Content uploaded by Bruno Crispo
Author content
All content in this area was uploaded by Bruno Crispo on Jan 13, 2019
Content may be subject to copyright.
WISE: Lightweight Intelligent Swarm Attestation
Scheme for IoT (The Verifier’s Perspective)
Mahmoud Ammar
imec-DistriNet, KU Leuven
mahmoud.ammar@cs.kuleuven.be
Mahdi Washha
IRIT, Toulouse University
mahdi.washha@irit.fr
Bruno Crispo
Trento University, Italy
bruno.crispo@unitn.it
Abstract—The growing pervasiveness of Internet of Things
(IoT) expands the attack surface by connecting more and more
attractive attack targets, i.e. embedded devices, to the Internet.
One key component in securing these devices is software integrity
checking, which typically attained with Remote Attestation (RA).
RA is realized as an interactive protocol, whereby a trusted
party, verifier, verifies the software integrity of a potentially
compromised remote device, prover. In the vast majority of IoT
applications, smart devices operate in swarms, thus triggering
the need for efficient swarm attestation schemes.
In this paper, we present WISE, the first intelligent swarm
attestation protocol that aims to minimize the communication
overhead while preserving an adequate level of security. WISE
depends on a resource-efficient smart broadcast authentication
scheme where devices are organized in fine-grained multi-
clusters, and whenever needed, the most likely compromised
devices are attested. The candidate devices are selected intelli-
gently taking into account the attestation history and the diverse
characteristics (and constraints) of each device in the swarm.
We show that WISE is very suitable for resource-constrained
embedded devices, highly efficient and scalable in heterogenous
IoT networks, and offers an adjustable level of security.
Index Terms—Internet of Things (IoT), security, remote at-
testation, swarm, scalability, online learning, malware detection.
I. INTRODUCTION
Nowadays, Internet-connected embedded devices are in-
creasingly deployed in many aspects of modern life. Unfor-
tunately, such devices represent attractive targets for cyber
attacks as they are used in a wide range of applications
where they process privacy-sensitive information and perform
safety-critical tasks. Furthermore, the specialized nature of
these devices in terms of limited resources and computing
power hinders the realization of strong security mechanisms
to prevent cyber attacks. Hence, attacking such devices would
result in very severe consequences, exemplified by Stuxnet [1].
Remote attestation (RA) is a well-known security service
that enables the detection of malware-infected devices. It
allows a trusted entity, denoted as a Verifier, to verify the
internal state of remote untrusted IoT device, denoted as
aProver, by measuring its software integrity. Traditional
attestation protocols [2]–[4] consider only a single prover
device. However, the diverse applications of IoT are naturally
distributed and often embedded in numerous heterogeneous
computing devices deployed over wide geographical areas,
forming self-organizing mesh networks or swarms. Therefore,
applying traditional attestation protocols in such scenarios is
inefficient and entails a significant overhead, as the verifier has
to run the attestation protocol with each device individually.
Problem Statement. Recently, a number of research pro-
posals have been introduced to address swarm attestation
[5]–[11]. To this end, all of these attestation schemes are
efficient and reduce the communication overhead compared
to the naive approach of applying many times single prover
attestation. Nevertheless, they are sill rigid and not smart
enough to adapt the different requirements of the various IoT
devices, as whenever attestation takes place, all devices in the
swarm are involved without any distinction. However, in real
scenarios, connected devices in a mesh network have different
software configurations and possess heterogenous hardware
capabilities. Therefore, the equality approach followed by
existing attestation schemes still incurs substantial overheads.
First, it is harmful to engage safety-critical and time-sensitive
devices in periodic and potentially expensive (in terms of time
and energy) RA, especially when the attestation history shows
that they have never been compromised or rarely so. Second,
efficiency as a feature of scalable attestation is maintained
through many factors, and one of them is the aggregation of
attestation reports to reduce the message size. Larger the net-
work the bigger is the size of the aggregate. Many IoT devices
(such as IETF Class-1 [12]) have very limited memories that
are not sufficient enough to authenticate and store a big-sized
aggregate before propagating it till reaching the verifier. Third,
the vast majority of available attestation schemes assume time
synchronization which is difficult to handle in heterogenous
environments and incurs an extra overhead. Last, the nature
of some devices (due to their locations, time-sensitivity, tasks,
being previously compromised, etc.) requires to be more
frequently attested than others and vice versa.
Contribution. We present WISE, a lightweight, intelligent,
and scalable attestation protocol that is very suitable for
static heterogenous IoT networks, aiming for minimizing the
communication overhead and thus power consumption. In
WISE, the attestation of the entire swarm is distributed over a
large time window, where a subset of devices is attested every
time interval. The time window can be variable for each device
or subset of devices as it is adjusted dynamically at the verifier
side. WISE is smart in the sense that the verifier outputs a
candidate subset of devices to be attested after performing
online learning from the history of previous attestation periods
depending on Hidden Markov Model (HMM) [13], and taking
into account the various individual needs and characteristics
of connected devices in the swarm as conditions (or features).
Paper outline. The remainder of this paper is organized
as follows. § II reviews the related work. A system model is
presented in § III. § IV describes WISE in details, whereas
§ V highlights on the analytical model of the intelligence part
of WISE. The security analysis of WISE is discussed in § VI.
Implementation details and evaluations are reported in § VII.
§ VIII concludes.
II. RE LATE D WOR K
Single Device Attestation. Prior work in single-prover RA
can be divided into three main categories: hardware-based
techniques [2] that rely on a built-in secure hardware (e.g.
