The Second International Conference on Innovations in Information Technology (IIT’05)
DAWWSEN: A DEFENSE MECHANISM AGAINST WORMHOLE
ATTACKS IN WIRELESS SENSOR NETWORKS
Rouba El Kaissi, Ayman Kayssi, Ali Chehab and Zaher Dawy
Department of Electrical and Computer Engineering
American University of Beirut
Beirut, Lebanon.
{rze03, ayman, chehab, zaher.dawy}@aub.edu.lb
ABSTRACT
Many obstacles impede the successful deployment of sensor networks. In addition to the limited resources
issue, security is a major concern especially for applications such as home security monitoring, military,
and battle field applications. In this paper we present a defense mechanism against wormhole attacks in
wireless sensor networks. Specifically, a simple routing tree protocol is proposed and shown to be effective
in defending against wormhole attacks through ns-2 simulations.
Keywords: Wireless sensor and ad hoc networks, wormhole attack, routing tree protocol.
1. INTRODUCTION
Wireless sensor networks (WSNs) constitute a rapidly emerging area of interest [1-6]. They have
a wide range of potential applications including habitat monitoring [3], indoor sensor networks
with sensor-enabled user interfaces [4], nuclear power plants and battlefield monitoring [5], target
tracking, and seismic monitoring of buildings [6].
WSNs are built with a large number of tiny and inexpensive sensor nodes that are typically
resource constrained, with low-power sensors, limited memory, slow embedded processors, and
low-bandwidth radios.
Due to their limited power and short range, sensor nodes need to collaboratively work in multi-
hop wireless communication architectures to allow the transmission of their sensed and collected
data to the nearest base station. Unlike wired networks where the physical wires prevent an
attacker from compromising the security of the network, wireless sensor networks face many
security challenges that represent a prerequisite to a successful deployment of wireless sensor
networks especially for military applications. Moreover, the resource-starved nature of sensor
nodes makes the security issue very critical; in fact, the deployment of maximum security
services in each node will produce a significant drain on the system resources, and thus reduce
the node’s lifetime.
This paper addresses the security concerns in wireless sensor networks. More specifically, we
address the wormhole attack, which is a severe attack in wireless sensor networks whereby an
attacker stores transmitted packets and then replays them into the network. Defending against
such an attack is challenging because it can be launched even if all network communication is
authentic and confidential.
The rest of this paper is organized in the following way. Section 2 presents the possible attacks on
sensor networks. Related previous work is provided in Section 3. Our proposed design of setting
up a secure wireless sensor network and defending against the wormhole attack is detailed in
Section 4. Simulation results are shown in Section 5. Conclusions and future work are presented
in Section 6.
2. ATTACKS ON WIRELESS SENSOR NETWORKS
This section describes possible attacks on wireless sensor networks. Two types of attacks can be
distinguished: insider attacks and outsider attacks.
The insider attack or node compromise is a real threat for the sensor network; a compromised
node is actually a legitimate node in the sensor network that was captured by an adversary. This
node may possess all the secret keys in the case of encrypted and authenticated communications
and thus, will be capable of participating in the communications and disrupting the network.
The outsider attacks are achieved by unauthorized nodes that can easily eavesdrop on the packets
exchanged between sensor nodes due to the shared wireless medium, in an attempt to get access
to private information. The attacker in this case is also capable of altering or spoofing the
information, and injecting erroneous packets. Furthermore, it may refuse to forward every packet
it receives and simply drop them; this attack is called the selective forwarding attack.
Some outsider attacks can only be achieved by an attacker that includes itself on the route that
packets take. This is possible for example through the construction of sophisticated attacks that
tend to eventually destroy the routing protocol [7].
One of these attacks is the sinkhole attack which is started by an attacker aiming to attract all the
traffic destined to the base station by simply replaying a high quality routing advertisement. The
transmission of this routing advertisement lets each neighboring node of the attacker forward the
packets intended to the base station through this attacker. Note that the effect of this high quality
route will propagate to the nodes located many hops away from the attacker. As an example, a
laptop-class adversary has a strong power radio transmitter that allows it to provide a high-quality
route by transmitting with enough power to reach a wide area of the network. The sinkhole attack
in the case of routing tree protocol is shown in Figure 1.
Figure 1: Sinkhole Attack.
Another attack is the Sybil attack where a node illegitimately presents multiple identities to the
nodes in the network. This attack is most critical in a routing protocol where a node selects with
equal probability an upstream neighbor as the next hop towards the base station. Therefore, by
pretending to have multiple identities, the Sybil attacker will be chosen with high probability as
the next hop. Hence, a sinkhole will be created and the attacker will be capable of performing
selective forwarding, spoofing and altering the packets, etc.
Another attack is the acknowledgment spoofing attack which has a serious impact on the routing
protocol. This attack is launched by an attacker that attempts to encourage the nodes to transmit
packets on weak or dead links; this can be achieved by convincing the sender that a weak link is
strong by spoofing acknowledgement packets for “overheard packets” that are destined to
neighboring nodes.
Finally, the wormhole attack which will be the core of this paper is a very critical attack that can
be launched by an attacker that records the transmitted packets and then replays them into the
network. The attacker can be either an ordinary sensor or a stronger node (e.g., a laptop-class node).
This attack is very dangerous against the routing protocol since the attacker might launch these
attacks during the neighbor discovery phase. Consider for instance the case where an attacker is
placed in the neighborhood of Node A (see Figure 2); when A broadcasts the routing request
packet, the attacker receives this packet and replays it in its neighborhood. Each node receiving
this replayed packet will consider itself to be in the range of Node A, and will mark this node as
its parent. Hence, the attacker is capable of convincing the nodes that would normally be multiple
hops from A that they are only one hop away as shown in Figure 2.
Figure 2: Normal Network (left), Network under Wormhole Attack (right).
Note that an attacker with a high power radio transmitter is capable of transmitting to a longer
range compared to an ordinary sensor attacker, and therefore it disrupts more sensor nodes.
3. PREVIOUS WORK
Recently, the problem of securing ad-hoc networks has become a major concern, and many
solutions have been proposed in the literature [9-13]. Unfortunately, due to the resource
constrained nature of the sensor nodes, the solutions proposed for the latter cannot be applied to
sensor networks. This fact has given rise to new research in order to address the security issues in
wireless sensor networks.
Perrig et al. present a collection of security protocols for sensor networks [2]. The model
integrates two major components, SNEP (Secure Network Encryption Protocol) and Tesla (Timed
Efficient Stream Loss-tolerant Authentication). SNEP is a protocol for data confidentiality and
two party data authentication, while Tesla is a protocol for broadcast data authentication. This
scheme provides a light authenticated routing protocol which increases the difficulty of launching
many possible attacks on sensor networks.
LEAP (localized encryption and authentication protocol) is an efficient protocol for inter-node
traffic authentication which is developed by Zhu et al. [14]. This protocol relies on a key sharing
approach that authorizes in-network processing, and at the same time mitigates a number of
possible attacks.
In [15], two security protocols for real-world applications are proposed by Chen et al. The first
one addresses the base station to mote confidentiality and authentication; it recommends that the
authenticity and the confidentiality of the messages can be provided by the use of a shared-key
algorithm, e.g. RC5. The second protocol is close to the one used by TESLA [16] which aims to
achieve mote authentication.
Park and Shin present LISP (a Lightweight Security Protocol for wireless sensor networks) [17]
which is an efficient protocol that proposes a new re-keying mechanism in order to make a
tradeoff between security and resource consumption of sensor nodes. It is shown that this
protocol was capable of defending against various attacks.
In [18], Jones et al. propose a novel solution to the problem of securing WSNs; the proposed
model is based on the use of the frequency hopping technique that leads to a lightweight and
strong mechanism for securing wireless sensor networks. A distinguishing feature of this model is
that it is applicable to networks in which the sensor nodes are unaware of their location.
The papers listed above propose different protocols that provide the sensor network with a high
level of security since they are capable of defending against various types of attacks. However,
none of them has effectively handled the wormhole attack.
The wormhole attack in wireless sensor networks was first introduced by C. Karlof and D.
Wagner who analyze in [7] the security issues of different routing protocols in WSNs, and discuss
for each routing protocol the possible attacks (e.g. Sybil, sinkhole, selective forwarding,
wormhole, etc.). Then, they propose the countermeasures that should be applied in order to
defend against these attacks.
For the wormhole attack, C. Karlof and D. Wagner mentioned the geographic routing protocol
[19] as a resistant protocol to this attack; this protocol is actually an on-demand routing protocol
based on the exchange of coordinate information used to route geographically addressed packets.
Hence, the wormhole attack can be detected if a route was noticed to be created between two
consecutive nodes that are actually distant in geographic location, and the integrity of this route is
thus suspected. However this routing protocol requires that each node is aware of its own
location, its immediate one hop neighbors, and the destination location.
On the other hand, ways of defending against this attack in ad-hoc networks have received a great
deal of well-deserved attention in the literature. They were mentioned by Dahill et al. [20],
Papadimitratos et al. [21], and Hu et al. [22]. One way of defending against this attack is to
improve the signal processing technique; however, this technique cannot be readily applied in the
case of sensor networks due to their processing constraints.
Another solution [23] proposes the adoption of directional antennas; each couple of nodes has to
examine the directions of the received signals from each other and from a shared witness. Hence,
the neighbor relation is set only if the directions of both pairs match.
Recognizing the position of a node [24, 25] is also helpful to prevent wormhole attacks. Actually,
the regular nodes or a centralized controller will be capable of discovering the presence of an
attacker by the detection of two conflicting positions in the original packet and the sent packet.
However, it is not easy to apply this method in outdoor environments.
Capkun et al. propose a new approach to detect the wormhole attack without the need of clock
synchronization [26]. Each node is asked to respond to a one bit challenge without any delay.
Then, the challenger has to measure the round trip time of the signal very accurately in order to
calculate the distance between the nodes.
Hu et al. present the packet leash solution [22] which requires that, for each transmitted packet,
the leash should be added in order to restrict the transmission distance.
It can be seen that due to the difference in characteristics between ad hoc networks and sensor
networks, it will be very expensive to employ these approaches in a wireless sensor network.
4. BUILDING A SECURE WSN
In this section, we design DAWWSEN (Defense mechanism Against Wormhole attacks in
Wireless SEnsor Networks). First, we describe our network model, and then present how the
routing tree is hierarchically constructed and how it can defend against the wormhole attack.
4.1 Network Model
The network model we use is as follows. We consider a network composed of a small number of
base stations, and a massive number of wireless sensor nodes randomly distributed in the target
area. These nodes have limited processing power, energy and bandwidth while the base stations
are resource-rich in terms of their computational capabilities, storage capacity, and energy
lifetime. Another assumption is that sensor nodes are not mobile during the duration of their
lifetime and are equipped with omni-directional antennas. Moreover, the deployed sensor nodes
are trustworthy and cannot be compromised by attackers. This means that an internal attack is
impossible and hence, the attack can be achieved only by hostile nodes or anti-nodes which are
generally capable of performing various kinds of outside attacks as discussed in Section 2.
Most of the outside attacks can be avoided by a simple encryption and authentication of the
messages (routing and data packets); the encryption and authentication prevent an attacker from
injecting packets in the network, they also eliminate the possibility of altering packets, as well as
creating sinkholes and making selective forwarding, etc.
However, the resource-starved nature of sensor networks poses great challenges for security.
Public key cryptography such as RSA was proved to be infeasible at present for sensor nodes [2],
as it is computationally expensive for them. Instead, lightweight symmetric key cryptography
such as RC5 has been shown to be effective [8].
We propose to use a global key that is shared by all nodes in the network. Using a global key for
encrypting information is attractive in terms of storage requirements and ease of use. However,
due to the use of a lightweight symmetric key cryptography, it will be necessary to periodically
refresh the global key.
With the above model in mind, we can effectively prevent all attacks that rely on the alteration of
packets and impersonation of other nodes. However, the routing protocol is seriously threatened
by the wormhole attack that can eventually disrupt routing in the WSN.
4.2 DAWWSEN
In order to combat the wormhole attack, we design DAWWSEN, a proactive routing protocol
based on the construction of a hierarchical tree where the base station is the root node, and the
sensor nodes are the internal or the leaf nodes of the tree. The tree construction is initiated by the
base station which broadcasts a request packet in order to discover its children nodes.
A request packet contains the ID of the node that originates the request packet and the hop count
which is equal to one in the case of a request packet sent by the base station.
A node receiving its first request packet cannot immediately decide on its parent; it still has
to wait for a period of time in order to collect a number of request packets, since it is still
impossible to know whether a received request packet was replayed by a wormhole attacker or not.
Therefore, each node receiving a request packet inserts a new entry in its “request list” that
contains the IDs of all the nodes from which it has received a request packet, and their
corresponding hop count. The insertion of a new entry is done in a sorted way; the one with the
lowest hop count will be placed at the head of the list (Figure 3).
Hop Count 1 ≤ Hop Count 2 ≤ Hop Count 3
Figure 3: Request List of a Node Receiving three Request Packets.
A “Reply Timer” is set to expire after a period of REPLY_DELAY seconds from the reception of
the first received request packet. When the timer expires, the node sends a reply packet which
contains its ID, the destination ID which is the ID of the first node in its request list and its
corresponding hop count, and then updates its “replay table” which contains the following fields:
destination ID, hop count, number of replayed packets (Num_Rep) and the Recv_Accept field.
The first 2 fields are respectively set to the values of the destination ID and hop count in the reply
packet, and the last 2 fields are set to zero (Figure 4).
Figure 4: Replay Table of a Node after the Transmission of a Reply Packet.
Then, it sets another timer, the “Check Timer”, which expires after a period of CHECK_DELAY
seconds from the transmission of the reply packet.
During this period, the node sending this reply packet keeps listening to the transmitted reply
packets, and increments the Num_Rep field for each received packet with source ID and
destination ID respectively equal to its own ID and to the destination ID in the replay table
(NodeID1).
On the other hand, the node receiving a reply packet inserts in its “reply list” (Figure 5) a new
entry which contains the ID of the node sending the reply packet, its hop count, and the number
of the identical received reply packets (Num_reply) which is set to one for a new received reply
packet.
Figure 5: Reply List of a Node Receiving Three Reply Packets.
Upon the reception of the first reply packet, the node sets the “Accept Timer” which expires after
a period of ACCEPT_DELAY seconds from the reception of this packet.
For each received reply packet during this period, the node navigates over the reply list for a
match of the NodeID. If an entry was found, its Num_reply field will be incremented by one;
otherwise a new entry will be added to the list with Num_reply equal to one.
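[Figure 3 contents: request list entries (NodeID1, Hop Count 1), (NodeID2, Hop Count 2), (NodeID3, Hop Count 3).]
[Figure 4 contents: replay table row NodeID1, Hop Count 1, Num_Rep = 0, Recv_Accept = 0.]
[Figure 5 contents: reply list entries (NodeIDa, Hop Counta, Num_replya), (NodeIDb, Hop Countb, Num_replyb), (NodeIDc, Hop Countc, Num_replyc).]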
Once its Accept Timer expires, the node sends, for each entry in its reply list, an equivalent accept
packet which contains its own ID as the source ID, the NodeID in the reply list as the destination
ID, and the Num_reply field which designates the number of repeated reply packets received by
the destination node.
The node receiving an accept packet should check that the source ID is the same as the
NodeID in its replay table. If this is not the case, the packet was stored by an
attacker during a previous construction of the routing tree and replayed now, and therefore should
be dropped. Otherwise, the node receiving this packet updates its replay table by setting the
“Recv_Accept” field to one and checks whether the “Num_reply” field in the accept packet is one
greater than “Num_Rep” in its replay table:
Num_reply = Num_Rep + 1 (1)
If the above condition is not verified, a wormhole attack is detected by this node which will:
1- Drop the received accept packet.
2- Add the ID of the originator of the accept packet to its NAP (Not Accepted Packets)
table.
3- Update its replay table by setting all the values to zero.
4- Send another reply which corresponds to the second entry in its request list or wait for
another request packet if not available.
Hence, the NAP table of a node contains the IDs of all the nodes that cannot be a parent of this
node. It is important to mention that the IDs in this table can be kept forever since we are
assuming that the nodes are fixed; therefore, if a node was added to the NAP table of a node, it
can never be a neighbor of this node and each request packet received afterward from a node
whose ID is in the NAP table will be immediately dropped.
Until now, nothing was mentioned about the Check Timer which is of major importance. To
illustrate its role, consider the case of an attacker that replays request and reply packets only.
Hence, a node receiving a replayed request packet will send a reply packet and keep waiting for
the accept packet. Here comes the importance of the Check Timer which expires after a period of
CHECK_DELAY seconds from the transmission of the reply packet. At this moment, the node
sending the reply packet checks the Recv_Accept field in its replay table. If equal to zero, this
means that no accept packet was received for the transmitted reply packet, and a new reply packet
has to be sent. It is worth mentioning that the Accept Timer should be set to expire before the
Check Timer.
On the other hand, if equation (1) is verified, the node receiving the accept packet marks the
originator of this packet as its parent, updates its routing table with the ID and the hop count of
this parent and rebroadcasts a request packet with a hop count field incremented.
Consequently, a hierarchical 3-way handshake routing tree for a multi-hop wireless sensor
network can be rapidly created. A distinguishing feature of DAWWSEN is that it is the
responsibility of the node receiving the accept packet to mark its parent and that the sensor nodes
are not aware of their children. However, this does not have any influence on the network since
all the data packets are sent only from the child to its parent. It is also noticeable that although the
tree is rooted at the base station, each node has no idea of which base station it is routing to. This
means that such a scheme can also be deployed in the case of the presence of more than a single
base station.
Finally, it is important to mention that the base station waits Trefresh seconds before the
retransmission of a new request packet and thus the construction of a new routing tree. This
parameter should be set according to the energy consumption of the sensor nodes. Actually, it is
important to ensure that we do not starve the nodes so that all data packets are guaranteed to be
transmitted and processed if necessary. Remember that each node has a single route to the base
station; hence, if the battery of a node is depleted, all the data that are usually transmitted through
this node will be lost.
5. SIMULATION
To evaluate the performance of our routing protocol, we used the ns-2 simulation environment [26]
to run the simulations described in this section. First, we define the parameters used in our
scenario, and then we show our simulation results.
5.1 Simulation Setup
This protocol was tested on 18 sensor nodes randomly distributed over a square field of 200m by
200m. The deployed nodes have fixed positions during the entire simulation. Node 0 is chosen as
a base station, node 3 as an attacker, while the other 16 nodes are normal sensor nodes (Figure 6).
Our simulation uses the IEEE 802.11 physical and MAC layers which are fully simulated in ns-2
and each node has a fixed radio range of 50 meters.
The parameters Trefresh, REPLY_DELAY, CHECK_DELAY, ACCEPT_DELAY and the duration
of the simulation are respectively set to 120, 0.005, 0.08, 0.025, 400 seconds.
5.2 Simulation Results
In order to evaluate the performance of our routing protocol, 3 scenarios were tested. In the first
one, the attacker (node 3) replays only the request packet received from the base station (node 0).
Therefore, each node receiving this packet:
• Updates its request list and sets the Reply Timer
• Transmits a reply packet after 0.005 seconds
• Updates its replay table and sets its Check Timer
• Checks its replay table after 0.08 seconds.
Since the Recv_Accept field in their replay table is equal to zero, and no other request packet was
received till this moment, the nodes that are more than 50m away from the Base Station wait for
another request packet which will be sent later by node 2 with a hop count equal to 2 and update
their NAP tables with the ID of the Base Station.
In the second scenario, the attacker replays the request packet sent by the base station and the
reply packet sent by node 9. The same procedures are performed by the nodes, and the wormhole
attack can be detected the same way.
In the third scenario, the attacker replays the 3 packets transmitted between the base station and
node 9. In this case, node 9 checks equation (1) after the reception of the accept packet replayed
by the attacker and thus detects a wormhole attack and waits for another request packet.
Finally, after checking the routing tables of all the sensor nodes, it was possible to sketch the
equivalent routing tree of our scenario as shown in Figure 7.
Figure 6: The Simulated Scenario.
Figure 7: The Routing Tree.
As a conclusion, DAWWSEN has shown its ability to detect and defend against the wormhole
attack in all the 3 cases described above and needed only 0.14 seconds to accomplish the
construction of the tree.
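The request/reply/accept handshake of Section 4.2 and the three replay scenarios above, as a small Python model added here for illustration (not code from the paper or its ns-2 implementation). The node coordinates, outcome strings and helper names are assumptions; the 50 m radio range, the equation (1) check and the NAP update on Check Timer expiry are taken from the text.

```python
"""Toy model of one DAWWSEN request/reply/accept handshake (added example)."""
from dataclasses import dataclass, field
from math import dist
from typing import Optional

RADIO_RANGE = 50.0  # metres; the fixed radio range from the paper's simulation setup


@dataclass
class Attacker:
    pos: tuple
    replays: frozenset  # packet types it records and rebroadcasts


@dataclass
class Node:
    node_id: int
    pos: tuple
    nap: set = field(default_factory=set)  # NAP table: IDs that can never be a parent
    parent: Optional[int] = None


def in_range(a, b):
    return dist(a, b) <= RADIO_RANGE


def replayed_copy(pkt_type, sender_pos, listener_pos, attacker):
    """1 if the attacker hears this packet and rebroadcasts it to the listener."""
    if attacker is None or pkt_type not in attacker.replays:
        return 0
    hears = in_range(sender_pos, attacker.pos)
    reaches = in_range(attacker.pos, listener_pos)
    return 1 if hears and reaches else 0


def handshake(child, parent, attacker=None):
    """Run one handshake from the child's point of view and return the outcome."""
    if parent.node_id in child.nap:
        return "request_dropped"  # requests from NAP entries are dropped at once

    # 1. Request: heard directly or only through the attacker's replay.
    direct = in_range(parent.pos, child.pos)
    if not direct and not replayed_copy("request", parent.pos, child.pos, attacker):
        return "no_request"

    # 2. Reply: the child transmits once. The parent counts every copy it
    #    receives (Num_reply); the child counts replayed copies of its own
    #    reply that it overhears (Num_Rep).
    num_reply = int(direct) + replayed_copy("reply", child.pos, parent.pos, attacker)
    num_rep = replayed_copy("reply", child.pos, child.pos, attacker)

    # 3. Accept: sent only if the parent saw a reply; Recv_Accept is set only
    #    if the accept reaches the child, directly or through a replay.
    recv_accept = num_reply > 0 and (
        direct or replayed_copy("accept", parent.pos, child.pos, attacker) == 1
    )
    if not recv_accept:
        # Check Timer expires with Recv_Accept = 0. The NAP update follows the
        # paper's first simulation scenario.
        child.nap.add(parent.node_id)
        return "check_timer_expired"

    # Equation (1): Num_reply = Num_Rep + 1.
    if num_reply != num_rep + 1:
        child.nap.add(parent.node_id)
        return "wormhole_detected"
    child.parent = parent.node_id
    return "parent_accepted"


def paper_scenarios():
    """Outcomes of the three replay scenarios on a constructed layout."""
    bs = Node(0, (0.0, 0.0))  # base station (node 0)
    cases = [
        ("request only", {"request"}),
        ("request and reply", {"request", "reply"}),
        ("all three packets", {"request", "reply", "accept"}),
    ]
    results = {}
    for name, replays in cases:
        far = Node(9, (80.0, 0.0))  # constructed position: 80 m from the base station
        attacker = Attacker((40.0, 0.0), frozenset(replays))  # constructed position
        results[name] = handshake(far, bs, attacker)
    return results


if __name__ == "__main__":
    for name, outcome in paper_scenarios().items():
        print(f"{name}: {outcome}")
```

In this model a node within range of both the base station and the attacker is still accepted when the reply is replayed, because the parent counts two copies and the child overhears one, so equation (1) holds.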
6. CONCLUSION AND FUTURE WORK
In this paper, we have presented a new protocol called DAWWSEN that incorporates a detection
and defense mechanism against the wormhole attack, a powerful attack that has serious
consequences on sensor routing protocols. A great advantage of DAWWSEN is that it doesn’t
require any geographical information about the sensor nodes, and doesn’t take the time stamp of
the packet as an approach for detecting a wormhole attack, which is very important for the
resource constrained nature of the sensor nodes.
Finally, we have examined the performance of DAWWSEN through ns-2 simulations, and the
results have shown that our routing protocol can efficiently defend against the wormhole attack
and achieve low delay.
In future work, we will try to introduce some modifications to our routing protocol in order to get
a balanced tree where the load would be fairly distributed among the nodes since this will
considerably help in reducing the value of Trefresh. We will also try to test our routing protocol in
the case of 2 or more collaborating attackers.
REFERENCES
[1] J. Deng, R. Han, and S. Mishra, “INSENS: Intrusion-Tolerant Routing in Wireless Sensor Networks”,
In proceedings of the 23rd IEEE International Conference on Distributed Computing Systems
(ICDCS 2003), Providence, May 2004.
[2] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. Tygar, “SPINS: Security Protocols for Sensor
Networks”, In proceedings of the Seventh Annual International Conference on Mobile Computing and
Networks (MOBICOM 2001), July 2001.
[3] A. Mainwaring, J. Polastre, R. Szewczyk, D. Culler, and J. Anderson, “Wireless Sensor Networks
for Habitat Monitoring”, In proceedings of WSNA’02, 2002.
[4] J. Carlson, R. Han, et al., “Rapid Prototyping of Mobile Input Devices Using Wireless Sensor
Nodes”, In proceedings of WMCSA’03, Monterey, California, USA, October 2004.
[5] U. A. F. ARGUS, “Advanced Remote Ground Unattended Sensor Systems”, Department of Defense,
Argus, http://www.globalsecurity.org/intell/systems/arguss.htm.
[6] J. Hill, R. Szewczyk, A.Woo, S. Hollar, D. Culler, K. Pister, “System Architecture Directions for
Networked Sensors”, Architectural Support for Programming Languages and Operating Systems,
2000.
[7] C. Karlof and D. Wagner, “Secure Routing in Wireless Sensor Networks: Attacks and
Countermeasures”, In proceedings of IEEE International Workshop on Wireless Sensor Network
Protocols and Applications, 2004.
[8] J. Deng, R. Han, and S. Mishra, “The performance evaluation of intrusion-tolerant routing in wireless
sensor networks”, In proceedings of IPSN’03, Palo Alto, CA, USA, April 2004.
[9] Y.-C. Hu, A. Perrig, and D. Johnson, “Ariadne: A Secure On-Demand Routing Protocol for Ad-Hoc
Networks”, In proceedings of the 8th ACM International Conference on Mobile Computing and
Networking (MOBICOM 2002), ACM, Atlanta, GA, September 2002.
[10] P. Ning and K. Sun, “How to misuse AODV: A Case Study of Insider Attacks against Mobile Ad-hoc
Routing Protocols”, In proceedings of IEEE Workshop on Information Assurance United States
Military Academy, June 2003.
[11] Y.-C. Hu, D. Johnson, and A. Perrig, “SEAD: Secure Efficient Distance Vector Routing for Mobile
Wireless Ad Hoc Networks”, In proceedings of the 4th IEEE Workshop on Mobile Computing Systems
and Applications, June 2002.
[12] K. Sanzgiri, B. Dahill, B.Levine, C. Shields, and E. Royer, “A Secure Routing Protocol for Ad Hoc
Networks”, In proceedings of the 10th IEEE International Conference on Network Protocols (ICNP
’02), November 2002.
[13] L. Zhou and Z. Haas, “Securing Ad Hoc Networks”, IEEE Network Magazine, vol. 13, no. 6, pages
24-30, November/December 1999.
[14] S. Zhu, S. Setia and S. Jajodia, “LEAP: Efficient Security Mechanisms for Large-Scale Distributed
Sensor Networks”, In proceedings of the 10th ACM Conference on Computer and Communications
Security (CCS '03), Washington D.C., October, 2004.
[15] M. Chen, W. Cui, V. Wen, and A.Woo (2000): “Security and Deployment Issues in a Sensor
Network”, http://www.cs.berkeley.edu/ wdc/classes/cs294-1- report.pdf, December 2000.
[16] A. Perrig, R. Canetti, J. D. Tygar, Dawn Xiaodong Song, “Efficient Authentication and Signing of
Multicast Streams over Lossy Channels”, In proceedings of IEEE Symposium on Security and
Privacy, May 2000.
[17] T. Park and K. Shin, “LISP: A Lightweight Security Protocol for Wireless Sensor Networks”, In
proceedings of ACM transaction on Embedded Computing systems, August 2004.
[18] K.Jones, A. Wadaa, S. Olanu, L.Wison, M. Eloweissy, “Towards a New Paradigm for Securing
Wireless Sensor Networks”, In proceedings of ACM, 2004.
[19] Y. Yu, R. Govindan, D. Estrin, “Geographical and energy aware routing: a recursive data
dissemination protocol for wireless sensor networks”, Tech. Rep. UCLA/CSD-TR-01- 0023, Computer
Science Department, University of California at Los Angeles, May 2001.
[20] B. Dahill, B. Levine, E. Royer, and C. Shields, “A Secure Routing Protocol for Ad hoc Networks”,
Tech Report 02-32, Dept. of Computer Science, University of Massachusetts, Amherst, 2001.
[21] P. Papadimitratos and Z. Haas, “Secure Routing for Mobile Ad Hoc Networks”, In proceedings of
SCS Communication Networks and Distributed Systems Modeling and Simulation Conference
(CNDS), 2002.
[22] Y. Hu, A. Perrig, and D. Johnson, “Packet Leashes: A Defense against Wormhole Attacks in Wireless
Ad Hoc Networks”, In proceedings of INFOCOM, 2004.
[23] L. Hu and D. Evans, “Using Directional Antennas to Prevent Wormhole Attacks”, In proceedings of
Network and Distributed System Security Symposium (NDSS), 2004.
[24] P. Bahl and V. Padmanabhan, “RADAR: An In-Building RF-Based User Location and Tracking
System”, In proceedings of INFOCOM, 2000.
[25] N. Sastry, U. Shanker, and D. Wagner, “Secure Verification of Location Claims”, In proceedings of
ACM Workshop on Wireless Security (WiSe), 2003.
[26] S. Capkun, L. Buttyan, and J. Hubaux, “SECTOR: Secure Tracking of Node Encounters in Multi-hop
Wireless Networks”, In proceedings of ACM Workshop on Security of Ad Hoc and Sensor Networks,
2003.