Secure, Reliable, and Resilient Design of Wireless Sensor Networks via Random Graph Modeling. Osman Yağan

Transcription

1 Texas A&M University, October 20th, Secure, Reliable, and Resilient Design of Wireless Sensor Networks via Random Graph Modeling Osman Yağan Dept. of ECE and CyLab Carnegie Mellon University oyagan@ece.cmu.edu Joint work with: V. Gligor, A. M. Makowski, F. Yavuz, J. Zhao, R. Eletreby Supported by NSF CCF #

2 Texas A&M University, October 20th, Wireless sensor networks (WSNs) Distributed collection of sensors Sensors are small-size, low-cost Limited capability for computations and wireless communications Applications Military (Battlefield surveillance) Health (Patient monitoring) Home ( Smart systems, home automation) Environment (Monitoring fires in forests)

3 Texas A&M University, October 20th, WSNs and security WSNs are usually deployed in hostile environments Communications are monitored, and nodes are subject to capture and surreptitious use by an adversary. Cryptographic protection is needed to ensure secure communications (as well as to enable sensor-capture detection). Scalable solutions with very low storage, management, and computational load are required. Proposed solution: Key predistribution & Symmetric key encryption modes

4 Texas A&M University, October 20th, Key predistribution Each sensor stores a set of cryptographic keys in its memory before the deployment. Σ i = key ring of sensor i, i = 1,...,n. Sensors i and j can communicate securely if i) They have a wireless communication link available, and ii) They have at least one key in common, i.e. Σ i Σ j. The common key is used to encrypt and decrypt the exchanged messages. Q: How to generate & distribute Σ 1,...,Σ n?

5 Texas A&M University, October 20th, Trivial cases 1. Universal key: Σ i = 1, i = 1,...,n. Even if just one sensor is captured, the whole network will be compromised. Not resilient against sensor-caputure attacks! 2. A unique key for any pair of sensors: Σ i = n 1 If a node is captured, only the communication through that node will be compromised. Perfectly Resilient! But, each node has to keep n 1 keys in its memory. Not feasible due to the memory & management constraints! Something in between these two extremes would work!

6 Texas A&M University, October 20th, Random key predistribution schemes (Eschenauer & Gligor 2002)

7 Texas A&M University, October 20th, Eschenauer-Gligor (EG) scheme n(# of nodes), P(key pool size), K(size of each key ring). Each sensor is randomly assigned a set of K distinct keys from a (very large) pool of P keys. Σ 1,...,Σ n iid and uniform in P K. P K : Collection of all subsets of {1,...,P} with size K.

8 Texas A&M University, October 20th, Pairwise scheme of Chan, Perrig and Song Each sensor is paired (offline) with K distinct nodes which are randomly selected from amongst all other nodes. For each sensor and any sensor paired to it, a unique (pairwise) key is generated and assigned only to those two nodes. Key ij = [Id i Id j k ij ] With K = 1, S a = {b}, S b = {c}, and S c = {b}

9 Texas A&M University, October 20th, Research agenda: Coping with randomness Q1. How do we adjust scheme parameters so as to ensure the connectivity of the resulting network? EG vs. Pairwise? - i.e., that a secure communication path exists between any pair of sensors Q2. Under different wireless communication models? Q3. How reliable is the network w.r.t. sensor and link failures? Q4. How resilient is the network w.r.t. adversarial attacks? Q5. Is the network scalable? Internet of Things?

10 Texas A&M University, October 20th, Progress thus far The Eschenauer-Gligor (EG) scheme Connectivity under full visibility IT 2012, ISIT 2008, ISIT 2009 CISS 2010 Connectivity under an on-off channel model IT 2012 Reliability (k-connectivity) under full-visibility and under on-off channel IT 2015, ISIT 2013, ISIT 2014 Diameter, clustering coefficient, and robustness TAC 2016, Allerton 2009, GraphHoc 2009, CDC 2014