Trusted Platform Module (TPM) [14]) in the prover device,
software-based techniques [3] that do not require any hardware
and depend only on some strict assumptions (e.g. accurate
time measurements), and hybrid approaches [4] that build
atop minimal hardware modifications to the existing low-
end IoT platforms [15]. Abstractly speaking, each of these
categories has pros and cons. Nevertheless, all of them target
a single-device attestation. Accordingly, they are not efficient
for swarm attestation.
Swarm Attestation. The recently proposed attestation
schemes [5]–[11] have addressed the attestation problem at
a large scale where a significant number of devices have to be
attested efficiently and securely. These proposals differ from
each other in various ways: (i) the attestation protocol imple-
mented (e.g. interactive [5]–[8], [10], [11] or non-interactive
[9]), (ii) the methodology followed in attesting the entire
swarm (e.g. tree-based approaches [5]–[10] or distributed ones
[11]), (iii) the adversary model considered (e.g. remote-only
attacker [5], [6], [8], [9], or remote and physical attackers
[7], [10], [11]), (iv) type of the mesh network (e.g. highly
dynamic networks [11], or fairly dynamic and static topologies
[5]–[10]), (v) the consideration of the mesh network (e.g.
neighbour discovery, heterogeneity, broadcasting, unicasting,
etc.), and (vi) the cryptography employed (symmetric key [8],
[10], public key [6], [11], or both [5], [7]).
To the best of our knowledge, all existing swarm attesta-
tion protocols attest all devices in the swarm whenever the
attestation routine is conducted.
III. SYS TE M MOD EL
Overview. We consider a mesh network with various het-
erogenous low-end embedded devices. The network should be
static or quasi-static 1which we argue that this is the case of
the majority of IoT application domains (e.g. smart buildings,
etc.). The verifier should know in advance the exact network
topology. Henceforth, we refer to the verifier as υand the
prover as ρ.
Device Requirements. We assume that each device Diin a
swarm Ssatisfies the minimum hardware properties required
for secure RA [15] which are ROM and memory protection
1Devices only move within the same covering communication range as
when they are static.
unit (MPU). The ROM is needed to store the attestation
routine and cryptographic keys, whereas the MPU is required
to enforce access control over secret data. Also, we assume
that υis a powerful device, i.e. Raspberry PI class or higher.
Adversary Model. We consider a software-only adversary,
adv, who has the ability to perform remote attacks (Dolev-Yao
model [16]). Thus, adv has full access to the network and can
either perform passive (e.g. eavesdrop on communication, etc.)
or active (e.g. inject a malware, etc.) attacks. In line with the
majority of existing swarm attestation techniques, We rule out
all kinds of DoS and physical attacks.
IV. WISE: PROTO CO L DESCRIPTION
Overview. WISE is a smart scalable attestation protocol
which consists of two different phases. The first phase (§ IV-A)
takes place once before the deployment where all devices
are initialized by a trusted party (in our case, υ) with some
public and private data, and distributed logically over different
clusters. In the second phase (§ IV-B), whenever needed, υ
performs the collective attestation over a subset of devices
(instead of the entire swarm) that are wisely selected depend-
ing on the attestation history of every device and taking into
account the individual characteristics of these devices. In the
remaining of this section, we informally explain both phases,
whereas in § V, we highlight on the analytical model.
A. Initialization Phase
υinitializes each ρwith two device-specific keys for mutual
authentication (dki) and attestation (aki) purposes, and one
master key that is shared among all devices at the swarm-
level (km). Also, each ρstores its own unique ID (Di), and
the message authentication code (MAC) of the correct software
state (Ms) of its memory (MeM), computed using aki.
Based on the recent taxonomies of addressing security
challenges and IoT attacks [17], [18], we identify five main
categories to classify IoT devices, where each category has
different clusters and every cluster has a unique ID (ci):
•Geographical Location: ρ’s are divided into clusters based
on their geographical locations.
•Software Configurations: ρ’s are grouped into clusters
according to partial or full similarities in their software.
•Hardware Capabilities: ρ’s are grouped into clusters ac-
cording to the type of hardware they possess.
•Security & Safety: its application dependent feature
which classifies ρ’s according to how critical they are to
Di
Geographical
Location
Software
Configuration
Hardware
Capabilities
Security and
Safety
Time
Sensetivity
G1
G2
Gt
S1
S2
Sk
H1
H2
HF
F1
F2
FL
T1
T2
TP
Dj
Fig. 1: An example of classifying two devices into clusters
Verifier (v)
Attestreq
Device DiDevices Dj, Dk, ...
Attestreq
Dj & Dk proceeds like Di ...
Attestrep
Attestrep
Verify(Attestrep) & UpdateRecords()
All messages exchanged are authenticated by computing MAC using km
5
T ← max. waiting time for aggregates
Nonce ← generateNonce()
Attestreq ← (Nonce || T || Cattest || Cbridge)
Broadcast(Attestreq)
Intelligence Part
Nattest ← getSubsetDevicesToAttest(S, threshold)
Nbridge ← exploreBestPath(Nattest)
Cattest, Cbridge ← clusters(Nattest,Nbridge)
1
2
IF ∃ Ci ∈ (Cattest || Cbridge) ∋ Di
Broadcast(Attestreq)
startTimer(T)
IF ∃ Ci ∈ Cattest ∋ Di
ackToSender()
attest ← MAC(aki||Nonce||MeM)
repi ← Report(Di, Attest)
Execute Securely (e.g. in TEE)
3
Execute Securely (e.g. in TEE)
IF allChildrenReplied || isOver(T)
Attestrep ← aggregateReports()
Propagate(Attestrep)
4
Interactive Part
Fig. 2: An overview of the attestation phase in WISE
the application domain considering a combination of the
task they perform and the security mechanism employed
by the hosting hardware.
