Computer Security Principles and Practice (3rd Edition) PDF

This document provides a taxonomy of security attacks on sensor networks and proposes countermeasures. It begins with an introduction to sensor networks and their constraints. It then discusses the threat model, including different types of attackers (mote-class vs laptop-class, insider vs outsider). The main goals are to describe software attacks, attacks on communication protocols, traffic analysis, key management, sybil attacks, reputation schemes, data aggregation, and time synchronization. It aims to give a comprehensive overview of attacks and directions for future research on sensor network security.


Taxonomy of Security Attacks in Sensor Networks and Countermeasures

Tanya Roosta, Shiuhpyng Shieh, Shankar Sastry

Abstract— Ad-hoc sensor networks have become common over the past few years and the domain of their application is increasing widely. However, the security of these networks poses a great challenge due to the fact that they consist of tiny wireless devices which have limited hardware and energy resources. In addition, these networks are generally deployed and then left unattended. These facts coupled together make it impractical to directly apply the traditional security mechanisms to the sensor network paradigm. Therefore, there is a need to analyze and better understand the security requirements of sensor networks. This paper provides a comprehensive taxonomy of security attacks on sensor networks, and gives solutions for each set of attacks. More importantly, it points out the research directions which need to be investigated in the future.

I. INTRODUCTION

Ad hoc networks are infrastructure-less, possibly multi-hop wireless networks where every node can be either a host or a router, forwarding packets to other nodes in the network. Sensor networks are becoming widely integrated into the critical physical as well as personal infrastructures. The vision for the future is to integrate sensors into critical infrastructure, such as Supervisory Control And Data Acquisition (SCADA) systems. Some current applications of sensor networks are: providing health care for the elderly, surveillance, emergency disaster relief, detection of chemical or biological threats, and battlefield intelligence gathering.

A sensor network consists of anything from a handful to thousands of tiny wireless devices with sensors. One very popular type of node is the mote developed primarily at U.C. Berkeley and Intel (Figure 1). Motes are low-cost, small wireless devices with very constrained resources. An example of a sensor mote is the mica2dot. A typical configuration of a mote has a 4 MHz, 8-bit processor, with 128 KB of instruction memory, 4 KB of RAM, and 512 KB of external flash memory. The radio has a frequency of 433 MHz and a data rate of 38.4 Kbps.

Given the limited resources of these sensor nodes, in terms of both hardware and energy, it is a key technical challenge to design secure services. Earlier research on sensor networks has focused on developing extremely optimized protocols at different layers of the networking stack, as well as a specialized operating system called TinyOS [10]. However, the majority of these protocols have not been designed with security and privacy in mind, resulting in substantial performance degradation if there is a security breach. Security cannot be designed as a separate module to be added on top of these protocols. Rather, security has to be integrated in the design of every component of the sensor network.

Security in sensor networks has a number of challenges, some of which are: wireless communication among the nodes, lack of pre-existing infrastructure, dynamic topology changes, and resource constraints in terms of memory, energy, and low communication bandwidth.

The goal of this paper is to provide a taxonomy of attacks on sensor networks and outline possible solutions for each attack. To the best of our knowledge there has not been a comprehensive taxonomy of attacks for sensor networks. Denial of service attacks have been discussed in [32]; however, the authors do not cover a comprehensive list of possible security attacks on sensor networks. In this paper we attempt to give such a comprehensive taxonomy. The main contributions of our work are: 1) to describe the possible attacks on the software (Section III), 2) to discuss attacks on data aggregation and their consequences for two important applications in sensor networks (Section IX), 3) to show the effects of time synchronization attacks in sensor networks (Section X). In addition, the paper is meant to give directions for future research in the area of sensor network security.

The rest of the paper is organized as follows. In Section II we discuss the threat model, trust model, and security objectives in sensor networks. In Section III, physical attacks on the sensor nodes and attacks on TinyOS are covered. Attacks on the communication stack are explained in Section IV. Traffic analysis attacks are described in Section V, followed by attacks on key management protocols in Section VI. The Sybil attack is covered in Section VII. Attacks on reputation schemes are explained in Section VIII. The attacks on in-network data aggregation are covered in Section IX. Finally, we explain the attacks on time synchronization protocols and their effect on the higher-level application in Section X.

This work was supported in part by the Team for Research in Ubiquitous Secure Technology at UC Berkeley (TRUST), the National Science Council (NSC), the Industrial Technology Research Institute (ITRI), and the Taiwan Information Security Center at NCTU (TWISC@NCTU). S. P. Shieh is with the University of California, Berkeley, CA 94720 USA, on leave from the Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu, Taiwan (e-mail: ssp@cs.nctu.edu.tw). Tanya Roosta is with the University of California, Berkeley, CA 94720 USA (e-mail: roosta@EECS.Berkeley.EDU). Shankar Sastry is Professor of Electrical Engineering at University of California, Berkeley, CA 94720 (e-mail: sastry@eecs.berkeley.edu).
Fig. 1. Mica mote family

II. PROBLEM STATEMENT

A. Threat Model

Attacks on sensor networks can be put into different general categories, as outlined below [17]:
• A mote-class attacker vs. a laptop-class attacker: A mote-class attacker has access to a few motes with the same capabilities as other motes in the network. A laptop-class attacker has access to more powerful devices, such as laptops. This will give the adversary an advantage over the sensor network since it can launch more serious attacks.
• An insider attacker vs. an outsider attacker: An outsider attacker has no special access to the sensor network, such as passive eavesdropping, but an insider attacker has access to the encryption keys or other code used by the network. For example, an insider attacker could be a compromised node which is a legitimate part of the sensor network.
• Passive vs. active attacker: A passive attacker is only interested in collecting sensitive data from the sensor network, which compromises the privacy and confidentiality requirement. In contrast, the active attacker's goal is to disrupt the function of the network and degrade its performance. For example, the attacker might inject faulty data into the network by pretending to be a legitimate node.

B. Trust Model

In sensor networks, there are one or more base stations, such as PCs, which are sinks and aggregation points for the information gathered by the nodes. Base stations are the interface between the sensor network and the users. Since base stations are often connected to a larger and less resource-constrained network, it is generally assumed that a base station is trustworthy so long as it is available. Besides the base stations, there are no trust requirements on the sensor nodes since they are vulnerable to physical capture and other attacks.

C. Security Objectives

Security objectives in sensor networks are very similar to security requirements for embedded systems and are summarized below:
• Data Confidentiality: In many applications, sensor networks gather sensitive data, for example in health care or military applications. Data confidentiality ensures that this data is protected and will not leak outside of the sensor network and be used by unauthorized parties. This task could be accomplished using cryptography.
• Data Authentication: This requirement allows the receiver to verify that the data was really sent by the node it claims to be coming from. This is accomplished using a Message Authentication Code (MAC) on the communicated data.
• Data Integrity: This ensures that the data has not been altered or modified by unauthorized users while in transit.
• Data Freshness and Availability: Given that sensor networks are used to monitor time-sensitive events, it is important to ensure that the data provided by the network is fresh and available at all times. This means that an adversary cannot replay old messages in the future.
• Graceful Degradation: This requirement ensures that the designed mechanisms are resilient to node compromise, and the performance of the network degrades gracefully when a small portion of the nodes are compromised.

III. ATTACKS ON THE MOTE

Sensor networks are self-organizing networks which, once deployed, are expected to run autonomously and without human attendance. Sensor nodes are vulnerable to physical tampering and capture. The physical tampering in turn facilitates attacks on the software running on the motes. We will discuss each of these attacks in more detail in the following sub-sections.

A. Physical Tampering

Current sensor hardware does not provide any resistance to physical tampering. If an adversary captures a mote, he can easily extract the cryptographic primitives as well as exploit the shortcomings of the software implementation. In the realm of sensor networks, the physical attacks can be divided into two types:
• Invasive Attacks: This type of attack consists of reverse engineering followed by probing techniques that require access to the chip-level components of the device. As a result, the attacker has unlimited access to the information stored on the chip, and can cause substantial damage to the system.
• Non-invasive Attacks: In this type of attack the embedded device is not opened and physically tampered with. An example of this type of attack is the side-channel attack. A side-channel attack refers to any attack that is based on the information gathered from the physical implementation of a cryptosystem, in contrast to a vulnerability in the algorithms. For example, the attacker may analyze the power consumption, the timing of the software operation execution, or the frequency of the electromagnetic (EM) waves.
Both types of attacks map directly to the sensor network domain. Invasive attack is possible through the physical capture of a sensor node. As of yet, there is no solution available to make the sensor nodes resistant to physical tampering; the sensor nodes' micro-controllers lack any kind of hardware-based memory protection. Traditionally in embedded systems cryptoprocessors, which are physically secure processors, have been extensively used to provide some level of physical tamper resistance. Even though there are known attacks on cryptoprocessors, they do provide a first line of defense against physical tampering. Therefore, there is a need to develop optimized cryptoprocessors that fit the low-cost, low-energy requirements of sensor networks.

Non-invasive attacks, such as side-channel attacks, are also possible in sensor networks. For example, a recent study has shown that a side-channel attack on Message Authentication Codes (MAC), using Simple Power Analysis as well as Differential Power Analysis, is possible in sensor networks [24]. Their results suggest that several key bits can be extracted through the power analysis attack. This leads to the conclusion that protecting block ciphers against side-channel attacks is not adequate. Future research has to explore possible security measures for Message Authentication Codes as well.

Other side-channel attacks which have not been explored in the context of sensor networks are timing attacks and frequency-based attacks. The timing attack involves algorithms which have non-constant execution time, and this can potentially leak secret information. Non-constant execution time can be caused by conditional branching and various optimization techniques. As we will outline in the next subsection, the operating system running on the sensor nodes is event-driven and extremely optimized in terms of memory consumption. This suggests that the timing side-channel attack is possible. A solution to this attack is to use constant-execution-time software. However, it is not clear if this is easily achievable in sensor networks. Therefore, searching for countermeasures for the timing attack in sensor networks is an important area for future research. In addition to the timing attack, frequency-based attacks to extract secret keys of symmetric cryptographic algorithms need to be further explored in the context of sensor networks. It has been shown in ?? that the frequency-based attack can be carried out on small devices, such as PDAs. However, no experiment has been carried out to verify whether this attack is plausible in the sensor network context.

Another problem that can arise in sensor networks is attacks on the block cipher¹. TinySec [16], which is the primary encryption mechanism in sensor networks, uses a block cipher. Attacks on the block cipher are usually accomplished through linear or differential cryptanalysis. As we mentioned earlier, this attack is possible in sensor networks by using power analysis techniques. In addition, if the block cipher is used as a hash function, attacking the block cipher will result in breaking the hash function.

¹ In cryptography, block cipher refers to a symmetric key cipher that operates on fixed-length groups of bits.

Given the discussion in this section, it is obvious that there needs to be more research done to prevent these attacks. Some of the countermeasures for side-channel attacks used in traditional and embedded systems are:
• power consumption randomization
• randomization of the execution of the instruction set
• randomization of the usage of register memory
• CPU clock randomization
• using fake instructions
• using bit splitting
Future research should look into each of these solutions to determine their applicability to the sensor node platforms. Future sensor node hardware has to be designed so as to support the security required by the software.

B. Software Attacks

Software-based attacks are concerned with modifying the code, and exploiting known vulnerabilities. A well-known example of this type of attack is the buffer overflow attack. Buffer overflow attack refers to the scenario where a process attempts to store data beyond the boundaries of a fixed-length buffer. This results in the extra data overwriting the adjacent memory locations.

As mentioned earlier, sensor networks have limited resources in terms of energy and memory (RAM and flash memory). Consequently, a new OS called TinyOS has been specifically designed for these networks. TinyOS is a low-power, event-driven OS which consists of code that can be reused. TinyOS is a set of components that can be wired together as needed by the application, as shown in Figure 2 [12]. The implementation language of TinyOS is NesC, which is a component-based language with an event-based execution model [10]. The current implementation of TinyOS does not provide any memory access control, meaning there is no function to control which users/processes access which resources on the system, and what type of execution rights they have. In TinyOS the assumption is largely that a single application or user controls the system.

The solution to access control in traditional operating systems has been to authenticate the processes, and then mediate their access to different system resources. Another example is to use the Protection Ring method. A protection ring consists of a number of hardware-enforced levels, for example 0, ..., m, of privilege within the architecture of a computer CPU. These ring levels are arranged in a hierarchy starting from the most trusted process (usually at level 0) to the least trusted process (usually at level m). The hardware that uses protection rings greatly restricts the ways in which one ring passes control to another ring. In addition, the hardware enforces restrictions on the types of memory access that can be performed across rings. In order to effectively implement a ring architecture, there needs to be close cooperation between hardware and software. A possible future direction is to design the hardware platform of the sensor nodes such that it supports the ring architecture.
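As an added example (not code from the paper), the receive-side checks that realize the Data Authentication and Data Freshness objectives of Section II-C, written so that the tag comparison has the constant execution time that the timing-attack discussion above asks for. The packet layout (2-byte node id, 4-byte counter, 4-byte tag) and the use of HMAC as a stand-in for TinySec's block-cipher MAC are assumptions of this example, not details of TinySec.

```python
from __future__ import annotations
import hashlib
import hmac
import struct

# Assumptions of this example: a 2-byte node id, a 4-byte per-node counter and a
# 4-byte tag (TinySec-style MACs are truncated to save radio bandwidth).
HEADER = struct.Struct(">HI")
TAG_LEN = 4


def compute_tag(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Stand-in MAC: HMAC-SHA256 truncated to TAG_LEN. TinySec uses a block-cipher
    CBC-MAC instead; the receive-side logic below is the same either way."""
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]


def build_packet(key: bytes, src: int, counter: int, payload: bytes) -> bytes:
    """Sender side: header || payload || tag, with the counter covered by the tag."""
    header = HEADER.pack(src, counter)
    return header + payload + compute_tag(key, header, payload)


def early_exit_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Non-constant-time check. Returns (equal, bytes_examined); the second value
    models the timing leak: work stops at the first mismatch, so it reveals how
    many leading tag bytes were correct."""
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return len(a) == len(b), steps


def constant_time_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Examines every byte whatever the input, so the work done is independent of
    where a mismatch lies (use hmac.compare_digest in production code)."""
    diff = len(a) ^ len(b)
    steps = 0
    for x, y in zip(a, b):
        diff |= x ^ y
        steps += 1
    return diff == 0, steps


class Receiver:
    """Base-station side: one shared key and one last-accepted counter per node."""

    def __init__(self, keys: dict[int, bytes]) -> None:
        self.keys = keys
        self.last_counter: dict[int, int] = {}

    def accept(self, packet: bytes) -> tuple[bool, str]:
        if len(packet) < HEADER.size + TAG_LEN:
            return False, "truncated"
        src, counter = HEADER.unpack_from(packet)
        header = packet[:HEADER.size]
        payload = packet[HEADER.size:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        key = self.keys.get(src)
        if key is None:
            return False, "unknown source"   # outsider or fabricated identity
        # Data authentication and integrity: recompute the tag over header+payload.
        ok, _ = constant_time_compare(compute_tag(key, header, payload), tag)
        if not ok:
            return False, "bad MAC"
        # Data freshness: the counter is inside the MAC, so a replayed packet
        # necessarily carries a counter no greater than the last accepted one.
        if counter <= self.last_counter.get(src, -1):
            return False, "replay"
        self.last_counter[src] = counter
        return True, "ok"


def demo() -> list[str]:
    """Constructed traffic from node 7 (key bytes 0..15) plus three attacks."""
    key = bytes(range(16))
    rx = Receiver({7: key})
    good = build_packet(key, 7, 1, b"temp=21")
    results = [rx.accept(good)[1]]                 # fresh, authentic: ok
    results.append(rx.accept(good)[1])             # same packet again: replay
    forged = good[:-1] + bytes([good[-1] ^ 1])     # one tag bit flipped
    results.append(rx.accept(forged)[1])           # bad MAC
    nxt = build_packet(key, 7, 2, b"temp=21")
    tampered = nxt[:HEADER.size] + b"temp=99" + nxt[-TAG_LEN:]  # payload edited in transit
    results.append(rx.accept(tampered)[1])         # bad MAC
    results.append(rx.accept(build_packet(key, 7, 2, b"temp=22"))[1])  # ok
    results.append(rx.accept(build_packet(bytes(16), 9, 1, b"x"))[1])  # unknown source
    return results
```

The step counts returned by the two comparison functions are the point: the early-exit version's work depends on the position of the first wrong tag byte, which is exactly the conditional-branching leak the text describes.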
Fig. 2. TinyOS component hierarchy

A recent work in [28] uses the concept of drawing a red line, which refers to having a boundary between the trusted and un-trusted code. Their solution, called Un-trusted Extension for TinyOS (UTOS), uses a concept similar to sandboxing. It provides an environment in which un-trusted, and possibly malicious, code could be run without affecting the kernel. UTOS creates the sandbox by using extensions which are the interface between the un-trusted code and the TinyOS components. The architecture of UTOS is shown in Figure 3.

In addition to the above problem, i.e. the non-existence of kernel and user separation, TinyOS uses the concept of Active Messaging (AM). AM is an environment that facilitates message-based communication in distributed computer systems. Each AM message consists of the name of a user-level handler on the target node that needs to be invoked as well as the data that needs to be passed on [11]. This approach enables the implementation of a TCP/IP-like network stack on the motes that fits the hardware limitations of the sensor nodes.

Another vulnerability with the current implementation of TinyOS is that it is possible to open a port to a remote sensor node using the USB port and a PC. The serial forwarder, which is one of the most fundamental components of the TinyOS software, is called to open a port to a node. There is no security check to authenticate the user who is attempting to open the port. This could lead to an attack on the software where the adversary opens a port to the nodes and uploads software, or downloads information from the nodes.

Some of the solutions that should be considered to secure the TinyOS software and protect the software from being exploited by malicious users are:
• Defining rigorous trust boundaries for different components and users
• Software authentication and validation. For example, a new line of research in sensor networks has started looking into the problem of remote software-based attestation [29].
• Using a restricted environment such as the Java Virtual Machine. The JVM is already available in TinyOS software [18] and can be used to restrict the access of unauthorized users to the kernel.
• Hardware attestation. For example, Trusted Computing Group and Next Generation Secure Computing Base provide this type of attestation [25]. A similar model could be used in sensor networks.
• Dynamic run-time encryption/decryption for software: this is similar to the encryption/decryption of the data except that the code running on the device is encrypted. This will prevent a malicious user from exploiting the software.

IV. ATTACKS ON THE NETWORK COMMUNICATION STACK

As explained in [32], the attacks on the communication layer of the network can be divided up into the following categories:
• Physical layer
• Link layer
• Network and Routing layer
• Transport layer
In the following subsections, we explain the attacks on each layer in more detail.

A. Physical Layer

Sensor nodes use Radio Frequency (RF) to communicate wirelessly among each other. One of the important attacks on the wireless communication is jamming. Jamming is the interference with the RF used by the nodes in a network. The adversary can use a small number of nodes scattered around in the network to disrupt the communication in the entire network.

Common defenses against the jamming attack are using some form of spread spectrum communication. Examples of this are frequency hopping and code spreading. Another solution to the jamming attack has been proposed in [33]. The authors suggest a mechanism by which a jammed region can be mapped by the surrounding nodes. The goal of the protocol is to cope with the jamming attack, and isolate the jammed region from the rest of the network.

B. Link Layer

The link layer protocol provides means for neighboring nodes to access the shared wireless channel, for example Carrier Sense Multiple Access (CSMA). Examples of attacks on the link layer protocol are:
• Causing collisions with packets in transmission
• Exhaustion of the node's battery due to repeated retransmission
• Unfairness in using the wireless channel among neighboring nodes
A number of solutions have been suggested for detecting these attacks, such as using collision detection techniques,
modifying the MAC code so as to limit the rate of requests, and using smaller frames for each packet [32].

Fig. 3. UTOS architecture [28]

C. Network and Routing Layer

The goal of this layer is to provide reliable end-to-end transmission. As mentioned earlier, all the nodes in the sensor network act as routers. This introduces a new complexity dimension to the design of routing protocols for sensor networks. The routing protocols have to be energy and memory efficient, but at the same time they have to be robust to security attacks and node failures. There have been many power-efficient routing protocols proposed for sensor networks. However, most of them suffer from different security vulnerabilities as discussed by the authors in [17]. Here we briefly mention a few of the attacks on the routing protocols. The complete list can be found in [17]:
• Black holes: This attack is launched against distance vector routing protocols. A compromised node advertises a zero or a very low cost to its neighbors. As a result, a large number of packets get routed toward this node.
• Wormhole attack: in this attack the adversary node tunnels the messages to another part of the network through a low-latency link, and then replays them. This attack is particularly challenging to deal with since the adversary does not need to compromise any nodes and can use laptops or other wireless devices to send the packets on a low-latency channel. In [34] the authors propose using packet leashes. Packet leashes are additional information added to the packet whose purpose is to restrict the maximum distance the packet can travel in a given amount of time. Another solution has been proposed in [27] where a graph theoretic framework for modeling wormhole links is given. The authors derive necessary and sufficient conditions, based on the graph theoretic framework, for detecting and defending against wormhole attacks. However, the technical details of the solution are beyond this paper.
• Spoofed, altered, replayed packets: This attack targets the routing information used by nodes. As a result, it could lead to creating routing loops, or increase the end-to-end delay.
• Selective forwarding: in this attack the compromised node only forwards a fraction of the packets it receives and drops the rest. The Denial-of-Message attack on broadcast in sensor networks is an example of selective forwarding.
• Sinkhole attack: in this attack the adversary tries to attract most of the traffic toward the compromised nodes.
• Acknowledgement spoofing: The goal of the adversary in this attack is to spoof a bad link or a dead node using the link layer acknowledgement for the packets it overhears for those nodes.

D. Transport Layer

The transport layer is used for managing the end-to-end connections for different applications in the network. Transport layer protocols are usually simplified to fit the requirements of sensor networks, such as energy-efficiency. STCP [14] is an example of a generic transport layer protocol specifically designed for sensor networks.

Flooding and desynchronization are two types of attack targeted at the transport layer protocols. The goal of the flooding attack is to exhaust the memory of a node through sending many connection establishment requests. In the desynchronization attack the adversary forges packets to one or both ends of a connection using different sequence numbers on the packets. This will cause the end points of the connection to request retransmission of the 'perceived' missed packets. Authentication and using client puzzles are two possible solutions to guard against these attacks [32]. The question that needs to be answered is whether these solutions can be implemented in sensor networks, and what modifications need to be made to make these schemes plausible in the realm of sensor networks.

V. TRAFFIC ANALYSIS ATTACKS

Given the nature of the sensor network, the traffic through the network has a specific pattern, i.e. it is a many-to-one pattern or many-to-a-few. Most of the nodes in the network send their observations back to the base station, as shown in Figure 4. This gives an adversary an extra dimension of vulnerability to exploit.

An adversary is able to gather a lot of information on the topology of the network as well as the location of the base station and other strategic nodes by observing the traffic volume and pattern. For example, the adversary might observe the traffic and deduce the nodes that are on the vertex cut-set. Then he can attack and compromise those nodes, which will result in breaking the network into two disconnected
components, and any path from one component to the other has to go through the compromised nodes. Alternatively, the attacker might launch a Denial of Service attack against the nodes on the vertex cut-set in order to drain their energy. As a result, the overall lifetime of the network is decreased².

Fig. 4. An example of traffic pattern in sensor networks.

There are two ways in which traffic analysis attacks can be performed by an adversary:
• In the first attack, the adversary observes the packet-sending rate of the nodes that are close to it, and then moves towards nodes that have a higher packet-sending rate.
• In the second attack, the adversary observes the time between consecutive packet-sendings among neighboring nodes. Then he tries to follow the path of the packet that is being forwarded until it reaches the base station.

The possible solutions to the traffic analysis attack are to use randomness and multiple paths in routing, using probabilistic routing³, and the introduction of fake messages in the network. The probabilistic geographic routing scheme (PGR) has been explored by the authors in [30], where the next hop is chosen based on the link quality and residual energy of a subset of the neighbors of a node. It has been shown through simulations that PGR is energy efficient and performs well in terms of throughput.

A cautionary note on using fake messages is in order. Fake messages will introduce additional overhead in terms of energy consumption and in-network traffic. In order for the fake messages to be effective in preventing the adversary from learning any information, they have to look like real messages. Therefore, we cannot use any optimization on these fake messages.

² The lifetime of the network is generally defined as the time it takes for the network to become partitioned.
³ In deterministic routing, the next hop is selected based on a known rule, such as shortest path. In contrast, in probabilistic routing, the next hop is chosen at random from among a number of candidate nodes. Therefore, the next hop cannot be determined ahead of time.

VI. KEY MANAGEMENT PROTOCOLS

Nodes in a sensor network use either pre-distributed keys or some form of keying material to generate the keys dynamically. The cryptographic keys are either group-wise or pair-wise. In addition, each node has to discover its neighbors with which it shares a secret key. If two nodes do not share a secret key directly, then they have to find a path that connects the two of them in a secure fashion. The goal of the key management protocol is to pre-distribute cryptographic keys among the nodes prior to the deployment, revoke keys if nodes leave the network, and assign new keys to the nodes joining the network or when some of the keys expire.

In sensor networks the key management protocols fall into one of the following categories:
• Deterministic: In this case the processes that generate the key pools and the key chains are deterministic.
• Probabilistic: The key chains are selected randomly from a given key pool and distributed among the nodes.
• Hybrid: This approach uses a combination of the probabilistic and deterministic solutions to increase resilience and scalability.

Examples of the key management protocols can be found in [5], [7], [19], [35]. The problem with some of the probabilistic approaches such as [7] is that the scheme is not resilient to the physical capture attack. Since nodes share pair-wise keys, capturing a small number of nodes is enough to break the protocol.

Most of the key management protocols, however, are not resilient to an attacker who observes the nodes during the 'discovery' process of the shared keys. The attacker can use the information he has obtained to attack some of the nodes, and break the key management protocol. This has been shown through simulation in [26]. A possible solution is to use public key cryptography. However, it is generally believed that implementing a public key protocol on the sensor nodes with their limited power and memory resources is not feasible. It remains to be seen if the security gain from having a public key cryptography algorithm outweighs the energy consumed in the extra overhead.

VII. SYBIL ATTACK

The Sybil attack refers to the scenario when a malicious node pretends to have multiple identities. For example, the malicious node can claim false identities (fabricated identities), or impersonate other legitimate nodes in the network (stolen identities).

As the authors point out in [25], the Sybil attack can affect a number of different protocols:
• Distributed Storage
• Routing Protocols
• Data Aggregation (used in query protocols)
• Voting (used in many trust schemes)
• Fair Resource Allocation
• Misbehavior Detection
The proposed solutions to the Sybil attack include: 1) radio resource testing, which relies on the assumption that each physical device has only one radio, 2) random key pre-distribution, which associates the identity of the node to the keys assigned to it and validates the keys to see if the node is really who it claims to be, 3) registration of the node identities at a central base station, 4) position verification, which makes the assumption that the sensor network topology is static.
Each of these solutions has its own drawbacks. For example,
there is no guarantee that every physical device is going to
have only one radio. In fact some of the MAC protocols Fig. 5. The white nodes are sensor nodes, and the black circles are the
aggregate nodes.
rely on each node having more than one radio. The key
pre-distribution is challenging as mentioned in the previous
section. The problem with the last proposition is that there
main assumption behind reputation systems in general is that
is no guarantee that the network topology is static,and the
the information available on an entity of the network is correct.
nodes do not change their location. Many sensor network
However, there are a number of problems that arise in the
deployment require mobile nodes. Therefore, this solution is
reputation-based systems. The following is a short list of the
likely to fail in the case of dynamic topologies.
security issues [22]:
• Ballot stuffing
VIII. ATTACKS ON R EPUTATION -A SSIGNMENT S CHEMES • Bad-mouthing
Reputation or recommendation systems have proven useful • Reputation transitivity: if a node can not directly observe
as a self-policing mechanism to address the threat of com- another node and assign a reputation, should it trust its
promised entities. They operate by identifying selfish nodes, neighbors and take their reputation for the unobserved
and isolating them from the network. They help the users, node into account, and how should it combine this
i.e., the nodes in the network, to decide which nodes they can second-hand information with its own first-hand infor-
trust and communicate with. Centralized reputations systems mation.
were popularized by the internet. An example of this system • The Sybil attack
is Ebay’s rating system. • Measuring the performance of the network: how should
Decentralized methods were then created for use in ad hoc one assign a reputation value to a node so as to get the
networks [15]. The CORE reputation system [21] and the desired outcome.
CONFIDANT protocol [1] use a watchdog module at each In addition to these difficulties, there are other problems
node to monitor the forwarding rate of the neighbors of the that can arise within the reputation system framework. For
node. If the node does not forward the message, its reputation example, as mentioned earlier, in [1] the authors propose
is decreases, and this information is propagated throughout the using a watchdog mechanism that determines if nodes are
network. Each node also uses the second hand information forwarding their packets properly. Since the medium of
from other nodes to find the overall reputation of a node. transmission is wireless, all the nodes in the neighborhood
Over time the bad behaving nodes are less trusted and will of a transmitting node can hear the communication. This
not be used in forming reliable paths for routing purposes. overhearing property is used by the watchdog mechanism
These two protocols differ in how they use the second hand to determine misbehavior. However, in a number of other
information, how to punish bad behavior and how to instill applications in sensor network, we can not utilize the
trust for the node which misbehave temporarily. A formal overhearing property. For example, if the network is used to
model for trust in dynamic networks is introduced by Carbone monitor an event, such as a moving object, then the watchdog
et. al [2]. The most relevant work for sensor networks is mechanism has to be designed in a way to take into account
presented in [8]. The authors suggest a high level reputation the physical correlation among neighboring nodes’ signal
system frame work for sensor networks. However, they only strengths (observations) to detect misbehavior. Currently,
suggest a watchdog mechanism to determine the reputation there are no available analytical models for signal strength
of each node. The purpose of the watchdog mechanism is to correlation based on distance in sensor networks.
monitor the neighbors of a node, and determine if any of the Given the security problems facing reputation systems along
nodes deviate from their expected behavior. The authors in with the lack of analytical models for designing watchdog
[8] state that there is no unified way to design the watchdog mechanisms, the design of a reliable reputation system for
mechanism, i.e. the mechanism to assign reputation to each sensor networks has proven to be a very challenging problem.
node has to be context dependent and varies based on the Future research needs to focus on designing reputation-
application at hand. assignment mechanisms that are resilient to most of the above
Distributed reputation systems face a great challenge since the security attacks. At the same time these mechanisms have to
be simple enough to be implemented on the limited memory of a sensor node.

IX. ATTACKS ON IN-NETWORK PROCESSING
In-network processing, also called data aggregation, is a key feature of sensor networks. Given the limited resources of the sensor nodes, it is nearly impossible for all the nodes to send their data back to the base station. In addition, the rate of packet collisions will significantly increase if all the nodes report their observed data. Therefore, some of the intermediate nodes fuse the data from their neighborhood and send the aggregated data back to the base station. It is possible to have multiple levels of hierarchy among nodes, and in each level one node fuses the data from the nodes at the level directly below it. An example of the aggregation process is shown in Figure 5.
As one can immediately see, if a few nodes are compromised, they can inject faulty data into the network. This will result in a corrupted aggregate. For example, assume that the nodes are monitoring the temperature of the environment, and the fusion process is simply to take the average of all the sensors' readings. Now if one node is compromised and gives a high or a low reading, it will affect the average and pull it in one direction. Other, more fundamental, applications that use data aggregation are multi-object tracking [23] and directed diffusion routing [13]. Here we will give an example of how hierarchical multi-object tracking can be affected by attacks on the aggregation. In hierarchical tracking, there are hierarchies of nodes. At each level, a leader is selected and the nodes in its neighborhood send their observations to the leader. The leader uses an averaging scheme to fuse the observations. The leader nodes then send their fused observations to the base station. The base station forms the object's track based on the received aggregated data. However, if a fraction of the nodes are compromised and send faulty observations to the leader nodes, the fused observation will be skewed. As a result, the track formed by the base station is either wrong or, in some cases, non-existent in reality. Figure 6 shows a scenario where a fraction of the nodes are compromised. The compromised nodes send a constant faulty observation. As a result, the tracks formed by the base station, shown in blue, are severely different from the real track of the object, shown in red.
There have been a few solutions suggested in the literature to secure in-network processing [3], [4], [31]. Wagner [31] suggests using statistical properties, such as the median, to reduce the effect of attacks on the aggregation process. The authors in [4] propose a solution based on forming secure hierarchies of node clusters. Cryptographic keys are used at each level of the hierarchy to establish secure communication among the nodes in a cluster. The solution proposed in [3] also relies on cryptographic key establishment to ensure the security of the fused data.
One possibility to secure in-network data aggregation is to use a reputation system. A node's data is only considered if the reputation is high enough and discarded otherwise. However, using this solution requires having a robust and attack-resistant reputation system. A second possibility is to use robust statistical methods for estimation that are not as prone to errors as averaging.

Fig. 6. (Plot title: 500 compromised nodes, 26 of them leaders.) The blue lines are the tracks formed at the base station. The red line is the actual track of the moving object.

X. ATTACKS ON TIME SYNCHRONIZATION PROTOCOLS
Time synchronization protocols provide a mechanism for synchronizing the local clocks of the nodes in a sensor network. There are several time synchronization protocols for the internet, such as the Network Time Protocol (NTP). However, given the non-determinism in transmissions in sensor networks, NTP cannot be directly used in wireless sensor networks. Time synchronization implementations have been developed specifically for sensor networks. Three of the most prominent are Reference Broadcast Synchronization (RBS) [6], the Timing-sync Protocol for Sensor Networks (TPSN) [9], and the Flooding Time Synchronization Protocol (FTSP) [20]. However, none of these protocols were designed with security as one of their goals. An adversary can easily attack any of these time synchronization protocols by physically capturing a fraction of the nodes and having them inject faulty time synchronization message updates. In effect, the nodes in the entire network will be out of sync with each other.
Time-synchronization attacks have great effects on a set of sensor network applications and services, since they heavily rely on accurate time synchronization to perform their respective functions. To illustrate the effects of corrupted time synchronization, we describe the effect on estimating the state based on sensor readings from a sensor network. State estimation is the foundation of any tracking algorithm. We give a simple example using the Kalman filter, which is used extensively in tracking. The Kalman filter estimates the
state of a discrete-time controlled process that is governed by a linear stochastic difference equation,

$$x_k = A x_{k-1} + B u_{k-1} + w_{k-1}, \qquad x \in \mathbb{R}^n \tag{1}$$

given the measurement $z_k \in \mathbb{R}^m$, where

$$z_k = H x_k + v_k \tag{2}$$

The random variables $w$ and $v$ represent process and measurement noise and are assumed to be independent random variables with normal distribution,

$$p(w) \sim N(0, Q), \qquad p(v) \sim N(0, R)$$

The Kalman filter estimates the state at every time step. We simulated the movement of an object using the equation above, where the state is the position and velocity of the object in two dimensions. We then used the Kalman filter to estimate the position and velocity of the object before and after modifying the time of some of the position observations, as might occur in an attack on the time synchronization in the sensor network. We simulated one moving object in our experiment. The norm of the error is shown in Figure 7, and we began the de-synchronization at time 10. The y axis shows the norm of the difference between the results from the Kalman filter before and after de-synchronization. The x axis is the time of the corresponding observation.

Fig. 7. The y axis shows the norm of the difference between the results from the Kalman filter before and after de-synchronization. The x axis is the time of the corresponding observation.

As this example shows, an accurate time synchronization protocol is essential to guaranteeing the correct performance of different algorithms in sensor networks. Future research needs to assess the effect of security attacks on different applications in sensor networks by running experiments on real testbeds. In addition, designing secure time synchronization protocols for sensor networks is of great importance.

XI. CONCLUSION
Sensor networks are a promising technology with many important applications, such as environment monitoring, health care, and surveillance. They are the way of the future, and it is envisioned that sensor networks will be used in critical infrastructure.
The nodes that comprise these networks have very limited resources in terms of memory and power. The reason for these constraints is that the driving force behind the success of sensor networks is their small dimension, which facilitates non-intrusive deployment, and the low price of the hardware.
The protocols designed for sensor networks have to be simple and efficient, both memory-wise and energy-wise, to accommodate the resource constraints of the sensor nodes. However, given the unattended nature of sensor networks, they are vulnerable to a number of security attacks which could substantially degrade the performance of the network.
The goal of this paper is to give a comprehensive taxonomy of the security attacks on sensor networks and their effect on the performance of the network. We gave some of the possible solutions that should be considered. In addition, we gave future directions for extending research in the area of sensor network security.

REFERENCES
[1] S. Buchegger and J. L. Boudec. Performance analysis of the CONFIDANT protocol: Cooperation of nodes - fairness in dynamic ad-hoc networks. IEEE/ACM Symposium on Mobile Ad Hoc Networking and Computing, June 2002.
[2] M. Carbone, M. Nielsen, and V. Sassone. A formal model for trust in dynamic networks. IEEE International Conference on Software Engineering and Formal Methods, 2003.
[3] J. Deng, R. Han, and S. Mishra. Security support for in-network processing in wireless sensor networks. First ACM Workshop on the Security of Ad Hoc and Sensor Networks (SASN), 2003.
[4] T. Dimitriou and D. Foteinakis. Secure and efficient in-network processing for sensor networks. Workshop on Broadband Advanced Sensor Networks (BroadNets), October 2004.
[5] W. Du, J. Deng, Y. Han, and P. Varshney. A pairwise key pre-distribution scheme for wireless sensor networks. In 10th ACM Conference on Computer and Communications Security (CCS03), October 2003.
[6] J. Elson and D. Estrin. Fine-grained network time synchronization using reference broadcast. The fifth symposium on Operating Systems Design and Implementation (OSDI), December 2002.
[7] L. Eschenauer and V. Gligor. A key-management scheme for distributed sensor networks. In Conference on Computer and Communications Security, November 2002.
[8] S. Ganeriwal and M. B. Srivastava. Reputation-based framework for high integrity sensor networks. ACM Security for Ad-hoc and Sensor Networks, 2004.
[9] S. Ganeriwal, R. Kumar, and M. Srivastava. Timing-sync protocol for sensor networks. The first ACM Conference on Embedded Networked Sensor Systems (SenSys), November 2003.
[10] D. Gay, P. Levis, and D. Culler. Software design patterns for TinyOS. Proceedings of the ACM SIGPLAN/SIGBED Conference on Languages, Compilers, and Tools for Embedded Systems (LCTES'05), June 2005.
[11] J. Hill, P. Buonadonna, and D. Culler. Active message communication for tiny network sensors. UC Berkeley Technical Report, Berkeley, January 2001.
[12] J. Hill, R. Szewczyk, A. Woo, S. Hollar, D. Culler, and K. Pister. System architecture directions for network sensors. ASPLOS 2000, November 2000.
[13] C. Intanagonwiwat, R. Govindan, and D. Estrin. Directed diffusion: A scalable and robust communication paradigm for sensor networks. In Proceedings of the Sixth Annual International Conference on Mobile Computing and Networking (MobiCOM '00), August 2000.
[14] Y. Iyer, S. Gandham, and S. Venkatesan. A generic transport layer protocol for sensor networks. Proceedings of 14th IEEE International Conference on Computer Communications and Networks, October 2005.
[15] J. Mundinger and J. L. Boudec. Analysis of a robust reputation system for self-organized networks. University of Cambridge, Statistical Laboratory Research Report, January 2004.
[16] C. Karlof, N. Sastry, and D. Wagner. TinySec: A link layer security architecture for wireless sensor networks. Proceedings of the Second ACM Conference on Embedded Networked Sensor Systems, November 2004.
[17] C. Karlof and D. Wagner. Secure routing in sensor networks: Attacks and countermeasures. Ad Hoc Networks, vol 1, issues 2–3 (Special Issue on Sensor Network Applications and Protocols), pp. 293-315, Elsevier, September 2003.
[18] P. Levis and D. Culler. Maté: a virtual machine for tiny networked sensors. ASPLOS, October 2002.
[19] D. Liu and P. Ning. Establishing pairwise keys in distributed sensor networks. In Computer Communication Society, October 2003.
[20] M. Maroti, B. Kusy, G. Simon, and A. Ledeczi. The flooding time synchronization protocol. Proc. of the Second ACM Conference on Embedded Networked Sensor Systems, November 2004.
[21] P. Michiardi and R. Molva. CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks. Conference on Communications and Multimedia Security, September 2002.
[22] S. Moloney and P. Ginzboorg. Security for interactions in pervasive networks: Applicability of recommendation systems. 1st European Workshop on Security in Ad-Hoc and Sensor Networks, 2004.
[23] S. Oh, S. Russell, and S. Sastry. Markov chain Monte Carlo data association for general multiple-target tracking problems. IEEE International Conference on Decision and Control, December 2004.
[24] K. Okeya and T. Iwata. Side channel attacks on message authentication codes. 2nd European Workshop on Security and Privacy in Ad hoc and Sensor Networks, July 2005.
[25] A. Perrig, J. Newsome, E. Shi, and D. Song. The Sybil attack in sensor networks: Analysis and defenses. Third International Symposium on Information Processing in Sensor Networks, 2004.
[26] R. Di Pietro, L. Mancini, and A. Mei. Efficient and resilient key discovery based on pseudo-random key pre-deployment. International Parallel and Distributed Processing Symposium, April 2004.
[27] R. Poovendran and L. Lazos. A graph theoretic framework for preventing the wormhole attack in wireless ad hoc networks. In ACM Journal on Wireless Networks, 2005.
[28] J. Regehr, N. Cooprider, W. Archer, and E. Eide. Memory safety and untrusted extensions for TinyOS. In submission, April 2006.
[29] M. Shaneck, K. Mahadevan, V. Kher, and Y. Kim. Remote software-based attestation for wireless sensors. In Proceedings of the 2nd European Workshop on Security and Privacy in Ad Hoc and Sensor Networks, July 2005.
[30] T. Roosta and S. Sastry. Probabilistic geographic routing in ad hoc and sensor networks. In Proc. of International Workshop on Wireless Ad-hoc Networks (IWWAN), May 2005.
[31] D. Wagner. Resilient aggregation in sensor networks. ACM Workshop on Security of Ad Hoc and Sensor Networks, October 2004.
[32] A. Wood and J. Stankovic. Denial of service in sensor networks. IEEE Computer, pages 54-62, Oct. 2002.
[33] A. Wood, J. Stankovic, and S. H. Son. JAM: A jammed-area mapping service for sensor networks. In Real-Time Systems Symposium, 2003.
[34] Y.-C. Hu and D. Johnson. Wormhole attacks in wireless networks. IEEE Journal on Selected Areas in Communications (JSAC).
[35] S. Zhu, S. Setia, and S. Jajodia. LEAP: Efficient security mechanisms for large-scale distributed sensor networks. In 10th ACM Conference on Computer and Communications Security, October 2003.
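A worked example for the in-network processing discussion of Section IX, added here and not part of the paper or its authors' simulation: a two-level aggregation hierarchy fused first by plain averaging and then by the median-based resilient aggregation suggested by Wagner [31], with the median's breakdown point shown as the failure case. The cluster sizes, readings and the constant faulty value are constructed, and `build_clusters`, `hierarchical_fuse`, `aggregate_error` and `compare_estimators` are hypothetical helper names.

```python
from statistics import mean, median

# Added example (not the paper's simulation): the two-level aggregation
# hierarchy of Section IX. Each cluster leader fuses its members' readings and
# reports one value; the base station fuses the leaders' reports with the same
# estimator. All readings and cluster sizes below are constructed.
HONEST_TEMPERATURE = 20.0   # true environment temperature (constructed)
FAULTY_READING = 1000.0     # constant faulty observation sent by compromised nodes


def build_clusters(n_clusters, size, compromised):
    """Return one list of readings per cluster. compromised maps a cluster
    index to the number of compromised members in it; honest members report
    values within a few tenths of a degree of the truth."""
    clusters = []
    for c in range(n_clusters):
        bad = compromised.get(c, 0)
        honest = [HONEST_TEMPERATURE + 0.1 * i for i in range(size - bad)]
        clusters.append(honest + [FAULTY_READING] * bad)
    return clusters


def hierarchical_fuse(clusters, fuse):
    """Leaders fuse their members' readings; the base station fuses the
    leaders' reports with the same estimator (averaging or the median)."""
    leader_reports = [fuse(members) for members in clusters]
    return fuse(leader_reports)


def aggregate_error(clusters, fuse):
    """Distance of the base station's aggregate from the true temperature."""
    return abs(hierarchical_fuse(clusters, fuse) - HONEST_TEMPERATURE)


def compare_estimators(clusters):
    """Error of plain averaging beside the median-based resilient aggregation
    suggested by Wagner [31]."""
    return {"mean": aggregate_error(clusters, mean),
            "median": aggregate_error(clusters, median)}


if __name__ == "__main__":
    # One compromised node in one of five clusters of nine: the average is
    # pulled far from the truth, the median is not.
    print(compare_estimators(build_clusters(5, 9, {0: 1})))
    # The median's breakdown point: an attacker holding a majority of the
    # members in a majority of the clusters drags the median to the faulty value.
    print(compare_estimators(build_clusters(5, 9, {0: 5, 1: 5, 2: 5})))
```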
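A worked example for the de-synchronization experiment of Section X, added here and not the authors' code: a Kalman filter for the model of equations (1) and (2) is run twice over the same constructed observations, once with correct timestamps and once with timestamps shifted from time 10 on, and the norm of the difference between the two estimate sequences (the quantity plotted in Figure 7) is reported. It reduces the model to one spatial dimension, drops the control input, and uses constructed noise levels; all function names are hypothetical.

```python
import random

# Added example (not the authors' simulation): the Kalman filter of Section X
# for the model of equations (1) and (2), reduced to one spatial dimension with
# no control input. State x = [position, velocity]; only the position is
# observed, so H = [1, 0]. All numeric values below are constructed.
DT = 1.0
A = [[1.0, DT], [0.0, 1.0]]      # state transition in x_k = A x_{k-1} + w_{k-1}
Q = [[0.01, 0.0], [0.0, 0.01]]   # process noise covariance, p(w) ~ N(0, Q)
R = 0.25                         # measurement noise variance, p(v) ~ N(0, R)
ATTACK_START = 10                # de-synchronization begins at this time step
CLOCK_OFFSET = 3                 # faulty sync stamps observations 3 steps late


def mat_mul(M, N):
    return [[sum(M[i][k] * N[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]


def kalman_step(x, P, z):
    """One predict/update cycle of the discrete Kalman filter."""
    xp = [x[0] + DT * x[1], x[1]]                     # x = A x
    At = [[A[j][i] for j in range(2)] for i in range(2)]
    Pp = mat_mul(mat_mul(A, P), At)                   # P = A P A^T + Q
    Pp = [[Pp[i][j] + Q[i][j] for j in range(2)] for i in range(2)]
    S = Pp[0][0] + R                                  # H P H^T + R
    K = [Pp[0][0] / S, Pp[1][0] / S]                  # K = P H^T / S
    y = z - xp[0]                                     # innovation z - H x
    xn = [xp[0] + K[0] * y, xp[1] + K[1] * y]
    IKH = [[1.0 - K[0], 0.0], [-K[1], 1.0]]           # I - K H
    return xn, mat_mul(IKH, Pp)


def simulate_observations(steps, seed=7):
    """Constructed ground truth: one object moving per equation (1), observed
    per equation (2). Returns {true timestamp: position observation}."""
    rng = random.Random(seed)
    x = [0.0, 1.0]
    obs = {}
    for k in range(1, steps + 1):
        x = [x[0] + DT * x[1] + rng.gauss(0.0, Q[0][0] ** 0.5),
             x[1] + rng.gauss(0.0, Q[1][1] ** 0.5)]
        obs[k] = x[0] + rng.gauss(0.0, R ** 0.5)
    return obs


def run_filter(obs, desynchronized):
    """Filter estimates per time step. When desynchronized, observations from
    ATTACK_START on are stamped CLOCK_OFFSET steps late, so the base station
    pairs time k with the observation actually taken at k - CLOCK_OFFSET."""
    x, P = [0.0, 0.0], [[1.0, 0.0], [0.0, 1.0]]
    estimates = {}
    for k in sorted(obs):
        stale = desynchronized and k >= ATTACK_START
        x, P = kalman_step(x, P, obs[k - CLOCK_OFFSET if stale else k])
        estimates[k] = x
    return estimates


def error_norms(steps=30):
    """Norm of the difference between the estimates before and after
    de-synchronization, per observation time (the quantity in Figure 7)."""
    obs = simulate_observations(steps)
    clean, attacked = run_filter(obs, False), run_filter(obs, True)
    return {k: ((clean[k][0] - attacked[k][0]) ** 2
                + (clean[k][1] - attacked[k][1]) ** 2) ** 0.5 for k in obs}
```

The difference is exactly zero until the attack starts and then grows toward the stale observations' positional lag, which is the shape the paper reports for Figure 7.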
