Distributed Detection of Sensor Worms Using Sequential Analysis and Remote Software Attestations

Recent work has demonstrated that self-propagating worms are a real threat to sensor networks. Since worms can enable an adversary to quickly compromise an entire sensor network, they must be detected and stopped as quickly as possible. To meet this need, we propose a worm propagation detection scheme for sensor networks. The proposed scheme applies sequential analysis to detect worm propagation by leveraging the intuition that a worm’s communication pattern is different from benign traffic. In particular, a worm in a sensor network requires a long sequence of packets propagating hop-by-hop to each new infected node in turn. We thus have detectors that observe communication patterns in the network; a worm spreading hop-by-hop will quickly create chains of connections that would not be seen in normal traffic. Once detector nodes identify the worm propagation pattern, they initiate remote software attestations to detect infected nodes. Through analysis and simulation, we demonstrate that the proposed scheme effectively and efficiently detects worm propagation. In particular, it blocks worm propagation while restricting the fraction of infected nodes to at most 13.5% with an overhead of at most 0.63 remote attestations per node per time slot.