•Time Sensitivity: ρ’s are classified into clusters according
to their time constraints and how critical is it to deviate
them frequently from doing their tasks.
Number of clusters in each category is application-
dependent value. Each ρshould virtually belong to one cluster
of each category by storing its identifier (ci) in its memory as
shown in Figure 1. The goal of the multi-clustering technique
is twofold; First, it significantly reduces the communication
overhead in terms of number and sizes of exchanged packets,
as explained in § V. Second, over time, υcan learn from the
attestation history the behavior of adv by realizing the clusters
that have frequently compromised devices, thus being able to
patch common vulnerabilities. Please note that two important
points. First, considering the attacker model in § III, the master
key approach is secure (in spite of its simplicity) since the
remote attacker can not access the protected memory area.
Therefore, for now, there is no need to identify secret keys at
the cluster-level. Second, The selection criteria of categories
and clusters is flexible as more or less categories can be
considered depending on the application domain.
B. Attestation Phase
Initially, υinitiates the attestation routine for all devices
as there is still no history and thus all ρ’s in the swarm
are attested. Depending on authenticated broadcast messages,
υpropagates an attestation request (Attestreq ), containing a
nonce to avoid replay attacks, to all ρ’s in the vicinity, which
is then further propagated in the network via broadcasting too,
thus forming a virtual spanning tree. Attestreq contains also
the maximum time (T), through which, each ρhas to send a
valid reply, where Tis adjusted w.r.t the slowest ρincluded in
that attestation. The calculation of various time values takes
place once all classes of devices are in a healthy state at
deployment time to avoid delay-related attacks (e.g. down-
grade or black hole attacks) [19]. Therefore, every receiver ρ
acknowledges receiving Attestreq to the sender device, thus
determining the number of replies that should be received.
Each ρanswers Attestreq by producing an attestation report
(repi). repiconsists of the device identifier (Di) in addition
to an attest value reflecting its state. All attestation reports are
propagated back after being aggregated at every intermediate
ρusing a secure aggregation scheme [20] till reaching υ.
After running the attestation routine few times 2,υstarts
behaving smartly by distributing the attestation over a dynam-
ically variable time window, where each time the most likely
compromised devices are only attested (see 1
in Figure 2). In
the selection process of the candidates, υtakes into account
the following factors: (i) the attestation history of each ρand
its direct neighbours, (ii) the ratio of compromised devices in
every cluster that ρbelongs to, (iii) the maximum time that
ρcould stay without being attested (this is specified in the
initialization phase), (iv) the degree of importance of ρ’s task
to be attested more often (this can be inferred from Security
& Safety category), and (v) the time constraints of ρw.r.t
real time tasks that should not be interrupted (or rarely so).
In principle, other criteria can be considered in the selection
process of devices and the frequency of performing attestation.
The minimum number of candidates (i.e. threshold) is an
2Number of times is an application-dependent value that determines the
level of confidence. In our case, we consider the worst scenario when the
attacker behaves randomly. Therefore, a high number of times, e.g. thousands
of times, does not really enhance the accuracy. In the experiment section later
on, we adjust this number to be only 100 times.
application-dependent value.
In order to keep the size of Attestreq small, the attestation
target will be at the cluster-level. Therefore, upon learning, υ
finds out the near-optimal set of clusters (Cattest) (in terms
of number of devices and number of hops) that cover the
output candidates in order to minimize the communication
overhead (given the network topology). Furthermore, if some
of the selected devices are not directly reachable by υor by
other selected devices, υfinds out the minimal set of clusters
(Cbridge ) that would participate in the attestation routine as
bridges. Their goal is only broadcasting the received Attestreq
and then propagating the delivered attestation reports. Unless
there are no other alternatives to reach some or all devices
in Cattest,υavoids including the clusters that contain time-
sensitive devices in Cbridge.
Once both sets of clusters are generated, υcreates Attestreq
containing them along with the nonce value and T. Any
receiver ρre-broadcasts Attestreq if it belongs to one of the
clusters included in either sets, and computes its attestation
report if it is only a member in one of the clusters in
Cattest (see 2
). Finally, each ρpropagates the aggregate
of attestation reports if either all children are replied or the
maximum waiting time is over (see 4
). υverifies the delivered
aggregates and accordingly updates the history records of each
ρ, and then measures are taken against compromised devices.
V. WISE: ANALYTICAL MODEL
In this section, we describe the formal mathematical model
of the intelligence part of WISE, whereas in the next section
(§ VI), we analyze the security of our protocol.
A. Notations and Definitions
Let G(S, L)be a graph of an IoT mesh network where
S(the swarm) is a finite set of devices (nodes) represented
as S={D1, D2, . . . , Dn}, and Lis the set of direct links
between nodes. We define kuncorrelated categories as Cats =
{C1, C2, . . . , Ck}where C•represents the category name (i.e.
geographical). Each C•contains a set of clusters, defined as
C•={c•1, c•2, . . . , c•m}where mis the number of clusters.
Each Di∈Sshould belong to only one c•iin every C•. In
nutshell, the following properties must be satisfied:
1) Non-overlapping: For each C•,T
1≤i≤|C•|
c•i=∅.
