2. BACKGROUND
In this section, we first describe the problem of report fabrication attacks in sensor networks, then review the general en-route filtering framework as a countermeasure.
2.1 Report Fabrication Attacks
We consider a large-scale sensor network that monitors a vast geographic terrain using a large number of static sensor
nodes. An approximate estimation on the size and shape of the terrain being monitored is known a priori. Each sensor
node is battery-powered and has limited sensing, computation and wireless communication capabilities. The sensor
deployment is dense enough to support fine-grained collaborative sensing and provide robustness against node failures.
For simplicity, we assume that the node distribution is uniform. Once deployed, each node can obtain its geographic
location via a localization scheme.

In a sensor network that serves mission-critical applications such as battlefield surveillance and forest fire monitoring, prompt detection and reporting of each relevant event in the field is critical. When an event occurs, the detecting nodes generate a report message and deliver it over multihop wireless channels to the sink, the data collection unit that is typically a resource-abundant computer. In our model, the sink is static and its location is known when sensors are deployed. Once the sink receives an event report, response actions, such as sending personnel and facilities to the event’s location, can be taken subsequently.

Unfortunately, the above event detection operations can be severely disrupted by report fabrication attacks. In such attacks, the adversary compromises a single or multiple nodes, then uses them to inject forged sensing reports that describe non-existent events. The compromised node(s) can pretend to have “detected” a nearby event or “forwarded” a report originated from a remote location. Therefore, the forged events could “appear” not only where nodes are compromised, but also at arbitrary locations. Such bogus reports
can deceive the user into wrong decisions and result in the failure of mission-critical applications. They can also induce
congestion and wireless contention, and waste a significant amount of network resources (e.g., energy and bandwidth),
along data delivery paths. In the worst case, a large number of forged reports can disrupt the delivery of legitimate
reports and deplete the energy of forwarding nodes.

In this paper, we consider the following threat model. The attacker may compromise multiple sensor nodes in the network, and we do not impose any upper bound on the number of compromised nodes. However, the attacker cannot compromise the sink, which is typically resourceful and well-protected. Once a sensor node is compromised, all secret keys, data, and code stored on it are exposed to the attacker. The attacker can load a compromised node with secret keys obtained from other nodes. We term this collusion among compromised nodes. The compromised nodes can launch many other attacks, such as dropping legitimate
reports, to disrupt the network operations. However, these threats are addressed in other related work [20, 21] and are
not the focus of this paper. We will study the impact of a few of them upon our design in Section 5. We also assume
that the attacker cannot successfully compromise a node during the short deployment phase, i.e., the interval of
tens of seconds when each sensor bootstraps itself (including obtaining its location and deriving a few keys). Some existing work has made similar assumptions and argued that such attacks can indeed be prevented in real-life scenarios
when appropriate network planning and deployment keep away attackers during the bootstrapping process. We
will revisit this aspect in Section 8.
2.2 General En-route Filtering Framework
We follow the general en-route filtering solution framework in defending against report fabrication attacks. The framework has three components that work in concert: report generation using Message Authentication Codes (MACs), en-route filtering, and sink verification. To be forwarded and accepted downstream, a legitimate report must carry m (m > 1) distinct MACs from the sensing nodes. Each node stores a few symmetric keys and endorses any event it has observed by using its keys to generate a MAC on the report. Each key has a unique index, and the sink knows all the keys. When a real event occurs, multiple detecting nodes jointly generate a complete report with the required m MACs and the associated key indices.

The intermediate nodes detect and discard bogus reports injected by compromised nodes. When a node receives a report, it verifies the report as follows: It first checks whether the report carries m distinct MACs. It then searches its own stored keys for matched key indices. When a match is found, it checks whether the carried MAC is the same as the MAC it computes via its locally stored key. It drops the report when any of these checks fails. Otherwise (i.e., it does not have any of the keys or the MACs are correct), it forwards the report as usual.

Even though the filtering power (i.e., the detection percentage for forged reports) at each node may be limited, the collective filtering power along the forwarding path can be significant. The more hops a forged report traverses, the higher the chance it is dropped en-route. Consequently, one can effectively exploit the sheer scale of the sensor network in filtering the forged reports.
The en-route filtering performed by sensor nodes may be probabilistic in nature, thus cannot guarantee to detect and
drop all forged reports. The sink serves as the final guard in rejecting any escaping ones. Because the sink knows all the
keys, it can verify each MAC carried in a report. Note that there might be multiple reports for the same event. The
sink decides whether to accept the event based on the total number of correct MACs it has received. If this number
reaches m, the event is accepted; otherwise it is rejected. Three designs, including Statistical En-route Filtering (SEF), Interleaved Hop-by-hop Authentication (IHA) and our design in this paper, are all specific instances within the above framework.
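
The forwarding-node check and the sink check described above, as an added Python example that is not code from the paper. The HMAC-SHA256 construction with an 8-byte tag, m = 3, the key pool, the event string, and counting each key index only once at the sink are all assumptions made for illustration.

```python
import hashlib
import hmac

M = 3  # required endorsements per report (the page's m, m > 1); value assumed
# Constructed key pool: index -> symmetric key. The sink knows all of it.
KEYS = {i: hashlib.sha256(b"demo-key-%d" % i).digest() for i in range(10)}

def mac(key, event):
    """Truncated HMAC-SHA256 tag (construction and length are assumptions)."""
    return hmac.new(key, event, hashlib.sha256).digest()[:8]

def endorse(event, key_indices):
    """Detecting nodes jointly build the (key index, MAC) list."""
    return [(i, mac(KEYS[i], event)) for i in key_indices]

def en_route_check(event, macs, node_keys, m=M):
    """Forwarding-node check. True = forward, False = drop."""
    if len(macs) != m or len({i for i, _ in macs}) != m:
        return False                      # not m distinct endorsements
    for idx, tag in macs:
        key = node_keys.get(idx)
        if key is not None and not hmac.compare_digest(tag, mac(key, event)):
            return False                  # shared key index, wrong MAC
    return True                           # no shared key, or shared MACs correct

def sink_accepts(event, reports, m=M):
    """Sink check over all reports for one event; each key index counts once."""
    correct = set()
    for macs in reports:
        for idx, tag in macs:
            if idx in KEYS and hmac.compare_digest(tag, mac(KEYS[idx], event)):
                correct.add(idx)
    return len(correct) >= m

EVENT = b"event=fire;loc=(120,45)"        # constructed report content
LEGIT = endorse(EVENT, [1, 2, 7])
# Forged report: the attacker holds only key 7 and pads with guessed MACs.
FORGED = [(1, b"\x00" * 8), (2, b"\x00" * 8), (7, mac(KEYS[7], EVENT))]
NODE_A = {i: KEYS[i] for i in (4, 5)}     # shares no key index with the report
NODE_B = {i: KEYS[i] for i in (2, 9)}     # shares key index 2

if __name__ == "__main__":
    for name, node in (("A", NODE_A), ("B", NODE_B)):
        print(name, "legit:", en_route_check(EVENT, LEGIT, node),
              "forged:", en_route_check(EVENT, FORGED, node))
    print("sink legit:", sink_accepts(EVENT, [LEGIT]),
          "forged:", sink_accepts(EVENT, [FORGED]))
```

Node A forwards the forged report because it holds none of the indexed keys, while node B drops it; this is the per-hop probabilistic filtering the text describes, with the sink rejecting whatever escapes.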