LIRT: A Lightweight Scheme for Indistinguishability, Reachability, and Timeliness in Wireless Sensor Control Networks

(1)

Volume 2013, Article ID 646781,7pages http://dx.doi.org/10.1155/2013/646781

Research Article

LIRT: A Lightweight Scheme for

Indistinguishability, Reachability, and Timeliness

in Wireless Sensor Control Networks

Wei Ren,

1

Liangli Ma,

2

and Yi Ren

3

1_{School of Computer Science, China University of Geosciences, Lumo Road 388, Wuhan 430074, China}

2_{Department of Computer Engineering, Naval University of Engineering, Jiefang Road 717, Wuhan 430033, China}

3_{Department of Computer Science, National Chiao Tung University, Hsinchu 30010, Taiwan}

Correspondence should be addressed to Wei Ren; [email protected] Received 30 June 2013; Accepted 25 September 2013

Academic Editor: Hongli Xu

Copyright © 2013 Wei Ren et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Wireless sensor control networks (WSCNs) are important scenarios and trends in mobile wireless sensor networks. Compared with traditional wireless sensor networks, WSCNs have two specific characteristics: entities in networks are extended from passive sensors to active sensors (e.g., actuators and actors) and the transmitting messages are extended from data only to data plus (e.g., data and control instructions). Thus new security problems arises. In this paper, we make the first attempt to specify the security requirements for WSCNs, namely, indistinguishability, reachability, and timeliness. In addition, several new attacks in WSCN, distinguishing risks, dropping attacks, and disordering attacks, are pointed out at the first time. A lightweight scheme LIRT is proposed with tailored design to guarantee the indistinguishability, reachability, and timeliness in WSCNs. Extensive and rigorous analysis on LIRT justifies its security strength and performance measures.

1. Introduction

Mobile wireless sensor networks are an extended form of traditional wireless sensor networks where nodes are not static but mobile. Recently, sensors in mobile wireless sensor networks become more and more versatile, for example, underwater sensors, body sensors, and control sensors. The control sensors are usually divided into two classes: actuators and actors. Those actuator and actor sensor networks extend traditional wireless sensor networks from passive networks to active networks, from data networks to control networks, via adding functionalities such as response and action. The actuator and actor sensor networks start to be applied in new applications such as smart grid, smart city, smart building, and factory automation, to name a few [1–3].

Wireless actuator and actor sensor networks can be viewed as wireless sensor control networks (WSCNs) over a group of sensors. WSCNs have two distinctions compared with traditional wireless sensor networks as follows.(1) The entities in networks are extended from sensors only to sensors

plus. For example, there exist sensors, actuators, and actors in WSCNs. Actuators may perform actively for controlling, but sensors in traditional wireless sensor networks usually act passively for collecting data.(2) The transmitting messages in networks are extended from data only to data plus, for example, data messages and control messages. Therefore, new security problems arise in WSCNs. If entities in WSCNs can be distinguished by adversaries, adversaries will be able to launch a target attack (that has been explored in our previous paper [4]); if data or control messages are dropped by adversaries, the control loop will be terminated; if data or control messages are disordered, the control status or sequences may be disturbed. We called them indistinguisha-bility, reachaindistinguisha-bility, and timeliness problems in WSCNs. Note that those security problems cannot be solved by previous security schemes for traditional wireless sensor networks due to the specialities of WSCNs. We thus have to explore new methods to solve them, especially, in a tailored design manner.

(2)

Concretely, security in wireless control networks starts to attract more and more attention [5–9]. Those work majorally address different contexts from WSCNs, so the solutions may not be able to tackle the aforementioned security require-ments. Moreover, the security problems in WSCNs are chal-lengeable due to the inherent properties: wireless lossy channels, jamming-sensitive links, resource-constraint sen-sor devices, control timing demands, and control sequence ordering requirements.

In this paper, we make the first attempt to clarify and ana-lyze the security requirements in WSCNs and then propose a lightweight scheme called LIRT to guarantee those require-ments, namely, indispensability, reachability, and timeliness in WSCNs. We formally prove the achievement of the proposed scheme. Different from other works and previous approaches, all presentations in the paper strictly follow formal expressions for better clarity and rigorous generality.