2) Network Coverage: For each C•,S
1≤i≤|C•|
c•i=S.
3) Uniformity: ∀D•∈S,Pk
i=1 |{D•}∩ S
1≤j≤|Ci|
cij |=k.
Given the network topology, each Di∈Sis represented
as a < key, value > map, where key is the unique Di
and value is an 8-tuple of metadata represented as fol-
lows: hDclusters, Tmax , Dhistory , Dattest,t, Tlast , Dneighbors ,
Dpaths, Ddegr eei. Each attribute is defined as follows:
•Dclusters :the kclusters where Diis a member in.
•Tmax ∈Z+:the maximum time (in minutes) that Di
can stay without attestation.
•Dhistory :the attestation history of Di, represented as
an ordered finite set {a0, a1, . . . , at−1}, where a•∈
{0,1, x}as 0 means that Diwas compromised, 1 refers
to a healthy state, and xmeans that Dihas not been
attested in the considered iteration.
•Dattest,t ∈ {0,1, x}:the predicted attestation response
in the current iteration (t).
•Tlast ∈Z+:it is the last time (in minutes) that Dihas
been attested.
•Dneighbors ⊂S:it is the set of devices that are
directly connected with Di, represented as Dneighbors =
{Dj|lij ∈L, Dj∈S}where lij is an undirected link.
•Dpaths :an ordered set of the top mshortest paths that
υcan follow to reach Di. Each path is represented as a
set of devices from source (υ) to destination (Di).
•Ddegree ∈[1,|Ck|]: it represents the degree of sensitivity
w.r.t real time tasks where 1 means extremely sensitive.
B. Problem Formalization
Given the < key, value > map of devices, the intelligence
part of WISE (see 1
in Figure 2) can be represented as multi-
objective optimization problem.
1) Candidates Selection: υleverages the attestation history
of each Dias a heuristic information for computing the
probability of being uncompromised in the next attestation
iteration. Considering the calculated probabilities of devices
along with their time constraints, the candidates selection
problem is formalized as follows:
minimize
α1,...,α|S|
|S|
X
j=1
αj∗P r(Dj.Dattest,t = 1|Ot)s.t.
|S|
X
i=1
αi
|S|≥T hcov,
Min{(1 −αi)∗(Di.Tlast +Di.Tmax −Tcurrent ):1≤i≤ |S|} >0
(1)
where |S|is the number of devices in the swarm, α∈ {0,1}
is a binary free variable at which the optimization step
is performed for either excluding (0) or including (1) Dj
in the attestation, P r(Dj.Dattest,t = 1|Ot)represents the
probability of the jth device being uncompromised in the
current attestation iteration (once the interactive part takes
place) given Otas a set of features (observations), Tcurrent
is the time (in minutes) of running the interactive part of
the current iteration. T hcov is a constraint in the objective
function which represents the minimum ratio of devices to be
covered. The second constraint guarantees attesting all devices
within the predefined time window. The output is a set of the
most likely compromised devices that is formally defined as
Nattest ={Di:Di∈S, αi= 1}.
2) Best Route Exploration (gap bridging): WISE depends
on an authenticated broadcast technique to emit Attestreq .
Getting Attestreq delivered to all candidates selected in
§ V-B1 should incur a minimal communication and runtime
overhead. Therefore, a minimum number of devices should
be involved in delivering Attestreq to the candidates and
then propagating their aggregated reports to υ. Unless there
are no other alternatives, time-sensitive devices should not be
involved and deviated from doing their main tasks. The gap
bridging problem is formalized as follows:
minimize
β1,...β|Pcomb|X
hP1,...,P|Nattest|ij∈Pcomb
βj∗X
D•∈UDi
D•.Ddegree
s.t.
|Pcomb|
X
i=1
βi= 1
(2)
where Pcomb =Q|Nattest|
a=1 Da.Dpaths is the Cartesian product
of the set of paths of each candidate device, |Pcomb|is the car-
dinality (length) of path combinations set, hP1, . . . , P|Nattest|ij
is the jth tuple element in Pcomb which corresponds to best
(shortest) paths combination among |Pcomb|different possibil-
ities, βj∈ {0,1}is a binary free optimization variable for the
jth paths combination, and UDi=Si=|Nattest|
i=1 Pirepresents
a set of nodes resulted by unifying a combination of shortest
paths associated with the jth tuple hP1, . . . , P|Nattest|ij. The
imposed constraint is to ensure the selection of a single
combination of paths. The output is a set of nodes, defined
as Nbridge ={D•:hP1, . . . , P|Nattest |ij∈Pcomb, D•∈
Si=|Nattest|
i=1 Pi, βj= 1}.
3) Clusters Selection: adding the IDs of candidate devices
(along with bridge devices) to Attestreq hinders the scalability
as the message size will be big. This also sharply increases
the communication overhead as well as the processing time at
ρside. We overcome this limitation by targeting the cluster-
level. In such case, Attestreq will include the identifiers of the
minimal set of clusters that cover the selected devices w.r.t.
the communication overhead. This is formalized as follows:
minimize
γ11,γ12 ,...γ|Ck|m
k
X
j=1
|Cj|
X
i=1
γji ∗ComOverhead(cji )s.t.
