Attack Detection in Wireless Localization Yingying (Jennifer) Chen - PowerPoint PPT Presentation

Attack Detection in Wireless Localization Yingying (Jennifer) Chen (Jennifer) Chen Yingying Dept. of Computer Science, Rutgers University Dept. of Computer Science, Rutgers University Wireless Information Network Laboratory (WINLAB) Wireless Information Network Laboratory (WINLAB) Alcatel- -Lucent Technologies Lucent Technologies Alcatel Joint work with Prof. Wade Trappe and Prof. Richard P. Martin Joint work with Prof. Wade Trappe and Prof. Richard P. Martin WOCC 2007 WOCC 2007

I ntroduction What is localization? What is localization? Simply to find the position of a wireless device or a sensor Simply to find the position of a wireless device or a sensor node. node. Why wireless localization? Why wireless localization? Public Public Healthcare monitoring Healthcare monitoring Wildlife animal habitat tracking Wildlife animal habitat tracking Emergency rescue/recovery Emergency rescue/recovery Enterprise Enterprise Location- Location -based access control based access control Location- -aware content delivery aware content delivery Location Asset tracking Asset tracking

Motivation: Secure Localization Attention is on Received Signal Strength (RSS)- -based based Attention is on Received Signal Strength (RSS) localization techniques localization techniques Reuse the existing communication infrastructure the existing communication infrastructure Reuse Tremendous cost saving Tremendous cost saving 802.11, 802.15.4, and Bluetooth support the technology 802.11, 802.15.4, and Bluetooth support the technology Reasonable accuracy (median error 1 ~ 5 m) (median error 1 ~ 5 m) Reasonable accuracy The localization infrastructure can become the target of The localization infrastructure can become the target of malicious attacks malicious attacks Location- -based services becoming more prevalent based services becoming more prevalent Location Non- -conventional security threats conventional security threats (non (non- -cryptographic attacks) cryptographic attacks) Non

Outline Introduction and motivation Introduction and motivation Background Background A generalized attack detection model A generalized attack detection model Common features in RSS- -based methods based methods Common features in RSS Test statistic in multilateration multilateration methods methods Test statistic in Experimental evaluation Experimental evaluation Conclusion Conclusion Related work Related work

Background RSS Reading Transmit packets at unknown unknown Transmit packets at location location (x 1 ,y 1 ) Landmarks Receive packets Receive packets Landmarks time t Or the other way around Or the other way around [-35,-68,-56] Modality Modality Received Signal Strength (RSS) Received Signal Strength (RSS) (x?,y?) [(x,y),s1,s2,s3] Time- -Of Of- -Arrival (TOA) Arrival (TOA) Time Angle- -Of Of- -Arrival (AOA) Arrival (AOA) Angle Principle to compute position to compute position Principle Lateration Lateration [(x,y),s1,s2,s3] Angulation Angulation θ angle θ (x 3 ,y 3 ) Scene (fingerprint) matching Scene (fingerprint) matching Training data/radio map Training data/radio map Probabilistic Probabilistic (x 2 ,y 2 ) Return location estimation Return location estimation

Generalized Attack Detection Model Formulate as statistical significance testing Formulate as statistical significance testing Null hypothesis: Null hypothesis: : normal (no attack) 0 : normal (no attack) H 0 H Test statistic T Test statistic T Acceptance region Acceptance region Ω If , no attack If , no attack If , declare an attack is present If , declare an attack is present Significance testing with significance level significance level α Significance testing with α

Effectiveness of Attack Detection Cumulative Distribution Function (CDF) of the Cumulative Distribution Function (CDF) of the test statistic T test statistic T Detection Rate (DR) Detection Rate (DR) Under attack, DR = P Under attack, DR = P d d Under normal, DR = Under normal, DR = P P fa fa Receiving Operating Characteristic (ROC) curve Receiving Operating Characteristic (ROC) curve Plot of attack detection accuracy against the false Plot of attack detection accuracy against the false positive rate positive rate Measure the tradeoff Measure the tradeoff between the false between the false- -positive and positive and correct detections correct detections

