2. In order to design a completely secure wireless sensor Multi-hop (Multi-hop) is usually assumed that the
network, security must be integrated into every node of the network involved in the transfer node will be transparent
system. This is due to the possibility that a component to transmit it to the receiver. In the selective forwarding
implemented without any security could easily become a attacks, malicious node may refuse to forward certain
point of attack. This dictates that security must pervade messages and discarding them. The attack is a simple
every aspect of the design of a wireless sensor network form of malicious nodes as a black hole (Black Hole)
application that will require a high level of security [4]. refused to forward the same as it received the packet.
• Sinkhole attack
A. Link Layer Security Movivation Sinkhole in the attack, the attacker's goal is to "mutiny"
In conventional networks, message authenticity, to lure specific nodes in the region of all
integrity, and confidentiality are usually achieved by an communications traffic in the center of the region caused
end-to-end security mechanism such as SSH [5], SSL [6] or by similar "collapse" of the same attack. In fact, the
IPSec [7] because the dominant traffic pattern is end-to-end attackers set up a large "hole" in order to attract node to
communication; intermediate routers only need to view all the communications sent to the base station.
message headers and it is neither necessary nor desirable for • Hello flooding attack
them to have access to message bodies. This is not the case HELLO flooding attacks is a new type of sensor network
in sensor networks. The dominant traffic pattern in sensor for the attack. Many agreements require HELLO packet
networks is many-to-one, with many sensor nodes radio node to node adjacent to its own broadcasting.
communicating sensor readings or network events over a Attacker with enough power to launch route broadcasts
multihop topology to a central base station. To prune these or other information, so that the network each node is
redundant messages to reduce traffic and save energy, sensor believed to attack its neighbors. In order to use HELLO
networks use in- network processing such as aggregation flooding attack the attacker does not need to build a
and duplicate elimination [8,9]. Since in-network processing legitimate communications. An attacker can simply use a
requires inter- mediate nodes to access, modify, and large enough power tapping replay (Overheard) to the
suppress the contents of messages, it is unlikely we can use package, so that each node in the network can be
end-to-end security mechanisms between each sensor node received.
and the base station to guarantee the authenticity, integrity, • Response to deceive
and confidentiality of these messages. Link-layer security As the number of routing protocol relies on a fixed link
architecture can detect unauthorized packets when they are layer response, so an attacker can deceive the link layer
first injected into the network. For the above reasons, response to the "bugging" of the adjacent node packet.
Link-layer security mechanisms guarantee the authenticity, Response to deceive the goals, including the sender to
integrity, and confidentiality of messages between make sure the actual efficiency of low-efficient link, or
neighboring nodes, while permitting in-network processing. that have been suspended or banned node is also
The security goals of a link layer protocol are listed here as effective.
following:
• Access Control and Message Integrity III. SECURITY REQURIEMENT
• Message Confidentiality The goal of security services in WSNs is to protect the
• Data Authenticity information and resources from attacks and misbehavior.
• Data Freshness The security requirements in WSNs include:
• Availability, which ensures that the desired network
B. Routing Security Motivation services are available even in the presence of
In the design of a new security routing protocol, first denial-of-service attacks require configuring the
understand the analysis of the WSN routing attacks. The initial duty cycle carefully.
problems are summarized as follows: eavesdropping, fraud, • Authorization, which ensures that only authorized
tampering or replay (Relay) routing information; selective sensors can be involved in providing information to
forwarding attack; "collapse" (Sink-hole) attacks; Hello network services.
flooding attacks; response to deceive, and so on. • Authentication, which ensures that the
• Eavesdropping, fraud, tampering or replay communication from one node to another node is
information genuine, that is, a malicious node cannot
The most direct route to the agreement of the target node masquerade as a trusted network node.
is the exchange between the routing information. The • Confidentiality, which ensures that a given message
attacker through eavesdropping, fraud, tampering or cannot be understood by anyone other than the
replay routing information, routing loop can be desired recipients.
generated, or refuse to lure traffic, to extend or shorten • Integrity, which ensures that a message sent from
the source route, a false error messages, separated by the one node to another is not modified by malicious
network to increase the end-to-end delay (Latency ) , and intermediate nodes.
so on. • Nonrepudiation, which denotes that a node cannot
• Selective forwarding attack deny sending a message it has previously sent.
494
495
3. • Freshness, which implies that the data is recent and • Attacks on network availability: attacks on
ensures that no adversary can replay old messages. availability are often referred to as denial-of-service
Moreover, as new sensors are deployed and old sensors (DoS) attacks. DoS attacks may target any layer of a
fail, we suggest that forward and backward secrecy should sensor network.
also be considered: • Stealthy attacks against service integrity: in a
• Forward secrecy: a sensor should not be able to read stealthy attack, the goal of the attacker is to make
any future messages after it leaves the network. the network accept a false data value. For example,
• Backward secrecy: a joining sensor should not be an attacker compromises.
able to read any previously transmitted message.
The security services in WSNs are usually centered V. SECURITY BENCHMARKS
around cryptography. However, due to the We suggest using the following metrics to evaluate
constraints in WSNs, many already existing secure whether a security scheme is appropriate in WSNs:
algorithms are not practical for use. • Security: a security scheme has to meet the
requirements discussed above.