11 Texas A&M University, October 20th, Progress cont d. The pairwise scheme of Chan, Perrig and Song Connectivity under full visibility IT 2013, ISIT 2012 Connectivity under an on-off channel model IT 2013, ICC 2011 Reliability (k-connectivity) under full-visibility and under on-off channel IT 2015, IT 2016, ISIT 2014, ICC 2015 Scalability (gradual deployment) Perf Eval 2012, WiOpt 2011 Resiliency (unassailability, unsplittability) ToN 2016, PIMRC 2011

12 Texas A&M University, October 20th, The punch line

13 Texas A&M University, October 20th, EG Scheme Pairwise Scheme Connectivity (Full Visibility) (k-) Connectivity (On-Off Channel, p n ) Gradual Deployment Σ = O(logn) Σ n,avg = O(1) Σ n,max = O( logn loglogn ) Σ = O( logn p n ) Σ n,avg = O( logn p n ) Σ n,max = O( logn p n ) Σ n,avg = O(logn) Σ n,max = O(logn) Unassailability Σ = O(logn) Σ n,avg = O(1) Σ n,max = O( logn loglogn ) Unsplittability Σ = O(logn) Σ n,avg = O(w n ) Σ n,max = O( logn loglogn ) Σ : # of keys required per sensor node n : # of sensors

14 Texas A&M University, October 20th, TODAY EG scheme: connectivity under full visibility EG scheme: connectivity under on-off channel model Summary of results under the pairwise scheme Connectivity under a new key predistribution scheme for heterogeneous sensor networks

15 Texas A&M University, October 20th, General Approach: Random graph modeling Random graphs = Graphs generated by a random process. Communication graph: E.g., the disk model. i j if χ i χ j ρ tx range Key graph: Induced by the key predistribution scheme. i j if Σ i Σ j System model: Communication graph Key graph i j iff Σ i Σ j and χ i χ j ρ Links in the intersection model represent pairs of nodes which can securely communicate

16 Texas A&M University, October 20th,

17 Texas A&M University, October 20th, The EG scheme and Random Key Graphs

18 Texas A&M University, October 20th, Random Key Graphs K(n;K,P): Key graph induced by the EG scheme. Vertex set, V = {v 1,...,v n } Each vertex v i is assigned a set Σ i of K distinct keys selected uniformly at random from a pool of size P. Edge set, E = {v i v j : Σ i Σ j } P[v i v j ] = 1 (P K K ) ( P K) K2 P

19 Texas A&M University, October 20th, Connectivity of the EG graph (IT 2012) Theorem 1 Consider a scaling K,P : N 0 N 0 such that for some c > 0. Then, [ lim P n K 2 P clogn n K(n;K,P) is connected ] = 0 if c < 1 1 if c > 1. If mean degree = (1+ǫ)logn, then the network is connected a.a.s. If mean degree = (1 ǫ)logn, then network is not connected a.a.s.

20 Texas A&M University, October 20th, Sharper Results If Mean degree = logn+γ where γ (,+ ), then lim P[K(n;K,P) is connected] = e e γ n If Mean degree = logn+(k 1)loglogn+γ, then lim P[K(n;K,P) is k-connected] = e e n γ (k 1)! k-connectivity: network remains connected if any set of k 1 edges or nodes are deleted. Available in Zhao, Yağan, Gligor, WiOpt 2015, IT 2016.

21 Texas A&M University, October 20th, Why sharp zero-one laws are useful? Connectivity is at odds with other network properties. Recall that P[i j] K2 P To increase the chances of connectivity; Increase K Larger key rings, larger memory req. Decrease P Larger K/P ratio, less resiliency against node capture attacks. Sharp zero-one laws provide a precise threshold of connectivity and reliability. Knowing the exact minimum requirements for ensuring connectivity, one can dimension the scheme without suffering performance losses in other properties.

