Research on Security Assurance Model and Mechanisms in Wireless Sensor Networks

【Author】 Li Guorui (李国瑞)

【Advisor】 He Jingsha (何泾沙)

【Author information】 Beijing University of Technology, Computer Application Technology, 2009, Ph.D.

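【Summary】 Wireless sensor networks use large numbers of integrated micro-sensors to cooperatively monitor, sense and collect information about various environments or monitored objects, process that information with embedded systems, and deliver the required information to the user over a self-organizing wireless communication network using multi-hop relaying. They merge the logical world of information with the real physical world and change the way people interact with nature. They have very broad application prospects in many fields, including military and national defense, environmental science, medicine and health care, space exploration, and industrial and agricultural automation. Wireless sensor networks are usually deployed in unattended areas or even on enemy positions, sensor nodes transmit data to one another over wireless links, and the nodes' computing, storage, communication and energy capacities are all very limited. These characteristics make wireless sensor networks highly vulnerable to a variety of malicious attacks. Addressing the security problems of wireless sensor networks in critical application areas such as battlefield reconnaissance, natural disaster prediction and the monitoring of important facilities, this dissertation studies in depth static key management, dynamic key management, secure multiple deployment and intrusion detection suited to different node types and network structures, and proposes an assurance model and methods that can ensure the security of wireless sensor networks. The main results and innovations of this dissertation are as follows:

(1) An assurance model for the security of wireless sensor networks is proposed. The model consists of two main parts, key management and intrusion detection. Key management, as the first barrier protecting the network, aims to provide the underlying technical support for secure data transmission, secure routing, entity authentication and secure multicast, and thereby defends effectively against outside attacks. Intrusion detection, as the second barrier, aims to detect effectively a range of abnormal behaviors in the sensor network, such as message forgery and tampering attacks, selective forwarding attacks, sinkhole attacks, wormhole attacks, Hello flood attacks and black hole attacks, and thereby defends effectively against insider attacks and further improves the security of the network. Combining key management with the intrusion detection system strengthens the security of the system from several sides and provides solid assurance for normal data collection and information processing in wireless sensor networks.

(2) A static key management scheme can effectively reduce the resource consumption of sensor nodes while preserving the security of the sensor network. This dissertation proposes a static key management scheme: a key predistribution scheme based on regular hexagons. The scheme uses regular hexagons to model the signal transmission of wireless sensor nodes and distributes key polynomials by building a cellular network of sensors, which raises the probability that sensor nodes establish direct or indirect pairwise keys.

(3) To improve the connectivity and security between sensor nodes that belong to different deployment sets in a static key management environment, a secure multiple deployment scheme is proposed. The scheme runs an adaptive key selection algorithm to generate the minimal spanning set of all predistributed keys in the deployment sets. It greatly increases the probability of connectivity between sensor nodes while maintaining a high level of security, and it can easily be combined with existing key predistribution schemes.

(4) A dynamic key management scheme can avoid the effect that captured nodes have on network connectivity under static key management. For the security of flat wireless sensor networks, a group-based dynamic key management scheme is proposed. The scheme is based on EBS (Exclusion Basis Systems) and does not require the participation of the base station or cluster head nodes when it is carried out, which ensures its generality. Its dynamic key update property further ensures that the security of the sensor network is not affected by captured sensor nodes.

(5) For the security of hierarchical wireless sensor networks, a dynamic key management scheme based on a refined key link tree is proposed. The scheme introduces dirty key paths into the key link tree based group key management scheme and delays the key update operations on those dirty key paths, which reduces duplicate key updates at the auxiliary nodes of the key link tree. Compared with existing group key management schemes, the scheme based on the refined key link tree generates fewer key update messages when nodes are added or deleted and therefore consumes less energy.

(6) The key management schemes that form the first barrier of the security assurance model may not withstand every attack on a wireless sensor network. To detect abnormal behavior in the network in time, a group-based distributed intrusion detection scheme is proposed. The scheme first uses the δ-grouping algorithm to divide the whole wireless sensor network into a number of groups, such that the sensor nodes in a group are physically close to one another and collect observed data values that are close to one another. It then uses a statistics-based anomaly identification algorithm to identify the abnormal nodes in a group and isolate them. The intrusion detection scheme evaluates the multi-dimensional data collected by the sensor nodes at the same time and can therefore produce more precise detection results. Compared with existing intrusion detection schemes, it has a lower false alarm rate and higher detection accuracy, together with lower computation and communication overhead.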

【Abstract】 Wireless sensor networks use integrated micro-sensors to monitor and collect, collaboratively, many kinds of information about environments and monitored objects. They process the information with embedded systems and transmit the processed data to the user terminal over a wireless ad hoc network in a self-organized, multi-hop way. The logical world of information and the real physical world are merged together. They change the way people interact with nature and have promising applications in the military, environmental science, medicine and health care, space exploration, and industrial and agricultural automation.

However, wireless sensor networks are usually deployed in unattended or even hostile areas, sensor nodes communicate with each other over wireless links, and the computational, storage, communication and energy capacities of sensor nodes are limited. As a result, wireless sensor networks are susceptible to various kinds of malicious attacks. This dissertation focuses on the security of wireless sensor networks in critical settings such as military reconnaissance, disaster prediction and equipment monitoring. It proposes a security assurance model and several security schemes. The proposed model includes a static key management scheme, a dynamic key management scheme, a secure multiple deployment scheme and an intrusion detection scheme, which are designed according to the types of sensor nodes and the underlying network structure. The major contributions of this dissertation are as follows:

(1) A security assurance model is proposed. It includes key management schemes and an intrusion detection scheme. Key management works as the first barrier, against attacks by outside attackers. Its main objective is to provide basic technical support for secure data transmission, secure routing, entity authentication and secure multicast. Intrusion detection works as the second barrier, against attacks by insider attackers. Its main objective is to detect abnormal behaviors in the network effectively, such as message modification attacks, selective forwarding attacks, sinkhole attacks, wormhole attacks, hello flood attacks and black hole attacks. It further enhances the security of the wireless sensor network. Combining the key management schemes with the intrusion detection scheme provides a solid security assurance model for secure data collection and information processing.

(2) A static key management scheme can effectively reduce the resource consumption of sensor nodes while maintaining the security of wireless sensor networks. The proposed hexagon-based key predistribution scheme is a static key management scheme. It uses hexagons to model the signal propagation area and builds a cellular network of sensors to distribute the key polynomials. This scheme increases the probability of pairwise key establishment and, at the same time, decreases the cost of key establishment.

(3) To improve the connectivity and security between wireless sensor nodes in different deployment sets under static key management, a secure multiple deployment scheme is proposed. This scheme selects the minimal spanning set of all predistributed keys by running an adaptive key selection algorithm. It maintains the security of the network while improving the connectivity among sensors, and it integrates very easily with existing key predistribution schemes.

(4) A dynamic key management scheme can avoid the influence of compromised sensor nodes on the connectivity of sensor networks. The proposed group-based dynamic key management scheme is suitable for flat wireless sensor networks. This scheme is based on Exclusion Basis Systems (EBS) and can be implemented without the participation of the base station and cluster heads. The dynamic key update feature ensures that the security of the wireless sensor network is not affected by compromised sensor nodes.

(5) To ensure the security of hierarchical wireless sensor networks, a group key management scheme based on a refined key link tree is proposed. By incorporating dirty key paths into the key link tree based group key management scheme and delaying the key update operations on dirty key paths, the number of duplicate key update messages for auxiliary nodes can be reduced, which also brings down the energy cost. The scheme requires fewer rekeying messages and consumes less power than existing group key management schemes.

(6) Key management schemes, working as the first barrier against malicious attacks in wireless sensor networks, are not able to defend against all of them. To detect attacks in wireless sensor networks effectively, a group-based intrusion detection scheme is proposed. This scheme partitions the sensor network into many groups, in each of which the sensors are physically close to each other and are equipped with the same sensing capability. It then detects the abnormal sensor nodes in a group using a statistics-based intrusion detection algorithm and segregates them from the network. The group-based intrusion detection scheme considers multiple attributes of the sensor nodes simultaneously in order to detect malicious attackers precisely. Compared with existing schemes, this group-based intrusion detection scheme can decrease the false alarm rate and increase the detection accuracy while lowering the computation and transmission power consumption.

  • 【Classification number】 TP393.08; TP212.9
  • 【Times cited】 5
  • 【Downloads】 836