IV. THREAT MODEL AND ATTACKS • Resiliency: in case a few nodes are compromised, a
In WSNs, it is usually assumed that an attacker may security scheme should still protect against the
know the security mechanisms that are deployed in a sensor attacks.
network; they may be able to compromise a node or even • Energy efficiency: a security scheme must be energy
physically capture a node. Due to the high cost of deploying efficient so as to maximize node and network
tamper resistant sensor nodes, most WSN nodes are viewed lifetime.
as non tamper- resistant. Further, once a node is • Flexibility: key management needs to be flexible so
compromised, the attacker is capable of stealing the key as to allow for different network deployment
materials contained within that node. methods, such as random node scattering and
Base stations in WSNs are usually regarded as predetermined node placement.
trustworthy. Most research studies focus on secure routing • Scalability: a security scheme should be able to
between sensors and the base station. Deng et al. considered scale without compromising the security
strategies against threats which can lead to the failure of the requirements.
base station [10]. • Fault-tolerance: a security scheme should continue
Attacks in sensor networks can be classified into the to provide security services in the presence of faults
following categories: such as failed nodes.
• Outsider versus insider attacks: outside attacks are • Self-healing: sensors may fail or run out of energy.
defined as attacks from nodes which do not belong The remaining sensors may need to be reorganized
to a WSN; insider attacks occur when legitimate to maintain a set level of security.
nodes of a WSN behave in unintended or • Assurance: assurance is the ability to disseminate
unauthorized ways. different information at different levels to end-users
• Passive versus active attacks: passive attacks include [12]. A security scheme should offer choices with
eavesdropping on or monitoring packets exchanged regard to desired reliability, latency, and so on.
within a WSN; active attacks involve some
modifications of the data steam or the creation of a VI. SECURITY RESEARCH FORMS
false stream. • New, more efficient cryptographic algorithms and
• Mote-class versus laptop-class attacks: in mote-class security protocols. Efficient versions of public key
attacks, an adversary attacks a WSN by using a few cryptography (such as the NTRU algorithms [13])
nodes with similar capabilities to the network nodes; and broadcast authentication protocols (such as
in laptop-class attacks, an adversary can use more μTESLA [14]) have been devised.
powerful devices (e.g., a laptop) to attack a WSN. • Asymmetric algorithms and protocols. Security
These devices have greater transmission range, services have been designed to place the primary
processing power, and energy reserves than the computational and communication burden on
network nodes. external entities and/or relay devices rather than on
WSNs are vulnerable to various types of attacks. sensor nodes.
According to the security requirements in WSNs, these • Integration of security into applications. The
attacks can be categorized as [11]: computing infrastructure of miniaturized devices is
• Attacks on secrecy and authentication: standard often much flatter than conventional devices,
cryptographic techniques can protect the secrecy avoiding layers of networking protocols and
and authenticity of communication channels from application functionality for performance reasons.
outsider attacks such as eavesdropping, packet This approach requires security to be deployed at
replay attacks, and modification or spoofing of higher abstraction levels, since a generic security
packets. service is too costly.
495
496
4. [4] Perrig, A., Stankovic, J., Wagner, D. (2004), “Security in Wireless
VII. CONCLUSION AND FUTURE SCOPE Sensor Networks”, Communications of the ACM, 47(6), 53-57.
Security in wireless sensor networks has attracted a lot [5] OpenSSL. http://www.openssl.org.
of attention in the recent years. The severe energy [6] Security architecture for the Internet Protocol. RFC 2401,
November 1998.
constraints and demanding deployment environments of
[7] http://www.ssh.com
wireless sensor networks make computer security for
[8] Samuel R. Madden, Michael J. Franklin, Joseph M. Hellerstein,
these systems more challenging than for conventional and Wei Hong. TAG: A tiny aggregation service for ad-hoc sensor
networks. Components designed without security can networks. In The Fifth Symposium on Operating Systems Design
easily become a point of attack. So it is critical to and Implementation (OSDI 2002),2002.
integrate security into every component to pervade [9] Samuel R. Madden, Robert Szewczyk, Michael J. Franklin, and
security and privacy into every aspect of the design. David Culler. Supporting aggregate queries over ad-hoc wireless
sensor networks. In Workshop on Mobile Computing and Systems
While each of the security solutions could be used go Applications, 2002.
part of the way to effectively securing a WSN, there is [10] J. Deng, R. Han, and S. Mishra, “Enhancing Base Station Security
currently no one solution that can be “plugged-in” to an in Wireless Sensor Networks,” Department of Computer Science,
application to provide all the necessary security University of Colorado, Tech. Report CU-CS-951-03, 2003.
primitives. [11] B. Deb, S. Bhatnagar, and B. Nath, “Information Assurance in
Sensor Networks,” Proc. 2nd ACM Int'l. Conf. Wireless Sensor
Networks and Applications (WSNA '03), New York: ACM Press,
2003, pp. 160–68.
[12] E. Shi and A. Perrig, “Designing Secure Sensor Networks,”
REFERENCES Wireless Commun. Mag., vol. 11, no. 6, Dec. 2004 pp. 38 43.
[1] I. F. Akyildiz,W. Su, Y. Sankasubramaniam, and E. Cayirci. [13] J. Hoffstein, J. Pipher, J. H. Silverman, “NTRU: A Ring-Based
“Wireless Sensor Networks: A Survey”, Computer Networks, Public Key Cryptosystem,” in Algorithmic Number Theory (ANTS
38:393–422, 2002. III), J.P. Buhler (ed.), Lecture Notes in Computer Science 1423,
[2] Defence Advanced Research Projects Agency (13 Oct 2006) Springer-Verlag, Berlin, 1998.
Defence Advanced Research Projects Agency Home [online], [14] A. Perrig, R. Szewczyk, V. Wen, D. Cullar, and J. D. Tygar,
available: “SPINS: Security protocols for sensor networks,” in Proceedings
[3] http://www.darpa.mil/index.html [accessed 13 Dec 06] of MOBICOM, 2001.
496
497