The contributions of the paper are listed as follows. (i) We make the first attempt to define formal attacks and

security requirements in WSCNs, namely, indistin-guishability, reachability, and timeliness in WSCNs. (ii) We make the first attempt to propose a lightweight

scheme to guarantee those security requirements and formally prove the security goals that are achieved. The rest of the paper is organized as follows.Section 2

gives an overview on relevant prior work. InSection 3 we discuss the basic assumption and models used throughout the paper. Section 4 provides the detailed description and analysis of our proposed scheme. Finally,Section 5concludes the paper.

2. Related Work

Wireless sensor networks for automation control have attracted more and more attention in recent years [5, 8,

10–12]. Yen et al. [5] proposed packet loss problem in wireless networked control system over IEEE 802.15.4e. They proposed redundant transmission. de Filippi et al. [7] pro-posed single-sensor control strategies for semiactive steering damper control in two-wheeled vehicles. Thurman et al. [9] explored acoustic sensors in an unmanned underwater vehi-cle to provide full autonomy control. Au et al. [13] proposed energy-efficient classification algorithms for wearable sensor systems. All the above work focuses on control performance but not control security.

The security problems in WSCNs have not been thor-oughly explored in recent work. Target attacks for wireless machine-to-machine control networks are first pointed out by our previous work [4]. We also proposed a scheme called RISE to mitigate target attacks. Stealthy deception attacks in water SCADA systems are first pointed out by Amin et al. [6]. They discuss sensor networks but mainly in wired SCADA networks. Zheng et al. [3] discussed reliable problem in wireless communication networks that support demand and response control. They proposed several methods for deriving reliability performance. Short et al. [2] discussed burst errors in wireless control networks.

Actor Actor Actor Actor Sensor Sensor Sensor Sensor Actuator Actuator

Figure 1: Wireless sensor control networks. Sensors collect sensing data; actuators respond corresponding instructions; actors execute those instructions.

They proposed application-level strategies for ameliorating the effects of packet losses and burst errors in sampled-data control systems. Above related work are independent with our discussion and solution in the following, as our analysis for the security requirements are different from them.

3. Problem Formulation

3.1. Network Model and Attack Model. There exist three major

entities (denoted asE) in WSCNs: sensors (denoted as S), actuator (denoted asU), and actors (denoted as C). Usually, sensors send data to actuators. Actuators send instructions to actors. Actors execute instructions. The number of sensors is usually more than that of actuators. The number of actuators is usually less than that of actors.Figure 1depicts the entities in WSCNs.

We assume that the links among sensors, actuators, and actors are not secure. The adversaries (denoted asA) in the links can launch the following attacks. We assume that the security boundary is out of the entities of WSCNs. That is, we assume entities are trustworthy. The trust models in WSCN scenarios are analyzed in detail in our previous work [14].

Definition 1 (message distinguishing risk (R_𝑚)). Adversaries may distinguish data and instructions in transmitting mes-sages in WSCNs, after viewing the behavior and mesmes-sages among entities in WSCNs.

The observation is the only advantage of adversaries, as we suppose the links are not secure. It can be formally described as follows:

R𝑚= Pr {A correctly guesses 𝑚∗∈ 𝐷 ‖ 𝑚∗∈ 𝐼

| 𝑚∗⇐󳨐 𝐷 ∪ 𝐼, 2E𝑖→ E𝑖:{𝑚∗}, A ⇐󳨐 𝑚∗} ,

(1)

where Pr{𝐴 | 𝐵} denotes the probability that 𝐴 happens after event𝐵 happens; 𝐷 means data; 𝐼 means instructions; 𝑚∗is any message in𝐷 or 𝐼; 2𝜙means the power set of a set𝜙.

Definition 2 (entity distinguishing risk (R_𝑒)). Adversaries may distinguish sensors, actuators, and actors among entities in WSCNs, after viewing the behavior and messages among entities in WSCNs.

(3)

It can be formally described as follows: R_𝑒= Pr {A correctly guesses E_𝑖∈ S (‖U‖ C)

| 𝐸_𝑖⇐󳨐 S (‖U‖ C) , 2E𝑖→ E𝑗:{𝑚∗}_{, A ⇐󳨐 𝑚}∗_{} .}

(2)

Definition 3 (dropping attack (A_𝑑)). Adversaries may drop data that are sent from sensors to actuators and instructions that are sent from actuators to actors.