22 Texas A&M University, October 20th, Other Applications of Random Key Graphs Common-interest relationship network - Zhao et al., 2013 Modeling the small world effect - Yağan and Makowski 2009 Recommender systems using collaborative filtering - Marbach 2008 Clustering and classification analysis - Godehardt & Jaworski 03 Cryptanalysis of hash functions - Blackburn et al., 2012 A.k.a. uniform random intersection graphs

23 Texas A&M University, October 20th, Connectivity under Non-full visibility

24 Texas A&M University, October 20th, A simple communication model Assume that communication channels are mutually independent, and each channel is either on or off. With p in (0,1), consider i.i.d. {0,1}-valued rvs with success probability p. The channel between nodes i and j is available with probability p and unavailable with the complementary probability 1 p. Also known as ON-OFF Fading Channel. Can be modeled by an Erdős-Rényi (ER) graph G(n;p). The overall system model is the intersection K(n;K,P) G(n;p).

25 Texas A&M University, October 20th, Connectivity of EG scheme under on-off channel Model: K G(n;K,P,p) P[i j] = p(1 (P K K ) ) := p(1 q) ( K) P Theorem 2 (Yağan, IT 2012) Consider scalings K,P : N 0 N 0 and p : N 0 (0,1) such that for some c > 0. Then we have [ lim P n p n (1 q n ) c logn n, n = 1,2,... K G(n;K n,p n,p n ) is connected ] = 0 if c < 1 1 if c > 1. Critical scaling: E[degree] logn

26 Texas A&M University, October 20th, Connectivity under the disk model? Nodes are distributed over a bounded region D of the plane Disk model: Nodes i and j located at x i and x j, respectively, in D are able to communicate if ρ : transmission range of sensors x i x j < ρ (1) Random geometric graph, H(n; ρ): Induced under (1) when nodes are independently and uniformly distributed over D If D is unit torus, then P[i j] = πρ 2 Model of interest: The intersection K(n;K,P) H(n;ρ)

27 Texas A&M University, October 20th, A natural conjecture Conjecture 1 (Yağan, IT 2012) Consider scalings K,P : N 0 N 0 and ρ : N 0 (0,1/ π) such that for some c > 0. Then we have [ lim P n πρ 2 n (1 q n ) c logn, n = 1,2,... (2) n K H(n;K n,p n,ρ n ) is connected ] = 0 if c < 1 1 if c > 1. Still open! Despite several attempts and despite that each graph is well-studied

28 Texas A&M University, October 20th, Supporting evidence Prob. of connectivity on/off model K p = 0.2 p = 0.4 p = 0.6 p = 0.8 Prob. of connectivity disk model K πρ 2 = 0.2 πρ 2 = 0.4 πρ 2 = 0.6 πρ 2 = 0.8 (a) (b) a) Probability of connectivity under the on-off channel model. b) Probability of connectivity under the disk model with πρ 2 = p. Figures are almost indistinguishable!

29 Texas A&M University, October 20th, A tale of connectivity results for intersection of random graphs

30 Texas A&M University, October 20th, Partial results on the conjecture Yi et al. established the zero-law; i.e, under (2), they showed [ ] lim P K H(n;K n,p n,ρ n ) is connected = 0 if c < 1 n Di Pietro et al. showed that [ lim P K H(n;K n,p n,ρ n ) is connected n ] = 1 if c > 20π Krzywdzinski and Rybarczyk showed that [ ] lim P K H(n;K n,p n,ρ n ) is connected = 1 if c > 8 n No result exists for the connectivity when 1 < c 8 An important gap given the trade-offs vs. security and memory

31 Texas A&M University, October 20th, A related conjecture by Gupta & Kumar Model: Random geometric graph with randomly deleted links. G H(n;p,ρ) P[i j] = p(πρ 2 ). Conjecture 2 (Gupta & Kumar, 1998) Consider scalings p : N 0 (0,1) and ρ : N 0 (0,1/ π) such that for some c > 0. Then, we have p n πρ 2 n c logn n, n = 1,2,... lim P[G H(n;p n,ρ n ) is connected] = n 0 if c < 1 1 if c > 1. Remained open for 18 years (till Penrose 16)

32 Texas A&M University, October 20th, Connectivity of soft random geometric graphs Gupta & Kumar s conjecture is true if p n = Ω(1/logn) However, the conjecture fails when ( ) 1 p n = o and p n = ω logn ( ) n 1/3 logn Complicated proof combining geometric and combinatorial arguments. It would be interesting to try to extend our results to these random key graphs