∀D•∈Nattest ∪Nbridge
k
X
j=1
|Cj|
X
i=1
γji ∗ |cji ∩ {D•}| ≥ 1
(3)
where kis the number of categories, |Cj|is the number
of clusters in the jth category, cj i represents the ith
cluster in the jth category, C omOverhead(•)is a
function that computes the communication overhead in
terms of number of hops, γji ∈ {0,1}is a binary free
variable at which the optimization process is performed
so that 1value means that the cluster cji is selected. The
constraint imposes selecting the most relevant clusters to
the unified set of Nattest ∪Nbridge . The output is two sets
of clusters represented as Cattest ={cji :cji ∈Cj, j ∈
{1, . . . , k}, i ∈ {1,...,|Cj|}, γj i = 1, cji ∩Nattest 6=∅},
and Cbridge ={cji :cji ∈Cj, j ∈ {1, . . . , k}, i ∈
{1,...,|Cj|}, γji = 1, cji ∩Nattest =∅} respectively.
Solvers. We identify three heuristic approaches as solvers
to provide near-optimal solutions for each of the formalized
optimization problems. Due to the limited space, we omit
the description of these approaches. However, to guarantee
the reproducibility and verifiability of our results, we make
the pseudo code of these solvers in addition to the full
source code of the intelligence part publicly available at
https://github.com/Mahmoud-Ammar/wise.
C. Probabilistic Model
To compute the probability component,
P r(D•.Dattest,t|Ot), in the candidates selection problem,
we use HMM for two main reasons. First, it computes
the probability distribution of discrete hidden (unknown)
states (i.e. compromised or uncompromised) over sequences
(time-series) of observations (i.e. number of compromised
neighbours). Accordingly, it is suitable to deal with the worst
case scenario when the attacker works randomly. Seconds,
in spite of assuming a powerful verifier, it is compact
and very fast to use, compared to other techniques (i.e.
Recurrent Neural Networks) which are very time-consuming
(iterative-based) and require a very big memory to store the
< key, value > map when considering large mesh networks.
HMM notations. At any iteration t, two hidden states
are identified: compromised (Dattest,t = 0) and uncompro-
mised (Dattest,t = 1). Considering the < key, value >
map, a vector of observations Otis formed for each D•by
selecting Mrandom independent variables (features). Given
a sequence of observations {O1,...,Ot}, learning Dattest,t
requires computing the following HMM parameters θ=
{π, H, b0,f1,...b0,fM, b1,f1, . . . b1,fM}:
•The state transition matrix (H): it has the probabilities
of transitioning from a state to the other. For instance,
h0,1is the probability of D•to be healthy given that
D•’s previous state is compromised (i.e. P r (Dattest,t =
1|Dattest,t−1= 0)).
•The initial state probability distribution (π): it initializes
the probability distribution over |Q|values, where Qis
the set of hidden states and |Q|is its cardinality.
•The emission (observation) probability distributions
({b1,f1,...b1,fM, b0,f1,...b0,fM}): it requires |Q| × M
distributions for inferring values. For instance, b0,f1is the
probability distribution of observing the value of feature
f1(i.e. number of compromised devices in a joint cluster)
when D•is predicted to be compromised.
Probability Computation. By leveraging the D•’s attesta-
tion history set (Dhistory ), we estimate the HMM parameters,
θ, using the Maximum Likelihood Estimation (MLE) method
for a given set of observations. More precisely, the MLE finds
the values that maximize the likelihood of generating the given
observations. This is formalized as:
θmle =arg max
θ∈Θ
P r(L|θ)s.t. X
i∈Q
πi= 1,
Y
j∈QX
i∈Q
hi,j = 1,Y
i∈QY
v∈{1,...,M}ZR
bi,v(x)dx = 1
(4)
where Θis the search space of HMM parameters, L=
{(x1, y1), ..., (xm, ym)}is a set of mdistinct groups of paired
sets of observation and D•’s attestation responses, (x•, y•) =
({Ot1, ..., Ot2},{at1, ..., at2}),1≤t1< t2,x•is a sequence
of observation (feature) vectors, and y•is a sequence of true
hidden states from iteration t1to t2. The first two constraints
should equal 1 according to the HMM. The last constraint is
associated to |Q|× Memission probability distributions where
the area under each distribution should equal 1 and accordingly
the multiplication of the |Q| × Mdistributions area equals 1.
The probability of generating any sequence of observations
can be written using the HMM parameters θas follows:
P r((x•, y•)|θ) = Y
i∈Q
πf(i,y•)
i∗Y
i∈QY
j∈Q
hf(i,j,y•)
i,j
∗Y
i∈QY
Ot∈x•Y
ot,v∈Ot
bi,v(ot,v )f(i,v,ot,v,x•,y•)(5)
where f(i, y•)is an integer ∈[0,1] representing the occur-
rence of the state igiven a sequence y•,f(i, j, y•)is the
number of occurrences of having a transition from the state j
to iin the given true states sequence y•, and f(i, v, ot,v, x•, y•)
is the number of times of observing the value ot,v of feature
vin the given sequence of observations x•and true hidden
states y•when the HMM process is in the state i.
The values of θparameters can be obtained by assuming that
for each sequence of the training mgroups, the probability
of generating Lequals to the probability multiplication of
generating each sequence individually, formalized as:
P r(L|θ) =
m
Y
l=1
P r((xl, yl)|θ) =
m
Y
l=1 Y
i∈Q
πf(i,y•)
i
∗Y
i∈QY
j∈Q
hf(i,j,y•)
i,j Y
i∈QY
Ot∈x•Y
ot,v∈Ot
bi,v(ot,v )f(i,v,ot,v,x•,y•)!
