
2012 Fourth International Conference on Intelligent Networking and Collaborative Systems

Adaptive Security Framework for Wireless Sensor Networks


Laura Gheorghe, Razvan Rughinis, Nicolae Tapus
Department of Computer Science and Engineering University Politehnica of Bucharest
Bucharest, Romania {laura.gheorghe, razvan.rughinis, ntapus}@cs.pub.ro

Abstract: Wireless Sensor Networks are used in a large number of tracking and monitoring applications. The level of security required by an application depends on the threat level, available resources, and security requirements. In this paper, we present a modular and extensible framework, called Adaptive Security Framework (ASF) that adjusts security to the detected threats, available energy and memory, and application requirements. The framework includes three types of components: the Context modules, the Security Adaptation module, and the Security layer. The security level is modified according to the output of the Context modules, and it is then used to enable the appropriate security primitives available in the Security layer. We evaluate our solution in multiple attack scenarios, we determine its resource consumption and we compare it to other State of the Art solutions. Our framework has the following advantages: it takes into consideration the context, but also allows for manual reconfiguration; it has a global, aggregated view of the context; it provides different authentication and encryption algorithms associated to each security level; it is extensible and modular.

Keywords: Wireless Sensor Networks, adaptive security, resource consumption, security threats, encryption, authentication

I. INTRODUCTION

A Wireless Sensor Network (WSN) is composed of small sensor nodes with low resources and capabilities that are organized in a network and perform sensing and communicating tasks in order to monitor an environment [1].

WSNs are often placed in harsh environments and operate unattended. Therefore, they are exposed to attacks and failures [2]. A certain level of security must be assured for each network. The appropriate level of security depends on many factors that can change over time. This creates the need for adaptive security.

In this paper, we present Adaptive Security Framework (ASF), a modular and extensible framework that adapts security based on detected threats, available energy and memory and security requirements. The framework includes three components: the Security Adaptation module, the Context modules and the Security layer. Each Context module produces results that may modify the security level. The security level is used for enabling the appropriate security primitives.

The paper is structured as follows: Section II presents related work, Section III describes the framework architecture, Section IV details implementation and evaluation, and Section V presents the conclusions and future work.

II. RELATED WORK

Security Adaptation is required in dynamic scenarios, where security should be adjusted according to requirements, resources, and security context.

Adaptive Security Provision (ASP) is a routing protocol for Wireless Sensor Networks that includes an optimized strategy for increasing energy efficiency and security [3]. The route cost is computed based on trust and energy levels. The level of encryption used for data packets depends on the trust in the route from source to destination. When trust goes beyond a certain threshold, encryption is not required anymore. A path rotation mechanism is used in order to prevent the attacker from determining the used encryption scheme, and to provide load balancing. The solution uses a single encryption algorithm - RC5 - and different key sizes (32-128 bytes).

Adaptive Security System (ADAPSEC) is a reconfigurable security architecture for Wireless Sensor Networks [4]. The architecture achieves dynamic reconfiguration of link and component layer at runtime. It allows the definition of policies that describe application behavior and determines the appropriate security level for that application, enforcing the associated mechanisms and rules. ADAPSEC includes two components: 1) policy definition and resolution modules, and 2) policy enforcement. The solution uses RC5 with 16 bytes keys, but it does not exclude other encryption algorithms. ADAPSEC also includes a resource manager that is used for rule enforcement.

Cross Layer Integrated Framework For security (CLIFFs) includes an Adaptive Secure Communication Protocol [5]. The protocol is able to dynamically adjust itself in relation to a security level appropriate for the current state of the network. Intelligent Security Agent (ISA) is used for determining the security level, based on policies and application requirements, available energy, memory, and neighbors' trust level. As encryption algorithm, CLIFFs uses only RC5 with a key of 80 bytes, for a different number of rounds (4, 8, and 12).

978-0-7695-4808-1/12 $26.00 © 2012 IEEE. DOI 10.1109/iNCoS.2012.94

III. ADAPTIVE SECURITY FRAMEWORK

In this paper, we propose an adaptive security solution for Wireless Sensor Networks, called Adaptive Security Framework (ASF).

A. Assumption and notations

A Wireless Sensor Network can be defined as a directed graph , where V is the collection of sensor devices and A is the collection of links between them. A link from node N1 to node N2 signifies that N2 can receive packets from N1. The network may be heterogeneous, it may include nodes with different capabilities, resources and roles. Some of the nodes perform routing and intrusion detection tasks. We assume that the nodes are randomly deployed and are able to self-organize in order to communicate and perform sensing and processing tasks. The data collected by the sensor nodes is sent to a centralized location called Application Server, through a device called Gateway (or Base Station) that mediates the communication between the sensor network and the associated server.

The attacker may be an external device or an internal compromised node. The malicious device can be a low-power sensor node or a more powerful device like a laptop. The attacker can be passive (involved in eavesdropping) or active (for example injecting packets, altering packets, deploying DoS attacks).

B. Architecture

ASF includes three components: the Security Adaptation module, the Security Layer and the Context modules. The general architecture is represented in Figure 1.

Figure 1. General architecture

The Security Adaptation module receives information from the Context modules. It uses this information to determine the security level and class appropriate for the current context. Then it reconfigures the Security Layer according to the new security class. The module resides on the Application Server because it needs to centralize the security level and class for the whole network.

The context can be defined by several factors, such as: the available energy and memory, security threats, application requirements, etc. Therefore, the Context modules may include: Energy Management, Memory Management, Intrusion Detection, and Requirements Control modules. Other Context modules can be easily integrated in the framework. The Context modules can reside on both sensor nodes and the Server. For example, the Energy and Memory Management and Intrusion Detection modules run on the sensor nodes, and have a counterpart on the server that centralizes and analyzes the data received from the sensor nodes. The Security Adaptation module receives centralized information only from the server-based Context modules.

The Security layer includes the implementation of several security primitives that may be enabled or disabled based on the specific security class. The Security layer resides only on the sensor nodes and receives configuration commands from the Security Adaptation module on the Server. Based on these commands, it enables and disables specific modules that implement security primitives.

C. Security Adaptation module

The Security Adaptation module manages the security level (SL) and the security class (SC) values. The SL is a number between 0 and 100 that is modified using information from the Context modules. The SC is a number between 0 and 4 that is determined based on the SL, as represented in Table I. Initially, .

TABLE I. ASSOCIATION BETWEEN SECURITY LEVEL AND CLASS

When the Security Adaptation module receives a Security Level Difference (SLD) value from one of the Context modules, it adds the SLD to the current SL: . The SLD may be positive or negative, so it may increase or decrease the SL.

The Security Adaptation module can also be configured directly by the user. Using configuration commands, the user can set a new value for the SL. The SC is recomputed only when the SL goes beyond one of the limits (20, 40, 60, 80); in such a case, it is sent to the Security layer. These thresholds are useful in order to avoid sending the SL every time it is updated, for energy efficiency reasons. The workflow of this module is represented in Figure 2.

Figure 2. Security Adaptation workflow
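The Security Adaptation workflow described in this section, as an added Python sketch (not the authors' implementation). The starting SL of 50, the rule that a limit belongs to the class above it, SC=0 meaning "no primitives" and the SLD values in the trace are assumptions made for illustration; the primitives per class are the ones named in the evaluation section.

```python
"""Sketch of the Security Adaptation module (added example, not the authors' code)."""

SL_MIN, SL_MAX = 0, 100
LIMITS = (20, 40, 60, 80)  # class limits named in the text

# (encryption, authentication) per class, as listed in the evaluation section.
# SC=0 meaning "nothing enabled" is an assumption.
PRIMITIVES = {
    0: (None, None),
    1: (None, "HMAC"),
    2: ("Skipjack-CBC", "HMAC-MD5"),
    3: ("AES", "HMAC"),
    4: ("ECIES", "ECDSA"),
}


def security_class(sl):
    """Map SL (0..100) to SC (0..4). Assumption: a limit belongs to the class above it."""
    return sum(1 for limit in LIMITS if sl >= limit)


class SecurityAdaptation:
    def __init__(self, initial_sl=50):  # assumption: middle of SC=2, the default class
        self.sl = initial_sl
        self.sc = security_class(initial_sl)
        self.updates = 0     # SL changes processed on the Application Server
        self.commands = []   # reconfiguration commands actually sent to the nodes

    def _apply(self, new_sl, source):
        self.updates += 1
        self.sl = max(SL_MIN, min(SL_MAX, new_sl))  # keep SL inside 0..100
        new_sc = security_class(self.sl)
        if new_sc != self.sc:  # only a limit crossing reaches the Security layer
            self.sc = new_sc
            self.commands.append((source, new_sc, PRIMITIVES[new_sc]))
        return self.sc

    def on_sld(self, source, sld):
        """A Context module reported a Security Level Difference (positive or negative)."""
        return self._apply(self.sl + sld, source)

    def set_level(self, sl):
        """Direct configuration by the user."""
        return self._apply(sl, "user")


# Constructed trace of (Context module, SLD) pairs; the values are illustrative only.
TRACE = [
    ("intrusion", +6), ("intrusion", +6), ("energy", -3), ("intrusion", +6),
    ("intrusion", +6), ("memory", -4), ("intrusion", +30), ("intrusion", +30),
    ("energy", -3),
]


def replay(trace, initial_sl=50):
    module = SecurityAdaptation(initial_sl)
    for source, sld in trace:
        module.on_sld(source, sld)
    return module


if __name__ == "__main__":
    m = replay(TRACE)
    m.set_level(10)
    for source, sc, (enc, auth) in m.commands:
        print(f"{source:9s} -> SC={sc} encryption={enc} authentication={auth}")
    print(f"{m.updates} SL updates, {len(m.commands)} commands sent, final SL={m.sl}")
```

In this trace the SL crosses the limit at 60 in both directions, and each crossing produces a command to the nodes, while the remaining updates stay on the server.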

D. Context Modules

Any type of context information can be used: from user-defined application requirements to detected security threats. Within the scope of this paper, we propose the use of four Context modules: Energy Management, Memory Management, Intrusion Detection and Requirements Control. Each module generates a negative or a positive value that is used by the Security Adaptation module to modify the security level.

1) Energy Management module

The Energy Management module gathers energy level values from all nodes and determines the average energy available on sensor nodes. The energy values can be included in data packets that are already delivered periodically to the Application Server. When enough values are received from nodes, the module computes the average.

The average value can then be used in order to compute the SLD, as in Table II. When the average energy drops below x% ( ), the SLD is computed using the formula: and sent to the Security Adaptation module. The SLD values computed by the Energy Management module are negative, because their purpose is to decrease the SL in order to determine the use of more lightweight security primitives as the average energy decreases. The workflow of this module is represented in Figure 3.

Figure 3. Energy Management workflow

2) Memory Management module

The Memory Management module gathers the available memory values from nodes and computes an average value. The memory values are delivered using data packets. The average available memory is used for determining the SLD. When the average available memory drops below x% ( ), the SLD is computed: and sent to the Security Adaptation module. An average available memory of 80% is considered lightweight; therefore, SL is not decreased in this case. The Memory Management module computes negative SLD values because it aims to decrease the SL when the average available memory is decreased. A more lightweight security primitive occupies less memory than a stronger one.

3) Intrusion Detection module

The Intrusion Detection module inspects network traffic, identifies abnormal behavior and detects attacks. A cooperative Intrusion Detection solution designed for Wireless Sensor Networks should be used [6]. The Intrusion Detection module on the Application Server receives alerts from the network, computes the appropriate SLD based on the alert severity and sends it to the Security Adaptation module.

When an alert with a y severity ( ) is received, the SLD is determined using the formula: . The SLD value is added to the security level. The SLD values computed by the Intrusion Detection module are positive because their purpose is to increase the SL in order to provide better security protection.

4) Requirements Control module

The Requirements Control module receives requirements from the user and translates them into information that can be used by the Security Adaptation module.

The user specifies the security requirements for the specific application. For example, the application may not need encryption, just some lightweight authentication, or it may need the strongest authentication and encryption available.

Table II represents how SLD is computed based on the security requirements and the current SL.

TABLE II. COMPUTING SLD BASED ON SECURITY REQUIREMENTS

The SLD values computed by the Requirements Control module can be either positive or negative. For example, if the required security is stronger than the current one, SLD is positive.

E. Security Layer

The Security layer implements several security primitives and stores credentials. The design allows the primitives to be enabled and disabled on demand. For each security class, several security primitives are enabled. The research of Lee et al. [7] concludes that HMAC consumes the least energy (in comparison with CMAC, XMAC, CBC-MAC) and occupies the least RAM. They also determined that Skipjack is the least energy consuming block cipher (in comparison to AES, RC5 and XXTEA).

Liu and Ning proposed the use of Elliptic Curve Cryptography (ECC) in Wireless Sensor Networks [8]. ECC is much more lightweight than RSA, therefore, it is appropriate for sensor networks. We use 2 algorithms from TinyECC: 1) the digital signature algorithm called Elliptic Curve Digital Signature Algorithm (ECDSA), and 2) the encryption scheme called Elliptic Curve Integrated Encryption Scheme (ECIES).

Table III includes our proposal of associations between security class and security primitives.

TABLE III. ASSOCIATION BETWEEN SC AND SECURITY PRIMITIVES

The keys for each security primitive have different lengths, and are all deployed on the sensor nodes during the network initialization process.

When the Security Layer receives a different SC from the Security Adaptation module, it disables the current security primitives and enables the ones associated with the new SC.

The Security Layer processes the packet received from the upper layers: it uses the enabled encryption algorithm to compute the ciphertext and the enabled authentication algorithm to compute the Message Authentication Code (MAC) / Digital Signature (DS). Subsequently it includes them in the packet and it sends the updated packet to the lower layer.
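The send path described above, together with the matching receive path (verify the MAC first, decrypt only if it is valid), as an added Python sketch that is not the authors' nesC code. The packet layout, the class byte in the header, the constructed keys and the SHA-256 keystream that stands in for the block ciphers are assumptions; the ECDSA/ECIES class (SC=4) is left out.

```python
"""Sketch of the Security layer's send and receive paths (added example)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 8, 16  # assumed packet layout: SC | nonce | body | tag
# (encrypt?, authenticate?) per class, following the evaluation section.
# SC=4 (ECIES/ECDSA) needs public-key code and is not modelled here.
CLASSES = {0: (False, False), 1: (False, True), 2: (True, True), 3: (True, True)}

class RejectedPacket(Exception):
    pass

def _placeholder_cipher(key, nonce, data):
    """XOR with a SHA-256 counter keystream: a stand-in for Skipjack-CBC/AES, not a vetted cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + struct.pack(">I", offset // 32)).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def _tag(mac_key, data):
    return hmac.new(mac_key, data, hashlib.md5).digest()  # HMAC-MD5, as named on the page

class SecurityLayer:
    def __init__(self, enc_key, mac_key, sc=2):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.configure(sc)

    def configure(self, sc):
        """Command from the Security Adaptation module: switch the enabled primitives."""
        self.encrypt, self.authenticate = CLASSES[sc]
        self.sc = sc

    def send(self, payload):
        nonce = os.urandom(NONCE_LEN)
        body = _placeholder_cipher(self.enc_key, nonce, payload) if self.encrypt else payload
        packet = bytes([self.sc]) + nonce + body
        # The MAC covers the header and the ciphertext.
        return packet + (_tag(self.mac_key, packet) if self.authenticate else b"")

    def receive(self, packet):
        min_len = 1 + NONCE_LEN + (TAG_LEN if self.authenticate else 0)
        if len(packet) < min_len:
            raise RejectedPacket("truncated packet")
        if packet[0] != self.sc:
            raise RejectedPacket("packet built for a class that is not enabled")
        if self.authenticate:
            packet, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
            if not hmac.compare_digest(tag, _tag(self.mac_key, packet)):
                raise RejectedPacket("MAC verification failed")  # never decrypt unverified data
        nonce, body = packet[1:1 + NONCE_LEN], packet[1 + NONCE_LEN:]
        return _placeholder_cipher(self.enc_key, nonce, body) if self.encrypt else body

def try_receive(layer, packet):
    """Return the accepted payload, or the rejection reason as a string."""
    try:
        return layer.receive(packet)
    except RejectedPacket as err:
        return str(err)

def demo():
    keys = (b"E" * 16, b"M" * 16)  # constructed keys
    sender, receiver = SecurityLayer(*keys), SecurityLayer(*keys)
    packet = sender.send(b"temp=21.5")  # constructed sensor reading
    tampered = bytearray(packet)
    tampered[10] ^= 0x01  # flip one ciphertext bit
    results = {"roundtrip": try_receive(receiver, packet),
               "tampered": try_receive(receiver, bytes(tampered))}
    receiver.configure(3)  # class raised: SC=2 packets are no longer accepted
    results["old_class"] = try_receive(receiver, packet)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```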

When it receives a packet from the lower layers, it verifies the MAC/DS using the enabled authentication algorithm. If the MAC/DS is valid, it decrypts the packet using the enabled encryption algorithm. Then it passes the decrypted message to the upper layers.

IV. IMPLEMENTATION AND EVALUATION

We implemented the Adaptive Security Framework in TinyOS, an operating system for Wireless Sensor Networks [9]. Our implementation of ASF is represented in Figure 4.

Figure 4. ASF implementation

The implementation consists of nesC components [10]. Most security primitives are ported from C to nesC, and for ECDSA and ECIES, the TinyECC implementation with all optimization switches enabled is used. For the implementation of the Intrusion Detection module, any IDS solution can be used. We implemented our own IDS based on rules. The implementation of the IDS is out of scope for this paper.

The implementation of the Security Adaptation is very simple and straightforward because it receives SLD values, computes the SL and SC, and sends the SC to the sensor nodes.

The Energy Management and Memory Management modules add the available energy and memory values to data packets. We test our framework using TOSSIM, a simulator for TinyOS applications [11], using various test scenarios.

A. Evolution of SL and SC during attack scenarios

First, we want to determine the evolution of security level and class in time during several attack scenarios.

We consider the collect period (CP) to be the time unit for this evaluation. The period of time between attacks (attack period) is a multiple of CP ( ). We evaluate the evolution of SL and SC during a time period of 300xCP. The CP may range from 1 minute to 1 hour, depending on the application. We vary the AP from 10xCP to 40xCP. We consider five attack scenarios, in which the attacker generates a large number of attacks that are detected by the Intrusion Detection module, with severity 1, 2, 3, 4 and 5. The evolution of the security level in the case when AP=10xCP is represented in Figure 5.

Figure 5. Evolution of SL when AP=10xCP

From these results, we can conclude that a higher severity determines the SL to be increased more rapidly than a lower severity. The SC in each attack scenario is increased to 4, except for the severity=1 case, in which SC is 3 at the end of the scenario. This means that the critical attacks will increase the security level to the maximum when they are generated frequently. When we double the attack period (20xCP), we obtain the results represented in Figure 6.

Figure 6. Evolution of SL when AP=20xCP

In this case, the attacks are generated less frequently. Therefore, the security level is increased less often. Only cases with severity 3, 4, and 5 increase the SL to the maximum. In the first scenario (severity=1) the SC remains 2, while in the other scenarios, the SC reaches the maximum value. We further decrease the attack frequency (AP=40xCP), and obtain the results represented in Figure 7.

Figure 7. Evolution of SL when AP=40xCP

The low attack frequency determines a slow increase in the security level. The security level reaches maximum value only in scenarios 4 and 5. The SC remains 2 in the first scenario, is increased to 3 in the second scenario and reaches maximum in the other scenarios. From the test results, we conclude that the security level and security class are increased more rapidly when the attack severity and attack frequency are higher.

When considering a simple application, the memory consumption on TelosB when no security primitives are enabled is 3%. When security primitives are enabled, memory usage is increased. However, when the most memory consuming security primitives are enabled, the average memory available is 63%. Therefore, we observe that the SL is not decreased by enabling security primitives. When considering a more memory consuming application or complex communication protocols, memory consumption may drop below 60%, determining the decrease of the SL. Along the same line, the average energy consumption determined by securing and sending 300 data packets is much less than 20% (maximum 9J when considering the most energy consuming primitives). Therefore, during these test scenarios the SL is not decreased because of energy consumption.

A larger amount of packets would cause the decrease of SL. A network administrator is able to manually decrease the SL when threats have been eliminated. An automatic redeeming procedure can also be used: when no threats are detected during a period of time, the SL can be decreased.

B. Resource consumption

The TelosB hardware platform, used as reference, has 10KB of RAM and 48KB of ROM.

The default security level (SC=2) enables Skipjack-CBC for encryption and HMAC-MD5 for authentication. The security primitives used in this case occupy 0.5KB RAM on TelosB platforms (5% of the total available RAM). They occupy 18.5KB of ROM on TelosB (38.5% of the total ROM). A security class SC=1 enables only HMAC for authentication and occupies approximately 0.1KB RAM (1% of the total RAM). It occupies 11KB of ROM (23% of the total ROM). A security class SC=3 enables AES for encryption and HMAC for authentication, which occupy 2.15KB RAM (21.5% of the total RAM). They occupy 20KB of ROM (41.6% of the total ROM). A security class SC=4 enables ECDSA for authentication and ECIES for encryption. Together, they occupy approximately 3.4KB RAM (34% of the total RAM). They occupy 29KB ROM (60.4% of the total ROM). We can observe that RAM and ROM consumption is increased with the security level, as represented in Figure 8.

Figure 8. Memory consumption for each security class

As regards energy, consumption increases with the security level: when SC=1, 57J are consumed; when SC=2, 64J; when SC=3, 100J are consumed; when SC=4, 26.2mJ are consumed.

C. Comparative evaluation

We analyze our solution in comparison with Adaptive Security Provision (ASP) [3]. Our solution has the advantage that it adapts security provision to the threats detected in the network, and to energy and memory consumption. ASP allows the possibility to manually configure the security requirements for the application running on top of the WSN. It also provides multiple encryption and authentication algorithms associated with different security levels. However, our solution does not provide a routing mechanism. We consider that the two solutions are complementary and can be integrated in order to enhance security.

In comparison to Adaptive Security System (ADAPSEC) [4], our solution also takes into consideration the requirements of the application, but also considers threats, energy, and memory when reconfiguring the security layer. Another advantage is that our solution uses a different encryption and authentication mechanism for each security level. However, our solution does not include a resource manager.

When compared with Cross Layer Integrated Framework For security (CLIFFs) [5], our solution has the advantage of taking into consideration the detected threats as an input in adapting security. Our solution has a global view of the context, because it centralizes detected threats, available energy, and memory on the Application Server, where it computes the security level. In contrast, CLIFFs performs local analysis through the Intelligent Security Agent. Our solution also has the comparative advantage of being easily extended by adding new Context modules and by associating new security primitives to the security classes.

An increase of the security level means a stronger security, but also an increase in resource consumption (memory and energy). An increase in resource consumption determines a decrease of the security level. Therefore, our solution balances security and resource consumption. This feedback loop is an important advantage of ASF over other similar solutions.

V. CONCLUSIONS

A multiplicity of factors should be taken into consideration when securing a network. These factors may also change during the lifetime of the network. Ideally, security must be adapted every time one of the relevant factors is changed.

We propose Adaptive Security Framework, a modular and extensible framework for adapting security taking into account the threat level, the available resources, and the application requirements, while allowing direct user configuration.

The framework includes three types of components: the Security Adaptation module, the Context modules, and the Security Layer. The following Context components have been developed: Intrusion Detection, Energy Management, Memory Management, and Requirements Control. Each module may modify the security level based on their results. The new security level is computed by the Security Adaptation module, and then the security class is determined and sent to the Security layer on sensor nodes. The security level can also be configured directly by the user. The Security layer receives the security class and enables the appropriate security primitives (authentication and encryption algorithms). We propose the use of different security primitives for each security class.

We implemented ASF in TinyOS and tested it in multiple attack scenarios. We determined experimentally that the security level increases more rapidly when the attack severity and frequency are higher. We evaluated the memory and energy consumption for each security class. We determined that in order to assure stronger security, by using a higher security class, more resources are consumed on sensor nodes. At the same time, resource depletion activates a feedback loop by decreasing the security level. Therefore, ASF allows for a balanced design of security policies.

We compared our solution with several other state-of-the-art solutions. ASF has the comparative advantages of taking into account multiple elements of the context (detected threats, available energy and memory, application requirements), in a global, aggregated view, and of providing different authentication and encryption algorithms associated with each security class. Our solution also provides high modularity and extensibility, balancing security and resource consumption.

As future work, we plan to integrate new Context modules with our solution, including, for example, the Trust Management module. We also want to test the functionality and performance of our security solution in real-world scenarios.

ACKNOWLEDGEMENTS

This work has been partially funded by the European Commission under grant agreement FP7-ICT-258280 TWISNet project and partially by the Sectoral Operational Programme Human Resources Development 2007-2013 of the Romanian Ministry of Labour, Family and Social Protection through the Financial Agreement POSDRU/88/1.5/S/60203.

REFERENCES

[1] J. Yick, B. Mukherjee, and D. Ghosal, "Wireless sensor network survey," Computer Networks, vol. 52, no. 12, pp. 2292-2330, Aug. 2008.

[2] Y. Wang, G. Attebury, and B. Ramamurthy, "A survey of security issues in wireless sensor networks," IEEE Communications Surveys & Tutorials, vol. 8, no. 2, pp. 2-23, 2006.

[3] M. Younis, N. Krajewski, and O. Farrag, "Adaptive Security Provision for Increased Energy Efficiency in Wireless Sensor Networks," in 9th IEEE International Workshop on Wireless Local Networks (WLN 2009), 2009, pp. 999-1005.

[4] K. Shi, X. Qin, Q. Cheng, and Y. Cheng, "Designing a Reconfigurable Security Architecture for Wireless Sensor Networks," in World Congress on Software Engineering, 2009, pp. 154-158.

[5] K. Sharma and M. K. Ghose, "Cross Layer Security Framework for Wireless Sensor Networks," International Journal of Security and Its Applications, vol. 5, no. 1, pp. 39-52, 2011.

[6] I. Krontiris, Z. Benenson, T. Giannetsos, F. Freiling, and T. Dimitriou, "Cooperative intrusion detection in wireless sensor networks," Wireless Sensor Networks, pp. 263-278, 2009.

[7] J. Lee, K. Kapitanova, and S. H. Son, "The price of security in wireless sensor networks," Computer Networks, vol. 54, no. 17, pp. 2967-2978, Dec. 2010.

[8] A. Liu and P. Ning, "TinyECC: A configurable library for elliptic curve cryptography in wireless sensor networks," in International Conference on Information Processing in Sensor Networks, 2008, pp. 245-256.

[9] P. Levis et al., "TinyOS: An operating system for sensor networks," Ambient Intelligence, pp. 115-148, 2004.

[10] D. Gay, P. Levis, R. Von Behren, M. Welsh, E. Brewer, and D. Culler, "The nesC language: A holistic approach to networked embedded systems," in Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation, 2003, vol. 35, no. 11, pp. 1-11.

[11] P. Levis, N. Lee, M. Welsh, and D. Culler, "TOSSIM: accurate and scalable simulation of entire TinyOS applications," in Proceedings of the first international conference on Embedded networked sensor systems SenSys '03, 2003, pp. 126-137.