33 Texas A&M University, October 20th, A tale of connectivity results for intersection of random graphs ER graph Random Geometric Graph Conjecture by Gupta & Kumar, 1998: Penrose 2016 Random Key Graph Random Geometric Graph Conjecture by Yağan, 2012: Open for 1 < c 8 Random Key Graph ER Graph A sharp zero-one law is available, Yağan, IT Random K-out Graph ER Graph A sharp result is available, Yağan & Makowski, IT Theorem 2 is the first complete zero-one law established for the connectivity of the intersection of random graphs.

34 Texas A&M University, October 20th, The Pairwise scheme and Random K-out Graphs

35 Texas A&M University, October 20th, Connectivity under the pairwise scheme The random K out graph, H(n;K) := Key graph induced by the pairwise scheme. Vertex set, V = {1,...,n} Γ 1,...,Γ n iid and uniform in {1,...,n} i with Γ i = K Edge set, E = {i j : i Γ j j Γ i } P[i j] = 1 (( n 2 K ( n 1 K ) ) ) 2 = 2K n 1 K2 (n 1) 2

36 Texas A&M University, October 20th, Connectivity under full visibility P(n;K) := P[Random K-out graph is connected] Theorem 3 (Yağan&Makowski, IT 2013) With K a positive integer, it holds that 0 if K = 1 lim P(n;K) = (3) n 1 if K 2. Moreover, for any K 2, we have P(n;K) 1 155, n 16. (4) n3

37 Texas A&M University, October 20th, Numerical examples n 1 155/n With K = 2, we get connected a.s. and Mean degree 4 Mean number of keys per sensor 4

38 Texas A&M University, October 20th, An instantiation of H(n; K) n=50, K=2 The graph is connected!

39 Texas A&M University, October 20th, Stronger results under on-off channel model Theorem 4 (Yavuz et al. IT 2016) Consider {K n,p n } n 1 such that limsup n p n < 1. With γ : N 0 R defined through ( p n K n 1 log(1 p n) K ) n = logn+(k 1)loglogn+γ n p n n 1 we have lim P[H G(n;K n,p n ) is k-connected ] = n 0 if lim γ n = n 1 if lim γ n = +. n E[node degree] p n K n ( 1 log(1 p n) p n ) K n n 1

40 Texas A&M University, October 20th, An heterogeneous key predistribution scheme

41 Texas A&M University, October 20th, Heterogeneous Wireless Networks Many military and commercial WSN applications consist of heterogeneous devices Sensors with varying level of resources; computational, memory, power Varying level of security and connectivity requirements. Assigning the same number/type of keys to all nodes is not sensible! Initial Approach: Modify the EG scheme for heterogeneous sensor networks

42 Texas A&M University, October 20th, Set-up Sensors are divided into r priority classses according to some probability distribution {µ 1,...,µ r }. For any sensor v x, P[v x is class i] = µ i, i = 1,...,r A class-i sensor is assigned K i keys randomly from a common key pool of size P; e.g., K 1 K 2 K r. Two sensors x and y can securely communicate if Σ x Σ y Q: How should K 1,...,K r and µ 1,...,µ r be selected to ensure secure connectivity?

43 Texas A&M University, October 20th, Inhomogeneous Random Key Graphs G(n;µ,K,P) with K = {K 1,...,K r } and µ = {µ 1,...,µ r } p ij : Edge probability between a class-i and class-j node. ( P Ki ) K p ij = 1 ( j P ) K ik j i,j = 1,...,r. P K j Allows a hierarchical structure: larger key rings will amount to larger connectivity Homogeneous case: all sensors have K keys and p ij K2 P and critical scaling for connectivity is K 2 P clogn n

44 Texas A&M University, October 20th, The inhomogeneous case? Let K avg = r j=1 µ jk j : the mean key ring size. Q: Do we get a zero-one similar to the homogeneous case with Kavg 2 P clogn n i.e., c > 1 connected and c < 1 not connected Q: Or, do we have the result with Kmin 2 P clogn n or K 2 max P c logn n where K min : min{k 1,...,K r } and K max : max{k 1,...,K r }?