Choosing a Test Statistic Signal- Signal -strength based algorithms strength based algorithms – – range range- -based and based and scene matching scene matching Common feature: distance in signal space Common feature: distance in signal space Area based Probability (ABP) Area based Probability (ABP) Bayes’ ’ rule to compute the likelihood of an RSS matching a rule to compute the likelihood of an RSS matching a Bayes fingerprint for each area fingerprint for each area Bayesian Networks (BN) Bayesian Networks (BN) Use Bayesian Graphical Model to predict the sampling distribution n Use Bayesian Graphical Model to predict the sampling distributio of the possible location of the possible location Multilateration methods methods – – single and multi single and multi- -hop range hop range- - Multilateration based based Non- -linear Least Squares (NLS) linear Least Squares (NLS) Non Linear Least Squares (LLS) Linear Least Squares (LLS)

Test Statistic: Distance in Signal Space Key advantage - - attack detection before localization attack detection before localization Key advantage Signal Space Physical Space F ( R ) ( D ) distance error D S perturbation distance distance error under attack G true location Localization: estimation under normal estimation under attack

Finding Thresholds as a test statistic S as a test statistic D S D If D ﹥ τ for a given for a given α , RSS readings under attack If α , RSS readings under attack D S S ﹥ τ Choosing a threshold ( Choosing a threshold ( τ τ ): ): empirical methodology vs. statistical modeling empirical methodology vs. statistical modeling

Test Statistic for Multilateration Methods - Using Least Squares Ranging step: Ranging step: Distance estimation between unknown node and Distance estimation between unknown node and landmarks landmarks Various methods available: RSS, TOA, hop count Various methods available: RSS, TOA, hop count Lateration step: step: Lateration Traditional: Non- -linear Least squares (NLS) linear Least squares (NLS) Traditional: Non Linear Least squares (LLS) Linear Least squares (LLS)

Test Statistic: The Residuals Localization with LLS Localization with LLS Linear regression: Linear regression: Location estimation: Location estimation: Define the residuals Define the residuals Follow a Gaussian distribution: ~N( N( μ μ , , Σ Σ ) ) Follow a Gaussian distribution: ~ Choose the residuals as the test statistic T T for for Choose the residuals as the test statistic attack detection attack detection

The Detection Scheme Perform after the localization phase Perform after the localization phase An observed value: An observed value: Model the residuals as multivariate Gaussian Model the residuals as multivariate Gaussian random variables: random variables: Acceptance Region: Acceptance Region: Under attack, if (significance level) Under attack, if (significance level)

Experimental Setup: (Two buildings: CoRE Building and I ndustrial Lab) - Floor plan: Floor plan: 225ft x 144ft (32400 ft 225ft x 144ft (32400 ft 2 ) - 2 ) - Floor plan: Floor plan: 200ft x 80ft (16000 ft 200ft x 80ft (16000 ft 2 ) - 2 ) - 802.11 ( 802.11 (WiFi WiFi) Network ) Network - - 802.11 ( 802.11 (WiFi WiFi) Network ) Network - - 802.15.4 ( - 802.15.4 (ZigBee ZigBee) Network ) Network

Experimental Evaluation - Using Signal Strength Attacks Attenuate or amplify RSS Attenuate or amplify RSS Materials – – easy to access easy to access Materials Attacks – – simple to simple to Attacks perform with low cost perform with low cost Attack the wireless node Attack the wireless node Compromise the landmarks Compromise the landmarks Linear relationship - - linear linear Linear relationship attack model attack model

Comparison Statistical Significance Testing: generic and specific test statistics Performance: similar detection rates!

Receiving Operating Characteristic (ROC) - Using LLS Residuals 802.11 network, α = 0.01 A closer look: CoRE CoRE, , 802.11 network, A closer look: Impact of small attacks: ~ 1.55 ft/dB

Summary Generic approach approach Generic Across algorithms, networks, and buildings Across algorithms, networks, and buildings Effectiveness of our attack detection schemes of our attack detection schemes Effectiveness High detection rates, over 95% (attacks > 15dB) High detection rates, over 95% (attacks > 15dB) Low false positive rates, below 5% Low false positive rates, below 5% Different localization systems have localization systems have similar similar attack attack Different detection capabilities detection capabilities