Definition 4 (disordering attack (A_𝑖)). Adversaries may dis-turb the arrival time of data at actuators and the arrival time of instructions at actors.

It is natural to see that the prerequisite for dropping attack is message distinguishing risk and entity distinguishing risk. The disordering attack can be launched without any prerequisite information about message distinguishing risk and entity distinguishing risk. It is thus much easier to be launched via just jamming arbitrary packets into channels, and it is thus more difficult to be defended against.

3.2. Security Definition and Design Goal. The security

re-quirements are defined as follows.

Definition 5 (indistinguishability). The data and instruction

cannot be distinguished from messages by adversaries from all their observations. The sensors, actuators, and actors cannot be distinguished from entities by adversaries from their observations.

Indistinguishability is formally described as 𝐻 (S | 𝑂) = 𝐻 (U | 𝑂) = 𝐻 (C | 𝑂) = 𝐻 (S) = 𝐻 (U)

= 𝐻 (C) , (3)

where𝑂 is the observation of adversaries; 𝐻 is the entropy of correctly guessing on entities.

Definition 6 (reachability). The data can arrive at designated

actuators finally, and instructions can arrive at designated actors finally.

Definition 7 (timeliness). The data can arrive at actuators

timely, and instructions can arrive at actors timely.

Therefore, the design goal is to propose a scheme for guar-anteeing indistinguishability, reachability, and timeliness in a lightweight way.

4. Proposed Schemes

We list major notations used in the remainder of the paper in

Table 1.

4.1. Indistinguishability. As message distinguishing risk,R_𝑚, and entity distinguishing risk, R_𝑒, are the prerequisite of dropping attack,A_𝑑, we first propose a method to eliminate those risks.

Table 1: Notations.

WSCNs Wireless sensor control networks

E Entities

S Sensors

U Actuators

C Actors

A Adversaries

R_𝑚 Message distinguishing risk

R_𝑒 Entity distinguishing risk

A𝑑 Dropping attack

A_𝑖 Disordering attack

Proposition 8. Entity indistinguishability is equivalent to

message indistinguishability.

Proof (straightforward). If entities are distinguishable,

mes-sages will be distinguishable via the entities who send; if messages are distinguishable, entities will be distinguishable by analyzing their sending messages.

Thus, we discuss two risks together. We firstly analyze the information or advantages that can be obtained by adversaries. Adversaries can observe the following behavior and messages in WSCNs.

The messages that can be observed for message distin-guishing are as follows:

(M-O1) the length of the messages that are sent among entities,

(M-O2) the format and semantics of the messages that are sent among entities.

The behavior that can be observed for distinguishing entities is as follows.

(B-O1) The sending sequence of the messages and entities, it is a list of messages and entities which send messages in an observing time span. For example, in an observation time span with 𝑘 minutes, the sending sequences of messages are{𝑚₁, 𝑚₂, . . . , 𝑚_𝑛}. In an observation time span with 𝑘 minutes, the sending sequences of entities who send messages are {𝐸₁, 𝐸₂, . . . , 𝐸_𝑛}, where 𝐸_𝑖 ∈ E, 𝑖 = 1, . . . , 𝑛. The sequences can be observed for distinguishing entities. For example, sensors may always stand at the head of the sequence, and actors may always stand at the rear of the sequence.

(B-O2) The interval of two sequentially sending mes-sages at any two entities; for example,𝐸_𝑖sends𝑚_𝑝, and then𝐸_𝑗 sends𝑚_𝑝+1.𝑚_𝑝,𝑚_𝑝+1are two consecutively sending messages. The time interval between these two messages can be observed for distinguishing entities. For example, actuators may always send a message after sensors send a message, and actors may always send a message after actuator sends a message. (B-O3) The interval of two consecutively sending messages at one entity, for example,𝐸_𝑖sends𝑚_𝑝and

(4)

𝑚_𝑝+1 sequentially, where𝐸_𝑖 ∈ E, 𝑚_𝑝, 𝑚_𝑝+1. That is, 𝑚_𝑝,𝑚_𝑝+1are two sequential messages sent from𝐸_𝑖. The time interval between these two messages can be observed for distinguishing entities. For example, sensors may always send messages in a fixed interval. (B-O4) The interval of𝑘 sequentially sending mes-sages at any 𝑘 entities, it is a generalization of (B-O2). For example, suppose𝑘 entities send 𝑘 messages sequentially. They are𝐸₁, 𝐸₂, . . . , 𝐸_𝑘. The time interval among them can be observed for distinguishing entities. For example, sensors, actuators, and actors may form a control loop. Observing loops may infer the entity observed.