(6)
P r(L|θ)is a concave function having only one global
maximum value. Hence, we compute the partial derivatives
of P r(L|θ)w.r.t each free parameter in θ. Thus, the values
of HMM parameters that make each of the partial derivatives
equals to zero ( ∂P r (L|θ)
∂a1,1= 0,∂ P r(L|θ)
∂π1= 0,∂ P r(L|θ)
∂b0,f1
= 0,
. . . ) are computed as follows:
πi=Pm
l=1 f(i, yl)
Pk∈QPm
l=1 f(k, yl)hi,j =Pm
l=1 f(i, j, yl)
Pk∈QPm
l=1 f(i, k, yl)
(7)
bi,v(o) = Pm
l=1 f(i, v, o, xl, yl)
Pm
l=1 RRf(i, v, o0, xl, yl)do0(8)
The resulted values are normalized and accordingly they
implicitly satisfy the constraints in eq. (4).
Inference. Given the resulted HMM parameters, for any
D•, the probability of being uncompromised at iteration tis
computed as:
P r(D•.Dattest,t = 1|Ot) = X
j∈Q
πjh1,j Y
ov∈Ot
b1,v(ov)(9)
VI. WISE: SECURITY ANALYSIS
In principle, the time constraint in eq. (1), that is demon-
strated by either a variable time window for each device or a
fixed one for all, makes WISE (in spite of being operating in
Attest. Iteration
1 2 3 4
Time
Attested
Not-attested
(a) A fixed time window of 4 iterations for a group of devices.
D2
D2
D1
D1
D2
D1
D1
D2D2
D1D1
D2
D1
D2D2
D1
Time
12345678
Attested
Not-attested
(b) An example of variable time window for two devices, where it
is 3 for D1and 4 for D2.
Fig. 3: An overview of the timing technique used in WISE
that ensures covering all devices in the attestation within a
variable/ fixed time window.
a smart probabilistic way that maintains a minimum commu-
nication overhead) at the same deterministic security level as
other existing swarm attestation schemes. For instance, these
schemes verify the integrity of the entire swarm each particular
period of time (e.g. every 6 hours). During this period (the
time between two successive attestation routines), the status of
devices is unknown as some of them might be compromised
and accordingly they will remain compromised till the next
attestation routine is launched. WISE takes advantages of this
long silent time period (time window) by distributing the
attestation over it and thus minimizing the communication
overhead. Furthermore, The approach followed by WISE
has two other main advantages. First, it complies with the
individual differences and characteristic of devices (e.g. some
devices has to be more frequently attested than others and vice
versa as shown in Figure 3 where both fixed and variable time
window techniques are illustrated). Second, it is robust against
a roving malware 3, whereas all other existing schemes are
not. In WISE, such kind of malware can not be aware of the
attestation schedule because the time window of any device
could be variable and represents only the upper bound, by
which, the device should be attested at least once, whereas it
could be many times as shown for some devices in Figure 3a,
depending on the output of the intelligence mechanism.
In particular, the communication cost in WISE depends
on the tolerated latency of detecting (possibly) compromised
devices, where in each attestation iteration Ai,mout of n
devices are attested, and mis an application-dependent value
referring to the likelihood of a device to be compromised.
WISE avoid starvation cases by identifying a (variable) max-
imum time window (W), through which, each Diis attested
at least once. We elaborate on the security of WISE in two
streams: (i) per time window, and (ii) per attestation iteration.
3Roving malware is an advanced kind of malware that is always aware of
the attestation schedule of the IoT device and thus it is only active between
any two successive attestation routines which deletes itself at the beginning
of the attestation to evade detection.
A. Security of WISE per time window.
This is formalized by the following adversarial experiment
AT T n,c
adv(j), where adv interacts with ndevices, and compro-
mises up to cdevices in Saccording to the adversarial model
presented in § III, where 0≤c≤n. Considering that adv
is computationally bounded to the capabilities of the devices
deployed in S,adv interacts with the devices a polynomial
number of times j, where jis a security parameter. υverifies
the attestation aggregates received in all Ai’s within the time
window (W) and outputs a decision as 0 or 1. Denoting the
decision made as A,A= 1 means that all devices are attested
and compromised ones are detected, or A= 0 otherwise.
Theorem 1. WISE is secure if P r[A= 1 |AT T n,c
adv(j)==
A] is negligible for 0 < c ≤n.
Proof. Considering eq. (1), ∀D•∈S:
W
[
i=1
{Dattest,i}∩{0,1} 6=∅(10)
In other words, each D•in Swill be attested gtimes within
Ww.r.t Tmax (see § V-A), where 1≤g≤ |Ai|. It is important
to mention that this is valid under the assumption that both
MAC and aggregation schemes are secure and the attestation
routine in the device itself is atomic.
B. Security of WISE per attestation iteration (Ai).
The security of WISE per Aiis a probabilistic value which
range from (1−m
n) to 1, where (1−m
n) is the worst
case when all unselected devices in the current attestation
are compromised. Considering the probabilities calculated in
eq. (9), we calculate the probability of having a secure swarm
(no undetected compromised devices) as: P r[Ai= 1] ≥T hsec,
where T hsec is a security threshold computed as:
T hsec =m
n+PD•/∈AiP r(D•.Dattest,t = 1|Ot)
n(11)
VII. IMPLEMENTATION & EVALUATION
A. Implementation
A prototype of WISE has been implemented over a hetero-
geneous mesh network consisting of 12 nodes with different
hardware and software configurations where each node be-
longs to Raspberry PI, Arduino Uno, Arduino Due, Arduino
Zero, Microship STK 600 with AVR Atmega644P MCU, or
MicroPnP IoT platform [21]. Each platform is equipped with
IEEE 802.15.4e radio transceiver for wireless communication.
