Similar literature
Found 20 similar documents; search took 109 ms
1.
伏飞  齐望东 《通信学报》2010,31(4):16-25
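A new defense approach is proposed: eliminating the threat of node replication attacks by making it impossible for replica nodes to establish pairwise keys with neighboring nodes. Based on this idea, a polynomial-based pairwise key distribution method, LTB (location and time binding), is designed. LTB binds each node's key material to its deployment location and time, so that each node can establish pairwise keys with its neighbors only at its deployment location. Because a replica node is deployed at a location different from that of the originally captured node, LTB effectively prevents it from establishing pairwise keys with neighbors. Compared with existing periodic replica detection mechanisms, LTB has the advantage that it eliminates the threat of node replication attacks entirely and has lower protocol overhead: communication overhead drops from O(pn^(3/2)) to O(n), where p is the number of detection periods and n is the number of network nodes.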

2.
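To effectively resist Sybil attacks and improve node localization accuracy in wireless sensor networks when attacks are present, the inherent weaknesses of Sybil attacks are analyzed and summarized, and a secure node localization method that detects Sybil attacks based on received power verification is proposed. The detection mechanism has two steps. First, the detecting node compares received power and selects, from all the beacon nodes it has received, those at the same distance from it, listing them as suspected Sybil nodes. Then, through information exchange and distance verification among neighboring nodes, the attacking nodes are finally detected, and localization is performed using the beacon node set with the Sybil nodes removed. Simulation experiments show that, when attacks are present, the probability of successful detection exceeds 95% and localization accuracy improves by 9~11.64 m, indicating that the method can effectively detect Sybil attacks and achieve secure node localization.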

3.
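To address the problem that Sybil attacks in ZigBee networks destroy the uniqueness of node identity, this paper proposes an adaptive link fingerprint authentication scheme to resist Sybil attacks. The scheme first designs a link fingerprint based on wireless link characteristics. On this basis, it proposes a coherence time estimation algorithm that reflects channel quality and a dynamic guaranteed time slot (GTS) request algorithm that adapts to changes in the number of child nodes, and gives the Sybil attack authentication procedure. Security analysis and experimental results show that, under the security boundary conditions of the communication environment, the node authentication success rate can reach more than 97%, and that the link fingerprint does not need to be stored, so resource requirements are low.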

4.
郭江鸿  马建峰 《通信学报》2011,32(4):94-102
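Building on the vBNN-IBS signature, a DoS-resistant multi-user broadcast authentication scheme for sensor networks, DDA-MBAS, is proposed, which filters false data using hash operations and user information. Compared with existing multi-user broadcast authentication schemes for sensor networks, DDA-MBAS, in addition to resisting node compromise attacks and active attacks, filters false messages at low energy cost and effectively limits the security threat of DoS attacks and collusion attacks launched by compromised users.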

5.
任秀丽  杨威  薛建生  尹凤杰 《电子学报》2010,38(9):2095-2100
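When a wireless sensor network is deployed in hostile territory, nodes may be captured and their information replicated and spread through the network to carry out destructive activity. This attack is stealthy and highly destructive. This paper proposes a zone-based detection method for node replication attacks: by partitioning the deployment area into zones and establishing hop-count-based coordinates, node replication attacks can be detected effectively. Simulation experiments show that the method consumes little energy, is efficient, and requires no auxiliary nodes.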

6.
张衍志  叶小琴 《电信科学》2016,32(8):110-117
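To address the susceptibility of wireless sensor networks to many kinds of network attacks and to node compromise, a complete system for Sybil attack detection based on periodic ultra-wideband distance information is proposed. First, ranging and the exchange of hello packets are carried out between adjacent nodes; then a distance estimation table is built by local estimation, so that every node holds such a table. Next, multiple distance matching checks are performed periodically and independently at each node in the network. Finally, when a legitimate node finds a distance match between at least 2 different nodes, it raises an alarm to revoke the Sybil nodes. If no distance match exists, the node continues normal operation. The simulation used an IEEE 802.15.4 peer-to-peer sensor network, and the results show that the proposed system tolerates variation in the number of concurrent Sybil attacks and also successfully handles simultaneous, malleable Sybil attacks. In addition, the probability of false alarms is very small, and overall network performance and consistency are not affected.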

7.
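Existing physical-layer authentication mechanisms rely on the privacy of legitimate channel state information (CSI); once an attacker can manipulate or steal the legitimate channel, physical-layer authentication is at risk of being broken. To address this weakness, this paper proposes a man-in-the-middle (MITM) pilot attack method, which attacks physical-layer authentication by controlling the channel measurement process of the two legitimate parties. The MITM pilot attack system is first modeled, and a progressive, imperceptible access strategy for the MITM pilot attack is given, which allows the attacker to insert itself between the two legitimate communicating parties. After gaining access, the attacker can attack two basic physical-layer authentication mechanisms: against CSI-based comparison authentication, it can carry out denial-of-service and impersonation access attacks; against CSI-based encryption authentication, it can steal channel information and thereby go on to crack the authentication vector. The attack method applies to general wireless communication systems with public pilots and requires the attacker to synchronize with the pilot transmission of the two legitimate parties. Simulation analysis verifies the effectiveness of the progressive imperceptible access strategy, the denial-of-service attack, the impersonation access attack, and the theft of channel information with cracking of the authentication vector.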

8.
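Nodes of mobile ad hoc networks are often installed in unattended places and lack protection against physical eavesdropping, so they are exposed to security threats. Ad hoc networks are particularly vulnerable to denial-of-service attacks. In this article, we analyze a new DoS attack, the ad hoc flooding attack, to which ad hoc networks using on-demand routing protocols are highly susceptible and which can put the entire network into a denial-of-service state. The intruder broadcasts a large number of route request packets, or sends a large number of attack data packets, to exhaust bandwidth and node resources so that normal communication is denied. We then propose Flooding Attack Prevention (FAP), a method that effectively prevents ad hoc flooding attacks in mobile ad hoc networks. FAP consists of two parts: neighbor suppression and path cutoff. When the intruder broadcasts a large number of route request packets, its neighbors notice the high request rate and lower the priority of their communication with the intruder according to the rate of requests received; low-priority requests that go unserved are eventually dropped. When the intruder sends a large number of attack data packets to a target node, that node may cut off the path and no longer establish paths with the intruder. FAP can therefore be used to prevent ad hoc flooding attacks in mobile ad hoc networks.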

9.
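A new method for defending against Sybil attacks in wireless sensor networks   Total citations: 7, self-citations: 1, citations by others: 6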
冯涛  马建峰 《通信学报》2008,29(6):13-19
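In sensor networks, the Sybil attack is one of the main attack methods. A new scheme for defending against Sybil attacks in sensor networks is proposed, using random pre-distribution of secret information and a mechanism in which witnesses confirm node identity, and its overall performance is analyzed. In the new scheme, a management and distribution scheme for sensor node secret information is built on a one-way accumulator. For the shared key establishment phase, an authenticated symmetric key establishment protocol for sensor networks is proposed and given a provable security analysis in the universally composable (UC) security model; the protocol establishes a unique symmetric key between neighboring nodes.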

10.
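Existing physical-layer authentication mechanisms rely on the privacy of legitimate channel state information (CSI); once an attacker can manipulate or steal the legitimate channel, physical-layer authentication is at risk of being broken. To address this weakness, this paper proposes a man-in-the-middle (MITM) pilot attack method, which attacks physical-layer authentication by controlling the channel measurement process of the two legitimate parties. The MITM pilot attack system is first modeled, and a progressive, imperceptible access strategy for the MITM pilot attack is given, which allows the attacker to insert itself between the two legitimate communicating parties. After gaining access, the attacker can attack two basic physical-layer authentication mechanisms: against CSI-based comparison authentication, it can carry out denial-of-service and impersonation access attacks; against CSI-based encryption authentication, it can steal channel information and thereby go on to crack the authentication vector. The attack method applies to general wireless communication systems with public pilots and requires the attacker to synchronize with the pilot transmission of the two legitimate parties. Simulation analysis verifies the effectiveness of the progressive imperceptible access strategy, the denial-of-service attack, the impersonation access attack, and the theft of channel information with cracking of the authentication vector.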

11.
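P2P systems are widely used in areas such as file sharing, but DHT (distributed hash table) networks are decentralized and unauthenticated and lack a mechanism for verifying node identity, which leaves existing DHT-based P2P systems vulnerable to external attacks such as the Sybil attack. A social-network-based security enhancement mechanism for DHT is proposed, which brings the trust relationships among nodes in a social network into the DHT network to improve the ability to identify Sybil nodes. The mechanism is validated experimentally using the KAD (Kademlia) algorithm as an example; results on Facebook and Twitter datasets show that the proposed mechanism suits large-scale dynamic networks and effectively defends against Sybil attacks.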

12.
Wireless sensor network nodes (WSN nodes) have limited computing power, storage capacity, communication capabilities and energy, and WSN nodes are easy to be paralyzed by Sybil attack. In order to prevent Sybil attacks, a new key distribution scheme for wireless sensor networks is presented. In this scheme, the key information and node ID are associated, and then the attacker is difficult to forge identity ID and the key information corresponding to ID cannot be forged. This scheme can use low-power to resist the Sybil attack and give full play to the resource advantages of the cluster head. The computing, storage and communication is mainly undertaken by the cluster head overhead to achieve the lowest energy consumption and resist against nodes capture attack. Theoretical analysis and experimental results show that compared with the traditional scheme presented in Ref. [14], the capture rate of general nodes of cluster reduces 40%, and the capture rate of cluster heads reduces 50%. So the scheme presented in this paper can improve resilience against nodes capture attack and reduce node power consumption.

13.
Authentication is an important service in wireless sensor networks (WSNs) for an unattended environment. Recently, Das proposed a hash‐based authentication protocol for WSNs, which provides more security against the masquerade, stolen‐verifier, replay, and guessing attacks and avoids the threat which comes with having many logged‐in users with the same login‐id. In this paper, we point out one security weakness of Das' protocol in mutual authentication for WSN's preservation between users, gateway‐node, and sensor nodes. To remedy the problem, this paper provides a secrecy improvement over Das' protocol to ensure that a legal user can exercise a WSN in an insecure environment. Furthermore, by presenting the comparisons of security, computation and communication costs, and performances with the related protocols, the proposed protocol is shown to be suitable for higher security WSNs.

14.
Distributed systems particularly suffer from Sybil attacks, where a malicious user creates numerous bogus nodes to influence the functions of the system. In this letter, we propose a Bloom filter‐based scheme, SybilBF, to fight against Sybil attacks. A Bloom filter presents a set of Sybil nodes according to historical behavior, which can be disseminated to at least n·(e–1)/e honest nodes. Our evaluation shows that SybilBF outperforms state of the art mechanisms improving SybilLimit by a factor of (1/e)· at least.

15.
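Identity authentication is the first line of defense in wireless sensor network security. To address the efficiency and security problems of existing identity authentication protocols for wireless sensor networks, a low-power identity authentication protocol based on Shamir's threshold secret sharing scheme is proposed. Without reducing network security, a new node is authenticated by multiple already-authenticated nodes, which effectively reduces the computation required during authentication. During authentication, a one-way hash function is used to encrypt communication data and a timestamp mechanism is used to resist replay attacks. Analysis shows that the protocol is low-power and resists eavesdropping attacks, replay attacks, and attacks in which a small number of nodes are captured.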

16.
Security is the major issue in wireless sensor networks and many defence mechanisms have been developed to secure the network from these alarming attacks by detecting the malicious nodes which hinder the performance of the network. Sybil attack can make the network vulnerable. Sybil attack means a node which illegitimately claims multiple identities. This attack threatens wireless sensor network in routing, voting system, fair resource allocation, data aggregation and misbehaviour detection. Hence, the research is carried out to prevent the Sybil attack and improve the network performance. The node ID-based scheme is proposed, where the detection is based on node registration, consisting of two phases and the assignment of ID to the node is done dynamically. The ID's corresponding to the nodes registered is at the base station and the node active time is monitored, any abnormalities in the above phases confirm the presence of Sybil nodes in the network. The scheme is simulated using NS2. The energy consumed for this algorithm is 2.3 J. The proposed detection scheme is analysed based on the network's PDR and found that the throughput has improved, which prove that this scheme may be used in the environment where security is needed.

17.
Providing desirable data security, that is, confidentiality, authenticity, and availability, in wireless sensor networks (WSNs) is challenging, as a WSN usually consists of a large number of resource constraint sensor nodes that are generally deployed in unattended/hostile environments and, hence, are exposed to many types of severe insider attacks due to node compromise. Existing security designs mostly provide a hop-by-hop security paradigm and thus are vulnerable to such attacks. Furthermore, existing security designs are also vulnerable to many types of denial of service (DoS) attacks, such as report disruption attacks and selective forwarding attacks and thus put data availability at stake. In this paper, we seek to overcome these vulnerabilities for large-scale static WSNs. We come up with a location-aware end-to-end security framework in which secret keys are bound to geographic locations and each node stores a few keys based on its own location. This location-aware property effectively limits the impact of compromised nodes only to their vicinity without affecting end-to-end data security. The proposed multifunctional key management framework assures both node-to-sink and node-to-node authentication along the report forwarding routes. Moreover, the proposed data delivery approach guarantees efficient en-route bogus data filtering and is highly robust against DoS attacks. The evaluation demonstrates that the proposed design is highly resilient against an increasing number of compromised nodes and effective in energy savings.

18.
In MANET, providing authentication and security to location-based routing is a big task. To overcome this problem, in this paper, we proposed a defense against Sybil attacks and authentication for anonymous location-based routing in MANET. Each random forwarder has a table of RSS values estimated from the previous message exchanges across a zone to detect the Sybil attack. The difference in RSS values of two neighboring nodes is estimated based on which the node’s arrival angle into the zone is detected. Depending on the arrival angle, the nodes can be categorized as safety zone and caution zone. The messages exchanged between the RFs and senders can be protected by means of group signature. Finally, misrouting packet drop attack is detected and eliminated by using ant colony optimization technique. By simulation results, we show the proposed technique reduces the packet drop due to attacks, thereby increasing the delivery ratio.

19.
Sybil attack defense based on a shuffling strategy   Total citations: 1, self-citations: 0, citations by others: 1
聂晓文  卢显良  唐晖  赵志军  李玉军 《电子学报》2008,36(11):2144-2149
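The shuffling strategy solves, in theory, the Sybil attack problem for distributed hash tables (DHTs). To overcome cheating by the adversary, trusted nodes are introduced to form a distributed authentication system in which trusted nodes authenticate newly joining nodes, ensuring that node signatures and IDs cannot be forged. Tickets that record the shuffle-join process are also introduced to determine node legitimacy, which prevents the adversary from accumulating expired IDs. Because the number of tickets stored determines how well the proposed algorithm works in practice, theoretical analysis and simulation experiments are used to confirm that the number of tickets the algorithm needs to store is small, ensuring its feasibility.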

20.
Wireless sensor networks (WSNs) are widely used in large areas of applications; due to advancements in technology, very tiny sensors are readily available, and their usage reduces the cost. The mechanisms designed for wireless networks cannot be implied on networks with tiny nodes due to battery and computational constraints. Understanding the significance of security in WSNs and resource constraintness of tiny WSNs, we propose a node authentication mechanism for nodes in wireless sensor networks to avoid security attacks and establish secure communication between them. In the proposed mechanism, a base station (BS) generates a secret value and random value for each sensor node and stores at the node. The sensor node authenticates using secret value and random number. Random nonce ensures freshness, efficiency, and robustness. The proposed mechanism is lightweight cryptographic, hence requires very less computational, communication, and storage resources. Security analysis of the proposed mechanism could not detect any security attack on it, and the mechanism was found to incur less storage, communication, and computation overheads. Hence, the proposed mechanism is best suitable for wireless sensor networks with tiny nodes.