(B-O5) The interval of𝑘 sequential sending messages at one entity, it is a generalization of (B-O3). For example,𝐸_𝑖sends𝑘 messages: 𝑚₁, 𝑚₂, . . . , 𝑚_𝑘, where 𝐸𝑖 ∈ E. The time interval among them can be

observed for distinguishing entities. For example, intervals for message sending at sensors, at actuators, or at actors may be quite different. Observing those difference may infer the entity observed.

Proposition 9. If and only if the observation is

indistinguish-able, the message and entity are indistinguishable.

Proof. The observation at adversaries is the only

knowl-edge to distinguish message and entity. If and only if the observation is indistinguishable, the message and entity are indistinguishable.

Therefore, we propose the following strategies via ran-domization to make observation indistinguishable. Each strategy addresses one observation.

(IND-S1) All messages that are sent among entities have the same length.

(IND-S2) All messages that are sent among entities are encrypted for hiding semantics.

(IND-S3) The sending sequence of the messages among entities is randomized.

(IND-S4) The interval of two sequentially sending messages at any two entities is randomized.

(IND-S5) The interval of two sequentially sending messages at one entity is randomized.

(IND-S6) The intervals of 𝑘 sequentially sending messages at any𝑘 entities are randomized.

(IND-S7) The intervals of 𝑘 sequentially sending messages at one entity are randomized.

Proposition 10. Strategy (IND-S6) can be guaranteed by

(IND-S4).

Proof (straightforward). As any interval of two sequentially

sending messages at any two entities is randomized, and the intervals of𝑘 sequentially sending messages at any 𝑘 entities in𝑘 are also randomized.

Date: 𝑀 = {𝐷‖𝐼‖ 𝑁𝑈𝐿𝐿}, 𝑊

Result: Sending Packets with Indistinguishability

Initialization;

While 𝑇 do

𝑀 ⇐ 𝐺𝑒𝑡 𝑂𝑢𝑡 𝑄𝑢𝑒𝑢𝑒 𝐵𝑢𝑓𝑓𝑒𝑟(); //Get packet from Outgoing Queue 𝑡 ⇐ 𝑅𝑎𝑛𝑑𝑜𝑚() %𝑊;

//𝑊 is the suspended time slot 𝑆𝑢𝑠𝑝𝑒𝑛𝑑(𝑡);

if (𝑀 < > 𝑁𝑈𝐿𝐿) then

𝑇𝑒𝑚𝑝𝑃𝑘𝑡 ⇐ 𝐸𝑥𝑡𝑒𝑛𝑑𝑇𝑜𝐹𝑖𝑥𝐿𝑒𝑛(𝑀); //Maintain the same length

else

𝑇𝑒𝑚𝑝𝑃𝑘𝑡 ⇐ 𝐶𝑟𝑒𝑎𝑡𝑒 𝐹𝑖𝑥𝐿𝑒𝑛 𝐷𝑢𝑚𝑚𝑦(); //Create dummy packet

end

𝑀󸀠_{⇐ 𝑀𝑎𝑠𝑘𝑀𝑠𝑔(𝑇𝑒𝑚𝑝𝑃𝑘𝑡);}

//Encryption before sending 𝑆𝑒𝑛𝑑𝑀𝑠𝑔(𝑀󸀠_);

end

Algorithm 1: Sending algorithm for indistinguishability (SAI algorithm).

Proposition 11. Strategy (IND-S7) can be guaranteed by

(IND-S5).

Proof (straightforward). The interval of two sequentially

sending messages at one entity is randomized, the intervals of𝑘 sequentially sending messages at one entity are thus also randomized.

Thus, the sending algorithm for indistinguishability (called SAI algorithm) at each entity is proposed in

Algorithm 1.

