C-L et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Figure: layered platform model; labels: Agent-based Applications, Agent A1, Agent A2, Agent An, AGILLA MA-AEE, Secure Platform, SW component, AGILLA services, Local memory, Tuple space, Underlying WSN Deployment, Sensor Node]
IDS Functions Mapping
[Figure: mapping of the IDS functions; labels: Anomaly Detection Logic, Threat Model, Alarm Tracking, Defense Strategy, Countermeasure Application, LCD, Control messages, IDS Core comp, IDS MA comp, IRA (Intrusion Reaction Agent)]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 … 6), each running AGILLA MA-AEE; labels: IRA, IRA clone, Al[s], ok]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Figure: layered platform model; labels: Monitoring Applications, Integrity Monitoring Agent, other agents, IRA, AGILLA MA-AEE, Secure Platform, IDS core comp, Anomaly Detection Logic, Threat Model, TAKS, ARCHEA, NetManager, LCD, Tuple Space, AGILLA services, Underlying WSN Deployment, Sensor Node]
Secure Platform internal Structure
[Figure: block diagram; labels: AGILLA MA-AEE, IRA, Tuple Space, Remote Tuple Space, Secure Platform, ADL, TM, IRL, IRLA, LCD, NetManager, Comms, Control Msgs; signals: ok, Hp_xk, al[sk], cm[s]]
Next steps (near-term)
• Finalization of WINSOME components development
- on-going implementations of AGILLA enhancements
• 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
- on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: WINSOME Project surrounded by the following topics: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
- Sensor Node Density (SND): it is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
- Overlapping Detection Spot Percentage (ODSP): it is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
- Minimize SND·ODSP to minimize coverage redundancy for a given SND
- Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
Underlying WSN: DCST Deployment
[Figure: DCST over a layout of 25 numbered nodes (1 … 25)]
Underlying WSN: DCST Self-Organization
[Figure: five successive diagrams of the same numbered node layout showing the DCST self-organization]
Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network
Configuration | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO: down 3 | 0.38 | 0.32 | 0.84
DCST-SO: down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO: down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO: down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO: rearrange 12 | 0.48 | 0.25 | 1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q), with q = 2^k, be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
R1: Be a one-way function
R2: must hold for
where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
R3: Be a one-way function
R4: V(v, v') = 0 only for a particular sub-set of values v, v' V U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
const)u(f)u(f)u(f)u(f Uuu
TAKS Definitions (2/2): Local Configuration Data
a. Let A U, M U. Elements in A are defined as follows: a, a' A if m M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b B GF(q) (not a generator) in B. B is secret
c. Let c C U. C is secret
d. Let the explicit expression for where m M satisfied Ass (a) and k GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e. Let kl, k'l KL U (private) and kt, k't KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t T U (restricted) be the LocPldTop such that for the generic kt KT is t·kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t·ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t·kti = 0, then node ni is authenticated by node nj (mutual authentication)
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor of node i
• TAK authentication needs:
- TrKeyCompj: vector ktj from node nj (the prover)
- LocPldTopi: vector t for node ni (the verifier)
- If ktj·ti = 0, then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant with requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k = 0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi)
k-1
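The detection step implied by these definitions and by the LPA/HPA hazard levels can be written as follows. This is an added example, not code from the dissertation or the WINSOME project: the 5-state model (matrices A and B, x0 = state 4, xF = state 0), the function names and the rule that an observable matching no trace is ignored are assumptions, and A uses the column convention of the algebraic canonical form ($x_{k+1} = A x_k$).

```python
from collections import deque

# Constructed model (NOT the matrices shown on the slides). States 0..4:
# 4 is the initial state x0, 0 is the final state xF (attack completed).
# Column convention: A[j][i] == 1 means state i can move to state j.
A = [
    [0, 1, 0, 0, 0],
    [0, 0, 1, 1, 0],
    [0, 0, 0, 0, 1],
    [0, 0, 0, 0, 1],
    [0, 0, 0, 0, 0],
]
# B is q x n: B[o][x] == 1 means state x emits observable o (q = 4, n = 5).
B = [
    [0, 0, 1, 1, 0],  # o0: ambiguous, emitted by states 2 and 3
    [0, 1, 0, 0, 0],  # o1: emitted by state 1
    [1, 0, 0, 0, 0],  # o2: emitted by the final state
    [0, 0, 0, 1, 0],  # o3: emitted by state 3 only
]
X0, XF = 4, 0


def hypothetic_states(B, obs):
    """Hp_x_k = B^T o_k: every state that could have emitted observable obs."""
    return {x for x, bit in enumerate(B[obs]) if bit}


def successors(A, states):
    """States reachable in one transition from any state in `states`."""
    return {j for j, row in enumerate(A) for i in states if row[i]}


def hops_to_final(A, final):
    """Minimum number of transitions from each state to the final state."""
    hops = {final: 0}
    queue = deque([final])
    while queue:
        j = queue.popleft()
        for i, bit in enumerate(A[j]):  # A[j][i] == 1 means i -> j
            if bit and i not in hops:
                hops[i] = hops[j] + 1
                queue.append(i)
    return hops


def hazard_level(state, hops):
    """HPA: 1 hop from the final state; LPA: at least 2 hops; else None."""
    h = hops.get(state)
    if h == 1:
        return "HPA"
    if h is not None and h >= 2:
        return "LPA"
    return None


def track(A, B, x0, final, observations):
    """Return (step, feasible states, matched, alarm) for each observable.

    Assumption of this example: a trace advances by one transition per
    matching observable; an observable that fits no trace is ignored.
    """
    hops = hops_to_final(A, final)
    feasible = {x0}
    report = []
    for k, obs in enumerate(observations, start=1):
        candidates = hypothetic_states(B, obs) & successors(A, feasible)
        matched = bool(candidates)
        if matched:
            feasible = candidates
        # Alarm as soon as at least one possible trace sits in an HPA state.
        alarm = matched and any(hazard_level(x, hops) == "HPA" for x in feasible)
        report.append((k, sorted(feasible), matched, alarm))
    return report


if __name__ == "__main__":
    # Constructed observable sequence: ambiguous o0, unrelated o3, then o1.
    for row in track(A, B, X0, XF, [0, 3, 1]):
        print(row)
```

The second observable (o3) fits no transition from the feasible set and is skipped; the third moves every remaining trace into the state one hop from xF, which raises the alarm.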
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equations system should be solved for a, m, c, b, which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3+3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that even capturing all N nodes in the network the attacker gets ~ q^4 – Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
ADL Component
[Figure: ADL component diagram. Blocks: ADL, AR, AG, TM, WML, LCD, Tuple Space, Remote Tuple Space, NetManager, Comms. Signals: ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs]
AG sub-Component
[Figure: AG sub-component diagram. Blocks: AG, Trace Estimation, Score Computation, WML, TM, Tuple Space. Signals: Hp_xk, Free_xi<k, Free_xk, al[sk]]
TM Component
[Figure: TM component diagram. Blocks: TM (A, B, x0, xF), ADL, AG, AR, Remote Tuple Space. Signals: ok, Hp_xk]
NetManager Component
[Figure: NetManager component diagram. Blocks: NetManager, TAKS, ARCHEA, AR, LCD, Comms, Tuple Space. Signals: TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen ok/ko]
TAKS Component
[Figure: TAKS component diagram. Blocks: TAKS (Network Topology Authentication, Key Generation), TGMP, ARCHEA, AR, LCD, Tuple Space, TinySec (ReplaceKey, RevokeKey), Comms. Signals: klj, ktj, σ(j), cm[s], TAKgen ok/ko, TGMP msgs, RELEASE_ind(niCH)]
ARCHEA Component
[Figure: ARCHEA component diagram. Blocks: ARCHEA (Route Cost Computation, ARCHEA Manager), TAKS, AR, Comms. Signals: ARCHEA msgs, RELEASE_ind(niCH)]
TAK Gen Management Prot (TGMP)
[Figure: TGMP message sequence between nodes ni and nj (with LCDi and LCDj). (1) SETUP(kti) and SETUP(ktj) are exchanged; the checks ti · kti = 0 and tj · ktj = 0 are made; TAK i = f(kli, ktj) and TAK j = f(klj, kti) give the TAK-ciphered link; TinySec ReplaceKey(TAK). (2) RELEASE_ind(niCH) from ARCHEA; RELEASE(kti, ktj); TinySec RevokeKey(TAK)]
ARCHEA Protocol
[Figure: ARCHEA message sequence among nodes ni, nj and nl (with LCDi and LCDj) over the TAK-ciphered link. (1) EVALUATE_RC(hi, σi), with σi = AN[σ(ni)]; ni = CH = min RCi; UDPATE_H(hj), UDPATE_H(hl) and RESET_H messages; hj = hl+1. (2) RELEASE_ind(niCH) to TAKS]
Outline
• WINSOME PBD (I)
• Underlying Physical WSN Deployment
• Underlying Logical WSN Deployment (ARCHEA)
• Link Layer Cryptographic Scheme (TAKS)
• WPM-based IDS
• WINSOME PBD (II)
• Next steps (near-term)
• Next steps (mid-term)
Distributed Architecture Platform-Based Model
[Figure: layered platform-based model. Labels: Applications (Application A1, Application A2, Application An); Application Execution Environment (AEE); Secure Platform; SW components; MW services; Local memory; Shared memory; Underlying WSN Deployment (Sensor Nodes)]
Agent-based Distributed Architecture Platform-Based Model
[Figure: layered platform-based model. Labels: Agent-based Applications (Agent A1, Agent A2, Agent An); Mobile Agent Application Execution Environment (MA-AEE); Secure Platform; SW components; MA-MW services; Local memory; Shared memory; Underlying WSN Deployment (Sensor Nodes)]
WINSOME PBD (I)
[Figure: WINSOME platform-based design. Labels: Monitoring Applications (Integrity Monitoring Agent, other agents); IDS Agent comp; Mobile Agent Application Execution Environment (MA-AEE); Secure Platform; IDS Core comp; Link layer Cryptography; WSN Topology Manager; MA-MW services; Shared memory; Local memory; Underlying WSN Deployment (Sensor Nodes)]
WINSOME PBD (I)
[Figure: WINSOME platform-based design, same blocks as the preceding WINSOME PBD (I) figure, with these annotations:]
• AGILLA-based MA-AEE
• ARCHEA (Available Resource Cluster Head Election Algorithm)
• TAKS (Topology Authenticated symmetric Key Scheme)
• WPM-based IDS (Weak Process Model based Intrusion Detection System)
Underlying WSN: Physical WSN Deployment
Q: Given a set of Sensor Nodes, find the class of WSN physical deployments (geometrical nodes distributions) compliant to coverage (redundancy vs reliability) and resource requirements
A: Coverage-Cost Quality Indicators; conditions for lossless / lossy detection
[Figure: fundamental cells for the Min Redundancy Configuration and the Max Reliability Configuration, with the distances r and 3r marked]
Underlying WSN: Logical WSN Deployment (Network Topology)
• Dynamic Clustered Spanning Tree (DCST): it represents a design assumption motivated by
– Cluster Heads (CHs) assigned on-demand (by a Cost Function)
– Support to "data centric" applications (functions → data)
– "Table-less" routing protocols
– Support to data aggregation / fusion (at CHs)
– Support the mobile agent propagation from CHs to their CMs
[Figure: example DCSTs with Cluster Heads (CH) and the Base Station (BS)]
Underlying WSN: Planned Network Topology
• Planned Network Topology (PNT graph): defines the graph including the sub-set of DCSTs compliant to the specific constraints defined by the Planner (→ admissible DCSTs)
– Each node knows its admissible neighbors
• How many DCSTs in a given PNT? Kirchhoff's Theorem
N: the nodes in the network; <σ>: average neighbors per node
1NN1
[Figure: two example PNT graphs with numbered nodes]
N = 7; <σ> 3.4; 220: σ(1) = 3, σ(2) = 3, σ(3) = 6, σ(4) = 3, σ(5) = 3, σ(6) = 3, σ(7) = 3
N = 9; <σ> 4.4; 15600: σ(1) = 3, σ(2) = 5, σ(3) = 8, σ(4) = 5, σ(5) = 3, σ(6) = 5, σ(7) = 3, σ(8) = 3, σ(9) = 5
WSN Topology Manager (ARCHEA)
Q: Given a WSN physical deployment and a Planned Network Topology, find the class of "short" and "balanced" admissible DCSTs compliant to resource requirements
A: ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices
Route-Cost Quality Indicators
• It includes the conditions to preserve spanning trees in WSN [Sec 52]
• It is shown [Sec 54] that the elected CH has minimum Hop Count (hCH) to sink and maximum number of CM [σ(CH)] with respect to the other eligible nodes (→ balanced cluster sizes)
• Short and balanced DCST: it represents a design assumption motivated by
– Reduced code transmission hops (for mobile agent propagation)
– Augmented reliability in data aggregation at CHs
– ARCHEA and routing messages can be crypto-secured
TAKS: Driving Ideas & Tools
Link layer Cryptography provides security against outsider intruders
• TAKs are symmetric, pair-wise, not pre-distributed (only key components are pre-distributed)
• TAKS is deterministic
• TAKs are symmetric keys generated using asymmetric mechanisms (hybrid cryptography)
• Network Topology Authentication as pre-condition for TAK generation
• Cryptographic Entropy per TAK binit 1 bit (for any TAK length)
• Certification Authority is distributed on nodes of the admissible DCSTs
• Reverse engineering problem more complex than Discrete Logarithm Problem (DLP)
• Cryptographic information is classified in public / restricted / private / secret
• Vector algebra on GF(q) with q = 2^k and k the TAK length in binit
TAKS: Topology Authentication
• Network Topology Authentication as pre-condition for TAK generation
• If the Planner is also Certifier
– Planned Network Topology → Certified Network Topology
– Admissible DCST → Authenticated DCST
• Node in an Authenticated DCST becomes local CA because it knows its admissible neighbors
– Centralized CA → Distributed CA
TAK can be generated in a node pair only if mutual authentication has been successful; therefore the resulting DCST is both admissible and authenticated
TAK Generation
[Figure: flowchart of mutual authentication and TAK generation between nodes ni and nj, which exchange TrKeyCompi and TrKeyCompj. Labels: LocKeyCompi, LocPldTopi, LocKeyCompj, LocPldTopj. Check V(TrKeyCompj, LocPldTopi) = 0: YES, Node nj is authenticated and Keyi = f(LocKeyCompi, TrKeyCompj); NO, Intrusion Detection System (external server). Check V(TrKeyCompi, LocPldTopj) = 0: YES, Node ni is authenticated and Keyj = f(LocKeyCompi, TrKeyCompj); NO, Intrusion Detection System (external server). Result: TAK = Keyi = Keyi]
TAK Authentication Theorem [Sec 641]
TAK Generation Theorem [Sec 642]
f() and V() [Sec 64] are public (Kerckhoffs' principle)
Local Conf Data [Sec 64]: private / restricted / restricted
Security Analysis
Q: Is TAK a real cryptographic key? I.e., which is the cryptographic entropy per binit associated to TAK?
A: It is shown [Sec 651] that TAK Cryptographic Entropy per binit is ≈ 1
Q: How secure is a single node? I.e., how complex is the inverse problem to break TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec 652] that it is harder than the Discrete Logarithm Problem
Q: How secure is a network? I.e., how many nodes should be compromised to derive TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec 653] that the TAKS scheme is N-secure
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE (32-bit processor PXA271 Xscale, 312/416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is bitsqlog)2(3 2
TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming 4 )
128 bit | 1400 | 5 ms | 50 µs | 300 bytes
256 bit | 13000 | 40 ms | 400 µs | 600 bytes
512 bit | 120000 | 370 ms | 3.7 ms | 1200 bytes
1024 bit | 1100000 | 3.2 s | 32 ms | 2400 bytes
Reference IDS Macro-functions
• Intrusion Alarm Generation: issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL): defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA): reacts to intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists / grey lists, …)
[Figure: blocks Intrusion Alarm Generation, Intrusion Reaction Logic and Intrusion Reaction Application, with Local Conf Data and Control messages]
WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message Anomaly Rules Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
– Deterministic vs stochastic observable-state relationships
– "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables States Traces Scores Alarm Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
– "possible states traces" vs "the most probable states trace" (Viterbi)
– Possible states traces are equi-probable
• Alarm generation when at least a states trace contains at least an HPA
– Scores (weights) associated to state traces
WPM-based IDS Micro-functions
[Figure: blocks Anomaly Detection Logic, Threat Model, Alarm Tracking, Defence Strategy, Countermeasure Application and Local Conf Data, with Control messages]
WPM-based IDS Information Flow
[Figure: blocks Anomaly Detection Logic, Threat Model, Alarm Tracking, Defence Strategy, Countermeasure Application and Local Conf Data. Flows: Signalling IE, ok, xk, Al[sk], cm(s), Control messages]
WPM-based Anomaly Detection Model
[Figure: WPM Algebraic Canonical Form, WPM States Traces for k = 1 … 6 with observables o6 = 3 1 4 2 5 6, and Score Computation with Score Matrix S (L = 1, H = 100; LPA and HPA states; scores 1, 100, 99, -100, -99, 0), with alarms al[01|01] and al[02|00]]
S = 010010000000990000010009900100000
Threats from insider intruders
[Figure: four scenarios among nodes ni, nj, CH, M and E: HELLO Flooding (HF), SINKHOLE (SH), inter-cluster WORMHOLE and intra-cluster WORMHOLE (WH), the wormholes using a low latency link]
Examples of Anomaly Rules
AR1: If nE has authenticated node nE, node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if there are no observables for a sequence of K observation steps, with K a predefined threshold
…
WPM-based Single Threats Models
[Figure: state diagrams of the three single threat models, with observables in parentheses and the scores 1, 99, -1, -100:
– HELLO Flooding (HF): states HF_1, HF_2, HF_3, HF_4, HF_5 (RESET), HF_6 (SUCCESSFULLY H FLOODING); observables (56), (65), (78), (87), (9)
– SINKHOLE (SH): states SH_1, SH_2, SH_3 (RESET), SH_4 (SUCCESSFULLY SINKHOLE); observables (12), (9)
– WORMHOLE (WH): states WH_1, WH_2, WH_3, WH_4, WH_5 (RESET), WH_6 (SUCCESSFULLY WORMHOLE); observables (12), (34), (9)]
Aggregated Threat Model (I)
[Figure: state diagram of the aggregated threat model. States X_1, X_2, X_3, X_4, X_5, X_6, X_7, X_8, X_9 (RESET), X_10 (SUCCESSFULLY THREAT); observables (12), (34), (56), (65), (78), (87), (9); scores 1, 99, -1, -100; alarms Al[sk]]
Security Analysis
[Figure: three plots of score against obs (1 to 31), one each for (HF), (WH) and (SH), comparing ATM and STM. Observable sequences: (HF) 8886678555586775; (SH) 21221112112221; (WH) 312213342342244]
Security Analysis
[Figure: two node topologies with node E, each with a plot of score against obs (1 to 31); the scenarios are labelled (WH) and (SH)]
Aggregated Threat Model (II)
[Figure: state diagram of the aggregated threat model with a UPA state. States X_1, X_2, X_3, X_4, X_5, X_6, X_7, X_8, X_9 (RESET), X_10 (SUCCESSFULLY THREAT); observables (12), (34), (56), (65), (78), (87), (9); scores 10, 990, 991, -10, -1000, -1001]
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE (32-bit processor PXA271 Xscale, 312/416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is nWML + 3n^2 bytes
nWML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: Node (11) and Node (21), each running TinyOS, the Agilla Middleware (Middleware Services, Tuplespace, Neighbor List) and Agents; arrows labelled migrate, clone and remote access; the stack is labelled MA-AEE]
[source: Fok C-L et al, "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Figure: layered platform-based model. Labels: Agent-based Applications (Agent A1, Agent A2, Agent An); AGILLA MA-AEE; Secure Platform; SW components; AGILLA services; Tuple space; Local memory; Underlying WSN Deployment (Sensor Nodes)]
IDS Functions Mapping
[Figure: the IDS functions (Anomaly Detection Logic, Threat Model, Alarm Tracking, Defense Strategy, Countermeasure Application, LCD, Control messages) mapped onto the IDS Core comp and the IDS MA comp; IRA = Intrusion Reaction Agent]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running AGILLA MA-AEE; the IRA is cloned (IRA clone) from node to node while Al[s] and ok are exchanged between the nodes]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Figure: WINSOME platform-based design. Labels: Monitoring Applications (Integrity Monitoring Agent, other agents); IRA; AGILLA MA-AEE; AGILLA services; Secure Platform; IDS core comp (Anomaly Detection Logic, Threat Model); TAKS; ARCHEA; NetManager; LCD; Tuple Space; Underlying WSN Deployment (Sensor Nodes)]
Secure Platform internal Structure
[Figure: Secure Platform internal structure. Blocks: ADL, TM, IRL, IRLA, LCD, NetManager, Comms, Tuple Space, Remote Tuple Space, IRA (on AGILLA MA-AEE). Signals: ok, Hp_xk, al[sk], cm[s], Control Msgs]
Next steps (near-term)
• Finalization of WINSOME components development
– on-going implementations of AGILLA enhancements
– 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
– on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: WINSOME Project next steps. Labels: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
– Sensor Node Density (SND): it is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
– Overlapping Detection Spot Percentage (ODSP): it is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
– Minimize SND × ODSP to minimize coverage redundancy for a given SND
– Minimize SND / ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND × ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
• The minimum for the ratio SND / ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell | SND | ODSP | SND × ODSP | SND / ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
Underlying WSN: DCST Deployment
[Figure: DCST over a deployment of 25 numbered nodes]
Underlying WSN: DCST Self-Organization
[Figures: five successive views of the same 25-node DCST during self-organization]
Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network
 | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO, down 3 | 0.38 | 0.32 | 0.84
DCST-SO, down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO, down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO, down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO, rearrange 12 | 0.48 | 0.25 | 1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any u U is a 3-tuple where ux, uy, uz are elements in GF(q)
• Let a function satisfying the following requirements:
R1: Be a one-way function
R2: must hold for where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
R3: Be a one-way function
R4: V(v, v') = 0 only for a particular sub-set of values v, v' V U
The explicit expressions for and are public (Kerckhoffs' principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
TAKS Definitions (2/2): Local Configuration Data
a. Let A U, M U. Elements in A are defined as follows: a, a' A if m M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b B GF(q) not a generator) in B. B is secret
c. Let c C U. C is secret
d. Let the explicit expression for where m M satisfied Ass (a) and k GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because for where (hereafter omitted) is the mod q product
e. Let kl, k'l KL U (private) and kt, k't KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t T U (restricted) be the LocPldTop such that for the generic kt KT is t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs' principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs:
– TrKeyCompj: vector ktj from node nj (the prover)
– LocPldTopi: vector t for node ni (the verifier)
– If ktj ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok with oi O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1=xj|xk=xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok=oj|xk=xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = [i = 1 … k-1] (xk A • Free_xi)
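The possible-traces tracking and the HPA alarm rule of the WPM threat model, as an added Python example that is not part of the original slides. It assumes the 25-digit string given for A on the Algebraic Canonical Form slide is the 5 × 5 matrix written row by row, uses an emission matrix B and observable sequences constructed for the illustration, and enumerates the traces consistent with A and the observables; it does not reproduce the dissertation's Free-state and score computation.

```python
from collections import deque

# State transition matrix taken from the "Algebraic Canonical Form" slide,
# ASSUMING its 25-digit string is the 5x5 matrix written row by row.
# A[r][c] == 1: state c+1 can move to state r+1 (column = source state).
A = [
    [0, 1, 1, 0, 0],
    [0, 0, 0, 1, 0],
    [0, 1, 0, 0, 1],
    [0, 0, 1, 0, 1],
    [0, 0, 0, 0, 0],
]
X0, XF = 5, 1          # initial state x0 = 00001, final state xF = 10000

# Emission matrix CONSTRUCTED for this example (4 observables x 5 states).
# B[o][c] == 1: state c+1 can produce observable o+1.
B = [
    [0, 0, 0, 1, 1],   # o1 -> states 4, 5
    [0, 1, 0, 0, 0],   # o2 -> state 2
    [0, 0, 1, 1, 0],   # o3 -> states 3, 4
    [1, 0, 0, 0, 0],   # o4 -> state 1 (final)
]
N = len(A)


def successors(state):
    """States reachable in one step: the 1-entries of column `state` of A."""
    return [r + 1 for r in range(N) if A[r][state - 1]]


def hypothetic_states(obs):
    """Hp_x = B^T o: the hidden states compatible with one observable."""
    return {c + 1 for c in range(N) if B[obs - 1][c]}


def hops_to_final():
    """Breadth-first search backwards from XF: hop distance of every state."""
    dist, queue = {XF: 0}, deque([XF])
    while queue:
        s = queue.popleft()
        for c in range(N):                     # c+1 is a predecessor of s
            if A[s - 1][c] and c + 1 not in dist:
                dist[c + 1] = dist[s] + 1
                queue.append(c + 1)
    return dist


def hazard_level(state):
    """LPA: at least 2 hops from the final state; HPA: exactly 1 hop."""
    hops = hops_to_final().get(state)
    if hops is None:
        return None
    return "FINAL" if hops == 0 else "HPA" if hops == 1 else "LPA"


def traces(observations):
    """All state sequences that follow A from X0 and match every observable."""
    partial = [()]
    for obs in observations:
        allowed = hypothetic_states(obs)
        partial = [t + (s,)
                   for t in partial
                   for s in successors(t[-1] if t else X0)
                   if s in allowed]
    return partial


def first_alarm(observations):
    """First observation step at which at least one possible trace contains
    an HPA state, or None if no trace ever does."""
    for k in range(1, len(observations) + 1):
        if any(hazard_level(s) == "HPA"
               for t in traces(observations[:k]) for s in t):
            return k
    return None


if __name__ == "__main__":
    for seq in ([1, 2, 4], [3], [1]):          # constructed observable sequences
        print(seq, traces(seq), "alarm at step", first_alarm(seq))
```

With this reading of A, states 2 and 3 are HPA and states 4 and 5 are LPA, so an ambiguous first observable that leaves state 3 possible already raises the alarm.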
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
66
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equation system should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b)
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 − Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
→ ~ q^4 solutions
67
ADL Component
[Block diagram. Blocks: AR, AG, TM, WML, LCD, Tuple Space, Remote Tuple Space, NetManager, Comms. Signals: ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs]
68
AG sub-Component
[Block diagram. Blocks: Trace Estimation, Score Computation, WML, TM, Tuple Space. Signals: Hp_xk, Free_xk, Free_xi (i<k), al[sk]]
69
TM Component
[Block diagram. Blocks: TM (A, B, x0, xF), AG, AR, ADL, Remote Tuple Space. Signals: ok, Hp_xk]
70
NetManager Component
[Block diagram. Blocks: NetManager, LCD, Comms, Tuple Space, TAKS, ARCHEA, AR. Signals: TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen ok/ko]
71
TAKS Component
[Block diagram. Blocks: Network Topology Authentication, Key Generation, LCD, Tuple Space, TAKS, ARCHEA, AR, TGMP, Comms, TinySec (ReplaceKey, RevokeKey). Signals: klj, ktj, σ(j), cm[s], TAKgen ok/ko, TGMP msgs, RELEASE_ind(niCH)]
72
ARCHEA Component
[Block diagram. Blocks: Route Cost Computation, ARCHEA Manager, ARCHEA, TAKS, Comms, AR. Signals: ARCHEA msgs, RELEASE_ind(niCH)]
73
TAK Gen Management Prot (TGMP)
[Sequence diagram between nodes ni and nj (LCDi, LCDj). Labels: (1) SETUP(kti), SETUP(ktj); ti·kti = 0, tj·ktj = 0; TAK i = f(kli, ktj), TAK j = f(klj, kti); TAK-ciphered link; (2) RELEASE(kti, ktj); RELEASE_ind(niCH) from ARCHEA; TinySec RevokeKey(TAK), TinySec ReplaceKey(TAK)]
74
ARCHEA Protocol
[Sequence diagram between nodes ni, nj and nl (LCDi, LCDj). Labels: (1) EVALUATE_RC(hi, σi); ni = CH = min RCi; UDPATE_H(hj), UDPATE_H(hl), RESET_H; hj = hl + 1; σi = AN[σ(ni)]; (2) RELEASE_ind(niCH) to TAKS; TAK-ciphered link]
6
Distributed Architecture Platform-Based Model
[Layer diagram. Layers: Underlying WSN Deployment (Sensor Nodes); Secure Platform (SW components); Application Execution Environment (AEE) with MW services, local memory and shared memory; Applications A1, A2, …, An]
7
Agent-based Distributed Architecture Platform-Based Model
[Layer diagram. Layers: Underlying WSN Deployment (Sensor Nodes); Secure Platform (SW components); Mobile Agent Application Execution Environment (MA-AEE) with MA-MW services, local memory and shared memory; Agent-based Applications (Agents A1, A2, …, An)]
8
WINSOME PBD (I)
[Layer diagram. Layers: Underlying WSN Deployment (Sensor Nodes); Secure Platform with IDS Core comp, Link layer Cryptography and WSN Topology Manager; Mobile Agent Application Execution Environment (MA-AEE) with MA-MW services, shared memory and local memory; Monitoring Applications with IDS Agent comp, Integrity Monitoring Agent and other agents]
9
WINSOME PBD (I)
[Same layer diagram as slide 8, annotated with:]
• AGILLA-based MA-AEE
• ARCHEA (Available Resource Cluster Head Election Algorithm)
• TAKS (Topology Authenticated symmetric Key Scheme)
• WPM-based IDS (Weak Process Model based Intrusion Detection System)
10
Underlying WSN: Physical WSN Deployment
Q: Given a set of Sensor Nodes, find the class of WSN physical deployments (geometrical node distributions) compliant with coverage (redundancy vs reliability) and resource requirements
A: Coverage-Cost Quality Indicators; conditions for lossless / lossy detection
[Figures: fundamental cell of the Min Redundancy Configuration and fundamental cell of the Max Reliability Configuration; labels r, 3r]
11
Underlying WSN: Logical WSN Deployment (Network Topology)
• Dynamic Clustered Spanning Tree (DCST): It represents a design assumption motivated by
– Cluster Heads (CHs) assigned on-demand (by a Cost Function)
– Support for "data centric" applications (functions → data)
– "Table-less" routing protocols
– Support for data aggregation / fusion (at CHs)
– Support for mobile agent propagation from CHs to their CMs
[Figure: example DCSTs with CH and BS nodes]
12
Underlying WSN: Planned Network Topology
• Planned Network Topology (PNT graph): Defines the graph including the sub-set of DCSTs compliant with the specific constraints defined by the Planner (→ admissible DCSTs)
– Each node knows its admissible neighbors
• How many DCSTs in a given PNT? Kirchhoff's Theorem
N: the nodes in the network; <σ>: average neighbors per node
1NN1
[Figure: example PNT graph with nodes 1 to 7]
N = 7, <σ> 3.4, 220
σ(1) = 3, σ(2) = 3, σ(3) = 6, σ(4) = 3, σ(5) = 3, σ(6) = 3, σ(7) = 3
[Figure: example PNT graph with nodes 1 to 9]
N = 9, <σ> 4.4, 15600
σ(1) = 3, σ(2) = 5, σ(3) = 8, σ(4) = 5, σ(5) = 3, σ(6) = 5, σ(7) = 3, σ(8) = 3, σ(9) = 5
13
WSN Topology Manager (ARCHEA)
Q: Given a WSN physical deployment and a Planned Network Topology, find the class of "short" and "balanced" admissible DCSTs compliant with resource requirements
A: ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices
Route-Cost Quality Indicators
• It includes the conditions to preserve spanning trees in WSN [Sec 5.2]
• It is shown [Sec 5.4] that the elected CH has minimum Hop Count (hCH) to the sink and maximum number of CMs [σ(CH)] with respect to the other eligible nodes (→ balanced cluster sizes)
• Short and balanced DCST: It represents a design assumption motivated by
– Reduced code transmission hops (for mobile agent propagation)
– Augmented reliability in data aggregation at CHs
– ARCHEA and routing messages can be crypto-secured
14
TAKS: Driving Ideas & Tools
Link layer Cryptography provides security against outsider intruders
• TAKs are symmetric, pair-wise, not pre-distributed (only key components are pre-distributed)
• TAKS is deterministic
• TAKs are symmetric keys generated using asymmetric mechanisms (hybrid cryptography)
• Network Topology Authentication as pre-condition for TAK generation
• Cryptographic Entropy per TAK binit ≈ 1 bit (for any TAK length)
• Certification Authority is distributed on nodes of the admissible DCSTs
• Reverse engineering problem more complex than the Discrete Logarithm Problem (DLP)
• Cryptographic information is classified as public, restricted, private, secret
• Vector algebra on GF(q) with q = 2^k and k the TAK length in binit
15
TAKS: Topology Authentication
• Network Topology Authentication as pre-condition for TAK generation
• If the Planner is also Certifier
– Planned Network Topology → Certified Network Topology
– Admissible DCST → Authenticated DCST
• A node in an Authenticated DCST becomes a local CA because it knows its admissible neighbors
– Centralized CA → Distributed CA
A TAK can be generated in a node pair only if mutual authentication has been successful; therefore the resulting DCST is both admissible and authenticated
16
TAK Generation
[Flow diagram between nodes ni and nj. Labels: TrKeyCompi, TrKeyCompj (exchanged); LocKeyCompi, LocPldTopi, LocKeyCompj, LocPldTopj (local); check V(TrKeyCompj, LocPldTopi) = 0: YES → Node nj is authenticated, Keyi = f(LocKeyCompi, TrKeyCompj); check V(TrKeyCompi, LocPldTopj) = 0: YES → Node ni is authenticated, Keyj = f(LocKeyCompi, TrKeyCompj); NO → Intrusion Detection System, external server; TAK = Keyi = Keyi]
TAK Authentication Theorem [Sec 6.4.1]
TAK Generation Theorem [Sec 6.4.2]
f() and V() [Sec 6.4] are public (Kerckhoffs's principle)
Local Conf Data [Sec 6.4]: private, restricted, restricted
17
Security Analysis
Q: Is TAK a real cryptographic key? I.e., what is the cryptographic entropy per binit associated with TAK?
A: It is shown [Sec 6.5.1] that TAK Cryptographic Entropy per binit is ≈ 1
Q: How secure is a single node? I.e., how complex is the inverse problem of breaking TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec 6.5.2] that it is harder than the Discrete Logarithm Problem
Q: How secure is a network? I.e., how many nodes should be compromised to derive TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec 6.5.3] that the TAKS scheme is N-secure
18
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE (32-bit processor PXA271 XScale, 312/416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is bitsqlog)2(3 2
TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming 4 )
128 bit | 1400 | 5 ms | 50 µs | 300 bytes
256 bit | 13000 | 40 ms | 400 µs | 600 bytes
512 bit | 120000 | 370 ms | 3.7 ms | 1200 bytes
1024 bit | 1100000 | 3.2 s | 32 ms | 2400 bytes
19
Reference IDS Macro-functions
• Intrusion Alarm Generation issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL) defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA) reacts to intrusion by applying the suitable countermeasures (link release, putting compromised nodes in quarantine, distributing black lists, grey lists, …)
[Block diagram. Blocks: Intrusion Alarm Generation, Intrusion Reaction Logic, Intrusion Reaction Application, Local Conf Data, Control messages]
20
WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message → Anomaly Rules → Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
– Deterministic vs stochastic observable-state relationships
– "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables → States Traces → Scores → Alarm → Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
– "possible states traces" vs "the most probable states trace" (Viterbi)
– Possible states traces are equi-probable
• Alarm generation when at least one states trace contains at least one HPA
– Scores (weights) associated with state traces
21
WPM-based IDS Micro-functions
[Block diagram. Blocks: Anomaly Detection Logic, Threat Model, Alarm Tracking, Defence Strategy, Countermeasure Application, Local Conf Data, Control messages]
22
WPM-based IDS Information Flow
[Block diagram. Blocks: Anomaly Detection Logic, Threat Model, Alarm Tracking, Defence Strategy, Countermeasure Application, Local Conf Data, Control messages. Signals: Signalling IE, ok, xk, Al[sk], cm(s)]
23
WPM-based Anomaly Detection Model
[Figure. Panels: WPM Algebraic Canonical Form; WPM States Traces (k = 1 … 6); Score Matrix S; Score Computation. Labels: o6 = 3 1 4 2 5 6; L = 1, H = 100; LPA, HPA; al[01|01], al[02|00]]
24
Threats from insider intruders
[Figures: HELLO Flooding (HF), SINKHOLE (SH), inter-cluster WORMHOLE and intra-cluster WORMHOLE (WH). Labels: CH, M, E, ni, nj, low latency link]
25
Examples of Anomaly Rules
AR1: If ni has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive) then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M) then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables occur for a sequence of K observation steps, with K a predefined threshold
…
26
WPM-based Single Threats Models
[State diagrams. HELLO Flooding (HF): states HF_1 to HF_6, with HF_5 RESET and HF_6 SUCCESSFULLY H FLOODING. SINKHOLE (SH): states SH_1 to SH_4, with SH_3 RESET and SH_4 SUCCESSFULLY SINKHOLE. WORMHOLE (WH): states WH_1 to WH_6, with WH_5 RESET and WH_6 SUCCESSFULLY WORMHOLE. Transitions are labelled with observables and with scores 1, 99, -1, -100]
27
Aggregated Threat Model (I)
[State diagram. States X_1 to X_10, with X_9 RESET and X_10 SUCCESSFULLY THREAT. Transitions are labelled with observables and with scores 1, 99, -1, -100; alarms Al[sk]]
28
Security Analysis
[Plots of score vs obs (obs steps 1 to 31) for (HF), (WH) and (SH), comparing ATM and STM. Observable sequences: 8886678555586775 (HF); 21221112112221 (SH); 312213342342244 (WH)]
29
Security Analysis
[Plots of score vs obs (obs steps 1 to 31) with the corresponding attack topologies, labelled (WH) and (SH)]
30
Aggregated Threat Model (II)
[State diagram. States X_1 to X_10, with X_9 RESET and X_10 SUCCESSFULLY THREAT; UPA state. Transitions are labelled with observables and with scores 10, 990, 991, -10, -1000, -1001]
31
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE (32-bit processor PXA271 XScale, 312/416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is $n_{WML} + 3n^2$ bytes
nWML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
32
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: Node (1,1) and Node (2,1), each with TinyOS, Agilla Middleware (Tuplespace, Neighbor List, Middleware Services) and Agents; arrows labelled migrate, clone, remote access; MA-AEE]
[source: Fok C-L et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech Report WUCSE-2006-16, 2006]
33
Enhanced AGILLA MA-AEE
[Layer diagram. Layers: Underlying WSN Deployment (Sensor Nodes); Secure Platform (SW components); AGILLA MA-AEE with AGILLA services, local memory and Tuple space; Agent-based Applications (Agents A1, A2, …, An)]
34
IDS Functions Mapping
[Block diagram. Functions: Anomaly Detection Logic, Threat Model, Alarm Tracking, Defense Strategy, Countermeasure Application, LCD, Control messages. Mapped onto: IDSCore comp, IDSMA comp, IRA (Intrusion Reaction Agent)]
35
IRA forward-propagation vs Threat Observables back-propagation
[Figure: nodes 1 to 6, each running AGILLA MA-AEE; IRA and IRA clone move between nodes; Al[s] and ok are passed between nodes]
This mechanism avoids the injection of new IRA instances from the sink
36
WINSOME PBD (II)
[Layer diagram. Layers: Underlying WSN Deployment (Sensor Nodes); Secure Platform with IDS core comp (Anomaly Detection Logic, Threat Model), TAKS, ARCHEA, NetManager, LCD and Tuple Space; AGILLA MA-AEE with AGILLA services; Monitoring Applications with IRA, Integrity Monitoring Agent and other agents]
37
Secure Platform internal Structure
[Block diagram. Blocks: ADL, TM, IRL, IRLA, LCD, NetManager, Comms, Tuple Space, Remote Tuple Space, IRA, AGILLA MA-AEE. Signals: ok, Hp_xk, al[sk], cm[s], Control Msgs]
38
Next steps (near-term)
• Finalization of WINSOME components development
– on-going implementations of AGILLA enhancements
• 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
– on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
39
Next steps (mid-term)
[Diagram around the WINSOME Project. Labels: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems; Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]
40
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
41
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
42
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
43
Thank you for your attention
44
BACKUP SLIDES
45
Underlying WSN: Physical WSN Deployment
• Metrics
– Sensor Node Density (SND): It is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
– Overlapping Detection Spot Percentage (ODSP): It is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
– Minimize SND·ODSP to minimize coverage redundancy for a given SND
– Minimize SND/ODSP to maximize coverage reliability for a given SND
46
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
47
Underlying WSN: DCST Deployment
[Figure: DCST deployed over a network of nodes numbered 1 to 25]
48
Underlying WSN: DCST Self-Organization
[Figure: DCST over the nodes numbered 1 to 25]
49
Underlying WSN: DCST Self-Organization
[Figure: DCST over the nodes numbered 1 to 25]
50
Underlying WSN: DCST Self-Organization
[Figure: DCST over the nodes numbered 1 to 25]
51
Underlying WSN: DCST Self-Organization
[Figure: DCST over the nodes numbered 1 to 25]
52
Underlying WSN: DCST Self-Organization
[Figure: DCST over the nodes numbered 1 to 25]
53
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network
Scenario | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO, down 3 | 0.38 | 0.32 | 0.84
DCST-SO, down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO, down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO, down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO, rearrange 12 | 0.48 | 0.25 | 1.10
54
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any u in U is a 3-ple where ux, uy, uz are elements in GF(q)
• Let f() a function satisfying the following requirements
R1: Be a one-way function
R2: must hold for where is an arbitrary commutative operator
const)u(f)u(f)u(f)u(f Uuu
• Let V() a 2-variable function satisfying the following requirements
R3: Be a one-way function
R4: V(v, v') = 0 only for a particular sub-set of values v, v' V U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
55
TAKS Definitions (2/2): Local Configuration Data
a. Let A U, M U. Elements in A are defined as follows: a, a' A if m M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b B GF(q) not a generator) in B. B is secret
c. Let c C U. C is secret
d. Let the explicit expression for where m M satisfied Ass (a) and k GF(q) is an arbitrary constant. The definition for f() is compliant with R1 and R2 because
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
for where (hereafter omitted) is the mod q product
e. Let kl, k'l KL U (private) and kt, k't KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t T U (restricted) be the LocPldTop such that for the generic kt KT is t·kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
57
TAK Authentication Theorem
In a node pair ni and nj, if t in σ(i) exists such that g(t, ktj) = t·ktj = 0, then node nj is authenticated by node ni. Vice versa, if t in σ(j) exists such that g(t, kti) = t·kti = 0, then node ni is authenticated by node nj (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs
– TrKeyCompj: vector ktj from node nj (the prover)
– LocPldTopi: vector t for node ni (the verifier)
– If ktj·ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant with requirements R3 and R4
58
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, with xi in X and x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi in O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1=xj|xk=xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok=oj|xk=xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated with the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A · Free_xi)
k-1
59
WPM-based Threat Model: Algebraic Canonical Form
$x_{k+1} = A x_k$
$o_k = B x_k$
A
0110000010010010100100000
(i-th column gives the states reachable from the i-th state)
B
100010100000110110100010010001
(i-th column gives the observables of the i-th state)
x0
00001
xF
10000
60
WPM-based Threat Model: Generation of Hypothetic States Traces
$x_{k+1} = A x_k$
$x_k = B^T o_k$
[Figure: trace generation over 6 observation steps, alternating xk = B^T ok and xk+1 = A xk. Labels: o1 = 3 with x1 = 4, x1 = 5; o2 = 1 with x2 = 1, x2 = 5; o3 = 4 with x3 = 2, x3 = 3; o4 = 2 with x4 = 3; o5 = 5 with x5 = 4; o6 = 6 with x6 = 1, x6 = 5; resulting traces Tr1 6 = 1245, Tr2 6 = 1351]
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
67
ADL Component
[Figure: ADL Component block diagram. Labels: WML, ok, Hp_xk, Tuple Space, Remote Tuple Space, AG, AR, TM, ADL, al[sk], NetManager, Comms, LCD, TGMP msgs, ARCHEA msgs]
68
AG sub-Component
[Figure: AG sub-Component block diagram. Labels: al[sk], Hp_xk, Free_xi<k, Free_xk, Tuple Space, AG, WML, Score Computation, Trace Estimation, TM]
69
TM Component
[Figure: TM Component block diagram. Labels: Hp_xk, TM (A, B, x0, xF), ok, AG, AR, Remote Tuple Space, ADL]
70
NetManager Component
[Figure: NetManager Component block diagram. Labels: LCD, Comms, TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], Tuple Space, TAKS, ARCHEA, NetManager, AR, TAKgen okko]
71
TAKS Component
[Figure: TAKS Component block diagram. Labels: Network Topology Authentication, Key Generation, LCD, klj, ktj, σ(j), cm[s], Tuple Space, TAKS, ARCHEA, AR, TAKgen okko, ReplaceKey, RevokeKey, TinySec, Comms, TGMP, TGMP msgs, RELEASE_ind(niCH)]
72
ARCHEA Component
[Figure: ARCHEA Component block diagram. Labels: Route Cost Computation, ARCHEA, ARCHEA Manager, TAKS, Comms, AR, ARCHEA msgs, RELEASE_ind(niCH)]
73
TAK Gen Management Prot (TGMP)
[Figure: TGMP message sequence between nodes ni and nj. Labels: (1), (2), SETUP(kti), SETUP(ktj), ti · kti = 0, tj · ktj = 0, TAKi = f(kli, ktj), TAKj = f(klj, kti), TAK-ciphered link, RELEASE(kti, ktj), RELEASE_ind(niCH), ARCHEA, LCDi, LCDj, TinySec RevokeKey(TAK), TinySec ReplaceKey(TAK)]
74
ARCHEA Protocol
[Figure: ARCHEA message sequence between nodes ni, nj and nl. Labels: (1) EVALUATE_RC(hi, σi), ni = CH = min RCi, UDPATE_H(hj), UDPATE_H(hl), RESET_H, hj = hl + 1, (2) RELEASE_ind(niCH), TAKS, TAK-ciphered link, σi = AN[σ(ni)], hi, hj, LCDi, LCDj]
7
Agent-based Distributed Architecture: Platform-Based Model
[Figure: layered architecture. Layers: Underlying WSN Deployment (Sensor Nodes); Secure Platform (SW components); Mobile Agent Application Execution Environment (MA-AEE) with MA-MW services, shared memory and local memory; Agent-based Applications (Agent A1, Agent A2, Agent An)]
8
WINSOME PBD (I)
[Figure: layered architecture. Layers: Underlying WSN Deployment (Sensor Nodes); Secure Platform (IDS Core comp, Link layer Cryptography, WSN Topology Manager); Mobile Agent Application Execution Environment (MA-AEE) with MA-MW services, shared memory and local memory; Monitoring Applications (IDS Agent comp, Integrity Monitoring Agent, other agents)]
9
WINSOME PBD (I)
[Figure: the same layered architecture, annotated with the following]
• AGILLA-based MA-AEE
• ARCHEA (Available Resource Cluster Head Election Algorithm)
• TAKS (Topology Authenticated symmetric Key Scheme)
• WPM-based IDS (Weak Process Model based Intrusion Detection System)
10
Underlying WSN: Physical WSN Deployment
Q: Given a set of Sensor Nodes, find the class of WSN physical deployments (geometrical node distributions) compliant to coverage (redundancy vs reliability) and resource requirements
A: Coverage-Cost Quality Indicators; Conditions for lossless / lossy detection
[Figure: fundamental cells for the Min Redundancy Configuration and the Max Reliability Configuration; labels: r, 3r]
11
Underlying WSN: Logical WSN Deployment (Network Topology)
• Dynamic Clustered Spanning Tree (DCST): It represents a design assumption motivated by
  – Cluster Heads (CHs) assigned on-demand (by a Cost Function)
  – Support to "data centric" applications (functions → data)
  – "Table-less" routing protocols
  – Support to data aggregation / fusion (at CHs)
  – Support the mobile agent propagation from CHs to their CMs
[Figure: clustered spanning trees with Cluster Heads (CH) and the Base Station (BS)]
12
Underlying WSN: Planned Network Topology
• Planned Network Topology (PNT graph): Defines the graph including the sub-set of DCSTs compliant to the specific constraints defined by the Planner (→ admissible DCSTs)
  – Each node knows its admissible neighbors
• How many DCSTs in a given PNT? Kirchhoff's Theorem
N: the nodes in the network; <σ>: average neighbors per node
1NN1
[Figure: two example PNT graphs, with 7 and 9 numbered nodes]
N = 7; <σ>: 3.4; 220
σ(1) = 3, σ(2) = 3, σ(3) = 6, σ(4) = 3, σ(5) = 3, σ(6) = 3, σ(7) = 3
N = 9; <σ>: 4.4; 15600
σ(1) = 3, σ(2) = 5, σ(3) = 8, σ(4) = 5, σ(5) = 3, σ(6) = 5, σ(7) = 3, σ(8) = 3, σ(9) = 5
13
WSN Topology Manager (ARCHEA)
Q: Given a WSN physical deployment and a Planned Network Topology, find the class of "short" and "balanced" admissible DCSTs compliant to resource requirements
A: ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices
Route-Cost Quality Indicators
• It includes the conditions to preserve spanning trees in WSN [Sec 5.2]
• It is shown [Sec 5.4] that the elected CH has minimum Hop Count (hCH) to sink and maximum number of CM [σ(CH)] with respect to the other eligible nodes (→ balanced cluster sizes)
• Short and balanced DCST: It represents a design assumption motivated by
  – Reduced code transmission hops (for mobile agent propagation)
  – Augmented reliability in data aggregation at CHs
  – ARCHEA and routing messages can be crypto-secured
14
TAKS: Driving Ideas & Tools
Link layer Cryptography provides security against outsider intruders
• TAKs are symmetric, pair-wise, not pre-distributed (only key components are pre-distributed)
• TAKS is deterministic
• TAKs are symmetric keys generated using asymmetric mechanisms (hybrid cryptography)
• Network Topology Authentication as pre-condition for TAK generation
• Cryptographic Entropy per TAK binit ≈ 1 bit (for any TAK length)
• Certification Authority is distributed on nodes of the admissible DCSTs
• Reverse engineering problem more complex than Discrete Logarithm Problem (DLP)
• Cryptographic information is classified in public / restricted / private / secret
• Vector algebra on GF(q) with q = 2^k and k the TAK length in binit
15
TAKS: Topology Authentication
• Network Topology Authentication as pre-condition for TAK generation
• If the Planner is also Certifier
  – Planned Network Topology → Certified Network Topology
  – Admissible DCST → Authenticated DCST
• Node in an Authenticated DCST becomes local CA because it knows its admissible neighbors
  – Centralized CA → Distributed CA
TAK can be generated in a node pair only if mutual authentication has been successful; therefore the resulting DCST is both admissible and authenticated
16
TAK Generation
[Figure: flowchart for the node pair ni, nj, which exchange TrKeyCompi and TrKeyCompj. Labels: V(TrKeyCompj, LocPldTopi) = 0, YES: Node nj is authenticated, Keyi = f(LocKeyCompi, TrKeyCompj); V(TrKeyCompi, LocPldTopj) = 0, YES: Node ni is authenticated, Keyj = f(LocKeyCompi, TrKeyCompj); NO branches, Intrusion Detection System, external server; TAK = Keyi = Keyi]
TAK Authentication Theorem [Sec 6.4.1]
TAK Generation Theorem [Sec 6.4.2]
f() and V() [Sec 6.4] are public (Kerckhoffs's principle)
Local Conf Data [Sec 6.4]: LocKeyComp (private), TrKeyComp (restricted), LocPldTop (restricted)
17
Security Analysis
Q: Is TAK a real cryptographic key? I.e., what is the cryptographic entropy per binit associated to TAK?
A: It is shown [Sec 6.5.1] that TAK Cryptographic Entropy per binit is ≈ 1
Q: How secure is a single node? I.e., how complex is the inverse problem of breaking TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec 6.5.2] that it is harder than the Discrete Logarithm Problem
Q: How secure is a network? I.e., how many nodes should be compromised to derive TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec 6.5.3] that the TAKS scheme is N-secure
18
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 μs
• IMOTE (32-bit processor PXA271 XScale, 312 / 416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 μs (assuming a conservative 300 MHz clock)
bull Memory usage is bitsqlog)2(3 2
TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming 4 )
128 bit | 1400 | 5 ms | 50 μs | 300 bytes
256 bit | 13000 | 40 ms | 400 μs | 600 bytes
512 bit | 120000 | 370 ms | 3.7 ms | 1200 bytes
1024 bit | 1100000 | 3.2 s | 32 ms | 2400 bytes
19
Reference IDS Macro-functions
• Intrusion Alarm Generation issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL) defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA) reacts to intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists, grey lists, …)
[Figure: Intrusion Alarm Generation, Intrusion Reaction Logic and Intrusion Reaction Application blocks, with Local Conf Data and Control messages]
20
WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message → Anomaly Rules → Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – Deterministic vs stochastic observable-state relationships
  – "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables → States Traces → Scores → Alarm → Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – "possible states traces" vs "the most probable states trace" (Viterbi)
  – Possible states traces are equi-probable
• Alarm generation when at least a states trace contains at least an HPA
  – Scores (weights) associated to state traces
21
WPM-based IDS: Micro-functions
[Figure: block diagram. Blocks: Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Local Conf Data, Control messages]
22
WPM-based IDS: Information Flow
[Figure: the same block diagram with flows labelled Signalling IE, xk, ok, Al[sk], cm(s)]
23
WPM-based Anomaly Detection Model
[Figure: WPM states traces over observation steps k = 1 … 6 for the observable sequence o6 = 3 1 4 2 5 6, with LPA and HPA states marked and alarms al[01|01] and al[02|00]. Panels: Score Matrix S (L = 1, H = 100), Score Computation, WPM Algebraic Canonical Form, WPM States Traces]
24
Threats from insider intruders
[Figure: four cluster scenarios with nodes CH, M, ni, nj and E: HELLO Flooding (HF), SINKHOLE (SH), inter-cluster WORMHOLE and intra-cluster WORMHOLE (WH); label: low latency link]
25
Examples of Anomaly Rules
AR1: If nE has authenticated node nE, node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if there are no observables for a sequence of K observation steps, with K a predefined threshold
…
26
WPM-based Single Threats Models
[Figure: WPM state machines for HELLO Flooding (HF; states HF_1 … HF_6, with HF_5 RESET and HF_6 SUCCESSFULLY H FLOODING), SINKHOLE (SH; states SH_1 … SH_4, with SH_3 RESET and SH_4 SUCCESSFULLY SINKHOLE) and WORMHOLE (WH; states WH_1 … WH_6, with WH_5 RESET and WH_6 SUCCESSFULLY WORMHOLE); transitions are labelled with observables and scores]
27
Aggregated Threat Model (I)
[Figure: aggregated WPM state machine with states X_1 … X_10 (X_9 RESET, X_10 SUCCESSFULLY THREAT); transitions are labelled with observables and scores; alarms Al[sk]]
28
Security Analysis
[Figure: score versus observation step (obs, 1 to 31) for HF, WH and SH, comparing ATM and STM. Observable sequences: 8886678555586775 (HF), 21221112112221 (SH), 312213342342244 (WH)]
29
Security Analysis
[Figure: score versus observation step (obs, 1 to 31) for two example topologies with nodes E; panels labelled (WH) and (SH)]
30
Aggregated Threat Model (II)
[Figure: the aggregated WPM state machine with states X_1 … X_10 (X_9 RESET, X_10 SUCCESSFULLY THREAT) and a UPA state marked]
31
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 μs
• IMOTE (32-bit processor PXA271 XScale, 312 / 416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 μs (assuming a conservative 300 MHz clock)
• Memory usage is nWML + 3n^2 bytes
nWML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
32
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two nodes, (1,1) and (2,1), each running TinyOS, the Agilla Middleware (Middleware Services, Tuplespace, Neighbor List) and Agents; labels: migrate, clone, remote access, MA-AEE]
[source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech Report WUCSE-2006-16, 2006]
33
Enhanced AGILLA MA-AEE
[Figure: layered architecture. Layers: Underlying WSN Deployment (Sensor Nodes); Secure Platform (SW components); AGILLA MA-AEE with AGILLA services, Tuple space and local memory; Agent-based Applications (Agent A1, Agent A2, Agent An)]
34
IDS Functions Mapping
[Figure: mapping of the IDS functions (Defense Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, LCD, Control messages) onto the IDS Core comp and the IDS MA comp; IRA: Intrusion Reaction Agent]
35
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running the AGILLA MA-AEE; the IRA is cloned from node to node while Al[s] and ok are propagated back]
This mechanism avoids the injection of new IRA instances from the sink
36
WINSOME PBD (II)
[Figure: layered architecture. Layers: Underlying WSN Deployment (Sensor Nodes); Secure Platform (IDS core comp with Anomaly Detection Logic and Threat Model, TAKS, ARCHEA, NetManager, LCD, Tuple Space); AGILLA MA-AEE (AGILLA services); Monitoring Applications (IRA, Integrity Monitoring Agent, other agents)]
37
Secure Platform internal Structure
[Figure: Secure Platform block diagram. Labels: AGILLA MA-AEE, IRA, Tuple Space, Remote Tuple Space, cm[s], ok, al[sk], Hp_xk, Comms, NetManager, Control Msgs, TM, ADL, IRL, IRLA, LCD]
38
Next steps (near-term)
• Finalization of WINSOME components development
  – on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  – on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
39
Next steps (mid-term)
[Figure: WINSOME Project roadmap. Labels: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]
40
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
41
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
42
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
43
Thank you for your attention
44
BACKUP SLIDES
45
Underlying WSN: Physical WSN Deployment
• Metrics
  – Sensor Node Density (SND): It is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  – Overlapping Detection Spot Percentage (ODSP): It is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  – Minimize SND·ODSP to minimize coverage redundancy for a given SND
  – Minimize SND/ODSP to maximize coverage reliability for a given SND
46
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)
Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
47
Underlying WSN: DCST Deployment
[Figure: DCST over 25 numbered nodes]
48
Underlying WSN: DCST Self-Organization
[Figure: DCST over the 25 numbered nodes, self-organization step]
49
Underlying WSN: DCST Self-Organization
[Figure: DCST over the 25 numbered nodes, self-organization step]
50
Underlying WSN: DCST Self-Organization
[Figure: DCST over the 25 numbered nodes, self-organization step]
51
Underlying WSN: DCST Self-Organization
[Figure: DCST over the 25 numbered nodes, self-organization step]
52
Underlying WSN: DCST Self-Organization
[Figure: DCST over the 25 numbered nodes, self-organization step]
53
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network
Configuration | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO: down 3 | 0.38 | 0.32 | 0.84
DCST-SO: down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO: down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO: down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO: rearrange 12 | 0.48 | 0.25 | 1.10
54
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer, for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple, where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements
  R1: Be a one-way function
  R2: must hold for
  const)u(f)u(f)u(f)u(f Uuu
  where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements
  R3: Be a one-way function
  R4: V(v, v') = 0 only for a particular sub-set of values v, v' V U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
55
TAKS Definitions (2/2): Local Configuration Data
a. Let A U, M U. Elements in A are defined as follows: a, a' A if m M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b B GF(q) (not a generator) in B. B is secret
c. Let c C U. C is secret
d. Let the explicit expression for where m M satisfied Ass (a) and k GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e. Let kl, k'l KL U (private) and kt, k't KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t T U (restricted) be the LocPldTop such that for the generic kt KT is t · kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
57
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t · ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t · kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to one of the logical "planned" neighbors of node i
• TAK authentication needs
  – TrKeyCompj: vector ktj from node nj (the prover)
  – LocPldTopi: vector t for node ni (the verifier)
  – If ktj · ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
58
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k = 0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A · Free_xi)
k-1
59
WPM-based Threat Model: Algebraic Canonical Form
xk+1 = A xk
ok = B xk
A =
0 1 1 0 0
0 0 0 1 0
0 1 0 0 1
0 1 0 0 1
0 0 0 0 0
(the i-th column gives the states reachable from the i-th state)
B =
1 0 0 0 1
0 1 0 0 0
0 0 1 1 0
1 1 0 1 0
0 0 1 0 0
1 0 0 0 1
(the i-th column gives the observables of the i-th state)
x0 = (0 0 0 0 1)
xF = (1 0 0 0 0)
60
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: hypothetic states traces built over six observation steps by alternating xk = B^T ok and xk+1 = A xk. Labels: o1 = 3, o2 = 1, o3 = 4, o4 = 2, o5 = 5, o6 = 6; traces Tr1 and Tr2]
61
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined
  – Low Potential Attack (LPA): An attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  – High Potential Attack (HPA): An attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
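The trace-and-alarm logic of the WPM definitions and hazard levels above, as an added example (not code from the dissertation or the WINSOME project). The 5-state model, the matrix orientation (A[i][j], B[o][x]), the restart from x0 when no trace fits, and checking the hazard level on each trace's latest state are assumptions of this sketch.

```python
from collections import deque

# Constructed 5-state threat model (an assumption for this example, not one of
# the deck's HF/SH/WH models). A[i][j] = 1 when state j is reachable from
# state i in one step; all entries are 0 or 1, as in a WPM.
A = [
    [0, 1, 1, 0, 0],  # 0 idle      -> 1, 2
    [0, 0, 0, 1, 0],  # 1 probing   -> 3
    [1, 0, 0, 0, 0],  # 2 benign    -> 0
    [0, 0, 0, 0, 1],  # 3 escalated -> 4
    [1, 0, 0, 0, 0],  # 4 final     -> 0
]
# B[o][x] = 1 when state x can emit observable o (q x n, 0-1 entries only).
B = [
    [0, 1, 1, 0, 0],  # o0 is ambiguous: emitted by states 1 and 2
    [0, 0, 0, 1, 0],  # o1: state 3
    [1, 0, 0, 0, 0],  # o2: state 0
    [0, 0, 0, 0, 1],  # o3: state 4
]
X0, XF = 0, 4  # initial and final state


def hops_to_final(A, final):
    """Minimum number of transitions from every state to the final state
    (breadth-first search over reversed edges); None if unreachable."""
    n = len(A)
    hops = [None] * n
    hops[final] = 0
    queue = deque([final])
    while queue:
        j = queue.popleft()
        for i in range(n):
            if A[i][j] and hops[i] is None:
                hops[i] = hops[j] + 1
                queue.append(i)
    return hops


def hazard_level(hops):
    """HPA: 1 hop to the final state. LPA: at least 2 hops. Otherwise None."""
    if hops == 1:
        return "HPA"
    if hops is not None and hops >= 2:
        return "LPA"
    return None


def detect(A, B, x0, final, observations, wml=8):
    """Track every state trace consistent with the observables (all traces are
    equally possible, no probabilities) and report (step, trace) whenever a
    trace reaches an HPA state. Traces keep only their last `wml` states."""
    hops = hops_to_final(A, final)
    traces = [[x0]]
    alarms = []
    for k, obs in enumerate(observations, start=1):
        # Hp_xk: hidden states that can emit the observable seen at step k.
        hyp = {x for x, bit in enumerate(B[obs]) if bit}
        extended = []
        for trace in traces:
            for x in sorted(hyp):
                if A[trace[-1]][x]:  # x must be reachable from the trace end
                    cand = (trace + [x])[-wml:]
                    if cand not in extended:
                        extended.append(cand)
        # Assumption: an observable that fits no trace restarts tracking at x0.
        traces = extended or [[x0]]
        for trace in traces:
            if hazard_level(hops[trace[-1]]) == "HPA":
                alarms.append((k, trace))
    return alarms, traces


if __name__ == "__main__":
    for seq in ([0, 1], [0, 2], [1]):
        print(seq, detect(A, B, X0, XF, seq))
```

The ambiguous observable o0 keeps two traces alive until the next observable decides between them, which is the case the 0-1 model handles without a Viterbi-style "most probable" path.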
62
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
WINSOME PBD (I)
[Figure: layered platform-based design. Layers: Underlying WSN Deployment (Sensor Nodes), Secure Platform, Mobile Agent Application Execution Environment (MA-AEE), Monitoring Applications. Blocks: Link layer Cryptography, WSN Topology Manager, IDS Core comp, IDS Agent comp, MA-MW services, Shared memory, Local memory, Integrity Monitoring Agent, other agents.]
WINSOME PBD (I)
[Figure: the same layered design, annotated with the WINSOME building blocks:]
• AGILLA-based MA-AEE
• ARCHEA (Available Resource Cluster Head Election Algorithm)
• TAKS (Topology Authenticated symmetric Key Scheme)
• WPM-based IDS (Weak Process Model based Intrusion Detection System)
Underlying WSN: Physical WSN Deployment
Q: Given a set of Sensor Nodes, find the class of WSN physical deployments (geometrical node distributions) compliant to coverage (redundancy vs reliability) and resource requirements
A: Coverage-Cost Quality Indicators; conditions for lossless / lossy detection
[Figure: fundamental cells of the Min Redundancy Configuration and of the Max Reliability Configuration, with distances labelled r and 3r.]
Underlying WSN: Logical WSN Deployment (Network Topology)
• Dynamic Clustered Spanning Tree (DCST): it represents a design assumption motivated by
  - Cluster Heads (CHs) assigned on-demand (by a Cost Function)
  - Support to "data centric" applications (functions → data)
  - "Table-less" routing protocols
  - Support to data aggregation / fusion (at CHs)
  - Support the mobile agent propagation from CHs to their CMs
[Figure: clustered spanning trees of Cluster Heads (CH) rooted at the Base Station (BS).]
Underlying WSN: Planned Network Topology
• Planned Network Topology (PNT graph): defines the graph including the sub-set of DCSTs compliant to the specific constraints defined by the Planner (→ admissible DCSTs)
  - Each node knows its admissible neighbors
• How many DCSTs in a given PNT? Kirchhoff's Theorem
N: the nodes in the network; <σ>: average neighbors per node
1NN1
[Figure: two example PNT graphs, with 7 and 9 nodes.]
• N = 7, <σ> 34, 220; σ(1) = 3, σ(2) = 3, σ(3) = 6, σ(4) = 3, σ(5) = 3, σ(6) = 3, σ(7) = 3
• N = 9, <σ> 44, 15600; σ(1) = 3, σ(2) = 5, σ(3) = 8, σ(4) = 5, σ(5) = 3, σ(6) = 5, σ(7) = 3, σ(8) = 3, σ(9) = 5
WSN Topology Manager (ARCHEA)
Q: Given a WSN physical deployment and a Planned Network Topology, find the class of "short" and "balanced" admissible DCSTs compliant to resource requirements
A: ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices
Route-Cost Quality Indicators
• It includes the conditions to preserve spanning trees in WSN [Sec 52]
• It is shown [Sec 54] that the elected CH has minimum Hop Count (hCH) to sink and maximum number of CM [σ(CH)] with respect to the other eligible nodes (→ balanced cluster sizes)
• Short and balanced DCST: it represents a design assumption motivated by
  - Reduced code transmission hops (for mobile agent propagation)
  - Augmented reliability in data aggregation at CHs
  - ARCHEA and routing messages can be crypto-secured
TAKS: Driving Ideas & Tools
Link layer Cryptography provides security against outsider intruders
• TAKs are symmetric, pair-wise, not pre-distributed (only key components are pre-distributed)
• TAKS is deterministic
• TAKs are symmetric keys generated using asymmetric mechanisms (hybrid cryptography)
• Network Topology Authentication as pre-condition for TAK generation
• Cryptographic Entropy per TAK binit 1 bit (for any TAK length)
• Certification Authority is distributed on nodes of the admissible DCSTs
• Reverse engineering problem more complex than Discrete Logarithm Problem (DLP)
• Cryptographic information is classified in public, restricted, private, secret
• Vector algebra on GF(q) with q = 2^k and k the TAK length in binit
TAKS: Topology Authentication
• Network Topology Authentication as pre-condition for TAK generation
• If the Planner is also Certifier
  - Planned Network Topology → Certified Network Topology
  - Admissible DCST → Authenticated DCST
• A node in an Authenticated DCST becomes a local CA because it knows its admissible neighbors
  - Centralized CA → Distributed CA
A TAK can be generated in a node pair only if mutual authentication has been successful; therefore the resulting DCST is both admissible and authenticated
TAK Generation
[Figure: flowchart of TAK generation between nodes ni and nj. The nodes exchange TrKeyCompi and TrKeyCompj. Each node evaluates V() on the received TrKeyComp and its own LocPldTop and checks that the result is 0; on YES the peer node is authenticated and the node computes its key with f() from its own LocKeyComp and the received TrKeyComp. Other labels: NO, Intrusion Detection System, external server, TAK.]
TAK Authentication Theorem [Sec 641]
TAK Generation Theorem [Sec 642]
f() and V() [Sec 64] are public (Kerckhoffs's principle)
Local Conf Data [Sec 64]: LocKeyComp (private), TrKeyComp (restricted), LocPldTop (restricted)
Security Analysis
Q: Is TAK a real cryptographic key? I.e., what is the cryptographic entropy per binit associated to TAK?
A: It is shown [Sec 651] that TAK Cryptographic Entropy per binit is ≈ 1
Q: How secure is a single node? I.e., how complex is the inverse problem of breaking the TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec 652] that it is harder than the Discrete Logarithm Problem
Q: How secure is a network? I.e., how many nodes should be compromised to derive the TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec 653] that the TAKS scheme is N-secure
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 74 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 s
• IMOTE (32-bit processor PXA271 Xscale, 312 416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
• Memory usage is bitsqlog)2(3 2
TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming 4 )
128 bit | 1400 | 5 ms | 50 s | 300 bytes
256 bit | 13000 | 40 ms | 400 s | 600 bytes
512 bit | 120000 | 370 ms | 37 ms | 1200 bytes
1024 bit | 1100000 | 32 s | 32 ms | 2400 bytes
Reference IDS Macro-functions
• Intrusion Alarm Generation: issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL): defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA): reacts to intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists, grey lists, …)
[Figure: blocks Intrusion Alarm Generation, Intrusion Reaction Logic and Intrusion Reaction Application, with Local Conf Data and Control messages.]
WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message Anomaly Rules Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  - Deterministic vs stochastic observable-state relationships
  - "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables States Traces Scores Alarm Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  - "possible states traces" vs "the most probable states trace" (Viterbi)
  - Possible states traces are equi-probable
• Alarm generation when at least one states trace contains at least one HPA
  - Scores (weights) associated to state traces
WPM-based IDS Micro-functions
[Figure: block diagram. Blocks: Anomaly Detection Logic, Threat Model, Alarm Tracking, Defence Strategy, Countermeasure Application, Local Conf Data, Control messages.]
WPM-based IDS Information Flow
[Figure: the same blocks with the exchanged information. Labels: Signalling IE, xk, ok, Al[sk], cm(s).]
WPM-based Anomaly Detection Model
[Figure: WPM Algebraic Canonical Form and WPM States Traces over observation steps k = 1 … 6 for the observable sequence o6 = 3 1 4 2 5 6; Score Matrix S and Score Computation with L = 1 (LPA) and H = 100 (HPA); alarms al[01|01] and al[02|00].]
Threats from insider intruders
[Figure: four attack scenarios drawn on a cluster with nodes CH, M, E, ni and nj: HELLO Flooding (HF), SINKHOLE (SH), inter-cluster WORMHOLE and intra-cluster WORMHOLE (WH). Other label: low latency link.]
Examples of Anomaly Rules
AR1: If nE has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables are produced for a sequence of K observation steps, with K a predefined threshold
…
WPM-based Single Threats Models
[Figure: WPM state machines for the three single threats, annotated with observables and scores (1, 99, -1, -100): HELLO Flooding (HF), states HF_1 to HF_6 with HF_5 RESET and HF_6 SUCCESSFULLY H FLOODING; SINKHOLE (SH), states SH_1 to SH_4 with SH_3 RESET and SH_4 SUCCESSFULLY SINKHOLE; WORMHOLE (WH), states WH_1 to WH_6 with WH_5 RESET and WH_6 SUCCESSFULLY WORMHOLE.]
Aggregated Threat Model (I)
[Figure: aggregated WPM state machine with states X_1 to X_10 (X_9 RESET, X_10 SUCCESSFULLY THREAT), annotated with observables, scores (1, 99, -1, -100) and alarms Al[sk].]
Security Analysis
[Figure: score versus observation step (obs 1 to 31) for the observable sequences (HF) 8886678555586775, (SH) 21221112112221 and (WH) 312213342342244; legend: ATM, STM.]
Security Analysis
[Figure: network scenarios with nodes labelled E and the corresponding score versus observation step plots (obs 1 to 31), labelled (WH) and (SH).]
Aggregated Threat Model (II)
[Figure: the aggregated WPM state machine (states X_1 to X_10, X_9 RESET, X_10 SUCCESSFULLY THREAT) with an UPA state marked.]
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 74 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 s
• IMOTE (32-bit processor PXA271 Xscale, 312 416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
• Memory usage is bytes2n3WMLn
nWML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming 10n )
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two nodes, Node (11) and Node (21), each running TinyOS, the Agilla Middleware (Middleware Services, Tuplespace, Neighbor List) and Agents; arrows labelled migrate, clone and remote access. Side label: MA-AEE.]
[source: Fok C-L et al, "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Figure: layered diagram. Layers: Underlying WSN Deployment (Sensor Nodes), Secure Platform, AGILLA MA-AEE, Agent-based Applications. Blocks: SW component, SW component, AGILLA services, Tuple space, Local memory, Agent A1, Agent A2, Agent An.]
IDS Functions Mapping
[Figure: mapping of the IDS functions (Anomaly Detection Logic, Threat Model, Alarm Tracking, Defense Strategy, Countermeasure Application, LCD, Control messages) onto the IDS Core comp and the IDS MA comp. IRA: Intrusion Reaction Agent.]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running the AGILLA MA-AEE, with IRA clone arrows between nodes and Al[s], ok labels on the links.]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Figure: layered design. Layers: Underlying WSN Deployment (Sensor Nodes), Secure Platform, AGILLA MA-AEE, Monitoring Applications. Blocks: TAKS, ARCHEA, NetManager, LCD, Tuple Space, Anomaly Detection Logic, Threat Model, IDS core comp, AGILLA services, IRA, Integrity Monitoring Agent, other agents.]
Secure Platform internal Structure
[Figure: block diagram. Blocks: ADL, TM, IRL, IRLA, LCD, NetManager, Comms, Tuple Space, Remote Tuple Space, IRA, AGILLA MA-AEE. Labelled flows: ok, Hp_xk, al[sk], cm[s], Control Msgs.]
Next steps (near-term)
• Finalization of WINSOME components development
  - on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  - on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: topic map around the WINSOME Project. Labels: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems; Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies.]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
  - Sensor Node Density (SND): it is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  - Overlapping Detection Spot Percentage (ODSP): it is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  - Minimize SND·ODSP to minimize coverage redundancy for a given SND
  - Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP
SNs at the centre of hexagon | 033 | 034 | 011 | 097
SNs at the centre of square | 033 | 072 | 024 | 046
SNs at the vertices of hexagon | 036 | 234 | 084 | 015
SNs at the vertices of square | 036 | 156 | 056 | 023
Underlying WSN: DCST Deployment
[Figure: DCST deployed over a network of 25 numbered nodes.]
Underlying WSN: DCST Self-Organization
[Figures: five successive DCST self-organization steps on the same 25-node network.]
Underlying WSN: Route-cost Quality Indicators
• <CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
• <σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
• <h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network
Scenario | <CH> | <σ> | <h>
DCST-Deployment | 036 | 033 | 080
DCST-SO, down 3 | 038 | 032 | 084
DCST-SO, down 3-4 | 039 | 031 | 087
DCST-SO, down 3-4-11 | 045 | 026 | 103
DCST-SO, down 3-4-11-8 | 048 | 025 | 117
DCST-SO, rearrange 12 | 048 | 025 | 110
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer, for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any uU is a 3-pla where ux uy uz are elements in GF(q)
• Let a function satisfying the following requirements
  R1: Be a one-way function
  R2: must hold for where is an arbitrary commutative operator
• Let V() a 2-variable function satisfying the following requirements
  R3: Be a one-way function
  R4: V(v, v') = 0 only for a particular sub-set of values v v' V U
The explicit expressions for and are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
TAKS Definitions (2/2): Local Configuration Data
a. Let A U M U. Elements in A are defined as follows: a a' A if mM exists such that m(a × a') ≠ 0. A and M are secret
b. Let b B GF(q) not a generator) in B. B is secret
c. Let c C U. C is secret
d. Let the explicit expression for where mM satisfied Ass (a) and kGF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because for where (hereafter omitted) is the mod q product
e. Let kl kl' KL U (private) and kt kt' KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t T U (restricted) be the LocPldTop such that for the generic kt KT is t · kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t σ(i) exists such that g(t, ktj) = t · ktj = 0, then node nj is authenticated by node ni. Vice versa, if t σ(j) exists such that g(t, kti) = t · kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor of node i
• TAK authentication needs
  - TrKeyCompj: vector ktj from node nj (the prover)
  - LocPldTopi: vector t for node ni (the verifier)
  - If ktj ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1 x2 … xk, xi X, with x0 (k = 0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1 o2 … ok, with oi O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k: the sub-set of possible (hidden) states associated to the observable ok, Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi)
k-1
WPM-based Threat Model: Algebraic Canonical Form
x_{k+1} = A x_k
o_k = B x_k
A = 0110000010010010100100000 (the i-th column gives the states reachable from the i-th state)
B = 100010100000110110100010010001 (the i-th column gives the observables of the i-th state)
x0 = 00001
xF = 10000
WPM-based Threat Model: Generation of Hypothetic States Traces
x_{k+1} = A x_k
x_k = B^T o_k
[Figure: trellis of hypothetic states over six observation steps, obtained by alternating x_k = B^T o_k and x_{k+1} = A x_k: o1 = 3 gives x1 = 4 or x1 = 5; o2 = 1 gives x2 = 1 or x2 = 5; o3 = 4 gives x3 = 2 or x3 = 3; o4 = 2 gives x4 = 3; o5 = 5 gives x5 = 4; o6 = 6 gives x6 = 1 or x6 = 5. Two hypothetic states traces, Tr1 and Tr2, are marked.]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined
  - Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  - High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
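The WPM definitions (hypothetic engaged states Hp_xk = B^T ok, hypothetic states traces) and the LPA/HPA hazard levels can be exercised with the following added example, which is not code from the dissertation or the WINSOME project. The 5-state model, its three observables and all function names are constructed for illustration; A is stored as A[i][j] = 1 when state j is reachable from state i, and B as B[o][x] = 1 when state x can produce observable o.

```python
"""WPM trace estimation and HPA alarm on a constructed 5-state threat model."""
from collections import deque

# Constructed model (not the dissertation's matrices).
# A[i][j] = 1 when state j is reachable from state i in one step.
A_DEMO = [
    [0, 1, 1, 0, 0],  # state 0 (initial) -> 1, 2
    [0, 0, 0, 1, 0],  # state 1 -> 3
    [0, 1, 0, 1, 0],  # state 2 -> 1, 3
    [0, 0, 0, 0, 1],  # state 3 -> 4
    [0, 0, 0, 0, 0],  # state 4 (final: threat completed)
]
# B[o][x] = 1 when state x can produce observable o ("0-1" rule, no probabilities).
B_DEMO = [
    [0, 1, 1, 0, 0],  # observable 0 <- states 1, 2
    [0, 1, 0, 1, 0],  # observable 1 <- states 1, 3
    [0, 0, 0, 1, 1],  # observable 2 <- states 3, 4
]
X0, XF = 0, 4


def hazard_levels(A, final):
    """Label each state by hop distance to the final state:
    1 hop = HPA, 2 or more hops = LPA, the final state itself = FINAL."""
    n = len(A)
    hops = [None] * n
    hops[final] = 0
    queue = deque([final])
    while queue:  # breadth-first search along reversed transitions
        j = queue.popleft()
        for i in range(n):
            if A[i][j] and hops[i] is None:
                hops[i] = hops[j] + 1
                queue.append(i)
    labels = []
    for h in hops:
        if h is None:
            labels.append("NONE")  # final state not reachable from here
        elif h == 0:
            labels.append("FINAL")
        elif h == 1:
            labels.append("HPA")
        else:
            labels.append("LPA")
    return labels


def engaged_states(B, obs):
    """Hp_xk = B^T ok: every state compatible with the observable."""
    return [x for x, emits in enumerate(B[obs]) if emits]


def detect(A, B, x0, final, observations):
    """Return (surviving traces, alarms); each alarm is (step k, HPA states)."""
    labels = hazard_levels(A, final)
    traces = [[x0]]
    alarms = []
    for k, obs in enumerate(observations, start=1):
        hp = engaged_states(B, obs)
        # Extend each trace with every engaged state reachable from its last
        # state; traces that cannot explain the observable are dropped.
        # All surviving traces are kept: they are equi-probable in a WPM.
        traces = [t + [x] for t in traces for x in hp if A[t[-1]][x]]
        hpa_now = sorted({t[-1] for t in traces if labels[t[-1]] == "HPA"})
        if hpa_now:
            alarms.append((k, hpa_now))
    return traces, alarms


if __name__ == "__main__":
    for seq in ([0, 1], [0, 0], [2]):
        traces, alarms = detect(A_DEMO, B_DEMO, X0, XF, seq)
        print(seq, "traces:", traces, "alarms:", alarms)
```

An empty trace list means the observable sequence is not explained by the threat model, so no alarm is raised for it.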
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equations system should be solved for a m c b, which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a m c b)
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 − Nq free solutions for (a m c b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
→ ~ q^4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
9
Underlying WSN Deployment
Mobile Agent Application Execution Environment (MA-AEE)
IDSAgent comp
Monitoring Applications
IDSCore comp
Link layerCryptography
WSN TopologyManager
Secure Platform
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
IntegrityMonitoring
Agent
otheragents
MA-MWservices
Sharedmemory
Localmemory
Underlying WSN Deployment
Mobile Agent Application Execution Environment (MA-AEE)
IDSAgent comp
Monitoring Applications
IDSCore comp
Link layerCryptography
WSN TopologyManager
Secure Platform
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
IntegrityMonitoring
Agent
otheragents
MA-MWservices
Sharedmemory
Localmemory
WINSOME PBD (I)
AGILLA-basedMA-AEE
ARCHEA(Available Resource Cluster Head Election Algorithm)
TAKS(Topology Authenticated symmetric Key Scheme)
WPM-based IDS (Weak Process Model based Intrusion Detection System)
Doctorate Dissertation LrsquoAquila March 31st 2009
10
Underlying WSNPhysical WSN Deployment
Q Given a set of Sensor Nodes find the class of WSN physical deployments (geometrical nodes distributions) compliant to coverage (redundancy vs reliability) and resource requirements
Coverage-Cost Quality IndicatorsConditions for lossless lossy
detection
Min Redundancy Configuration Fundamental
cell
3r
r
Fundamentalcell
r
Max Reliability Configuration
A
Doctorate Dissertation LrsquoAquila March 31st 2009
11
Underlying WSNLogical WSN Deployment (Network
Topology)bull Dynamic Clustered Spanning Tree (DCST) It represents a design
assumption motivated byndash Cluster Heads (CHs) assigned on-demand (by a Cost Function)ndash Support to ldquodata centricrdquo applications (functions rarr data)ndash ldquoTable-lessrdquo routing protocolsndash Support to data aggregation fusion (at CHs)ndash Support the mobile agent propagation from CHs to their CMs
CH
CH
BS
CH
CH CH
BS

Underlying WSN: Planned Network Topology
• Planned Network Topology (PNT graph): defines the graph including the subset of DCSTs compliant with the specific constraints defined by the Planner (→ admissible DCSTs)
  - Each node knows its admissible neighbors
• How many DCSTs in a given PNT? Kirchhoff's Theorem:
  (1/N) <σ>^(N-1)
  with N the number of nodes in the network and <σ> the average number of neighbors per node
[Figure: two example PNT graphs with 7 and 9 nodes]
N = 7, <σ> ≈ 3.4: 220
σ(1) = 3, σ(2) = 3, σ(3) = 6, σ(4) = 3, σ(5) = 3, σ(6) = 3, σ(7) = 3
N = 9, <σ> ≈ 4.4: 15600
σ(1) = 3, σ(2) = 5, σ(3) = 8, σ(4) = 5, σ(5) = 3, σ(6) = 5, σ(7) = 3, σ(8) = 3, σ(9) = 5

WSN Topology Manager (ARCHEA)
Q: Given a WSN physical deployment and a Planned Network Topology, find the class of "short" and "balanced" admissible DCSTs compliant with resource requirements.
A: ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices.
Route-Cost Quality Indicators
• It includes the conditions to preserve spanning trees in WSN [Sec 52]
• It is shown [Sec 54] that the elected CH has minimum Hop Count (hCH) to the sink and maximum number of CMs [σ(CH)] with respect to the other eligible nodes (→ balanced cluster sizes)
• Short and balanced DCST: it represents a design assumption motivated by
  - Reduced code transmission hops (for mobile agent propagation)
  - Augmented reliability in data aggregation at CHs
  - ARCHEA and routing messages can be crypto-secured

TAKS: Driving Ideas & Tools
Link layer Cryptography provides security against outsider intruders
• TAKs are symmetric, pair-wise and not pre-distributed (only key components are pre-distributed)
• TAKS is deterministic
• TAKs are symmetric keys generated using asymmetric mechanisms (hybrid cryptography)
• Network Topology Authentication as pre-condition for TAK generation
• Cryptographic Entropy per TAK binit ≈ 1 bit (for any TAK length)
• Certification Authority is distributed on the nodes of the admissible DCSTs
• Reverse engineering problem more complex than the Discrete Logarithm Problem (DLP)
• Cryptographic information is classified as public, restricted, private or secret
• Vector algebra on GF(q) with q = 2^k and k the TAK length in binit

TAKS: Topology Authentication
• Network Topology Authentication as pre-condition for TAK generation
• If the Planner is also Certifier
  - Planned Network Topology → Certified Network Topology
  - Admissible DCST → Authenticated DCST
• A node in an Authenticated DCST becomes a local CA because it knows its admissible neighbors
  - Centralized CA → Distributed CA
A TAK can be generated in a node pair only if mutual authentication has been successful; therefore the resulting DCST is both admissible and authenticated.

TAK Generation
[Figure: flowchart of TAK generation between nodes ni and nj]
• Local Conf Data [Sec 64] on node ni: LocKeyCompi (private), TrKeyCompi (restricted), LocPldTopi (restricted); likewise LocKeyCompj, TrKeyCompj, LocPldTopj on node nj
• ni and nj exchange TrKeyCompi and TrKeyCompj
• TAK Authentication Theorem [Sec 641]: if V(TrKeyCompj, LocPldTopi) = 0, node nj is authenticated; if V(TrKeyCompi, LocPldTopj) = 0, node ni is authenticated. NO branch: Intrusion Detection System (external server)
• TAK Generation Theorem [Sec 642]: on YES, Keyi = f(LocKeyCompi, TrKeyCompj) and Keyj = f(LocKeyCompj, TrKeyCompi), with TAK = Keyi = Keyj
• f() and V() [Sec 64] are public (Kerckhoffs's principle)

Security Analysis
Q: Is TAK a real cryptographic key, i.e. what is the cryptographic entropy per binit associated with TAK?
A: It is shown [Sec 651] that the TAK Cryptographic Entropy per binit is ≈ 1.
Q: How secure is a single node, i.e. how complex is the inverse problem of breaking the TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec 652] that it is harder than the Discrete Logarithm Problem.
Q: How secure is a network, i.e. how many nodes should be compromised to derive the TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec 653] that the TAKS scheme is N-secure.

Cost Analysis
• MICA2: 8-bit processor ATMega128L at 7.4 MHz; assuming 20 clock cycles per arithmetic / logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor PXA271 XScale at 312 / 416 MHz; assuming 5 clock cycles per arithmetic / logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is 3(σ + 2) log2 q bits

TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming σ = 4)
128 bit | 1400 | 5 ms | 50 µs | 300 bytes
256 bit | 13000 | 40 ms | 400 µs | 600 bytes
512 bit | 120000 | 370 ms | 3.7 ms | 1200 bytes
1024 bit | 1100000 | 3.2 s | 32 ms | 2400 bytes

Reference IDS Macro-functions
• Intrusion Alarm Generation: issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL): defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA): reacts to an intrusion by applying the suitable countermeasures (link release, putting compromised nodes in quarantine, distributing black lists / grey lists, …)
[Figure: block diagram. Labels: Intrusion Alarm Generation; Intrusion Reaction Logic; Intrusion Reaction Application; Local Conf Data; Control messages]

WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message, Anomaly Rules, Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  - Deterministic vs stochastic observable-state relationships
  - "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables, States Traces, Scores, Alarm, Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  - "possible states traces" vs "the most probable states trace" (Viterbi)
  - Possible states traces are equi-probable
• Alarm generation when at least one states trace contains at least one HPA
  - Scores (weights) associated with state traces

WPM-based IDS Micro-functions
[Figure: block diagram. Labels: Defence Strategy; Anomaly Detection Logic; Threat Model; Alarm Tracking; Countermeasure Application; Local Conf Data; Control messages]

WPM-based IDS Information Flow
[Figure: block diagram. Labels: Defence Strategy; Anomaly Detection Logic; Threat Model; Alarm Tracking; Countermeasure Application; Local Conf Data; Control messages. Signals: Signalling IE, xk, ok, Al[sk], cm(s)]

WPM-based Anomaly Detection Model
[Figure: WPM Algebraic Canonical Form; WPM States Traces for k = 1 … 6 with observable sequence o6 = 3 1 4 2 5 6; Score Matrix S and Score Computation with L = 1 and H = 100 (LPA and HPA states); alarms al[01|01] and al[02|00]]

Threats from insider intruders
[Figure: four attack scenarios on clusters with nodes ni, nj, CH, M and E: HELLO Flooding (HF); SINKHOLE (SH); intra-cluster WORMHOLE and inter-cluster WORMHOLE (WH), with a low latency link]

Examples of Anomaly Rules
AR1: If ni has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1.
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation.
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs).
The observable ok = o9 is produced if there are no observables for a sequence of K observation steps, with K a predefined threshold.
…

WPM-based Single Threats Models
[Figure: WPM state machines for the single threats. HELLO Flooding (HF): states HF_1 … HF_4, HF_5 RESET, HF_6 SUCCESSFULLY H FLOODING. SINKHOLE (SH): states SH_1, SH_2, SH_3 RESET, SH_4 SUCCESSFULLY SINKHOLE. WORMHOLE (WH): states WH_1 … WH_4, WH_5 RESET, WH_6 SUCCESSFULLY WORMHOLE. States are annotated with observables and with scores 1, 99, -1, -100]

Aggregated Threat Model (I)
[Figure: aggregated WPM state machine with states X_1 … X_8, X_9 RESET and X_10 SUCCESSFULLY THREAT, annotated with observables, scores 1, 99, -1, -100 and alarms Al[sk]]

Security Analysis
[Figure: three plots of score vs observation step (obs 1 … 31), legend ATM and STM, for the observable sequences 8886678555586775 (HF), 21221112112221 (SH) and 312213342342244 (WH)]

Security Analysis
[Figure: two network scenarios with intruder nodes E, labelled (WH) and (SH), each with a plot of score vs observation step (obs 1 … 31)]

Aggregated Threat Model (II)
[Figure: aggregated WPM state machine with states X_1 … X_8, X_9 RESET and X_10 SUCCESSFULLY THREAT, annotated with observables and with scores 10, 990, 991, -10, -1000, -1001; a UPA state is marked]

Cost Analysis
• MICA2: 8-bit processor ATMega128L at 7.4 MHz; assuming 20 clock cycles per arithmetic / logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor PXA271 XScale at 312 / 416 MHz; assuming 5 clock cycles per arithmetic / logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is 3n^2 + n_WML bytes

n_WML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes

AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two nodes, Node (1,1) and Node (2,1), each with TinyOS, Agilla Middleware (Middleware Services: Tuplespace, Neighbor List) and Agents; arrows labelled migrate, clone and remote access; the stack is labelled MA-AEE]
[source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech Report WUCSE-2006-16, 2006]

Enhanced AGILLA MA-AEE
[Figure: layered architecture. Labels: Agent-based Applications (Agent A1, Agent A2, … Agent An); AGILLA MA-AEE; AGILLA services; Tuple space; Local memory; Secure Platform; SW components; Sensor Nodes; Underlying WSN Deployment]

IDS Functions Mapping
[Figure: mapping of the IDS functions onto the IDS Core comp and the IDS MA comp (IRA). Labels: Defense Strategy; Anomaly Detection Logic; Threat Model; Alarm Tracking; Countermeasure Application; Control messages; LCD]
IRA: Intrusion Reaction Agent

IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 … 6), each running AGILLA MA-AEE; labels IRA, IRA clone, Al[s], ok]
This mechanism avoids the injection of new IRA instances from the sink

WINSOME PBD (II)
[Figure: WINSOME architecture diagram. Labels: Monitoring Applications (Integrity Monitoring Agent, IRA, other agents); AGILLA MA-AEE; AGILLA services; Tuple Space; Secure Platform; IDS core comp; Anomaly Detection Logic; Threat Model; TAKS; ARCHEA; NetManager; LCD; Sensor Nodes; Underlying WSN Deployment]

Secure Platform Internal Structure
[Figure: block diagram. Labels: Secure Platform; ADL; TM; IRL; IRLA; NetManager; LCD; Comms; Control Msgs; AGILLA MA-AEE with IRA and Tuple Space; remote AGILLA MA-AEE with IRA and Remote Tuple Space. Signals: ok, Hp_xk, al[sk], cm[s]]

Next steps (near-term)
• Finalization of WINSOME components development
  - ongoing implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis ongoing
• Extensions of WPM-based IDS to data messages
  - ongoing, jointly with UC Berkeley
• Enhancements of the WPM technique to reduce false positives
• Extension of TAKS to cluster keys

Next steps (mid-term)
[Figure: research directions around the WINSOME Project. Labels: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems; Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]

Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008

In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"

Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network

Thank you for your attention

BACKUP SLIDES

Underlying WSN: Physical WSN Deployment
• Metrics
  - Sensor Node Density (SND): defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  - Overlapping Detection Spot Percentage (ODSP): defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  - Minimize SND·ODSP to minimize coverage redundancy for a given SND
  - Minimize SND/ODSP to maximize coverage reliability for a given SND

Underlying WSN: Coverage-cost Quality Indicators
• The minimum of the product SND·ODSP gives the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum of the ratio SND/ODSP gives the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23

Underlying WSN: DCST Deployment
[Figure: DCST over a network of 25 numbered nodes]

Underlying WSN: DCST Self-Organization
[Figures, five slides: successive DCST configurations over the same 25 numbered nodes]

Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

 | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO, down 3 | 0.38 | 0.32 | 0.84
DCST-SO, down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO, down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO, down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO, rearrange 12 | 0.48 | 0.25 | 1.10

TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple whose components ux, uy, uz are elements of GF(q)
• Let f() be a function satisfying the following requirements
  R1: be a one-way function
  R2: must hold for where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements
  R3: be a one-way function
  R4: V(v, v') = 0 only for a particular subset of values v, v' V U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values of q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
const)u(f)u(f)u(f)u(f Uuu

TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a' ∈ A if m ∈ M exists such that m·(a × a') ≠ 0. A and M are secret
b. Let b B GF(q) not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for f(), where m ∈ M satisfies Ass (a) and k ∈ GF(q) is an arbitrary constant. The definition of f() is compliant with R1 and R2 because
for where (hereafter omitted) is the mod q product
e. Let kl, k'l ∈ KL ⊂ U (private) and kt, k't ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that for the generic kt ∈ KT it is t·kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk

TAK Generation Theorem
[Figure: nodes ni and nj exchange kti and ktj and combine them with their local kli and klj to obtain TAK = TAKi = TAKj, for any f() compliant to R2]

TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t·ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t·kti = 0, then node ni is authenticated by node nj (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to one of the logical "planned" neighbors of node i
• TAK authentication needs
  - TrKeyCompj: vector ktj from node nj (the prover)
  - LocPldTopi: vector t for node ni (the verifier)
  - If ktj·ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant with requirements R3 and R4

WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k = 0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the subset of possible (hidden) states associated with the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi)
k-1

WPM-based Threat Model: Algebraic Canonical Form
xk+1 = A xk
ok = B xk
A: the i-th column gives the states reachable from the i-th state
B: the i-th column gives the observables of the i-th state
A = 0110000010010010100100000
B = 100010100000110110100010010001
x0 = 00001
xF = 10000

WPM-based Threat Model: Generation of Hypothetic States Traces
xk = B^T ok
xk+1 = A xk
[Figure: trellis of hypothetic states for the observation sequence o1 = 3, o2 = 1, o3 = 4, o4 = 2, o5 = 5, o6 = 6. From xk = B^T ok: x1 = 4 or 5, x2 = 1 or 5, x3 = 2 or 3, x4 = 3, x5 = 4, x6 = 1 or 5; the columns are linked by xk+1 = A xk; two resulting traces at step 6 are labelled Tr1 and Tr2]

WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined
  - Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops from the final state
  - High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop from the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
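
The trace tracking described on the WPM slides (0-1 reachability, equi-probable state traces, hazard levels, alarm on reaching an HPA state), as an added Python example that is not code from the dissertation or from WINSOME. The 5-state model, the observable numbering, the helper names and the rule that an unexplained observable leaves the traces unchanged are assumptions made for the illustration; scores are left out.

```python
"""Weak Process Model (WPM) trace tracking on a constructed threat model."""
from collections import deque

# Constructed 5-state model (assumption, not one of the slides' models).
STATES = ["IDLE", "PROBE_A", "PROBE_B", "ARMED", "SUCCESS"]
X0, X_FINAL = 0, 4

# MODEL_A[i][j] = 1 if state j is reachable from state i in one step.
MODEL_A = [
    [0, 1, 1, 0, 0],
    [1, 0, 0, 1, 0],
    [1, 0, 0, 1, 0],
    [1, 0, 0, 0, 1],
    [0, 0, 0, 0, 0],
]

# MODEL_B[o][x] = 1 if state x can produce observable o.
MODEL_B = [
    [0, 1, 1, 0, 0],  # o0: ambiguous, explained by PROBE_A or PROBE_B
    [0, 0, 0, 1, 0],  # o1: explained only by ARMED
    [0, 0, 0, 0, 1],  # o2: explained only by SUCCESS
    [1, 0, 0, 0, 0],  # o3: quiet period, explained only by IDLE
]


def hazard_levels(A, final):
    """Label each state from its hop distance to the final state.

    1 hop -> "HPA", 2 or more hops -> "LPA" (the slide's definition taken
    literally), final or unreachable -> None.
    """
    n = len(A)
    dist = [None] * n
    dist[final] = 0
    queue = deque([final])
    while queue:  # breadth-first search backwards from the final state
        j = queue.popleft()
        for i in range(n):
            if A[i][j] and dist[i] is None:
                dist[i] = dist[j] + 1
                queue.append(i)
    return ["HPA" if d == 1 else "LPA" if d and d >= 2 else None for d in dist]


def track(A, B, x0, observations, final, wml=4):
    """Follow every state trace compatible with the observations.

    Unlike Viterbi on an HMM, no trace is preferred: all traces allowed by
    A and B are kept, each truncated to the last `wml` states (WML window).
    Returns (sorted traces, list of steps k at which an alarm is raised).
    """
    levels = hazard_levels(A, final)
    traces = {(x0,)}
    alarms = []
    for k, o in enumerate(observations, start=1):
        # Hypothetic engaged states: states able to produce observable o.
        hp = [x for x, emits in enumerate(B[o]) if emits]
        extended = {
            (tr + (x,))[-wml:]
            for tr in traces
            for x in hp
            if A[tr[-1]][x]
        }
        if not extended:
            continue  # assumption: an unexplained observable changes nothing
        traces = extended
        if any(levels[tr[-1]] == "HPA" for tr in traces):
            alarms.append(k)
    return sorted(traces), alarms


if __name__ == "__main__":
    for name, obs in [("attack", [0, 1]), ("benign", [0, 3, 0, 3])]:
        traces, alarms = track(MODEL_A, MODEL_B, X0, obs, X_FINAL, wml=3)
        readable = [[STATES[x] for x in tr] for tr in traces]
        print(name, "traces:", readable, "alarm steps:", alarms)
```

The ambiguous observable o0 keeps two traces alive, and the alarm fires as soon as either of them can reach the HPA state, without ranking the traces by probability.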

WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then

Threat Score Computation
Hypothetic Free States (Free_xk)
[Figure: observation axis (obs k) with the WML window]
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss

Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1

Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak

Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equation system should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that even capturing all N nodes in the network, the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure

ADL Component
[Figure: block diagram. Labels: ADL; AR; AG; TM; WML; LCD; NetManager; Comms; Tuple Space; Remote Tuple Space; TGMP msgs; ARCHEA msgs. Signals: ok, Hp_xk, al[sk]]

AG sub-Component
[Figure: block diagram. Labels: AG; Trace Estimation; Score Computation; WML; TM; Tuple Space. Signals: Hp_xk, Free_xi (i < k), Free_xk, al[sk]]

TM Component
[Figure: block diagram. Labels: TM (A, B, x0, xF); AR; AG; ADL; Remote Tuple Space. Signals: ok, Hp_xk]

NetManager Component
[Figure: block diagram. Labels: NetManager; TAKS; ARCHEA; AR; LCD; Comms; Tuple Space; TGMP msgs; ARCHEA msgs; RELEASE_ind(ni,CH); TAKgen ok/ko; cm[s]]

TAKS Component
[Figure: block diagram. Labels: TAKS; Network Topology Authentication; Key Generation; TGMP; LCD (klj, ktj, σ(j)); AR; ARCHEA; TinySec (ReplaceKey, RevokeKey); Comms; Tuple Space; TGMP msgs; RELEASE_ind(ni,CH); TAKgen ok/ko; cm[s]]

ARCHEA Component
[Figure: block diagram. Labels: ARCHEA; Route Cost Computation; ARCHEA Manager; AR; TAKS; Comms; ARCHEA msgs; RELEASE_ind(ni,CH)]

TAK Generation Management Protocol (TGMP)
[Figure: message sequence chart between ni (LCDi) and nj (LCDj), steps (1) and (2). Labels: SETUP(kti); SETUP(ktj); tj·ktj = 0; ti·kti = 0; TAKi = f(kli, ktj); TAKj = f(klj, kti); TAK-ciphered link; RELEASE(kti, ktj); RELEASE_ind(ni,CH) (ARCHEA); TinySec ReplaceKey(TAK); TinySec RevokeKey(TAK)]

ARCHEA Protocol
[Figure: message sequence chart among ni (LCDi), nj (LCDj) and nl, steps (1) and (2). Labels: EVALUATE_RC(hi, σi) with σi = AN[σ(ni)]; ni = CH = min RCi; UDPATE_H(hj); UDPATE_H(hl); RESET_H; hj = hl + 1; RELEASE_ind(ni,CH) (TAKS); TAK-ciphered link]
Doctorate Dissertation LrsquoAquila March 31st 2009
10
Underlying WSNPhysical WSN Deployment
Q Given a set of Sensor Nodes find the class of WSN physical deployments (geometrical nodes distributions) compliant to coverage (redundancy vs reliability) and resource requirements
Coverage-Cost Quality IndicatorsConditions for lossless lossy
detection
Min Redundancy Configuration Fundamental
cell
3r
r
Fundamentalcell
r
Max Reliability Configuration
A
Doctorate Dissertation LrsquoAquila March 31st 2009
11
Underlying WSNLogical WSN Deployment (Network
Topology)bull Dynamic Clustered Spanning Tree (DCST) It represents a design
assumption motivated byndash Cluster Heads (CHs) assigned on-demand (by a Cost Function)ndash Support to ldquodata centricrdquo applications (functions rarr data)ndash ldquoTable-lessrdquo routing protocolsndash Support to data aggregation fusion (at CHs)ndash Support the mobile agent propagation from CHs to their CMs
CH
CH
BS
CH
CH CH
BS
Doctorate Dissertation LrsquoAquila March 31st 2009
12
Underlying WSNPlanned Network Topology
bull Planned Network Topology (PNT graph) Defines the graph including the sub-set of DCSTs compliant to the specific constraints defined by the Planner (rarr admissible DCSTs)
ndash Each node knows its admissible neighborsbull How many DSCT in a given PNT Kirchhoffrsquos Theorem
N the nodes in the network lt σ gt average neighbors per node
1NN1
4
7 1
23
5
6
N = 7lt σ gt 34 220
σ(1) = 3σ(2) = 3σ(3) = 6σ(4) = 3σ(5) = 3σ(6) = 3σ(7) = 3
236
145
897
N = 9lt σ gt 44 15600
σ(1) = 3σ(2) = 5σ(3) = 8σ(4) = 5σ(5) = 3σ(6) = 5σ(7) = 3σ(8) = 3σ(9) = 5
Doctorate Dissertation LrsquoAquila March 31st 2009
13
WSN Topology Manager(ARCHEA)
A ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices
Q Given a WSN physical deployment and a Planned Network Topology find the class of ldquoshortrdquo and ldquobalancedrdquo admissible DCSTs compliant to resource requirements
Route-Cost Quality Indicators
bull It includes the conditions to preserve spanning trees in WSN [Sec 52]bull It is shown [Sec 54] that the elected CH has minimum Hop Count (hCH) to sink and maximum number of
CM [σ(CH)] respect to the other eligible nodes (rarr balanced cluster sizes)
bull Short and balanced DCST It represents a design assumption motivated byndash Reduced code transmission hops (for mobile agent propagation)ndash Augmented reliability in data aggregation at CHsndash ARCHEA and routing messages can be crypto-secured
Doctorate Dissertation LrsquoAquila March 31st 2009
14
TAKSDriving Ideas amp Tools
Link layer Cryptography provides security against outsider intruders bull TAKS are symmetric pair-wise no pre-distributed (only key
components are pre-distributed)bull TAKS is deterministicbull TAKs are symmetric keys generated using asymmetric mechanisms
(hybrid cryptography)bull Network Topology Authentication as pre-condition for TAK generationbull Cryptographic Entropy per TAK binit 1 bit (for any TAK length)bull Certification Authority is distributed on nodes of the admissible
DCSTsbull Reverse engineering problem more complex than Discrete Logarithm
Problem (DLP)bull Cryptographic information is classified in public restricted
private secretbull Vector algebra on GF(q) with q = 2k and k the TAK length in binit
Doctorate Dissertation LrsquoAquila March 31st 2009
15
TAKSTopology Authentication
bull Network Topology Authentication as pre-condition for TAK generation
bull If the Planner is also Certifierndash Planned Network Topology rarr Certified Network Topologyndash Admissible DCST rarr Authenticated DCST
bull Node in an Authenticated DCST becomes local CA because it knows its admissible neighbors
ndash Centralized CA rarr Distributed CA
TAK can be generated in a node pair only if mutual authentication has been successful therefore the resulting DCST is both admissible and authenticated
TAK Generation
[Figure: TAK generation between nodes ni and nj. The nodes exchange TrKeyCompi and TrKeyCompj. Node ni evaluates V(TrKeyCompj, LocPldTopi) = 0: if YES, node nj is authenticated and Keyi = f(LocKeyCompi, TrKeyCompj) is computed; if NO, the Intrusion Detection System (external server) is involved. Node nj performs the symmetric check V(TrKeyCompi, LocPldTopj) = 0 to authenticate node ni. On success TAK = Keyi = Keyj.]
• TAK Authentication Theorem [Sec 641]
• TAK Generation Theorem [Sec 642]
• f() and V() [Sec 64] are public (Kerckhoffs's principle)
• Local Conf Data [Sec 64]: LocKeyComp (private), TrKeyComp (restricted), LocPldTop (restricted)
Security Analysis
Q: Is TAK a real cryptographic key, i.e. what is the cryptographic entropy per binit associated to TAK?
A: It is shown [Sec 651] that the TAK cryptographic entropy per binit is ≈ 1.
Q: How secure is a single node, i.e. how complex is the inverse problem of breaking the TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec 652] that it is harder than the Discrete Logarithm Problem.
Q: How secure is a network, i.e. how many nodes should be compromised to derive the TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec 653] that the TAKS scheme is N-secure.
Cost Analysis
• MICA2: 8-bit processor ATMega128L, 7.4 MHz; assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor PXA271 XScale, 312/416 MHz; assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is 3(σ + 2) log2 q bits

TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming σ = 4)
128 bit | 1400 | 5 ms | 50 µs | 300 bytes
256 bit | 13000 | 40 ms | 400 µs | 600 bytes
512 bit | 120000 | 370 ms | 3.7 ms | 1200 bytes
1024 bit | 1100000 | 3.2 s | 32 ms | 2400 bytes
Reference IDS Macro-functions
• Intrusion Alarm Generation: issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL): defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA): reacts to intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists, grey lists, …)
[Figure: block diagram with Intrusion Alarm Generation, Intrusion Reaction Logic, Intrusion Reaction Application, Local Conf Data and Control messages]
WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders.
• Incoming message → Anomaly Rules → Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  - Deterministic vs stochastic observable-state relationships
  - "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables → States Traces → Scores → Alarm → Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  - "possible states traces" vs "the most probable states trace" (Viterbi)
  - Possible states traces are equi-probable
• Alarm generation when at least one states trace contains at least one HPA
  - Scores (weights) associated to state traces
WPM-based IDS Micro-functions
[Figure: block diagram with Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Local Conf Data and Control messages]
WPM-based IDS Information Flow
[Figure: the same blocks (Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Local Conf Data, Control messages) annotated with the information exchanged: Signalling IE, xk, ok, Al[sk], cm(s)]
WPM-based Anomaly Detection Model
[Figure: worked example combining the WPM Algebraic Canonical Form, the WPM States Traces over observation steps k = 1 … 6 (observables 3 1 4 2 5 6), and the Score Computation with Score Matrix S, L = 1 and H = 100; LPA and HPA states are marked and the alarms al[01|01] and al[02|00] are shown]
Threats from insider intruders
[Figure: four cluster scenarios with a cluster head CH, a member M, nodes ni and nj and an intruder E: HELLO Flooding (HF), SINKHOLE (SH), inter-cluster WORMHOLE and intra-cluster WORMHOLE (WH) over a low latency link]
Examples of Anomaly Rules
AR1: If ni has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables are produced for a sequence of K observation steps, with K a predefined threshold
…
WPM-based Single Threats Models
[Figure: WPM state diagrams of the three single threat models: HELLO Flooding (HF), with states HF_1 … HF_6 where HF_5 is RESET and HF_6 is SUCCESSFULLY HELLO FLOODING; SINKHOLE (SH), with states SH_1 … SH_4 where SH_3 is RESET and SH_4 is SUCCESSFULLY SINKHOLE; WORMHOLE (WH), with states WH_1 … WH_6 where WH_5 is RESET and WH_6 is SUCCESSFULLY WORMHOLE. States are labelled with their observables and scores]
Aggregated Threat Model (I)
[Figure: WPM state diagram of the aggregated threat model with states X_1 … X_10, where X_9 is RESET and X_10 is SUCCESSFULLY THREAT; states are labelled with their observables and scores, and alarms Al[sk] are issued]
Security Analysis
[Figure: score versus observation step (obs 1 … 31) for the HF, SH and WH threats, with ATM and STM curves. Observables sequences: 8886678555586775 (HF), 21221112112221 (SH), 312213342342244 (WH)]
Security Analysis
[Figure: two network scenarios with intruder E and the corresponding plots of score versus observation step (obs 1 … 31), annotated with (WH) and (SH)]
Aggregated Threat Model (II)
[Figure: WPM state diagram of the aggregated threat model with states X_1 … X_10, where X_9 is RESET and X_10 is SUCCESSFULLY THREAT, with a UPA state marked]
Cost Analysis
• MICA2: 8-bit processor ATMega128L, 7.4 MHz; assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor PXA271 XScale, 312/416 MHz; assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is nWML + 3n^2 bytes

nWML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two TinyOS nodes, each running the Agilla Middleware (Tuplespace, Neighbor List, Middleware Services) and Agents; agents migrate and clone between the nodes and access the remote tuple space. This stack is the MA-AEE]
[source: Fok C-L et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Figure: layered architecture, bottom to top: Underlying WSN Deployment (Sensor Nodes), Secure Platform (SW components), AGILLA MA-AEE (AGILLA services, Tuple space, Local memory), Agent-based Applications (Agents A1, A2, … An)]
IDS Functions Mapping
[Figure: the IDS functions (Defense Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, LCD, Control messages) mapped onto the IDS Core component and the IDS MA component, the Intrusion Reaction Agent (IRA)]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 … 6), each running AGILLA MA-AEE; the IRA is cloned from node to node while Al[s] and ok are exchanged between the nodes]
This mechanism avoids the injection of new IRA instances from the sink.
WINSOME PBD (II)
[Figure: layered architecture: Underlying WSN Deployment (Sensor Nodes); Secure Platform (TAKS, ARCHEA, NetManager, LCD and the IDS core components Anomaly Detection Logic and Threat Model); AGILLA MA-AEE (AGILLA services, Tuple Space); Monitoring Applications (IRA, Integrity Monitoring Agent, other agents)]
Secure Platform internal Structure
[Figure: internal blocks of the Secure Platform (Comms, NetManager, Control Msgs, ADL, TM, IRL, IRLA, LCD) and their links to the IRA in AGILLA MA-AEE through the local and remote Tuple Space; the exchanged items are ok, Hp_xk, al[sk] and cm[s]]
Next steps (near-term)
• Finalization of WINSOME components development
  - on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  - on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: research directions around the WINSOME Project: Anomaly Detection applied to sensed data; Agent-based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention

BACKUP SLIDES

Underlying WSN: Physical WSN Deployment
• Metrics
  - Sensor Node Density (SND): defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  - Overlapping Detection Spot Percentage (ODSP): defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  - Minimize SND·ODSP to minimize coverage redundancy for a given SND
  - Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
Underlying WSN: DCST Deployment
[Figure: DCST deployed over a network of 25 numbered nodes]
Underlying WSN: DCST Self-Organization
[Figure sequence over five slides: successive self-organization steps of the DCST over the same numbered nodes]
Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

Configuration | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO: down 3 | 0.38 | 0.32 | 0.84
DCST-SO: down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO: down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO: down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO: rearrange 12 | 0.48 | 0.25 | 1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any u U is a 3-ple where ux, uy, uz are elements in GF(q)
• Let a function satisfying the following requirements:
  R1: be a one-way function
  R2: must hold for where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: be a one-way function
  R4: V(v, v') = 0 only for a particular sub-set of values v, v' V U
The explicit expressions for and are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
TAKS Definitions (2/2): Local Configuration Data
a. Let A U, M U. Elements in A are defined as follows: a, a' A if m M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b B GF(q) not a generator) in B. B is secret
c. Let c C U. C is secret
d. Let the explicit expression for where m M satisfied Ass (a) and k GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e. Let kl, k'l KL U (private) and kt, k't KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t T U (restricted) be the LocPldTop such that for the generic kt KT is t·kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t σ(i) exists such that g(t, ktj) = t·ktj = 0, then node nj is authenticated by node ni. Vice versa, if t σ(j) exists such that g(t, kti) = t·kti = 0, then node ni is authenticated by node nj (mutual authentication).
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor of node i
• TAK authentication needs
  - TrKeyCompj: vector ktj from node nj (the prover)
  - LocPldTopi: vector t for node ni (the verifier)
  - If ktj·ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
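The verification g(t, kt) = t·kt = 0 described above, as an added Python example that is not the dissertation's or WINSOME's code. It assumes a toy field GF(2^8) with the AES reduction polynomial, and the planner-side helper `topology_vector` is hypothetical (the page does not give the explicit expressions for kt or t); key derivation with f() is left out.

```python
"""Topology authentication check t . kt = 0 over GF(2^k) (added illustration).

Assumptions, not taken from the slides: k = 8 with the AES reduction
polynomial, and the planner-side construction of t in topology_vector().
"""
K = 8
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)


def gf_mul(a, b):
    """Multiply two field elements (carry-less product reduced mod POLY)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> K:
            a ^= POLY
    return result


def gf_inv(a):
    """Inverse computed as a^(q-2); zero has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(q)")
    result, base, exp = 1, a, (1 << K) - 2
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def dot(u, v):
    """Scalar product of 3-component vectors; addition in GF(2^k) is XOR."""
    acc = 0
    for a, b in zip(u, v):
        acc ^= gf_mul(a, b)
    return acc


def topology_vector(kt, a, b):
    """Hypothetical planner step: choose t = (a, b, c) so that t . kt = 0."""
    x, y, z = kt
    if z == 0:
        raise ValueError("this construction needs kt[2] != 0")
    c = gf_mul(gf_mul(a, x) ^ gf_mul(b, y), gf_inv(z))
    return (a, b, c)


def authenticates(loc_pld_top, tr_key_comp):
    """Verifier side: accept the prover if a non-zero planned t is orthogonal to its kt."""
    return any(any(t) and dot(t, tr_key_comp) == 0 for t in loc_pld_top)


def mutual_authentication(node_i, node_j):
    """Both directions must succeed before any key is derived."""
    return (authenticates(node_i["LocPldTop"], node_j["TrKeyComp"])
            and authenticates(node_j["LocPldTop"], node_i["TrKeyComp"]))


# Constructed sample data: two planned neighbours and one unplanned node.
KT_I = (0x1D, 0x9A, 0x3C)
KT_J = (0x53, 0xCA, 0x07)
KT_E = (0x53, 0xCA, 0x08)  # differs from KT_J in one component
NODE_I = {"TrKeyComp": KT_I, "LocPldTop": [topology_vector(KT_J, 0x11, 0x22)]}
NODE_J = {"TrKeyComp": KT_J, "LocPldTop": [topology_vector(KT_I, 0x07, 0x31)]}
NODE_E = {"TrKeyComp": KT_E, "LocPldTop": [topology_vector(KT_I, 0x07, 0x31)]}

if __name__ == "__main__":
    print("ni <-> nj:", mutual_authentication(NODE_I, NODE_J))
    print("ni <-> nE:", mutual_authentication(NODE_I, NODE_E))
```

In this toy field a random kt is orthogonal to a given non-zero t with probability 1/q = 1/256; with q = 2^k and k the TAK length, as on the page, that chance becomes negligible.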
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi X, with x0 (k = 0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = i=1…k-1 (xk A · Free_xi)
WPM-based Threat Model: Algebraic Canonical Form

x_{k+1} = A x_k
o_k = B x_k

A =
0 1 1 0 0
0 0 0 1 0
0 1 0 0 1
0 1 0 0 1
0 0 0 0 0
(the i-th column gives the states reachable from the i-th state)

B =
1 0 0 0 1
0 1 0 0 0
0 0 1 1 0
1 1 0 1 0
0 0 1 0 0
1 0 0 0 1
(the i-th column gives the observables of the i-th state)

x0 = (0 0 0 0 1)^T
xF = (1 0 0 0 0)^T
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: trellis of hypothetic states over six observation steps with observables o1 = 3, o2 = 1, o3 = 4, o4 = 2, o5 = 5, o6 = 6. At each step the candidate states are obtained from the observable as x_k = B^T o_k and propagated as x_{k+1} = A x_k; two hypothetic states traces, Tr1 and Tr2, result at step 6]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
  - Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops from the final state
  - High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop from the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
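The WPM definitions above (0/1 matrices A and B, Hp_xk = B^T ok, LPA/HPA hazard levels, alarm when a states trace reaches an HPA state) exercised on a small model. This Python code is an added example, not code from the dissertation or WINSOME; the five-state model, the observable numbering, the row convention A[i][j] = 1 for a move from state i to state j, and the use of WML as an observation window are assumptions made for the illustration.

```python
"""Weak Process Model tracking on a constructed model (added illustration)."""
from collections import deque

# Constructed 5-state model. Assumed convention: A[i][j] = 1 means state i can
# move to state j; B[o][x] = 1 means state x can emit observable o (B is q x n).
A = [
    [0, 1, 1, 0, 0],  # x0 (initial) -> x1, x2
    [0, 0, 0, 1, 0],  # x1 -> x3
    [0, 0, 1, 1, 0],  # x2 -> x2, x3
    [0, 0, 0, 0, 1],  # x3 -> x4
    [0, 0, 0, 0, 0],  # x4 (final) has no successors
]
B = [
    [0, 1, 1, 0, 0],  # o0: emitted by x1 or x2 (ambiguous)
    [0, 0, 1, 1, 0],  # o1: emitted by x2 or x3 (ambiguous)
    [0, 0, 0, 0, 1],  # o2: emitted by x4
    [1, 0, 0, 0, 0],  # o3: emitted by x0
]
FINAL = 4


def hypothetic_states(B, obs):
    """Hp_x_k = B^T o_k; with a one-hot o_k this is row `obs` of B."""
    return {x for x, bit in enumerate(B[obs]) if bit}


def hops_to_final(A, final):
    """Breadth-first search on reversed edges: minimum hops from each state to the final state."""
    dist = {final: 0}
    queue = deque([final])
    while queue:
        j = queue.popleft()
        for i in range(len(A)):
            if A[i][j] and i not in dist:
                dist[i] = dist[j] + 1
                queue.append(i)
    return dist


def hazard_levels(A, final):
    """HPA: 1 hop from the final state. LPA: at least 2 hops. Final/unreachable: unlabelled."""
    levels = {}
    for state, hops in hops_to_final(A, final).items():
        if hops == 1:
            levels[state] = "HPA"
        elif hops >= 2:
            levels[state] = "LPA"
    return levels


def state_traces(A, B, observations, wml):
    """All state sequences consistent with the last `wml` observables (all equally possible)."""
    if wml < 1:
        raise ValueError("wml must be at least 1")
    window = observations[-wml:]
    if not window:
        return []
    traces = [(x,) for x in sorted(hypothetic_states(B, window[0]))]
    for obs in window[1:]:
        candidates = sorted(hypothetic_states(B, obs))
        # Keep only extensions allowed by the 0/1 reachability rule in A.
        traces = [t + (x,) for t in traces for x in candidates if A[t[-1]][x]]
    return traces


def alarming_traces(A, B, final, observations, wml):
    """Traces that contain at least one HPA state; a non-empty result raises the alarm."""
    levels = hazard_levels(A, final)
    return [t for t in state_traces(A, B, observations, wml)
            if any(levels.get(x) == "HPA" for x in t)]


if __name__ == "__main__":
    for seq in ([0, 0], [0, 1], [3, 0, 1, 2]):
        print(seq, state_traces(A, B, seq, wml=4), alarming_traces(A, B, FINAL, seq, wml=4))
```

The sequence [0, 1] yields three equally possible traces, two of which pass through the HPA state, so the alarm is raised even though one benign-looking trace remains.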
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem, DLP).
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equations system should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network:
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that even capturing all N nodes in the network the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
ADL Component
[Figure: ADL component with its AR, AG and TM blocks, connected to Comms, NetManager, LCD, Tuple Space and Remote Tuple Space; labels: TGMP msgs, ARCHEA msgs, ok, Hp_xk, WML, al[sk]]
AG sub-Component
[Figure: AG sub-component with Trace Estimation and Score Computation blocks, connected to TM and Tuple Space; labels: Hp_xk, Free_xi<k, Free_xk, WML, al[sk]]
TM Component
[Figure: TM component holding (A, B, x0, xF), connected to AR, AG and Remote Tuple Space within ADL; labels: ok, Hp_xk]
NetManager Component
[Figure: NetManager component with AR, TAKS and ARCHEA blocks, connected to Comms, LCD and Tuple Space; labels: TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen ok/ko]
TAKS Component
[Figure: TAKS component with Network Topology Authentication, Key Generation and TGMP blocks, connected to LCD, AR, ARCHEA, Comms, Tuple Space and TinySec; labels: klj, ktj, σ(j), TAKgen ok/ko, ReplaceKey, RevokeKey, TGMP msgs, RELEASE_ind(niCH), cm[s]]
ARCHEA Component
[Figure: ARCHEA component with ARCHEA Manager and Route Cost Computation blocks, connected to TAKS, AR and Comms; labels: ARCHEA msgs, RELEASE_ind(niCH)]
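TAK Gen Management Prot (TGMP)
[Figure: message sequence between ni (LCDi) and nj (LCDj). (1) The nodes exchange SETUP(kti) and SETUP(ktj); the checks tj·ktj = 0 and ti·kti = 0 are evaluated; the keys TAKi = f(kli, ktj) and TAKj = f(klj, kti) are computed and installed with TinySecReplaceKey(TAK), giving a TAK-ciphered link. (2) RELEASE(kti, ktj) is exchanged, RELEASE_ind(niCH) is sent to ARCHEA and the key is removed with TinySecRevokeKey(TAK)]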
ARCHEA Protocol
[Figure: message sequence between nl, ni and nj over TAK-ciphered links. (1) EVALUATE_RC(hi, σi), with σi = AN[σ(ni)] and hi taken from LCDi; ni = CH = min RCi; UDPATE_H(hl), UDPATE_H(hj) and RESET_H messages are exchanged, with hj = hl + 1 stored in LCDj. (2) RELEASE_ind(niCH) from TAKS]
Underlying WSN: Logical WSN Deployment (Network Topology)
• Dynamic Clustered Spanning Tree (DCST): it represents a design assumption motivated by
  - Cluster Heads (CHs) assigned on-demand (by a Cost Function)
  - Support to "data centric" applications (functions → data)
  - "Table-less" routing protocols
  - Support to data aggregation / fusion (at CHs)
  - Support to the mobile agent propagation from CHs to their CMs
[Figure: two clustered spanning trees of CHs rooted at the BS]
Underlying WSN: Planned Network Topology
• Planned Network Topology (PNT graph): defines the graph including the sub-set of DCSTs compliant to the specific constraints defined by the Planner (→ admissible DCSTs)
  - Each node knows its admissible neighbors
• How many DCSTs in a given PNT? Kirchhoff's Theorem: <σ>^(N-1) / N, with N the nodes in the network and <σ> the average neighbors per node
[Figure: two example PNT graphs]
  - N = 7, <σ> ≈ 3.4: about 220 DCSTs; σ(1) = 3, σ(2) = 3, σ(3) = 6, σ(4) = 3, σ(5) = 3, σ(6) = 3, σ(7) = 3
  - N = 9, <σ> ≈ 4.4: about 15600 DCSTs; σ(1) = 3, σ(2) = 5, σ(3) = 8, σ(4) = 5, σ(5) = 3, σ(6) = 5, σ(7) = 3, σ(8) = 3, σ(9) = 5
WSN Topology Manager (ARCHEA)
Q: Given a WSN physical deployment and a Planned Network Topology, find the class of "short" and "balanced" admissible DCSTs compliant to resource requirements
A: ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices
Route-Cost Quality Indicators
• It includes the conditions to preserve spanning trees in WSN [Sec 52]
• It is shown [Sec 54] that the elected CH has minimum Hop Count (hCH) to sink and maximum number of CM [σ(CH)] with respect to the other eligible nodes (→ balanced cluster sizes)
• Short and balanced DCST: it represents a design assumption motivated by
  - Reduced code transmission hops (for mobile agent propagation)
  - Augmented reliability in data aggregation at CHs
  - ARCHEA and routing messages can be crypto-secured
Doctorate Dissertation LrsquoAquila March 31st 2009
14
TAKSDriving Ideas amp Tools
Link layer Cryptography provides security against outsider intruders bull TAKS are symmetric pair-wise no pre-distributed (only key
components are pre-distributed)bull TAKS is deterministicbull TAKs are symmetric keys generated using asymmetric mechanisms
(hybrid cryptography)bull Network Topology Authentication as pre-condition for TAK generationbull Cryptographic Entropy per TAK binit 1 bit (for any TAK length)bull Certification Authority is distributed on nodes of the admissible
DCSTsbull Reverse engineering problem more complex than Discrete Logarithm
Problem (DLP)bull Cryptographic information is classified in public restricted
private secretbull Vector algebra on GF(q) with q = 2k and k the TAK length in binit
Doctorate Dissertation LrsquoAquila March 31st 2009
15
TAKSTopology Authentication
bull Network Topology Authentication as pre-condition for TAK generation
bull If the Planner is also Certifierndash Planned Network Topology rarr Certified Network Topologyndash Admissible DCST rarr Authenticated DCST
bull Node in an Authenticated DCST becomes local CA because it knows its admissible neighbors
ndash Centralized CA rarr Distributed CA
TAK can be generated in a node pair only if mutual authentication has been successful therefore the resulting DCST is both admissible and authenticated
Doctorate Dissertation LrsquoAquila March 31st 2009
16TAK = Keyi = Keyi
ni nj
TrKeyCompi
TrKeyCompj
TrKeyCompi
Node nj is authenticated
LocPldTopi
V(TrKey Compj LocPldTopi = 0
YESKeyi = f (LocKey Compi TrKey Compj)
YESKeyj = f (LocKeyCompi TrKeyCompj)
Node ni is authenticatedV(TrKeyCompi LocPldTopj = 0
external server
IntrusionDetectionSystem
NO
NO
LocKeyCompiTrKeyCompjLocPldTopj
LocKeyCompj
TAK = Keyi = Keyi
ni nj
TrKeyCompi
TrKeyCompj
TrKeyCompi
Node nj is authenticated
LocPldTopi
V(TrKey Compj LocPldTopi = 0
YESKeyi = f (LocKey Compi TrKey Compj)
YESKeyj = f (LocKeyCompi TrKeyCompj)
Node ni is authenticatedV(TrKeyCompi LocPldTopj = 0
external server
IntrusionDetectionSystem
NO
NO
LocKeyCompiTrKeyCompjLocPldTopj
LocKeyCompj
TAK Generation
TAK Authentication Theorem [Sec 641]
TAK Generation Theorem [Sec 642]
f() and V() [Sec 64]are public (Kerchoffrsquos principle)
privaterestrictedrestricted
Local Conf Data [Sec 64]
Doctorate Dissertation LrsquoAquila March 31st 2009
17
Security AnalysisQ Is TAK a real cryptographic key Ie which is the cryptographic entropy per binit associated to TAKA It is shown [Sec 651] that TAK Cryptographic Entropy per binit is asymp 1
Q How much a single node is secure Ie how much complex is the inverse problem to break TAK Generators from the cryptographic information available on a single node (security level in a single node) A It is shown [Sec 652] that is harder than Discrete Logarithm Problem
Q How much a network is secure Ie how many nodes should be compromised to derive TAK Generators from the cryptographic information available on the network (security level in the network)A It is shown [Sec 653] that TAKS scheme is N-secure
Doctorate Dissertation LrsquoAquila March 31st 2009
18
Cost Analysisbull MICA2 8-bit processor ATMega128L 74 MHz assuming 20 clock
cycles per arithmetic logic operation the average computation time per 32-bit operation is 3 s
bull IMOTE 32-bit processor PXA271Xscale 312 416 MHz assuming 5 clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
bull Memory usage is bitsqlog)2(3 2
TAK length
Number of 32-bit
operations
Estimated computation
time (assuming
MICA2 motes)
Estimated computation
time (assuming
IMOTE motes)
Estimated memory usage
(assuming 4 )
128 bit 1400 5 ms 50 s 300 bytes 256 bit 13000 40 ms 400 s 600 bytes 512 bit 120000 370 ms 37 ms 1200 bytes
1024 bit 1100000 32 s 32 ms 2400 bytes
Doctorate Dissertation LrsquoAquila March 31st 2009
19
bull Intrusion Alarm Generation issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
bull Intrusion Reaction Logic (IRL) defines the defence strategy (schedule of interventions) and tracks correlated alarms
bull Intrusion Reaction Logic Application (IRLA) reacts to intrusion by applying the suited countermeasures (link release putting compromised nodes in quarantine distributing black lists grey lists hellip)
Reference IDS Macro-functions
IntrusionAlarm
GenerationLocal
Conf DataIntrusionReaction
Logic
IntrusionReaction
Application
Controlmessages
WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message → Anomaly Rules → Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – Deterministic vs stochastic observable-state relationships
  – "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables → States Traces → Scores → Alarm → Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – "possible states traces" vs "the most probable states trace" (Viterbi)
  – Possible states traces are equi-probable
• Alarm generation when at least one states trace contains at least one HPA
  – Scores (weights) associated to state traces
WPM-based IDS Micro-functions
[Figure: Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking and Countermeasure Application blocks, with Local Conf Data and Control messages]
WPM-based IDS Information Flow
[Figure: Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking and Countermeasure Application blocks with Local Conf Data, annotated with the exchanged items: Signalling IE, xk, ok, Al[sk], cm(s) and Control messages]
WPM-based Anomaly Detection Model
[Figure: WPM Algebraic Canonical Form, WPM States Traces for k = 1 … 6 with observable sequence o6 = 3 1 4 2 5 6, Score Matrix S and Score Computation with L = 1 and H = 100, LPA and HPA states, alarms al[01|01] and al[02|00]]
Threats from insider intruders
[Figure: four scenarios among cluster head CH, cluster member M, nodes ni and nj and node E, one of them with a low latency link: HELLO Flooding (HF), SINKHOLE (SH), inter-cluster WORMHOLE and intra-cluster WORMHOLE (WH)]
Examples of Anomaly Rules
AR1: If ni has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive) then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M) then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables occur for a sequence of K observation steps, with K a predefined threshold
…
WPM-based Single Threats Models
[Figure: one WPM state machine per threat, with states labelled by observables and scores. HELLO Flooding (HF): states HF_1 to HF_6, with HF_5 RESET and HF_6 SUCCESSFULLY H FLOODING. SINKHOLE (SH): states SH_1 to SH_4, with SH_3 RESET and SH_4 SUCCESSFULLY SINKHOLE. WORMHOLE (WH): states WH_1 to WH_6, with WH_5 RESET and WH_6 SUCCESSFULLY WORMHOLE]
Aggregated Threat Model (I)
[Figure: aggregated WPM state machine with states X_1 to X_10, where X_9 is RESET and X_10 is SUCCESSFULLY THREAT, with alarms Al[sk]]
Security Analysis
[Figure: score versus observation step (obs 1 to 31), comparing ATM and STM, for three observable sequences: 8886678555586775 (HF), 21221112112221 (SH) and 312213342342244 (WH)]
Security Analysis
[Figure: two network scenarios involving node E, each with a plot of score versus observation step (obs 1 to 31); panels labelled (WH) and (SH)]
Aggregated Threat Model (II)
[Figure: aggregated WPM state machine with states X_1 to X_10, where X_9 is RESET and X_10 is SUCCESSFULLY THREAT, with an UPA state marked]
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE (32-bit processor PXA271 XScale, 312 416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is n·WML + 3n^2 bytes
n·WML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two TinyOS nodes, Node (1,1) and Node (2,1), each with Agilla Middleware, Tuplespace, Neighbor List, Middleware Services and Agents; agents migrate and clone between the nodes, with remote access to the tuple space (MA-AEE)]
[source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech. Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Figure: layers Underlying WSN Deployment (Sensor Nodes), Secure Platform, AGILLA MA-AEE and Agent-based Applications, with SW components, Agents A1, A2, … An, Local memory, AGILLA services and Tuple space]
IDS Functions Mapping
[Figure: mapping of Defense Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Control messages and LCD onto the IDS Core comp and the IDS MA comp; IRA = Intrusion Reaction Agent]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running AGILLA MA-AEE, with IRA and IRA clone instances and the items Al[s] and ok exchanged between nodes]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Figure: Underlying WSN Deployment (Sensor Nodes), Secure Platform, AGILLA MA-AEE, IRA and Monitoring Applications, with the elements Integrity Monitoring Agent, other agents, Anomaly Detection Logic, Threat Model, TAKS, ARCHEA, NetManager, LCD, Tuple Space, AGILLA services and IDS core comp]
Secure Platform internal Structure
[Figure: Secure Platform elements ADL, TM, IRL, IRLA, LCD, NetManager, Comms and Control Msgs, with the Tuple Space, the Remote Tuple Space and the IRA in AGILLA MA-AEE; exchanged items ok, Hp_xk, al[sk] and cm[s]]
Next steps (near-term)
• Finalization of WINSOME components development
  – on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  – on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: diagram around the WINSOME Project with the items: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
  – Sensor Node Density (SND): It is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  – Overlapping Detection Spot Percentage (ODSP): It is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  – Minimize SND·ODSP to minimize coverage redundancy for a given SND
  – Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
Underlying WSN: DCST Deployment
[Figure: DCST deployed over nodes 1 to 25]
Underlying WSN: DCST Self-Organization
[Figures, five slides: the DCST over nodes 1 to 25 at successive self-organization steps]
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network
Case | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO, down 3 | 0.38 | 0.32 | 0.84
DCST-SO, down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO, down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO, down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO, rearrange 12 | 0.48 | 0.25 | 1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q ≫ N, where N is the total number of nodes in the network, and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-ple whose components ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements
  R1: Be a one-way function
  R2: f(u) ∘ f(u′) = f(u′) ∘ f(u) = const must hold for u, u′ ∈ U, where ∘ is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements
  R3: Be a one-way function
  R4: V(v, v′) = 0 only for a particular sub-set of values v, v′ ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory but, when applied, any reverse engineering technique for TAK becomes harder
TAKS Definitions (2/2): Local Configuration Data
a. Let A and M be sub-sets of U. Elements in A are defined as follows: a, a′ ∈ A if m ∈ M exists such that m·(a × a′) ≠ 0. A and M are secret
b. Let b (not a generator) be in B ⊂ GF(q). B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for f() be f() = k b^(m·()), where m ∈ M satisfies Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
uum2uum2umumumum bkbkkbkbkbkb
for u, u′ ∈ U and k ∈ GF(q), where the operator (hereafter omitted) is the mod q product
e. Let kl, k′l ∈ KL ⊂ U (private) and kt, k′t ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that for the generic kt ∈ KT it is t·kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
TAK Generation Theorem
[Figure: nodes ni and nj exchange kti and ktj; ni computes TAKi from kli and ktj, nj computes TAKj from klj and kti, and TAK = TAKi = TAKj, for any f() compliant to R2. The diagram also shows the sets A, M, B, C with a, m, b, c, k, the quantities s = mf(a) and s′ = mf(a′), and the expressions of kl and kt]
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t·ktj = 0 then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t·kti = 0 then node ni is authenticated by node nj (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs
  – TrKeyCompj: vector ktj from node nj (the prover)
  – LocPldTopi: vector t for node ni (the verifier)
  – If ktj·ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi) k-1
WPM-based Threat Model: Algebraic Canonical Form
x_(k+1) = A x_k
o_k = B x_k
A: 0110000010010010100100000 (the i-th column gives the states reachable from the i-th state)
B: 100010100000110110100010010001 (the i-th column gives the observables of the i-th state)
x0: 00001
xF: 10000
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: generation of hypothetic states traces over six observation steps (o1 = 3, o2 = 1, o3 = 4, o4 = 2, o5 = 5, o6 = 6), alternating x_k = B^T o_k and x_(k+1) = A x_k; resulting traces at step 6: Tr1 = 1245 and Tr2 = 1351]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined
  – Low Potential Attack (LPA): An attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  – High Potential Attack (HPA): An attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
[Figure: Hypothetic Free States (Free_xk) versus observation step k (kobs), with the WML window]
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
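The detection logic of the WPM slides above (hypothetic engaged states from B^T ok, 0-1 reachability through A, LPA/HPA classification by hops to the final state, scores from L and H), as an added Python example that is not code from the dissertation. The 5-state model, the function names and the rule that a trace is extended only to successors consistent with the next observable are assumptions of this example; the slides' WML window and Free_x bookkeeping are left out.

```python
from collections import deque

# Constructed 5-state / 4-observable model (assumption: NOT the slides' matrices).
# Slide convention: column i of A marks the states reachable from state i,
# column i of B marks the observables that state i can emit. Entries are 0/1.
A = [
    [0, 0, 0, 0, 0],
    [1, 0, 1, 0, 0],
    [1, 0, 1, 0, 0],
    [0, 1, 0, 0, 0],
    [0, 0, 0, 1, 0],
]
B = [
    [0, 1, 1, 0, 0],  # o0 is ambiguous: emitted by state 1 or state 2
    [0, 0, 1, 0, 0],  # o1
    [0, 0, 0, 1, 0],  # o2
    [0, 0, 0, 0, 1],  # o3
]
X0, XF = 0, 4   # initial state and final ("threat successful") state
L, H = 1, 100   # LPA and HPA weights (L = 1, H = 100 as on the score slide)
N = len(A)


def successors(i):
    """States reachable in one step from state i (column i of A)."""
    return [j for j in range(N) if A[j][i]]


def hp_states(o):
    """Hypothetic engaged states for observable o: the support of B^T o."""
    return {i for i in range(N) if B[o][i]}


def hops_to_final():
    """Shortest hop count from each state to XF, by reverse BFS over A."""
    dist = {XF: 0}
    queue = deque([XF])
    while queue:
        j = queue.popleft()
        for i in range(N):
            if A[j][i] and i not in dist:  # i -> j is a transition
                dist[i] = dist[j] + 1
                queue.append(i)
    return dist


HOPS = hops_to_final()


def hazard(state):
    """HPA: 1 hop to the final state; LPA: at least 2 hops; else None."""
    hops = HOPS.get(state)
    if hops == 1:
        return "HPA"
    if hops is not None and hops >= 2:
        return "LPA"
    return None


def state_traces(observables):
    """All state traces consistent with the observables (no probabilities)."""
    traces = [[]]
    for o in observables:
        allowed = hp_states(o)
        extended = []
        for trace in traces:
            last = trace[-1] if trace else X0
            extended += [trace + [j] for j in successors(last) if j in allowed]
        traces = extended
    return traces


def score(trace):
    """n_hpa * H + n_lpa * L over the states of one trace."""
    weights = {"HPA": H, "LPA": L}
    return sum(weights.get(hazard(s), 0) for s in trace)


def detect(observables):
    """Alarm when at least one possible trace contains at least one HPA state."""
    traces = state_traces(observables)
    alarm = any(hazard(s) == "HPA" for t in traces for s in t)
    return {"traces": traces, "scores": [score(t) for t in traces], "alarm": alarm}


if __name__ == "__main__":
    for obs in ([0], [0, 1], [0, 0, 2], [2]):  # constructed observable sequences
        print(obs, detect(obs))
```

Unlike a Viterbi decoder, the ambiguous observable o0 keeps both candidate traces alive until a later observable rules one out, and an observable sequence that fits no path of the model leaves no trace at all.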
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equations system should be solved for a, m, c, b, which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that even capturing all N nodes in the network the attacker gets ~ q^4 – Nq free solutions for (a, m, c, b), which are still ~ q^4 if N ≪ q
• Thus the scheme is N-secure
ADL Component
[Figure: ADL with its AG and TM parts and the AR, connected to the Tuple Space, Remote Tuple Space, NetManager, Comms and LCD; items shown: WML, ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs]
AG sub-Component
[Figure: Trace Estimation and Score Computation blocks with the TM and the Tuple Space; items shown: Hp_xk, Free_xi<k, Free_xk, WML, al[sk]]
TM Component
[Figure: TM holding (A, B, x0, xF), with AG, AR, ADL and the Remote Tuple Space; items shown: ok, Hp_xk]
NetManager Component
[Figure: NetManager with TAKS, ARCHEA, AR, LCD, Comms and the Tuple Space; items shown: TGMP msgs, ARCHEA msgs, RELEASE_ind(ni, CH), cm[s], TAKgen ok/ko]
TAKS Component
[Figure: TAKS with Network Topology Authentication and Key Generation blocks, TGMP, LCD, ARCHEA, AR, TinySec, Comms and the Tuple Space; items shown: klj, ktj, σ(j), cm[s], TAKgen ok/ko, ReplaceKey, RevokeKey, TGMP msgs, RELEASE_ind(ni, CH)]
ARCHEA Component
[Figure: ARCHEA with Route Cost Computation and ARCHEA Manager blocks, TAKS, AR and Comms; items shown: ARCHEA msgs, RELEASE_ind(ni, CH)]
TAK Gen Management Prot (TGMP)
[Figure: message exchange between ni and nj, with LCDi and LCDj: (1) SETUP(kti) and SETUP(ktj), checks tj·ktj = 0 and ti·kti = 0, TAKi = f(kli, ktj) and TAKj = f(klj, kti), TAK-ciphered link; (2) RELEASE_ind(ni, CH) from ARCHEA, RELEASE(kti, ktj), TinySec RevokeKey(TAK) and TinySec ReplaceKey(TAK)]
ARCHEA Protocol
[Figure: message exchange among ni, nj and nl over the TAK-ciphered link, with LCDi (hi) and LCDj (hj): (1) EVALUATE_RC(hi, σi) with σi = AN[σ(ni)], ni = CH = min RCi, UDPATE_H(hj), UDPATE_H(hl) and RESET_H messages, hj = hl+1; (2) RELEASE_ind(ni, CH) to TAKS]
Underlying WSN: Planned Network Topology
• Planned Network Topology (PNT graph): Defines the graph including the sub-set of DCSTs compliant to the specific constraints defined by the Planner (→ admissible DCSTs)
  – Each node knows its admissible neighbors
• How many DCSTs in a given PNT? Kirchhoff's Theorem
  N: the nodes in the network; <σ>: average neighbors per node
1NN1
[Figure: two example PNT graphs. First: N = 7, <σ> of 3.4, 220, with σ(1) = 3, σ(2) = 3, σ(3) = 6, σ(4) = 3, σ(5) = 3, σ(6) = 3, σ(7) = 3. Second: N = 9, <σ> of 4.4, 15600, with σ(1) = 3, σ(2) = 5, σ(3) = 8, σ(4) = 5, σ(5) = 3, σ(6) = 5, σ(7) = 3, σ(8) = 3, σ(9) = 5]
WSN Topology Manager (ARCHEA)
Q: Given a WSN physical deployment and a Planned Network Topology, find the class of "short" and "balanced" admissible DCSTs compliant to resource requirements
A: ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices
Route-Cost Quality Indicators
• It includes the conditions to preserve spanning trees in WSN [Sec 5.2]
• It is shown [Sec 5.4] that the elected CH has minimum Hop Count (hCH) to sink and maximum number of CM [σ(CH)] with respect to the other eligible nodes (→ balanced cluster sizes)
• Short and balanced DCST: It represents a design assumption motivated by
  – Reduced code transmission hops (for mobile agent propagation)
  – Augmented reliability in data aggregation at CHs
  – ARCHEA and routing messages can be crypto-secured
TAKS: Driving Ideas & Tools
Link layer Cryptography provides security against outsider intruders
• TAKs are symmetric, pair-wise, not pre-distributed (only key components are pre-distributed)
• TAKS is deterministic
• TAKs are symmetric keys generated using asymmetric mechanisms (hybrid cryptography)
• Network Topology Authentication as pre-condition for TAK generation
• Cryptographic Entropy per TAK binit ≈ 1 bit (for any TAK length)
• Certification Authority is distributed on nodes of the admissible DCSTs
• Reverse engineering problem more complex than Discrete Logarithm Problem (DLP)
• Cryptographic information is classified in public, restricted, private, secret
• Vector algebra on GF(q) with q = 2^k and k the TAK length in binit
TAKS: Topology Authentication
• Network Topology Authentication as pre-condition for TAK generation
• If the Planner is also Certifier
  – Planned Network Topology → Certified Network Topology
  – Admissible DCST → Authenticated DCST
• Node in an Authenticated DCST becomes local CA because it knows its admissible neighbors
  – Centralized CA → Distributed CA
TAK can be generated in a node pair only if mutual authentication has been successful; therefore the resulting DCST is both admissible and authenticated
TAK Generation
[Figure: TAK generation between ni and nj. The nodes exchange TrKeyCompi and TrKeyCompj. Each node checks V() = 0 on the peer's TrKeyComp and its own LocPldTop: on YES the peer is authenticated and the node computes its key with f() from its own LocKeyComp and the peer's TrKeyComp, giving TAK = Keyi = Keyj; the NO branches involve the Intrusion Detection System and the external server]
TAK Authentication Theorem [Sec 6.4.1]
TAK Generation Theorem [Sec 6.4.2]
f() and V() [Sec 6.4] are public (Kerckhoffs's principle)
Local Conf Data [Sec 6.4]: LocKeyComp (private), TrKeyComp (restricted), LocPldTop (restricted)
Security Analysis
Q: Is TAK a real cryptographic key? I.e., what is the cryptographic entropy per binit associated to TAK?
A: It is shown [Sec 6.5.1] that TAK Cryptographic Entropy per binit is ≈ 1
Q: How secure is a single node? I.e., how complex is the inverse problem of breaking the TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec 6.5.2] that it is harder than the Discrete Logarithm Problem
Q: How secure is a network? I.e., how many nodes should be compromised to derive the TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec 6.5.3] that the TAKS scheme is N-secure
Doctorate Dissertation LrsquoAquila March 31st 2009
18
Cost Analysisbull MICA2 8-bit processor ATMega128L 74 MHz assuming 20 clock
cycles per arithmetic logic operation the average computation time per 32-bit operation is 3 s
bull IMOTE 32-bit processor PXA271Xscale 312 416 MHz assuming 5 clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
bull Memory usage is bitsqlog)2(3 2
TAK length
Number of 32-bit
operations
Estimated computation
time (assuming
MICA2 motes)
Estimated computation
time (assuming
IMOTE motes)
Estimated memory usage
(assuming 4 )
128 bit 1400 5 ms 50 s 300 bytes 256 bit 13000 40 ms 400 s 600 bytes 512 bit 120000 370 ms 37 ms 1200 bytes
1024 bit 1100000 32 s 32 ms 2400 bytes
Doctorate Dissertation LrsquoAquila March 31st 2009
19
bull Intrusion Alarm Generation issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
bull Intrusion Reaction Logic (IRL) defines the defence strategy (schedule of interventions) and tracks correlated alarms
bull Intrusion Reaction Logic Application (IRLA) reacts to intrusion by applying the suited countermeasures (link release putting compromised nodes in quarantine distributing black lists grey lists hellip)
Reference IDS Macro-functions
IntrusionAlarm
GenerationLocal
Conf DataIntrusionReaction
Logic
IntrusionReaction
Application
Controlmessages
Doctorate Dissertation LrsquoAquila March 31st 2009
20
WPM-based IDSDriving Ideas amp Tools
IDS provides security against insider intrudersbull Incoming message Anomaly Rules Observablesbull Behavior is modelled using WPMbull WPM (Weak Process Model) vs HMM (Hidden Markov Model)
ndash Deterministic vs stochastic observable-state relationshipsndash ldquo0-1rdquo reachability rules for observable-state relationships
bull Classification of WPM states according to their topological position within the WPM machine (eg LPA HPA states) and according to the associated ldquothreat observablesrdquo (eg UPA states)
bull Threat Observables States Traces Scores Alarm Countermeasuresbull WPM (Weak Process Model) vs HMM (Hidden Markov Model)
ndash ldquopossible states tracesrdquo vs ldquothe most probable states tracerdquo (Viterbi)
ndash Possible states traces are equi-probablebull Alarm generation when at least a states trace contains at least an HPA
ndash Scores (weights) associated to state traces
Doctorate Dissertation LrsquoAquila March 31st 2009
21
WPM-based IDS Micro-functions
DefenceStrategy
AnomalyDetection
Logic
ThreatModel
AlarmTracking
Countermeasure Application
LocalConf Data
Controlmessages
Doctorate Dissertation LrsquoAquila March 31st 2009
22
WPM-based IDS Information Flow
DefenceStrategy
AnomalyDetection
Logic
ThreatModel
AlarmTracking
Countermeasure Application
LocalConf Data
Signalling IE
xkok
Al[sk]
cm(s)
Controlmessages
Doctorate Dissertation LrsquoAquila March 31st 2009
23
WPM-based Anomaly Detection Model
010010000000990000010009900100000
S
o6 = 3 1 4 2 5 6
al[01|01]
al[02|00]
1100
99
-100
-100
1100
-100
-100
99
-990
L = 1 H = 100
LPA
HPA
Score Matrix SScore Computation
WPM Algebraic Canonical Form
k=1 k=2 k=3 k=4 k=5 k=6
WPM States Traces
Doctorate Dissertation LrsquoAquila March 31st 2009
24
Threats from insider intruders
57CH
M
5 7
E
ni
nj
1
1CH
M
Eni
nj
1
1CH
M
33
Eni
nj
CH
M
1CH3
31
3
E
M
ni
nj nj
1E
ni1
3
low latencylink
HELLO Flooding SINKHOLE
inter-cluster WORMHOLEintra-cluster WORMHOLE
(HF) (SH)
(WH)
Doctorate Dissertation LrsquoAquila March 31st 2009
25
Examples of Anomaly RulesAR1 If nE has authenticated node nE node nE declares hE lt hi with hi ne 0 (in
other words node nE introduces itself as the new CH of ni but the current CH of ni is still alive) then ok = o1
AR2 If ni is CH and (rule AR1 or rule AR2) in nj is true then ok = o2This AR enables the ldquothreat observablesldquo back-propagation
AR3 If ni has authenticated node nE and node nE declares hE hi (in other words node nE introduces itself as a new cluster member M) then ok = o3This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables for a sequence of K observation steps with K a predefined threshold
hellip
Doctorate Dissertation LrsquoAquila March 31st 2009
26
WPM-based Single Threats Models
HELLO Flooding
SINKHOLE
WORMHOLE(HF)
(SH)
(WH)
(9)
HF_5RESET
HF_6SUCCESSFULLYH FLOODING
99
-1
-100
(56)
HF_11
(65)
HF_3
99
-1
-100
(78)
HF_21
(87)
HF_4
(9)
SH_3RESET
SH_4SUCCESSFULLY
SINKHOLE
99
-1
-100
(12)
SH_11
(12)
SH_2
(9)
WH_5RESET
WH_6SUCCESSFULLY
WORMHOLE
99
-1
-100
(12)
WH_11
(34)
WH_3
99
-1
-100
(34)
WH_21
(12)
WH_4
Doctorate Dissertation LrsquoAquila March 31st 2009
27
Al[sk]
Al[sk ]
Al[sk ]Aggregated Threat Model (I)
Al[sk](9)
X_9RESET
X_10SUCCESSFULLY
THREAT
99 99
-1
-100
(12)99
(87)
X_8
(34)
X_3
99
(56)
X_51
(78)
X_61
X_4
(34)
X_21
(65)
X_7
(12)
X_11
99
Doctorate Dissertation LrsquoAquila March 31st 2009
28
8886678555586775
(HF)
21221112112221
(SH)
312213342342244
(WH)
Security Analysis
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(HF)
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
0
100
200
300
400
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(SH)
ATMSTM
Doctorate Dissertation LrsquoAquila March 31st 2009
29
1
3
2
E
E
3 1
4
3
15 0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
Security Analysis
1
3 E
E
3 1
4
3
15
E
21
6
1
0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
(WH)
(WH)
(WH)
(SH)
(SH)
Doctorate Dissertation LrsquoAquila March 31st 2009
30
(9)
X_9RESET
X_10SUCCESSFULLY
THREAT
991 990
-10
-1000
(12)990
(87)
X_8
(34)
X_3
990
(56)
X_510
(78)
X_610
X_4
(34)
X_210
(65)
X_7
(12)
X_110
990
-1001
Aggregated Threat Model (II)
UPA state
Cost Analysis
• MICA2: 8-bit processor ATMega128L (7.4 MHz); assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor PXA271 XScale (312/416 MHz); assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is n_WML + 3n^2 bytes

n_WML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two TinyOS nodes, Node (11) and Node (21), each running the Agilla Middleware with Agents, a Tuplespace, a Neighbor List and Middleware Services; arrows labelled migrate, clone and remote access join the two nodes; the whole is labelled MA-AEE.]
[source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech. Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Figure: layered architecture. Layers: Underlying WSN Deployment (Sensor Nodes), Secure Platform (SW components), AGILLA MA-AEE (AGILLA services, Tuple space, Local memory), Agent-based Applications (Agent A1, Agent A2, Agent An).]

IDS Functions Mapping
[Figure: mapping of the IDS functions onto components. IDS Core comp: Anomaly Detection Logic, Threat Model, LCD, Control messages. IDS MA comp: IRA (Intrusion Reaction Agent), with Defense Strategy, Alarm Tracking and Countermeasure Application.]

IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes, numbered 1 to 6, each running AGILLA MA-AEE; IRA and IRA clone instances propagate forward between nodes while Al[s] and ok propagate back.]
This mechanism avoids the injection of new IRA instances from the sink

WINSOME PBD (II)
[Figure: layered architecture. Layers: Underlying WSN Deployment (Sensor Nodes); Secure Platform (IDS core comp with Anomaly Detection Logic and Threat Model, TAKS, ARCHEA, NetManager, LCD); AGILLA MA-AEE (Tuple Space, AGILLA services); Monitoring Applications (IRA, Integrity Monitoring Agent, other agents).]

Secure Platform internal Structure
[Figure: block diagram of the Secure Platform and AGILLA MA-AEE. Labels: Comms, NetManager, Control Msgs, LCD, ADL, TM, IRL, IRLA, IRA, Tuple Space, Remote Tuple Space, ok, Hp_xk, al[sk], cm[s].]
Next steps (near-term)
• Finalization of WINSOME components development
  – on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  – on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: the WINSOME Project surrounded by related research lines: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies.]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008

In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"

Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network

Thank you for your attention

BACKUP SLIDES
Underlying WSN
Physical WSN Deployment
• Metrics
  – Sensor Node Density (SND): it is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  – Overlapping Detection Spot Percentage (ODSP): it is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  – Minimize SND × ODSP to minimize coverage redundancy for a given SND
  – Minimize SND / ODSP to maximize coverage reliability for a given SND
Underlying WSN
Coverage-cost Quality Indicators
• The minimum for the product SND × ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND / ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

Fundamental Cell | SND | ODSP | SND × ODSP | SND / ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
Underlying WSN
DCST Deployment
[Figure: DCST deployment over a network of 25 nodes, numbered 1 to 25.]

Underlying WSN
DCST Self-Organization
[Figure: five successive slides showing DCST self-organization over the same 25 numbered nodes.]
Underlying WSN
Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

Stage | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO, down 3 | 0.38 | 0.32 | 0.84
DCST-SO, down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO, down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO, down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO, rearrange 12 | 0.48 | 0.25 | 1.10
TAKS Definitions (1/2)
f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
  R1: Be a one-way function
  R2: must hold for where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: Be a one-way function
  R4: V(v, v') = 0 only for a particular sub-set of values v, v' ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
TAKS Definitions (2/2)
Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a' ∈ A if m ∈ M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) (not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for where m ∈ M satisfied Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
   for where (hereafter omitted) is the mod q product
e. Let kl, k'l ∈ KL ⊂ U (private) and kt, k't ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that for the generic kt ∈ KT is t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a), s' = mf(a')
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs:
  – TrKeyCompj vector ktj from node nj (the prover)
  – LocPldTopi vector t for node ni (the verifier)
  – If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model
Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, with xi ∈ X and x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi) k-1
WPM-based Threat Model
Algebraic Canonical Form

xk+1 = A xk
ok = B xk

A =
0 1 1 0 0
0 0 0 1 0
0 1 0 0 1
0 1 0 0 1
0 0 0 0 0
(i-th column gives the states reachable from the i-th state)

B =
1 0 0 0 1
0 1 0 0 0
0 0 1 1 0
1 1 0 1 0
0 0 1 0 0
1 0 0 0 1
(i-th column gives the observables of the i-th state)

x0 = (0 0 0 0 1)^T
xF = (1 0 0 0 0)^T
WPM-based Threat Model
Generation of Hypothetic States Traces
[Figure: step-by-step generation of hypothetic states traces for the observation sequence o1 = 3, o2 = 1, o3 = 4, o4 = 2, o5 = 5, o6 = 6. Each step alternates xk = B^T ok (hypothetic states for the observable) with xk+1 = A xk (propagation to the next step), and the procedure yields two traces, Tr1 and Tr2.]
WPM-based Threat Model
Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
  – Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  – High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
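The trace bookkeeping from the Definitions slide (Hp_xk = B^T ok, propagation through A) and the LPA/HPA hazard levels above can be sketched as follows. This is an added example, not code from the thesis or from WINSOME: the 5-state model is constructed, and the restart on an unexplained observable and the per-step scoring (the slides accumulate scores over a WML-long window) are assumptions.

```python
"""WPM hypothetic-trace tracker: added illustration on a constructed model."""
from collections import deque

# Constructed sample model (NOT the matrices from the slides).
# Column j of A lists the states reachable from state j+1;
# row o of B lists the states that can emit observable o+1.
A = [
    [0, 1, 1, 0, 0],  # state 1 (final) is entered from states 2 and 3
    [0, 0, 0, 1, 0],  # state 2 is entered from state 4
    [0, 0, 0, 0, 1],  # state 3 is entered from state 5
    [0, 0, 0, 0, 1],  # state 4 is entered from state 5
    [0, 0, 0, 0, 0],  # state 5 (initial) has no predecessor
]
B = [
    [0, 0, 1, 1, 0],  # o1 is ambiguous: emitted by states 3 and 4
    [0, 1, 0, 0, 0],  # o2: state 2
    [1, 0, 0, 0, 0],  # o3: state 1
]
X0, XF = 5, 1               # initial and final state
L_SCORE, H_SCORE = 1, 100   # L and H values quoted in the deck


def successors(state):
    """States reachable in one step from `state` (column `state` of A)."""
    return {i + 1 for i, row in enumerate(A) if row[state - 1]}


def hypothetic_states(obs):
    """Hp_x = B^T o: the states compatible with observable `obs`."""
    return {j + 1 for j, bit in enumerate(B[obs - 1]) if bit}


def hops_to_final():
    """Shortest hop count from each state to XF (BFS over reversed edges)."""
    dist = {XF: 0}
    queue = deque([XF])
    while queue:
        target = queue.popleft()
        for src in range(1, len(A) + 1):
            if src not in dist and target in successors(src):
                dist[src] = dist[target] + 1
                queue.append(src)
    return dist


def classify(state, dist):
    """HPA = 1 hop from the final state, LPA = at least 2 hops, else None."""
    hops = dist.get(state)
    if hops == 1:
        return "HPA"
    if hops is not None and hops >= 2:
        return "LPA"
    return None


def track(observations):
    """Return one (step, traces, score, alarm) tuple per observable.

    Every trace consistent with the observables so far is kept; no trace is
    preferred over another (no Viterbi-style "most probable" path).
    """
    dist = hops_to_final()
    traces = [[X0]]
    report = []
    for k, obs in enumerate(observations, start=1):
        hp = hypothetic_states(obs)
        extended = [t + [s] for t in traces
                    for s in sorted(successors(t[-1]) & hp)]
        if not extended:
            # Assumption: an observable no trace explains restarts tracking.
            traces = [[X0]]
            report.append((k, [], 0, False))
            continue
        traces = extended
        kinds = [classify(s, dist) for s in {t[-1] for t in traces}]
        score = kinds.count("LPA") * L_SCORE + kinds.count("HPA") * H_SCORE
        report.append((k, traces, score, "HPA" in kinds))
    return report


if __name__ == "__main__":
    for step in track([1, 2, 3]):
        print(step)
```

With the constructed sequence o1, o2, o3 the ambiguous first observable keeps two traces alive and the second observable discards the one that cannot explain it.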
WPM-based Threat Model
Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
[Figure: observation steps (obs, k) with the Hypothetic Free States (Free_xk) and the WML window.]
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis
Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1

Security Analysis
Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis
Security Level in a network
In case a node has been captured, the following non-algebraic equations system should be solved for a, m, c, b, which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
ADL Component
[Figure: block diagram of the ADL component. Labels: AR, AG, TM, WML, LCD, Tuple Space, Remote Tuple Space, NetManager, Comms, TGMP msgs, ARCHEA msgs, ok, Hp_xk, al[sk].]

AG sub-Component
[Figure: block diagram of the AG sub-component. Labels: Trace Estimation, Score Computation, TM, WML, Tuple Space, Hp_xk, Free_xk, Free_xi<k, al[sk].]

TM Component
[Figure: block diagram of the TM component. Labels: TM (A, B, x0, xF), ok, Hp_xk, AG, AR, ADL, Remote Tuple Space.]

NetManager Component
[Figure: block diagram of the NetManager component. Labels: NetManager, TAKS, ARCHEA, AR, LCD, Comms, Tuple Space, TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen ok/ko.]

TAKS Component
[Figure: block diagram of the TAKS component. Labels: Network Topology Authentication, Key Generation, TGMP, LCD, klj, ktj, σ(j), cm[s], Tuple Space, ARCHEA, AR, TAKgen ok/ko, TinySec ReplaceKey and RevokeKey, Comms, TGMP msgs, RELEASE_ind(niCH).]

ARCHEA Component
[Figure: block diagram of the ARCHEA component. Labels: Route Cost Computation, ARCHEA Manager, TAKS, AR, Comms, ARCHEA msgs, RELEASE_ind(niCH).]
TAK Gen Management Prot (TGMP)
[Figure: message sequence between nodes ni and nj (with LCDi and LCDj). Messages: SETUP(kti), SETUP(ktj), RELEASE(kti ktj), RELEASE_ind(niCH) to ARCHEA. Checks: tj · ktj = 0 and ti · kti = 0. Results: TAK i = f(kli ktj) and TAK j = f(klj kti), giving a TAK-ciphered link. TinySec calls: RevokeKey(TAK), ReplaceKey(TAK).]

ARCHEA Protocol
[Figure: message sequence among nodes ni, nj and nl (with LCDi and LCDj) over TAK-ciphered links. Messages: EVALUATE_RC(hi σi), UDPATE_H(hj), UDPATE_H(hl), RESET_H, RELEASE_ind(niCH) to TAKS. Annotations: ni = CH = min RCi; hj = hl + 1; σi = AN[σ(ni)].]
WSN Topology Manager (ARCHEA)
Q: Given a WSN physical deployment and a Planned Network Topology, find the class of "short" and "balanced" admissible DCSTs compliant to resource requirements
A: ARCHEA defines a Cost Function to elect CHs among a set of eligible nodes such that the resulting DCST is the shortest balanced DCST among the possible choices
Route-Cost Quality Indicators
• It includes the conditions to preserve spanning trees in WSN [Sec 5.2]
• It is shown [Sec 5.4] that the elected CH has minimum Hop Count (hCH) to sink and maximum number of CM [σ(CH)] with respect to the other eligible nodes (→ balanced cluster sizes)
• Short and balanced DCST: it represents a design assumption motivated by
  – Reduced code transmission hops (for mobile agent propagation)
  – Augmented reliability in data aggregation at CHs
  – ARCHEA and routing messages can be crypto-secured
TAKS
Driving Ideas & Tools
Link layer Cryptography provides security against outsider intruders
• TAKs are symmetric, pair-wise, not pre-distributed (only key components are pre-distributed)
• TAKS is deterministic
• TAKs are symmetric keys generated using asymmetric mechanisms (hybrid cryptography)
• Network Topology Authentication as pre-condition for TAK generation
• Cryptographic Entropy per TAK binit ≈ 1 bit (for any TAK length)
• Certification Authority is distributed on nodes of the admissible DCSTs
• Reverse engineering problem more complex than Discrete Logarithm Problem (DLP)
• Cryptographic information is classified in public, restricted, private, secret
• Vector algebra on GF(q) with q = 2^k and k the TAK length in binit
TAKS
Topology Authentication
• Network Topology Authentication as pre-condition for TAK generation
• If the Planner is also Certifier
  – Planned Network Topology → Certified Network Topology
  – Admissible DCST → Authenticated DCST
• A node in an Authenticated DCST becomes a local CA because it knows its admissible neighbors
  – Centralized CA → Distributed CA
TAK can be generated in a node pair only if mutual authentication has been successful; therefore the resulting DCST is both admissible and authenticated
TAK Generation
[Figure: flowchart between nodes ni and nj, which exchange TrKeyCompi and TrKeyCompj. Decision boxes: V(TrKeyCompj, LocPldTopi) = 0 and V(TrKeyCompi, LocPldTopj) = 0. YES outcomes: "Node nj is authenticated" with Keyi = f(LocKeyCompi, TrKeyCompj), and "Node ni is authenticated" with Keyj = f(LocKeyCompi, TrKeyCompj). NO outcomes lead to the Intrusion Detection System (external server). Result: TAK = Keyi = Keyi.]
TAK Authentication Theorem [Sec 6.4.1]
TAK Generation Theorem [Sec 6.4.2]
f() and V() [Sec 6.4] are public (Kerckhoffs's principle)
Local Conf Data [Sec 6.4]: LocKeyComp (private), TrKeyComp (restricted), LocPldTop (restricted)
Security Analysis
Q: Is TAK a real cryptographic key? I.e. which is the cryptographic entropy per binit associated to TAK?
A: It is shown [Sec 6.5.1] that TAK Cryptographic Entropy per binit is ≈ 1
Q: How secure is a single node? I.e. how complex is the inverse problem of breaking the TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec 6.5.2] that it is harder than the Discrete Logarithm Problem
Q: How secure is a network? I.e. how many nodes should be compromised to derive the TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec 6.5.3] that the TAKS scheme is N-secure
Cost Analysis
• MICA2: 8-bit processor ATMega128L (7.4 MHz); assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor PXA271 XScale (312/416 MHz); assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is bitsqlog)2(3 2

TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming 4 )
128 bit | 1400 | 5 ms | 50 µs | 300 bytes
256 bit | 13000 | 40 ms | 400 µs | 600 bytes
512 bit | 120000 | 370 ms | 3.7 ms | 1200 bytes
1024 bit | 1100000 | 3.2 s | 32 ms | 2400 bytes
Reference IDS Macro-functions
• Intrusion Alarm Generation issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL) defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA) reacts to intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists, grey lists, …)
[Figure: block diagram with Intrusion Alarm Generation, Intrusion Reaction Logic, Intrusion Reaction Application, Local Conf Data and Control messages.]
WPM-based IDS
Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message → Anomaly Rules → Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – Deterministic vs stochastic observable-state relationships
  – "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables → States Traces → Scores → Alarm → Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – "possible states traces" vs "the most probable states trace" (Viterbi)
  – Possible states traces are equi-probable
• Alarm generation when at least a states trace contains at least an HPA
  – Scores (weights) associated to state traces
WPM-based IDS Micro-functions
[Figure: block diagram with Anomaly Detection Logic, Threat Model, Alarm Tracking, Defence Strategy, Countermeasure Application, Local Conf Data and Control messages.]

WPM-based IDS Information Flow
[Figure: the same blocks with the information exchanged between them: Signalling IE, ok, xk, Al[sk], cm(s), Control messages.]

WPM-based Anomaly Detection Model
[Figure: worked example combining the WPM Algebraic Canonical Form, the WPM States Traces for steps k=1 to k=6 and the Score Matrix S with its Score Computation, for the observation sequence o6 = 3 1 4 2 5 6, with L = 1, H = 100, LPA and HPA states marked, and alarms al[01|01] and al[02|00].]

Threats from insider intruders
[Figure: four attack scenarios in a clustered network with cluster heads (CH), cluster members (M), nodes ni and nj and a node E: HELLO Flooding (HF), SINKHOLE (SH), inter-cluster WORMHOLE and intra-cluster WORMHOLE (WH); a low latency link is marked.]
Examples of Anomaly Rules
AR1: If nE has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive) then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M) then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables are produced for a sequence of K observation steps, with K a predefined threshold
…
WPM-based Single Threats Models
HELLO Flooding (HF)
SINKHOLE (SH)
WORMHOLE (WH)
[Figure: WPM state diagrams of the three single threat models. States: HF_1 to HF_6, SH_1 to SH_4, WH_1 to WH_6; HF_5, SH_3 and WH_5 are labelled RESET, and HF_6, SH_4 and WH_6 are labelled SUCCESSFULLY with the threat name (H FLOODING, SINKHOLE, WORMHOLE). Edge labels: (9), (56), (65), (78), (87), (12), (34); score values: 99, 1, -1, -100.]
Doctorate Dissertation LrsquoAquila March 31st 2009
27
Al[sk]
Al[sk ]
Al[sk ]Aggregated Threat Model (I)
Al[sk](9)
X_9RESET
X_10SUCCESSFULLY
THREAT
99 99
-1
-100
(12)99
(87)
X_8
(34)
X_3
99
(56)
X_51
(78)
X_61
X_4
(34)
X_21
(65)
X_7
(12)
X_11
99
Doctorate Dissertation LrsquoAquila March 31st 2009
28
8886678555586775
(HF)
21221112112221
(SH)
312213342342244
(WH)
Security Analysis
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(HF)
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
0
100
200
300
400
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(SH)
ATMSTM
Doctorate Dissertation LrsquoAquila March 31st 2009
29
1
3
2
E
E
3 1
4
3
15 0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
Security Analysis
1
3 E
E
3 1
4
3
15
E
21
6
1
0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
(WH)
(WH)
(WH)
(SH)
(SH)
Doctorate Dissertation LrsquoAquila March 31st 2009
30
(9)
X_9RESET
X_10SUCCESSFULLY
THREAT
991 990
-10
-1000
(12)990
(87)
X_8
(34)
X_3
990
(56)
X_510
(78)
X_610
X_4
(34)
X_210
(65)
X_7
(12)
X_110
990
-1001
Aggregated Threat Model (II)
UPA state
Doctorate Dissertation LrsquoAquila March 31st 2009
31
Cost Analysisbull MICA2 8-bit processor ATMega128L 74 MHz) and assuming 20
clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 3 s
bull IMOTE 32-bit processor PXA271Xscale312 416 MHz) and assuming 5 clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
bull Memory usage is bytes2n3WMLn
nWML Number of 32-bit
operations
Estimated computation
time (assuming
MICA2 motes)
Estimated computation
time (assuming
IMOTE motes)
Estimated memory usage
(assuming 10n )
50 30000 100 ms 1 s 350 bytes 100 60000 200 ms 2 s 400 bytes
1000 600000 2 s 20 s 1300 bytes
Doctorate Dissertation LrsquoAquila March 31st 2009
32
AGILLA MA-AEEbull AGILLA is a mobile agent-based MW running on TinyOSbull Inter-agent communication via Tuple Space (rarr threat obs aggregation) bull Agents migrates via MOVE or CLONE (rarr agent propagation across DCST)bull STRONG or WEAK agent migrationbull Neighbor List (rarr admissible neighbors according to PNT graph)
TinyOS
Node (11)
Tuplespace
Agilla Middleware
Agents
TinyOS
Node (21)
Tuplespace
Agilla Middleware
Agentsmigrate
remote accessNeighbor
ListNeighbor
ListMiddleware Services Middleware Services
migrate
clone
MA-
AEE
[source Fok C-L et al ldquoAgilla A Mobile Agent Middleware for Sensor Networksrdquo Tech Report WUCSE-2006-16 2006]
Doctorate Dissertation LrsquoAquila March 31st 2009
33
Enhanced AGILLA MA-AEE
Underlying WSN Deployment
Secure Platform
AGILLA MA-AEE
Agent-based Applications
SWcomponent
SWcomponent
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Agent A1 AgentA2 AgentAn
Localmemory
AGILLAservices
Tuple space
Doctorate Dissertation LrsquoAquila March 31st 2009
34
IDS Functions Mapping
IRA
DefenseStrategy
AnomalyDetection
Logic
AlarmTracking
Countermeasure Application
Controlmessages
ThreatModel
LCD
IDSCore comp IRA
IDSMA comp
Intrusion Reaction Agent
Doctorate Dissertation LrsquoAquila March 31st 2009
35
IRA forward-propagation vs
Threat Observables back-propagation
IRA
Al[s] ok
IRAclone
1AGILLA MA-AEE
4AGILLA MA-AEE
5AGILLA MA-AEE
Al[s] ok
Al[s] ok Al[s] okAl[s] ok
3AGILLA MA-AEE
6AGILLA MA-AEE
2AGILLA MA-AEE
IRAclone
This mechanism avoids the injections of new IRA instances from the sink
Doctorate Dissertation LrsquoAquila March 31st 2009
36
WINSOME PBD (II)
Underlying WSN Deployment
AGILLA MA-AEE
IRAMonitoring Applications
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Integrity Monitoring
Agent
otheragents
AnomalyDetection
LogicThreatModel TAKS ARCHEA
Secure Platform
NetManagerLCDTuple Space
AGILLAservices
IDS core comp
Doctorate Dissertation LrsquoAquila March 31st 2009
37
Secure Platform internal Structure
AGILLA MA-AEEcm[s]
ok
al[sk]
al[sk]
Comms
NetManager
al[sk]
cm[s]
ok
Secure Platform
Control Msgs
Tuple Space
IRA
AGILLA MA-AEE
Remote Tuple Space
IRA
TMok
Hp_xk
ok
ADL
IRLIRLA
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
38
Next steps (near-term)bull Finalization of WINSOME components development
ndash on-going implementations of AGILLA enhancements bull 2 theses finalized 1 thesis in on-going
bull Extensions of WPM-based IDS to data messages ndash on-going jointly with UC Berkeley
bull Enhancements of WPM technique to reduce false positivesbull Extension of TAKS to cluster keys
Doctorate Dissertation LrsquoAquila March 31st 2009
39
Next steps (mid-term)
Anomaly Detectionapplied to sensed
data
Agent basedSW design
Further WPM-based
Threat Modeling
DetectionProcess
Threat Identification Mechanisms
Applications to Hybrid Systems
Control
MonitoringTheory
MWService SupportEnhancement
CooperativeCommunication
s
WINSOME Project
DefenceStrategies
Doctorate Dissertation LrsquoAquila March 31st 2009
40
Scientific Contributions[1]M Pugliese and F Santucci ldquoPair-wise Network Topology Authenticated
Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebrardquo in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08) Atlanta 2008
[2]M Pugliese A Giani and F Santucci ldquoA Weak Process Approach to Anomaly Detection in Wireless Sensor Networksrdquo in 1st International Workshop on Sensor Networks (SN08) Virgin Islands 2008
Doctorate Dissertation LrsquoAquila March 31st 2009
41
In preparationbull M Pugliese A Giani and F Santucci ldquoWeak Process Models for
Attack Detection in a Clustered Sensor Network using Mobile Agentsrdquo submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
bull M Pugliese and F Santucci ldquoA Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
bull M Pugliese L Pomante and F Santucci ldquoAgent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
Doctorate Dissertation LrsquoAquila March 31st 2009
42
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
  - Sensor Node Density (SND): the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  - Overlapping Detection Spot Percentage (ODSP): the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  - Minimize SND·ODSP to minimize coverage redundancy for a given SND
  - Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

Fundamental Cell                  SND    ODSP   SND·ODSP   SND/ODSP
SNs at the centre of hexagon      0.33   0.34   0.11       0.97
SNs at the centre of square       0.33   0.72   0.24       0.46
SNs at the vertices of hexagon    0.36   2.34   0.84       0.15
SNs at the vertices of square     0.36   1.56   0.56       0.23
Underlying WSN: DCST Deployment
[Figure: DCST deployment over nodes numbered 1 to 25]
Underlying WSN: DCST Self-Organization
[Figure sequence over five slides: DCST self-organization steps over nodes numbered 1 to 25]
Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

                              <CH>   <σ>    <h>
DCST-Deployment               0.36   0.33   0.80
DCST-SO  down 3               0.38   0.32   0.84
DCST-SO  down 3-4             0.39   0.31   0.87
DCST-SO  down 3-4-11          0.45   0.26   1.03
DCST-SO  down 3-4-11-8        0.48   0.25   1.17
DCST-SO  rearrange 12         0.48   0.25   1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple, where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
  R1: be a one-way function
  R2: must hold for
      const)u(f)u(f)u(f)u(f Uuu
      where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: be a one-way function
  R4: V(v, v′) = 0 only for a particular sub-set of values v, v′ V U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
TAKS Definitions (2/2): Local Configuration Data
a. Let A U M U. Elements in A are defined as follows: a, a′ A if mM exists such that m(a × a′) ≠ 0. A and M are secret
b. Let b B GF(q) not a generator) in B. B is secret
c. Let c C U. C is secret
d. Let the explicit expression for where mM satisfied Ass (a) and kGF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
   for where (hereafter omitted) is the mod q product
e. Let kl, k′l KL U (private) and kt, k′t KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t T U (restricted) be the LocPldTop such that for the generic kt KT is t•kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs:
  - TrKeyCompj: vector ktj from node nj (the prover)
  - LocPldTopi: vector t for node ni (the verifier)
  - If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1 x2 … xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1 o2 … ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi) k-1
WPM-based Threat Model: Algebraic Canonical Form
x_{k+1} = A x_k
o_k = B x_k

A (i-th column gives the states reachable from the i-th state):
0 0 0 0 0
1 0 0 1 0
1 0 0 1 0
0 1 0 0 0
0 0 1 1 0

B (i-th column gives the observables of the i-th state):
1 0 0 0 1
0 0 1 0 0
0 1 0 1 1
0 1 1 0 0
0 0 0 1 0
1 0 0 0 1

x0 = (1 0 0 0 0)^T
xF = (0 0 0 0 1)^T
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: hypothetic states traces Tr1 and Tr2 built with x_{k+1} = A x_k and x_k = B^T o_k over six observation steps: o1 = 3 (x1 = 4, 5), o2 = 1 (x2 = 1, 5), o3 = 4 (x3 = 2, 3), o4 = 2 (x4 = 3), o5 = 5 (x5 = 4), o6 = 6 (x6 = 1, 5)]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
  - Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  - High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
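The hazard-level rule above, combined with the canonical form x_{k+1} = A x_k, o_k = B x_k, as an added example (not code from the dissertation). It assumes a strict reading in which every observable corresponds to exactly one state transition and leaves out the Free_x and score bookkeeping; A and B are this editor's reading of the flattened matrices on the canonical-form slide, and the observable sequences are constructed.

```python
from collections import deque

# Assumption: A and B as read from the canonical-form slide's digit strings.
# Column i of A marks the states reachable from state i (x_{k+1} = A x_k);
# column i of B marks the observables emitted by state i (o_k = B x_k).
A = [
    [0, 0, 0, 0, 0],
    [1, 0, 0, 1, 0],
    [1, 0, 0, 1, 0],
    [0, 1, 0, 0, 0],
    [0, 0, 1, 1, 0],
]
B = [
    [1, 0, 0, 0, 1],
    [0, 0, 1, 0, 0],
    [0, 1, 0, 1, 1],
    [0, 1, 1, 0, 0],
    [0, 0, 0, 1, 0],
    [1, 0, 0, 0, 1],
]
X0, XF = 1, 5  # initial and final state (1-based), from x0 and xF


def successors(A, state):
    """States reachable in one hop from `state` (column `state` of A)."""
    return {row + 1 for row in range(len(A)) if A[row][state - 1]}


def hypothetic_states(B, obs):
    """Hp_x = B^T o: hidden states that can emit observable `obs`."""
    return {col + 1 for col, bit in enumerate(B[obs - 1]) if bit}


def hops_to_final(A, final):
    """Shortest hop count from each state to `final` (BFS on reversed edges)."""
    dist = {final: 0}
    queue = deque([final])
    while queue:
        target = queue.popleft()
        for source in range(1, len(A) + 1):
            if A[target - 1][source - 1] and source not in dist:
                dist[source] = dist[target] + 1
                queue.append(source)
    return dist


def hazard_levels(A, final):
    """HPA: 1 hop to the final state. LPA: at least 2 hops."""
    levels = {}
    for state, hops in hops_to_final(A, final).items():
        if hops == 1:
            levels[state] = "HPA"
        elif hops >= 2:
            levels[state] = "LPA"
    return levels


def state_traces(A, B, x0, observations):
    """All state sequences consistent with both A and the observed sequence."""
    traces = [[x0]]
    for obs in observations:
        candidates = hypothetic_states(B, obs)
        traces = [trace + [nxt] for trace in traces
                  for nxt in sorted(successors(A, trace[-1]) & candidates)]
    return traces


def detect(A, B, x0, final, observations):
    """Alarm if at least one possible trace passes through an HPA state."""
    levels = hazard_levels(A, final)
    traces = state_traces(A, B, x0, observations)
    alarm = any(levels.get(s) == "HPA" for t in traces for s in t[1:])
    return alarm, traces


if __name__ == "__main__":
    for seq in ([3], [4], [3, 5, 1], [5]):  # constructed observable sequences
        print(seq, detect(A, B, X0, XF, seq))
```

Observable 4 is emitted by both an LPA state (2) and an HPA state (3), so a single ambiguous observation already raises the alarm; an observation no reachable state can emit yields no trace at all.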
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equation system should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that even capturing all N nodes in the network, the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
ADL Component
[Block diagram. Labels: WML, ok, Hp_xk, Tuple Space, AG, NetManager, Comms, AR, Remote Tuple Space, al[sk], ADL, TGMP msgs, ARCHEA msgs, TM, LCD]
AG sub-Component
[Block diagram. Labels: al[sk], Hp_xk, Free_xi<k, Free_xk, Tuple Space, AG, WML, Score Computation, Trace Estimation, TM]
TM Component
[Block diagram. Labels: Hp_xk, TM (A, B, x0, xF), ok, AG, AR, Remote Tuple Space, ADL]
NetManager Component
[Block diagram. Labels: LCD, Comms, TGMP msgs, RELEASE_ind(niCH), cm[s], Tuple Space, ARCHEA msgs, TAKS, ARCHEA, NetManager, AR, TAKgen okko]
TAKS Component
[Block diagram. Labels: Network Topology Authentication, Key Generation, LCD, klj, cm[s], Tuple Space, TAKS, ARCHEA, ktj, σ(j), AR, TAKgen okko, ReplaceKey, RevokeKey, TinySec, Comms, TGMP, TGMP msgs, RELEASE_ind(niCH)]
ARCHEA Component
[Block diagram. Labels: Route Cost Computation, ARCHEA, TAKS, Comms, ARCHEA Manager, AR, ARCHEA msgs, RELEASE_ind(niCH)]
TAK Gen Management Prot (TGMP)
[Message sequence diagram between ni (LCDi) and nj (LCDj). Labels: (1), (2); SETUP(kti); SETUP(ktj); ti·kti = 0; tj·ktj = 0; TAK i = f(kli, ktj); TAK j = f(klj, kti); TAK-ciphered link; RELEASE(kti, ktj); RELEASE_ind(niCH); ARCHEA; TinySec RevokeKey(TAK); TinySec ReplaceKey(TAK)]
ARCHEA Protocol
[Message sequence diagram between ni, nj and nl. Labels: (1) EVALUATE_RC(hi, σi); ni = CH = minRCi; UDPATE_H(hj); UDPATE_H(hl); RESET_H; hj = hl+1; (2) RELEASE_ind(niCH); TAKS; TAK-ciphered link; σi = AN[σ(ni)]; LCDi: hi; LCDj: hj]
TAKS: Driving Ideas & Tools
Link layer cryptography provides security against outsider intruders
• TAKs are symmetric, pair-wise, not pre-distributed (only key components are pre-distributed)
• TAKS is deterministic
• TAKs are symmetric keys generated using asymmetric mechanisms (hybrid cryptography)
• Network Topology Authentication as pre-condition for TAK generation
• Cryptographic Entropy per TAK binit 1 bit (for any TAK length)
• Certification Authority is distributed on nodes of the admissible DCSTs
• Reverse engineering problem more complex than the Discrete Logarithm Problem (DLP)
• Cryptographic information is classified as public, restricted, private, secret
• Vector algebra on GF(q), with q = 2^k and k the TAK length in binit
TAKS: Topology Authentication
• Network Topology Authentication as pre-condition for TAK generation
• If the Planner is also Certifier:
  - Planned Network Topology → Certified Network Topology
  - Admissible DCST → Authenticated DCST
• A node in an Authenticated DCST becomes a local CA because it knows its admissible neighbors
  - Centralized CA → Distributed CA
TAK can be generated in a node pair only if mutual authentication has been successful; therefore the resulting DCST is both admissible and authenticated
TAK Generation
[Flow diagram between ni and nj, with an external server and the Intrusion Detection System on the NO branches. Labels: TrKeyCompi; TrKeyCompj; LocKeyCompi; LocKeyCompj; LocPldTopi; LocPldTopj; V(TrKeyCompj, LocPldTopi) = 0; YES: Node nj is authenticated, Keyi = f(LocKeyCompi, TrKeyCompj); V(TrKeyCompi, LocPldTopj) = 0; YES: Node ni is authenticated, Keyj = f(LocKeyCompi, TrKeyCompj); TAK = Keyi = Keyi]
TAK Authentication Theorem [Sec 641]
TAK Generation Theorem [Sec 642]
f() and V() [Sec 64] are public (Kerckhoffs's principle)
Local Conf Data [Sec 64]: private, restricted, restricted
Security Analysis
Q: Is TAK a real cryptographic key? I.e., what is the cryptographic entropy per binit associated with TAK?
A: It is shown [Sec 651] that TAK Cryptographic Entropy per binit is ≈ 1
Q: How secure is a single node? I.e., how complex is the inverse problem of breaking the TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec 652] that it is harder than the Discrete Logarithm Problem
Q: How secure is a network? I.e., how many nodes should be compromised to derive the TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec 653] that the TAKS scheme is N-secure
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE (32-bit processor PXA271 Xscale, 312 416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is bitsqlog)2(3 2

TAK length   Number of 32-bit   Estimated computation time   Estimated computation time   Estimated memory usage
             operations         (assuming MICA2 motes)       (assuming IMOTE motes)       (assuming 4 )
128 bit      1400               5 ms                         50 µs                        300 bytes
256 bit      13000              40 ms                        400 µs                       600 bytes
512 bit      120000             370 ms                       3.7 ms                       1200 bytes
1024 bit     1100000            3.2 s                        32 ms                        2400 bytes
Reference IDS Macro-functions
• Intrusion Alarm Generation issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL) defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA) reacts to intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists, grey lists, …)
[Block diagram. Labels: Intrusion Alarm Generation, Local Conf Data, Intrusion Reaction Logic, Intrusion Reaction Application, Control messages]
WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message Anomaly Rules Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  - Deterministic vs stochastic observable-state relationships
  - "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables States Traces Scores Alarm Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  - "possible states traces" vs "the most probable states trace" (Viterbi)
  - Possible states traces are equi-probable
• Alarm generation when at least a states trace contains at least an HPA
  - Scores (weights) associated to state traces
WPM-based IDS Micro-functions
[Block diagram. Labels: Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Local Conf Data, Control messages]
WPM-based IDS Information Flow
[Block diagram. Labels: Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Local Conf Data, Signalling IE, xk, ok, Al[sk], cm(s), Control messages]
WPM-based Anomaly Detection Model
010010000000990000010009900100000
S
[Figure panels: WPM Algebraic Canonical Form; Score Matrix S; Score Computation; WPM States Traces over k=1 to k=6 for the observable sequence o6 = 3 1 4 2 5 6; L = 1, H = 100; LPA and HPA states; alarms al[01|01] and al[02|00]]
Threats from insider intruders
[Figure: four scenarios drawn with nodes ni, nj, CH, M and E: HELLO Flooding (HF), SINKHOLE (SH), inter-cluster WORMHOLE and intra-cluster WORMHOLE (WH), the wormholes over a low latency link]
Examples of Anomaly Rules
AR1: If nE has authenticated node nE node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if there are no observables for a sequence of K observation steps, with K a predefined threshold
…
WPM-based Single Threats Models
[State diagrams for three single-threat models: HELLO Flooding (HF), states HF_1 to HF_6 with HF_5 RESET and HF_6 SUCCESSFULLY H FLOODING; SINKHOLE (SH), states SH_1 to SH_4 with SH_3 RESET and SH_4 SUCCESSFULLY SINKHOLE; WORMHOLE (WH), states WH_1 to WH_6 with WH_5 RESET and WH_6 SUCCESSFULLY WORMHOLE. Observable labels: (12), (34), (56), (65), (78), (87), (9). Score labels: 1, 99, -1, -100]
Aggregated Threat Model (I)
[State diagram: states X_1 to X_10 with X_9 RESET and X_10 SUCCESSFULLY THREAT; alarms Al[sk]. Observable labels: (12), (34), (56), (65), (78), (87), (9). Score labels: 1, 99, -1, -100]
Security Analysis
[Three plots of score vs obs (observation steps 1 to 31), legend ATM and STM, for the observable sequences 8886678555586775 (HF), 21221112112221 (SH) and 312213342342244 (WH)]
Security Analysis
[Two network scenarios with nodes labelled E, annotated (WH) and (SH), each with a plot of score vs obs (observation steps 1 to 31, score axis 0 to 500)]
Aggregated Threat Model (II)
[State diagram: states X_1 to X_10 with X_9 RESET and X_10 SUCCESSFULLY THREAT, plus a UPA state. Observable labels: (12), (34), (56), (65), (78), (87), (9). Score labels: 10, 990, 991, -10, -1000, -1001]
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE (32-bit processor PXA271 Xscale, 312 416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is n·WML + 3n² bytes

n·WML   Number of 32-bit   Estimated computation time   Estimated computation time   Estimated memory usage
        operations         (assuming MICA2 motes)       (assuming IMOTE motes)       (assuming n = 10)
50      30000              100 ms                       1 s                          350 bytes
100     60000              200 ms                       2 s                          400 bytes
1000    600000             2 s                          20 s                         1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Architecture diagram: Node (11) and Node (21), each with TinyOS, Agilla Middleware, Middleware Services, Tuplespace, Neighbor List and Agents; arrows labelled migrate, clone and remote access; MA-AEE]
[source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Layer diagram. Labels: Underlying WSN Deployment (Sensor Nodes); Secure Platform (SW components); AGILLA MA-AEE (Local memory, AGILLA services, Tuple space); Agent-based Applications (Agent A1, Agent A2, Agent An)]
IDS Functions Mapping
[Block diagram mapping the IDS functions (Defense Strategy, Anomaly Detection Logic, Alarm Tracking, Countermeasure Application, Threat Model, LCD, Control messages) onto the IDS Core comp and the IDS MA comp; IRA = Intrusion Reaction Agent]
IRA forward-propagation vs Threat Observables back-propagation
[Diagram: six nodes (1 to 6), each running AGILLA MA-AEE; IRA and IRA clone; Al[s] and ok exchanged between nodes]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Layer diagram. Labels: Underlying WSN Deployment (Sensor Nodes); Secure Platform (Anomaly Detection Logic, Threat Model, TAKS, ARCHEA, NetManager, LCD; IDS core comp); AGILLA MA-AEE (Tuple Space, AGILLA services); Monitoring Applications (IRA, Integrity Monitoring Agent, other agents)]
Secure Platform internal Structure
[Block diagram. Labels: AGILLA MA-AEE (IRA, Tuple Space, Remote Tuple Space); Secure Platform (ADL, TM, IRL, IRLA, LCD, NetManager, Comms); signals cm[s], ok, al[sk], Hp_xk; Control Msgs]
Next steps (near-term)
• Finalization of WINSOME components development
  - on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  - on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
TAKS: Topology Authentication
• Network Topology Authentication as pre-condition for TAK generation
• If the Planner is also Certifier
  – Planned Network Topology → Certified Network Topology
  – Admissible DCST → Authenticated DCST
• Node in an Authenticated DCST becomes local CA because it knows its admissible neighbors
  – Centralized CA → Distributed CA
TAK can be generated in a node pair only if mutual authentication has been successful; therefore the resulting DCST is both admissible and authenticated
TAK Generation
[Figure: flow between node ni and node nj for mutual authentication and TAK generation; elements shown: ni, nj, external server, Intrusion Detection System]
• Local Conf Data [Sec. 6.4]: node ni holds LocKeyCompi (private), TrKeyCompi (restricted) and LocPldTopi (restricted); node nj holds LocKeyCompj, TrKeyCompj and LocPldTopj
• ni and nj exchange TrKeyCompi and TrKeyCompj
• TAK Authentication Theorem [Sec. 6.4.1]: if V(TrKeyCompj, LocPldTopi) = 0 (YES), node nj is authenticated; if V(TrKeyCompi, LocPldTopj) = 0 (YES), node ni is authenticated; the NO branches go to the Intrusion Detection System
• TAK Generation Theorem [Sec. 6.4.2]: Keyi = f(LocKeyCompi, TrKeyCompj), Keyj = f(LocKeyCompj, TrKeyCompi), TAK = Keyi = Keyj
• f() and V() [Sec. 6.4] are public (Kerckhoffs's principle)
Security Analysis
Q: Is TAK a real cryptographic key? I.e., what is the cryptographic entropy per binit associated with TAK?
A: It is shown [Sec. 6.5.1] that the TAK cryptographic entropy per binit is ≈ 1
Q: How secure is a single node? I.e., how complex is the inverse problem of breaking the TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec. 6.5.2] that it is harder than the Discrete Logarithm Problem
Q: How secure is a network? I.e., how many nodes should be compromised to derive the TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec. 6.5.3] that the TAKS scheme is N-secure
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE (32-bit processor PXA271 XScale, 312/416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
bull Memory usage is bitsqlog)2(3 2
TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming 4 )
128 bit | 1400 | 5 ms | 50 µs | 300 bytes
256 bit | 13000 | 40 ms | 400 µs | 600 bytes
512 bit | 120000 | 370 ms | 3.7 ms | 1200 bytes
1024 bit | 1100000 | 3.2 s | 32 ms | 2400 bytes
Reference IDS Macro-functions
• Intrusion Alarm Generation issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL) defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA) reacts to an intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists, grey lists, …)
[Figure: block diagram with Intrusion Alarm Generation, Intrusion Reaction Logic, Intrusion Reaction Application, Local Conf Data and Control messages]
WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message → Anomaly Rules → Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – Deterministic vs stochastic observable-state relationships
  – "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables → States Traces → Scores → Alarm → Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – "possible states traces" vs "the most probable states trace" (Viterbi)
  – Possible states traces are equi-probable
• Alarm generation when at least one states trace contains at least one HPA
  – Scores (weights) associated to state traces
WPM-based IDS Micro-functions
[Figure: block diagram with Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Local Conf Data and Control messages]
WPM-based IDS Information Flow
[Figure: the micro-function blocks (Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Local Conf Data, Control messages) annotated with the exchanged items: Signalling IE, xk, ok, Al[sk], cm(s)]
WPM-based Anomaly Detection Model
[Figure: WPM Algebraic Canonical Form, Score Matrix S and Score Computation (L = 1, H = 100, LPA and HPA states marked), and the WPM States Traces over steps k=1 … k=6 for the observation sequence o6 = 3 1 4 2 5 6, with alarms al[01|01] and al[02|00]]
24
Threats from insider intruders
57CH
M
5 7
E
ni
nj
1
1CH
M
Eni
nj
1
1CH
M
33
Eni
nj
CH
M
1CH3
31
3
E
M
ni
nj nj
1E
ni1
3
low latencylink
HELLO Flooding SINKHOLE
inter-cluster WORMHOLEintra-cluster WORMHOLE
(HF) (SH)
(WH)
Examples of Anomaly Rules
AR1: If ni has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if there are no observables for a sequence of K observation steps, with K a predefined threshold
…
WPM-based Single Threats Models
[Figure: state diagrams of the three single threat models. HELLO Flooding (HF): states HF_1 to HF_6, with HF_5 RESET and HF_6 SUCCESSFULLY H FLOODING. SINKHOLE (SH): states SH_1 to SH_4, with SH_3 RESET and SH_4 SUCCESSFULLY SINKHOLE. WORMHOLE (WH): states WH_1 to WH_6, with WH_5 RESET and WH_6 SUCCESSFULLY WORMHOLE. Transitions carry observable labels (12), (34), (56), (65), (78), (87), (9) and the values 1, 99, -1, -100]
Aggregated Threat Model (I)
[Figure: aggregated state diagram with states X_1 to X_10 (X_9 RESET, X_10 SUCCESSFULLY THREAT), observable labels (12), (34), (56), (65), (78), (87), (9), the values 1, 99, -1, -100, and alarms Al[sk]]
Security Analysis
[Figure: three plots of score versus obs (1 to 31) for the (HF), (WH) and (SH) threats, with curves labelled ATM and STM; digit sequences shown: (HF) 8886678555586775, (SH) 21221112112221, (WH) 312213342342244]
Security Analysis
[Figure: two network diagrams with node E and two plots of score versus obs (1 to 31), labelled (WH) and (SH)]
Aggregated Threat Model (II)
[Figure: aggregated state diagram with states X_1 to X_10 (X_9 RESET, X_10 SUCCESSFULLY THREAT) and a UPA state; observable labels (12), (34), (56), (65), (78), (87), (9) and the values 10, 990, 991, -10, -1000, -1001]
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE (32-bit processor PXA271 XScale, 312/416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is nWML + 3n^2 bytes
nWML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two nodes, Node (1,1) and Node (2,1), each running TinyOS, the Agilla Middleware (Tuplespace, Neighbor List, Middleware Services) and Agents; arrows labelled migrate, clone and remote access; the whole is labelled MA-AEE]
[source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech. Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Figure: layered architecture with the layers Underlying WSN Deployment (Sensor Nodes), Secure Platform (SW components), AGILLA MA-AEE (AGILLA services, Tuple space, Local memory) and Agent-based Applications (Agent A1, Agent A2, Agent An)]
IDS Functions Mapping
[Figure: mapping of the IDS functions (Defense Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, LCD, Control messages) onto the IDS Core comp and the IDS MA comp; IRA = Intrusion Reaction Agent]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running AGILLA MA-AEE; the IRA is propagated between nodes by IRA clone, and Al[s], ok are exchanged between nodes]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Figure: layered architecture with the layers Underlying WSN Deployment (Sensor Nodes), Secure Platform (IDS core comp with Anomaly Detection Logic and Threat Model, TAKS, ARCHEA, NetManager, LCD, Tuple Space), AGILLA MA-AEE (AGILLA services) and Monitoring Applications (IRA, Integrity Monitoring Agent, other agents)]
Secure Platform internal Structure
[Figure: Secure Platform blocks (TM, ADL, IRL, IRLA, LCD, NetManager, Comms) connected to the Tuple Space, the Remote Tuple Space and the IRA in AGILLA MA-AEE; exchanged items: ok, Hp_xk, al[sk], cm[s], Control Msgs]
Next steps (near-term)
• Finalization of WINSOME components development
  – on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  – on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: the WINSOME Project surrounded by the topics Anomaly Detection applied to sensed data, Agent based SW design, Further WPM-based Threat Modeling, Detection Process, Threat Identification Mechanisms, Applications to Hybrid Systems, Control, Monitoring Theory, MW Service Support Enhancement, Cooperative Communications, Defence Strategies]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
  – Sensor Node Density (SND): it is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  – Overlapping Detection Spot Percentage (ODSP): it is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  – Minimize SND × ODSP to minimize coverage redundancy for a given SND
  – Minimize SND / ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND × ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND / ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)
Fundamental Cell | SND | ODSP | SND × ODSP | SND / ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
Underlying WSN: DCST Deployment
[Figure: DCST deployed over 25 numbered nodes (1 to 25)]
Underlying WSN: DCST Self-Organization
[Figure: five successive diagrams of the DCST re-organizing over the same numbered nodes]
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network
Configuration | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO, down 3 | 0.38 | 0.32 | 0.84
DCST-SO, down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO, down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO, down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO, rearrange 12 | 0.48 | 0.25 | 1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
  R1: Be a one-way function
  R2: must hold for where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: Be a one-way function
  R4: V(v, v′) = 0 only for a particular sub-set of values v, v′ ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a′ ∈ A if m ∈ M exists such that m(a × a′) ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for where m ∈ M satisfies Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because for where (hereafter omitted) is the mod q product
e. Let kl, k′l ∈ KL ⊂ U (private) and kt, k′t ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that, for the generic kt ∈ KT, t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node ni is authenticated by node nj (mutual authentication)
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to one of the logical "planned" neighbors of node i
• TAK authentication needs:
  – TrKeyCompj: vector ktj from node nj (the prover)
  – LocPldTopi: vector t for node ni (the verifier)
  – If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1 x2 … xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1 o2 … ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = (i = 1 … k-1) (xk A • Free_xi)
WPM-based Threat Model: Algebraic Canonical Form
xk+1 = A xk
ok = B xk
A = 0110000010010010100100000 (i-th column gives the states reachable from the i-th state)
B = 100010100000110110100010010001 (i-th column gives the observables of the i-th state)
x0 = 00001
xF = 10000
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: hypothetic states over six observation steps, built with xk+1 = A xk and xk = B^T ok: o1 = 3 (x1 = 4, x1 = 5), o2 = 1 (x2 = 1, x2 = 5), o3 = 4 (x3 = 2, x3 = 3), o4 = 2 (x4 = 3), o5 = 5 (x5 = 4), o6 = 6 (x6 = 1, x6 = 5); resulting traces Tr1 and Tr2]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
  – Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops from the final state
  – High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop from the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
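The trace generation and hazard classification defined on the WPM slides, worked through as an added example that is not code from the dissertation or the WINSOME project: the 5-state model, its A and B matrices, the observation sequences and all function names are constructed for illustration. It keeps every possible states trace instead of a single most probable one, and reports the first observation step at which some trace contains an HPA state.

```python
from collections import deque

# Constructed 5-state threat model (NOT the matrices shown on the slides).
# States are numbered 1..5 as on the slides; list index i holds state i+1.
# A[j][i] == 1 means state i+1 can move to state j+1, so the i-th column lists
# the states reachable from the i-th state (x_{k+1} = A x_k).
A = [
    [0, 1, 0, 0, 0],  # state 1 (final) is reached from state 2
    [0, 0, 0, 1, 0],  # state 2 is reached from state 4
    [0, 0, 0, 0, 1],  # state 3 is reached from state 5
    [0, 0, 0, 0, 1],  # state 4 is reached from state 5
    [0, 0, 1, 0, 0],  # state 5 is reached from state 3 (attempt abandoned)
]
# B[o][i] == 1 means state i+1 can produce observable o+1 (q x n, here 3 x 5).
B = [
    [0, 0, 1, 1, 0],  # o1 is ambiguous: produced by state 3 or state 4
    [0, 1, 0, 0, 1],  # o2 is ambiguous: produced by state 2 or state 5
    [1, 0, 0, 0, 0],  # o3 is produced only by the final state 1
]
X0, XF = 4, 0  # indices of the initial state (5) and of the final state (1)


def successors(a, i):
    """States reachable in one step from state index i (column i of A)."""
    return [j for j in range(len(a)) if a[j][i]]


def engaged_states(b, o):
    """Hypothetic Engaged States Hp_x_k = B^T o_k for observable index o."""
    return {i for i, bit in enumerate(b[o]) if bit}


def hazard_levels(a, final):
    """Classify states by hop distance to the final state: 1 hop is HPA,
    2 or more hops is LPA. The final state and states that cannot reach it
    get no level."""
    dist = {final: 0}
    queue = deque([final])
    while queue:  # breadth-first search along reversed transitions
        j = queue.popleft()
        for i in range(len(a)):
            if a[j][i] and i not in dist:
                dist[i] = dist[j] + 1
                queue.append(i)
    return {s: ("HPA" if d == 1 else "LPA") for s, d in dist.items() if d >= 1}


def extend_traces(a, b, traces, o):
    """Advance every trace by one step, keeping only the successor states that
    are compatible with the new observable. Traces are not ranked: with 0/1
    matrices every surviving trace is equally possible."""
    hp = engaged_states(b, o)
    return [t + [j] for t in traces for j in successors(a, t[-1]) if j in hp]


def monitor(a, b, x0, final, observations):
    """Return (surviving traces, first step at which a trace holds an HPA state).
    An empty trace list means the observations cannot be explained by the model."""
    levels = hazard_levels(a, final)
    traces, alarm_step = [[x0]], None
    for k, o in enumerate(observations, start=1):
        traces = extend_traces(a, b, traces, o)
        if alarm_step is None and any(
            levels.get(s) == "HPA" for t in traces for s in t
        ):
            alarm_step = k
    return traces, alarm_step


def labels(traces):
    """Convert index-based traces to the 1-based state numbers used on the slides."""
    return [[s + 1 for s in t] for t in traces]


if __name__ == "__main__":
    obs = [0, 1, 2]  # constructed observation sequence o1, o2, o3
    traces, alarm_step = monitor(A, B, X0, XF, obs)
    print("hazard levels:", {s + 1: lvl for s, lvl in hazard_levels(A, XF).items()})
    print("surviving traces:", labels(traces))
    print("alarm raised at observation step:", alarm_step)
```

After the ambiguous pair o1, o2 two traces survive, and the alarm fires because one of them has reached the HPA state even though the other has returned to the initial state.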
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
[Figure: Hypothetic Free States (Free_xk) along the observation steps (k, obs), with WML marked]
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
H(kil, kjt) = H(kjt) + H(kil | kjt) = 3 log2 q
H(kjt) = 0
H(kil | kjt) = H(kil)
H(kil) = 3 log2 q (q >> N)
H_TAK = (1/3) H(kil, kjt) / log2 q
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following system of non-algebraic equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3+3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 – Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
ADL Component
[Figure: block diagram of the ADL component with the blocks AG, AR, TM, WML, LCD, NetManager, Comms, Tuple Space and Remote Tuple Space; exchanged items: ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs]
AG sub-Component
[Figure: block diagram of the AG sub-component with the blocks Trace Estimation, Score Computation, WML, TM and Tuple Space; exchanged items: Hp_xk, Free_xi (i<k), Free_xk, al[sk]]
TM Component
[Figure: block diagram of the TM component (TM: A, B, x0, xF) connected to AG, AR, ADL and the Remote Tuple Space; exchanged items: ok, Hp_xk]
NetManager Component
[Figure: block diagram of the NetManager component with the blocks TAKS, ARCHEA, AR, LCD, Comms and Tuple Space; exchanged items: TGMP msgs, ARCHEA msgs, RELEASE_ind(ni, CH), cm[s], TAKgen ok/ko]
TAKS Component
[Figure: block diagram of the TAKS component with the blocks Network Topology Authentication, Key Generation, TGMP, LCD, AR, ARCHEA, TinySec, Comms and Tuple Space; exchanged items: klj, ktj, σ(j), cm[s], TAKgen ok/ko, ReplaceKey, RevokeKey, TGMP msgs, RELEASE_ind(ni, CH)]
ARCHEA Component
[Figure: block diagram of the ARCHEA component with the blocks Route Cost Computation, ARCHEA Manager, AR, TAKS and Comms; exchanged items: ARCHEA msgs, RELEASE_ind(ni, CH)]
TAK Gen Management Prot (TGMP)
[Figure: message sequence between ni (LCDi) and nj (LCDj): (1) SETUP(kti) and SETUP(ktj) are exchanged, with the checks ti · kti = 0 and tj · ktj = 0, then TAK i = f(kli, ktj) and TAK j = f(klj, kti) give the TAK-ciphered link (TinySec ReplaceKey(TAK)); (2) RELEASE_ind(ni, CH) from ARCHEA leads to RELEASE(kti, ktj) and TinySec RevokeKey(TAK)]
ARCHEA Protocol
[Figure: message sequence among ni (LCDi), nj (LCDj) and nl over a TAK-ciphered link: (1) EVALUATE_RC(hi, σi) with σi = AN[σ(ni)], ni = CH = min RCi, followed by UDPATE_H(hj), UDPATE_H(hl) and RESET_H messages, with hj = hl+1; (2) RELEASE_ind(ni, CH) to TAKS]
16
TAK Generation
[Figure: flow chart between ni and nj, TAK = Keyi = Keyj. The nodes exchange TrKeyCompi and TrKeyCompj. ni checks V(TrKeyCompj, LocPldTopi) = 0: YES → node nj is authenticated and Keyi = f(LocKeyCompi, TrKeyCompj); NO → Intrusion Detection System (external server). nj performs the corresponding check V(TrKeyCompi, LocPldTopj) = 0 to authenticate node ni and compute Keyj]
• TAK Authentication Theorem [Sec. 6.4.1]
• TAK Generation Theorem [Sec. 6.4.2]
• f() and V() [Sec. 6.4] are public (Kerckhoffs's principle)
• Local Conf Data [Sec. 6.4]: LocKeyComp is private, TrKeyComp and LocPldTop are restricted
17
Security Analysis
Q: Is TAK a real cryptographic key? I.e., what is the cryptographic entropy per binit associated with TAK?
A: It is shown [Sec. 6.5.1] that the TAK cryptographic entropy per binit is ≈ 1
Q: How secure is a single node? I.e., how complex is the inverse problem of breaking the TAK Generators from the cryptographic information available on a single node (security level in a single node)?
A: It is shown [Sec. 6.5.2] that it is harder than the Discrete Logarithm Problem
Q: How secure is a network? I.e., how many nodes should be compromised to derive the TAK Generators from the cryptographic information available on the network (security level in the network)?
A: It is shown [Sec. 6.5.3] that the TAKS scheme is N-secure
18
Cost Analysis
• MICA2: 8-bit processor ATMega128L, 7.4 MHz; assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor PXA271 XScale, 312/416 MHz; assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is 3( + 2) log2 q bits

TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming 4)
128 bit | 1400 | 5 ms | 50 µs | 300 bytes
256 bit | 13000 | 40 ms | 400 µs | 600 bytes
512 bit | 120000 | 370 ms | 3.7 ms | 1200 bytes
1024 bit | 1100000 | 3.2 s | 32 ms | 2400 bytes
19
Reference IDS Macro-functions
• Intrusion Alarm Generation: issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL): defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA): reacts to intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists, grey lists, …)
[Figure: Intrusion Alarm Generation, Intrusion Reaction Logic and Intrusion Reaction Application blocks, with Local Conf Data and Control messages]
20
WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message → Anomaly Rules → Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – Deterministic vs stochastic observable-state relationships
  – "0-1" reachability rules for observable-state relationships
  – "possible states traces" vs "the most probable states trace" (Viterbi)
  – Possible states traces are equi-probable
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables → States Traces → Scores → Alarm → Countermeasures
• Alarm generation when at least one states trace contains at least one HPA
  – Scores (weights) associated to state traces
21
WPM-based IDS Micro-functions
[Figure: Anomaly Detection Logic, Threat Model, Alarm Tracking, Defence Strategy and Countermeasure Application blocks, with Local Conf Data and Control messages]
22
WPM-based IDS Information Flow
[Figure: Anomaly Detection Logic, Threat Model, Alarm Tracking, Defence Strategy and Countermeasure Application blocks with Local Conf Data; items exchanged: Signalling IE, ok, xk, Al[sk], cm(s), Control messages]
23
WPM-based Anomaly Detection Model
[Figure: WPM Algebraic Canonical Form; WPM States Traces for k = 1 … 6 with observables o6 = 3 1 4 2 5 6; Score Matrix S and Score Computation with L = 1, H = 100; LPA and HPA states; alarms al[01|01] and al[02|00]]
24
Threats from insider intruders
[Figure: four scenarios with nodes ni, nj, E, cluster head CH and cluster member M: HELLO Flooding (HF), SINKHOLE (SH), intra-cluster WORMHOLE and inter-cluster WORMHOLE (WH); low latency link]
25
Examples of Anomaly Rules
AR1: If ni has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables are produced for a sequence of K observation steps, with K a predefined threshold
…
26
WPM-based Single Threats Models
[Figure: one WPM state machine per threat. HELLO Flooding (HF): states HF_1 to HF_6, with HF_5 RESET and HF_6 SUCCESSFULLY H FLOODING. SINKHOLE (SH): states SH_1 to SH_4, with SH_3 RESET and SH_4 SUCCESSFULLY SINKHOLE. WORMHOLE (WH): states WH_1 to WH_6, with WH_5 RESET and WH_6 SUCCESSFULLY WORMHOLE. Observable labels (1,2), (3,4), (5,6), (6,5), (7,8), (8,7), (9); scores 1, 99, -1, -100]
27
Aggregated Threat Model (I)
[Figure: aggregated WPM state machine with states X_1 to X_10, X_9 RESET and X_10 SUCCESSFULLY THREAT; observable labels (1,2), (3,4), (5,6), (6,5), (7,8), (8,7), (9); scores 1, 99, -1, -100; alarms Al[sk]]
28
Security Analysis
[Figure: score vs. obs (1 to 31) for the observable sequences 8886678555586775 (HF), 21221112112221 (SH) and 312213342342244 (WH); curves ATM and STM]
29
Security Analysis
[Figure: two network scenarios with numbered nodes and E, each with a plot of score vs. obs (1 to 31); labels (WH) and (SH)]
30
Aggregated Threat Model (II)
[Figure: aggregated WPM state machine with states X_1 to X_10, X_9 RESET and X_10 SUCCESSFULLY THREAT, with a UPA state marked; scores 10, 990, 991, -10, -1000, -1001]
31
Cost Analysis
• MICA2: 8-bit processor ATMega128L, 7.4 MHz; assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor PXA271 XScale, 312/416 MHz; assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is nWML + 3n^2 bytes

nWML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
32
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: Node (1,1) and Node (2,1), each running TinyOS, the Agilla Middleware (Middleware Services: Tuplespace, Neighbor List) and Agents; arrows: migrate, clone, remote access; MA-AEE]
[source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech. Report WUCSE-2006-16, 2006]
33
Enhanced AGILLA MA-AEE
[Figure: layered architecture. Underlying WSN Deployment (Sensor Nodes); Secure Platform (SW components); AGILLA MA-AEE (AGILLA services, Tuple space, Local memory); Agent-based Applications (Agent A1, Agent A2, …, Agent An)]
34
IDS Functions Mapping
[Figure: IRA (Intrusion Reaction Agent), IDS Core comp and IDS MA comp, mapped onto Defense Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Control messages and LCD]
35
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running AGILLA MA-AEE; labels: IRA, IRA clone, Al[s], ok]
This mechanism avoids the injection of new IRA instances from the sink
36
WINSOME PBD (II)
[Figure: layered architecture. Underlying WSN Deployment (Sensor Nodes); Secure Platform with IDS core comp, Anomaly Detection Logic, Threat Model, TAKS, ARCHEA, NetManager, LCD and Tuple Space; AGILLA MA-AEE (AGILLA services); Monitoring Applications: IRA, Integrity Monitoring Agent, other agents]
37
Secure Platform internal Structure
[Figure: Secure Platform with ADL, TM, IRL, IRLA, LCD, NetManager and Comms; AGILLA MA-AEE with IRA, Tuple Space and Remote Tuple Space; items exchanged: ok, Hp_xk, al[sk], cm[s], Control Msgs]
38
Next steps (near-term)
• Finalization of WINSOME components development
  – on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  – on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
39
Next steps (mid-term)
[Figure: WINSOME Project and related topics: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]
40
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
41
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
42
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
43
Thank you for your attention
44
BACKUP SLIDES
45
Underlying WSN: Physical WSN Deployment
• Metrics
  – Sensor Node Density (SND): It is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  – Overlapping Detection Spot Percentage (ODSP): It is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  – Minimize SND × ODSP to minimize coverage redundancy for a given SND
  – Minimize SND / ODSP to maximize coverage reliability for a given SND
46
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND × ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND / ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

Fundamental Cell | SND | ODSP | SND × ODSP | SND / ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
47
Underlying WSN: DCST Deployment
[Figure: Dynamic Clustered Spanning Tree over nodes numbered 1 to 25]
48
Underlying WSN: DCST Self-Organization
[Figure: tree of numbered nodes]
49
Underlying WSN: DCST Self-Organization
[Figure: tree of numbered nodes]
50
Underlying WSN: DCST Self-Organization
[Figure: tree of numbered nodes]
51
Underlying WSN: DCST Self-Organization
[Figure: tree of numbered nodes]
52
Underlying WSN: DCST Self-Organization
[Figure: tree of numbered nodes]
53
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

Scenario | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO, down 3 | 0.38 | 0.32 | 0.84
DCST-SO, down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO, down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO, down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO, rearrange 12 | 0.48 | 0.25 | 1.10
54
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer, for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple, where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
  R1: Be a one-way function
  R2: must hold for where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: Be a one-way function
  R4: V(v, v′) = 0 only for a particular sub-set of values v, v′ ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
55
TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a′ ∈ A if m ∈ M exists such that m(a × a′) ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for f() where m ∈ M satisfied Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because for where (hereafter omitted) is the mod q product
e. Let kl, k′l ∈ KL ⊂ U (private) and kt, k′t ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that for the generic kt ∈ KT is t · kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
57
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t · ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t · kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs
  – TrKeyCompj: vector ktj from node nj (the prover)
  – LocPldTopi: vector t for node ni (the verifier)
  – If ktj · ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
58
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by x^k = x1, x2, …, xk, xi ∈ X, with x0 (k = 0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by o^k = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = (i = 1 … k-1) (xk A • Free_xi)
59
WPM-based Threat Model: Algebraic Canonical Form
x_{k+1} = A x_k
o_k = B x_k
A: 0110000010010010100100000
B: 100010100000110110100010010001
x0 = 00001, xF = 10000
The i-th column of A gives the states reachable from the i-th state; the i-th column of B gives the observables of the i-th state
60
WPM-based Threat Model: Generation of Hypothetic States Traces
x_k = B^T o_k
x_{k+1} = A x_k
[Figure: hypothetic states over six observation steps, obtained from xk = B^T ok and linked by xk+1 = A xk. o1 = 3: x1 = 4, x1 = 5; o2 = 1: x2 = 1, x2 = 5; o3 = 4: x3 = 2, x3 = 3; o4 = 2: x4 = 3; o5 = 5: x5 = 4; o6 = 6: x6 = 1, x6 = 5; resulting traces Tr1 and Tr2]
61
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined
  – Low Potential Attack (LPA): An attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  – High Potential Attack (HPA): An attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
62
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
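The trace generation, hazard levels and alarm rule from the WPM threat-model slides, as an added Python example (not code from the dissertation or the WINSOME project). The 5-state machine, its A and B matrices and all function names are constructed for illustration; scoring a trace as L per LPA state plus H per HPA state, with L = 1 and H = 100, is this example's reading of the score slides.

```python
from collections import deque

L_SCORE, H_SCORE = 1, 100   # L and H values shown on the score-matrix slide

# Constructed 5-state machine (assumption; not the A and B printed on the slides).
# State 4 is the initial state x0, state 0 the final ("threat succeeded") state.
# A[j][i] == 1 iff state j is reachable from state i (column i = successors of i).
A = [
    [0, 0, 0, 1, 0],   # 0 <- 3
    [0, 0, 0, 0, 1],   # 1 <- 4
    [0, 0, 1, 0, 1],   # 2 <- 2, 4  (benign branch that never reaches state 0)
    [0, 1, 0, 0, 0],   # 3 <- 1
    [0, 0, 0, 0, 0],   # nothing returns to 4
]
# B[o][i] == 1 iff observable o can be produced in state i (column i = observables of i).
B = [
    [0, 1, 1, 0, 0],   # o0: state 1 or 2 (ambiguous)
    [0, 0, 1, 1, 0],   # o1: state 2 or 3 (ambiguous)
    [1, 0, 0, 0, 0],   # o2: state 0
]
X0, XF = 4, 0


def hops_to_final(A, final):
    """Breadth-first search over reversed edges: hop count from each state to the final state."""
    dist = {final: 0}
    queue = deque([final])
    while queue:
        j = queue.popleft()
        for i in range(len(A)):
            if A[j][i] and i not in dist:      # edge i -> j exists
                dist[i] = dist[j] + 1
                queue.append(i)
    return dist                                 # states that cannot reach final are absent


def hazard(dist, state):
    """HPA: 1 hop to the final state; LPA: at least 2 hops; otherwise no hazard level."""
    d = dist.get(state)
    if d == 1:
        return "HPA"
    if d is not None and d >= 2:
        return "LPA"
    return None


def hypothetic_states(B, o):
    """Hp_xk = B^T o_k: every hidden state that can produce observable o."""
    return {i for i, bit in enumerate(B[o]) if bit}


def state_traces(A, B, x0, observations):
    """All state traces consistent with both the 0-1 transitions and the observables."""
    traces = [(x0,)]
    for o in observations:
        hp = hypothetic_states(B, o)
        traces = [t + (j,) for t in traces
                  for j in range(len(A)) if A[j][t[-1]] and j in hp]
    return [t[1:] for t in traces]              # drop x0, keep x1..xk


def trace_score(trace, dist):
    weights = {"LPA": L_SCORE, "HPA": H_SCORE}
    return sum(weights.get(hazard(dist, s), 0) for s in trace)


def detect(A, B, x0, final, observations):
    """Return (alarm, [(trace, score), ...]); alarm if any possible trace holds an HPA state."""
    dist = hops_to_final(A, final)
    scored = [(t, trace_score(t, dist)) for t in state_traces(A, B, x0, observations)]
    alarm = any(hazard(dist, s) == "HPA" for t, _ in scored for s in t)
    return alarm, scored


if __name__ == "__main__":
    for obs in ([0], [0, 1], [0, 2]):           # constructed observable sequences
        print(obs, detect(A, B, X0, XF, obs))
```

Unlike a Viterbi decoder, which would keep only the most probable trace, every trace consistent with the observables is kept, so the benign trace (2, 2) does not mask the alarm raised by (1, 3). An observable sequence that no trace can explain, such as [0, 2], yields an empty trace list.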
64
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
65
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
66
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equation system should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 – Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
→ ~ q^4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
17
Security AnalysisQ Is TAK a real cryptographic key Ie which is the cryptographic entropy per binit associated to TAKA It is shown [Sec 651] that TAK Cryptographic Entropy per binit is asymp 1
Q How much a single node is secure Ie how much complex is the inverse problem to break TAK Generators from the cryptographic information available on a single node (security level in a single node) A It is shown [Sec 652] that is harder than Discrete Logarithm Problem
Q How much a network is secure Ie how many nodes should be compromised to derive TAK Generators from the cryptographic information available on the network (security level in the network)A It is shown [Sec 653] that TAKS scheme is N-secure
Doctorate Dissertation LrsquoAquila March 31st 2009
18
Cost Analysisbull MICA2 8-bit processor ATMega128L 74 MHz assuming 20 clock
cycles per arithmetic logic operation the average computation time per 32-bit operation is 3 s
bull IMOTE 32-bit processor PXA271Xscale 312 416 MHz assuming 5 clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
bull Memory usage is bitsqlog)2(3 2
TAK length
Number of 32-bit
operations
Estimated computation
time (assuming
MICA2 motes)
Estimated computation
time (assuming
IMOTE motes)
Estimated memory usage
(assuming 4 )
128 bit 1400 5 ms 50 s 300 bytes 256 bit 13000 40 ms 400 s 600 bytes 512 bit 120000 370 ms 37 ms 1200 bytes
1024 bit 1100000 32 s 32 ms 2400 bytes
Doctorate Dissertation LrsquoAquila March 31st 2009
19
bull Intrusion Alarm Generation issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
bull Intrusion Reaction Logic (IRL) defines the defence strategy (schedule of interventions) and tracks correlated alarms
bull Intrusion Reaction Logic Application (IRLA) reacts to intrusion by applying the suited countermeasures (link release putting compromised nodes in quarantine distributing black lists grey lists hellip)
Reference IDS Macro-functions
IntrusionAlarm
GenerationLocal
Conf DataIntrusionReaction
Logic
IntrusionReaction
Application
Controlmessages
Doctorate Dissertation LrsquoAquila March 31st 2009
20
WPM-based IDSDriving Ideas amp Tools
IDS provides security against insider intrudersbull Incoming message Anomaly Rules Observablesbull Behavior is modelled using WPMbull WPM (Weak Process Model) vs HMM (Hidden Markov Model)
ndash Deterministic vs stochastic observable-state relationshipsndash ldquo0-1rdquo reachability rules for observable-state relationships
bull Classification of WPM states according to their topological position within the WPM machine (eg LPA HPA states) and according to the associated ldquothreat observablesrdquo (eg UPA states)
bull Threat Observables States Traces Scores Alarm Countermeasuresbull WPM (Weak Process Model) vs HMM (Hidden Markov Model)
ndash ldquopossible states tracesrdquo vs ldquothe most probable states tracerdquo (Viterbi)
ndash Possible states traces are equi-probablebull Alarm generation when at least a states trace contains at least an HPA
ndash Scores (weights) associated to state traces
Doctorate Dissertation LrsquoAquila March 31st 2009
21
WPM-based IDS Micro-functions
DefenceStrategy
AnomalyDetection
Logic
ThreatModel
AlarmTracking
Countermeasure Application
LocalConf Data
Controlmessages
Doctorate Dissertation LrsquoAquila March 31st 2009
22
WPM-based IDS Information Flow
DefenceStrategy
AnomalyDetection
Logic
ThreatModel
AlarmTracking
Countermeasure Application
LocalConf Data
Signalling IE
xkok
Al[sk]
cm(s)
Controlmessages
Doctorate Dissertation LrsquoAquila March 31st 2009
23
WPM-based Anomaly Detection Model
010010000000990000010009900100000
S
o6 = 3 1 4 2 5 6
al[01|01]
al[02|00]
1100
99
-100
-100
1100
-100
-100
99
-990
L = 1 H = 100
LPA
HPA
Score Matrix SScore Computation
WPM Algebraic Canonical Form
k=1 k=2 k=3 k=4 k=5 k=6
WPM States Traces
Doctorate Dissertation LrsquoAquila March 31st 2009
24
Threats from insider intruders
57CH
M
5 7
E
ni
nj
1
1CH
M
Eni
nj
1
1CH
M
33
Eni
nj
CH
M
1CH3
31
3
E
M
ni
nj nj
1E
ni1
3
low latencylink
HELLO Flooding SINKHOLE
inter-cluster WORMHOLEintra-cluster WORMHOLE
(HF) (SH)
(WH)
Doctorate Dissertation LrsquoAquila March 31st 2009
25
Examples of Anomaly RulesAR1 If nE has authenticated node nE node nE declares hE lt hi with hi ne 0 (in
other words node nE introduces itself as the new CH of ni but the current CH of ni is still alive) then ok = o1
AR2 If ni is CH and (rule AR1 or rule AR2) in nj is true then ok = o2This AR enables the ldquothreat observablesldquo back-propagation
AR3 If ni has authenticated node nE and node nE declares hE hi (in other words node nE introduces itself as a new cluster member M) then ok = o3This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables for a sequence of K observation steps with K a predefined threshold
hellip
Doctorate Dissertation LrsquoAquila March 31st 2009
26
WPM-based Single Threats Models
HELLO Flooding
SINKHOLE
WORMHOLE(HF)
(SH)
(WH)
(9)
HF_5RESET
HF_6SUCCESSFULLYH FLOODING
99
-1
-100
(56)
HF_11
(65)
HF_3
99
-1
-100
(78)
HF_21
(87)
HF_4
(9)
SH_3RESET
SH_4SUCCESSFULLY
SINKHOLE
99
-1
-100
(12)
SH_11
(12)
SH_2
(9)
WH_5RESET
WH_6SUCCESSFULLY
WORMHOLE
99
-1
-100
(12)
WH_11
(34)
WH_3
99
-1
-100
(34)
WH_21
(12)
WH_4
Doctorate Dissertation LrsquoAquila March 31st 2009
27
Al[sk]
Al[sk ]
Al[sk ]Aggregated Threat Model (I)
Al[sk](9)
X_9RESET
X_10SUCCESSFULLY
THREAT
99 99
-1
-100
(12)99
(87)
X_8
(34)
X_3
99
(56)
X_51
(78)
X_61
X_4
(34)
X_21
(65)
X_7
(12)
X_11
99
Doctorate Dissertation LrsquoAquila March 31st 2009
28
8886678555586775
(HF)
21221112112221
(SH)
312213342342244
(WH)
Security Analysis
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(HF)
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
0
100
200
300
400
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(SH)
ATMSTM
Doctorate Dissertation LrsquoAquila March 31st 2009
29
1
3
2
E
E
3 1
4
3
15 0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
Security Analysis
1
3 E
E
3 1
4
3
15
E
21
6
1
0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
(WH)
(WH)
(WH)
(SH)
(SH)
Doctorate Dissertation LrsquoAquila March 31st 2009
30
(9)
X_9RESET
X_10SUCCESSFULLY
THREAT
991 990
-10
-1000
(12)990
(87)
X_8
(34)
X_3
990
(56)
X_510
(78)
X_610
X_4
(34)
X_210
(65)
X_7
(12)
X_110
990
-1001
Aggregated Threat Model (II)
UPA state
Cost Analysis
• MICA2: 8-bit processor ATMega128L (7.4 MHz); assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor PXA271 XScale (312 416 MHz); assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is $n \cdot WML + 3n^2$ bytes

| n·WML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10) |
|---|---|---|---|---|
| 50 | 30000 | 100 ms | 1 s | 350 bytes |
| 100 | 60000 | 200 ms | 2 s | 400 bytes |
| 1000 | 600000 | 2 s | 20 s | 1300 bytes |
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two TinyOS nodes, Node (1,1) and Node (2,1), each with Agilla Middleware, Agents, Tuplespace, Neighbor List and Middleware Services; arrows labelled migrate, clone and remote access; the whole labelled MA-AEE.]
[source: Fok C-L et al, “Agilla: A Mobile Agent Middleware for Sensor Networks”, Tech Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Figure: layered architecture; labels: Underlying WSN Deployment (Sensor Nodes), Secure Platform (SW components), AGILLA MA-AEE (AGILLA services, Tuple space, Local memory), Agent-based Applications (Agent A1, Agent A2, … Agent An).]
IDS Functions Mapping
[Figure: mapping of the IDS functions onto two components, IDS Core comp and IDS MA comp; labels: Threat Model, Anomaly Detection Logic, Alarm Tracking, Defense Strategy, Countermeasure Application, LCD, Control messages, IRA (Intrusion Reaction Agent).]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running AGILLA MA-AEE; labels: IRA, IRA clone, Al[s], ok.]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Figure: layered architecture; labels: Underlying WSN Deployment (Sensor Nodes), Secure Platform, IDS core comp, Anomaly Detection Logic, Threat Model, TAKS, ARCHEA, NetManager, LCD, Tuple Space, AGILLA services, AGILLA MA-AEE, Monitoring Applications, IRA, Integrity Monitoring Agent, other agents.]
Secure Platform internal Structure
[Figure: block diagram; labels: AGILLA MA-AEE, Tuple Space, Remote Tuple Space, IRA, Secure Platform, Control Msgs, Comms, NetManager, ADL, TM, IRL, IRLA, LCD; signals ok, Hp_xk, al[sk], cm[s].]
Next steps (near-term)
• Finalization of WINSOME components development
  – on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  – on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: research directions around the WINSOME Project; labels: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems; Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies.]
Scientific Contributions
[1] M. Pugliese and F. Santucci, “Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra”, in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, “A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks”, in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, “Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents”, submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, “A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN”
• M. Pugliese, L. Pomante and F. Santucci, “Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN”
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
  – Sensor Node Density (SND): defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  – Overlapping Detection Spot Percentage (ODSP): defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  – Minimize SND·ODSP to minimize coverage redundancy for a given SND
  – Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

| Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP |
|---|---|---|---|---|
| SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97 |
| SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46 |
| SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15 |
| SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23 |
Underlying WSN: DCST Deployment
[Figure: tree of the 25 deployed nodes, numbered 1 to 25.]
Underlying WSN: DCST Self-Organization
[Figures (five slides): the 25-node tree in five successive arrangements.]
Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical “planned” neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant “planned” node, applied to the deployed nodes in the network

| | | <CH> | <σ> | <h> |
|---|---|---|---|---|
| DCST-Deployment | | 0.36 | 0.33 | 0.80 |
| DCST-SO | down 3 | 0.38 | 0.32 | 0.84 |
| DCST-SO | down 3-4 | 0.39 | 0.31 | 0.87 |
| DCST-SO | down 3-4-11 | 0.45 | 0.26 | 1.03 |
| DCST-SO | down 3-4-11-8 | 0.48 | 0.25 | 1.17 |
| DCST-SO | rearrange 12 | 0.48 | 0.25 | 1.10 |
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a triple where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements
  R1: Be a one-way function
  R2: must hold for
  const)u(f)u(f)u(f)u(f Uuu
  where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements
  R3: Be a one-way function
  R4: V(v, v’) = 0 only for a particular sub-set of values v, v’ ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a’ ∈ A if m ∈ M exists such that m(a × a’) ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for f() be $f(\,) = k\,b^{m(\,)}$, where m ∈ M satisfies Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
   $k b^{mu}\, k b^{mu'} = k^{2} b^{m(u+u')} = k^{2} b^{m(u'+u)} = k b^{mu'}\, k b^{mu}$
   for u, u’ ∈ U, k ∈ GF(q), where (hereafter omitted) is the mod q product
e. Let kl, k’l ∈ KL ⊂ U (private) and kt, k’t ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that for the generic kt ∈ KT, t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a), s’ = mf(a’)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to one logical “planned” neighbor of node i
• TAK authentication needs
  – TrKeyCompj: vector ktj from node nj (the prover)
  – LocPldTopi: vector t for node ni (the verifier)
  – If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
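The verifier-side check of the TAK Authentication Theorem, as an added example (not code from the thesis or from the WINSOME project). It assumes a prime field GF(p) in place of the slides' GF(q); the function names, the sample key components and the rejection of malformed or all-zero vectors are assumptions of this example.

```python
import random

P = 2_147_483_647  # 2**31 - 1, prime. Assumption: a prime field stands in for GF(q).


def dot(u, v, p=P):
    """Scalar product g(t, kt) = t . kt of two 3-component vectors over GF(p)."""
    return sum(a * b for a, b in zip(u, v)) % p


def topology_vector_for(kt, rng, p=P):
    """Planner side: pick a non-zero topology vector t with t . kt = 0 (mod p)."""
    if not any(c % p for c in kt):
        raise ValueError("kt must be non-zero")
    pivot = next(i for i, c in enumerate(kt) if c % p)
    inv = pow(kt[pivot], -1, p)          # modular inverse, Python 3.8+
    while True:
        t = [rng.randrange(p) for _ in range(3)]
        rest = sum(t[i] * kt[i] for i in range(3) if i != pivot) % p
        t[pivot] = (-rest * inv) % p     # forces the scalar product to zero
        if any(t):
            return tuple(t)


def authenticate(sigma_i, kt_j, p=P):
    """Verifier n_i: n_j is admissible if some planned t in sigma(i) gives t . kt_j = 0.

    Added validation (assumption of this example): malformed vectors and the
    all-zero vector are refused, since the zero vector is orthogonal to every t
    and therefore says nothing about the planned topology.
    """
    well_formed = (len(kt_j) == 3 and
                   all(isinstance(c, int) and 0 <= c < p for c in kt_j))
    if not well_formed or not any(kt_j):
        return False
    return any(dot(t, kt_j, p) == 0 for t in sigma_i)


def orthogonal_count(t, p):
    """Count the non-zero vectors of GF(p)^3 orthogonal to t (small p only).

    For a non-zero t the result is p*p - 1, so an arbitrary vector satisfies the
    check for one topology vector with probability close to 1/p; this is why the
    field has to be large compared with the number of nodes (q >> N).
    """
    return sum(1 for x in range(p) for y in range(p) for z in range(p)
               if (x or y or z) and dot(t, (x, y, z), p) == 0)


def demo(seed=2009):
    """Constructed key components: n_j is a planned neighbour of n_i."""
    rng = random.Random(seed)
    kt_j = (123456789, 987654321, 555555555)   # constructed TrKeyComp of n_j
    kt_l = (42, 4242, 424242)                  # constructed TrKeyComp of n_l
    sigma_i = [topology_vector_for(kt_l, rng), topology_vector_for(kt_j, rng)]
    return authenticate(sigma_i, kt_j), authenticate(sigma_i, (0, 0, 0))


if __name__ == "__main__":
    print(demo(), orthogonal_count((1, 2, 3), 7))
```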
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij=1 if p(xk+1=xj|xk=xi)=1, aij=0 otherwise
• Emission Distribution Matrix B (q × n): bij=1 if p(ok=oj|xk=xi)=1, bij=0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi)
k-1
WPM-based Threat Model: Algebraic Canonical Form
$x_{k+1} = A x_k$, $o_k = B x_k$
A = 0110000010010010100100000 (i-th column gives the states reachable from the i-th state)
B = 100010100000110110100010010001 (i-th column gives the observables of the i-th state)
x0 = 00001
xF = 10000
WPM-based Threat Model: Generation of Hypothetic States Traces
$x_k = B^T o_k$, $x_{k+1} = A x_k$
[Figure: hypothetic states traces for the observation sequence o1 = 3, o2 = 1, o3 = 4, o4 = 2, o5 = 5, o6 = 6, alternating the steps xk = B^T ok and xk+1 = A xk from x1 to x6; resulting traces Tr1 and Tr2.]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined
  – Low Potential Attack (LPA): an attack is considered “low potentially dangerous” (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  – High Potential Attack (HPA): an attack is considered “high potentially dangerous” (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
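The state tracking and the LPA/HPA alarm rule described in the WPM slides above, as an added example (not the thesis implementation). The 6-state model, the observation sequences and the function names are constructed for illustration; resetting to x0 when an observable continues no tracked trace is an assumption of this example, and the score matrix S is left out.

```python
from collections import deque

# Constructed 6-state model (NOT the A, B matrices of the slides).
# A[j][i] == 1 means state j is reachable from state i in one step, so the
# i-th column lists the successors of state i, as in the canonical form.
A = [
    [0, 0, 0, 0, 0, 0],
    [1, 0, 0, 0, 0, 0],   # 0 -> 1
    [0, 1, 0, 0, 0, 0],   # 1 -> 2
    [0, 1, 0, 0, 0, 0],   # 1 -> 3
    [0, 0, 1, 0, 0, 0],   # 2 -> 4
    [0, 0, 0, 1, 1, 0],   # 3 -> 5 and 4 -> 5
]
# B[o][s] == 1 means state s emits observable o (q x n, here 4 x 6).
B = [
    [0, 1, 0, 0, 0, 0],   # o0: state 1
    [0, 0, 1, 1, 0, 0],   # o1: states 2 and 3 (ambiguous observable)
    [0, 0, 0, 0, 1, 0],   # o2: state 4
    [0, 0, 0, 0, 0, 1],   # o3: final state 5
]
X0, XF = 0, 5             # initial state and final ("attack completed") state


def hops_to_final(A, final):
    """Breadth-first search backwards from the final state: {state: hops}."""
    hops = {final: 0}
    queue = deque([final])
    while queue:
        j = queue.popleft()
        for i in range(len(A)):
            if A[j][i] and i not in hops:      # transition i -> j exists
                hops[i] = hops[j] + 1
                queue.append(i)
    return hops


def hazard_level(state, hops, final):
    """HPA: 1 hop to the final state. LPA: at least 2 hops."""
    if state == final:
        return "FINAL"
    d = hops.get(state)
    if d is None:
        return "NONE"                          # final state not reachable
    return "HPA" if d == 1 else "LPA"


def successors(A, states):
    """x_{k+1} = A x_k on a set of candidate states."""
    return {j for i in states for j in range(len(A)) if A[j][i]}


def hypothetic_states(B, obs):
    """Hp_x_k = B^T o_k: every state that can emit the observable."""
    if not 0 <= obs < len(B):
        return set()                           # unknown observable
    return {s for s, emits in enumerate(B[obs]) if emits}


def track(A, B, x0, final, observations):
    """Return [(k, candidate states, alarm)] for a sequence of observables.

    All candidate states are kept (the possible traces are equi-probable);
    the alarm is raised as soon as at least one of them is an HPA state.
    """
    hops = hops_to_final(A, final)
    candidates = {x0}
    report = []
    for k, obs in enumerate(observations, start=1):
        nxt = successors(A, candidates) & hypothetic_states(B, obs)
        if not nxt:
            nxt = {x0}    # assumption: no tracked trace continues, start over
        candidates = nxt
        alarm = any(hazard_level(s, hops, final) == "HPA" for s in candidates)
        report.append((k, sorted(candidates), alarm))
    return report


if __name__ == "__main__":
    for row in track(A, B, X0, XF, [0, 1, 2, 3]):
        print(row)
```

At step 2 the ambiguous observable leaves two candidate states, one LPA and one HPA, and the alarm is raised because one possible trace is already one hop from the final state.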
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
[Figure labels: Hypothetic Free States (Free_xk), kobs, WML]
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equations system should be solved for a, m, c, b, which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that even capturing all N nodes in the network the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
ADL Component
[Figure: block diagram of the ADL component; labels: AR, AG, TM, WML, ok, Hp_xk, al[sk], Tuple Space, Remote Tuple Space, NetManager, Comms, LCD, TGMP msgs, ARCHEA msgs.]
AG sub-Component
[Figure: block diagram of the AG sub-component; labels: Trace Estimation, Score Computation, WML, TM, Hp_xk, Free_xk, Free_xi<k, al[sk], Tuple Space.]
TM Component
[Figure: block diagram of the TM component; labels: TM (A, B, x0, xF), ok, Hp_xk, AG, AR, ADL, Remote Tuple Space.]
NetManager Component
[Figure: block diagram of the NetManager component; labels: TAKS, ARCHEA, AR, LCD, Comms, Tuple Space, TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen ok/ko.]
TAKS Component
[Figure: block diagram of the TAKS component; labels: Network Topology Authentication, Key Generation, TGMP, LCD (klj, ktj, σ(j)), ARCHEA, AR, Comms, Tuple Space, cm[s], TGMP msgs, RELEASE_ind(niCH), TAKgen ok/ko, TinySec ReplaceKey, RevokeKey.]
ARCHEA Component
[Figure: block diagram of the ARCHEA component; labels: ARCHEA Manager, Route Cost Computation, TAKS, AR, Comms, ARCHEA msgs, RELEASE_ind(niCH).]
TAK Gen Management Prot (TGMP)
[Figure: message exchange between ni and nj; labels: (1) SETUP(kti), SETUP(ktj); checks tj · ktj = 0 and ti · kti = 0; TAK i = f(kli, ktj), TAK j = f(klj, kti); TAK-ciphered link; (2) RELEASE(kti, ktj); RELEASE_ind(niCH) towards ARCHEA; LCDi, LCDj; TinySec RevokeKey(TAK), TinySec ReplaceKey(TAK).]
ARCHEA Protocol
[Figure: message exchange between ni, nj and nl; labels: (1) EVALUATE_RC(hi σi); ni=CH = minRCi; UDPATE_H(hj), UDPATE_H(hl), RESET_H; hj = hl+1; (2) RELEASE_ind(niCH) towards TAKS; TAK-ciphered link; σi=AN[σ(ni)]; LCDi (hi), LCDj (hj).]
Cost Analysis
• MICA2: 8-bit processor ATMega128L (7.4 MHz); assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor PXA271 XScale (312 416 MHz); assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is bitsqlog)2(3 2

| TAK length | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming 4 ) |
|---|---|---|---|---|
| 128 bit | 1400 | 5 ms | 50 µs | 300 bytes |
| 256 bit | 13000 | 40 ms | 400 µs | 600 bytes |
| 512 bit | 120000 | 370 ms | 3.7 ms | 1200 bytes |
| 1024 bit | 1100000 | 3.2 s | 32 ms | 2400 bytes |
Reference IDS Macro-functions
• Intrusion Alarm Generation: issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL): defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA): reacts to intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists, grey lists, …)
[Figure: block diagram; labels: Intrusion Alarm Generation, Intrusion Reaction Logic, Intrusion Reaction Application, Local Conf Data, Control messages.]
WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message → Anomaly Rules → Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – Deterministic vs stochastic observable-state relationships
  – “0-1” reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated “threat observables” (e.g. UPA states)
• Threat Observables → States Traces → Scores → Alarm → Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – “possible states traces” vs “the most probable states trace” (Viterbi)
  – Possible states traces are equi-probable
• Alarm generation when at least a states trace contains at least an HPA
  – Scores (weights) associated to state traces
WPM-based IDS: Micro-functions
[Figure: block diagram; labels: Threat Model, Anomaly Detection Logic, Alarm Tracking, Defence Strategy, Countermeasure Application, Local Conf Data, Control messages.]
WPM-based IDS: Information Flow
[Figure: the same blocks with the information exchanged between them; labels: Signalling IE, ok, xk, Al[sk], cm(s), Control messages.]
23
WPM-based Anomaly Detection Model
010010000000990000010009900100000
S
o6 = 3 1 4 2 5 6
al[01|01]
al[02|00]
1100
99
-100
-100
1100
-100
-100
99
-990
L = 1 H = 100
LPA
HPA
Score Matrix SScore Computation
WPM Algebraic Canonical Form
k=1 k=2 k=3 k=4 k=5 k=6
WPM States Traces
Threats from insider intruders
[Figure: four cluster sketches with nodes ni, nj, cluster head CH, members M and node E, titled HELLO Flooding (HF), SINKHOLE (SH), inter-cluster WORMHOLE and intra-cluster WORMHOLE (WH); one label reads “low latency link”.]
Examples of Anomaly Rules
AR1: If nE has authenticated node nE node nE declares hE < hi with hi ≠ 0 (in other words node nE introduces itself as the new CH of ni but the current CH of ni is still alive) then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true then ok = o2. This AR enables the “threat observables” back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words node nE introduces itself as a new cluster member M) then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if there are no observables for a sequence of K observation steps, with K a predefined threshold
…
WPM-based Single Threats Models
[Figure: state diagrams of the three single-threat models: HELLO Flooding (HF, states HF_1 to HF_6), SINKHOLE (SH, states SH_1 to SH_4) and WORMHOLE (WH, states WH_1 to WH_6); HF_5, SH_3 and WH_5 are labelled RESET, HF_6, SH_4 and WH_6 are labelled SUCCESSFULLY; edge labels include 99, -1 and -100.]
Doctorate Dissertation LrsquoAquila March 31st 2009
27
Al[sk]
Al[sk ]
Al[sk ]Aggregated Threat Model (I)
Al[sk](9)
X_9RESET
X_10SUCCESSFULLY
THREAT
99 99
-1
-100
(12)99
(87)
X_8
(34)
X_3
99
(56)
X_51
(78)
X_61
X_4
(34)
X_21
(65)
X_7
(12)
X_11
99
Doctorate Dissertation LrsquoAquila March 31st 2009
28
8886678555586775
(HF)
21221112112221
(SH)
312213342342244
(WH)
Security Analysis
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(HF)
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
0
100
200
300
400
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(SH)
ATMSTM
Doctorate Dissertation LrsquoAquila March 31st 2009
29
1
3
2
E
E
3 1
4
3
15 0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
Security Analysis
1
3 E
E
3 1
4
3
15
E
21
6
1
0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
(WH)
(WH)
(WH)
(SH)
(SH)
Doctorate Dissertation LrsquoAquila March 31st 2009
30
(9)
X_9RESET
X_10SUCCESSFULLY
THREAT
991 990
-10
-1000
(12)990
(87)
X_8
(34)
X_3
990
(56)
X_510
(78)
X_610
X_4
(34)
X_210
(65)
X_7
(12)
X_110
990
-1001
Aggregated Threat Model (II)
UPA state
Doctorate Dissertation LrsquoAquila March 31st 2009
31
Cost Analysisbull MICA2 8-bit processor ATMega128L 74 MHz) and assuming 20
clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 3 s
bull IMOTE 32-bit processor PXA271Xscale312 416 MHz) and assuming 5 clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
bull Memory usage is bytes2n3WMLn
nWML Number of 32-bit
operations
Estimated computation
time (assuming
MICA2 motes)
Estimated computation
time (assuming
IMOTE motes)
Estimated memory usage
(assuming 10n )
50 30000 100 ms 1 s 350 bytes 100 60000 200 ms 2 s 400 bytes
1000 600000 2 s 20 s 1300 bytes
Doctorate Dissertation LrsquoAquila March 31st 2009
32
AGILLA MA-AEEbull AGILLA is a mobile agent-based MW running on TinyOSbull Inter-agent communication via Tuple Space (rarr threat obs aggregation) bull Agents migrates via MOVE or CLONE (rarr agent propagation across DCST)bull STRONG or WEAK agent migrationbull Neighbor List (rarr admissible neighbors according to PNT graph)
TinyOS
Node (11)
Tuplespace
Agilla Middleware
Agents
TinyOS
Node (21)
Tuplespace
Agilla Middleware
Agentsmigrate
remote accessNeighbor
ListNeighbor
ListMiddleware Services Middleware Services
migrate
clone
MA-
AEE
[source Fok C-L et al ldquoAgilla A Mobile Agent Middleware for Sensor Networksrdquo Tech Report WUCSE-2006-16 2006]
Doctorate Dissertation LrsquoAquila March 31st 2009
33
Enhanced AGILLA MA-AEE
Underlying WSN Deployment
Secure Platform
AGILLA MA-AEE
Agent-based Applications
SWcomponent
SWcomponent
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Agent A1 AgentA2 AgentAn
Localmemory
AGILLAservices
Tuple space
Doctorate Dissertation LrsquoAquila March 31st 2009
34
IDS Functions Mapping
IRA
DefenseStrategy
AnomalyDetection
Logic
AlarmTracking
Countermeasure Application
Controlmessages
ThreatModel
LCD
IDSCore comp IRA
IDSMA comp
Intrusion Reaction Agent
Doctorate Dissertation LrsquoAquila March 31st 2009
35
IRA forward-propagation vs
Threat Observables back-propagation
IRA
Al[s] ok
IRAclone
1AGILLA MA-AEE
4AGILLA MA-AEE
5AGILLA MA-AEE
Al[s] ok
Al[s] ok Al[s] okAl[s] ok
3AGILLA MA-AEE
6AGILLA MA-AEE
2AGILLA MA-AEE
IRAclone
This mechanism avoids the injections of new IRA instances from the sink
Doctorate Dissertation LrsquoAquila March 31st 2009
36
WINSOME PBD (II)
Underlying WSN Deployment
AGILLA MA-AEE
IRAMonitoring Applications
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Integrity Monitoring
Agent
otheragents
AnomalyDetection
LogicThreatModel TAKS ARCHEA
Secure Platform
NetManagerLCDTuple Space
AGILLAservices
IDS core comp
Doctorate Dissertation LrsquoAquila March 31st 2009
37
Secure Platform internal Structure
AGILLA MA-AEEcm[s]
ok
al[sk]
al[sk]
Comms
NetManager
al[sk]
cm[s]
ok
Secure Platform
Control Msgs
Tuple Space
IRA
AGILLA MA-AEE
Remote Tuple Space
IRA
TMok
Hp_xk
ok
ADL
IRLIRLA
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
38
Next steps (near-term)bull Finalization of WINSOME components development
ndash on-going implementations of AGILLA enhancements bull 2 theses finalized 1 thesis in on-going
bull Extensions of WPM-based IDS to data messages ndash on-going jointly with UC Berkeley
bull Enhancements of WPM technique to reduce false positivesbull Extension of TAKS to cluster keys
Doctorate Dissertation LrsquoAquila March 31st 2009
39
Next steps (mid-term)
Anomaly Detectionapplied to sensed
data
Agent basedSW design
Further WPM-based
Threat Modeling
DetectionProcess
Threat Identification Mechanisms
Applications to Hybrid Systems
Control
MonitoringTheory
MWService SupportEnhancement
CooperativeCommunication
s
WINSOME Project
DefenceStrategies
Doctorate Dissertation LrsquoAquila March 31st 2009
40
Scientific Contributions[1]M Pugliese and F Santucci ldquoPair-wise Network Topology Authenticated
Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebrardquo in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08) Atlanta 2008
[2]M Pugliese A Giani and F Santucci ldquoA Weak Process Approach to Anomaly Detection in Wireless Sensor Networksrdquo in 1st International Workshop on Sensor Networks (SN08) Virgin Islands 2008
Doctorate Dissertation LrsquoAquila March 31st 2009
41
In preparationbull M Pugliese A Giani and F Santucci ldquoWeak Process Models for
Attack Detection in a Clustered Sensor Network using Mobile Agentsrdquo submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
bull M Pugliese and F Santucci ldquoA Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
bull M Pugliese L Pomante and F Santucci ldquoAgent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
Doctorate Dissertation LrsquoAquila March 31st 2009
42
AcronymsADL Anomaly Detection LogicAR Anomaly RulesAGILLA AGile bombILLAARCHEA Available Resource Cluster-Head Election AlgorithmDCST Dynamic Clustered Spanning TreeDLP Discrete Logarithm ProblemGF Galois FieldHMM Hidden Markov ModelHPA High Potential AttackIDS Intrusion Detection SystemIRA Intrusion Reaction AgentIRL Intrusion Reaction LogicLCD Local Configuration DataLPA Low Potential AttackTAKS Topology Authenticated Key SchemeTGMP TAK Generation Management ProtocolWINSOME WIreless sensor Network-based Secure system fOr
structural integrity Monitoring and alErtingWML WPM Memory LengthWPM Weak Process ModelWSN Wireless Sensor Network
Doctorate Dissertation LrsquoAquila March 31st 2009
43
Grazie per lrsquoAttenzione
Doctorate Dissertation LrsquoAquila March 31st 2009
44
BACKUP SLIDES
Doctorate Dissertation LrsquoAquila March 31st 2009
45
Underlying WSNPhysical WSN Deployment
bull Metricsndash Sensor Node Density (SND) It is defined as the ratio between
the number of sensor nodes and the aggregated coverage (supposing circular areas r = 1) generated by each sensor node
ndash Overlapping Detection Spot Percentage (ODSP) It is defined as the percentage of the aggregated overlapped coverage generated by all SND respect to the coverage area generated by a generic sensor node
bull Coverage-cost criteriandash Minimize SNDODSP to mimimize coverage redundancy for a
given SND ndash Minimize SNDODSP to maximize coverage reliability for a given
SND
Doctorate Dissertation LrsquoAquila March 31st 2009
46
Underlying WSNCoverage-cost Quality Indicators
bull The minimum for the product SNDODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
bull The minimum for the ratio SNDODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell SND ODSP SNDODSP SND ODSP SNs at the centre of hexagon 033 034 011 097 SNs at the centre of square 033 072 024 046 SNs at the vertices of hexagon 036 234 084 015 SNs at the vertices of square 036 156 056 023
Doctorate Dissertation LrsquoAquila March 31st 2009
47
18
23
5
11
4
17
8
1
20
15
9
21
24
19
25
16 6 13 10 22
12 3 2 7 14
Underlying WSNDCST Deployment
Doctorate Dissertation LrsquoAquila March 31st 2009
48
11
4
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple whose components ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
  R1: Be a one-way function
  R2: must hold for
  where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: Be a one-way function
  R4: V(v, v') = 0 only for a particular sub-set of values v, v' ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a' ∈ A if m ∈ M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b B GF(q) not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for where m ∈ M satisfies Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
   for where (hereafter omitted) is the mod q product
e. Let kl, k'l ∈ KL ⊂ U (private) and kt, k't ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that for the generic kt ∈ KT it holds that t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if a t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if a t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node ni is authenticated by node nj (mutual authentication).
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to one of the logical "planned" neighbors of node i
• TAK authentication needs:
  – TrKeyCompj: vector ktj from node nj (the prover)
  – LocPldTopi: vector t for node ni (the verifier)
  – If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant with requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1 x2 … xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1 o2 … ok with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = [i = 1 … k-1] (xk A • Free_xi)
WPM-based Threat Model: Algebraic Canonical Form
xk+1 = A xk
ok = B xk
A = 0110000010010010100100000 (entries as extracted; row/column layout lost)
B = 100010100000110110100010010001 (entries as extracted; row/column layout lost)
x0 = 00001
xF = 10000
In A, the i-th column gives the states reachable from the i-th state; in B, the i-th column gives the observables of the i-th state
WPM-based Threat Model: Generation of Hypothetic States Traces
xk+1 = A xk
xk = B^T ok
[Figure: trace-generation diagram over six observation steps. Recoverable labels: o1 = 3 (x1 = 4, x1 = 5); o2 = 1 (x2 = 1, x2 = 5); o3 = 4 (x3 = 2, x3 = 3); o4 = 2 (x4 = 3); o5 = 5 (x5 = 4); o6 = 6 (x6 = 1, x6 = 5); trace labels as extracted: Tr1 6=1245, Tr2 6=1351]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
  – Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops from the final state
  – High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop from the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem, DLP)
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic system of equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3+3), 10 variables (a, m, c, b)
• It can be shown that even capturing all N nodes in the network the attacker gets ~ q^4 – Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
→ ~ q^4 solutions
ADL Component
[Diagram. Labels: WML, ok, Hp_xk, Tuple Space, AG, NetManager, Comms, AR, Remote Tuple Space, al[sk], ADL, TGMP msgs, ARCHEA msgs, TM, LCD]
AG sub-Component
[Diagram. Labels: al[sk], Hp_xk, Free_xi<k, Free_xk, Tuple Space, AG, WML, Score Computation, Trace Estimation, TM]
TM Component
[Diagram. Labels: Hp_xk, TM (A, B, x0, xF), ok, AG, AR, Remote Tuple Space, ADL]
NetManager Component
[Diagram. Labels: LCD, Comms, TGMP msgs, RELEASE_ind(niCH), cm[s], Tuple Space, ARCHEA msgs, TAKS, ARCHEA, NetManager, AR, TAKgen ok/ko]
TAKS Component
[Diagram. Labels: Network Topology Authentication, Key Generation, LCD, klj, ktj, σ(j), cm[s], Tuple Space, TAKS, ARCHEA, AR, TAKgen ok/ko, ReplaceKey, RevokeKey, TinySec, Comms, TGMP, TGMP msgs, RELEASE_ind(niCH)]
ARCHEA Component
[Diagram. Labels: Route Cost Computation, ARCHEA, TAKS, Comms, ARCHEA Manager, AR, ARCHEA msgs, RELEASE_ind(niCH)]
TAK Generation Management Protocol (TGMP)
[Message sequence diagram between ni (LCDi) and nj (LCDj). Labels: (1), (2); SETUP(kti); SETUP(ktj); tj · ktj = 0; ti · kti = 0; TAK i = f(kli, ktj); TAK j = f(klj, kti); TAK-ciphered link; RELEASE(kti, ktj); RELEASE_ind(niCH) from ARCHEA; TinySec RevokeKey(TAK); TinySec ReplaceKey(TAK)]
ARCHEA Protocol
[Message sequence diagram among ni (LCDi), nj (LCDj) and nl. Labels: (1) EVALUATE_RC(hi, σi); ni = CH = min RCi; UPDATE_H(hj); UPDATE_H(hl); RESET_H; hj = hl+1; (2) RELEASE_ind(niCH) to TAKS; TAK-ciphered link; σi = AN[σ(ni)]; hi; hj]
Reference IDS Macro-functions
• Intrusion Alarm Generation: issues alarms according to a predefined Anomaly Detection Logic (ADL) and threat models
• Intrusion Reaction Logic (IRL): defines the defence strategy (schedule of interventions) and tracks correlated alarms
• Intrusion Reaction Logic Application (IRLA): reacts to intrusion by applying the suited countermeasures (link release, putting compromised nodes in quarantine, distributing black lists, grey lists, …)
[Diagram. Labels: Intrusion Alarm Generation, Intrusion Reaction Logic, Intrusion Reaction Application, Local Conf Data, Control messages]
WPM-based IDS: Driving Ideas & Tools
IDS provides security against insider intruders
• Incoming message → Anomaly Rules → Observables
• Behavior is modelled using WPM
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – Deterministic vs stochastic observable-state relationships
  – "0-1" reachability rules for observable-state relationships
• Classification of WPM states according to their topological position within the WPM machine (e.g. LPA, HPA states) and according to the associated "threat observables" (e.g. UPA states)
• Threat Observables → States Traces → Scores → Alarm → Countermeasures
• WPM (Weak Process Model) vs HMM (Hidden Markov Model)
  – "possible states traces" vs "the most probable states trace" (Viterbi)
  – Possible states traces are equi-probable
• Alarm generation when at least one states trace contains at least one HPA
  – Scores (weights) associated to state traces
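The alarm rule above (an alarm when at least one possible states trace contains an HPA), together with the Hp_xk = B^T ok and LPA/HPA definitions from the threat-model slides, as an added Python example that is not from the dissertation. The 5-state model, its A and B matrices, the one-transition-per-observation rule and the restart rule for an inconsistent observable are constructed assumptions.

```python
from collections import deque

# Constructed 5-state threat model (assumption, not the matrices on the slides).
# States: 0 idle (initial), 1 probe-a, 2 probe-b, 3 staged, 4 attack completed (final).
# Canonical form used on the slides: column i of A marks the states reachable
# from state i; column i of B marks the observables state i can emit.
A = [
    [1, 0, 1, 0, 0],  # into 0: from 0 (stay idle) and from 2 (give up)
    [1, 0, 0, 0, 0],  # into 1: from 0
    [1, 0, 0, 0, 0],  # into 2: from 0
    [0, 1, 0, 0, 0],  # into 3: from 1
    [0, 0, 0, 1, 0],  # into 4: from 3
]
B = [
    [1, 0, 0, 0, 0],  # o0: emitted by state 0 only
    [0, 1, 1, 0, 0],  # o1: ambiguous between states 1 and 2
    [1, 0, 0, 1, 0],  # o2: ambiguous between states 0 and 3
    [0, 0, 0, 0, 1],  # o3: emitted by the final state only
]
X0, FINAL = 0, 4


def successors(A, i):
    """States reachable from state i in one transition (column i of A)."""
    return [j for j in range(len(A)) if A[j][i]]


def hops_to_final(A, final):
    """Minimum number of transitions from each state to `final` (None if unreachable)."""
    dist = [None] * len(A)
    dist[final] = 0
    queue = deque([final])
    while queue:
        j = queue.popleft()
        for i, edge in enumerate(A[j]):  # row j marks the predecessors of j
            if edge and dist[i] is None:
                dist[i] = dist[j] + 1
                queue.append(i)
    return dist


def hazard_levels(A, final):
    """HPA = 1 hop from the final state, LPA = at least 2 hops, None otherwise."""
    levels = {}
    for state, d in enumerate(hops_to_final(A, final)):
        if d == 1:
            levels[state] = "HPA"
        elif d is not None and d >= 2:
            levels[state] = "LPA"
        else:
            levels[state] = None  # final state, or final state unreachable
    return levels


def track(A, B, x0, final, observations, wml=4):
    """Return [(observable, possible traces, alarm)] for each observation step.

    Traces are kept over the last `wml` states (WPM Memory Length).
    """
    levels = hazard_levels(A, final)
    traces = [(x0,)]
    report = []
    for o in observations:
        # Hypothetic engaged states for this observable: Hp_xk = B^T ok
        hyp = {x for x, emits in enumerate(B[o]) if emits}
        # Extend every possible trace by one transition that explains the observable
        extended = [t + (x,) for t in traces for x in successors(A, t[-1]) if x in hyp]
        if not extended:
            # Observable fits no current trace: restart from the hypothetic
            # states (assumed resynchronisation rule, not from the slides)
            extended = [(x,) for x in sorted(hyp)]
        traces = sorted({t[-wml:] for t in extended})
        # Alarm as soon as at least one possible trace contains an HPA state
        alarm = any(levels[x] == "HPA" for t in traces for x in t)
        report.append((o, traces, alarm))
    return report


if __name__ == "__main__":
    for obs in ([1, 2, 0], [1, 2, 3]):
        for o, traces, alarm in track(A, B, X0, FINAL, obs):
            print(f"o{o}: traces={traces} alarm={alarm}")
```

In the first sequence the ambiguous observable o2 raises an alarm because one of the two equi-probable traces reaches the HPA state; the next observable rules that trace out and the alarm is withdrawn.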
WPM-based IDS Micro-functions
[Diagram. Labels: Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Local Conf Data, Control messages]
WPM-based IDS Information Flow
[Diagram. Labels: Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Local Conf Data, Signalling IE, xk, ok, Al[sk], cm(s), Control messages]
WPM-based Anomaly Detection Model
[Figure: worked example with panels WPM Algebraic Canonical Form, Score Matrix S, Score Computation and WPM States Traces (k = 1 … 6). Recoverable values: observation sequence o6 = 3 1 4 2 5 6; L = 1, H = 100; alarms al[01|01], al[02|00]; LPA and HPA markers]
Threats from insider intruders
[Diagrams of four attack scenarios on nodes ni, nj with cluster head CH, member M and intruder E: HELLO Flooding (HF), SINKHOLE (SH), intra-cluster WORMHOLE and inter-cluster WORMHOLE (WH); one link is labelled "low latency link"]
Examples of Anomaly Rules
AR1: If ni has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables are produced for a sequence of K observation steps, with K a predefined threshold
…
WPM-based Single Threats Models
[State diagrams for HELLO Flooding (HF), SINKHOLE (SH) and WORMHOLE (WH). Recoverable state labels: HF_* with HF_5 RESET and HF_6 SUCCESSFULLY H FLOODING; SH_* with SH_3 RESET and SH_4 SUCCESSFULLY SINKHOLE; WH_* with WH_5 RESET and WH_6 SUCCESSFULLY WORMHOLE]
Aggregated Threat Model (I)
[State diagram. Recoverable labels: states X_* with X_9 RESET and X_10 SUCCESSFULLY THREAT; alarms Al[sk]]
Security Analysis
[Plots of score vs. obs (1 to 31) for (HF), (WH) and (SH); legend ATM, STM. Observation sequences as extracted: (HF) 8886678555586775; (SH) 21221112112221; (WH) 312213342342244]
Security Analysis
[Two plots of score vs. obs (1 to 31), each beside a network diagram with intruder E; attack labels (WH), (SH)]
Aggregated Threat Model (II)
[State diagram. Recoverable labels: states X_* with X_9 RESET and X_10 SUCCESSFULLY THREAT; UPA state]
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE (32-bit processor PXA271 XScale, 312/416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is n·WML + 3n² bytes

n·WML   Number of 32-bit operations   Estimated computation time (MICA2 motes)   Estimated computation time (IMOTE motes)   Estimated memory usage (assuming n = 10)
50      30000                         100 ms                                     1 s                                        350 bytes
100     60000                         200 ms                                     2 s                                        400 bytes
1000    600000                        2 s                                        20 s                                       1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Diagram: Node (1,1) and Node (2,1), each with TinyOS, Agilla Middleware (Tuplespace, Neighbor List, Middleware Services) and Agents; arrows labelled migrate, clone and remote access; marked MA-AEE]
[source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech. Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Layered diagram. Labels: Underlying WSN Deployment, Sensor Node (×5), Secure Platform, SW component (×2), AGILLA MA-AEE, Local memory, AGILLA services, Tuple space, Agent-based Applications, Agent A1, Agent A2, Agent An]
IDS Functions Mapping
[Diagram. Labels: IRA (Intrusion Reaction Agent), Defense Strategy, Anomaly Detection Logic, Alarm Tracking, Countermeasure Application, Control messages, Threat Model, LCD, IDS Core comp, IDS MA comp]
IRA forward-propagation vs Threat Observables back-propagation
[Diagram: six nodes (1 to 6), each running AGILLA MA-AEE. Labels: IRA, IRA clone, Al[s], ok]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Layered diagram. Labels: Underlying WSN Deployment, Sensor Node (×5), Secure Platform, IDS core comp, Anomaly Detection Logic, Threat Model, TAKS, ARCHEA, NetManager, LCD, Tuple Space, AGILLA MA-AEE, AGILLA services, Monitoring Applications, IRA, Integrity Monitoring Agent, other agents]
Secure Platform internal Structure
[Diagram. Labels: Secure Platform, ADL, TM, IRL, IRLA, LCD, NetManager, Comms, Control Msgs, ok, Hp_xk, al[sk], cm[s], IRA, AGILLA MA-AEE, Tuple Space, Remote Tuple Space]
Next steps (near-term)
• Finalization of WINSOME components development
  – on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  – on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Diagram around the WINSOME Project. Labels: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
  – Sensor Node Density (SND): It is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  – Overlapping Detection Spot Percentage (ODSP): It is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  – Minimize SND·ODSP to minimize coverage redundancy for a given SND
  – Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

Fundamental Cell                  SND    ODSP   SND·ODSP   SND/ODSP
SNs at the centre of hexagon      0.33   0.34   0.11       0.97
SNs at the centre of square       0.33   0.72   0.24       0.46
SNs at the vertices of hexagon    0.36   2.34   0.84       0.15
SNs at the vertices of square     0.36   1.56   0.56       0.23
Underlying WSN: DCST Deployment
[DCST deployment topology diagram (nodes 1 to 25); only the node labels survive]
Underlying WSN: DCST Self-Organization
[DCST self-organization topology diagram (nodes 1 to 25); only the node labels survive]
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
57
TAK Authentication Theorem
In a node pair ni and nj if t σ(i) exists such that g(t ktj) = t bullktj = 0 then node nj is authenticated by node ni Viceversa if t σ(j) exists such that g(t kti) = t bullkti = 0 then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
bull LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical ldquoplannedrdquo neighbors for node ibull TAK authentication needs of
ndash TrKeyCompj vector ktj from node nj (the prover) ndash LocPldTopi vector t for node ni (the verifier) ndash If ktj ti = 0 then node nj is admissible ie included in the Planned Network Topology
bull The verification function g() is defined as the scalar product between t and kt this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
20
WPM-based IDSDriving Ideas amp Tools
IDS provides security against insider intrudersbull Incoming message Anomaly Rules Observablesbull Behavior is modelled using WPMbull WPM (Weak Process Model) vs HMM (Hidden Markov Model)
ndash Deterministic vs stochastic observable-state relationshipsndash ldquo0-1rdquo reachability rules for observable-state relationships
bull Classification of WPM states according to their topological position within the WPM machine (eg LPA HPA states) and according to the associated ldquothreat observablesrdquo (eg UPA states)
bull Threat Observables States Traces Scores Alarm Countermeasuresbull WPM (Weak Process Model) vs HMM (Hidden Markov Model)
ndash ldquopossible states tracesrdquo vs ldquothe most probable states tracerdquo (Viterbi)
ndash Possible states traces are equi-probablebull Alarm generation when at least a states trace contains at least an HPA
ndash Scores (weights) associated to state traces
Doctorate Dissertation LrsquoAquila March 31st 2009
21
WPM-based IDS Micro-functions
DefenceStrategy
AnomalyDetection
Logic
ThreatModel
AlarmTracking
Countermeasure Application
LocalConf Data
Controlmessages
Doctorate Dissertation LrsquoAquila March 31st 2009
22
WPM-based IDS Information Flow
[Block diagram. Blocks: Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Local Conf Data, Control messages. Flow labels: Signalling IE, xk, ok, Al[sk], cm(s).]
WPM-based Anomaly Detection Model
[Figure with panels: WPM Algebraic Canonical Form; WPM States Traces over observation steps k = 1 to k = 6 for the observable sequence o6 = 3 1 4 2 5 6; Score Matrix S and Score Computation with L = 1, H = 100, LPA and HPA states, and alarms al[01|01], al[02|00].]
Threats from insider intruders
[Four topology diagrams with nodes ni, nj, CH, M and E: HELLO Flooding (HF), SINKHOLE (SH), inter-cluster WORMHOLE and intra-cluster WORMHOLE (WH), the latter two using a low latency link.]
Examples of Anomaly Rules
AR1: If ni has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive), then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true, then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M), then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables are produced for a sequence of K observation steps, with K a predefined threshold
…
WPM-based Single Threats Models
[Three state-machine diagrams with numeric labels 1, 99, -1 and -100:
HELLO Flooding (HF): states HF_1 to HF_6 (HF_5 RESET, HF_6 SUCCESSFULLY H FLOODING); parenthesised labels (56), (65), (78), (87), (9).
SINKHOLE (SH): states SH_1 to SH_4 (SH_3 RESET, SH_4 SUCCESSFULLY SINKHOLE); parenthesised labels (12), (9).
WORMHOLE (WH): states WH_1 to WH_6 (WH_5 RESET, WH_6 SUCCESSFULLY WORMHOLE); parenthesised labels (12), (34), (9).]
Aggregated Threat Model (I)
[State-machine diagram: states X_1 to X_10 (X_9 RESET, X_10 SUCCESSFULLY THREAT); parenthesised labels (12), (34), (56), (65), (78), (87), (9); numeric labels 1, 99, -1, -100; alarm outputs Al[sk].]
Security Analysis
[Three plots of score versus observation step (obs 1 to 31) with legend ATM and STM, for the observable sequences 8886678555586775 (HF), 21221112112221 (SH) and 312213342342244 (WH). Score axis: 0 to 700 for (HF) and (WH), 0 to 400 for (SH).]
Security Analysis
[Two plots of score versus observation step (obs 1 to 31, score axis 0 to 500), each beside a topology diagram with numbered nodes and nodes marked E; attack labels (WH) and (SH).]
Aggregated Threat Model (II)
[State-machine diagram: states X_1 to X_10 (X_9 RESET, X_10 SUCCESSFULLY THREAT) with a UPA state marked; parenthesised labels (12), (34), (56), (65), (78), (87), (9); numeric labels 10, 990, 991, -10, -1000, -1001.]
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic-logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE (32-bit processor PXA271 XScale, 312/416 MHz): assuming 5 clock cycles per arithmetic-logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is n·WML + 3n² bytes

n·WML   Number of 32-bit operations   Estimated computation time (MICA2 motes)   Estimated computation time (IMOTE motes)   Estimated memory usage (assuming n = 10)
50      30000                         100 ms                                     1 s                                        350 bytes
100     60000                         200 ms                                     2 s                                        400 bytes
1000    600000                        2 s                                        20 s                                       1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Diagram of the MA-AEE on two nodes, Node (1,1) and Node (2,1), each with Agents on top of the Agilla Middleware (Tuplespace, Neighbor List, Middleware Services) on top of TinyOS; arrows labelled migrate, clone and remote access.]
[source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech. Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Layered architecture diagram. Layers: Underlying WSN Deployment (Sensor Nodes), Secure Platform, AGILLA MA-AEE, Agent-based Applications (Agent A1, Agent A2, Agent An). Other labels: SW component, Local memory, AGILLA services, Tuple space.]
IDS Functions Mapping
[Diagram mapping the IDS blocks (Defense Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Control messages, LCD) onto the IDS Core comp and the IDS MA comp; IRA = Intrusion Reaction Agent.]
IRA forward-propagation vs Threat Observables back-propagation
[Diagram of six nodes (1 to 6), each running AGILLA MA-AEE. Labels: IRA, IRA clone, Al[s], ok.]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Layered architecture diagram. Layers: Underlying WSN Deployment (Sensor Nodes), Secure Platform, AGILLA MA-AEE, Monitoring Applications. Other labels: IRA, Integrity Monitoring Agent, other agents, IDS core comp (Anomaly Detection Logic, Threat Model), TAKS, ARCHEA, NetManager, LCD, Tuple Space, AGILLA services.]
Secure Platform internal Structure
[Block diagram. Blocks: Secure Platform with ADL, TM, IRL, IRLA, LCD, NetManager and Comms; AGILLA MA-AEE with IRA, Tuple Space and Remote Tuple Space. Flow labels: ok, Hp_xk, al[sk], cm[s], Control Msgs.]
Next steps (near-term)
• Finalization of WINSOME components development
  – on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  – on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Diagram around the WINSOME Project. Labels: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies.]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
  – Sensor Node Density (SND): the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  – Overlapping Detection Spot Percentage (ODSP): the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  – Minimize SND·ODSP to minimize coverage redundancy for a given SND
  – Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

Fundamental Cell                  SND    ODSP   SND·ODSP   SND/ODSP
SNs at the centre of hexagon      0.33   0.34   0.11       0.97
SNs at the centre of square       0.33   0.72   0.24       0.46
SNs at the vertices of hexagon    0.36   2.34   0.84       0.15
SNs at the vertices of square     0.36   1.56   0.56       0.23
Underlying WSN: DCST Deployment
[Topology diagram of a network of 25 numbered nodes (1 to 25).]
Underlying WSN: DCST Self-Organization
[Five topology diagrams of the same 25-node network in successive self-organization steps.]
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

                               <CH>   <σ>    <h>
DCST-Deployment                0.36   0.33   0.80
DCST-SO   down 3               0.38   0.32   0.84
          down 3-4             0.39   0.31   0.87
          down 3-4-11          0.45   0.26   1.03
          down 3-4-11-8        0.48   0.25   1.17
          rearrange 12         0.48   0.25   1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any uU is a 3-tuple where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
  R1: Be a one-way function
  R2: must hold for where is an arbitrary commutative operator
  const)u(f)u(f)u(f)u(f Uuu
• Let V() be a 2-variable function satisfying the following requirements:
  R3: Be a one-way function
  R4: V(v, v') = 0 only for a particular sub-set of values v, v' V U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
TAKS Definitions (2/2): Local Configuration Data
a. Let A U M U. Elements in A are defined as follows: a, a' A if mM exists such that m(a × a') ≠ 0. A and M are secret
b. Let b B GF(q) not a generator) in B. B is secret
c. Let c C U. C is secret
d. Let the explicit expression for where mM satisfied Ass (a) and kGF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
   ()mkb()f
   uum2uum2umumumum bkbkkbkbkbkb
   for Uuu )q(GFk where (hereafter omitted) is the mod q product
e. Let kl, k'l KL U (private) and kt, k't KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t T U (restricted) be the LocPldTop such that for the generic kt KT is t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a), s' = mf(a')
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t σ(j) exists such that g(t, kti) = t • kti = 0, then node ni is authenticated by node nj (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to one of the logical "planned" neighbors of node i
• TAK authentication needs:
  – TrKeyCompj: vector ktj from node nj (the prover)
  – LocPldTopi: vector t for node ni (the verifier)
  – If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant with requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi X, with x0 (k = 0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = (i = 1, …, k-1) (xk A • Free_xi)
WPM-based Threat Model: Algebraic Canonical Form
xk+1 = A xk
ok = B xk
[Example model, with matrix entries as extracted: A = 0110000010010010100100000 (the i-th column gives the states reachable from the i-th state), B = 100010100000110110100010010001 (the i-th column gives the observables of the i-th state), x0 = 00001, xF = 10000.]
WPM-based Threat Model: Generation of Hypothetic States Traces
xk+1 = A xk
xk = B^T ok
[Worked example over six observation steps, alternating xk = B^T ok and xk+1 = A xk: o1 = 3 gives x1 = 4, x1 = 5; o2 = 1 gives x2 = 1, x2 = 5; o3 = 4 gives x3 = 2, x3 = 3; o4 = 2 gives x4 = 3; o5 = 5 gives x5 = 4; o6 = 6 gives x6 = 1, x6 = 5. Two traces at step 6 are labelled Tr1 (1245) and Tr2 (1351).]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined
  – Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  – High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
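The trace estimation and hazard levels defined above, as an added Python sketch (not code from the thesis or the WINSOME project): it keeps every states trace consistent with the observables, classifies states as LPA or HPA by hop distance to the final state, and raises an alarm when any trace contains an HPA state. The five-state model, the observable names and the restart on an unexplainable observable are assumptions made for the example; the Free-states bookkeeping and the WML window are left out.

```python
"""WPM-style trace estimation and alarm scoring (illustrative sketch)."""
from collections import deque

# Constructed threat model, NOT the matrices from the slides.
# REACH plays the role of the 0-1 matrix A, EMITS the role of the 0-1 matrix B.
REACH = {1: {2, 3}, 2: {4}, 3: {4}, 4: {5}, 5: set()}
EMITS = {1: {"o1"}, 2: {"o2"}, 3: {"o2", "o3"}, 4: {"o4"}, 5: {"o5"}}
FINAL = 5                    # state meaning "attack completed"
L_SCORE, H_SCORE = 1, 100    # L = 1, H = 100 as quoted on the slides


def hops_to_final():
    """Shortest hop count from every state to FINAL (backward BFS over REACH)."""
    hops = {FINAL: 0}
    frontier = deque([FINAL])
    while frontier:
        target = frontier.popleft()
        for state, successors in REACH.items():
            if target in successors and state not in hops:
                hops[state] = hops[target] + 1
                frontier.append(state)
    return hops


HOPS = hops_to_final()


def hazard(state):
    """HPA: 1 hop from the final state; LPA: 2 or more hops; otherwise NONE."""
    hops = HOPS.get(state)
    if hops == 1:
        return "HPA"
    if hops is not None and hops >= 2:
        return "LPA"
    return "NONE"


def hypothetic_states(observable):
    """States that can emit the observable (set form of Hp_xk = B^T ok)."""
    return {state for state, emitted in EMITS.items() if observable in emitted}


def trace_score(trace):
    """Sum L for each LPA state and H for each HPA state on the trace."""
    weights = {"LPA": L_SCORE, "HPA": H_SCORE, "NONE": 0}
    return sum(weights[hazard(state)] for state in trace)


def analyse(observations):
    """Return (surviving traces, observation steps at which an alarm is raised).

    Every trace consistent with the observables is kept; none is preferred.
    If no trace can explain a new observable, tracking restarts from the
    states compatible with that observable (assumption of this sketch).
    """
    traces, alarm_steps = [], []
    for step, observable in enumerate(observations, start=1):
        candidates = hypothetic_states(observable)
        extended = [trace + (state,)
                    for trace in traces
                    for state in sorted(REACH[trace[-1]] & candidates)]
        traces = extended or [(state,) for state in sorted(candidates)]
        if any(hazard(state) == "HPA" for trace in traces for state in trace):
            alarm_steps.append(step)
    return traces, alarm_steps


if __name__ == "__main__":
    # Constructed observable sequence: "o2" is ambiguous (states 2 and 3).
    final_traces, alarms = analyse(["o1", "o2", "o4"])
    for trace in final_traces:
        print(trace, "score", trace_score(trace))
    print("alarm raised at observation steps", alarms)
```

The ambiguous observable "o2" leaves two equi-probable traces alive until "o4" arrives, which is the behaviour the slides contrast with the single most probable trace of a Viterbi decoder.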
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
[Diagram: observation steps k (obs) with a window of length WML; Hypothetic Free States (Free_xk).]
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equations system should be solved for a, m, c, b, which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 – Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
ADL Component
[Block diagram. Blocks: ADL with AR and AG, TM, LCD, NetManager, Comms, Tuple Space, Remote Tuple Space. Labels: WML, ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs.]
AG sub-Component
[Block diagram. Blocks: AG with Trace Estimation and Score Computation, TM, Tuple Space. Labels: WML, Hp_xk, Free_xk, Free_xi<k, al[sk].]
TM Component
[Block diagram. Blocks: TM (A, B, x0, xF), AG, AR, ADL, Remote Tuple Space. Labels: ok, Hp_xk.]
NetManager Component
[Block diagram. Blocks: NetManager with TAKS and ARCHEA, AR, LCD, Comms, Tuple Space. Labels: TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen ok/ko.]
TAKS Component
[Block diagram. Blocks: TAKS with Network Topology Authentication, Key Generation and TGMP; LCD, TinySec (ReplaceKey, RevokeKey), Comms, ARCHEA, AR, Tuple Space. Labels: klj, ktj, σ(j), cm[s], TAKgen ok/ko, TGMP msgs, RELEASE_ind(niCH).]
ARCHEA Component
[Block diagram. Blocks: ARCHEA with Route Cost Computation and ARCHEA Manager; TAKS, AR, Comms. Labels: ARCHEA msgs, RELEASE_ind(niCH).]
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
21
WPM-based IDS Micro-functions
DefenceStrategy
AnomalyDetection
Logic
ThreatModel
AlarmTracking
Countermeasure Application
LocalConf Data
Controlmessages
Doctorate Dissertation LrsquoAquila March 31st 2009
22
WPM-based IDS Information Flow
DefenceStrategy
AnomalyDetection
Logic
ThreatModel
AlarmTracking
Countermeasure Application
LocalConf Data
Signalling IE
xkok
Al[sk]
cm(s)
Controlmessages
Doctorate Dissertation LrsquoAquila March 31st 2009
23
WPM-based Anomaly Detection Model
010010000000990000010009900100000
S
o6 = 3 1 4 2 5 6
al[01|01]
al[02|00]
1100
99
-100
-100
1100
-100
-100
99
-990
L = 1 H = 100
LPA
HPA
Score Matrix SScore Computation
WPM Algebraic Canonical Form
k=1 k=2 k=3 k=4 k=5 k=6
WPM States Traces
Doctorate Dissertation LrsquoAquila March 31st 2009
24
Threats from insider intruders
57CH
M
5 7
E
ni
nj
1
1CH
M
Eni
nj
1
1CH
M
33
Eni
nj
CH
M
1CH3
31
3
E
M
ni
nj nj
1E
ni1
3
low latencylink
HELLO Flooding SINKHOLE
inter-cluster WORMHOLEintra-cluster WORMHOLE
(HF) (SH)
(WH)
Doctorate Dissertation LrsquoAquila March 31st 2009
25
Examples of Anomaly RulesAR1 If nE has authenticated node nE node nE declares hE lt hi with hi ne 0 (in
other words node nE introduces itself as the new CH of ni but the current CH of ni is still alive) then ok = o1
AR2 If ni is CH and (rule AR1 or rule AR2) in nj is true then ok = o2This AR enables the ldquothreat observablesldquo back-propagation
AR3 If ni has authenticated node nE and node nE declares hE hi (in other words node nE introduces itself as a new cluster member M) then ok = o3This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables for a sequence of K observation steps with K a predefined threshold
hellip
Doctorate Dissertation LrsquoAquila March 31st 2009
26
WPM-based Single Threats Models
HELLO Flooding
SINKHOLE
WORMHOLE(HF)
(SH)
(WH)
(9)
HF_5RESET
HF_6SUCCESSFULLYH FLOODING
99
-1
-100
(56)
HF_11
(65)
HF_3
99
-1
-100
(78)
HF_21
(87)
HF_4
(9)
SH_3RESET
SH_4SUCCESSFULLY
SINKHOLE
99
-1
-100
(12)
SH_11
(12)
SH_2
(9)
WH_5RESET
WH_6SUCCESSFULLY
WORMHOLE
99
-1
-100
(12)
WH_11
(34)
WH_3
99
-1
-100
(34)
WH_21
(12)
WH_4
Doctorate Dissertation LrsquoAquila March 31st 2009
27
Al[sk]
Al[sk ]
Al[sk ]Aggregated Threat Model (I)
Al[sk](9)
X_9RESET
X_10SUCCESSFULLY
THREAT
99 99
-1
-100
(12)99
(87)
X_8
(34)
X_3
99
(56)
X_51
(78)
X_61
X_4
(34)
X_21
(65)
X_7
(12)
X_11
99
Doctorate Dissertation LrsquoAquila March 31st 2009
28
8886678555586775
(HF)
21221112112221
(SH)
312213342342244
(WH)
Security Analysis
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(HF)
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
0
100
200
300
400
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(SH)
ATMSTM
Doctorate Dissertation LrsquoAquila March 31st 2009
29
1
3
2
E
E
3 1
4
3
15 0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
Security Analysis
1
3 E
E
3 1
4
3
15
E
21
6
1
0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
(WH)
(WH)
(WH)
(SH)
(SH)
Doctorate Dissertation LrsquoAquila March 31st 2009
30
(9)
X_9RESET
X_10SUCCESSFULLY
THREAT
991 990
-10
-1000
(12)990
(87)
X_8
(34)
X_3
990
(56)
X_510
(78)
X_610
X_4
(34)
X_210
(65)
X_7
(12)
X_110
990
-1001
Aggregated Threat Model (II)
UPA state
Doctorate Dissertation LrsquoAquila March 31st 2009
31
Cost Analysisbull MICA2 8-bit processor ATMega128L 74 MHz) and assuming 20
clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 3 s
bull IMOTE 32-bit processor PXA271Xscale312 416 MHz) and assuming 5 clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
bull Memory usage is bytes2n3WMLn
nWML Number of 32-bit
operations
Estimated computation
time (assuming
MICA2 motes)
Estimated computation
time (assuming
IMOTE motes)
Estimated memory usage
(assuming 10n )
50 30000 100 ms 1 s 350 bytes 100 60000 200 ms 2 s 400 bytes
1000 600000 2 s 20 s 1300 bytes
Doctorate Dissertation LrsquoAquila March 31st 2009
32
AGILLA MA-AEEbull AGILLA is a mobile agent-based MW running on TinyOSbull Inter-agent communication via Tuple Space (rarr threat obs aggregation) bull Agents migrates via MOVE or CLONE (rarr agent propagation across DCST)bull STRONG or WEAK agent migrationbull Neighbor List (rarr admissible neighbors according to PNT graph)
TinyOS
Node (11)
Tuplespace
Agilla Middleware
Agents
TinyOS
Node (21)
Tuplespace
Agilla Middleware
Agentsmigrate
remote accessNeighbor
ListNeighbor
ListMiddleware Services Middleware Services
migrate
clone
MA-
AEE
[source Fok C-L et al ldquoAgilla A Mobile Agent Middleware for Sensor Networksrdquo Tech Report WUCSE-2006-16 2006]
Doctorate Dissertation LrsquoAquila March 31st 2009
33
Enhanced AGILLA MA-AEE
Underlying WSN Deployment
Secure Platform
AGILLA MA-AEE
Agent-based Applications
SWcomponent
SWcomponent
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Agent A1 AgentA2 AgentAn
Localmemory
AGILLAservices
Tuple space
Doctorate Dissertation LrsquoAquila March 31st 2009
34
IDS Functions Mapping
IRA
DefenseStrategy
AnomalyDetection
Logic
AlarmTracking
Countermeasure Application
Controlmessages
ThreatModel
LCD
IDSCore comp IRA
IDSMA comp
Intrusion Reaction Agent
Doctorate Dissertation LrsquoAquila March 31st 2009
35
IRA forward-propagation vs
Threat Observables back-propagation
IRA
Al[s] ok
IRAclone
1AGILLA MA-AEE
4AGILLA MA-AEE
5AGILLA MA-AEE
Al[s] ok
Al[s] ok Al[s] okAl[s] ok
3AGILLA MA-AEE
6AGILLA MA-AEE
2AGILLA MA-AEE
IRAclone
This mechanism avoids the injections of new IRA instances from the sink
Doctorate Dissertation LrsquoAquila March 31st 2009
36
WINSOME PBD (II)
Underlying WSN Deployment
AGILLA MA-AEE
IRAMonitoring Applications
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Integrity Monitoring
Agent
otheragents
AnomalyDetection
LogicThreatModel TAKS ARCHEA
Secure Platform
NetManagerLCDTuple Space
AGILLAservices
IDS core comp
Doctorate Dissertation LrsquoAquila March 31st 2009
37
Secure Platform internal Structure
AGILLA MA-AEEcm[s]
ok
al[sk]
al[sk]
Comms
NetManager
al[sk]
cm[s]
ok
Secure Platform
Control Msgs
Tuple Space
IRA
AGILLA MA-AEE
Remote Tuple Space
IRA
TMok
Hp_xk
ok
ADL
IRLIRLA
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
38
Next steps (near-term)bull Finalization of WINSOME components development
ndash on-going implementations of AGILLA enhancements bull 2 theses finalized 1 thesis in on-going
bull Extensions of WPM-based IDS to data messages ndash on-going jointly with UC Berkeley
bull Enhancements of WPM technique to reduce false positivesbull Extension of TAKS to cluster keys
Doctorate Dissertation LrsquoAquila March 31st 2009
39
Next steps (mid-term)
Anomaly Detectionapplied to sensed
data
Agent basedSW design
Further WPM-based
Threat Modeling
DetectionProcess
Threat Identification Mechanisms
Applications to Hybrid Systems
Control
MonitoringTheory
MWService SupportEnhancement
CooperativeCommunication
s
WINSOME Project
DefenceStrategies
Doctorate Dissertation LrsquoAquila March 31st 2009
40
Scientific Contributions[1]M Pugliese and F Santucci ldquoPair-wise Network Topology Authenticated
Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebrardquo in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08) Atlanta 2008
[2]M Pugliese A Giani and F Santucci ldquoA Weak Process Approach to Anomaly Detection in Wireless Sensor Networksrdquo in 1st International Workshop on Sensor Networks (SN08) Virgin Islands 2008
Doctorate Dissertation LrsquoAquila March 31st 2009
41
In preparationbull M Pugliese A Giani and F Santucci ldquoWeak Process Models for
Attack Detection in a Clustered Sensor Network using Mobile Agentsrdquo submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
bull M Pugliese and F Santucci ldquoA Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
bull M Pugliese L Pomante and F Santucci ldquoAgent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
Doctorate Dissertation LrsquoAquila March 31st 2009
42
AcronymsADL Anomaly Detection LogicAR Anomaly RulesAGILLA AGile bombILLAARCHEA Available Resource Cluster-Head Election AlgorithmDCST Dynamic Clustered Spanning TreeDLP Discrete Logarithm ProblemGF Galois FieldHMM Hidden Markov ModelHPA High Potential AttackIDS Intrusion Detection SystemIRA Intrusion Reaction AgentIRL Intrusion Reaction LogicLCD Local Configuration DataLPA Low Potential AttackTAKS Topology Authenticated Key SchemeTGMP TAK Generation Management ProtocolWINSOME WIreless sensor Network-based Secure system fOr
structural integrity Monitoring and alErtingWML WPM Memory LengthWPM Weak Process ModelWSN Wireless Sensor Network
Doctorate Dissertation LrsquoAquila March 31st 2009
43
Grazie per lrsquoAttenzione
Doctorate Dissertation LrsquoAquila March 31st 2009
44
BACKUP SLIDES
Doctorate Dissertation LrsquoAquila March 31st 2009
45
Underlying WSNPhysical WSN Deployment
bull Metricsndash Sensor Node Density (SND) It is defined as the ratio between
the number of sensor nodes and the aggregated coverage (supposing circular areas r = 1) generated by each sensor node
ndash Overlapping Detection Spot Percentage (ODSP) It is defined as the percentage of the aggregated overlapped coverage generated by all SND respect to the coverage area generated by a generic sensor node
bull Coverage-cost criteriandash Minimize SNDODSP to mimimize coverage redundancy for a
given SND ndash Minimize SNDODSP to maximize coverage reliability for a given
SND
Doctorate Dissertation LrsquoAquila March 31st 2009
46
Underlying WSNCoverage-cost Quality Indicators
bull The minimum for the product SNDODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
bull The minimum for the ratio SNDODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell SND ODSP SNDODSP SND ODSP SNs at the centre of hexagon 033 034 011 097 SNs at the centre of square 033 072 024 046 SNs at the vertices of hexagon 036 234 084 015 SNs at the vertices of square 036 156 056 023
Doctorate Dissertation LrsquoAquila March 31st 2009
47
18
23
5
11
4
17
8
1
20
15
9
21
24
19
25
16 6 13 10 22
12 3 2 7 14
Underlying WSNDCST Deployment
Doctorate Dissertation LrsquoAquila March 31st 2009
48
11
4
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical “planned” neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant “planned” node, applied to the deployed nodes in the network
Case | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO, down 3 | 0.38 | 0.32 | 0.84
DCST-SO, down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO, down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO, down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO, rearrange 12 | 0.48 | 0.25 | 1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2k be an extended Galois Field, where p is a prime and k is an integer, for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any uU is a 3-ple where ux uy uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
R1: Be a one-way function
R2: must hold for
const)u(f)u(f)u(f)u(f Uuu
where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
R3: Be a one-way function
R4: V(v, v') = 0 only for a particular sub-set of values v v' V U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
TAKS Definitions (2/2): Local Configuration Data
a. Let A U M U. Elements in A are defined as follows: a a' A if mM exists such that m(a × a') ≠ 0. A and M are secret
b. Let b B GF(q) not a generator) in B. B is secret
c. Let c C U. C is secret
d. Let the explicit expression for where mM satisfied Ass (a) and kGF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e. Let kl k'l KL U (private) and kt k't KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t T U (restricted) be the LocPldTop such that for the generic kt KT is t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical “planned” neighbor for node i
• TAK authentication needs:
- TrKeyCompj: vector ktj from node nj (the prover)
- LocPldTopi: vector t for node ni (the verifier)
- If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1 x2 … xn); X is n × 1
• Individual state x at step k is defined by xk = x1 x2 … xk, xi X, with x0 (k=0) the initial state
• Observables set is O = (o1 o2 … oq); O is q × 1
• Individual observable at step k is defined by ok = o1 o2 … ok with oi O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi)
k-1
WPM-based Threat Model: Algebraic Canonical Form
xk+1 = A xk
ok = B xk
A = 0110000010010010100100000 (i-th column gives the states reachable from the i-th state)
B = 100010100000110110100010010001 (i-th column gives the observables of the i-th state)
x0 = 00001
xF = 10000
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: hypothetic states traces built from the observable sequence o1 = 3, o2 = 1, o3 = 4, o4 = 2, o5 = 5, o6 = 6, using xk = B^T ok and xk+1 = A xk at each step.]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
- Low Potential Attack (LPA): An attack is considered “low potentially dangerous” (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
- High Potential Attack (HPA): An attack is considered “high potentially dangerous” (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
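The hazard levels and the alarm rule can be exercised on a small model. This is an added example, not code from the dissertation or the WINSOME project: the 5-state matrices A and B are constructed, "hops to the final state" is taken as shortest-path distance, and the trace filter (Hp_xk intersected with the successors of the previous candidates) is a simplification assumed here, not the slides' Trk formula.

```python
from collections import deque

# Constructed 5-state attack model (NOT the dissertation's matrices).
# Column convention of x_{k+1} = A x_k: A[j][i] == 1 means state i can move to j.
# Edges: 0->1, 0->2, 1->3, 2->3, 3->4; state 0 is initial, state 4 is final.
A = [
    [0, 0, 0, 0, 0],
    [1, 0, 0, 0, 0],
    [1, 0, 0, 0, 0],
    [0, 1, 1, 0, 0],
    [0, 0, 0, 1, 0],
]
# B[j][i] == 1 means state i can emit observable j (q = 4 observables).
B = [
    [1, 0, 0, 0, 0],  # o0: state 0
    [0, 1, 1, 0, 0],  # o1: state 1 or 2
    [0, 0, 1, 1, 0],  # o2: state 2 or 3 (ambiguous between LPA and HPA)
    [0, 0, 0, 1, 1],  # o3: state 3 or 4
]
X0, XF = 0, 4
L_SCORE, H_SCORE = 1, 100  # example values L = 1, H = 100


def hops_to_final(A, final):
    """Shortest hop count from every state to the final state (reverse BFS)."""
    dist = {final: 0}
    queue = deque([final])
    while queue:
        j = queue.popleft()
        for i, edge in enumerate(A[j]):  # row j lists the predecessors of j
            if edge and i not in dist:
                dist[i] = dist[j] + 1
                queue.append(i)
    return dist


def hazard_levels(A, final):
    """'HPA' at 1 hop from the final state, 'LPA' at 2 or more, else None."""
    dist = hops_to_final(A, final)
    levels = []
    for i in range(len(A)):
        d = dist.get(i)
        if d == 1:
            levels.append("HPA")
        elif d is not None and d >= 2:
            levels.append("LPA")
        else:
            levels.append(None)  # final state or cannot reach it: score 0
    return levels


def hypothetic_states(B, o):
    """Hp_xk = B^T o_k for a one-hot observable o: the states that can emit it."""
    return {i for i, bit in enumerate(B[o]) if bit}


def successors(A, states):
    """States reachable in one step from any state in `states`."""
    return {j for j in range(len(A)) for i in states if A[j][i]}


def track(A, B, x0, final, observations):
    """Per step: (k, candidate states, score, alarm). Alarm only on an HPA candidate."""
    levels = hazard_levels(A, final)
    score = {"LPA": L_SCORE, "HPA": H_SCORE, None: 0}
    candidates = {x0}
    report = []
    for k, o in enumerate(observations, start=1):
        hp = hypothetic_states(B, o)
        consistent = hp & successors(A, candidates)
        # Assumption: if no hypothesis fits the trace, restart from Hp_xk.
        candidates = consistent or hp
        s = max((score[levels[i]] for i in candidates), default=0)
        report.append((k, sorted(candidates), s, s == H_SCORE))
    return report


def naive_alarms(B, levels, observations):
    """Alarm on Hp_xk alone, ignoring the trace (for comparison)."""
    return [any(levels[i] == "HPA" for i in hypothetic_states(B, o))
            for o in observations]


if __name__ == "__main__":
    for row in track(A, B, X0, XF, [2, 2, 3]):
        print(row)
    print(naive_alarms(B, hazard_levels(A, XF), [2, 2, 3]))
```

On the constructed sequence the trace filter holds the alarm back until the second observation, while the Hp_xk-only check alarms on the first, ambiguous one.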
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic system of equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3+3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
[Figure: ADL Component. Block diagram with AR, AG, TM, WML, LCD, NetManager, Comms, Tuple Space and Remote Tuple Space; signals ok, Hp_xk, al[sk]; TGMP msgs and ARCHEA msgs.]
[Figure: AG sub-Component. Block diagram with Trace Estimation, Score Computation, WML, TM and Tuple Space; signals Hp_xk, Free_xi<k, Free_xk, al[sk].]
[Figure: TM Component. Block diagram with TM (A, B, x0, xF), AG, AR, ADL and Remote Tuple Space; signals ok, Hp_xk.]
[Figure: NetManager Component. Block diagram with NetManager, LCD, Comms, Tuple Space, TAKS, ARCHEA and AR; TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen okko.]
[Figure: TAKS Component. Block diagram with Network Topology Authentication, Key Generation, LCD, Tuple Space, ARCHEA, AR, TGMP, TinySec (ReplaceKey, RevokeKey) and Comms; signals klj, ktj, σ(j), cm[s], TAKgen okko, TGMP msgs, RELEASE_ind(niCH).]
[Figure: ARCHEA Component. Block diagram with Route Cost Computation, ARCHEA Manager, TAKS, AR and Comms; ARCHEA msgs, RELEASE_ind(niCH).]
[Figure: TAK Gen Management Prot (TGMP). Sequence diagram between nodes ni and nj with LCDi and LCDj. Elements shown: SETUP(kti), SETUP(ktj); checks ti · kti = 0 and tj · ktj = 0; TAKi = f(kli, ktj), TAKj = f(klj, kti); TAK-ciphered link; RELEASE(kti ktj); RELEASE_ind(niCH), ARCHEA; TinySecRevokeKey(TAK), TinySecReplaceKey(TAK).]
[Figure: ARCHEA Protocol. Sequence diagram between nodes ni, nj and nl with LCDi and LCDj. Elements shown: (1) EVALUATE_RC(hi σi); ni=CH = minRCi; UDPATE_H(hj), UDPATE_H(hl), RESET_H; hj = hl+1; (2) RELEASE_ind(niCH), TAKS; σi=AN[σ(ni)]; TAK-ciphered link.]
[Figure: WPM-based IDS Information Flow. Blocks: Defence Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, Local Conf Data; signals xk, ok, Al[sk], cm(s), Signalling IE, Control messages.]
[Figure: WPM-based Anomaly Detection Model. Panels: WPM Algebraic Canonical Form, WPM States Traces (k=1 to k=6, observables o1 … o6 = 3 1 4 2 5 6), Score Matrix S, Score Computation with L = 1, H = 100, LPA and HPA states, alarms al[01|01] and al[02|00].]
[Figure: Threats from insider intruders. Cluster diagrams with cluster heads CH, members M, intruder E and nodes ni, nj for HELLO Flooding (HF), SINKHOLE (SH), and inter-cluster and intra-cluster WORMHOLE (WH) with a low latency link.]
Examples of Anomaly Rules
AR1: If nE has authenticated node nE and node nE declares hE < hi with hi ≠ 0 (in other words, node nE introduces itself as the new CH of ni but the current CH of ni is still alive) then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true then ok = o2. This AR enables the “threat observables” back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words, node nE introduces itself as a new cluster member M) then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if there are no observables for a sequence of K observation steps, with K a predefined threshold
…
[Figure: WPM-based Single Threats Models. State diagrams for HELLO Flooding (HF), SINKHOLE (SH) and WORMHOLE (WH), with states HF_*, SH_* and WH_* including RESET states and final states SUCCESSFULLY H FLOODING, SUCCESSFULLY SINKHOLE and SUCCESSFULLY WORMHOLE; transitions labelled with observables and scores.]
[Figure: Aggregated Threat Model (I). State diagram with states X_1 to X_10, including X_9 RESET and X_10 SUCCESSFULLY THREAT; transitions labelled with observables and scores; alarms Al[sk].]
[Figure: Security Analysis. Plots of score versus observation step (obs 1 to 31) for HF, WH and SH, comparing ATM and STM. Observable sequences shown: (HF) 8886678555586775, (SH) 21221112112221, (WH) 312213342342244.]
[Figure: Security Analysis. Two network scenarios with intruder nodes E, each with a plot of score versus observation step (obs 1 to 31); attack labels (WH) and (SH).]
[Figure: Aggregated Threat Model (II). State diagram with states X_1 to X_10, including X_9 RESET and X_10 SUCCESSFULLY THREAT, and a UPA state; transitions labelled with observables and scores.]
Cost Analysis
• MICA2: 8-bit processor (ATMega128L, 7.4 MHz); assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor (PXA271 XScale, 312 416 MHz); assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is n·WML + 3n^2 bytes
n·WML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: MA-AEE. Two nodes, Node (11) and Node (21), each running TinyOS and the Agilla Middleware (Tuplespace, Neighbor List, Middleware Services) with Agents on top; agents migrate and clone between the nodes, with remote access.]
[source: Fok C-L et al., “Agilla: A Mobile Agent Middleware for Sensor Networks”, Tech Report WUCSE-2006-16, 2006]
[Figure: Enhanced AGILLA MA-AEE. Layered diagram: Underlying WSN Deployment (Sensor Nodes), Secure Platform (SW components), AGILLA MA-AEE (AGILLA services, Tuple space, Local memory), Agent-based Applications (Agent A1, Agent A2, … Agent An).]
[Figure: IDS Functions Mapping. Defense Strategy, Anomaly Detection Logic, Threat Model, Alarm Tracking, Countermeasure Application, LCD and Control messages mapped onto the IDS Core comp and the IDS MA comp, the Intrusion Reaction Agent (IRA).]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running AGILLA MA-AEE; IRA clones propagate forward between nodes while Al[s] and ok propagate back.]
This mechanism avoids the injections of new IRA instances from the sink
[Figure: WINSOME PBD (II). Layered diagram: Underlying WSN Deployment (Sensor Nodes); Secure Platform (IDS core comp: Anomaly Detection Logic, Threat Model; TAKS, ARCHEA, NetManager, LCD, Tuple Space); AGILLA MA-AEE (AGILLA services); Monitoring Applications (IRA, Integrity Monitoring Agent, other agents).]
[Figure: Secure Platform internal Structure. Blocks: AGILLA MA-AEE with IRA, Tuple Space and Remote Tuple Space; Secure Platform with ADL, TM, IRL, IRLA, LCD, NetManager and Comms; signals ok, Hp_xk, al[sk], cm[s], Control Msgs.]
Next steps (near-term)
• Finalization of WINSOME components development
- on-going implementations of AGILLA enhancements
• 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
- on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: WINSOME Project at the centre of the mid-term topics: Anomaly Detection applied to sensed data, Agent based SW design, Further WPM-based Threat Modeling, Detection Process, Threat Identification Mechanisms, Applications to Hybrid Systems, Control, Monitoring Theory, MW Service Support Enhancement, Cooperative Communications, Defence Strategies.]
Scientific Contributions
[1] M. Pugliese and F. Santucci, “Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra”, in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, “A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks”, in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, “Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents”, submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, “A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN”
• M. Pugliese, L. Pomante and F. Santucci, “Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN”
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
- Sensor Node Density (SND): It is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
- Overlapping Detection Spot Percentage (ODSP): It is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
- Minimize SND × ODSP to minimize coverage redundancy for a given SND
- Minimize SND/ODSP to maximize coverage reliability for a given SND
Doctorate Dissertation LrsquoAquila March 31st 2009
46
Underlying WSNCoverage-cost Quality Indicators
bull The minimum for the product SNDODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
bull The minimum for the ratio SNDODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell SND ODSP SNDODSP SND ODSP SNs at the centre of hexagon 033 034 011 097 SNs at the centre of square 033 072 024 046 SNs at the vertices of hexagon 036 234 084 015 SNs at the vertices of square 036 156 056 023
Doctorate Dissertation LrsquoAquila March 31st 2009
47
18
23
5
11
4
17
8
1
20
15
9
21
24
19
25
16 6 13 10 22
12 3 2 7 14
Underlying WSNDCST Deployment
Doctorate Dissertation LrsquoAquila March 31st 2009
48
11
4
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
57
TAK Authentication Theorem
In a node pair ni and nj if t σ(i) exists such that g(t ktj) = t bullktj = 0 then node nj is authenticated by node ni Viceversa if t σ(j) exists such that g(t kti) = t bullkti = 0 then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
bull LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical ldquoplannedrdquo neighbors for node ibull TAK authentication needs of
ndash TrKeyCompj vector ktj from node nj (the prover) ndash LocPldTopi vector t for node ni (the verifier) ndash If ktj ti = 0 then node nj is admissible ie included in the Planned Network Topology
bull The verification function g() is defined as the scalar product between t and kt this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
23
WPM-based Anomaly Detection Model
010010000000990000010009900100000
S
o6 = 3 1 4 2 5 6
al[01|01]
al[02|00]
1100
99
-100
-100
1100
-100
-100
99
-990
L = 1 H = 100
LPA
HPA
Score Matrix SScore Computation
WPM Algebraic Canonical Form
k=1 k=2 k=3 k=4 k=5 k=6
WPM States Traces
Doctorate Dissertation LrsquoAquila March 31st 2009
24
Threats from insider intruders
57CH
M
5 7
E
ni
nj
1
1CH
M
Eni
nj
1
1CH
M
33
Eni
nj
CH
M
1CH3
31
3
E
M
ni
nj nj
1E
ni1
3
low latencylink
HELLO Flooding SINKHOLE
inter-cluster WORMHOLEintra-cluster WORMHOLE
(HF) (SH)
(WH)
Doctorate Dissertation LrsquoAquila March 31st 2009
25
Examples of Anomaly RulesAR1 If nE has authenticated node nE node nE declares hE lt hi with hi ne 0 (in
other words node nE introduces itself as the new CH of ni but the current CH of ni is still alive) then ok = o1
AR2 If ni is CH and (rule AR1 or rule AR2) in nj is true then ok = o2This AR enables the ldquothreat observablesldquo back-propagation
AR3 If ni has authenticated node nE and node nE declares hE hi (in other words node nE introduces itself as a new cluster member M) then ok = o3This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables for a sequence of K observation steps with K a predefined threshold
hellip
Doctorate Dissertation LrsquoAquila March 31st 2009
26
WPM-based Single Threats Models
HELLO Flooding
SINKHOLE
WORMHOLE(HF)
(SH)
(WH)
(9)
HF_5RESET
HF_6SUCCESSFULLYH FLOODING
99
-1
-100
(56)
HF_11
(65)
HF_3
99
-1
-100
(78)
HF_21
(87)
HF_4
(9)
SH_3RESET
SH_4SUCCESSFULLY
SINKHOLE
99
-1
-100
(12)
SH_11
(12)
SH_2
(9)
WH_5RESET
WH_6SUCCESSFULLY
WORMHOLE
99
-1
-100
(12)
WH_11
(34)
WH_3
99
-1
-100
(34)
WH_21
(12)
WH_4
Doctorate Dissertation LrsquoAquila March 31st 2009
27
Al[sk]
Al[sk ]
Al[sk ]Aggregated Threat Model (I)
Al[sk](9)
X_9RESET
X_10SUCCESSFULLY
THREAT
99 99
-1
-100
(12)99
(87)
X_8
(34)
X_3
99
(56)
X_51
(78)
X_61
X_4
(34)
X_21
(65)
X_7
(12)
X_11
99
Security Analysis
8886678555586775 (HF)
21221112112221 (SH)
312213342342244 (WH)
[Figure: three plots of score versus obs, panels (HF), (WH) and (SH); legend ATM, STM]
Security Analysis
[Figure: two network sketches with intruder node E, each with a plot of score versus obs; panel labels (WH) and (SH)]
Aggregated Threat Model (II)
[Figure: aggregated threat model state diagram with states X_1 to X_10, including X_9 RESET and X_10 SUCCESSFULLY THREAT, and a UPA state]
Cost Analysis
• MICA2: 8-bit processor (ATMega128L, 7.4 MHz); assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor (PXA271 XScale 312 416 MHz); assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is (n·WML + 3n²) bytes

n·WML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two TinyOS nodes, each with Agents, Agilla Middleware, Tuplespace, Neighbor List and Middleware Services; arrows labelled migrate, clone and remote access; MA-AEE]
[source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech. Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Figure: layered architecture with Underlying WSN Deployment, Secure Platform, AGILLA MA-AEE and Agent-based Applications; labels: Sensor Node, SW component, Agent A1, Agent A2, Agent An, Local memory, AGILLA services, Tuple space]
IDS Functions Mapping
[Figure: mapping of IDS functions onto the IDS Core component and the IDS MA component; labels: Threat Model, Anomaly Detection Logic, Alarm Tracking, Defense Strategy, Countermeasure Application, Control messages, LCD, IRA (Intrusion Reaction Agent)]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running AGILLA MA-AEE; IRA clone arrows between nodes; Al[s] and ok exchanged between nodes]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Figure: layered architecture with Underlying WSN Deployment (Sensor Nodes), Secure Platform, AGILLA MA-AEE and Monitoring Applications; labels: IRA, Integrity Monitoring Agent, other agents, Anomaly Detection Logic, Threat Model, TAKS, ARCHEA, NetManager, LCD, Tuple Space, AGILLA services, IDS core comp]
Secure Platform internal Structure
[Figure: block diagram of the Secure Platform and AGILLA MA-AEE; labels: Comms, NetManager, Control Msgs, Tuple Space, Remote Tuple Space, IRA, TM, ADL, IRL, IRLA, LCD; signals cm[s], ok, al[sk], Hp_xk]
Next steps (near-term)
• Finalization of WINSOME components development
  - on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  - on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: diagram around the WINSOME Project; labels: Anomaly Detection applied to sensed data, Agent based SW design, Further WPM-based Threat Modeling, Detection Process, Threat Identification Mechanisms, Applications to Hybrid Systems, Control, Monitoring Theory, MW Service Support Enhancement, Cooperative Communications, Defence Strategies]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
  - Sensor Node Density (SND): defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  - Overlapping Detection Spot Percentage (ODSP): defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  - Minimize SND·ODSP to minimize coverage redundancy for a given SND
  - Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
Underlying WSN: DCST Deployment
[Figure: DCST deployment over 25 numbered sensor nodes]
Underlying WSN: DCST Self-Organization
[Figure, five slides: successive DCST self-organization steps over the 25 numbered sensor nodes]
Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

Configuration | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO: down 3 | 0.38 | 0.32 | 0.84
DCST-SO: down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO: down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO: down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO: rearrange 12 | 0.48 | 0.25 | 1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2k be an extended Galois Field, where p is a prime and k is an integer for which q ≫ N, where N is the total number of nodes in the network, and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any uU is a 3-tuple where ux uy uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
  R1: Be a one-way function
  R2: must hold for
  where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: Be a one-way function
  R4: V(v, v') = 0 only for a particular sub-set of values v, v' V U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
const)u(f)u(f)u(f)u(f Uuu
TAKS Definitions (2/2): Local Configuration Data
a. Let A U M U. Elements in A are defined as follows: a, a' A if mM exists such that m(a × a') ≠ 0. A and M are secret
b. Let b B GF(q) not a generator) in B. B is secret
c. Let c C U. C is secret
d. Let the explicit expression for where mM satisfied Ass (a) and kGF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
   for where (hereafter omitted) is the mod q product
e. Let kl, k'l KL U (private) and kt, k't KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t T U (restricted) be the LocPldTop such that for the generic kt KT is t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs:
  - TrKeyCompj: vector ktj from node nj (the prover)
  - LocPldTopi: vector t for node ni (the verifier)
  - If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1 x2 … xn); X is n × 1
• Individual state x at step k is defined by xk = x1 x2 … xk, xi X, with x0 (k=0) the initial state
• Observables set is O = (o1 o2 … oq); O is q × 1
• Individual observable at step k is defined by ok = o1 o2 … ok, with oi O
• State Transition Distribution Matrix A (n × n): aij=1 if p(xk+1=xj|xk=xi)=1, aij=0 otherwise
• Emission Distribution Matrix B (q × n): bij=1 if p(ok=oj|xk=xi)=1, bij=0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = BT ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = [i=1 … k-1] (xk A • Free_xi)
WPM-based Threat Model: Algebraic Canonical Form
xk+1 = A xk
ok = B xk
A = 0110000010010010100100000 (i-th column gives the states reachable from the i-th state)
B = 100010100000110110100010010001 (i-th column gives the observables of the i-th state)
x0 = 00001
xF = 10000
WPM-based Threat Model: Generation of Hypothetic States Traces
xk+1 = A xk
xk = BT ok
[Figure: hypothetic states over six observation steps, with propagation x2 = A x1, x3 = A x2, x4 = A x3, x5 = A x4, x6 = A x5]
o1 = 3: x1 = 4, x1 = 5 (x1 = BT o1)
o2 = 1: x2 = 1, x2 = 5 (x2 = BT o2)
o3 = 4: x3 = 2, x3 = 3 (x3 = BT o3)
o4 = 2: x4 = 3 (x4 = BT o4)
o5 = 5: x5 = 4 (x5 = BT o5)
o6 = 6: x6 = 1, x6 = 5 (x6 = BT o6)
Traces at step 6: Tr1 = 1245, Tr2 = 1351
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
  - Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  - High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem, DLP)
• In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following system of non-algebraic equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that even capturing all N nodes in the network, the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N ≪ q
• Thus the scheme is N-secure
ADL Component
[Figure: block diagram; labels: ADL, AR, TM, AG, WML, LCD, Tuple Space, Remote Tuple Space, NetManager, Comms; signals ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs]
AG sub-Component
[Figure: block diagram; labels: AG, Trace Estimation, Score Computation, TM, WML, Tuple Space; signals Hp_xk, Free_xk, Free_xi<k, al[sk]]
TM Component
[Figure: block diagram; labels: TM (A, B, x0, xF), AG, AR, ADL, Remote Tuple Space; signals ok, Hp_xk]
NetManager Component
[Figure: block diagram; labels: NetManager, TAKS, ARCHEA, AR, LCD, Comms, Tuple Space; signals TGMP msgs, ARCHEA msgs, RELEASE_ind(ni, CH), cm[s], TAKgen ok/ko]
TAKS Component
[Figure: block diagram; labels: TAKS, Network Topology Authentication, Key Generation, TGMP, ARCHEA, AR, LCD, Comms, Tuple Space, TinySec ReplaceKey and RevokeKey; signals klj, ktj, σ(j), cm[s], TGMP msgs, RELEASE_ind(ni, CH), TAKgen ok/ko]
ARCHEA Component
[Figure: block diagram; labels: ARCHEA, ARCHEA Manager, Route Cost Computation, TAKS, AR, Comms; signals ARCHEA msgs, RELEASE_ind(ni, CH)]
TAK Gen Management Prot (TGMP)
[Figure: message sequence between ni (LCDi) and nj (LCDj); labels: (1) SETUP(kti), SETUP(ktj), checks ti·kti = 0 and tj·ktj = 0, TAKi = f(kli, ktj), TAKj = f(klj, kti); (2) RELEASE(kti, ktj), RELEASE_ind(ni, CH) to ARCHEA, TAK-ciphered link; TinySec ReplaceKey(TAK) and TinySec RevokeKey(TAK)]
ARCHEA Protocol
[Figure: message sequence between ni (LCDi), nj (LCDj) and nl; labels: (1) EVALUATE_RC(hi, σi), ni = CH = minRCi, UDPATE_H(hj), UDPATE_H(hl), RESET_H, hj = hl+1; (2) RELEASE_ind(ni, CH) from TAKS, TAK-ciphered link, σi = AN[σ(ni)], hi, hj]
Doctorate Dissertation LrsquoAquila March 31st 2009
24
Threats from insider intruders
57CH
M
5 7
E
ni
nj
1
1CH
M
Eni
nj
1
1CH
M
33
Eni
nj
CH
M
1CH3
31
3
E
M
ni
nj nj
1E
ni1
3
low latencylink
HELLO Flooding SINKHOLE
inter-cluster WORMHOLEintra-cluster WORMHOLE
(HF) (SH)
(WH)
Doctorate Dissertation LrsquoAquila March 31st 2009
25
Examples of Anomaly RulesAR1 If nE has authenticated node nE node nE declares hE lt hi with hi ne 0 (in
other words node nE introduces itself as the new CH of ni but the current CH of ni is still alive) then ok = o1
AR2 If ni is CH and (rule AR1 or rule AR2) in nj is true then ok = o2This AR enables the ldquothreat observablesldquo back-propagation
AR3 If ni has authenticated node nE and node nE declares hE hi (in other words node nE introduces itself as a new cluster member M) then ok = o3This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if no observables for a sequence of K observation steps with K a predefined threshold
hellip
Doctorate Dissertation LrsquoAquila March 31st 2009
26
WPM-based Single Threats Models
HELLO Flooding
SINKHOLE
WORMHOLE(HF)
(SH)
(WH)
(9)
HF_5RESET
HF_6SUCCESSFULLYH FLOODING
99
-1
-100
(56)
HF_11
(65)
HF_3
99
-1
-100
(78)
HF_21
(87)
HF_4
(9)
SH_3RESET
SH_4SUCCESSFULLY
SINKHOLE
99
-1
-100
(12)
SH_11
(12)
SH_2
(9)
WH_5RESET
WH_6SUCCESSFULLY
WORMHOLE
99
-1
-100
(12)
WH_11
(34)
WH_3
99
-1
-100
(34)
WH_21
(12)
WH_4
Doctorate Dissertation LrsquoAquila March 31st 2009
27
Al[sk]
Al[sk ]
Al[sk ]Aggregated Threat Model (I)
Al[sk](9)
X_9RESET
X_10SUCCESSFULLY
THREAT
99 99
-1
-100
(12)99
(87)
X_8
(34)
X_3
99
(56)
X_51
(78)
X_61
X_4
(34)
X_21
(65)
X_7
(12)
X_11
99
Doctorate Dissertation LrsquoAquila March 31st 2009
28
8886678555586775
(HF)
21221112112221
(SH)
312213342342244
(WH)
Security Analysis
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(HF)
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
0
100
200
300
400
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(SH)
ATMSTM
Doctorate Dissertation LrsquoAquila March 31st 2009
29
1
3
2
E
E
3 1
4
3
15 0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
Security Analysis
1
3 E
E
3 1
4
3
15
E
21
6
1
0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
(WH)
(WH)
(WH)
(SH)
(SH)
Doctorate Dissertation LrsquoAquila March 31st 2009
30
(9)
X_9RESET
X_10SUCCESSFULLY
THREAT
991 990
-10
-1000
(12)990
(87)
X_8
(34)
X_3
990
(56)
X_510
(78)
X_610
X_4
(34)
X_210
(65)
X_7
(12)
X_110
990
-1001
Aggregated Threat Model (II)
UPA state
Doctorate Dissertation LrsquoAquila March 31st 2009
31
Cost Analysisbull MICA2 8-bit processor ATMega128L 74 MHz) and assuming 20
clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 3 s
bull IMOTE 32-bit processor PXA271Xscale312 416 MHz) and assuming 5 clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
bull Memory usage is bytes2n3WMLn
nWML Number of 32-bit
operations
Estimated computation
time (assuming
MICA2 motes)
Estimated computation
time (assuming
IMOTE motes)
Estimated memory usage
(assuming 10n )
50 30000 100 ms 1 s 350 bytes 100 60000 200 ms 2 s 400 bytes
1000 600000 2 s 20 s 1300 bytes
Doctorate Dissertation LrsquoAquila March 31st 2009
32
AGILLA MA-AEEbull AGILLA is a mobile agent-based MW running on TinyOSbull Inter-agent communication via Tuple Space (rarr threat obs aggregation) bull Agents migrates via MOVE or CLONE (rarr agent propagation across DCST)bull STRONG or WEAK agent migrationbull Neighbor List (rarr admissible neighbors according to PNT graph)
TinyOS
Node (11)
Tuplespace
Agilla Middleware
Agents
TinyOS
Node (21)
Tuplespace
Agilla Middleware
Agentsmigrate
remote accessNeighbor
ListNeighbor
ListMiddleware Services Middleware Services
migrate
clone
MA-
AEE
[source Fok C-L et al ldquoAgilla A Mobile Agent Middleware for Sensor Networksrdquo Tech Report WUCSE-2006-16 2006]
Doctorate Dissertation LrsquoAquila March 31st 2009
33
Enhanced AGILLA MA-AEE
Underlying WSN Deployment
Secure Platform
AGILLA MA-AEE
Agent-based Applications
SWcomponent
SWcomponent
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Agent A1 AgentA2 AgentAn
Localmemory
AGILLAservices
Tuple space
Doctorate Dissertation LrsquoAquila March 31st 2009
34
IDS Functions Mapping
IRA
DefenseStrategy
AnomalyDetection
Logic
AlarmTracking
Countermeasure Application
Controlmessages
ThreatModel
LCD
IDSCore comp IRA
IDSMA comp
Intrusion Reaction Agent
Doctorate Dissertation LrsquoAquila March 31st 2009
35
IRA forward-propagation vs
Threat Observables back-propagation
IRA
Al[s] ok
IRAclone
1AGILLA MA-AEE
4AGILLA MA-AEE
5AGILLA MA-AEE
Al[s] ok
Al[s] ok Al[s] okAl[s] ok
3AGILLA MA-AEE
6AGILLA MA-AEE
2AGILLA MA-AEE
IRAclone
This mechanism avoids the injections of new IRA instances from the sink
Doctorate Dissertation LrsquoAquila March 31st 2009
36
WINSOME PBD (II)
Underlying WSN Deployment
AGILLA MA-AEE
IRAMonitoring Applications
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Integrity Monitoring
Agent
otheragents
AnomalyDetection
LogicThreatModel TAKS ARCHEA
Secure Platform
NetManagerLCDTuple Space
AGILLAservices
IDS core comp
Doctorate Dissertation LrsquoAquila March 31st 2009
37
Secure Platform internal Structure
AGILLA MA-AEEcm[s]
ok
al[sk]
al[sk]
Comms
NetManager
al[sk]
cm[s]
ok
Secure Platform
Control Msgs
Tuple Space
IRA
AGILLA MA-AEE
Remote Tuple Space
IRA
TMok
Hp_xk
ok
ADL
IRLIRLA
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
38
Next steps (near-term)bull Finalization of WINSOME components development
ndash on-going implementations of AGILLA enhancements bull 2 theses finalized 1 thesis in on-going
bull Extensions of WPM-based IDS to data messages ndash on-going jointly with UC Berkeley
bull Enhancements of WPM technique to reduce false positivesbull Extension of TAKS to cluster keys
Doctorate Dissertation LrsquoAquila March 31st 2009
39
Next steps (mid-term)
Anomaly Detectionapplied to sensed
data
Agent basedSW design
Further WPM-based
Threat Modeling
DetectionProcess
Threat Identification Mechanisms
Applications to Hybrid Systems
Control
MonitoringTheory
MWService SupportEnhancement
CooperativeCommunication
s
WINSOME Project
DefenceStrategies
Doctorate Dissertation LrsquoAquila March 31st 2009
40
Scientific Contributions[1]M Pugliese and F Santucci ldquoPair-wise Network Topology Authenticated
Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebrardquo in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08) Atlanta 2008
[2]M Pugliese A Giani and F Santucci ldquoA Weak Process Approach to Anomaly Detection in Wireless Sensor Networksrdquo in 1st International Workshop on Sensor Networks (SN08) Virgin Islands 2008
Doctorate Dissertation LrsquoAquila March 31st 2009
41
In preparationbull M Pugliese A Giani and F Santucci ldquoWeak Process Models for
Attack Detection in a Clustered Sensor Network using Mobile Agentsrdquo submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
bull M Pugliese and F Santucci ldquoA Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
bull M Pugliese L Pomante and F Santucci ldquoAgent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
Doctorate Dissertation LrsquoAquila March 31st 2009
42
AcronymsADL Anomaly Detection LogicAR Anomaly RulesAGILLA AGile bombILLAARCHEA Available Resource Cluster-Head Election AlgorithmDCST Dynamic Clustered Spanning TreeDLP Discrete Logarithm ProblemGF Galois FieldHMM Hidden Markov ModelHPA High Potential AttackIDS Intrusion Detection SystemIRA Intrusion Reaction AgentIRL Intrusion Reaction LogicLCD Local Configuration DataLPA Low Potential AttackTAKS Topology Authenticated Key SchemeTGMP TAK Generation Management ProtocolWINSOME WIreless sensor Network-based Secure system fOr
structural integrity Monitoring and alErtingWML WPM Memory LengthWPM Weak Process ModelWSN Wireless Sensor Network
Doctorate Dissertation LrsquoAquila March 31st 2009
43
Grazie per lrsquoAttenzione
Doctorate Dissertation LrsquoAquila March 31st 2009
44
BACKUP SLIDES
Doctorate Dissertation LrsquoAquila March 31st 2009
45
Underlying WSNPhysical WSN Deployment
bull Metricsndash Sensor Node Density (SND) It is defined as the ratio between
the number of sensor nodes and the aggregated coverage (supposing circular areas r = 1) generated by each sensor node
ndash Overlapping Detection Spot Percentage (ODSP) It is defined as the percentage of the aggregated overlapped coverage generated by all SND respect to the coverage area generated by a generic sensor node
bull Coverage-cost criteriandash Minimize SNDODSP to mimimize coverage redundancy for a
given SND ndash Minimize SNDODSP to maximize coverage reliability for a given
SND
Doctorate Dissertation LrsquoAquila March 31st 2009
46
Underlying WSNCoverage-cost Quality Indicators
bull The minimum for the product SNDODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
bull The minimum for the ratio SNDODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell SND ODSP SNDODSP SND ODSP SNs at the centre of hexagon 033 034 011 097 SNs at the centre of square 033 072 024 046 SNs at the vertices of hexagon 036 234 084 015 SNs at the vertices of square 036 156 056 023
Doctorate Dissertation LrsquoAquila March 31st 2009
47
18
23
5
11
4
17
8
1
20
15
9
21
24
19
25
16 6 13 10 22
12 3 2 7 14
Underlying WSNDCST Deployment
Doctorate Dissertation LrsquoAquila March 31st 2009
48
11
4
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication).
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs:
– TrKeyCompj vector ktj from node nj (the prover)
– LocPldTopi vector t for node ni (the verifier)
– If ktj ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1 x2 … xn); X is n × 1
• Individual state x at step k is defined by xk = x1 x2 … xk xi X with x0 (k=0) the initial state
• Observables set is O = (o1 o2 … oq); O is q × 1
• Individual observable at step k is defined by ok = o1 o2 … ok with oi O
• State Transition Distribution Matrix A (n × n): aij=1 if p(xk+1=xj|xk=xi)=1, aij=0 otherwise
• Emission Distribution Matrix B (q × n): bij=1 if p(ok=oj|xk=xi)=1, bij=0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi)
k-1
WPM-based Threat Model: Algebraic Canonical Form
A =
0 1 1 0 0
0 0 0 1 0
0 1 0 0 1
0 1 0 0 1
0 0 0 0 0
(i-th column gives the states reachable from the i-th state)
B =
1 0 0 0 1
0 1 0 0 0
0 0 1 1 0
1 1 0 1 0
0 0 1 0 0
1 0 0 0 1
(i-th column gives the observables of the i-th state)
x0 = 0 0 0 0 1
xF = 1 0 0 0 0
xk+1 = A xk
ok = B xk
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: hypothetic states generated step by step with xk+1 = A xk and xk = B^T ok for the observables o1 = 3 (x1 = 4, x1 = 5), o2 = 1 (x2 = 1, x2 = 5), o3 = 4 (x3 = 2, x3 = 3), o4 = 2 (x4 = 3), o5 = 5 (x5 = 4), o6 = 6 (x6 = 1, x6 = 5), and the resulting traces at step 6, Tr1 = 1245 and Tr2 = 1351.]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
– Low Potential Attack (LPA): An attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
– High Potential Attack (HPA): An attack is considered high potentially dangerous (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
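The hazard levels defined on this slide can be derived mechanically from A and the final state and then checked against incoming observables; the following is an added example, not code from the dissertation. It assumes the digit strings on the canonical-form slide are 5×5 and 6×5 matrices read row by row; the function names and the step-by-step filtering in `track` are this example's simplification, not the thesis's WML-based score computation.

```python
from collections import deque


def parse_matrix(digits, rows, cols):
    """Rebuild a 0/1 matrix from a digit string read row by row."""
    if len(digits) != rows * cols or set(digits) - {"0", "1"}:
        raise ValueError("digit string is not a %dx%d 0/1 matrix" % (rows, cols))
    return [[int(digits[r * cols + c]) for c in range(cols)] for r in range(rows)]


# Digit strings as printed on the canonical-form slide. The row-by-row
# 5x5 / 6x5 layout is an assumption about formatting lost in extraction.
A = parse_matrix("0110000010010010100100000", 5, 5)
B = parse_matrix("100010100000110110100010010001", 6, 5)
X0, XF = 5, 1  # x0 = 00001 and xF = 10000 as 1-based state numbers


def successors(a, state):
    """States reachable in one step: the non-zero rows of column `state`."""
    return {row + 1 for row in range(len(a)) if a[row][state - 1]}


def hops_to_final(a, final):
    """Breadth-first search backwards from the final state."""
    dist = {final: 0}
    queue = deque([final])
    while queue:
        target = queue.popleft()
        for source in range(1, len(a) + 1):
            if a[target - 1][source - 1] and source not in dist:
                dist[source] = dist[target] + 1
                queue.append(source)
    return dist


def hazard_levels(a, final):
    """HPA = 1 hop to the final state, LPA = at least 2 hops."""
    return {s: ("HPA" if d == 1 else "LPA")
            for s, d in hops_to_final(a, final).items() if d >= 1}


def engaged_states(b, obs):
    """Hp_xk = B^T ok: the states able to emit observable number `obs`."""
    if not 1 <= obs <= len(b):
        raise ValueError("unknown observable %r" % (obs,))
    return {col + 1 for col in range(len(b[0])) if b[obs - 1][col]}


def worst_level(states, levels, final):
    """Most severe label among a set of hypothetic states."""
    if final in states:
        return "FINAL"
    found = {levels.get(s) for s in states}
    for level in ("HPA", "LPA"):
        if level in found:
            return level
    return "NONE"


def track(a, b, x0, final, observations):
    """Keep the hypothetic states that A allows after the previous step.

    If an observable contradicts A (empty intersection), fall back to the
    engaged states alone and mark the step as resynced.
    """
    levels = hazard_levels(a, final)
    current = {x0}
    steps = []
    for obs in observations:
        reachable = set()
        for state in current:
            reachable |= successors(a, state)
        hypothetic = engaged_states(b, obs)
        consistent = reachable & hypothetic
        resynced = not consistent
        if resynced:
            consistent = hypothetic
        level = worst_level(consistent, levels, final)
        steps.append({
            "obs": obs,
            "states": sorted(consistent),
            "level": level,
            "alarm": level == "HPA",  # the slide raises alarms on HPA
            "resynced": resynced,
        })
        current = consistent
    return steps


if __name__ == "__main__":
    # Constructed observation sequence, not taken from the slides.
    for step in track(A, B, X0, XF, [4, 2, 6]):
        print(step)
```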
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node nj is an LPA state the total score in nj is sj = L
• if node nj is an HPA state the total score in nj is sj = H
• if node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
Hypothetic Free States (Free_xk)
kobs
WML
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equations system should be solved for a m c b, which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (=3+3), 10 variables (a m c b)
• It can be shown that even capturing all N nodes in the network the attacker gets ~ q^4 - Nq free solutions for (a m c b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
→ ~ q^4 solutions
[Figure: ADL Component. Block diagram; labels: ADL, AR, AG, WML, TM, LCD, Tuple Space, Remote Tuple Space, NetManager, Comms; signals: ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs.]
[Figure: AG sub-Component. Block diagram; labels: AG, Trace Estimation, Score Computation, WML, TM, Tuple Space; signals: Hp_xk, Free_xk, Free_xi<k, al[sk].]
[Figure: TM Component. Block diagram; labels: TM (A B x0 xF), ADL, AG, AR, Remote Tuple Space; signals: ok, Hp_xk.]
[Figure: NetManager Component. Block diagram; labels: NetManager, TAKS, ARCHEA, AR, LCD, Comms, Tuple Space; signals: TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen okko.]
[Figure: TAKS Component. Block diagram; labels: TAKS, Network Topology Authentication, Key Generation, TGMP, LCD, TinySec (ReplaceKey, RevokeKey), ARCHEA, AR, Comms, Tuple Space; signals: klj, ktj, σ(j), cm[s], TAKgen okko, TGMP msgs, RELEASE_ind(niCH).]
[Figure: ARCHEA Component. Block diagram; labels: ARCHEA, ARCHEA Manager, Route Cost Computation, TAKS, AR, Comms; signals: ARCHEA msgs, RELEASE_ind(niCH).]
TAK Gen Management Prot (TGMP)
[Figure: TGMP message sequence between ni (LCDi) and nj (LCDj) in steps (1) and (2): SETUP(kti), SETUP(ktj); checks tj·ktj = 0 and ti·kti = 0; TAK i = f(kli ktj), TAK j = f(klj kti); TAK-ciphered link; RELEASE(kti ktj); RELEASE_ind(niCH) (ARCHEA); TinySecRevokeKey(TAK); TinySecReplaceKey(TAK).]
ARCHEA Protocol
[Figure: ARCHEA message sequence among ni, nj and nl (LCDi holding σi = AN[σ(ni)] and hi; LCDj holding hj) in steps (1) and (2): EVALUATE_RC(hi σi); ni = CH = minRCi; UDPATE_H(hj); UDPATE_H(hl); RESET_H; hj = hl+1; RELEASE_ind(niCH) (TAKS); TAK-ciphered link.]
Examples of Anomaly Rules
AR1: If nE has authenticated node nE node nE declares hE < hi with hi ≠ 0 (in other words node nE introduces itself as the new CH of ni but the current CH of ni is still alive) then ok = o1
AR2: If ni is CH and (rule AR1 or rule AR2) in nj is true then ok = o2. This AR enables the "threat observables" back-propagation
AR3: If ni has authenticated node nE and node nE declares hE hi (in other words node nE introduces itself as a new cluster member M) then ok = o3. This AR produces an ambiguous observable (Undecided Threat Obs)
The observable ok = o9 is produced if there are no observables for a sequence of K observation steps, with K a predefined threshold
…
WPM-based Single Threats Models
[Figure: state diagrams of the three single threat models. HELLO Flooding (HF): states HF_1 to HF_6, with HF_5 RESET and HF_6 SUCCESSFULLY H FLOODING. SINKHOLE (SH): states SH_1 to SH_4, with SH_3 RESET and SH_4 SUCCESSFULLY SINKHOLE. WORMHOLE (WH): states WH_1 to WH_6, with WH_5 RESET and WH_6 SUCCESSFULLY WORMHOLE. Transition labels (12), (34), (56), (65), (78), (87), (9); numeric labels 1, 99, -1, -100.]
[Figure: Aggregated Threat Model (I). State diagram with states X_1 to X_10, X_9 RESET and X_10 SUCCESSFULLY THREAT; transition labels (12), (34), (56), (65), (78), (87), (9); numeric labels 1, 99, -1, -100; alarms Al[sk].]
[Figure: Security Analysis. Plots of score versus observation step (obs 1 to 31) for the sequences (HF) 8886678555586775, (SH) 21221112112221 and (WH) 312213342342244; panels (HF), (WH), (SH); legend ATM, STM.]
[Figure: Security Analysis. Two plots of score versus observation step (obs 1 to 31), each beside a network sketch with numbered nodes and an external node E, annotated (WH) and (SH).]
[Figure: Aggregated Threat Model (II). State diagram with states X_1 to X_10, X_9 RESET, X_10 SUCCESSFULLY THREAT and a UPA state; transition labels (12), (34), (56), (65), (78), (87), (9); numeric labels 10, 990, 991, -10, -1000, -1001.]
Cost Analysis
• MICA2 8-bit processor ATMega128L 74 MHz) and assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 s
• IMOTE 32-bit processor PXA271Xscale312 416 MHz) and assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
• Memory usage is bytes2n3WMLn
nWML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming 10n )
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two nodes, Node (11) and Node (21), each with Agents, Tuplespace, Neighbor List and Middleware Services in the Agilla Middleware (MA-AEE) on top of TinyOS; arrows labelled migrate, clone and remote access between the nodes.]
[source: Fok C-L et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech Report WUCSE-2006-16, 2006]
[Figure: Enhanced AGILLA MA-AEE. Layered view; labels: Underlying WSN Deployment (Sensor Nodes), Secure Platform (SW components), AGILLA MA-AEE (AGILLA services, Tuple space, Local memory), Agent-based Applications (Agent A1, Agent A2, Agent An).]
[Figure: IDS Functions Mapping. Labels: IRA (Intrusion Reaction Agent), Defense Strategy, Anomaly Detection Logic, Alarm Tracking, Countermeasure Application, Control messages, Threat Model, LCD, IDS Core comp, IDS MA comp.]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running AGILLA MA-AEE; IRA and IRA clone instances on the nodes, with Al[s] and ok exchanged between them.]
This mechanism avoids the injection of new IRA instances from the sink
[Figure: WINSOME PBD (II). Layered view; labels: Underlying WSN Deployment (Sensor Nodes), Secure Platform, IDS core comp, Anomaly Detection Logic, Threat Model, TAKS, ARCHEA, NetManager, LCD, Tuple Space, AGILLA MA-AEE, AGILLA services, Monitoring Applications, IRA, Integrity Monitoring Agent, other agents.]
[Figure: Secure Platform internal Structure. Labels: Secure Platform, AGILLA MA-AEE, IRA, Tuple Space, Remote Tuple Space, Control Msgs, NetManager, Comms, TM, ADL, IRL, IRLA, LCD; signals: cm[s], ok, al[sk], Hp_xk.]
Next steps (near-term)
• Finalization of WINSOME components development
– on-going implementations of AGILLA enhancements
• 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
– on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: topics around the WINSOME Project: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems; Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies.]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
– Sensor Node Density (SND): It is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas r = 1) generated by each sensor node
– Overlapping Detection Spot Percentage (ODSP): It is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
– Minimize SND×ODSP to minimize coverage redundancy for a given SND
– Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND×ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)
Fundamental Cell | SND | ODSP | SND×ODSP | SND/ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
[Figure: Underlying WSN: DCST Deployment. Diagram of nodes numbered 1 to 25.]
[Figure: Underlying WSN: DCST Self-Organization. Five successive diagrams of the numbered nodes.]
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network
Configuration | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO, down 3 | 0.38 | 0.32 | 0.84
DCST-SO, down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO, down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO, down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO, rearrange 12 | 0.48 | 0.25 | 1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any uU is a 3-tuple where ux uy uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
R1: Be a one-way function
R2: must hold for where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
R3: Be a one-way function
R4: V(v v') = 0 only for a particular sub-set of values v v' V U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
const)u(f)u(f)u(f)u(f Uuu
Doctorate Dissertation LrsquoAquila March 31st 2009
26
WPM-based Single Threats Models
HELLO Flooding
SINKHOLE
WORMHOLE(HF)
(SH)
(WH)
(9)
HF_5RESET
HF_6SUCCESSFULLYH FLOODING
99
-1
-100
(56)
HF_11
(65)
HF_3
99
-1
-100
(78)
HF_21
(87)
HF_4
(9)
SH_3RESET
SH_4SUCCESSFULLY
SINKHOLE
99
-1
-100
(12)
SH_11
(12)
SH_2
(9)
WH_5RESET
WH_6SUCCESSFULLY
WORMHOLE
99
-1
-100
(12)
WH_11
(34)
WH_3
99
-1
-100
(34)
WH_21
(12)
WH_4
Doctorate Dissertation LrsquoAquila March 31st 2009
27
Al[sk]
Al[sk ]
Al[sk ]Aggregated Threat Model (I)
Al[sk](9)
X_9RESET
X_10SUCCESSFULLY
THREAT
99 99
-1
-100
(12)99
(87)
X_8
(34)
X_3
99
(56)
X_51
(78)
X_61
X_4
(34)
X_21
(65)
X_7
(12)
X_11
99
Doctorate Dissertation LrsquoAquila March 31st 2009
28
8886678555586775
(HF)
21221112112221
(SH)
312213342342244
(WH)
Security Analysis
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(HF)
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
0
100
200
300
400
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(SH)
ATMSTM
Doctorate Dissertation LrsquoAquila March 31st 2009
29
1
3
2
E
E
3 1
4
3
15 0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
Security Analysis
1
3 E
E
3 1
4
3
15
E
21
6
1
0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
(WH)
(WH)
(WH)
(SH)
(SH)
Doctorate Dissertation LrsquoAquila March 31st 2009
30
(9)
X_9RESET
X_10SUCCESSFULLY
THREAT
991 990
-10
-1000
(12)990
(87)
X_8
(34)
X_3
990
(56)
X_510
(78)
X_610
X_4
(34)
X_210
(65)
X_7
(12)
X_110
990
-1001
Aggregated Threat Model (II)
UPA state
Doctorate Dissertation LrsquoAquila March 31st 2009
31
Cost Analysisbull MICA2 8-bit processor ATMega128L 74 MHz) and assuming 20
clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 3 s
bull IMOTE 32-bit processor PXA271Xscale312 416 MHz) and assuming 5 clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
bull Memory usage is bytes2n3WMLn
nWML Number of 32-bit
operations
Estimated computation
time (assuming
MICA2 motes)
Estimated computation
time (assuming
IMOTE motes)
Estimated memory usage
(assuming 10n )
50 30000 100 ms 1 s 350 bytes 100 60000 200 ms 2 s 400 bytes
1000 600000 2 s 20 s 1300 bytes
Doctorate Dissertation LrsquoAquila March 31st 2009
32
AGILLA MA-AEEbull AGILLA is a mobile agent-based MW running on TinyOSbull Inter-agent communication via Tuple Space (rarr threat obs aggregation) bull Agents migrates via MOVE or CLONE (rarr agent propagation across DCST)bull STRONG or WEAK agent migrationbull Neighbor List (rarr admissible neighbors according to PNT graph)
TinyOS
Node (11)
Tuplespace
Agilla Middleware
Agents
TinyOS
Node (21)
Tuplespace
Agilla Middleware
Agentsmigrate
remote accessNeighbor
ListNeighbor
ListMiddleware Services Middleware Services
migrate
clone
MA-
AEE
[source Fok C-L et al ldquoAgilla A Mobile Agent Middleware for Sensor Networksrdquo Tech Report WUCSE-2006-16 2006]
Doctorate Dissertation LrsquoAquila March 31st 2009
33
Enhanced AGILLA MA-AEE
Underlying WSN Deployment
Secure Platform
AGILLA MA-AEE
Agent-based Applications
SWcomponent
SWcomponent
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Agent A1 AgentA2 AgentAn
Localmemory
AGILLAservices
Tuple space
Doctorate Dissertation LrsquoAquila March 31st 2009
34
IDS Functions Mapping
IRA
DefenseStrategy
AnomalyDetection
Logic
AlarmTracking
Countermeasure Application
Controlmessages
ThreatModel
LCD
IDSCore comp IRA
IDSMA comp
Intrusion Reaction Agent
Doctorate Dissertation LrsquoAquila March 31st 2009
35
IRA forward-propagation vs
Threat Observables back-propagation
IRA
Al[s] ok
IRAclone
1AGILLA MA-AEE
4AGILLA MA-AEE
5AGILLA MA-AEE
Al[s] ok
Al[s] ok Al[s] okAl[s] ok
3AGILLA MA-AEE
6AGILLA MA-AEE
2AGILLA MA-AEE
IRAclone
This mechanism avoids the injections of new IRA instances from the sink
Doctorate Dissertation LrsquoAquila March 31st 2009
36
WINSOME PBD (II)
Underlying WSN Deployment
AGILLA MA-AEE
IRAMonitoring Applications
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Integrity Monitoring
Agent
otheragents
AnomalyDetection
LogicThreatModel TAKS ARCHEA
Secure Platform
NetManagerLCDTuple Space
AGILLAservices
IDS core comp
Doctorate Dissertation LrsquoAquila March 31st 2009
37
Secure Platform internal Structure
AGILLA MA-AEEcm[s]
ok
al[sk]
al[sk]
Comms
NetManager
al[sk]
cm[s]
ok
Secure Platform
Control Msgs
Tuple Space
IRA
AGILLA MA-AEE
Remote Tuple Space
IRA
TMok
Hp_xk
ok
ADL
IRLIRLA
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
38
Next steps (near-term)bull Finalization of WINSOME components development
ndash on-going implementations of AGILLA enhancements bull 2 theses finalized 1 thesis in on-going
bull Extensions of WPM-based IDS to data messages ndash on-going jointly with UC Berkeley
bull Enhancements of WPM technique to reduce false positivesbull Extension of TAKS to cluster keys
Doctorate Dissertation LrsquoAquila March 31st 2009
39
Next steps (mid-term)
Anomaly Detectionapplied to sensed
data
Agent basedSW design
Further WPM-based
Threat Modeling
DetectionProcess
Threat Identification Mechanisms
Applications to Hybrid Systems
Control
MonitoringTheory
MWService SupportEnhancement
CooperativeCommunication
s
WINSOME Project
DefenceStrategies
Doctorate Dissertation LrsquoAquila March 31st 2009
40
Scientific Contributions[1]M Pugliese and F Santucci ldquoPair-wise Network Topology Authenticated
Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebrardquo in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08) Atlanta 2008
[2]M Pugliese A Giani and F Santucci ldquoA Weak Process Approach to Anomaly Detection in Wireless Sensor Networksrdquo in 1st International Workshop on Sensor Networks (SN08) Virgin Islands 2008
Doctorate Dissertation LrsquoAquila March 31st 2009
41
In preparation
• M. Pugliese, A. Giani and F. Santucci, “Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents”, submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, “A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN”
• M. Pugliese, L. Pomante and F. Santucci, “Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN”
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
  – Sensor Node Density (SND): defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  – Overlapping Detection Spot Percentage (ODSP): defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  – Minimize SND·ODSP to minimize coverage redundancy for a given SND
  – Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)
Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
Underlying WSN: DCST Deployment
[Figure: DCST over nodes labelled 1 to 25]
Underlying WSN: DCST Self-Organization
[Figures, five slides: DCST over nodes labelled 1 to 25 at successive self-organization steps]
Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical “planned” neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant “planned” node, applied to the deployed nodes in the network
Configuration | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO, down 3 | 0.38 | 0.32 | 0.84
DCST-SO, down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO, down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO, down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO, rearrange 12 | 0.48 | 0.25 | 1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple whose components ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
  R1: Be a one-way function
  R2: must hold for
      const)u(f)u(f)u(f)u(f Uuu
      where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: Be a one-way function
  R4: V(v, v') = 0 only for a particular sub-set of values v, v' ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a' ∈ A if m ∈ M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) (not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for f() be $f(\cdot) = k\,b^{m(\cdot)}$, where m ∈ M satisfies Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
   $k b^{m u} \cdot k b^{m u'} = k^2 b^{m(u+u')} = k^2 b^{m(u'+u)} = k b^{m u'} \cdot k b^{m u}$ for u, u' ∈ U, k ∈ GF(q)
   where · (hereafter omitted) is the mod q product
e. Let kl, kl' ∈ KL ⊂ U (private) and kt, kt' ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that for the generic kt ∈ KT it is t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical “planned” neighbor of node i
• TAK authentication needs:
  – TrKeyCompj: vector ktj from node nj (the prover)
  – LocPldTopi: vector t for node ni (the verifier)
  – If ktj • ti = 0, then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, with xi ∈ X and x0 (k = 0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = i=1..k-1 (xk A • Free_xi)
WPM-based Threat Model: Algebraic Canonical Form
$x_{k+1} = A x_k, \quad o_k = B x_k$
A = 0110000010010010100100000 (the i-th column gives the states reachable from the i-th state)
B = 100010100000110110100010010001 (the i-th column gives the observables of the i-th state)
x0 = 00001
xF = 10000
WPM-based Threat Model: Generation of Hypothetic States Traces
$x_{k+1} = A x_k, \quad x_k = B^T o_k$
[Figure: hypothetic states for six observations, each obtained as xk = B^T ok and propagated as xk+1 = A xk. o1 = 3: x1 = 4 or x1 = 5; o2 = 1: x2 = 1 or x2 = 5; o3 = 4: x3 = 2 or x3 = 3; o4 = 2: x4 = 3; o5 = 5: x5 = 4; o6 = 6: x6 = 1 or x6 = 5. Two traces, Tr1 and Tr2, are shown at step 6]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
  – Low Potential Attack (LPA): an attack is considered “low potentially dangerous” (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  – High Potential Attack (HPA): an attack is considered “high potentially dangerous” (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
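The following is an added example, not taken from the slides or from the WINSOME code: it tracks hypothetic states with boolean matrices in the canonical form (Hp_xk = B^T ok, xk+1 = A xk) and raises an alarm when a surviving hypothesis is one hop from the final state. The matrices A and B are constructed for illustration (only initial state 5 and final state 1 follow the slides), and the update rule used here (propagate, intersect with Hp_xk, re-seed from Hp_xk when nothing survives) is an assumed simplification, not the score-matrix computation of the dissertation.

```python
"""Added example: boolean WPM threat tracking with LPA/HPA classification."""
from collections import deque

# Constructed 5-state / 6-observable model (illustrative, not the slide's A, B).
# Column i of A lists the states reachable from state i;
# column i of B lists the observables that state i can emit.
A = [
    [0, 1, 0, 0, 0],  # state 1 (final) is reached from state 2
    [0, 0, 1, 1, 0],  # state 2 is reached from states 3 and 4
    [0, 0, 0, 0, 1],  # state 3 is reached from state 5
    [0, 0, 0, 0, 1],  # state 4 is reached from state 5
    [0, 0, 0, 0, 0],  # state 5 (initial) is never re-entered
]
B = [
    [1, 0, 0, 0, 0],  # observable 1: state 1
    [0, 1, 0, 0, 0],  # observable 2: state 2
    [0, 0, 0, 1, 1],  # observable 3: states 4 and 5
    [0, 1, 1, 0, 0],  # observable 4: states 2 and 3
    [0, 0, 0, 1, 0],  # observable 5: state 4
    [0, 0, 0, 0, 1],  # observable 6: state 5
]
X0 = [0, 0, 0, 0, 1]  # initial state 5, as on the slide
XF = [1, 0, 0, 0, 0]  # final state 1, as on the slide
RANK = {"NONE": 0, "LPA": 1, "HPA": 2, "FINAL": 3}


def bool_matvec(matrix, vector):
    """Boolean matrix-vector product (OR of ANDs)."""
    return [int(any(m and v for m, v in zip(row, vector))) for row in matrix]


def hp_states(observable):
    """Hypothetic engaged states Hp_xk = B^T ok for a 1-based observable id."""
    if not 1 <= observable <= len(B):
        raise ValueError("unknown observable %r" % observable)
    o_k = [int(j == observable - 1) for j in range(len(B))]
    b_transposed = [list(col) for col in zip(*B)]
    return bool_matvec(b_transposed, o_k)


def hops_to_final():
    """Hop count from every state to the final state (None if unreachable)."""
    dist = [0 if final else None for final in XF]
    queue = deque(i for i, final in enumerate(XF) if final)
    while queue:
        j = queue.popleft()
        for i in range(len(A)):  # A[j][i] == 1 means transition i -> j
            if A[j][i] and dist[i] is None:
                dist[i] = dist[j] + 1
                queue.append(i)
    return dist


def hazard(states, dist):
    """Worst hazard level among the hypothesised states."""
    worst = "NONE"
    for i, active in enumerate(states):
        if not active or dist[i] is None:
            continue
        level = "FINAL" if dist[i] == 0 else "HPA" if dist[i] == 1 else "LPA"
        if RANK[level] > RANK[worst]:
            worst = level
    return worst


def track(observations):
    """Follow a sequence of observables and report hypotheses and alarms."""
    dist = hops_to_final()
    hypotheses = X0[:]
    report = []
    for o in observations:
        engaged = hp_states(o)
        predicted = bool_matvec(A, hypotheses)       # x_{k+1} = A x_k
        survivors = [p & e for p, e in zip(predicted, engaged)]
        reseeded = not any(survivors)
        if reseeded:
            # Assumption: an observable that contradicts every propagated
            # hypothesis restarts tracking from Hp_xk (missed observations).
            survivors = engaged
        hypotheses = survivors
        level = hazard(hypotheses, dist)
        report.append({
            "states": [i + 1 for i, s in enumerate(hypotheses) if s],
            "level": level,
            "alarm": level == "HPA",   # al[sk] is issued in an HPA state
            "reseeded": reseeded,
        })
    return report


if __name__ == "__main__":
    for step in track([3, 4, 1]):
        print(step)
```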
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic system of equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that even capturing all N nodes in the network the attacker gets ~ q^4 – Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
ADL Component
[Block diagram: WML, AG, AR, TM, LCD, NetManager, Comms, Tuple Space, Remote Tuple Space; exchanged items: ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs]
AG sub-Component
[Block diagram: Trace Estimation, Score Computation, WML, TM, Tuple Space; exchanged items: Hp_xk, Free_xk, Free_xi<k, al[sk]]
TM Component
[Block diagram: TM (A, B, x0, xF), AG, AR, ADL, Remote Tuple Space; exchanged items: ok, Hp_xk]
NetManager Component
[Block diagram: NetManager, LCD, Comms, Tuple Space, TAKS, ARCHEA, AR; exchanged items: TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen ok/ko]
TAKS Component
[Block diagram: Network Topology Authentication, Key Generation, TGMP, LCD, Tuple Space, ARCHEA, AR, Comms, TinySec (ReplaceKey, RevokeKey); exchanged items: klj, ktj, σ(j), cm[s], TAKgen ok/ko, TGMP msgs, RELEASE_ind(niCH)]
ARCHEA Component
[Block diagram: Route Cost Computation, ARCHEA Manager, TAKS, Comms, AR; exchanged items: ARCHEA msgs, RELEASE_ind(niCH)]
TAK Gen Management Prot (TGMP)
[Message sequence chart between ni (LCDi) and nj (LCDj), steps (1) and (2). Labels: SETUP(kti), SETUP(ktj), tj · ktj = 0, ti · kti = 0, TAK i = f(kli, ktj), TAK j = f(klj, kti), TAK-ciphered link, RELEASE(kti, ktj), RELEASE_ind(niCH) from ARCHEA, TinySec ReplaceKey(TAK), TinySec RevokeKey(TAK)]
ARCHEA Protocol
[Message sequence chart among ni (LCDi), nj (LCDj) and nl, steps (1) and (2). Labels: EVALUATE_RC(hi, σi), ni=CH = minRCi, UDPATE_H(hj), UDPATE_H(hl), RESET_H, hj = hl+1, RELEASE_ind(niCH) to TAKS, TAK-ciphered link, σi = AN[σ(ni)], hi, hj]
Aggregated Threat Model (I)
[State diagram: states X_1 to X_8, X_9 RESET and X_10 SUCCESSFULLY THREAT; edge labels (12), (34), (56), (65), (78), (87), (9); scores 1, 99, -1, -100; alarms Al[sk]]
Security Analysis
[Figure: score versus observation step (obs 1 to 31) for the (HF), (WH) and (SH) cases, ATM and STM. Observation sequences shown: 8886678555586775 (HF), 21221112112221 (SH), 312213342342244 (WH)]
Security Analysis
[Figure: two state diagrams with score versus observation step plots (obs 1 to 31) for the (WH) and (SH) cases]
Aggregated Threat Model (II)
[State diagram: states X_1 to X_8, X_9 RESET and X_10 SUCCESSFULLY THREAT, with a UPA state marked; edge labels (12), (34), (56), (65), (78), (87), (9); scores 10, 990, 991, -10, -1000, -1001]
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE (32-bit processor PXA271 XScale, 312 416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is n·WML + 3n² bytes
n·WML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: Node (1,1) and Node (2,1), each running TinyOS, the Agilla Middleware (Middleware Services, Tuplespace, Neighbor List) and Agents; arrows: migrate, clone, remote access; the whole labelled MA-AEE]
[source: Fok C.-L. et al., “Agilla: A Mobile Agent Middleware for Sensor Networks”, Tech. Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Layered diagram labels: Underlying WSN Deployment (Sensor Nodes), Secure Platform (SW components), AGILLA MA-AEE (AGILLA services, Tuple space, Local memory), Agent-based Applications (Agent A1, Agent A2, Agent An)]
IDS Functions Mapping
[Diagram labels: Intrusion Reaction Agent (IRA): Defense Strategy, Alarm Tracking, Countermeasure Application; Anomaly Detection Logic, Threat Model, LCD, Control messages; IDS Core comp, IDS MA comp]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: nodes 1 to 6, each running AGILLA MA-AEE; IRA and IRA clones propagate forward, Al[s] and ok propagate back]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Layered diagram labels: Underlying WSN Deployment (Sensor Nodes), AGILLA MA-AEE, AGILLA services, Secure Platform, IDS core comp, Anomaly Detection Logic, Threat Model, TAKS, ARCHEA, NetManager, LCD, Tuple Space, Monitoring Applications, IRA, Integrity Monitoring Agent, other agents]
28
8886678555586775
(HF)
21221112112221
(SH)
312213342342244
(WH)
Security Analysis
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(HF)
0
100
200
300
400
500
600
700
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
0
100
200
300
400
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(SH)
ATMSTM
Doctorate Dissertation LrsquoAquila March 31st 2009
29
1
3
2
E
E
3 1
4
3
15 0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
Security Analysis
1
3 E
E
3 1
4
3
15
E
21
6
1
0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
(WH)
(WH)
(WH)
(SH)
(SH)
Doctorate Dissertation LrsquoAquila March 31st 2009
30
(9)
X_9RESET
X_10SUCCESSFULLY
THREAT
991 990
-10
-1000
(12)990
(87)
X_8
(34)
X_3
990
(56)
X_510
(78)
X_610
X_4
(34)
X_210
(65)
X_7
(12)
X_110
990
-1001
Aggregated Threat Model (II)
UPA state
Cost Analysis
• MICA2: 8-bit processor (ATMega128L, 7.4 MHz). Assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 µs
• IMOTE: 32-bit processor (PXA271 XScale, 312/416 MHz). Assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 µs (assuming a conservative 300 MHz clock)
• Memory usage is 3n^2 + WML·n bytes

n·WML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50    | 30000                       | 100 ms | 1 s  | 350 bytes
100   | 60000                       | 200 ms | 2 s  | 400 bytes
1000  | 600000                      | 2 s    | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two nodes, Node (1,1) and Node (2,1), each running TinyOS with the Agilla Middleware (Agents, Tuplespace, Neighbor List, Middleware Services); arrows labelled migrate, clone and remote access; the MA-AEE is marked.]
[source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech. Report WUCSE-2006-16, 2006]
Enhanced AGILLA MA-AEE
[Figure: layered architecture. Layers: Underlying WSN Deployment, Secure Platform, AGILLA MA-AEE, Agent-based Applications; other labels: Sensor Node, SW component, Agent A1, Agent A2, Agent An, Local memory, AGILLA services, Tuple space.]

IDS Functions Mapping
[Figure: mapping of IDS functions. Labels: IRA (Intrusion Reaction Agent), Defense Strategy, Anomaly Detection Logic, Alarm Tracking, Countermeasure Application, Control messages, Threat Model, LCD, IDS Core comp, IDS MA comp.]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running the AGILLA MA-AEE; labels between nodes: IRA, IRA clone, Al[s], ok.]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Figure: layered architecture. Labels: Underlying WSN Deployment, Sensor Node, Secure Platform, NetManager, LCD, Tuple Space, TAKS, ARCHEA, Anomaly Detection Logic, Threat Model, IDS core comp, AGILLA MA-AEE, AGILLA services, Monitoring Applications, Integrity Monitoring Agent, IRA, other agents.]

Secure Platform internal Structure
[Figure: block diagram. Labels: Secure Platform, AGILLA MA-AEE, IRA, Tuple Space, Remote Tuple Space, Comms, NetManager, TM, ADL, IRLIRLA, LCD, Control Msgs; signals: cm[s], ok, al[sk], Hp_xk.]
Next steps (near-term)
• Finalization of WINSOME components development
  – on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  – on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys

Next steps (mid-term)
[Figure: topic map around the WINSOME Project. Labels: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems; Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies.]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008

In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network

Thank you for your attention

BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
  – Sensor Node Density (SND): it is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  – Overlapping Detection Spot Percentage (ODSP): it is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  – Minimize SND·ODSP to minimize coverage redundancy for a given SND
  – Minimize SND/ODSP to maximize coverage reliability for a given SND

Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)

Fundamental Cell               | SND  | ODSP | SND·ODSP | SND/ODSP
SNs at the centre of hexagon   | 0.33 | 0.34 | 0.11     | 0.97
SNs at the centre of square    | 0.33 | 0.72 | 0.24     | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84     | 0.15
SNs at the vertices of square  | 0.36 | 1.56 | 0.56     | 0.23
Underlying WSN: DCST Deployment
[Figure: DCST deployed over sensor nodes numbered 1 to 25.]

Underlying WSN: DCST Self-Organization
[Figure sequence (five slides): self-organization of the DCST over the same numbered sensor nodes.]
Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

                          | <CH> | <σ>  | <h>
DCST-Deployment           | 0.36 | 0.33 | 0.80
DCST-SO: down 3           | 0.38 | 0.32 | 0.84
DCST-SO: down 3-4         | 0.39 | 0.31 | 0.87
DCST-SO: down 3-4-11      | 0.45 | 0.26 | 1.03
DCST-SO: down 3-4-11-8    | 0.48 | 0.25 | 1.17
DCST-SO: rearrange 12     | 0.48 | 0.25 | 1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple (ux, uy, uz), where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements
  R1: be a one-way function
  R2: must hold for where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements
  R3: be a one-way function
  R4: V(v, v') = 0 only for a particular sub-set of values v, v' ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a' ∈ A if m ∈ M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) (not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for where m ∈ M satisfies Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because for where (hereafter omitted) is the mod q product
e. Let kl, k'l ∈ KL ⊂ U (private) and kt, k't ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that for the generic kt ∈ KT is t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs:
  – TrKeyCompj: vector ktj from node nj (the prover)
  – LocPldTopi: vector t for node ni (the verifier)
  – If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
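The verifier-side check g(t, kt) = t • kt = 0 described above, as an added Python example that is not part of the original slides. It assumes a small prime field GF(251) in place of the slides' GF(q), builds its own sample kt and t (the slides' key derivation is not reproduced), and the names `is_admissible` and `false_accept_count` are hypothetical. It also counts how many TrKeyComp values pass the check against a single topology vector, which is why q must be much larger than N.

```python
"""Topology check t . kt = 0 over a small prime field (added example)."""
from itertools import product

P = 251  # ASSUMPTION: small prime, so GF(P) arithmetic is plain mod-P arithmetic


def dot(u, v, p=P):
    """Scalar product of two 3-vectors over GF(p)."""
    return sum(a * b for a, b in zip(u, v)) % p


def cross(u, v, p=P):
    """Vector product over GF(p); the result is orthogonal to both inputs."""
    return ((u[1] * v[2] - u[2] * v[1]) % p,
            (u[2] * v[0] - u[0] * v[2]) % p,
            (u[0] * v[1] - u[1] * v[0]) % p)


def is_admissible(kt, topology_vectors, p=P):
    """Verifier: accept kt if some planned-neighbour vector t gives t . kt = 0."""
    well_formed = (isinstance(kt, tuple) and len(kt) == 3
                   and all(isinstance(c, int) and 0 <= c < p for c in kt))
    # The zero vector is orthogonal to every t, so it proves nothing about
    # the sender; this example's verifier rejects it before the scalar product.
    if not well_formed or kt == (0, 0, 0):
        return False
    return any(dot(t, kt, p) == 0 for t in topology_vectors)


def false_accept_count(t, p):
    """Exhaustively count the non-zero kt in GF(p)^3 accepted against one t."""
    return sum(1 for kt in product(range(p), repeat=3)
               if is_admissible(kt, [t], p))


# Constructed sample data (not taken from the slides).
KT_J = (17, 42, 99)                # TrKeyComp announced by a planned neighbour
T_FOR_J = cross(KT_J, (5, 7, 11))  # a topology vector orthogonal to KT_J
KT_UNPLANNED = (17, 42, 100)       # TrKeyComp of a node outside the plan

if __name__ == "__main__":
    print("planned neighbour accepted:", is_admissible(KT_J, [T_FOR_J]))
    print("unplanned node accepted:   ", is_admissible(KT_UNPLANNED, [T_FOR_J]))
    p = 13
    hits = false_accept_count((1, 2, 3), p)
    print("p=%d: %d of %d non-zero kt pass one t" % (p, hits, p ** 3 - 1))
```

For a non-zero t the accepted set is a plane through the origin, so p^2 - 1 of the p^3 - 1 non-zero vectors pass, roughly a 1/p chance for an arbitrary kt per topology vector held by the verifier.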
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = i=1 (xk A • Free_xi) k-1
WPM-based Threat Model: Algebraic Canonical Form
x_{k+1} = A x_k
o_k = B x_k
A (5 × 5 binary matrix, entries flattened): 0110000010010010100100000
  the i-th column gives the states reachable from the i-th state
B (6 × 5 binary matrix, entries flattened): 100010100000110110100010010001
  the i-th column gives the observables of the i-th state
x0 = 00001
xF = 10000
WPM-based Threat Model: Generation of Hypothetic States Traces
x_k = B^T o_k
x_{k+1} = A x_k
Observables and the hypothetic states obtained from them (xk = B^T ok):
  o1 = 3: x1 = 4, x1 = 5
  o2 = 1: x2 = 1, x2 = 5
  o3 = 4: x3 = 2, x3 = 3
  o4 = 2: x4 = 3
  o5 = 5: x5 = 4
  o6 = 6: x6 = 1, x6 = 5
Propagation between steps: x2 = A x1, x3 = A x2, x4 = A x3, x5 = A x4, x6 = A x5
[Figure: the hypothetic states traces over the six observation steps, labelled Tr1 and Tr2 (extracted as "Tr1 6=1245" and "Tr2 6=1351").]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
  – Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  – High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
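The definitions above (x_{k+1} = A x_k, Hp_xk = B^T ok, LPA/HPA by hop count to the final state) put together as an added Python example; it is not code from the dissertation. It assumes the flattened A and B digits from the canonical-form slide are read row by row (the reading under which the initial state x0 has successors), and it replaces the slides' score computation with a simpler rule: keep the states that are both reachable and compatible with the observable, and hold the previous hypotheses when an observable fits none of them. All function names are hypothetical.

```python
"""Boolean tracking of a WPM threat model with LPA/HPA levels (added example)."""

# Flattened digits copied from the "Algebraic Canonical Form" slide.
# ASSUMPTION: they are read row by row; the slide does not say so.
A_FLAT = "0110000010010010100100000"        # n x n state transitions, n = 5
B_FLAT = "100010100000110110100010010001"   # q x n emissions, q = 6
N_STATES, N_OBS = 5, 6
X0, XF = 5, 1   # x0 = 00001 and xF = 10000 written as 1-based state numbers


def reshape(flat, rows, cols):
    if len(flat) != rows * cols or set(flat) - {"0", "1"}:
        raise ValueError("expected %d binary digits" % (rows * cols))
    return [[int(flat[r * cols + c]) for c in range(cols)] for r in range(rows)]


A = reshape(A_FLAT, N_STATES, N_STATES)
B = reshape(B_FLAT, N_OBS, N_STATES)


def successors(state):
    """x_{k+1} = A x_k for one state: column `state` of A lists what it reaches."""
    return {r + 1 for r in range(N_STATES) if A[r][state - 1]}


def hypothetic_states(obs):
    """Hp_x_k = B^T o_k: hidden states that can emit observable `obs`."""
    if not 1 <= obs <= N_OBS:
        return set()
    return {c + 1 for c in range(N_STATES) if B[obs - 1][c]}


def hops_to_final():
    """Minimum number of transitions from each state to xF (backward search)."""
    dist, frontier, level = {XF: 0}, {XF}, 0
    while frontier:
        level += 1
        frontier = {s for s in range(1, N_STATES + 1)
                    if s not in dist and successors(s) & frontier}
        dist.update((s, level) for s in frontier)
    return dist


HOPS = hops_to_final()
RANK = {"NONE": 0, "LPA": 1, "HPA": 2, "FINAL": 3}


def hazard(state):
    """HPA: 1 hop from xF; LPA: at least 2 hops; FINAL: xF itself."""
    hops = HOPS.get(state)
    if hops is None:
        return "NONE"
    if hops == 0:
        return "FINAL"
    return "HPA" if hops == 1 else "LPA"


def track(observations):
    """Return (step, candidate states, worst hazard level, unexplained flag)."""
    candidates, report = {X0}, []
    for k, obs in enumerate(observations, start=1):
        predicted = set()
        for s in candidates:
            predicted |= successors(s)
        consistent = predicted & hypothetic_states(obs)
        if consistent:               # otherwise hold the previous hypotheses
            candidates = consistent
        level = max((hazard(s) for s in candidates), key=RANK.get)
        report.append((k, sorted(candidates), level, not consistent))
    return report


def first_alarm(observations):
    """Observation step at which an HPA (or final) state is first reached."""
    for k, _states, level, _unexplained in track(observations):
        if RANK[level] >= RANK["HPA"]:
            return k
    return None


if __name__ == "__main__":
    for row in track([4, 2, 6]):     # constructed observable sequence
        print(row)
```

When an observable is compatible with several reachable states the worst hazard level among them is reported, so ambiguous observables raise the alarm early, which is one source of false positives.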
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
[Figure labels: Hypothetic Free States (Free_xk), k obs, WML]
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic system of equations should be solved for a, m, c, b, which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3+3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that even capturing all N nodes in the network the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
ADL Component
[Figure: block diagram of the ADL component. Blocks: ADL, AG, TM, AR, WML, LCD, NetManager, Comms, Tuple Space, Remote Tuple Space; signals: ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs.]
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
29
1
3
2
E
E
3 1
4
3
15 0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
Security Analysis
1
3 E
E
3 1
4
3
15
E
21
6
1
0
100
200
300
400
500
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31obs
scor
e
(WH)
(WH)
(WH)
(WH)
(SH)
(SH)
Doctorate Dissertation LrsquoAquila March 31st 2009
30
(9)
X_9RESET
X_10SUCCESSFULLY
THREAT
991 990
-10
-1000
(12)990
(87)
X_8
(34)
X_3
990
(56)
X_510
(78)
X_610
X_4
(34)
X_210
(65)
X_7
(12)
X_110
990
-1001
Aggregated Threat Model (II)
UPA state
Doctorate Dissertation LrsquoAquila March 31st 2009
31
Cost Analysisbull MICA2 8-bit processor ATMega128L 74 MHz) and assuming 20
clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 3 s
bull IMOTE 32-bit processor PXA271Xscale312 416 MHz) and assuming 5 clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
bull Memory usage is bytes2n3WMLn
nWML Number of 32-bit
operations
Estimated computation
time (assuming
MICA2 motes)
Estimated computation
time (assuming
IMOTE motes)
Estimated memory usage
(assuming 10n )
50 30000 100 ms 1 s 350 bytes 100 60000 200 ms 2 s 400 bytes
1000 600000 2 s 20 s 1300 bytes
Doctorate Dissertation LrsquoAquila March 31st 2009
32
AGILLA MA-AEEbull AGILLA is a mobile agent-based MW running on TinyOSbull Inter-agent communication via Tuple Space (rarr threat obs aggregation) bull Agents migrates via MOVE or CLONE (rarr agent propagation across DCST)bull STRONG or WEAK agent migrationbull Neighbor List (rarr admissible neighbors according to PNT graph)
TinyOS
Node (11)
Tuplespace
Agilla Middleware
Agents
TinyOS
Node (21)
Tuplespace
Agilla Middleware
Agentsmigrate
remote accessNeighbor
ListNeighbor
ListMiddleware Services Middleware Services
migrate
clone
MA-
AEE
[source Fok C-L et al ldquoAgilla A Mobile Agent Middleware for Sensor Networksrdquo Tech Report WUCSE-2006-16 2006]
Doctorate Dissertation LrsquoAquila March 31st 2009
33
Enhanced AGILLA MA-AEE
Underlying WSN Deployment
Secure Platform
AGILLA MA-AEE
Agent-based Applications
SWcomponent
SWcomponent
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Agent A1 AgentA2 AgentAn
Localmemory
AGILLAservices
Tuple space
Doctorate Dissertation LrsquoAquila March 31st 2009
34
IDS Functions Mapping
IRA
DefenseStrategy
AnomalyDetection
Logic
AlarmTracking
Countermeasure Application
Controlmessages
ThreatModel
LCD
IDSCore comp IRA
IDSMA comp
Intrusion Reaction Agent
Doctorate Dissertation LrsquoAquila March 31st 2009
35
IRA forward-propagation vs
Threat Observables back-propagation
IRA
Al[s] ok
IRAclone
1AGILLA MA-AEE
4AGILLA MA-AEE
5AGILLA MA-AEE
Al[s] ok
Al[s] ok Al[s] okAl[s] ok
3AGILLA MA-AEE
6AGILLA MA-AEE
2AGILLA MA-AEE
IRAclone
This mechanism avoids the injections of new IRA instances from the sink
Doctorate Dissertation LrsquoAquila March 31st 2009
36
WINSOME PBD (II)
Underlying WSN Deployment
AGILLA MA-AEE
IRAMonitoring Applications
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Integrity Monitoring
Agent
otheragents
AnomalyDetection
LogicThreatModel TAKS ARCHEA
Secure Platform
NetManagerLCDTuple Space
AGILLAservices
IDS core comp
Doctorate Dissertation LrsquoAquila March 31st 2009
37
Secure Platform internal Structure
AGILLA MA-AEEcm[s]
ok
al[sk]
al[sk]
Comms
NetManager
al[sk]
cm[s]
ok
Secure Platform
Control Msgs
Tuple Space
IRA
AGILLA MA-AEE
Remote Tuple Space
IRA
TMok
Hp_xk
ok
ADL
IRLIRLA
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
38
Next steps (near-term)bull Finalization of WINSOME components development
ndash on-going implementations of AGILLA enhancements bull 2 theses finalized 1 thesis in on-going
bull Extensions of WPM-based IDS to data messages ndash on-going jointly with UC Berkeley
bull Enhancements of WPM technique to reduce false positivesbull Extension of TAKS to cluster keys
Doctorate Dissertation LrsquoAquila March 31st 2009
39
Next steps (mid-term)
Anomaly Detectionapplied to sensed
data
Agent basedSW design
Further WPM-based
Threat Modeling
DetectionProcess
Threat Identification Mechanisms
Applications to Hybrid Systems
Control
MonitoringTheory
MWService SupportEnhancement
CooperativeCommunication
s
WINSOME Project
DefenceStrategies
Doctorate Dissertation LrsquoAquila March 31st 2009
40
Scientific Contributions[1]M Pugliese and F Santucci ldquoPair-wise Network Topology Authenticated
Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebrardquo in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08) Atlanta 2008
[2]M Pugliese A Giani and F Santucci ldquoA Weak Process Approach to Anomaly Detection in Wireless Sensor Networksrdquo in 1st International Workshop on Sensor Networks (SN08) Virgin Islands 2008
Doctorate Dissertation LrsquoAquila March 31st 2009
41
In preparationbull M Pugliese A Giani and F Santucci ldquoWeak Process Models for
Attack Detection in a Clustered Sensor Network using Mobile Agentsrdquo submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
bull M Pugliese and F Santucci ldquoA Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
bull M Pugliese L Pomante and F Santucci ldquoAgent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
Doctorate Dissertation LrsquoAquila March 31st 2009
42
AcronymsADL Anomaly Detection LogicAR Anomaly RulesAGILLA AGile bombILLAARCHEA Available Resource Cluster-Head Election AlgorithmDCST Dynamic Clustered Spanning TreeDLP Discrete Logarithm ProblemGF Galois FieldHMM Hidden Markov ModelHPA High Potential AttackIDS Intrusion Detection SystemIRA Intrusion Reaction AgentIRL Intrusion Reaction LogicLCD Local Configuration DataLPA Low Potential AttackTAKS Topology Authenticated Key SchemeTGMP TAK Generation Management ProtocolWINSOME WIreless sensor Network-based Secure system fOr
structural integrity Monitoring and alErtingWML WPM Memory LengthWPM Weak Process ModelWSN Wireless Sensor Network
Doctorate Dissertation LrsquoAquila March 31st 2009
43
Grazie per lrsquoAttenzione
Doctorate Dissertation LrsquoAquila March 31st 2009
44
BACKUP SLIDES
Doctorate Dissertation LrsquoAquila March 31st 2009
45
Underlying WSNPhysical WSN Deployment
bull Metricsndash Sensor Node Density (SND) It is defined as the ratio between
the number of sensor nodes and the aggregated coverage (supposing circular areas r = 1) generated by each sensor node
ndash Overlapping Detection Spot Percentage (ODSP) It is defined as the percentage of the aggregated overlapped coverage generated by all SND respect to the coverage area generated by a generic sensor node
bull Coverage-cost criteriandash Minimize SNDODSP to mimimize coverage redundancy for a
given SND ndash Minimize SNDODSP to maximize coverage reliability for a given
SND
Doctorate Dissertation LrsquoAquila March 31st 2009
46
Underlying WSNCoverage-cost Quality Indicators
bull The minimum for the product SNDODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
bull The minimum for the ratio SNDODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell SND ODSP SNDODSP SND ODSP SNs at the centre of hexagon 033 034 011 097 SNs at the centre of square 033 072 024 046 SNs at the vertices of hexagon 036 234 084 015 SNs at the vertices of square 036 156 056 023
Doctorate Dissertation LrsquoAquila March 31st 2009
47
18
23
5
11
4
17
8
1
20
15
9
21
24
19
25
16 6 13 10 22
12 3 2 7 14
Underlying WSNDCST Deployment
Doctorate Dissertation LrsquoAquila March 31st 2009
48
11
4
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
57
TAK Authentication Theorem
In a node pair ni and nj if t σ(i) exists such that g(t ktj) = t bullktj = 0 then node nj is authenticated by node ni Viceversa if t σ(j) exists such that g(t kti) = t bullkti = 0 then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
bull LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical ldquoplannedrdquo neighbors for node ibull TAK authentication needs of
ndash TrKeyCompj vector ktj from node nj (the prover) ndash LocPldTopi vector t for node ni (the verifier) ndash If ktj ti = 0 then node nj is admissible ie included in the Planned Network Topology
bull The verification function g() is defined as the scalar product between t and kt this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
  - Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  - High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
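The state tracking and hazard levels described above, as an added example (not code from the dissertation). The matrices are constructed for illustration and are not the ones on the slides; the candidate set is simply the A-propagated states intersected with Hp_xk, not the slides' trace and score formulas, and both the alarm-on-any-HPA-candidate rule and the restart on an inconsistent observable are assumptions.

```python
from collections import deque

# Constructed model, NOT the matrices from the slides: 5 states, 4 observables.
# Canonical form as on the page: x_{k+1} = A x_k, o_k = B x_k, so column i of A
# marks the states reachable from state i and column i of B its observables.
A = [
    [0, 0, 0, 0, 0],
    [1, 0, 0, 0, 0],
    [1, 0, 0, 0, 0],
    [0, 1, 1, 0, 0],
    [0, 0, 0, 1, 0],
]
B = [
    [1, 0, 0, 0, 0],
    [0, 1, 1, 0, 0],
    [0, 0, 1, 1, 0],
    [0, 0, 0, 1, 1],
]
X0 = [1, 0, 0, 0, 0]  # initial state: state 0
XF = [0, 0, 0, 0, 1]  # final state: state 4


def bool_matvec(m, v):
    """Binary matrix-vector product: entry j is 1 if some m[j][i] and v[i] are both 1."""
    return [int(any(a and b for a, b in zip(row, v))) for row in m]


def transpose(m):
    return [list(col) for col in zip(*m)]


def engaged_states(b, obs):
    """Hp_x_k = B^T o_k for a one-hot observable vector o_k."""
    o = [int(i == obs) for i in range(len(b))]
    return bool_matvec(transpose(b), o)


def hops_to_final(a, xf):
    """Shortest hop count from every state to the final state (None if unreachable)."""
    n = len(a)
    final = xf.index(1)
    dist = [None] * n
    dist[final] = 0
    queue = deque([final])
    while queue:
        j = queue.popleft()
        for i in range(n):  # a[j][i] == 1 means a transition i -> j
            if a[j][i] and dist[i] is None:
                dist[i] = dist[j] + 1
                queue.append(i)
    return dist


def hazard_level(hops):
    """HPA: 1 hop to the final state; LPA: at least 2 hops; otherwise no level."""
    if hops == 1:
        return "HPA"
    if hops is not None and hops >= 2:
        return "LPA"
    return None  # the final state itself, or a state that cannot reach it


def track(a, b, x0, xf, observations):
    """Follow the candidate (hidden) states through a sequence of observables."""
    dist = hops_to_final(a, xf)
    x = x0
    report = []
    for k, obs in enumerate(observations, start=1):
        hp = engaged_states(b, obs)
        predicted = bool_matvec(a, x)
        cand = [p & h for p, h in zip(predicted, hp)]
        consistent = any(cand)
        if not consistent:
            cand = hp  # assumption: restart the trace from the engaged states
        states = [i for i, bit in enumerate(cand) if bit]
        levels = sorted({hazard_level(dist[s]) for s in states} - {None})
        report.append({"k": k, "states": states, "levels": levels,
                       "consistent": consistent, "alarm": "HPA" in levels})
        x = cand
    return report


if __name__ == "__main__":
    for row in track(A, B, X0, XF, [1, 2, 3]):
        print(row)
```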
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
Hypothetic Free States (Free_xk); figure labels: k obs, WML
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem, DLP)
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equation system should be solved for a, m, c, b, which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
[Figure: ADL Component. Labels: WML, ok, Hp_xk, Tuple Space, Remote Tuple Space, AG, AR, TM, LCD, NetManager, Comms, al[sk], TGMP msgs, ARCHEA msgs]
[Figure: AG sub-Component. Labels: al[sk], Hp_xk, Free_xi (i < k), Free_xk, Tuple Space, WML, Score Computation, Trace Estimation, TM]
[Figure: TM Component. Labels: Hp_xk, TM (A, B, x0, xF), ok, AG, AR, Remote Tuple Space, ADL]
[Figure: NetManager Component. Labels: LCD, Comms, TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], Tuple Space, TAKS, ARCHEA, AR, TAKgen ok/ko]
[Figure: TAKS Component. Labels: Network Topology Authentication, Key Generation, LCD, klj, ktj, σ(j), cm[s], Tuple Space, ARCHEA, AR, TAKgen ok/ko, ReplaceKey, RevokeKey, TinySec, Comms, TGMP, TGMP msgs, RELEASE_ind(niCH)]
[Figure: ARCHEA Component. Labels: Route Cost Computation, ARCHEA Manager, TAKS, Comms, AR, ARCHEA msgs, RELEASE_ind(niCH)]
[Figure: TAK Gen Management Prot (TGMP), message sequence between ni (LCDi) and nj (LCDj), steps (1) and (2). Labels: RELEASE_ind(niCH) from ARCHEA; SETUP(kti), SETUP(ktj); tj · ktj = 0, ti · kti = 0; TAK i = f(kli, ktj), TAK j = f(klj, kti); RELEASE(kti, ktj); TAK-ciphered link; TinySec RevokeKey(TAK), TinySec ReplaceKey(TAK)]
[Figure: ARCHEA Protocol, message sequence among ni (LCDi), nj (LCDj) and nl. Labels: (1) EVALUATE_RC(hi, σi); ni = CH = min RCi; UDPATE_H(hj), UDPATE_H(hl), RESET_H; hj = hl + 1; σi = AN[σ(ni)]; (2) RELEASE_ind(niCH) to TAKS; TAK-ciphered link]
[Figure: Aggregated Threat Model (II). State graph with states X_1 to X_10, X_9 = RESET, X_10 = SUCCESSFULLY THREAT; edge labels (12), (34), (56), (65), (78), (87), (9); scores 10, 990, 991, -10, -1000, -1001; UPA state marked]
Cost Analysis
• MICA2 (8-bit processor ATMega128L, 7.4 MHz): assuming 20 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 3 s
• IMOTE (32-bit processor PXA271 XScale, 312/416 MHz): assuming 5 clock cycles per arithmetic logic operation, the average computation time per 32-bit operation is 0.03 s (assuming a conservative 300 MHz clock)
• Memory usage is nWML + 3n^2 bytes

nWML | Number of 32-bit operations | Estimated computation time (assuming MICA2 motes) | Estimated computation time (assuming IMOTE motes) | Estimated memory usage (assuming n = 10)
50 | 30000 | 100 ms | 1 s | 350 bytes
100 | 60000 | 200 ms | 2 s | 400 bytes
1000 | 600000 | 2 s | 20 s | 1300 bytes
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two nodes, Node (1,1) and Node (2,1), each with TinyOS, Agilla Middleware (Middleware Services, Tuplespace, Neighbor List) and Agents; arrows labelled migrate, clone and remote access; MA-AEE]
[source: Fok C.-L. et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech. Report WUCSE-2006-16, 2006]
[Figure: Enhanced AGILLA MA-AEE. Labels: Underlying WSN Deployment, Sensor Nodes, Secure Platform, SW components, AGILLA MA-AEE, AGILLA services, Tuple space, Local memory, Agent-based Applications, Agent A1, Agent A2, Agent An]
[Figure: IDS Functions Mapping. Labels: IRA (Intrusion Reaction Agent), Defense Strategy, Anomaly Detection Logic, Alarm Tracking, Countermeasure Application, Control messages, Threat Model, LCD, IDS Core comp, IDS MA comp]
[Figure: IRA forward-propagation vs Threat Observables back-propagation. Six AGILLA MA-AEE nodes numbered 1 to 6; labels: IRA, IRA clone, Al[s], ok]
This mechanism avoids the injection of new IRA instances from the sink
[Figure: WINSOME PBD (II). Labels: Underlying WSN Deployment, Sensor Nodes, Secure Platform, NetManager, LCD, Tuple Space, TAKS, ARCHEA, IDS core comp, Anomaly Detection Logic, Threat Model, AGILLA MA-AEE, AGILLA services, Monitoring Applications, IRA, Integrity Monitoring Agent, other agents]
[Figure: Secure Platform internal Structure. Labels: AGILLA MA-AEE, IRA, Tuple Space, Remote Tuple Space, Secure Platform, NetManager, Comms, Control Msgs, TM, ADL, IRL, IRLA, LCD; signals cm[s], ok, al[sk], Hp_xk]
Next steps (near-term)
• Finalization of WINSOME components development
  - on-going implementations of AGILLA enhancements
    • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
  - on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
[Figure: Next steps (mid-term). Labels: WINSOME Project; Anomaly Detection applied to sensed data; Agent-based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008

In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention

BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
  - Sensor Node Density (SND): defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  - Overlapping Detection Spot Percentage (ODSP): defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  - Minimize SND·ODSP to minimize coverage redundancy for a given SND
  - Minimize SND/ODSP to maximize coverage reliability for a given SND

Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP
SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97
SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46
SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15
SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23
[Figure: Underlying WSN: DCST Deployment. Layout of 25 nodes, numbered 1 to 25]
[Figures, five consecutive slides: Underlying WSN: DCST Self-Organization. Successive layouts of the same numbered nodes]
Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

Configuration | <CH> | <σ> | <h>
DCST-Deployment | 0.36 | 0.33 | 0.80
DCST-SO, down 3 | 0.38 | 0.32 | 0.84
DCST-SO, down 3-4 | 0.39 | 0.31 | 0.87
DCST-SO, down 3-4-11 | 0.45 | 0.26 | 1.03
DCST-SO, down 3-4-11-8 | 0.48 | 0.25 | 1.17
DCST-SO, rearrange 12 | 0.48 | 0.25 | 1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple where ux, uy, uz are elements in GF(q)
• Let a function satisfying the following requirements:
  R1: be a one-way function
  R2: must hold for
  where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: be a one-way function
  R4: V(v, v') = 0 only for a particular subset of values v, v' ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
const)u(f)u(f)u(f)u(f Uuu
TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a' ∈ A if m ∈ M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) (not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for where m ∈ M satisfied Ass (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
   for where (hereafter omitted) is the mod q product
e. Let kl, k'l ∈ KL ⊂ U (private) and kt, k't ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that for the generic kt ∈ KT is t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a), s' = mf(a')
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor of node i
• TAK authentication needs:
  - TrKeyCompj: vector ktj from node nj (the prover)
  - LocPldTopi: vector t for node ni (the verifier)
  - If ktj • ti = 0, then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
31
Cost Analysisbull MICA2 8-bit processor ATMega128L 74 MHz) and assuming 20
clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 3 s
bull IMOTE 32-bit processor PXA271Xscale312 416 MHz) and assuming 5 clock cycles per arithmetic logic operation the average computation time per 32-bit operation is 003 s (assuming a conservative 300 MHz clock)
bull Memory usage is bytes2n3WMLn
nWML Number of 32-bit
operations
Estimated computation
time (assuming
MICA2 motes)
Estimated computation
time (assuming
IMOTE motes)
Estimated memory usage
(assuming 10n )
50 30000 100 ms 1 s 350 bytes 100 60000 200 ms 2 s 400 bytes
1000 600000 2 s 20 s 1300 bytes
Doctorate Dissertation LrsquoAquila March 31st 2009
32
AGILLA MA-AEEbull AGILLA is a mobile agent-based MW running on TinyOSbull Inter-agent communication via Tuple Space (rarr threat obs aggregation) bull Agents migrates via MOVE or CLONE (rarr agent propagation across DCST)bull STRONG or WEAK agent migrationbull Neighbor List (rarr admissible neighbors according to PNT graph)
TinyOS
Node (11)
Tuplespace
Agilla Middleware
Agents
TinyOS
Node (21)
Tuplespace
Agilla Middleware
Agentsmigrate
remote accessNeighbor
ListNeighbor
ListMiddleware Services Middleware Services
migrate
clone
MA-
AEE
[source Fok C-L et al ldquoAgilla A Mobile Agent Middleware for Sensor Networksrdquo Tech Report WUCSE-2006-16 2006]
Doctorate Dissertation LrsquoAquila March 31st 2009
33
Enhanced AGILLA MA-AEE
Underlying WSN Deployment
Secure Platform
AGILLA MA-AEE
Agent-based Applications
SWcomponent
SWcomponent
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Agent A1 AgentA2 AgentAn
Localmemory
AGILLAservices
Tuple space
Doctorate Dissertation LrsquoAquila March 31st 2009
34
IDS Functions Mapping
IRA
DefenseStrategy
AnomalyDetection
Logic
AlarmTracking
Countermeasure Application
Controlmessages
ThreatModel
LCD
IDSCore comp IRA
IDSMA comp
Intrusion Reaction Agent
Doctorate Dissertation LrsquoAquila March 31st 2009
35
IRA forward-propagation vs
Threat Observables back-propagation
IRA
Al[s] ok
IRAclone
1AGILLA MA-AEE
4AGILLA MA-AEE
5AGILLA MA-AEE
Al[s] ok
Al[s] ok Al[s] okAl[s] ok
3AGILLA MA-AEE
6AGILLA MA-AEE
2AGILLA MA-AEE
IRAclone
This mechanism avoids the injections of new IRA instances from the sink
Doctorate Dissertation LrsquoAquila March 31st 2009
36
WINSOME PBD (II)
Underlying WSN Deployment
AGILLA MA-AEE
IRAMonitoring Applications
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Integrity Monitoring
Agent
otheragents
AnomalyDetection
LogicThreatModel TAKS ARCHEA
Secure Platform
NetManagerLCDTuple Space
AGILLAservices
IDS core comp
Doctorate Dissertation LrsquoAquila March 31st 2009
37
Secure Platform internal Structure
AGILLA MA-AEEcm[s]
ok
al[sk]
al[sk]
Comms
NetManager
al[sk]
cm[s]
ok
Secure Platform
Control Msgs
Tuple Space
IRA
AGILLA MA-AEE
Remote Tuple Space
IRA
TMok
Hp_xk
ok
ADL
IRLIRLA
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
38
Next steps (near-term)bull Finalization of WINSOME components development
ndash on-going implementations of AGILLA enhancements bull 2 theses finalized 1 thesis in on-going
bull Extensions of WPM-based IDS to data messages ndash on-going jointly with UC Berkeley
bull Enhancements of WPM technique to reduce false positivesbull Extension of TAKS to cluster keys
Doctorate Dissertation LrsquoAquila March 31st 2009
39
Next steps (mid-term)
Anomaly Detectionapplied to sensed
data
Agent basedSW design
Further WPM-based
Threat Modeling
DetectionProcess
Threat Identification Mechanisms
Applications to Hybrid Systems
Control
MonitoringTheory
MWService SupportEnhancement
CooperativeCommunication
s
WINSOME Project
DefenceStrategies
Doctorate Dissertation LrsquoAquila March 31st 2009
40
Scientific Contributions[1]M Pugliese and F Santucci ldquoPair-wise Network Topology Authenticated
Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebrardquo in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08) Atlanta 2008
[2]M Pugliese A Giani and F Santucci ldquoA Weak Process Approach to Anomaly Detection in Wireless Sensor Networksrdquo in 1st International Workshop on Sensor Networks (SN08) Virgin Islands 2008
Doctorate Dissertation LrsquoAquila March 31st 2009
41
In preparationbull M Pugliese A Giani and F Santucci ldquoWeak Process Models for
Attack Detection in a Clustered Sensor Network using Mobile Agentsrdquo submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
bull M Pugliese and F Santucci ldquoA Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
bull M Pugliese L Pomante and F Santucci ldquoAgent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
Doctorate Dissertation LrsquoAquila March 31st 2009
42
AcronymsADL Anomaly Detection LogicAR Anomaly RulesAGILLA AGile bombILLAARCHEA Available Resource Cluster-Head Election AlgorithmDCST Dynamic Clustered Spanning TreeDLP Discrete Logarithm ProblemGF Galois FieldHMM Hidden Markov ModelHPA High Potential AttackIDS Intrusion Detection SystemIRA Intrusion Reaction AgentIRL Intrusion Reaction LogicLCD Local Configuration DataLPA Low Potential AttackTAKS Topology Authenticated Key SchemeTGMP TAK Generation Management ProtocolWINSOME WIreless sensor Network-based Secure system fOr
structural integrity Monitoring and alErtingWML WPM Memory LengthWPM Weak Process ModelWSN Wireless Sensor Network
Doctorate Dissertation LrsquoAquila March 31st 2009
43
Grazie per lrsquoAttenzione
Doctorate Dissertation LrsquoAquila March 31st 2009
44
BACKUP SLIDES
Doctorate Dissertation LrsquoAquila March 31st 2009
45
Underlying WSNPhysical WSN Deployment
bull Metricsndash Sensor Node Density (SND) It is defined as the ratio between
the number of sensor nodes and the aggregated coverage (supposing circular areas r = 1) generated by each sensor node
ndash Overlapping Detection Spot Percentage (ODSP) It is defined as the percentage of the aggregated overlapped coverage generated by all SND respect to the coverage area generated by a generic sensor node
bull Coverage-cost criteriandash Minimize SNDODSP to mimimize coverage redundancy for a
given SND ndash Minimize SNDODSP to maximize coverage reliability for a given
SND
Doctorate Dissertation LrsquoAquila March 31st 2009
46
Underlying WSNCoverage-cost Quality Indicators
bull The minimum for the product SNDODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
bull The minimum for the ratio SNDODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell SND ODSP SNDODSP SND ODSP SNs at the centre of hexagon 033 034 011 097 SNs at the centre of square 033 072 024 046 SNs at the vertices of hexagon 036 234 084 015 SNs at the vertices of square 036 156 056 023
Doctorate Dissertation LrsquoAquila March 31st 2009
47
18
23
5
11
4
17
8
1
20
15
9
21
24
19
25
16 6 13 10 22
12 3 2 7 14
Underlying WSNDCST Deployment
Doctorate Dissertation LrsquoAquila March 31st 2009
48
11
4
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a), s' = mf(a')
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
57
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs:
– TrKeyCompj: vector ktj from node nj (the prover)
– LocPldTopi: vector t for node ni (the verifier)
– If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
58
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi)
k-1
59
WPM-based Threat Model: Algebraic Canonical Form
xk+1 = A xk
ok = B xk
A: 0110000010010010100100000
B: 100010100000110110100010010001
x0: 00001
xF: 10000
In A, the i-th column gives the states reachable from the i-th state; in B, the i-th column gives the observables of the i-th state
60
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: generation of hypothetic states traces over six observation steps, with observables o1 = 3, o2 = 1, o3 = 4, o4 = 2, o5 = 5, o6 = 6. At each step the hypothetic states are obtained as xk = B^T ok and propagated as xk+1 = A xk]
61
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
– Low Potential Attack (LPA): An attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
– High Potential Attack (HPA): An attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
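The definitions above (Hp_xk = B^T ok, xk+1 = A xk, and the LPA/HPA hazard levels) can be exercised with a small tracker. This is an added example, not code from the dissertation or the WINSOME project: the matrices A and B are a constructed sample model, and intersecting the predicted states with the hypothetic engaged states (falling back to the engaged states when the intersection is empty) is an assumption of this sketch.

```python
from collections import deque

# Constructed sample model (NOT the matrices shown on the slides).
# Slide convention: column i of A lists the states reachable from state i,
# column i of B lists the observables that state i can emit.
A = [  # A[j][i] == 1  <=>  transition i -> j is possible
    [0, 1, 0, 0, 0],
    [0, 0, 1, 1, 0],
    [0, 0, 0, 0, 1],
    [0, 0, 1, 0, 1],
    [0, 0, 0, 0, 0],
]
B = [  # B[o][x] == 1  <=>  state x can emit observable o
    [0, 0, 0, 0, 1],
    [0, 0, 1, 1, 0],
    [0, 1, 0, 1, 0],
    [1, 0, 0, 0, 0],
]
X0, XF = 4, 0  # initial and final state indices (constructed)


def bool_matvec(M, v):
    """Boolean matrix-vector product: out[j] = OR_i (M[j][i] AND v[i])."""
    return [int(any(m and x for m, x in zip(row, v))) for row in M]


def unit(n, i):
    """Indicator vector of length n with a single 1 at position i."""
    return [int(j == i) for j in range(n)]


def hp_states(o):
    """Hypothetic engaged states for observable o: Hp_x = B^T o."""
    b_t = [list(col) for col in zip(*B)]
    return bool_matvec(b_t, unit(len(B), o))


def hops_to_final():
    """Minimum hop count from every state to the final state (reverse BFS)."""
    dist = {XF: 0}
    queue = deque([XF])
    while queue:
        j = queue.popleft()
        for i in range(len(A)):
            if A[j][i] and i not in dist:  # i is a predecessor of j
                dist[i] = dist[j] + 1
                queue.append(i)
    return dist


def hazard(candidates, dist):
    """HPA if any candidate is 1 hop from the final state, LPA if >= 2 hops."""
    hops = [dist[s] for s in candidates if s in dist]
    if 1 in hops:
        return "HPA"
    if any(h >= 2 for h in hops):
        return "LPA"
    return None


def track(observations):
    """Return (candidate states, hazard level, alarm) per observation step."""
    dist = hops_to_final()
    x = unit(len(A), X0)
    steps = []
    for o in observations:
        predicted = bool_matvec(A, x)   # x_{k+1} = A x_k
        engaged = hp_states(o)          # Hp_x_k = B^T o_k
        x = [p & e for p, e in zip(predicted, engaged)]
        if not any(x):                  # assumption: observation not explained
            x = engaged                 # by the trace, restart from Hp_x_k
        candidates = [i for i, bit in enumerate(x) if bit]
        level = hazard(candidates, dist)
        steps.append((candidates, level, level == "HPA"))
    return steps


if __name__ == "__main__":
    for step in track([1, 2]):
        print(step)
```

With the constructed model, the observable sequence 1, 2 moves the candidate set from two LPA states to a set containing an HPA state, which is the point at which an alarm al[sk] would be issued.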
62
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
63
Threat Score Computation
Hypothetic Free States (Free_xk)
kobs
WML
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
64
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
65
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
66
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic system of equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 – Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
67
ADL Component
[Diagram: ADL component. Elements shown: WML, AG, TM, AR, LCD, Tuple Space, Remote Tuple Space, NetManager, Comms. Labelled flows: ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs]
68
AG sub-Component
[Diagram: AG sub-component. Elements shown: Trace Estimation, Score Computation, WML, TM, Tuple Space. Labelled flows: Hp_xk, Free_xk, Free_xi<k, al[sk]]
69
TM Component
[Diagram: TM component. Elements shown: TM (A, B, x0, xF), AG, AR, ADL, Remote Tuple Space. Labelled flows: ok, Hp_xk]
70
NetManager Component
[Diagram: NetManager component. Elements shown: NetManager, TAKS, ARCHEA, LCD, Comms, AR, Tuple Space. Labelled flows: TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen ok/ko]
71
TAKS Component
[Diagram: TAKS component. Elements shown: Network Topology Authentication, Key Generation, TGMP, LCD, TinySec, Comms, ARCHEA, AR, Tuple Space. Labelled flows: klj, ktj, σ(j), cm[s], TAKgen ok/ko, ReplaceKey, RevokeKey, TGMP msgs, RELEASE_ind(niCH)]
72
ARCHEA Component
[Diagram: ARCHEA component. Elements shown: Route Cost Computation, ARCHEA Manager, TAKS, Comms, AR. Labelled flows: ARCHEA msgs, RELEASE_ind(niCH)]
73
TAK Gen Management Prot (TGMP)
[Sequence diagram between nodes ni and nj, with LCDi and LCDj. Labels shown: (1) SETUP(kti), SETUP(ktj); tj · ktj = 0, ti · kti = 0; TAK i = f(kli, ktj), TAK j = f(klj, kti); TAK-ciphered link; (2) RELEASE(kti, ktj); RELEASE_ind(niCH) from ARCHEA; TinySec RevokeKey(TAK), TinySec ReplaceKey(TAK)]
74
ARCHEA Protocol
[Sequence diagram between nodes ni, nj and nl, with LCDi and LCDj. Labels shown: (1) EVALUATE_RC(hi, σi); ni = CH = min RCi; UDPATE_H(hj), UDPATE_H(hl), RESET_H; hj = hl+1; σi = AN[σ(ni)]; (2) RELEASE_ind(niCH) to TAKS; TAK-ciphered link]
32
AGILLA MA-AEE
• AGILLA is a mobile agent-based MW running on TinyOS
• Inter-agent communication via Tuple Space (→ threat obs aggregation)
• Agents migrate via MOVE or CLONE (→ agent propagation across DCST)
• STRONG or WEAK agent migration
• Neighbor List (→ admissible neighbors according to PNT graph)
[Figure: two TinyOS nodes, Node (1,1) and Node (2,1), each running the Agilla Middleware with Agents, a Tuplespace, a Neighbor List and Middleware Services; labelled arrows: migrate, clone, remote access]
[source: Fok C-L et al., "Agilla: A Mobile Agent Middleware for Sensor Networks", Tech. Report WUCSE-2006-16, 2006]
33
Enhanced AGILLA MA-AEE
[Diagram: layered architecture. Layers shown: Underlying WSN Deployment (Sensor Nodes), Secure Platform (SW components), AGILLA MA-AEE (AGILLA services, Tuple space, Local memory), Agent-based Applications (Agent A1, Agent A2, … Agent An)]
34
IDS Functions Mapping
[Diagram: mapping of IDS functions. Elements shown: Anomaly Detection Logic, Threat Model, LCD (IDS Core comp); Defense Strategy, Alarm Tracking, Countermeasure Application, Control messages (IDS MA comp); IRA (Intrusion Reaction Agent)]
35
IRA forward-propagation vs Threat Observables back-propagation
[Diagram: six nodes (1 to 6), each running AGILLA MA-AEE; IRA and IRA clones propagate forward across the nodes while Al[s] and ok propagate back]
This mechanism avoids the injection of new IRA instances from the sink
36
WINSOME PBD (II)
[Diagram: layered architecture. Elements shown: Underlying WSN Deployment (Sensor Nodes); Secure Platform (NetManager, LCD, Tuple Space, TAKS, ARCHEA, and the IDS core comp with Anomaly Detection Logic and Threat Model); AGILLA MA-AEE (AGILLA services); IRA and Monitoring Applications (Integrity Monitoring Agent, other agents)]
37
Secure Platform internal Structure
[Diagram: Secure Platform internal structure. Elements shown: AGILLA MA-AEE, IRA, IRL, IRLA, ADL, TM, LCD, NetManager, Comms, Tuple Space, Remote Tuple Space. Labelled flows: ok, Hp_xk, al[sk], cm[s], Control Msgs]
38
Next steps (near-term)
• Finalization of WINSOME components development
– on-going implementations of AGILLA enhancements
  • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
– on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
39
Next steps (mid-term)
[Diagram: research topics around the WINSOME Project. Labels shown: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems; Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]
40
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
41
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
42
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
43
Thank you for your attention
44
BACKUP SLIDES
45
Underlying WSN: Physical WSN Deployment
• Metrics
– Sensor Node Density (SND): It is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
– Overlapping Detection Spot Percentage (ODSP): It is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
– Minimize SND·ODSP to minimize coverage redundancy for a given SND
– Minimize SND/ODSP to maximize coverage reliability for a given SND
46
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)
Fundamental Cell                  SND    ODSP   SND·ODSP   SND/ODSP
SNs at the centre of hexagon      0.33   0.34   0.11       0.97
SNs at the centre of square       0.33   0.72   0.24       0.46
SNs at the vertices of hexagon    0.36   2.34   0.84       0.15
SNs at the vertices of square     0.36   1.56   0.56       0.23
47
Underlying WSN: DCST Deployment
[Figure: DCST over nodes numbered 1 to 25]
48
Underlying WSN: DCST Self-Organization
[Figure: DCST self-organization step, nodes numbered 1 to 25]
49
Underlying WSN: DCST Self-Organization
[Figure: DCST self-organization step, nodes numbered 1 to 25]
50
Underlying WSN: DCST Self-Organization
[Figure: DCST self-organization step, nodes numbered 1 to 25]
51
Underlying WSN: DCST Self-Organization
[Figure: DCST self-organization step, nodes numbered 1 to 25]
52
Underlying WSN: DCST Self-Organization
[Figure: DCST self-organization step, nodes numbered 1 to 25]
53
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network
Configuration               <CH>   <σ>    <h>
DCST-Deployment             0.36   0.33   0.80
DCST-SO, down 3             0.38   0.32   0.84
DCST-SO, down 3-4           0.39   0.31   0.87
DCST-SO, down 3-4-11        0.45   0.26   1.03
DCST-SO, down 3-4-11-8      0.48   0.25   1.17
DCST-SO, rearrange 12       0.48   0.25   1.10
Doctorate Dissertation LrsquoAquila March 31st 2009
33
Enhanced AGILLA MA-AEE
Underlying WSN Deployment
Secure Platform
AGILLA MA-AEE
Agent-based Applications
SWcomponent
SWcomponent
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Agent A1 AgentA2 AgentAn
Localmemory
AGILLAservices
Tuple space
Doctorate Dissertation LrsquoAquila March 31st 2009
34
IDS Functions Mapping
IRA
DefenseStrategy
AnomalyDetection
Logic
AlarmTracking
Countermeasure Application
Controlmessages
ThreatModel
LCD
IDSCore comp IRA
IDSMA comp
Intrusion Reaction Agent
Doctorate Dissertation LrsquoAquila March 31st 2009
35
IRA forward-propagation vs
Threat Observables back-propagation
IRA
Al[s] ok
IRAclone
1AGILLA MA-AEE
4AGILLA MA-AEE
5AGILLA MA-AEE
Al[s] ok
Al[s] ok Al[s] okAl[s] ok
3AGILLA MA-AEE
6AGILLA MA-AEE
2AGILLA MA-AEE
IRAclone
This mechanism avoids the injections of new IRA instances from the sink
Doctorate Dissertation LrsquoAquila March 31st 2009
36
WINSOME PBD (II)
Underlying WSN Deployment
AGILLA MA-AEE
IRAMonitoring Applications
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Integrity Monitoring
Agent
otheragents
AnomalyDetection
LogicThreatModel TAKS ARCHEA
Secure Platform
NetManagerLCDTuple Space
AGILLAservices
IDS core comp
Doctorate Dissertation LrsquoAquila March 31st 2009
37
Secure Platform internal Structure
AGILLA MA-AEEcm[s]
ok
al[sk]
al[sk]
Comms
NetManager
al[sk]
cm[s]
ok
Secure Platform
Control Msgs
Tuple Space
IRA
AGILLA MA-AEE
Remote Tuple Space
IRA
TMok
Hp_xk
ok
ADL
IRLIRLA
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
38
Next steps (near-term)bull Finalization of WINSOME components development
ndash on-going implementations of AGILLA enhancements bull 2 theses finalized 1 thesis in on-going
bull Extensions of WPM-based IDS to data messages ndash on-going jointly with UC Berkeley
bull Enhancements of WPM technique to reduce false positivesbull Extension of TAKS to cluster keys
Doctorate Dissertation LrsquoAquila March 31st 2009
39
Next steps (mid-term)
Anomaly Detectionapplied to sensed
data
Agent basedSW design
Further WPM-based
Threat Modeling
DetectionProcess
Threat Identification Mechanisms
Applications to Hybrid Systems
Control
MonitoringTheory
MWService SupportEnhancement
CooperativeCommunication
s
WINSOME Project
DefenceStrategies
Doctorate Dissertation LrsquoAquila March 31st 2009
40
Scientific Contributions[1]M Pugliese and F Santucci ldquoPair-wise Network Topology Authenticated
Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebrardquo in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08) Atlanta 2008
[2]M Pugliese A Giani and F Santucci ldquoA Weak Process Approach to Anomaly Detection in Wireless Sensor Networksrdquo in 1st International Workshop on Sensor Networks (SN08) Virgin Islands 2008
Doctorate Dissertation LrsquoAquila March 31st 2009
41
In preparationbull M Pugliese A Giani and F Santucci ldquoWeak Process Models for
Attack Detection in a Clustered Sensor Network using Mobile Agentsrdquo submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
bull M Pugliese and F Santucci ldquoA Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
bull M Pugliese L Pomante and F Santucci ldquoAgent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
Doctorate Dissertation LrsquoAquila March 31st 2009
42
AcronymsADL Anomaly Detection LogicAR Anomaly RulesAGILLA AGile bombILLAARCHEA Available Resource Cluster-Head Election AlgorithmDCST Dynamic Clustered Spanning TreeDLP Discrete Logarithm ProblemGF Galois FieldHMM Hidden Markov ModelHPA High Potential AttackIDS Intrusion Detection SystemIRA Intrusion Reaction AgentIRL Intrusion Reaction LogicLCD Local Configuration DataLPA Low Potential AttackTAKS Topology Authenticated Key SchemeTGMP TAK Generation Management ProtocolWINSOME WIreless sensor Network-based Secure system fOr
structural integrity Monitoring and alErtingWML WPM Memory LengthWPM Weak Process ModelWSN Wireless Sensor Network
Doctorate Dissertation LrsquoAquila March 31st 2009
43
Grazie per lrsquoAttenzione
Doctorate Dissertation LrsquoAquila March 31st 2009
44
BACKUP SLIDES
Doctorate Dissertation LrsquoAquila March 31st 2009
45
Underlying WSNPhysical WSN Deployment
bull Metricsndash Sensor Node Density (SND) It is defined as the ratio between
the number of sensor nodes and the aggregated coverage (supposing circular areas r = 1) generated by each sensor node
ndash Overlapping Detection Spot Percentage (ODSP) It is defined as the percentage of the aggregated overlapped coverage generated by all SND respect to the coverage area generated by a generic sensor node
bull Coverage-cost criteriandash Minimize SNDODSP to mimimize coverage redundancy for a
given SND ndash Minimize SNDODSP to maximize coverage reliability for a given
SND
Doctorate Dissertation LrsquoAquila March 31st 2009
46
Underlying WSNCoverage-cost Quality Indicators
bull The minimum for the product SNDODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
bull The minimum for the ratio SNDODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell SND ODSP SNDODSP SND ODSP SNs at the centre of hexagon 033 034 011 097 SNs at the centre of square 033 072 024 046 SNs at the vertices of hexagon 036 234 084 015 SNs at the vertices of square 036 156 056 023
Doctorate Dissertation LrsquoAquila March 31st 2009
47
18
23
5
11
4
17
8
1
20
15
9
21
24
19
25
16 6 13 10 22
12 3 2 7 14
Underlying WSNDCST Deployment
Doctorate Dissertation LrsquoAquila March 31st 2009
48
11
4
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a' ∈ A if m ∈ M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let f(·) = k b^(m·(·)) be the explicit expression for f(), where m ∈ M satisfies Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
uum2uum2umumumum bkbkkbkbkbkb
for u, u' ∈ U, k ∈ GF(q), where (hereafter omitted) is the mod q product
e. Let kl, k'l ∈ KL ⊂ U (private) and kt, k't ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that for the generic kt ∈ KT is t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = m f(a), s' = m f(a')
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node ni is authenticated by node nj (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to one of the logical "planned" neighbors for node i
• TAK authentication needs:
- TrKeyCompj vector ktj from node nj (the prover)
- LocPldTopi vector t for node ni (the verifier)
- If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k = 0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(x(k+1) = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = [i = 1 … k-1] (xk A • Free_xi)
WPM-based Threat Model: Algebraic Canonical Form
x(k+1) = A xk
ok = B xk
A =
0 1 1 0 0
0 0 0 1 0
0 1 0 0 1
0 1 0 0 1
0 0 0 0 0
(the i-th column gives the states reachable from the i-th state)
B =
1 0 0 0 1
0 1 0 0 0
0 0 1 1 0
1 1 0 1 0
0 0 1 0 0
1 0 0 0 1
(the i-th column gives the observables of the i-th state)
x0 = (0 0 0 0 1)^T
xF = (1 0 0 0 0)^T
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: hypothetic state traces Tr1 and Tr2 built over six observation steps (o1 … o6), alternating xk = B^T ok and x(k+1) = A xk]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
- Low Potential Attack (LPA): An attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops from the final state
- High Potential Attack (HPA): An attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop from the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
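The following is an added example, not code from the thesis or the WINSOME project: a minimal tracker that applies the LPA/HPA hop rule to a deterministic threat model, using Hp_xk = B^T ok and x(k+1) = A xk. The matrices, the observation sequence, all function names and the rule of ignoring observables that no one-step advance explains are assumptions made for illustration; the score matrix S and the WML window are not modelled.

```python
from collections import deque

# Constructed 5-state model, NOT the A/B matrices shown on the slides.
# Convention of the canonical form: column i of A marks the states reachable
# from state i (x_{k+1} = A x_k); column i of B marks the observables that
# state i can emit. Indices are 0-based: state 4 is x0, state 0 is xF.
A = [
    [0, 1, 0, 0, 0],
    [0, 0, 1, 1, 0],
    [0, 0, 0, 1, 0],
    [0, 0, 0, 0, 1],
    [0, 0, 0, 0, 0],
]
B = [
    [0, 0, 0, 1, 0],
    [0, 0, 1, 1, 0],
    [0, 1, 1, 0, 0],
    [1, 0, 0, 0, 0],
]
X0, XF = 4, 0


def hops_to_final(a, final):
    """Minimum hop count from every state to `final` (None if unreachable)."""
    n = len(a)
    dist = [None] * n
    dist[final] = 0
    queue = deque([final])
    while queue:
        r = queue.popleft()
        for c in range(n):              # a[r][c] == 1 means c -> r
            if a[r][c] and dist[c] is None:
                dist[c] = dist[r] + 1
                queue.append(c)
    return dist


def engaged_states(b, obs):
    """Hp_x = B^T o for a one-hot observable: states that can emit `obs`."""
    return {s for s, bit in enumerate(b[obs]) if bit}


def successors(a, states):
    """States reachable in one step from any state in `states` (A x)."""
    return {r for r in range(len(a)) for c in states if a[r][c]}


def hazard_level(states, dist):
    """Worst-case level of a hypothesis set under the LPA/HPA hop rule."""
    hops = [dist[s] for s in states if dist[s] is not None]
    if not hops:
        return "NONE"
    nearest = min(hops)
    if nearest == 0:
        return "FINAL"
    return "HPA" if nearest == 1 else "LPA"


def track(a, b, x0, final, observations):
    """Follow the hidden-state hypothesis and flag the step that enters HPA."""
    dist = hops_to_final(a, final)
    hypothesis, previous_level, log = {x0}, "NONE", []
    for obs in observations:
        # Keep only engaged states that are one step from the last hypothesis.
        candidates = engaged_states(b, obs) & successors(a, hypothesis)
        explained = bool(candidates)
        if explained:                   # otherwise the hypothesis is unchanged
            hypothesis = candidates
        level = hazard_level(hypothesis, dist)
        log.append({
            "obs": obs,
            "states": sorted(hypothesis),
            "explained": explained,
            "level": level,
            "alarm": level == "HPA" and previous_level != "HPA",
        })
        previous_level = level
    return log


if __name__ == "__main__":
    # Constructed observation sequence; the third observable is unrelated noise.
    for step in track(A, B, X0, XF, [1, 2, 0, 3]):
        print(step)
```

The second observable maps to two hidden states, one of them a single hop from xF, so the worst-case reading raises the alarm while the hypothesis is still ambiguous.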
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
[Figure: Hypothetic Free States (Free_xk) plotted against observation step k over the WML window]
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
If a node has been captured, the following non-algebraic system of equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that even capturing all N nodes in the network the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
ADL Component
[Block diagram. Blocks: ADL, AG, AR, TM, WML, LCD, Tuple Space, Remote Tuple Space, NetManager, Comms. Flows: ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs]
AG sub-Component
[Block diagram. Blocks: AG, Trace Estimation, Score Computation, WML, TM, Tuple Space. Flows: Hp_xk, Free_xk, Free_xi<k, al[sk]]
TM Component
[Block diagram. Blocks: TM (A, B, x0, xF), AG, AR, ADL, Remote Tuple Space. Flows: ok, Hp_xk]
NetManager Component
[Block diagram. Blocks: NetManager, TAKS, ARCHEA, AR, LCD, Comms, Tuple Space. Flows: TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen ok/ko]
TAKS Component
[Block diagram. Blocks: TAKS, Network Topology Authentication, Key Generation, TGMP, ARCHEA, AR, LCD, TinySec, Comms, Tuple Space. Flows: klj, ktj, σ(j), cm[s], TAKgen ok/ko, ReplaceKey, RevokeKey, TGMP msgs, RELEASE_ind(niCH)]
ARCHEA Component
[Block diagram. Blocks: ARCHEA, ARCHEA Manager, Route Cost Computation, TAKS, AR, Comms. Flows: ARCHEA msgs, RELEASE_ind(niCH)]
TAK Gen Management Prot (TGMP)
[Sequence diagram between ni (LCDi) and nj (LCDj). Labels: (1), (2), SETUP(kti), SETUP(ktj), ti · kti = 0, tj · ktj = 0, TAKi = f(kli, ktj), TAKj = f(klj, kti), TAK-ciphered link, RELEASE(kti, ktj), RELEASE_ind(niCH) from ARCHEA, TinySec RevokeKey(TAK), TinySec ReplaceKey(TAK)]
ARCHEA Protocol
[Sequence diagram between ni (LCDi), nj (LCDj) and nl. Labels: (1) EVALUATE_RC(hi, σi), ni = CH = min RCi, UDPATE_H(hj), UDPATE_H(hl), RESET_H, hj = hl + 1, (2) RELEASE_ind(niCH) to TAKS, TAK-ciphered link, σi = AN[σ(ni)], hi, hj]
IDS Functions Mapping
[Diagram. Labels: IRA (Intrusion Reaction Agent), Defense Strategy, Anomaly Detection Logic, Alarm Tracking, Countermeasure Application, Control messages, Threat Model, LCD, IDS Core comp, IDS MA comp]
IRA forward-propagation vs Threat Observables back-propagation
[Figure: six nodes (1 to 6), each running AGILLA MA-AEE; IRA and IRA clones move between nodes while Al[s] and ok are exchanged]
This mechanism avoids the injection of new IRA instances from the sink
WINSOME PBD (II)
[Layer diagram. Monitoring Applications: Integrity Monitoring Agent, IRA, other agents. AGILLA MA-AEE. Secure Platform: Anomaly Detection Logic, Threat Model, TAKS, ARCHEA, NetManager, LCD, Tuple Space, AGILLA services, IDS core comp. Underlying WSN Deployment: Sensor Nodes]
Secure Platform internal Structure
[Block diagram. Blocks: AGILLA MA-AEE, IRA, Tuple Space, Remote Tuple Space, Secure Platform, ADL, TM, IRL, IRLA, LCD, NetManager, Comms. Flows: ok, Hp_xk, al[sk], cm[s], Control Msgs]
Next steps (near-term)
• Finalization of WINSOME components development
- on-going implementations of AGILLA enhancements
• 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
- on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Diagram around the WINSOME Project. Labels: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems; Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
- Sensor Node Density (SND): It is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
- Overlapping Detection Spot Percentage (ODSP): It is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
- Minimize SND×ODSP to minimize coverage redundancy for a given SND
- Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND×ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)
Fundamental Cell                 SND    ODSP   SND×ODSP   SND/ODSP
SNs at the centre of hexagon     0.33   0.34   0.11       0.97
SNs at the centre of square      0.33   0.72   0.24       0.46
SNs at the vertices of hexagon   0.36   2.34   0.84       0.15
SNs at the vertices of square    0.36   1.56   0.56       0.23
Underlying WSN: DCST Deployment
[Figure: DCST layout of sensor nodes 1-25]
Underlying WSN: DCST Self-Organization
[Five figures: successive DCST self-organization layouts of sensor nodes 1-25]
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
57
TAK Authentication Theorem
In a node pair ni and nj if t σ(i) exists such that g(t ktj) = t bullktj = 0 then node nj is authenticated by node ni Viceversa if t σ(j) exists such that g(t kti) = t bullkti = 0 then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
bull LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical ldquoplannedrdquo neighbors for node ibull TAK authentication needs of
ndash TrKeyCompj vector ktj from node nj (the prover) ndash LocPldTopi vector t for node ni (the verifier) ndash If ktj ti = 0 then node nj is admissible ie included in the Planned Network Topology
bull The verification function g() is defined as the scalar product between t and kt this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
35
IRA forward-propagation vs
Threat Observables back-propagation
IRA
Al[s] ok
IRAclone
1AGILLA MA-AEE
4AGILLA MA-AEE
5AGILLA MA-AEE
Al[s] ok
Al[s] ok Al[s] okAl[s] ok
3AGILLA MA-AEE
6AGILLA MA-AEE
2AGILLA MA-AEE
IRAclone
This mechanism avoids the injections of new IRA instances from the sink
Doctorate Dissertation LrsquoAquila March 31st 2009
36
WINSOME PBD (II)
Underlying WSN Deployment
AGILLA MA-AEE
IRAMonitoring Applications
SensorNode
SensorNode
SensorNode
SensorNode
SensorNode
Integrity Monitoring
Agent
otheragents
AnomalyDetection
LogicThreatModel TAKS ARCHEA
Secure Platform
NetManagerLCDTuple Space
AGILLAservices
IDS core comp
Doctorate Dissertation LrsquoAquila March 31st 2009
37
Secure Platform internal Structure
AGILLA MA-AEEcm[s]
ok
al[sk]
al[sk]
Comms
NetManager
al[sk]
cm[s]
ok
Secure Platform
Control Msgs
Tuple Space
IRA
AGILLA MA-AEE
Remote Tuple Space
IRA
TMok
Hp_xk
ok
ADL
IRLIRLA
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
38
Next steps (near-term)bull Finalization of WINSOME components development
ndash on-going implementations of AGILLA enhancements bull 2 theses finalized 1 thesis in on-going
bull Extensions of WPM-based IDS to data messages ndash on-going jointly with UC Berkeley
bull Enhancements of WPM technique to reduce false positivesbull Extension of TAKS to cluster keys
Doctorate Dissertation LrsquoAquila March 31st 2009
39
Next steps (mid-term)
Anomaly Detectionapplied to sensed
data
Agent basedSW design
Further WPM-based
Threat Modeling
DetectionProcess
Threat Identification Mechanisms
Applications to Hybrid Systems
Control
MonitoringTheory
MWService SupportEnhancement
CooperativeCommunication
s
WINSOME Project
DefenceStrategies
Doctorate Dissertation LrsquoAquila March 31st 2009
40
Scientific Contributions[1]M Pugliese and F Santucci ldquoPair-wise Network Topology Authenticated
Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebrardquo in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08) Atlanta 2008
[2]M Pugliese A Giani and F Santucci ldquoA Weak Process Approach to Anomaly Detection in Wireless Sensor Networksrdquo in 1st International Workshop on Sensor Networks (SN08) Virgin Islands 2008
Doctorate Dissertation LrsquoAquila March 31st 2009
41
In preparationbull M Pugliese A Giani and F Santucci ldquoWeak Process Models for
Attack Detection in a Clustered Sensor Network using Mobile Agentsrdquo submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
bull M Pugliese and F Santucci ldquoA Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
bull M Pugliese L Pomante and F Santucci ldquoAgent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
Doctorate Dissertation LrsquoAquila March 31st 2009
42
AcronymsADL Anomaly Detection LogicAR Anomaly RulesAGILLA AGile bombILLAARCHEA Available Resource Cluster-Head Election AlgorithmDCST Dynamic Clustered Spanning TreeDLP Discrete Logarithm ProblemGF Galois FieldHMM Hidden Markov ModelHPA High Potential AttackIDS Intrusion Detection SystemIRA Intrusion Reaction AgentIRL Intrusion Reaction LogicLCD Local Configuration DataLPA Low Potential AttackTAKS Topology Authenticated Key SchemeTGMP TAK Generation Management ProtocolWINSOME WIreless sensor Network-based Secure system fOr
structural integrity Monitoring and alErtingWML WPM Memory LengthWPM Weak Process ModelWSN Wireless Sensor Network
Doctorate Dissertation LrsquoAquila March 31st 2009
43
Grazie per lrsquoAttenzione
Doctorate Dissertation LrsquoAquila March 31st 2009
44
BACKUP SLIDES
Doctorate Dissertation LrsquoAquila March 31st 2009
45
Underlying WSNPhysical WSN Deployment
bull Metricsndash Sensor Node Density (SND) It is defined as the ratio between
the number of sensor nodes and the aggregated coverage (supposing circular areas r = 1) generated by each sensor node
ndash Overlapping Detection Spot Percentage (ODSP) It is defined as the percentage of the aggregated overlapped coverage generated by all SND respect to the coverage area generated by a generic sensor node
bull Coverage-cost criteriandash Minimize SNDODSP to mimimize coverage redundancy for a
given SND ndash Minimize SNDODSP to maximize coverage reliability for a given
SND
Doctorate Dissertation LrsquoAquila March 31st 2009
46
Underlying WSNCoverage-cost Quality Indicators
bull The minimum for the product SNDODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
bull The minimum for the ratio SNDODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell SND ODSP SNDODSP SND ODSP SNs at the centre of hexagon 033 034 011 097 SNs at the centre of square 033 072 024 046 SNs at the vertices of hexagon 036 234 084 015 SNs at the vertices of square 036 156 056 023
Doctorate Dissertation LrsquoAquila March 31st 2009
47
18
23
5
11
4
17
8
1
20
15
9
21
24
19
25
16 6 13 10 22
12 3 2 7 14
Underlying WSNDCST Deployment
Doctorate Dissertation LrsquoAquila March 31st 2009
48
11
4
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t•ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t•kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs:
– TrKeyCompj: vector ktj from node nj (the prover)
– LocPldTopi: vector t for node ni (the verifier)
– If ktj • ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij=1 if p(xk+1=xj|xk=xi)=1, aij=0 otherwise
• Emission Distribution Matrix B (q × n): bij=1 if p(ok=oj|xk=xi)=1, bij=0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi)
k-1
WPM-based Threat Model: Algebraic Canonical Form
x_{k+1} = A x_k
o_k = B x_k
A =
0 1 1 0 0
0 0 0 1 0
0 1 0 0 1
0 1 0 0 1
0 0 0 0 0
(i-th column gives the states reachable from the i-th state)
B =
1 0 0 0 1
0 1 0 0 0
0 0 1 1 0
1 1 0 1 0
0 0 1 0 0
1 0 0 0 1
(i-th column gives the observables of the i-th state)
x0 = (0 0 0 0 1)
xF = (1 0 0 0 0)
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: trace generation over six observation steps, alternating x_k = B^T o_k and x_{k+1} = A x_k. Step labels: o1 = 3 (x1 = 4, x1 = 5); o2 = 1 (x2 = 1, x2 = 5); o3 = 4 (x3 = 2, x3 = 3); o4 = 2 (x4 = 3); o5 = 5 (x5 = 4); o6 = 6 (x6 = 1, x6 = 5). Trace labels: Tr1 6=1245, Tr2 6=1351.]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
– Low Potential Attack (LPA): An attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
– High Potential Attack (HPA): An attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
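Added example, not part of the original slides: it derives the LPA/HPA hazard level of every state from its hop distance to the final state and computes the hypothetic engaged states Hp_xk = B^T ok for a sequence of observables. It assumes the flattened A and B digit strings of the Algebraic Canonical Form slide are read row by row (n = 5, q = 6); all function names are hypothetical, and the alarm rule is a simplification that ignores the score matrix and WML.

```python
from collections import deque

# ASSUMPTION: flattened digit strings from the "Algebraic Canonical Form" slide,
# read row by row (n = 5 states, q = 6 observables).
A_BITS = "0110000010010010100100000"        # n x n state transition matrix A
B_BITS = "100010100000110110100010010001"   # q x n emission matrix B
X0_BITS = "00001"                           # initial state x0
XF_BITS = "10000"                           # final state xF
N, Q = 5, 6


def reshape(bits, rows, cols):
    """Turn a flat 0/1 string into a rows x cols matrix (row-major)."""
    if len(bits) != rows * cols:
        raise ValueError("digit string does not match the stated dimensions")
    return [[int(bits[r * cols + c]) for c in range(cols)] for r in range(rows)]


A = reshape(A_BITS, N, N)
B = reshape(B_BITS, Q, N)
X0 = X0_BITS.index("1") + 1   # states are numbered from 1, as on the slides
XF = XF_BITS.index("1") + 1


def successors(state):
    """States reachable in one step: the 1-entries of column `state` of A."""
    return {j + 1 for j in range(N) if A[j][state - 1]}


def hops_to_final():
    """Minimum number of transitions from each state to xF (None if unreachable)."""
    preds = {s: set() for s in range(1, N + 1)}
    for s in range(1, N + 1):
        for t in successors(s):
            preds[t].add(s)
    hops = {s: None for s in range(1, N + 1)}
    hops[XF] = 0
    queue = deque([XF])
    while queue:                      # breadth-first search backwards from xF
        t = queue.popleft()
        for s in preds[t]:
            if hops[s] is None:
                hops[s] = hops[t] + 1
                queue.append(s)
    return hops


def hazard_level(state, hops=None):
    """'HPA' if 1 hop from xF, 'LPA' if 2 or more, 'NONE' if final or unreachable."""
    hops = hops or hops_to_final()
    h = hops[state]
    if h == 1:
        return "HPA"
    if h is not None and h >= 2:
        return "LPA"
    return "NONE"


def hypothetic_engaged_states(observable):
    """Hp_xk = B^T o_k for a one-hot observable: the states that can emit it."""
    if not 1 <= observable <= Q:
        raise ValueError("unknown observable")
    return {i + 1 for i in range(N) if B[observable - 1][i]}


def scan(observations):
    """Per observation: hypothesized states, their hazard levels, an alarm flag.

    Simplification (assumption): the alarm is raised as soon as any hypothesized
    state is HPA; the score matrix S and the trace memory (WML) are not modeled.
    """
    hops = hops_to_final()
    report = []
    for o in observations:
        hp = hypothetic_engaged_states(o)
        levels = {s: hazard_level(s, hops) for s in sorted(hp)}
        report.append({"o": o, "Hp_x": hp, "levels": levels,
                       "alarm": "HPA" in levels.values()})
    return report


if __name__ == "__main__":
    print("hops to final state:", hops_to_final())
    for row in scan([1, 3, 5]):       # constructed observation sequence
        print(row)
```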
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
Hypothetic Free States (Free_xk)
kobs
WML
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equations system should be solved for a, m, c, b, which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3+3), 10 variables (a, m, c, b)
• It can be shown that even capturing all N nodes in the network the attacker gets ~ q^4 – Nq free solutions for (a, m, c, b), which are still ~ q^4 if N ≪ q
• Thus the scheme is N-secure
→ ~ q^4 solutions
ADL Component
[Figure: block diagram. Labels: ADL, AG, AR, TM, WML, Tuple Space, Remote Tuple Space, NetManager, Comms, LCD, ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs.]
AG sub-Component
[Figure: block diagram. Labels: AG, TM, WML, Tuple Space, Score Computation, Trace Estimation, Hp_xk, Free_xi<k, Free_xk, al[sk].]
TM Component
[Figure: block diagram. Labels: TM, A, B, x0, xF, AG, AR, ADL, Remote Tuple Space, ok, Hp_xk.]
NetManager Component
[Figure: block diagram. Labels: NetManager, TAKS, ARCHEA, AR, LCD, Comms, Tuple Space, cm[s], TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), TAKgen ok/ko.]
TAKS Component
[Figure: block diagram. Labels: TAKS, Network Topology Authentication, Key Generation, TGMP, ARCHEA, AR, LCD, TinySec, Comms, Tuple Space, klj, ktj, σ(j), cm[s], TAKgen ok/ko, ReplaceKey, RevokeKey, TGMP msgs, RELEASE_ind(niCH).]
ARCHEA Component
[Figure: block diagram. Labels: ARCHEA, ARCHEA Manager, Route Cost Computation, TAKS, AR, Comms, ARCHEA msgs, RELEASE_ind(niCH).]
TAK Gen Management Prot (TGMP)
[Figure: message sequence between ni (LCDi) and nj (LCDj). Labels: (1) SETUP(kti), SETUP(ktj); tj·ktj = 0, ti·kti = 0; TAKi = f(kli, ktj), TAKj = f(klj, kti); TAK-ciphered link; (2) RELEASE(kti, ktj); RELEASE_ind(niCH), ARCHEA; TinySec RevokeKey(TAK), TinySec ReplaceKey(TAK).]
ARCHEA Protocol
[Figure: message sequence among ni, nj and nl (LCDi, LCDj). Labels: (1) EVALUATE_RC(hi, σi); ni=CH = minRCi; UDPATE_H(hj), UDPATE_H(hl), RESET_H; hj = hl+1; σi=AN[σ(ni)]; hi, hj; (2) RELEASE_ind(niCH), TAKS; TAK-ciphered link.]
WINSOME PBD (II)
[Figure: platform diagram. Labels: Underlying WSN Deployment, Sensor Node (x5), AGILLA MA-AEE, AGILLA services, Monitoring Applications, Integrity Monitoring Agent, other agents, IRA, Secure Platform, IDS core comp, Anomaly Detection Logic, Threat Model, TAKS, ARCHEA, NetManager, LCD, Tuple Space.]
Secure Platform internal Structure
[Figure: block diagram. Labels: Secure Platform, AGILLA MA-AEE, IRA, IRL, IRLA, ADL, TM, NetManager, Comms, LCD, Tuple Space, Remote Tuple Space, Control Msgs, cm[s], ok, Hp_xk, al[sk].]
Next steps (near-term)
• Finalization of WINSOME components development
– on-going implementations of AGILLA enhancements
   • 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
– on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: roadmap diagram around the WINSOME Project. Labels: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems; Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies.]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
– Sensor Node Density (SND): It is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
– Overlapping Detection Spot Percentage (ODSP): It is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
– Minimize SND·ODSP to minimize coverage redundancy for a given SND
– Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell                  SND    ODSP   SND·ODSP   SND/ODSP
SNs at the centre of hexagon      0.33   0.34   0.11       0.97
SNs at the centre of square       0.33   0.72   0.24       0.46
SNs at the vertices of hexagon    0.36   2.34   0.84       0.15
SNs at the vertices of square     0.36   1.56   0.56       0.23
Underlying WSN: DCST Deployment
[Figure: DCST deployment diagram with nodes numbered 1 to 25]
Underlying WSN: DCST Self-Organization
[Figure: five successive DCST self-organization diagrams over the same nodes 1 to 25]
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network
                              <CH>   <σ>    <h>
DCST-Deployment               0.36   0.33   0.80
DCST-SO  down 3               0.38   0.32   0.84
DCST-SO  down 3-4             0.39   0.31   0.87
DCST-SO  down 3-4-11          0.45   0.26   1.03
DCST-SO  down 3-4-11-8        0.48   0.25   1.17
DCST-SO  rearrange 12         0.48   0.25   1.10
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
57
TAK Authentication Theorem
In a node pair ni and nj if t σ(i) exists such that g(t ktj) = t bullktj = 0 then node nj is authenticated by node ni Viceversa if t σ(j) exists such that g(t kti) = t bullkti = 0 then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
bull LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical ldquoplannedrdquo neighbors for node ibull TAK authentication needs of
ndash TrKeyCompj vector ktj from node nj (the prover) ndash LocPldTopi vector t for node ni (the verifier) ndash If ktj ti = 0 then node nj is admissible ie included in the Planned Network Topology
bull The verification function g() is defined as the scalar product between t and kt this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
37
Secure Platform internal Structure
AGILLA MA-AEEcm[s]
ok
al[sk]
al[sk]
Comms
NetManager
al[sk]
cm[s]
ok
Secure Platform
Control Msgs
Tuple Space
IRA
AGILLA MA-AEE
Remote Tuple Space
IRA
TMok
Hp_xk
ok
ADL
IRLIRLA
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
38
Next steps (near-term)bull Finalization of WINSOME components development
ndash on-going implementations of AGILLA enhancements bull 2 theses finalized 1 thesis in on-going
bull Extensions of WPM-based IDS to data messages ndash on-going jointly with UC Berkeley
bull Enhancements of WPM technique to reduce false positivesbull Extension of TAKS to cluster keys
Doctorate Dissertation LrsquoAquila March 31st 2009
39
Next steps (mid-term)
Anomaly Detectionapplied to sensed
data
Agent basedSW design
Further WPM-based
Threat Modeling
DetectionProcess
Threat Identification Mechanisms
Applications to Hybrid Systems
Control
MonitoringTheory
MWService SupportEnhancement
CooperativeCommunication
s
WINSOME Project
DefenceStrategies
Doctorate Dissertation LrsquoAquila March 31st 2009
40
Scientific Contributions[1]M Pugliese and F Santucci ldquoPair-wise Network Topology Authenticated
Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebrardquo in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08) Atlanta 2008
[2]M Pugliese A Giani and F Santucci ldquoA Weak Process Approach to Anomaly Detection in Wireless Sensor Networksrdquo in 1st International Workshop on Sensor Networks (SN08) Virgin Islands 2008
Doctorate Dissertation LrsquoAquila March 31st 2009
41
In preparationbull M Pugliese A Giani and F Santucci ldquoWeak Process Models for
Attack Detection in a Clustered Sensor Network using Mobile Agentsrdquo submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
bull M Pugliese and F Santucci ldquoA Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
bull M Pugliese L Pomante and F Santucci ldquoAgent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
Doctorate Dissertation LrsquoAquila March 31st 2009
42
AcronymsADL Anomaly Detection LogicAR Anomaly RulesAGILLA AGile bombILLAARCHEA Available Resource Cluster-Head Election AlgorithmDCST Dynamic Clustered Spanning TreeDLP Discrete Logarithm ProblemGF Galois FieldHMM Hidden Markov ModelHPA High Potential AttackIDS Intrusion Detection SystemIRA Intrusion Reaction AgentIRL Intrusion Reaction LogicLCD Local Configuration DataLPA Low Potential AttackTAKS Topology Authenticated Key SchemeTGMP TAK Generation Management ProtocolWINSOME WIreless sensor Network-based Secure system fOr
structural integrity Monitoring and alErtingWML WPM Memory LengthWPM Weak Process ModelWSN Wireless Sensor Network
Doctorate Dissertation LrsquoAquila March 31st 2009
43
Grazie per lrsquoAttenzione
Doctorate Dissertation LrsquoAquila March 31st 2009
44
BACKUP SLIDES
Doctorate Dissertation LrsquoAquila March 31st 2009
45
Underlying WSNPhysical WSN Deployment
bull Metricsndash Sensor Node Density (SND) It is defined as the ratio between
the number of sensor nodes and the aggregated coverage (supposing circular areas r = 1) generated by each sensor node
ndash Overlapping Detection Spot Percentage (ODSP) It is defined as the percentage of the aggregated overlapped coverage generated by all SND respect to the coverage area generated by a generic sensor node
bull Coverage-cost criteriandash Minimize SNDODSP to mimimize coverage redundancy for a
given SND ndash Minimize SNDODSP to maximize coverage reliability for a given
SND
Doctorate Dissertation LrsquoAquila March 31st 2009
46
Underlying WSNCoverage-cost Quality Indicators
bull The minimum for the product SNDODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
bull The minimum for the ratio SNDODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell SND ODSP SNDODSP SND ODSP SNs at the centre of hexagon 033 034 011 097 SNs at the centre of square 033 072 024 046 SNs at the vertices of hexagon 036 234 084 015 SNs at the vertices of square 036 156 056 023
Doctorate Dissertation LrsquoAquila March 31st 2009
47
18
23
5
11
4
17
8
1
20
15
9
21
24
19
25
16 6 13 10 22
12 3 2 7 14
Underlying WSNDCST Deployment
Doctorate Dissertation LrsquoAquila March 31st 2009
48
11
4
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
57
TAK Authentication Theorem
In a node pair ni and nj if t σ(i) exists such that g(t ktj) = t bullktj = 0 then node nj is authenticated by node ni Viceversa if t σ(j) exists such that g(t kti) = t bullkti = 0 then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
bull LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical ldquoplannedrdquo neighbors for node ibull TAK authentication needs of
ndash TrKeyCompj vector ktj from node nj (the prover) ndash LocPldTopi vector t for node ni (the verifier) ndash If ktj ti = 0 then node nj is admissible ie included in the Planned Network Topology
bull The verification function g() is defined as the scalar product between t and kt this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: state graph (states 1 to 5) and the hypothetic states obtained for six observations, using $x_{k+1} = A x_k$ and $x_k = B^T o_k$. Labels: $o_1 = 3$: $x_1 = 4$, $x_1 = 5$; $o_2 = 1$: $x_2 = 1$, $x_2 = 5$; $o_3 = 4$: $x_3 = 2$, $x_3 = 3$; $o_4 = 2$: $x_4 = 3$; $o_5 = 5$: $x_5 = 4$; $o_6 = 6$: $x_6 = 1$, $x_6 = 5$; traces Tr1 (6 = 1245) and Tr2 (6 = 1351)]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model ($A$, $B$, $x_0$), 2 hazard levels for an attack can be defined:
– Low Potential Attack (LPA): An attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state $x_j$ which is at least 2 hops from the final state
– High Potential Attack (HPA): An attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state $x_j$ which is 1 hop from the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
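The hazard classification above, worked through on the model of the canonical-form slide, as an added example that is not code from the presentation or from WINSOME: it derives the LPA/HPA labels from hop distances in A and tracks the hypothetic states per observable with Hp_x_k = B^T o_k. Assumptions: A and B are the slide's bit strings read row by row, the observation sequences are constructed, and intersecting the A-propagated states with Hp_x_k (re-seeding when the intersection is empty, reporting the worst level among candidates) is this example's simplification of trace estimation; the score matrix S and WML are not modelled.

```python
from collections import deque

# Model matrices: the bit strings of the canonical-form slide, read row by row
# (an assumed reading). Column i of A lists the states reachable from state i;
# column i of B lists the observables that state i can emit.
A = [
    [0, 1, 1, 0, 0],
    [0, 0, 0, 1, 0],
    [0, 1, 0, 0, 1],
    [0, 0, 1, 0, 1],
    [0, 0, 0, 0, 0],
]
B = [
    [1, 0, 0, 0, 1],
    [0, 1, 0, 0, 0],
    [0, 0, 1, 1, 0],
    [1, 1, 0, 1, 0],
    [0, 0, 1, 0, 0],
    [1, 0, 0, 0, 1],
]
X0 = [0, 0, 0, 0, 1]       # initial state: state 5
X_FINAL = [1, 0, 0, 0, 0]  # final state: state 1
RANK = {"NONE": 0, "LPA": 1, "HPA": 2, "FINAL": 3}


def mat_vec(matrix, vec):
    """Boolean product: out[r] = OR over c of (matrix[r][c] AND vec[c])."""
    return [int(any(m and v for m, v in zip(row, vec))) for row in matrix]


def hazard_levels(a, x_final):
    """Label each state by its hop distance to the final state (BFS on reversed edges)."""
    final = x_final.index(1)
    dist = {final: 0}
    queue = deque([final])
    while queue:
        j = queue.popleft()
        for i, edge in enumerate(a[j]):   # a[j][i] == 1 means state i -> state j
            if edge and i not in dist:
                dist[i] = dist[j] + 1
                queue.append(i)
    names = {0: "FINAL", 1: "HPA"}        # 2 hops or more: LPA
    return [names.get(dist[i], "LPA") if i in dist else "NONE" for i in range(len(a))]


def detect(a, b, x0, x_final, observations):
    """Track hypothetic states per observation; return (step, states, level, resynced)."""
    levels = hazard_levels(a, x_final)
    b_t = [list(col) for col in zip(*b)]
    tracked, report = list(x0), []
    for k, obs in enumerate(observations, start=1):
        if not 1 <= obs <= len(b):
            raise ValueError(f"observable {obs} is not in the model")
        o_k = [int(r == obs - 1) for r in range(len(b))]
        hp = mat_vec(b_t, o_k)             # Hp_x_k = B^T o_k
        predicted = mat_vec(a, tracked)    # x_{k+1} = A x_k
        cand = [p & h for p, h in zip(predicted, hp)]
        resynced = not any(cand)
        if resynced:                       # observation fits no tracked trace
            cand = hp
        states = [i + 1 for i, bit in enumerate(cand) if bit]
        worst = max((levels[s - 1] for s in states), key=RANK.get, default="NONE")
        report.append((k, states, worst, resynced))
        tracked = cand
    return report


def alarms(report):
    """Steps where an alarm is due: a hypothetic state is HPA
    (this example also alarms when the final state is among the candidates)."""
    return [k for k, _, level, _ in report if RANK[level] >= RANK["HPA"]]


if __name__ == "__main__":
    for seq in ([4, 2, 6], [3], [2]):      # constructed observation sequences
        print(seq, detect(A, B, X0, X_FINAL, seq))
```

The sequence [3] leaves two hypothetic states (3 and 4) and is reported at the worse of their levels, while [2] cannot follow from the initial state, so the tracker re-seeds from Hp_x_k and flags the step as resynced.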
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node $n_j$ is an LPA state, the total score in $n_j$ is $s_j = L$
• if node $n_j$ is an HPA state, the total score in $n_j$ is $s_j = H$
• if node $n_j$ is neither LPA nor HPA, or is a final state, the total score in $n_j$ is $s_j = 0$
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
Hypothetic Free States (Free_xk)
kobs
WML
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK

$$H(k_{li}, k_{tj}) = H(k_{tj}) + H(k_{li} \mid k_{tj}) = 3 \log_2 q$$

$$H(k_{tj}) = 0$$

$$H(k_{li} \mid k_{tj}) = H(k_{li})$$

$$H(k_{li}) = 3 \log_2 q, \qquad q \gg N$$

$$H_{TAK} = \tfrac{1}{3} H(k_{li}, k_{tj}) = \log_2 q$$

Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem, DLP)
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic system of equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b) → ~ $q^4$ solutions
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ $q^4 - Nq$ free solutions for (a, m, c, b), which are still ~ $q^4$ if $N \ll q$
• Thus the scheme is N-secure
ADL Component
[Figure: block diagram of the ADL component. Labels: WML; ok; Hp_xk; Tuple Space; Remote Tuple Space; AG; AR; TM; NetManager; Comms; LCD; al[sk]; TGMP msgs; ARCHEA msgs]
AG sub-Component
[Figure: block diagram of the AG sub-component. Labels: Score Computation; Trace Estimation; WML; TM; Tuple Space; Hp_xk; Free_xi (i < k); Free_xk; al[sk]]
TM Component
[Figure: block diagram of the TM component. Labels: TM (A, B, x0, xF); ok; Hp_xk; AG; AR; Remote Tuple Space; ADL]
NetManager Component
[Figure: block diagram of the NetManager component. Labels: NetManager; TAKS; ARCHEA; LCD; Comms; Tuple Space; AR; cm[s]; TGMP msgs; ARCHEA msgs; RELEASE_ind(niCH); TAKgen ok/ko]
TAKS Component
[Figure: block diagram of the TAKS component. Labels: Network Topology Authentication; Key Generation; TGMP; LCD; klj; ktj; σ(j); AR; Tuple Space; cm[s]; ARCHEA; Comms; TinySec (ReplaceKey, RevokeKey); TGMP msgs; RELEASE_ind(niCH); TAKgen ok/ko]
ARCHEA Component
[Figure: block diagram of the ARCHEA component. Labels: Route Cost Computation; ARCHEA Manager; TAKS; Comms; AR; ARCHEA msgs; RELEASE_ind(niCH)]
TAK Generation Management Protocol (TGMP)
[Figure: message sequence chart between nodes $n_i$ and $n_j$, with LCD$_i$ and LCD$_j$. Labels: steps (1) and (2); SETUP($k_{ti}$); SETUP($k_{tj}$); $t_j \cdot k_{tj} = 0$; $t_i \cdot k_{ti} = 0$; $TAK_i = f(k_{li}, k_{tj})$; $TAK_j = f(k_{lj}, k_{ti})$; TAK-ciphered link; RELEASE($k_{ti}$, $k_{tj}$); RELEASE_ind(niCH); ARCHEA; TinySec RevokeKey(TAK); TinySec ReplaceKey(TAK)]
ARCHEA Protocol
[Figure: message sequence chart among nodes $n_i$, $n_j$ and $n_l$, with LCD$_i$ and LCD$_j$. Labels: steps (1) and (2); EVALUATE_RC($h_i$, $\sigma_i$); $n_i$ = CH = min RC$_i$; UDPATE_H($h_j$); UDPATE_H($h_l$); RESET_H; $h_j = h_l + 1$; RELEASE_ind(niCH); TAKS; TAK-ciphered link; $\sigma_i$ = AN[$\sigma(n_i)$]; $h_i$; $h_j$]
Next steps (near-term)
• Finalization of WINSOME components development
– on-going implementations of AGILLA enhancements
• 2 theses finalized, 1 thesis on-going
• Extensions of WPM-based IDS to data messages
– on-going jointly with UC Berkeley
• Enhancements of WPM technique to reduce false positives
• Extension of TAKS to cluster keys
Next steps (mid-term)
[Figure: diagram around the WINSOME Project with the labels: Anomaly Detection applied to sensed data; Agent based SW design; Further WPM-based Threat Modeling; Detection Process; Threat Identification Mechanisms; Applications to Hybrid Systems; Control; Monitoring Theory; MW Service Support Enhancement; Cooperative Communications; Defence Strategies]
Scientific Contributions
[1] M. Pugliese and F. Santucci, "Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra", in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, "A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks", in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, "Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents", submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, "A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN"
• M. Pugliese, L. Pomante and F. Santucci, "Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN"
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
– Sensor Node Density (SND): It is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
– Overlapping Detection Spot Percentage (ODSP): It is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
– Minimize SND·ODSP to minimize coverage redundancy for a given SND
– Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

Fundamental Cell                  SND    ODSP   SND·ODSP   SND/ODSP
SNs at the centre of hexagon      0.33   0.34   0.11       0.97
SNs at the centre of square       0.33   0.72   0.24       0.46
SNs at the vertices of hexagon    0.36   2.34   0.84       0.15
SNs at the vertices of square     0.36   1.56   0.56       0.23
Underlying WSN: DCST Deployment
[Figure: DCST deployed over nodes 1 to 25]
Underlying WSN: DCST Self-Organization
[Figure sequence, five slides: the DCST over nodes 1 to 25 at successive self-organization steps]
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

Configuration               <CH>   <σ>    <h>
DCST-Deployment             0.36   0.33   0.80
DCST-SO, down 3             0.38   0.32   0.84
DCST-SO, down 3-4           0.39   0.31   0.87
DCST-SO, down 3-4-11        0.45   0.26   1.03
DCST-SO, down 3-4-11-8      0.48   0.25   1.17
DCST-SO, rearrange 12       0.48   0.25   1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with $q = 2^k$ be an extended Galois Field, where p is a prime and k is an integer for which $q \gg N$, where N is the total number of nodes in the network and $q - 1$ has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any $u \in U$ is a 3-tuple whose components $u_x$, $u_y$, $u_z$ are elements in GF(q)
• Let f() be a function satisfying the following requirements:
R1: Be a one-way function
R2: must hold for where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
R3: Be a one-way function
R4: $V(v, v') = 0$ only for a particular sub-set of values $v, v' \in V \subseteq U$
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
TAKS Definitions (2/2): Local Configuration Data
a. Let $A \subseteq U$, $M \subseteq U$. Elements in A are defined as follows: $a, a' \in A$ if $m \in M$ exists such that $m(a \times a') \neq 0$. A and M are secret
b. Let $b \in B \subseteq GF(q)$ not a generator) in B. B is secret
c. Let $c \in C \subseteq U$. C is secret
d. Let the explicit expression for f() where $m \in M$ satisfies Ass. (a) and $k \in GF(q)$ is an arbitrary constant. The definition for f() is compliant with R1 and R2 because for where (hereafter omitted) is the mod q product
e. Let $k_l, k'_l \in K_L \subseteq U$ (private) and $k_t, k'_t \in K_T \subseteq U$ (restricted) be the LocKeyComp and TrKeyComp for node $n_i$ and $n_j$ respectively
f. Let $t \in T \subseteq U$ (restricted) be the LocPldTop such that, for the generic $k_t \in K_T$, $t \cdot k_t = 0$
The explicit expressions for $k_l$ and $k_t$ are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
57
TAK Authentication Theorem
In a node pair ni and nj if t σ(i) exists such that g(t ktj) = t bullktj = 0 then node nj is authenticated by node ni Viceversa if t σ(j) exists such that g(t kti) = t bullkti = 0 then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
bull LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical ldquoplannedrdquo neighbors for node ibull TAK authentication needs of
ndash TrKeyCompj vector ktj from node nj (the prover) ndash LocPldTopi vector t for node ni (the verifier) ndash If ktj ti = 0 then node nj is admissible ie included in the Planned Network Topology
bull The verification function g() is defined as the scalar product between t and kt this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
39
Next steps (mid-term)
Anomaly Detectionapplied to sensed
data
Agent basedSW design
Further WPM-based
Threat Modeling
DetectionProcess
Threat Identification Mechanisms
Applications to Hybrid Systems
Control
MonitoringTheory
MWService SupportEnhancement
CooperativeCommunication
s
WINSOME Project
DefenceStrategies
Doctorate Dissertation LrsquoAquila March 31st 2009
40
Scientific Contributions[1]M Pugliese and F Santucci ldquoPair-wise Network Topology Authenticated
Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebrardquo in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08) Atlanta 2008
[2]M Pugliese A Giani and F Santucci ldquoA Weak Process Approach to Anomaly Detection in Wireless Sensor Networksrdquo in 1st International Workshop on Sensor Networks (SN08) Virgin Islands 2008
Doctorate Dissertation LrsquoAquila March 31st 2009
41
In preparationbull M Pugliese A Giani and F Santucci ldquoWeak Process Models for
Attack Detection in a Clustered Sensor Network using Mobile Agentsrdquo submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
bull M Pugliese and F Santucci ldquoA Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
bull M Pugliese L Pomante and F Santucci ldquoAgent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSNrdquo
Doctorate Dissertation LrsquoAquila March 31st 2009
42
AcronymsADL Anomaly Detection LogicAR Anomaly RulesAGILLA AGile bombILLAARCHEA Available Resource Cluster-Head Election AlgorithmDCST Dynamic Clustered Spanning TreeDLP Discrete Logarithm ProblemGF Galois FieldHMM Hidden Markov ModelHPA High Potential AttackIDS Intrusion Detection SystemIRA Intrusion Reaction AgentIRL Intrusion Reaction LogicLCD Local Configuration DataLPA Low Potential AttackTAKS Topology Authenticated Key SchemeTGMP TAK Generation Management ProtocolWINSOME WIreless sensor Network-based Secure system fOr
structural integrity Monitoring and alErtingWML WPM Memory LengthWPM Weak Process ModelWSN Wireless Sensor Network
Doctorate Dissertation LrsquoAquila March 31st 2009
43
Grazie per lrsquoAttenzione
Doctorate Dissertation LrsquoAquila March 31st 2009
44
BACKUP SLIDES
Doctorate Dissertation LrsquoAquila March 31st 2009
45
Underlying WSNPhysical WSN Deployment
bull Metricsndash Sensor Node Density (SND) It is defined as the ratio between
the number of sensor nodes and the aggregated coverage (supposing circular areas r = 1) generated by each sensor node
ndash Overlapping Detection Spot Percentage (ODSP) It is defined as the percentage of the aggregated overlapped coverage generated by all SND respect to the coverage area generated by a generic sensor node
bull Coverage-cost criteriandash Minimize SNDODSP to mimimize coverage redundancy for a
given SND ndash Minimize SNDODSP to maximize coverage reliability for a given
SND
Doctorate Dissertation LrsquoAquila March 31st 2009
46
Underlying WSNCoverage-cost Quality Indicators
bull The minimum for the product SNDODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
bull The minimum for the ratio SNDODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell SND ODSP SNDODSP SND ODSP SNs at the centre of hexagon 033 034 011 097 SNs at the centre of square 033 072 024 046 SNs at the vertices of hexagon 036 234 084 015 SNs at the vertices of square 036 156 056 023
Doctorate Dissertation LrsquoAquila March 31st 2009
47
18
23
5
11
4
17
8
1
20
15
9
21
24
19
25
16 6 13 10 22
12 3 2 7 14
Underlying WSNDCST Deployment
Doctorate Dissertation LrsquoAquila March 31st 2009
48
11
4
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
57
TAK Authentication Theorem
In a node pair ni and nj if t σ(i) exists such that g(t ktj) = t bullktj = 0 then node nj is authenticated by node ni Viceversa if t σ(j) exists such that g(t kti) = t bullkti = 0 then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
bull LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical ldquoplannedrdquo neighbors for node ibull TAK authentication needs of
ndash TrKeyCompj vector ktj from node nj (the prover) ndash LocPldTopi vector t for node ni (the verifier) ndash If ktj ti = 0 then node nj is admissible ie included in the Planned Network Topology
bull The verification function g() is defined as the scalar product between t and kt this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
TAKS Component
[Figure: block diagram of the TAKS component. Labels: TAKS, Network Topology Authentication, Key Generation, TGMP, ARCHEA, AR, LCD, Comms, Tuple Space, TinySec, ReplaceKey, RevokeKey, klj, ktj, σ(j), cm[s], TGMP msgs, RELEASE_ind(niCH), TAKgen ok/ko]
ARCHEA Component
[Figure: block diagram of the ARCHEA component. Labels: ARCHEA, ARCHEA Manager, Route Cost Computation, TAKS, AR, Comms, ARCHEA msgs, RELEASE_ind(niCH)]
TAK Gen Management Prot (TGMP)
[Figure: message sequence between nodes ni and nj, steps (1) and (2). Labels: LCDi, LCDj; SETUP(kti), SETUP(ktj); ti · kti = 0, tj · ktj = 0; TAK i = f(kli, ktj), TAK j = f(klj, kti); TAK-ciphered link; RELEASE(kti, ktj); RELEASE_ind(niCH), ARCHEA; TinySec RevokeKey(TAK), TinySec ReplaceKey(TAK)]
ARCHEA Protocol
[Figure: message sequence among nodes ni, nj and nl, steps (1) and (2). Labels: LCDi, LCDj; EVALUATE_RC(hi, σi); ni = CH = min RCi; UDPATE_H(hj), UDPATE_H(hl), RESET_H; hj = hl + 1; σi = AN[σ(ni)]; hi, hj; RELEASE_ind(niCH), TAKS; TAK-ciphered link]
Scientific Contributions
[1] M. Pugliese and F. Santucci, “Pair-wise Network Topology Authenticated Hybrid Cryptographic Keys for Wireless Sensor Networks using Vector Algebra”, in 4th IEEE International Workshop on Wireless Sensor Networks Security (WSNS08), Atlanta, 2008
[2] M. Pugliese, A. Giani and F. Santucci, “A Weak Process Approach to Anomaly Detection in Wireless Sensor Networks”, in 1st International Workshop on Sensor Networks (SN08), Virgin Islands, 2008
In preparation
• M. Pugliese, A. Giani and F. Santucci, “Weak Process Models for Attack Detection in a Clustered Sensor Network using Mobile Agents”, submitted to the 1st International Conference on Sensor Systems and Software (S-Cube 2009)
• M. Pugliese and F. Santucci, “A Comprehensive Cross-Layer Framework for Secure Monitoring Applications based on WSN”
• M. Pugliese, L. Pomante and F. Santucci, “Agent-based Design and Implementation of a Cross-Layer Framework for Secure Monitoring Applications based on WSN”
Acronyms
ADL: Anomaly Detection Logic
AR: Anomaly Rules
AGILLA: AGile bombILLA
ARCHEA: Available Resource Cluster-Head Election Algorithm
DCST: Dynamic Clustered Spanning Tree
DLP: Discrete Logarithm Problem
GF: Galois Field
HMM: Hidden Markov Model
HPA: High Potential Attack
IDS: Intrusion Detection System
IRA: Intrusion Reaction Agent
IRL: Intrusion Reaction Logic
LCD: Local Configuration Data
LPA: Low Potential Attack
TAKS: Topology Authenticated Key Scheme
TGMP: TAK Generation Management Protocol
WINSOME: WIreless sensor Network-based Secure system fOr structural integrity Monitoring and alErting
WML: WPM Memory Length
WPM: Weak Process Model
WSN: Wireless Sensor Network
Thank you for your attention
BACKUP SLIDES
Underlying WSN: Physical WSN Deployment
• Metrics
– Sensor Node Density (SND): defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
– Overlapping Detection Spot Percentage (ODSP): defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
– Minimize SND·ODSP to minimize coverage redundancy for a given SND
– Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

Fundamental Cell                  SND    ODSP   SND·ODSP   SND/ODSP
SNs at the centre of hexagon      0.33   0.34   0.11       0.97
SNs at the centre of square       0.33   0.72   0.24       0.46
SNs at the vertices of hexagon    0.36   2.34   0.84       0.15
SNs at the vertices of square     0.36   1.56   0.56       0.23
[Figure: Underlying WSN, DCST Deployment. Diagram of nodes numbered 1 to 25]
[Figure: Underlying WSN, DCST Self-Organization. Five successive diagrams of the same numbered nodes]
Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical “planned” neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant “planned” node, applied to the deployed nodes in the network

Configuration               <CH>   <σ>    <h>
DCST-Deployment             0.36   0.33   0.80
DCST-SO, down 3             0.38   0.32   0.84
DCST-SO, down 3-4           0.39   0.31   0.87
DCST-SO, down 3-4-11        0.45   0.26   1.03
DCST-SO, down 3-4-11-8      0.48   0.25   1.17
DCST-SO, rearrange 12       0.48   0.25   1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any u in U is a 3-tuple whose components ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
R1 Be a one-way function
R2 must hold for
const)u(f)u(f)u(f)u(f Uuu
where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
R3 Be a one-way function
R4 V(v, v’) = 0 only for a particular sub-set of values v v’ V U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
TAKS Definitions (2/2): Local Configuration Data
a. Let A U M U. Elements in A are defined as follows: a, a’ in A if an m in M exists such that m(a × a’) ≠ 0. A and M are secret
b. Let b B GF(q) not a generator) in B. B is secret
c. Let c C U. C is secret
d. Let the explicit expression for where m in M satisfied Ass (a) and k in GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e. Let kl k’l KL U (private) and kt k’t KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t T U (restricted) be the LocPldTop such that for the generic kt in KT is t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a), s’ = mf(a’)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if a t in σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if a t in σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication).
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical “planned” neighbor of node i
• TAK authentication needs:
– TrKeyCompj: vector ktj from node nj (the prover)
– LocPldTopi: vector t for node ni (the verifier)
– If ktj • ti = 0, then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant with requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, with xi in X and x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi in O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi)
k-1
WPM-based Threat Model: Algebraic Canonical Form
x_{k+1} = A x_k
o_k = B x_k
A = 0110000010010010100100000
B = 100010100000110110100010010001
x0 = 00001
xF = 10000
The i-th column of A gives the states reachable from the i-th state; the i-th column of B gives the observables of the i-th state
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: worked example over six observation steps, using x_{k+1} = A x_k and x_k = B^T o_k. Observables and hypothetic states as labelled: o1 = 3 (x1 = 4, x1 = 5); o2 = 1 (x2 = 1, x2 = 5); o3 = 4 (x3 = 2, x3 = 3); o4 = 2 (x4 = 3); o5 = 5 (x5 = 4); o6 = 6 (x6 = 1, x6 = 5). Hypothetic states traces at step 6: Tr1 = 1245, Tr2 = 1351]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
– Low Potential Attack (LPA): an attack is considered “low potentially dangerous” (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops from the final state
– High Potential Attack (HPA): an attack is considered “high potentially dangerous” (or in an HPA state) if the threat is currently in a state xj which is 1 hop from the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
Hypothetic Free States (Free_xk)
k obs
WML
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
42
AcronymsADL Anomaly Detection LogicAR Anomaly RulesAGILLA AGile bombILLAARCHEA Available Resource Cluster-Head Election AlgorithmDCST Dynamic Clustered Spanning TreeDLP Discrete Logarithm ProblemGF Galois FieldHMM Hidden Markov ModelHPA High Potential AttackIDS Intrusion Detection SystemIRA Intrusion Reaction AgentIRL Intrusion Reaction LogicLCD Local Configuration DataLPA Low Potential AttackTAKS Topology Authenticated Key SchemeTGMP TAK Generation Management ProtocolWINSOME WIreless sensor Network-based Secure system fOr
structural integrity Monitoring and alErtingWML WPM Memory LengthWPM Weak Process ModelWSN Wireless Sensor Network
Doctorate Dissertation LrsquoAquila March 31st 2009
43
Grazie per lrsquoAttenzione
Doctorate Dissertation LrsquoAquila March 31st 2009
44
BACKUP SLIDES
Doctorate Dissertation LrsquoAquila March 31st 2009
45
Underlying WSNPhysical WSN Deployment
bull Metricsndash Sensor Node Density (SND) It is defined as the ratio between
the number of sensor nodes and the aggregated coverage (supposing circular areas r = 1) generated by each sensor node
ndash Overlapping Detection Spot Percentage (ODSP) It is defined as the percentage of the aggregated overlapped coverage generated by all SND respect to the coverage area generated by a generic sensor node
bull Coverage-cost criteriandash Minimize SNDODSP to mimimize coverage redundancy for a
given SND ndash Minimize SNDODSP to maximize coverage reliability for a given
SND
Doctorate Dissertation LrsquoAquila March 31st 2009
46
Underlying WSNCoverage-cost Quality Indicators
bull The minimum for the product SNDODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of an hexagon)
bull The minimum for the ratio SNDODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of an hexagon)
Fundamental Cell SND ODSP SNDODSP SND ODSP SNs at the centre of hexagon 033 034 011 097 SNs at the centre of square 033 072 024 046 SNs at the vertices of hexagon 036 234 084 015 SNs at the vertices of square 036 156 056 023
Doctorate Dissertation LrsquoAquila March 31st 2009
47
18
23
5
11
4
17
8
1
20
15
9
21
24
19
25
16 6 13 10 22
12 3 2 7 14
Underlying WSNDCST Deployment
Doctorate Dissertation LrsquoAquila March 31st 2009
48
11
4
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
49
11
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
18
23
5
16
12 3
4
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
50
17
8
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO

TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2^k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple, where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
  R1: be a one-way function
  R2: must hold for
  where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: be a one-way function
  R4: V(v, v') = 0 only for a particular subset of values v, v' ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V

TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a' ∈ A if m ∈ M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) (not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for f() be
$$f(\cdot) = k\,b^{m(\cdot)}$$
where m ∈ M satisfies Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant with R1 and R2 because
$$k\,b^{mu}\;k\,b^{mu'} = k^{2}\,b^{m(u+u')} = k^{2}\,b^{m(u'+u)} = k\,b^{mu'}\;k\,b^{mu}$$
for u, u' ∈ U and k ∈ GF(q), where the product (symbol hereafter omitted) is the mod q product
e. Let kl, k'l ∈ KL ⊂ U (private) and kt, k't ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for nodes ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that, for the generic kt ∈ KT, t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)

TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a), s' = mf(a')
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj

TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor of node i
• TAK authentication needs:
  – TrKeyCompj: vector ktj from node nj (the prover)
  – LocPldTopi: vector t for node ni (the verifier)
  – If ktj • ti = 0, then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant with requirements R3 and R4

WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the subset of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = i=1 (xk A • Free_xi)
k-1
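
WPM-based Threat Model: Algebraic Canonical Form
$$A = \begin{bmatrix} 0&1&1&0&0\\ 0&0&0&1&0\\ 0&1&0&0&1\\ 0&0&1&0&1\\ 0&0&0&0&0 \end{bmatrix}$$
(the i-th column gives the states reachable from the i-th state)
$$B = \begin{bmatrix} 1&0&0&0&1\\ 0&1&0&0&0\\ 0&0&1&1&0\\ 1&1&0&1&0\\ 0&0&1&0&0\\ 1&0&0&0&1 \end{bmatrix}$$
(the i-th column gives the observables of the i-th state)
$$x_0 = (0\;0\;0\;0\;1)^T, \qquad x_F = (1\;0\;0\;0\;0)^T$$
$$x_{k+1} = A\,x_k, \qquad o_k = B\,x_k$$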

WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: trace-generation diagram over six observation steps, alternating the steps xk = B^T ok and xk+1 = A xk. Labels on the slide:]
o1 = 3; x1 = 4, x1 = 5
o2 = 1; x2 = 1, x2 = 5
o3 = 4; x3 = 2, x3 = 3
o4 = 2; x4 = 3
o5 = 5; x5 = 4
o6 = 6; x6 = 1, x6 = 5
Tr1 6=1245; Tr2 6=1351
$$x_{k+1} = A\,x_k, \qquad x_k = B^T o_k$$

WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
  – Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  – High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state

WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then

Threat Score Computation
Hypothetic Free States (Free_xk)
kobs
WML
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss

Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1

Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak

Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equation system should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3+3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure

ADL Component
[Figure: block diagram with blocks WML, AG, TM, NetManager, Comms, AR, ADL, LCD, Tuple Space and Remote Tuple Space; labelled flows ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs]

AG sub-Component
[Figure: block diagram with blocks AG, WML, TM, Score Computation, Trace Estimation and Tuple Space; labelled flows al[sk], Hp_xk, Free_xi<k, Free_xk]

TM Component
[Figure: block diagram with blocks TM (A, B, x0, xF), AG, AR, ADL and Remote Tuple Space; labelled flows ok, Hp_xk]

NetManager Component
[Figure: block diagram with blocks NetManager, LCD, Comms, TAKS, ARCHEA, AR and Tuple Space; labelled flows TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen ok/ko]

TAKS Component
[Figure: block diagram with blocks TAKS, Network Topology Authentication, Key Generation, TGMP, LCD, ARCHEA, AR, TinySec, Comms and Tuple Space; labelled flows klj, ktj, σ(j), cm[s], TAKgen ok/ko, ReplaceKey, RevokeKey, TGMP msgs, RELEASE_ind(niCH)]

ARCHEA Component
[Figure: block diagram with blocks ARCHEA, ARCHEA Manager, Route Cost Computation, TAKS, Comms and AR; labelled flows ARCHEA msgs, RELEASE_ind(niCH)]

TAK Gen Management Prot (TGMP)
[Figure: message sequence between nodes ni and nj, steps (1) and (2). Labels on the slide: SETUP(kti), SETUP(ktj), tj·ktj = 0, ti·kti = 0, TAK i = f(kli, ktj), TAK j = f(klj, kti), TAK-ciphered link, RELEASE(kti, ktj), RELEASE_ind(niCH) from ARCHEA, LCDi, LCDj, TinySec RevokeKey(TAK), TinySec ReplaceKey(TAK)]

ARCHEA Protocol
[Figure: message sequence between nodes ni, nj and nl, steps (1) and (2). Labels on the slide: EVALUATE_RC(hi, σi), ni=CH = minRCi, UDPATE_H(hj), UDPATE_H(hl), RESET_H, hj = hl+1, RELEASE_ind(niCH) to TAKS, TAK-ciphered link, σi = AN[σ(ni)], hi, hj, LCDi, LCDj]

Thank you for your attention

BACKUP SLIDES

Underlying WSN: Physical WSN Deployment
• Metrics
  – Sensor Node Density (SND): it is defined as the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  – Overlapping Detection Spot Percentage (ODSP): it is defined as the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  – Minimize SND×ODSP to minimize coverage redundancy for a given SND
  – Minimize SND/ODSP to maximize coverage reliability for a given SND

Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND×ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

Fundamental Cell                  SND    ODSP   SND×ODSP   SND/ODSP
SNs at the centre of hexagon      0.33   0.34   0.11       0.97
SNs at the centre of square       0.33   0.72   0.24       0.46
SNs at the vertices of hexagon    0.36   2.34   0.84       0.15
SNs at the vertices of square     0.36   1.56   0.56       0.23

Underlying WSN: DCST Deployment
[Figure: node-layout diagram of the network, nodes numbered 1 to 25]
Underlying WSN: Physical WSN Deployment
• Metrics
  - Sensor Node Density (SND): the ratio between the number of sensor nodes and the aggregated coverage (supposing circular areas, r = 1) generated by each sensor node
  - Overlapping Detection Spot Percentage (ODSP): the percentage of the aggregated overlapped coverage generated by all SND with respect to the coverage area generated by a generic sensor node
• Coverage-cost criteria
  - Minimize SND·ODSP to minimize coverage redundancy for a given SND
  - Minimize SND/ODSP to maximize coverage reliability for a given SND
Underlying WSN: Coverage-cost Quality Indicators
• The minimum for the product SND·ODSP returns the physical node distribution which minimizes coverage redundancy (fundamental cell with SNs at the centre of a hexagon)
• The minimum for the ratio SND/ODSP returns the physical node distribution which maximizes coverage reliability (fundamental cell with SNs at the centre of a hexagon)

| Fundamental Cell | SND | ODSP | SND·ODSP | SND/ODSP |
|---|---|---|---|---|
| SNs at the centre of hexagon | 0.33 | 0.34 | 0.11 | 0.97 |
| SNs at the centre of square | 0.33 | 0.72 | 0.24 | 0.46 |
| SNs at the vertices of hexagon | 0.36 | 2.34 | 0.84 | 0.15 |
| SNs at the vertices of square | 0.36 | 1.56 | 0.56 | 0.23 |
[Figure: Underlying WSN, DCST Deployment. Diagram of 25 numbered nodes.]
[Figures (five slides): Underlying WSN, DCST Self-Organization. Diagrams of 25 numbered nodes.]
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

| | | <CH> | <σ> | <h> |
|---|---|---|---|---|
| DCST-Deployment | | 0.36 | 0.33 | 0.80 |
| DCST-SO | down 3 | 0.38 | 0.32 | 0.84 |
| DCST-SO | down 3-4 | 0.39 | 0.31 | 0.87 |
| DCST-SO | down 3-4-11 | 0.45 | 0.26 | 1.03 |
| DCST-SO | down 3-4-11-8 | 0.48 | 0.25 | 1.17 |
| DCST-SO | rearrange 12 | 0.48 | 0.25 | 1.10 |
TAKS Definitions (1/2): f() and V()
• Let GF(q) with q = 2k be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
  R1: Be a one-way function
  R2: must hold for
  where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: Be a one-way function
  R4: V(v, v') = 0 only for a particular sub-set of values v, v' ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
const)u(f)u(f)u(f)u(f Uuu
TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a' ∈ A if m ∈ M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) (not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for where m ∈ M satisfies Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant with R1 and R2 because
for where (hereafter omitted) is the mod q product
e. Let kl, k'l ∈ KL ⊂ U (private) and kt, k't ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that, for the generic kt ∈ KT, t · kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a), s' = mf(a')
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t · ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t · kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs:
  - TrKeyCompj: vector ktj from node nj (the prover)
  - LocPldTopi: vector t for node ni (the verifier)
  - If ktj · ti = 0 then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant with requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1 x2 … xn); X is n × 1
• Individual state x at step k is defined by xk = x1 x2 … xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1 o2 … oq); O is q × 1
• Individual observable at step k is defined by ok = o1 o2 … ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k: the sub-set of possible (hidden) states associated to the observable ok, Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk =i=1 (xk A • Free_xi)
k-1
WPM-based Threat Model: Algebraic Canonical Form
xk+1 = A xk
ok = B xk

A =
0 1 1 0 0
0 0 0 1 0
0 1 0 0 1
0 1 0 0 1
0 0 0 0 0
(the i-th column gives the states reachable from the i-th state)

B =
1 0 0 0 1
0 1 0 0 0
0 0 1 1 0
1 1 0 1 0
0 0 1 0 0
1 0 0 0 1
(the i-th column gives the observables of the i-th state)

x0 = (0 0 0 0 1)
xF = (1 0 0 0 0)
[Figure: WPM-based Threat Model, Generation of Hypothetic States Traces. Diagram over six observation steps built from xk+1 = A xk and xk = B^T ok. Diagram labels: o1 = 3 (x1 = 4, x1 = 5), o2 = 1 (x2 = 1, x2 = 5), o3 = 4 (x3 = 2, x3 = 3), o4 = 2 (x4 = 3), o5 = 5 (x5 = 4), o6 = 6 (x6 = 1, x6 = 5), traces Tr1 and Tr2.]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
  - Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  - High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
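The hazard levels defined above can be derived directly from the transition matrix; the following is an added example, not part of the original slides. The 5-state matrix is a sample (the canonical-form digits read row by row, which is an assumption), and the function names and the alarm-on-any-HPA-hypothesis policy are hypothetical.

```python
from collections import deque

# Sample 5-state model. A[j][i] == 1 means state i+1 can move to state j+1,
# i.e. column i lists the states reachable from state i (the orientation the
# canonical-form slide describes). Reading the slide digits row by row is an
# assumption of this example.
A = [
    [0, 1, 1, 0, 0],
    [0, 0, 0, 1, 0],
    [0, 1, 0, 0, 1],
    [0, 1, 0, 0, 1],
    [0, 0, 0, 0, 0],
]
FINAL_STATE = 1  # xF = (1 0 0 0 0)


def hops_to_final(a, final_state):
    """Shortest number of transitions from every state to the final state.

    Returns {state: hops}, with None for states that can never reach it.
    The breadth-first search runs backwards from the final state.
    """
    n = len(a)
    hops = {s: None for s in range(1, n + 1)}
    hops[final_state] = 0
    queue = deque([final_state])
    while queue:
        dst = queue.popleft()
        for src in range(1, n + 1):
            # a[dst-1][src-1] == 1 encodes the transition src -> dst.
            if a[dst - 1][src - 1] and hops[src] is None:
                hops[src] = hops[dst] + 1
                queue.append(src)
    return hops


def hazard_levels(a, final_state):
    """Label each state FINAL, HPA (1 hop), LPA (2 or more hops) or NONE."""
    levels = {}
    for state, h in hops_to_final(a, final_state).items():
        if h is None:
            levels[state] = "NONE"   # the final state is unreachable from here
        elif h == 0:
            levels[state] = "FINAL"
        elif h == 1:
            levels[state] = "HPA"
        else:
            levels[state] = "LPA"
    return levels


def alarm_steps(hypotheses, levels):
    """Observation steps (1-based) whose hypothesized state set holds an HPA state.

    Alarming as soon as any hypothesis is HPA is an assumed policy.
    """
    return [k for k, states in enumerate(hypotheses, start=1)
            if any(levels[s] == "HPA" for s in states)]


# Constructed sequence of hypothesized engaged state sets (Hp_xk), one per observation.
SAMPLE_HYPOTHESES = [{5}, {4, 5}, {2, 4}, {3}]

if __name__ == "__main__":
    lv = hazard_levels(A, FINAL_STATE)
    print(lv)
    print(alarm_steps(SAMPLE_HYPOTHESES, lv))
```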
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
Hypothetic Free States (Free_xk)
kobs
WML
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic system of equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b)
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
→ ~ q^4 solutions
Underlying WSN: DCST Self-Organization
[Figure, repeated on five consecutive slides: layout of the 25-node network (nodes 1 to 25)]
Underlying WSN: Route-cost Quality Indicators
<CH>: The ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: The ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network

Scenario                    <CH>   <σ>    <h>
DCST-Deployment             0.36   0.33   0.80
DCST-SO, down 3             0.38   0.32   0.84
DCST-SO, down 3-4           0.39   0.31   0.87
DCST-SO, down 3-4-11        0.45   0.26   1.03
DCST-SO, down 3-4-11-8      0.48   0.25   1.17
DCST-SO, rearrange 12       0.48   0.25   1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q), with q = 2^k, be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-ple whose components ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
  R1: Be a one-way function
  R2: must hold for
  where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
  R3: Be a one-way function
  R4: V(v, v') = 0 only for a particular sub-set of values v, v' ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory but, when applied, any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a' ∈ A if m ∈ M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) (not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let $f(\cdot) = k\,b^{m(\cdot)}$ be the explicit expression for f(), where m ∈ M satisfies assumption (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
$k\,b^{m u}\;k\,b^{m u'} = k^2\,b^{m(u+u')} = k^2\,b^{m(u'+u)} = k\,b^{m u'}\;k\,b^{m u}$
for u, u' ∈ U, k ∈ GF(q), where (hereafter omitted) is the mod q product
e. Let kl, k'l ∈ KL ⊂ U (private) and kt, k't ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that, for the generic kt ∈ KT, t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to one of the logical "planned" neighbors of node i
• TAK authentication needs:
  - TrKeyCompj: vector ktj from node nj (the prover)
  - LocPldTopi: vector t for node ni (the verifier)
  - If ktj • ti = 0, then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = [i = 1 … k-1] (xk A • Free_xi)
WPM-based Threat Model: Algebraic Canonical Form
$x_{k+1} = A x_k$
$o_k = B x_k$
A: 0110000010010010100100000 (i-th column gives the states reachable from the i-th state)
B: 100010100000110110100010010001 (i-th column gives the observables of the i-th state)
x0: 00001
xF: 10000
WPM-based Threat Model: Generation of Hypothetic States Traces
$x_{k+1} = A x_k$
$x_k = B^T o_k$
[Figure: hypothetic states generated over six observation steps, alternating xk = B^T ok and xk+1 = A xk]
o1 = 3: x1 = 4, x1 = 5
o2 = 1: x2 = 1, x2 = 5
o3 = 4: x3 = 2, x3 = 3
o4 = 2: x4 = 3
o5 = 5: x5 = 4
o6 = 6: x6 = 1, x6 = 5
Traces: Tr1 6 = 1245, Tr2 6 = 1351
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
  - Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
  - High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
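The definitions above (Hp_xk = B^T ok, xk+1 = A xk, LPA/HPA by hop distance to the final state) can be run as detection logic. The following is an added example, not code from the dissertation: the 5-state matrices are constructed, and intersecting predicted with hypothesised states, plus resynchronising on an inconsistent observable, are assumptions of the example.

```python
from collections import deque

# Constructed model (not the slides' matrices): 5 states, 4 observables.
# Column i of A marks the states reachable from state i (x_{k+1} = A x_k);
# column i of B marks the observables emitted by state i (o_k = B x_k).
A = [
    [0, 0, 0, 0, 0],
    [1, 0, 0, 0, 0],   # state 0 -> state 1
    [1, 0, 0, 0, 0],   # state 0 -> state 2
    [0, 1, 1, 0, 0],   # states 1, 2 -> state 3
    [0, 0, 0, 1, 0],   # state 3 -> state 4 (final)
]
B = [
    [1, 0, 0, 0, 0],   # observable 0: state 0
    [0, 1, 1, 0, 0],   # observable 1: state 1 or 2 (ambiguous)
    [0, 0, 1, 1, 0],   # observable 2: state 2 or 3 (ambiguous)
    [0, 0, 0, 0, 1],   # observable 3: state 4
]
X0 = [1, 0, 0, 0, 0]   # initial state x0
XF = [0, 0, 0, 0, 1]   # final state xF


def mat_vec(M, v):
    """Boolean matrix-vector product."""
    return [int(any(m and x for m, x in zip(row, v))) for row in M]


def transpose(M):
    return [list(col) for col in zip(*M)]


def hops_to_final(A, x_final):
    """Hop distance of every state to the final state (None if unreachable)."""
    dist = [None] * len(A)
    queue = deque()
    for s, bit in enumerate(x_final):
        if bit:
            dist[s] = 0
            queue.append(s)
    while queue:
        dst = queue.popleft()
        for src in range(len(A)):
            if A[dst][src] and dist[src] is None:   # edge src -> dst
                dist[src] = dist[dst] + 1
                queue.append(src)
    return dist


def hazard(candidates, dist):
    """Worst-case hazard level over the candidate states."""
    reach = [dist[s] for s, bit in enumerate(candidates)
             if bit and dist[s] is not None]
    if not reach:
        return "NONE"
    nearest = min(reach)
    if nearest == 0:
        return "FINAL"
    return "HPA" if nearest == 1 else "LPA"   # 1 hop vs. at least 2 hops


def track(A, B, x0, x_final, observations):
    """Follow a sequence of observable indices; alarm on an HPA state."""
    dist = hops_to_final(A, x_final)
    Bt = transpose(B)
    x = list(x0)
    report = []
    for k, o in enumerate(observations, start=1):
        o_vec = [int(i == o) for i in range(len(B))]
        hyp = mat_vec(Bt, o_vec)            # Hp_x_k = B^T o_k
        pred = mat_vec(A, x)                # x_k = A x_{k-1}
        cand = [p & h for p, h in zip(pred, hyp)]
        resync = not any(cand)
        if resync:                          # observable contradicts the model:
            cand = hyp                      # fall back to the hypothesis alone
        level = hazard(cand, dist)
        report.append({
            "step": k,
            "states": [s for s, bit in enumerate(cand) if bit],
            "level": level,
            "alarm": level == "HPA",
            "resync": resync,
        })
        x = cand
    return report


if __name__ == "__main__":
    for entry in track(A, B, X0, XF, [1, 2]):
        print(entry)
```
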
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Hypothetic Free States (Free_xk)
kobs
WML
Threat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
51
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSN: Route-cost Quality Indicators
<CH>: the ratio between the number of deployed Cluster Heads and the deployed nodes in the network
<σ>: the ratio between the number of deployed neighbors per node and the number of logical "planned" neighbors per node, applied to the deployed Cluster Heads
<h>: the ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant "planned" node, applied to the deployed nodes in the network
                     <CH>   <σ>    <h>
DCST-Deployment      0.36   0.33   0.80
DCST-SO:
  down 3             0.38   0.32   0.84
  down 3-4           0.39   0.31   0.87
  down 3-4-11        0.45   0.26   1.03
  down 3-4-11-8      0.48   0.25   1.17
  rearrange 12       0.48   0.25   1.10
TAKS Definitions (1/2): f() and V()
• Let GF(q), with q = 2^k, be an extended Galois Field, where p is a prime and k is an integer for which q >> N, where N is the total number of nodes in the network, and q-1 has a suitably large prime divisor (1)
• Let U be a vector field over GF(q). Any u ∈ U is a 3-tuple where ux, uy, uz are elements in GF(q)
• Let f() be a function satisfying the following requirements:
R1: be a one-way function
R2: must hold for
where is an arbitrary commutative operator
• Let V() be a 2-variable function satisfying the following requirements:
R3: be a one-way function
R4: V(v, v') = 0 only for a particular sub-set of values v, v' ∈ V ⊂ U
The explicit expressions for f() and V() are public (Kerckhoffs's principle)
(1) This restriction on the values for q is not mandatory, but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a' ∈ A if m ∈ M exists such that m(a × a') ≠ 0. A and M are secret
b. Let b ∈ B ⊂ GF(q) not a generator) in B. B is secret
c. Let c ∈ C ⊂ U. C is secret
d. Let the explicit expression for f() where m ∈ M satisfies Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e. Let kl, kl' ∈ KL ⊂ U (private) and kt, kt' ∈ KT ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that for the generic kt ∈ KT is t • kt = 0
The explicit expressions for kl and kt are public (Kerckhoffs's principle)
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a), s' = mf(a')
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
TAK Authentication Theorem
In a node pair ni and nj, if t ∈ σ(i) exists such that g(t, ktj) = t • ktj = 0, then node nj is authenticated by node ni. Vice versa, if t ∈ σ(j) exists such that g(t, kti) = t • kti = 0, then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj:
• LocPldTopi = σ(i) = ti, where each vector ti (Topology Vector for node i) corresponds to each logical "planned" neighbor for node i
• TAK authentication needs:
– TrKeyCompj: vector ktj from node nj (the prover)
– LocPldTopi: vector t for node ni (the verifier)
– If ktj • ti = 0, then node nj is admissible, i.e. included in the Planned Network Topology
• The verification function g() is defined as the scalar product between t and kt; this choice for g() is compliant to requirements R3 and R4
WPM-based Threat Model: Definitions
• States set is X = (x1, x2, …, xn); X is n × 1
• Individual state x at step k is defined by xk = x1, x2, …, xk, xi ∈ X, with x0 (k=0) the initial state
• Observables set is O = (o1, o2, …, oq); O is q × 1
• Individual observable at step k is defined by ok = o1, o2, …, ok, with oi ∈ O
• State Transition Distribution Matrix A (n × n): aij = 1 if p(xk+1 = xj | xk = xi) = 1, aij = 0 otherwise
• Emission Distribution Matrix B (q × n): bij = 1 if p(ok = oj | xk = xi) = 1, bij = 0 otherwise
• Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok: Hp_xk = B^T ok
• Hypothetic Free States at obs step i: Free_xi = xi - (xi Hp_xi)
• Hypothetic States Trace at obs step k: Trk = (i = 1, …, k-1) (xk A • Free_xi)
WPM-based Threat Model: Algebraic Canonical Form
xk+1 = A xk
ok = B xk
A =
0 1 1 0 0
0 0 0 1 0
0 1 0 0 1
0 1 0 0 1
0 0 0 0 0
(i-th column gives the states reachable from the i-th state)
B =
1 0 0 0 1
0 1 0 0 0
0 0 1 1 0
1 1 0 1 0
0 0 1 0 0
1 0 0 0 1
(i-th column gives the observables of the i-th state)
x0 = (0 0 0 0 1)^T
xF = (1 0 0 0 0)^T
WPM-based Threat Model: Generation of Hypothetic States Traces
xk+1 = A xk
xk = B^T ok
[Figure: trace generation over six observation steps, alternating xk+1 = A xk and xk = B^T ok. Labels in the figure: o1 = 3 (x1 = 4, x1 = 5); o2 = 1 (x2 = 1, x2 = 5); o3 = 4 (x3 = 2, x3 = 3); o4 = 2 (x4 = 3); o5 = 5 (x5 = 4); o6 = 6 (x6 = 1, x6 = 5); traces at step 6: Tr1 = 1245, Tr2 = 1351]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
– Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
– High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
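An added example (not part of the original slides) of how this threat model can drive alarms: it takes A, B, x0 and xF from the Algebraic Canonical Form slide, assuming their digit strings are read row by row, ranks each state by its hop distance to the final state, and raises an alarm when a state consistent with the observables is one hop away. The observable sequence, the function names and the fallback used when no transition explains an observable are assumptions of this example.

```python
# Added example (not from the slides): WPM threat-model tracking with hazard levels.
# Assumption: the digit strings of A and B on the canonical-form slide are read row by row.

A = [  # column i lists the states reachable from state i (x_{k+1} = A x_k)
    [0, 1, 1, 0, 0],
    [0, 0, 0, 1, 0],
    [0, 1, 0, 0, 1],
    [0, 1, 0, 0, 1],
    [0, 0, 0, 0, 0],
]
B = [  # column i lists the observables emitted by state i (o_k = B x_k)
    [1, 0, 0, 0, 1],
    [0, 1, 0, 0, 0],
    [0, 0, 1, 1, 0],
    [1, 1, 0, 1, 0],
    [0, 0, 1, 0, 0],
    [1, 0, 0, 0, 1],
]
X0 = [0, 0, 0, 0, 1]  # initial state x5
XF = [1, 0, 0, 0, 0]  # final state x1


def support(vec):
    """1-based indices of the non-zero entries of a 0/1 vector."""
    return {i + 1 for i, v in enumerate(vec) if v}


def successors(states):
    """States reachable in one step from any state in `states` (A x_k)."""
    return {row + 1 for s in states for row in range(len(A)) if A[row][s - 1]}


def hypothetic_states(observable):
    """Hp_x_k = B^T o_k: hidden states that can emit the given observable."""
    return support(B[observable - 1])


def hops_to_final():
    """Minimum number of transitions from each state to the final state."""
    dist = {s: 0 for s in support(XF)}
    frontier = set(dist)
    while frontier:
        nxt = {s for s in range(1, len(A) + 1)
               if s not in dist and successors({s}) & frontier}
        depth = dist[next(iter(frontier))] + 1
        dist.update({s: depth for s in nxt})
        frontier = nxt
    return dist


def hazard_level(hops):
    """Map a hop distance to the hazard levels defined on the slide."""
    if hops is None:
        return "NONE"   # the final state cannot be reached from here
    if hops == 0:
        return "FINAL"
    return "HPA" if hops == 1 else "LPA"


def track(observables):
    """Follow an observable sequence and report candidate states per step."""
    dist = hops_to_final()
    candidates = support(X0)
    report = []
    for o in observables:
        hp = hypothetic_states(o)
        consistent = successors(candidates) & hp
        explained = bool(consistent)
        # Assumption: if no transition explains the observable, re-seed from
        # Hp_x_k alone so monitoring continues instead of going blind.
        candidates = consistent if explained else hp
        levels = {s: hazard_level(dist.get(s)) for s in sorted(candidates)}
        report.append({
            "observable": o,
            "levels": levels,
            "alarm": "HPA" in levels.values(),  # alarm on any HPA candidate
            "explained": explained,
        })
    return report


if __name__ == "__main__":
    # Constructed observable sequence, not taken from the slides.
    for step in track([4, 2]):
        print(step)
```

With the constructed sequence 4, 2 the tracker first places the threat in state 4 (LPA, no alarm) and then in state 2 (HPA, alarm).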
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
[Figure labels: Hypothetic Free States (Free_xk), kobs, WML]
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem, DLP)
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic equations system should be solved for a, m, c, b, which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3+3), 10 variables (a, m, c, b) → ~ q^4 solutions
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
ADL Component
[Block diagram; labels: WML, ok, Hp_xk, Tuple Space, AG, NetManager, Comms, AR, Remote Tuple Space, al[sk], ADL, TGMP msgs, ARCHEA msgs, TM, LCD]
AG sub-Component
[Block diagram; labels: al[sk], Hp_xk, Free_xi<k, Free_xk, Tuple Space, AG, WML, Score Computation, Trace Estimation, TM]
TM Component
[Block diagram; labels: Hp_xk, TM, A, B, x0, xF, ok, AG, AR, Remote Tuple Space, ADL]
NetManager Component
[Block diagram; labels: LCD, Comms, TGMP msgs, RELEASE_ind(niCH), cm[s], Tuple Space, ARCHEA msgs, TAKS, ARCHEA, NetManager, AR, TAKgen ok/ko]
TAKS Component
[Block diagram; labels: Network Topology Authentication, Key Generation, LCD, klj, ktj, σ(j), cm[s], Tuple Space, TAKS, ARCHEA, AR, TAKgen ok/ko, ReplaceKey, RevokeKey, TinySec, Comms, TGMP, TGMP msgs, RELEASE_ind(niCH)]
ARCHEA Component
[Block diagram; labels: Route Cost Computation, ARCHEA, TAKS, Comms, ARCHEA Manager, AR, ARCHEA msgs, RELEASE_ind(niCH)]
TAK Gen Management Prot (TGMP)
[Sequence diagram between nodes ni and nj; labels: (1), (2), SETUP(kti), SETUP(ktj), ti · kti = 0, tj · ktj = 0, TAKi = f(kli, ktj), TAKj = f(klj, kti), TAK-ciphered link, RELEASE(kti, ktj), RELEASE_ind(niCH), ARCHEA, LCDi, LCDj, TinySecRevokeKey(TAK), TinySecReplaceKey(TAK)]
ARCHEA Protocol
[Sequence diagram among nodes ni, nj and nl; labels: (1) EVALUATE_RC(hi, σi), ni=CH = minRCi, UDPATE_H(hj), UDPATE_H(hl), RESET_H, hj = hl+1, (2) RELEASE_ind(niCH), TAKS, TAK-ciphered link, σi = AN[σ(ni)], hi, hj, LCDi, LCDj]
Doctorate Dissertation LrsquoAquila March 31st 2009
52
17
1
20
15
9
21
24
19
25
6 13 10 22
2 7 14
16
12
5
18
23
3
4
11 8
Underlying WSNDCST Self-Organization
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
57
TAK Authentication Theorem
In a node pair ni and nj if t σ(i) exists such that g(t ktj) = t bullktj = 0 then node nj is authenticated by node ni Viceversa if t σ(j) exists such that g(t kti) = t bullkti = 0 then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
bull LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical ldquoplannedrdquo neighbors for node ibull TAK authentication needs of
ndash TrKeyCompj vector ktj from node nj (the prover) ndash LocPldTopi vector t for node ni (the verifier) ndash If ktj ti = 0 then node nj is admissible ie included in the Planned Network Topology
bull The verification function g() is defined as the scalar product between t and kt this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
53
Underlying WSNRoute-cost Quality Indicators
ltCHgtThe ratio between the number of deployed Cluster Heads and the deployed nodes in the network
lt σ gt The ratio between the number of deployed neighbors per node and the number of logical ldquoplannedrdquo neighbors per node applied to the deployed Cluster Heads
lt h gt The ratio between the sum of all hop counts to reach all nodes in the network and the minimum hop count to reach the most distant ldquoplannedrdquo node applied to the deployed nodes in the network
ltCHgt ltσgt lthgt036 033 080
down 3 038 032 084down 3-4 039 031 087down 3-4-11 045 026 103down 3-4-11-8 048 025 117rearrange 12 048 025 110
DCST-Deployment
DCST-SO
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
57
TAK Authentication Theorem
In a node pair ni and nj if t σ(i) exists such that g(t ktj) = t bullktj = 0 then node nj is authenticated by node ni Viceversa if t σ(j) exists such that g(t kti) = t bullkti = 0 then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
bull LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical ldquoplannedrdquo neighbors for node ibull TAK authentication needs of
ndash TrKeyCompj vector ktj from node nj (the prover) ndash LocPldTopi vector t for node ni (the verifier) ndash If ktj ti = 0 then node nj is admissible ie included in the Planned Network Topology
bull The verification function g() is defined as the scalar product between t and kt this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
54
bull Let GF(q) with q = 2k be an extended Galois Field where p is a prime and k is an integer for which q gtgt N where N is the total number of nodes in the network and q-1 has a suitable large prime divisor (1)
bull Let U be a vector field over GF(q) Any uU is a 3-pla where ux uy uz are elements in GF(q)
bull Let a function satisfying the following requirementsR1 Be a one-way function R2 must hold for
where is an arbitrary commutative operatorbull Let V() a 2-variable function satisfying the following requirements
R3 Be a one-way functionR4 V(vvrsquo) = 0 only for a particular sub-set of values vvrsquo V U
The explicit expressions for and are public (Kerchoffrsquos principle)
TAKS Definitions (12)f() and V()
(1) This restriction on the values for q is not mandatory but when applied any reverse engineering technique for TAK becomes harder
()f
const)u(f)u(f)u(f)u(f Uuu
()f ()V
Doctorate Dissertation LrsquoAquila March 31st 2009
55
a Let A U M U Elements in A are defined as follows a arsquo A if mM exists such that m(atimes arsquo) ne 0 A and M are secret
b Let b B GF(q) not a generator) in B B is secretc Let c C U C is secretd Let the explicit expression for where mM satisfied Ass (a)
and kGF(q) is an arbitrary constant The definition for f() is compliant to R1 and R2 because
for where (hereafter omitted) is the mod q product
e Let kl krsquol KL U (private) and kt krsquot KT U (restricted) be the LocKeyComp and TrKeyComp for node ni and nj respectively
f Let t T U (restricted) be the LocPldTop such that for the generic kt KT is tbullkt = 0
The explicit expressions for kl and kt are public (Kerchoffrsquos principle)
TAKS Definitions (22)Local Configuration Data
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
Doctorate Dissertation LrsquoAquila March 31st 2009
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
57
TAK Authentication Theorem
In a node pair ni and nj if t σ(i) exists such that g(t ktj) = t bullktj = 0 then node nj is authenticated by node ni Viceversa if t σ(j) exists such that g(t kti) = t bullkti = 0 then node nj is authenticated by node ni (mutual authentication)
Suppose the pair ni-nj
bull LocPldTopi = σ(i) = ti where each vector ti (Topology Vector for node i) corresponds to each logical ldquoplannedrdquo neighbors for node ibull TAK authentication needs of
ndash TrKeyCompj vector ktj from node nj (the prover) ndash LocPldTopi vector t for node ni (the verifier) ndash If ktj ti = 0 then node nj is admissible ie included in the Planned Network Topology
bull The verification function g() is defined as the scalar product between t and kt this choice for g() is compliant to requirements R3 and R4
Doctorate Dissertation LrsquoAquila March 31st 2009
58
WPM-based Threat ModelDefinitions
bull States set is X = (x1 x2 hellip xn) X is n times 1bull Individual state x at step k is defined by xk = x1 x2 hellip xk xi X with
x0 (k=0) the initial statebull Observables set is O = (o1 o2 hellip oq) O is q times 1bull Individual observable at step k is defined by ok = o1 o2 hellip ok with oi
O
bull State Transition Distribution Matrix A (n times n) aij=1 if p(xk+1=xj|xk=xi)=1 aij=0 otherwise
bull Emission Distribution Matrix B (q times n) bij=1 if p(ok=oj|xk=xi)=1 bij=0 otherwise
bull Hypothetic Engaged States at step k is the sub-set of possible (hidden) states associated to the observable ok Hp_xk = BT ok
bull Hypothetic Free States at obs step i Free_xi = xi - (xi Hp_xi)bull Hypothetic States Trace at obs step k Trk =i=1 (xk A bull Free_xi)
k-1
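59
WPM-based Threat Model: Algebraic Canonical Form
$$
A = \begin{bmatrix} 0&1&1&0&0\\ 0&0&0&1&0\\ 0&1&0&0&1\\ 0&1&0&0&1\\ 0&0&0&0&0 \end{bmatrix}
\qquad
B = \begin{bmatrix} 1&0&0&0&1\\ 0&1&0&0&0\\ 0&0&1&1&0\\ 1&1&0&1&0\\ 0&0&1&0&0\\ 1&0&0&0&1 \end{bmatrix}
$$
$$
x_0 = \begin{bmatrix} 0\\0\\0\\0\\1 \end{bmatrix}
\qquad
x_F = \begin{bmatrix} 1\\0\\0\\0\\0 \end{bmatrix}
$$
$$
x_{k+1} = A x_k \qquad o_k = B x_k
$$
In A, the i-th column gives the states reachable from the i-th state; in B, the i-th column gives the observables of the i-th state.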
60
WPM-based Threat Model: Generation of Hypothetic States Traces
[Figure: hypothetic states traces over six observation steps, built with x_{k+1} = A x_k and x_k = B^T o_k. Labels in the figure: o1 = 3 (x1 = 4, x1 = 5); o2 = 1 (x2 = 1, x2 = 5); o3 = 4 (x3 = 2, x3 = 3); o4 = 2 (x4 = 3); o5 = 5 (x5 = 4); o6 = 6 (x6 = 1, x6 = 5); traces Tr1_6 = 1245 and Tr2_6 = 1351.]
61
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x_0), 2 hazard levels for an attack can be defined:
– Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state x_j which is at least 2 hops from the final state
– High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state x_j which is 1 hop from the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
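The threat model and the hazard levels above, put together as detection logic in an added example that is not code from the dissertation. It assumes the digit strings of the Algebraic Canonical Form slide are A and B written row by row, uses a constructed observation sequence, and filters candidates by intersecting A x with B^T o, which is this sketch's own choice rather than the slide's Trace formula.

```python
# Added illustration, not code from the dissertation.
# Assumption: the digit strings on the Algebraic Canonical Form slide are the
# matrices A (5 x 5) and B (6 x 5) written row by row.
A_DIGITS = "0110000010010010100100000"
B_DIGITS = "100010100000110110100010010001"
X0 = [0, 0, 0, 0, 1]   # initial state: state 5
XF = [1, 0, 0, 0, 0]   # final state: state 1

def to_matrix(digits, cols):
    return [[int(c) for c in digits[r:r + cols]]
            for r in range(0, len(digits), cols)]

A = to_matrix(A_DIGITS, 5)
B = to_matrix(B_DIGITS, 5)

def step(x):
    """x_{k+1} = A x_k over booleans: column j of A marks the successors of state j."""
    n = len(A)
    return [int(any(A[i][j] and x[j] for j in range(n))) for i in range(n)]

def engaged(o):
    """Hp_x_k = B^T o_k for one observable o (1-based): the states that can emit o."""
    if not 1 <= o <= len(B):
        raise ValueError("unknown observable %r" % (o,))
    return list(B[o - 1])

def hops_to_final():
    """Minimum number of transitions from each state to the final state (None if unreachable)."""
    n = len(A)
    hops = [0 if XF[j] else None for j in range(n)]
    frontier = [j for j in range(n) if XF[j]]
    depth = 0
    while frontier:
        depth += 1
        reached = [j for j in range(n)
                   if hops[j] is None and any(A[i][j] for i in frontier)]
        for j in reached:
            hops[j] = depth
        frontier = reached
    return hops

def hazard(hops):
    """Hazard level of one state, from its hop distance to the final state."""
    if hops is None:
        return "NONE"
    if hops == 0:
        return "FINAL"
    return "HPA" if hops == 1 else "LPA"

SEVERITY = ["NONE", "LPA", "HPA", "FINAL"]

def track(observations):
    """Follow the hypothetic states through a sequence of observables.

    Returns one tuple per step: (k, o_k, candidate states, level, consistent).
    Candidates are the predicted states (A x) that can also emit o_k (B^T o_k).
    """
    hops = hops_to_final()
    x = list(X0)
    report = []
    for k, o in enumerate(observations, start=1):
        hp = engaged(o)
        cand = [p & h for p, h in zip(step(x), hp)]
        consistent = any(cand)
        if not consistent:
            cand = hp   # observable not explained by the model: restart from Hp_x_k
        states = [j + 1 for j, bit in enumerate(cand) if bit]
        level = max((hazard(hops[s - 1]) for s in states),
                    key=SEVERITY.index, default="NONE")
        report.append((k, o, states, level, consistent))
        x = cand
    return report

def alarm_steps(observations):
    """Steps at which an alarm is raised: the worst-case candidate is an HPA state."""
    return [k for k, _, _, level, _ in track(observations) if level == "HPA"]

if __name__ == "__main__":
    for row in track([4, 2, 1]):   # constructed observation sequence
        print(row)
```

An observable that no predicted state can emit is reported with `consistent = False` instead of being dropped, so a gap in the model shows up in the report.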
62
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that:
• if node n_j is an LPA state, the total score in n_j is s_j = L
• if node n_j is an HPA state, the total score in n_j is s_j = H
• if node n_j is neither LPA nor HPA, or is a final state, the total score in n_j is s_j = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
63
Threat Score Computation
Hypothetic Free States (Free_xk)
kobs
WML
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
64
Security Analysis: Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
65
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
66
Security Analysis: Security Level in a network
In case a node has been captured, the following system of non-algebraic equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak
6 equations (= 3 + 3), 10 variables (a, m, c, b)
• It can be shown that, even capturing all N nodes in the network, the attacker gets ~ q^4 - Nq free solutions for (a, m, c, b), which are still ~ q^4 if N << q
• Thus the scheme is N-secure
→ ~ q^4 solutions
67
ADL Component
[Figure: block diagram of the ADL component. Blocks: ADL, AG, TM, AR, NetManager, Comms, LCD, Tuple Space, Remote Tuple Space. Labels: WML, ok, Hp_xk, al[sk], TGMP msgs, ARCHEA msgs.]
68
AG sub-Component
[Figure: block diagram of the AG sub-component. Blocks: AG, TM, Trace Estimation, Score Computation, Tuple Space. Labels: WML, Hp_xk, Free_xi<k, Free_xk, al[sk].]
69
TM Component
[Figure: block diagram of the TM component. Blocks: TM, AG, AR, ADL, Remote Tuple Space. Labels: A, B, x0, xF, ok, Hp_xk.]
70
NetManager Component
[Figure: block diagram of the NetManager component. Blocks: NetManager, TAKS, ARCHEA, AR, LCD, Comms, Tuple Space. Labels: TGMP msgs, ARCHEA msgs, RELEASE_ind(niCH), cm[s], TAKgen okko.]
71
TAKS Component
[Figure: block diagram of the TAKS component. Blocks: TAKS, NetworkTopology Authentication, KeyGeneration, TGMP, ARCHEA, AR, LCD, TinySec, Comms, Tuple Space. Labels: klj, ktj, σ(j), cm[s], TAKgen okko, ReplaceKey, RevokeKey, TGMP msgs, RELEASE_ind(niCH).]
72
ARCHEA Component
[Figure: block diagram of the ARCHEA component. Blocks: ARCHEA, ARCHEA Manager, Route Cost Computation, TAKS, AR, Comms. Labels: ARCHEA msgs, RELEASE_ind(niCH).]
73
TAK Gen Management Prot. (TGMP)
[Figure: TGMP message sequence between nodes ni and nj, with LCDi and LCDj. Labels: (1), (2), SETUP(kti), SETUP(ktj), tj · ktj = 0, ti · kti = 0, TAKi = f(kli, ktj), TAKj = f(klj, kti), TAK-ciphered link, RELEASE(kti, ktj), RELEASE_ind(niCH), ARCHEA, TinySec RevokeKey(TAK), TinySec ReplaceKey(TAK).]
74
ARCHEA Protocol
[Figure: ARCHEA message sequence among nodes ni, nj and nl, with LCDi and LCDj. Labels: (1) EVALUATE_RC(hi, σi), ni=CH = minRCi, UDPATE_H(hj), UDPATE_H(hl), RESET_H, hj = hl+1, (2) RELEASE_ind(niCH), TAKS, TAK-ciphered link, σi = AN[σ(ni)], hi, hj.]
55
TAKS Definitions (2/2): Local Configuration Data
a. Let A ⊂ U, M ⊂ U. Elements in A are defined as follows: a, a′ ∈ A if m ∈ M exists such that m(a × a′) ≠ 0. A and M are secret.
b. Let b ∈ B ⊂ GF(q) (not a generator) in B. B is secret.
c. Let c ∈ C ⊂ U. C is secret.
d. Let the explicit expression for where m ∈ M satisfies Ass. (a) and k ∈ GF(q) is an arbitrary constant. The definition for f() is compliant to R1 and R2 because for where (hereafter omitted) is the mod q product.
e. Let k_l, k′_l ∈ K_L ⊂ U (private) and k_t, k′_t ∈ K_T ⊂ U (restricted) be the LocKeyComp and TrKeyComp for node n_i and n_j respectively.
f. Let t ∈ T ⊂ U (restricted) be the LocPldTop such that, for the generic k_t ∈ K_T, t • k_t = 0.
The explicit expressions for k_l and k_t are public (Kerckhoffs's principle).
()mkb()f ()f
uum2uum2umumumum bkbkkbkbkbkb
Uuu )q(GFk
56
TAK Generation Theorem
2tjlii kkTAK
2tiljj kkTAK
kti kli
2)aa(m2ji aamkbTAKTAKTAK
ktj kljktj
kti
s = mf(a) srsquo = mf(arsquo)
askkba)a(fak
t
aml
askkba)a(fak
tj
amlj
()mkb()f
CBMA
cmbk
222ji aamafafTAKTAKTAK
For any f() compliant to R2
ni nj
Doctorate Dissertation LrsquoAquila March 31st 2009
59
WPM-based Threat Model Algebraic Canonical Form
0110000010010010100100000
A
100010100000110110100010010001
B
00001
x0
kk
k1k
BxoAxx
10000
xF
i-th column gives the states reachable from the i-th state i-th column gives the
observables of the i-th state
WPM-based Threat Model: Generation of Hypothetic States Traces
$x_{k+1} = A x_k$
$x_k = B^T o_k$
Observables and the hypothetic states obtained from x_k = B^T o_k:
• o1 = 3: x1 = 4, x1 = 5
• o2 = 1: x2 = 1, x2 = 5
• o3 = 4: x3 = 2, x3 = 3
• o4 = 2: x4 = 3
• o5 = 5: x5 = 4
• o6 = 6: x6 = 1, x6 = 5
State predictions: x2 = A x1, x3 = A x2, x4 = A x3, x5 = A x4, x6 = A x5
Traces (labels as extracted): Tr1 6 = 1245, Tr2 6 = 1351
[State graph with nodes 1 to 5; edges not recoverable]
WPM-based Threat Model: Hazard levels in an attack
• Assuming a WPM-based threat model (A, B, x0), 2 hazard levels for an attack can be defined:
– Low Potential Attack (LPA): an attack is considered "low potentially dangerous" (or in an LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
– High Potential Attack (HPA): an attack is considered "high potentially dangerous" (or in an HPA state) if the threat is currently in a state xj which is 1 hop to the final state
• Alarms al[sk] are issued when the attack has reached an HPA state
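Added example (not part of the dissertation slides): the LPA/HPA hazard levels computed from a state transition matrix by breadth-first search back from the final state, with an alarm raised for every HPA state in a hypothetic trace. The 6-state matrix, the 0-based state indices, reading "hops" as shortest path length, and labelling states that cannot reach the final state as NONE are assumptions made for illustration.

```python
from collections import deque

# Constructed 6-state model for illustration (NOT the matrix A from the slides).
# Slide convention: x_{k+1} = A x_k, and column i of A marks the states
# reachable from state i, so A[j][i] == 1 means a transition i -> j.
A = [
    [0, 0, 0, 0, 0, 0],
    [1, 0, 0, 0, 0, 0],  # 0 -> 1
    [1, 0, 0, 0, 0, 0],  # 0 -> 2
    [0, 1, 1, 0, 0, 0],  # 1 -> 3, 2 -> 3
    [0, 0, 0, 1, 0, 0],  # 3 -> 4 (final state)
    [1, 0, 0, 0, 0, 0],  # 0 -> 5 (dead end: never reaches the final state)
]
FINAL = 4  # 0-based index of the final state x_F (assumption)


def hops_to_final(A, final):
    """Shortest number of transitions from each state to the final state.

    Returns a list with one entry per state; None means the final state
    is not reachable from that state.
    """
    n = len(A)
    if any(len(row) != n for row in A):
        raise ValueError("A must be square")
    dist = [None] * n
    dist[final] = 0
    queue = deque([final])
    while queue:
        j = queue.popleft()
        # Predecessors of j are the columns i with a 1 in row j.
        for i in range(n):
            if A[j][i] and dist[i] is None:
                dist[i] = dist[j] + 1
                queue.append(i)
    return dist


def classify(A, final):
    """Label each state FINAL, HPA (1 hop), LPA (>= 2 hops) or NONE."""
    levels = []
    for d in hops_to_final(A, final):
        if d is None:
            levels.append("NONE")
        elif d == 0:
            levels.append("FINAL")
        elif d == 1:
            levels.append("HPA")
        else:
            levels.append("LPA")
    return levels


def alarms(trace, levels):
    """Return (step k, state) for every HPA state in a hypothetic trace."""
    return [(k, s) for k, s in enumerate(trace) if levels[s] == "HPA"]


if __name__ == "__main__":
    levels = classify(A, FINAL)
    print(levels)
    print(alarms([0, 2, 3, 4], levels))  # constructed trace
```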
WPM-based Threat Model: Score Matrix S
Score Computation Theorem [Sec ] states that
• if node nj is an LPA state, the total score in nj is sj = L
• if node nj is an HPA state, the total score in nj is sj = H
• if node nj is neither LPA nor HPA, or is a final state, the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Threat Score Computation
Hypothetic Free States (Free_xk)
kobs
WML
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Security Analysis: Entropy associated to TAK
$H(k_{li}, k_{tj}) = H(k_{tj}) + H(k_{li} \mid k_{tj}) = 3\log_2 q$
$H(k_{tj}) = 0$
$H(k_{li} \mid k_{tj}) = H(k_{li})$
$H(k_{li}) = 3\log_2 q$, $N \ll q$
$H_{TAK} = \frac{1}{3} H(k_{li}, k_{tj}) = \log_2 q$
Theorem on TAK Entropy: TAK entropy per binit is ≈ 1
Security Analysis: Security Level in a single node
The cryptographic robustness of the TAK generation scheme is based on the difficulty of computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
• In this case the problem is harder to solve than the classic DLP because the equations are not pure exponentials
amt
)ca(ml
bamkbak
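Security Analysis: Security Level in a network
In case a node has been captured, the following non-algebraic system of equations should be solved for a, m, c, b, which are the secret components used to generate all TAK keys in the network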
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
60
WPM-based Threat ModelGeneration of Hypothetic States Traces
x2=Ax1
o2 = 1x2 = 1
x2 = 5
x2=Bto2
x4=Ax3x3=Ax2
o1 = 3x1 = 4
x1 = 5
x1=Bto1
4
5
x6=Ax5x5=Ax4
3Tr1
6=1245Tr2
6=1351
5
o3 = 4x3 = 2
x3 = 3
x3=Bto3
o4 = 2x4 = 3
x4=Bto4
o5 = 5x5 = 4
x5=Bto5
o6 = 6x6 = 1
x6 = 5
x6=Bto6
2
34
1
5
k1k
kTk
AxxoBx
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
61
bull Assuming a WPM-based threat model (A B x0) 2 hazard levels for an attack can be defined
ndash Low Potential Attack (LPA) An attack is considered low potentially dangerousrdquo (or in a LPA state) if the threat is currently in a state xj which is at least 2 hops to the final state
ndash High Potential Attack (HPA) An attack is considered high potentially dangerous (or in a HPA state) if the threat is currently in a state xj which is 1 hop to the final state
bull Alarms al[sk] are issued when the attack has reached an HPA state
WPM-based Threat ModelHazard levels in an attack
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
62
WPM-based Threat ModelScore Matrix S
Score Computation Theorem [Sec ] states thatbull if node nj is an LPA state the total score in nj is sj = L bull if node nj is an HPA state the total score in nj is sj = H bull If node nj is neither LPA nor HPA or is a final state the total score in nj is sj = 0
and if
]nWMLint[log1010LH
ji)ss(ajiHL0s
jiijij
with and A State Transition Distribution matrix
klpa
khpa
k LnHns then
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
63
Hypothetic Free States (Free_xk)
kobs
WM
LThreat Score Computation
k
1i
iTi0T0kWMLk x_FreeSTrxSxx_Hps
WML
1i
iTi0T0kWMLkWMLkWMLk x_FreeSTrxSxx_Hpsss
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
64
Security Analysis Entropy associated to TAK
)k|k(H)k(H)kk(H jtiljtjtil qlog3 2
0)k(H jt
)k(H)k|k(H iljtil
Nqqlog3)k(H 2il
qlog)kk(H31H 2jtilTAK
Theorem on TAK Entropy TAK entropy per binit is asymp 1
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
65
Security AnalysisSecurity Level in a single node
The cryptographic robustness of TAK generation scheme is based on the difficulty on computing discrete logarithms (the well-known Discrete Logarithm Problem (DLP))
bull In this case the problem is harder to solve than the classic DLP because equations are not pure exponentials
amt
)ca(ml
bamkbak
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
66
Security AnalysisSecurity Level in a network
In case a node has been captured the following non-algebraic equations system should be solved for a m c b which are the secret components to generate all TAK keys in the network
amt
)ca(ml
amt
)ca(ml
bamkbak
bmsask
bak 6 equations (=3+3)10 variables (a m c b)
bull It can be shown that even capturing all N nodes in the network the attacker gets ~ q4 ndash Nq free solutions for (a m c b) which are still ~ q4 if is N ltlt q
bull Thus the scheme is N-secure
rarr ~ q4 solutions
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
67
WML
okHp_xkTuple Space
AG
NetManager
Comms
ok
ok
AR
Remote Tuple Space
al[sk]
ADL
TGMP msgsARCHEA msgs
TM
ADL Component
LCD
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
68
al[sk]
Hp_xk
Hp_xk
Free_xiltkFree_xk
Tuple Space
AG
WML
ScoreComputation
Trace Estimation
TM
AG sub-Component
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko
Doctorate Dissertation LrsquoAquila March 31st 2009
71
NetworkTopology
Authentication
KeyGeneration
LCD
klj
cm[s]Tuple Space
TAKS
ARCHEA
ktj σ(j)AR
TAKgen okko
ReplaceKeyRevokeKey
TinySec
Comms
TGM
P
TGMP msgs
TGMPmsgs
RELEASE_ind(niCH)
TAKS Component
Doctorate Dissertation LrsquoAquila March 31st 2009
72
Route CostComputation
ARCHEA
TAKS
Comms
ARCH
EA M
anag
er ARARCHEA
msgs
RELEASE_ind(niCH)
ARCHEA msgs
ARCHEA Component
Doctorate Dissertation LrsquoAquila March 31st 2009
73
TAK Gen Management Prot(TGMP)
nj
TAK-ciphered link TAK j=f (kljkti)
(1)
(2)
tjmiddot ktj=0
timiddot kti=0SETUP(kti)
SETUP(ktj)
TAK i=f (kliktj)
RELEASE(kti ktj)
ni
RELEASE_ind(niCH)ARCHEA
LCDi LCDj
TinySecRevokeKey(TAK)
TinySecReplaceKey(TAK)
Doctorate Dissertation LrsquoAquila March 31st 2009
74
ARCHEA Protocol
ni nj
(1) EVALUATE_RC(hi σi)
ni=CH = minRCiUDPATE_H(hj)
RESET_H
UDPATE_H(hl)
UDPATE_H(hj)RESET_H
RESET_H
hj = hl+1
nl
(2)RELEASE_ind(niCH)TAKS
TAK-ciphered linkσi=AN[σ(ni)]hi
LCDihj
LCDj
Doctorate Dissertation LrsquoAquila March 31st 2009
69
Hp_xk
TM A B x0 xF
ok
AGAR
Remote Tuple Space
ADL
TM Component
Doctorate Dissertation LrsquoAquila March 31st 2009
70
NetManager Component
LCD
Comms
TGMP msgs RELEASE_ind(niCH)
cm[s]
Tuple Space
ARCHEA msgs
TAKS
ARCHEA msgs
ARCHEA msg
TGMP msgs
TGMP msgs
ARCHEA
NetManager
AR TAKgen okko