Research on False Data Detection and Elimination Mechanisms in Wireless Sensor Networks

Resilient False Data Detection Mechanisms in Wireless Sensor Networks

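【Author】 Zhang Qiyuan (张起元)

【Advisor】 Zhou Xuehai (周学海)

【Author information】 University of Science and Technology of China, Computer System Architecture, 2010, PhD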

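【Summary】 Continuous advances in microelectronics, computing and wireless communication have driven the rapid development of low-power sensors that integrate information collection, data processing and wireless communication in a very small volume. A wireless sensor network consists of a large number of inexpensive sensor nodes deployed in a monitored area, which form a multi-hop, self-organizing network through wireless communication. Its purpose is to cooperatively sense, collect and process information about the objects in the area covered by the network and to send it to the observer. Sensor networks have greatly changed the way humans interact with the natural world and improved our ability to understand it, and they have been widely deployed and applied in fields such as the military, healthcare and smart homes.

Wireless sensor networks are self-organizing, data-centric and cooperative in a distributed manner. Sensor nodes are resource-constrained in computation, storage, bandwidth and energy, and while sensing data they must also act as routers and forward data for neighboring nodes. These characteristics expose wireless sensor networks to many new security threats and make the design of security mechanisms suited to sensor networks highly challenging. Because wireless sensor networks are often deployed in harsh or even hostile environments, an attacker can easily capture sensor nodes and inject large amounts of false data into the network, which can not only change the network's topology and routing structure but also affect the accuracy of the sensed data, disrupting the normal operation of the sensor network. This thesis studies in depth how to efficiently detect and drop false data and, further, how to detect and exclude the source nodes that send it, and establishes a basic security framework suitable for wireless sensor networks.

First, the importance of geographic location information to wireless sensor networks is analyzed. To prevent an attacker from using captured nodes to send large volumes of control data containing false location information, the problem of location verification is raised. Location information obtained through localization algorithms often carries considerable error, which affects the determination of neighbor relationships between nodes. Taking the error in location information fully into account, a neighbor relationship model for sensor nodes is established through experiments, and a basic scheme based on trust and monitoring relationships among neighboring nodes is designed and proposed. To further reduce communication overhead, an improved scheme based on the Merkle hash tree is also proposed.

Second, the necessity of dropping false event reports as early as possible is pointed out, and, to address a weakness of the general en-route filtering framework, an en-route filtering scheme that resists packet dropping is proposed. Built on a location-based security framework, it introduces trust and monitoring relationships among neighboring nodes into the whole process of checking and dropping sensed data packets, and effectively resists attackers maliciously dropping genuine event reports. The proposed fan-shaped region model addresses the inability of existing en-route filtering schemes for wireless sensor networks to cope with a mobile sink.

Finally, traceback schemes suitable for wireless sensor networks are proposed. The existing probabilistic packet marking (PPM) schemes for the Internet are first introduced and analyzed, and two improved schemes are then proposed that greatly reduce message complexity; a lower bound on the complexity of any PPM-based scheme is also given. However, basic PPM schemes do not consider the security risk posed by captured intermediate nodes. After a detailed analysis of the attacks an attacker could launch through captured sensor nodes, a traceback scheme based on probabilistic chain marking is proposed. By placing a message authentication code in each mark, it protects not only the message itself but also the marks already present in the packet, and effectively counters the influence of captured intermediate nodes. The proposed scheme greatly improves the robustness and accuracy of traceback while keeping communication complexity low.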

【Abstract】 Tiny sensors integrating functions such as information collection, data processing and wireless communication have proliferated thanks to the development of MEMS (Micro-Electro-Mechanical System), computing and wireless communication technologies. Wireless sensor networks are made up of large numbers of low-cost sensor nodes deployed in the target sensing areas. These low-power sensors establish a multi-hop, ad-hoc network infrastructure to cooperatively sense, collect and process information about the covered sensing target. The final results are sent back to the observers for further processing. Wireless sensor networks have revolutionized the way humans interact with nature and thus enhanced our ability to understand the world. They have been widely deployed in areas such as the military, healthcare and intelligent homes.

Wireless sensor networks are recognized as ad-hoc, data-centric and distributed. Severely constrained in computation, storage, bandwidth and energy resources, sensor nodes act not only as data generators but also as routers for neighboring sensors. These unique features have brought new security threats to wireless sensor networks, and designing security mechanisms suitable for sensor networks is a great challenge.

In many scenarios, wireless sensor networks are deployed in harsh or even hostile environments. Adversaries can easily compromise sensor nodes because they are unattended. Large volumes of bogus data can be injected into the network through the compromised sensors to maliciously change the topology and routing structures of the network and decrease the accuracy of the sensing data. The normal operation of wireless sensor networks is thus severely disrupted. This thesis focuses on how to effectively and efficiently detect the false data injected by adversaries and then eliminate the sources. The aim is to establish a basic security framework against false data injection for wireless sensor networks.

Firstly, the importance of geographic location information is analyzed. To defend against bogus control data containing forged locations injected by adversaries, the problem of location verification is raised. Because the location information obtained through localization is inaccurate, neighbor relationships among nearby sensors are affected. A neighbor model is established that takes the inaccuracy of location information into consideration. Based on this model, a basic scheme relying on trust among neighboring sensors is proposed. To further reduce the communication overhead, an improved scheme is proposed that uses a data structure called the Merkle hash tree.

Then, the necessity of detecting and dropping false event reports as soon as possible, to save network bandwidth and energy resources, is pointed out. A selective-dropping-resistant en-route filtering scheme is proposed to address the weakness of the general en-route filtering framework. Building on so-called location-based security, trust and monitoring are introduced into the process of event report verification to effectively deter attackers from maliciously dropping normal data packets. The proposed fan model effectively solves the problem of sink mobility, which is a deficiency of the existing en-route filtering schemes. The influence of sensor compromises on location-based security is also analyzed.

Finally, highly efficient traceback schemes for wireless sensor networks are proposed. The probabilistic packet marking (PPM) schemes for the Internet are thoroughly analyzed. Two improved schemes are then proposed to reduce the message complexity. By analysis, a lower bound for any PPM-based scheme is obtained. However, PPM does not consider the threat of sensor compromise. The various potential attacks that could be launched by adversaries are analyzed in detail, and a traceback scheme based on probabilistic chain marking is proposed. Thanks to the protection of a message authentication code, not only the message itself but also any existing markers in the packet remain intact. Thus robustness and accuracy are enhanced while communication overhead is reduced.

  • 【Classification code】 TP212.9; TN929.5
  • 【Citation count】 8
  • 【Download count】 392