A Lightweight Secure Scheme for Detecting Provenance Forgery and Packet Drop Attacks in WSN(2015)

Note: Please Scroll Down to See the Download Link.



Sensor networks are used in numerous application domains, such as cyber physical infrastructure systems, environmental monitoring, power grids, etc. Data are produced at a large number of sensor node sources and processed in-network at intermediate hops on their way to a Base Station (BS) that performs decision-making. The diversity of data sources creates the need to assure the trustworthiness of data, such that only trustworthy information is considered in the decision process. Data provenance is an effective method to assess data trustworthiness, since it summarizes the history of ownership and the actions performed on the data. Recent research [1] highlighted the key contribution of provenance in systems where the use of untrustworthy data may lead to catastrophic failures (e.g., SCADA systems). Although provenance modeling, collection, and querying have been studied extensively for workflows and curated databases [2], [3], provenance in sensor networks has not been properly addressed. We investigate the problem of secure and efficient provenance transmission and processing for sensor networks, and we use provenance to detect packet loss attacks staged by malicious sensor nodes. In a multi-hop sensor network, data provenance allows the BS to trace the source and forwarding path of an individual data packet. Provenance must be recorded for each packet, but important challenges arise due to the tight storage, energy and bandwidth constraints of sensor nodes. Therefore, it is necessary to devise a light-weight provenance solution with low overhead. Furthermore, sensors often operate in an untrusted environment, where they may be subject to attacks. Hence, it is necessary to address security requirements such as confidentiality, integrity and freshness of provenance. Our goal is to design a provenance encoding and decoding mechanism that satisfies such security and

performance needs. We propose a provenance encoding strategy whereby each node on the path of a data packet securely embeds provenance information within a Bloom filter that is transmitted along with the data. Upon receiving the packet, the BS extracts and verifies the provenance information. We also devise an extension of the provenance encoding scheme that allows the BS to detect if a packet drop attack was staged by a malicious node. As opposed to existing research that employs separate transmission channels for data and provenance [4], we only require a single channel for both. Furthermore, traditional provenance security solutions use intensively cryptography and digital signatures [5], and they employ append-based data structures to store provenance, leading to prohibitive costs. In contrast, we use only fast Message Authentication Code (MAC) schemes and Bloom filters (BF), which are fixed-size data structures that compactly represent provenance. Bloom filters make efficient usage of bandwidth, and they yield low error rates in practice. Our specific contributions are: We formulate the problem of secure provenance transmission in sensor networks, and identify the challenges specific to this context;

We propose an in-packet Bloom filter provenance encoding scheme; We design efficient techniques for provenance decoding and verification at the base station; We extend the secure provenance encoding scheme and devise a mechanism that detects packet drop attacks staged by malicious forwarding sensor nodes; We perform a detailed security analysis and performance evaluation of the proposed provenance encoding scheme and packet loss detection mechanism. The rest of the paper is organized as follows: Section 2 sets the problem background and describes the system, threat and security models. Section 3 introduces the provenance encoding scheme, whereas Section 4 outlines the scheme extension and the mechanism for identification of malicious nodes that stage packet drop attacks. Section 5 presents the security analysis of our methods. Section 6 provides  n analytical performance evaluation, whereas Section 7 presents the experimental evaluation results for the proposed scheme. We survey related work in Section 8 and conclude with directions for future research in Section 9.




Node Configuration

Link Configuration

In this module Nodes are configured based on number of nodes in need of packet requisition. We create the network group by connecting nodes to sink. Link configuration means connecting the nodes and intermediate nodes to the sink.


Sender Node

Packet Splitting

In this module, Sender selects the file which is to be sent. And then it split into the number of packets based on the size for adding some bits in it.

Send Packets to Intermediate

And then it encrypts all the splitted packets. And then sender adds some bits to each encrypted packets before sending that. Bit Addition for each packet is identification for sender. After adding of bits to each packet, it sends the packets to the nearest node or intermediate node.


Intermediate Node(Router)

Send Packets to Sink

In this module, the intermediate node receives Packets from the sender. After receiving all packets from sender, it encrypts all packets again for authentication. Before sending to sink, intermediate add some bits to each packet for node identification. After adding some bits from intermediate, it sends all packets to the sink.


Modify or Drop

Before sending all packets to sink, packets dropping or packets modifying may be occur in intermediate.






In this module, Sink receives all packets from the sender node, and it verifies all packets which are dropped or not. And it also verifies the packets which are modified or not and it can identify the modifiers in the process based on the bit identification.

Merge Packets

After receiving all packets in sink, it decrypts all packets. After the decryption if there is no modified or dropped packets, it merge all packets. After merging, Sink can receive the original file.

Categorization And Ranking

In this module Categorization and Ranking will be performed based on the node behavior. If there is any modification or drop of packets in node it assumes negative value for modifier or dropper. Sink performs Ranking for each node based on the Category of nodes. Sink gives ranking like Good, Temporarily Good, Suspiciously Bad, Bad based on the node behavior in the process




Click here to download A Lightweight Secure Scheme for Detecting Provenance Forgery and Packet Drop Attacks in WSN(2015) documents