SHA-256 is employed as a keyed-hash message authentication
code (HMAC) to measure the software integrity during the
attestation phase. The precise time consumed by the various
cryptographic and interactive operations in each platform is
measured in order to simulate large mesh networks. A Rasp-
berry PI 3 is selected to act as a verifier. In the implementation
of HMM, the ratio of compromised neighbours along with the
ratio of compromised devices in each corresponding cluster
are selected as features (observations) for each device.
B. Evaluation
OMNeT++ framework [22] is used to simulate large net-
works with different configurations. The computational and
network delays are adjusted according to the experimentally
measured values in the prototype implemented. Three different
scenarios are simulated, where each scenario composes of 10
different-sized networks ranging from 1k to 10k devices. The
various mesh networks in all scenarios are deployed randomly.
In scenario 1, the number of neighbours of each node is set
to be a random value from 1 to 5, whereas it is set to be from
1 to 7 in scenario 2 and from 2 to 10 in scenario 3.
Each contiguous group of devices are selected to be in the
same geographical cluster with a random size of 10, 20, or
30 devices. The devices are deployed randomly over other
clusters in other categories. We assigned 6 different clusters
in the hardware category and 40 clusters in the software one.
The last two categories are composed of 10 different clusters.
For each network in each scenario, we first run the attes-
tation routine in a uniform state (all devices are attested) 100
times, where each time, we set up an adversarial model to
attack randomly a number of devices ranging from 0 to 30%
of the network size. After then, WISE takes place.
In all following figures, we set the minimum coverage of
candidate devices per attestation iteration to be 20% of the
network size, and the number of attacked devices is random
in each iteration (0 to 30% of the network size).
Security and Robustness. Figure 4a and 4b represent two
examples of two different-sized networks, where in each one,
we show two cases of detecting high and low number of
compromised devices. In these figures, the attack took place
once before the first iteration. All compromised devices are
detected by the 5th iteration (half of the longest time window
as we modeled the variable time window as a discrete event
in terms of number of iterations, where for each device, we
set it to be a random value from 4 to 10).
Figure 4c shows the worst, average, and best ratio of de-
tected compromised devices (per iteration) after running WISE
30 times in each network. Each time, a different number of
devices is randomly compromised. The worst ratio was almost
higher than 25%, whereas the average ratio was around 45%
(with 20% coverage). Figure 4f shows the ratio of detected
compromised devices if the attacker was targeting a specific
class of devices (in our case, we modeled it to attack Arduino-
zero cluster). Results show that the detection ratio with a
targeted attacker is higher than the random one where in many
iterations it was 100% at best, with an average of about 62%.
Scalability and Efficiency. Figure 4d and 4e illustrate
the average size of aggregated reports and the number of
exchanged messages in WISE respectively (compared to the
traditional approach of attesting the entire swarm). Both fig-
ures show how efficient and scalable WISE is. We do not show
the total runtime of WISE as it is hardware-dependent. Please
note that WISE is always faster than other existing swarm
attestation schemes as it only targets a subset of devices.
Memory footprint and Computation Time. At ρside,
WISE requires less than 100 bytes of permanent storage for
Attested (high comp.)
Attested (low comp.)
Compromised
Detected
Number of Devices
0
100
200
300
400
Iteration Number
0 1 2 3 4 5
(a) Scenario of a 1000-node network
Attested (high comp.)
Attested (low comp.)
Compromised
Detected
Number of Devices
0
1000
2000
3000
4000
Iteration Number
0 1 2 3 4 5
(b) Scenario of a 10000-node network
Scen.1 (best)
Scen.1 (avg)
Scen.1 (worst)
Scen.2 (best)
Scen.2 (avg)
Scen.2 (worst)
Scen.3 (best)
Scen.3 (avg)
Scen.3 (worst)
Detection Ratio
0
0.25
0.50
0.75
1.00
Number of Devices
5k 10k
Random Attacker
(c) Detection rate with Random Attacker
Traditional (full coverage)
Scen.1 (min. 20% coverage)
Scen.2 (min. 20% coverage)
Scen.3 (min. 20% coverage)
Average size of aggregates (KB)
10k
20k
30k
Number of Devices
2k 4k 6k 8k 10k
(d) Average size of Aggregates
Scen.1 (full)
Scen.2 (full)
Scen.3 (full)
Scen.1 (min. 20%)
Scen.2 (min. 20%)
Scen.3 (min. 20%)
Number of Packets
20k
40k
60k
80k
100k
Number of Devices
5k 10k
(e) Average number of exchanged Packets
Scen.1 (best)
Scen.1 (avg)
Scen.1 (worst)
Scen.2 (best)
Scen.2 (avg)
Scen.2 (worst)
Scen.3 (best)
Scen.3 (avg)
Scen.3 (worst)
Detection Ratio
0
0.25
0.50
0.75
1.00
Number of Devices
5k 10k
Targeted Attacker
(f) Detection rate with Targeted Attacker
Fig. 4: Evaluation of WISE
storing the secret keys and clusters IDs, whereas it requires
no more than 5 MB at υside to store a knowledge base
(< key, value > map) for a network consisting of 10k devices
regardless the length of the attestation history. Computation-
ally, for a network of 10k devices, the initial step that occurs
once at υside (computing the shortest paths, etc.) requires
no more than 6 minutes. Then, the intelligence part of WISE
requires less than 9 seconds each time. The verification of the
attestation aggregates of 10K devices and updating the records
in the knowledge base consumes no more than 3.5 seconds.
