Resilient aggregations: Statistical approach

Abstract

Sensor networks are distributed systems, consisting of hundreds or thousands of tiny, low-cost, low-power sensor nodes and one (or a few) more powerful base station(s). These networks are designed to interact with the physical environment. Typically, sensors measure some physical phenomena (e.g., temperature and humidity) and send their measurements to the base station using wireless communications. The base station performs data processing functions and provides gateway services to other networks (e.g., the Internet). Sensor nodes are able to transmit messages only within a short communication range, therefore, it is envisioned that the sensors form a multi-hop network in which the nodes forward messages on behalf of other nodes toward the base station. The typical toplogy of a sensor network is a tree with the base station at the root (see Fig. 10.1 for illustration). In order to reduce the total number of messages sent by the sensors, in-network processing may be employed, whereby some sensor nodes perform data aggregation functions. Aggregator nodes collect data from surrounding sensors, process the collected data locally, and transmit only a single, aggregated message toward the base station. Finally, the base station computes a single aggregated value (e.g., average, minimum, or maximum) from the data received from the network. After deployment, sensors are typically left unattended for a long period of time. In order to keep their cost acceptable, common sensor nodes are not tamper resistant. This means that they can be captured and compromised at a reasonable cost. Therefore, we cannot assume that common sensors attacked by a determined adversary are able to protect any secret cryptographique elements (e.g., secret keys). Once a sensor is compromised, it can send authentique messages to other nodes and to the base station, but those messages may contain arbitrary data created by the adversray (e.g., bogus measurments). Note that even if we assumed that the adversary is less powerful or that the nodes are tamper resistant, the adversary can still perform input based attacks, meaning that it can directly manipulate the physical environment monitored by some of the sensors, and in this way, it can distort their measurements and the output of the aggregation mechanism at the base station. © Springer-Verlag Berlin Heidelberg 2007.