45 Texas A&M University, October 20th, The answer: Neither Theorem 5 (Yağan IT 2015) Consider a distribution µ = (µ 1,...,µ r ) with µ i > 0 ( i), K n = K 1,...,K r and P n s.t. K min K avg P n c logn n, (5) for some c > 0. Under mild assumptions, we have 0 if c < 1 lim P[G(n;µ,K n,p n ) is connected ] = n 1 if c > 1. Minimum mean degree = (1±ǫ)logn connected/disconnected

46 Texas A&M University, October 20th, Conclusions K min has a dramatic impact on connectivity. If the minimum key ring size is reduced by half, the average key per sensor needs to be increased by twice. Homogeneous case is the most efficient w.r.t total key usage. Let P = nlogn. For connectivity, we need Homogeneous: K n = (1+ǫ)logn for some ǫ > 0. Heterogeneous: If K min = O(1), then K avg = Ω((logn) 2 ) Flexibility comes at a price!

47 Texas A&M University, October 20th, Thanks! Visit for references..

48 Texas A&M University, October 20th, Alternative/Additional Ideas for Heterogeneous WSNs A Multi-layer Key Predistribution Scheme

49 Texas A&M University, October 20th, EG scheme vs. Pairwise Scheme Advantages of the EG scheme Can be deployed gradually over time Does not require a central authority Advantages of the Pairwise scheme Small overhead for connectivity Node-to-node authentication Perfect resiliency Can we combine the benefits of the two schemes?

50 Texas A&M University, October 20th, A multi-layer key predistribution approach Assume that a certain number of nodes are of higher priority and need to carry out highly classified/critical communication. The multi-layer approach Use the pairwise key predistribution protocol only among these high-rank nodes; e.g., distribute K p pairwise keys per high-priority node Use the EG scheme network-wide, with K c symmetric keys per node

51 Texas A&M University, October 20th, Advantages Highly classified traffic can be routed securely/efficiently among the high-priority nodes Requires only four keys per high-priority node Pairwise scheme induces a sparse topology with each high-rank node connected to only few other high-rank nodes Sensible design With the EG scheme widely used in the network, it is possible to deploy low-rank nodes gradually over time Highly classified communication will be extremely resilient against random attacks

52 Texas A&M University, October 20th, Future Work Resiliency against node capture when the adversary is aware of high-class nodes Achieving connectivity/reliability under various wireless communication/mobility constraints Quantifying the trade-off between the number of pairwise keys K p and standard keys K c used. Incorporating pairwise scheme with the heterogeneous scheme introduced here

53 Texas A&M University, October 20th, Property of interest: k-connectivity k-vertex-connected: Network remains connected despite the deletion of any k 1 nodes. k-edge-connected: Defined similarly for the deletion of edges Min. node degree k: All nodes have at least k neighbors Additional benefits: Efficient Routing. k-connectivity implies that any two nodes are connected by k mutually independent paths. Achieving consensus. Let m : # of adversarial nodes. Consensus can be reached if the network is (2m + 1)-connected Mobile sensor networks. If k-connected, can assign any k 1 sensors as mobile nodes.

54 Texas A&M University, October 20th, Useful implications 1. Social networks Think of an online social network; say Facebook. Assume that all users add just 2 people (which are selected uniformly at random amongst all other users) as a friend. Theorem 3 shows that the resulting network will be connected with very high probability. Indeed, with only 100 users involved, we have P[connectivity] 99.9%

55 Texas A&M University, October 20th, Trust establishment PGP web of trust. In a group, each member verifies two other members and signs their public keys. Now, with high probability the whole group is connected, so any member can verify the public key of any other member of the group. 3. Routing Total number of edges in in the pairwise graph Kn It is a sparse graph as E V constant. By Theorem 3, the pairwise graph gets connected very easily. Sparse connected graphs are considered to be a useful routing infrastructure in distributing the traffic evenly. Efficient spread of a gossip.