VIII. CONCLUSION
This paper presented WISE, the first smart swarm attestation
protocol for the Internet of Things that relies on a resource-
efficient machine learning technique using Hidden Markov
Model. WISE is scalable and highly efficient to be used in
(quasi-) static networks consisting of thousands of heteroge-
nous IoT devices. The minimized communication overhead
depends on the tolerated latency of detecting (unlikely) com-
promised devices. This makes WISE very suitable to be used
in various application domains, especially, in time-sensitive
and safety-critical ones such as smart factories.
REFERENCES
[1] R. Langner, “Stuxnet: Dissecting a cyberwarfare weapon,” IEEE Security
& Privacy, vol. 9, no. 3, pp. 49–51, 2011.
[2] B. Parno, J. M. McCune, and A. Perrig, “Bootstrapping trust in commod-
ity computers,” in Security and privacy (SP), IEEE symposium, 2010.
[3] Y. Li, J. M. McCune, and A. Perrig, “SBAP: Software-Based Attestation
for Peripherals,” in Proceedings of the 3rd International Conference on
Trust and Trustworthy Computing, pp. 16–29, Springer-Verlag, 2010.
[4] K. Eldefrawy, G. Tsudik, A. Francillon, and D. Perito, “SMART: Secure
and Minimal Architecture for (Establishing Dynamic) Root of Trust.,”
in 19th Annual NDSS Symposium, The Internet Society, 2012.
[5] N. Asokan, F. Brasser, A. Ibrahim, A.-R. Sadeghi, M. Schunter,
G. Tsudik, and C. Wachsmann, “Seda: Scalable embedded device
attestation,” in Proceedings of the 22nd ACM SIGSAC Conference on
Computer and Communications Security, pp. 964–975, ACM, 2015.
[6] M. Ambrosin, M. Conti, A. Ibrahim, G. Neven, A.-R. Sadeghi, and
M. Schunter, “Sana: secure and scalable aggregate network attestation,”
in Proceedings of the 2016 ACM CCS Conference, pp. 731–742, 2016.
[7] A. Ibrahim, A.-R. Sadeghi, G. Tsudik, and S. Zeitouni, “Darpa: Device
attestation resilient to physical attacks,” in Proceedings of the 9th ACM
WiSec Conference, pp. 171–182, ACM, 2016.
[8] X. Carpent, K. ElDefrawy, N. Rattanavipanon, and G. Tsudik,
“Lightweight swarm attestation: a tale of two lisa-s,” in Proceedings
of the 2017 AsiaCCS Conference, pp. 86–100, ACM, 2017.
[9] A. Ibrahim, A.-R. Sadeghi, and S. Zeitouni, “”seed: secure non-
interactive attestation for embedded devices”,” in Proceedings of the
10th ACM WiSec Conference, pp. 64–74, ACM, 2017.
[10] F. Kohnh¨
auser, N. B¨
uscher, S. Gabmeyer, and S. Katzenbeisser, “Scapi:
a scalable attestation protocol to detect software and physical attacks,”
in Proceedings of the 10th ACM WiSec Conference, pp. 75–86, 2017.
[11] F. Kohnh¨
auser, N. B¨
uscher, and S. Katzenbeisser, “Salad: Secure and
lightweight attestation of highly dynamic and disruptive networks,” in
Proceedings of the 2018 AsiaCCS Conference, ACM, 2018.
[12] C. Bormann, M. Ersue, and A. Keranen tech. rep., IETF.
[13] L. R. Rabiner, “A tutorial on hidden markov models and selected
applications in speech recognition,” Proceedings of the IEEE, vol. 77,
no. 2, pp. 257–286, 1989.
[14] Trusted Computing Group, “TPM Main Specification Level 2 Version
1.2.” http://www.trustedcomputinggroup.org/tpm-main- specification/,
2011. [Online; accessed 13-February-2017].
[15] A. Francillon, Q. Nguyen, K. B. Rasmussen, and G. Tsudik, “A
minimalist approach to remote attestation,” in Design, Automation and
Test in Europe Conference and Exhibition (DATE), IEEE, 2014.
[16] I. Cervesato, “The dolev-yao intruder is the most powerful attacker,” in
16th Annual Symposium on Logic in Computer Science—LICS, 2001.
[17] S. Sicari, A. Rizzardi, L. A. Grieco, and A. Coen-Porisini, “Security,
privacy and trust in internet of things: The road ahead,” Computer
networks, vol. 76, pp. 146–164, 2015.
[18] R. V. Steiner and E. Lupu, “Attestation in wireless sensor networks: A
survey,” ACM Computing Surveys (CSUR), vol. 49, no. 3, p. 51, 2016.
[19] P. Pongle and G. Chavan, “A survey: Attacks on rpl and 6lowpan in
iot,” in Pervasive Computing (ICPC), 2015 International Conference
on, pp. 1–6, IEEE, 2015.
[20] J. Katz and A. Y. Lindell, “Aggregate message authentication codes,” in
Topics in Cryptology–CT-RSA 2008, pp. 155–169, Springer, 2008.
[21] N. Matthys, F. Yang, W. Daniels, W. Joosen, and D. Hughes, “Demon-
stration of micropnp: the zero-configuration wireless sensing and actu-
ation platform,” in SECON, 13th Annual IEEE Conference, 2016.
[22] A. Varga, “The omnet++ discrete event simulation system (http://www.
omnetpp. org). european simulation multiconference, prague,” 2001.