4.2. Reachability. As adversaries cannot distinguish

mes-sages and entities, they have to drop mesmes-sages (e.g., by jamming channels) randomly to launch a dropping attack.

To guarantee the reachability of the data and instruction messages, we propose the following strategies via redun-dancy.

(RCH-S1) Data and instruction are sent for𝛼 times.

Proposition 12. If the dropping probability of a packet is

𝑝, strategy (RCH-S1) can guarantee the reachability with

probability1 − 𝑝𝛼.

Proof. As the dropping probability of one packet is 𝑝, its

reachability is 1 − 𝑝. The probability of 𝛼 packets that are dropped is𝑝𝛼, and the reachability of at least one in𝛼 packets is thus1 − 𝑝𝛼.

The repeat sending for𝛼 times can increase the probabil-ity of reachabilprobabil-ity, but it also causes communication overhead. In the following strategies, we will tackle the communication overhead by optimization.

(RCH-S2) Data and instruction are sent for random times in[𝛽₁, 𝛽₂]. The repeat times are varied. Usually,

(5)

we have𝛼 = 𝛽₂. Therefore, it can both increase the probability of reachability and tackle the communi-cation overhead.

probability at least(1/(𝛽₂− 𝛽₁)) ∑𝛽2

𝛽1(1 − 𝑝

𝑖_).

Proof. The reachability of one packet in [𝛽₁, 𝛽₂] is 1 − 𝑝𝑖, 𝑖 ∈ [𝛽₁, 𝛽₂]. The expectation of this probability for all 𝑖, 𝑖 ∈ [𝛽₁, 𝛽₂] is thus (1/(𝛽₂− 𝛽₁)) ∑𝛽2

𝛽1(1 − 𝑝

𝑖_).

Proposition 14. The average communication overhead in

(RCH-S2) is less than (RCH-S1) by1 − (𝛽₁+ 𝛽₂)/2𝛼.

Proof (straightforward). The communication overhead in

(RCH-S1) is𝑂(𝛼); the communication overhead in (RCH-S2) is 𝑂((𝛽₁ + 𝛽₂)/2). Thus, the advantages in (RCH-S2) compared with (RCH-S1) are(𝛼 − (𝛽₁ + 𝛽₂)/2)/𝛼. That is, 1 − (𝛽₁+ 𝛽₂)/2𝛼.

(RCH-S3) The repeating times at originators for data or instruction are 𝛾₁. The repeating times at forwarders for dummy packets are𝛾₂. Usually,𝛾₁ ≪ 𝛽₁,𝛾₁+ 𝛾₂≈ 𝛼.

Originators are the entities where data or instruction are originated from. For example, the first sensor who sends the data is the originator for that data. Forwarders are the entities between originators and designated destination entities. That is, forwarders forward the data or instruction to packet destination. The dummy packets at immediate forwarders are not created from meaningless dummy string (NULL) but created from data or instruction received previously by immediate forwarders. That is, before forwarders send dummy packets, they choose the last one in received data or instruction as a dummy packet. This strategy can both improve the reachability of data or instruction and mitigate the communication overhead.

probability1 − 𝑝𝛾1+𝛾2_{. The communication overhead is}𝛾

1/𝛼 of

that in strategy (RCH-S1).

Proof (straightforward). The proof is similar to the former

proposition.

The sending algorithm for reachability (SAR algorithm) at each entity is given inAlgorithm 2.

4.3. Timeliness. Adversaries cannot distinguish messages and

entities. The dropping attack cannot aim at designated mes-sages or entities. The dropping is thus randomly dropping, for example, by jamming channels. The jamming subsequently results in disordering attack. The timeliness of the control

Date: 𝑀 = {𝐷‖𝐼‖ 𝑁𝑈𝐿𝐿}, 𝛾1, 𝛾2, 𝑊

Result: Sending Packets for Reachability

//at Originators: Initialization; while 𝑇 then 𝑀 ⇐ 𝐺𝑒𝑡 𝑂𝑢𝑡 𝑄𝑢𝑒𝑢𝑒 𝐵𝑢𝑓𝑓𝑒𝑟(); if (𝑀 < > 𝑁𝑈𝐿𝐿) then 𝐶𝑜𝑢𝑛𝑡 ⇐ 0; while 𝐶𝑜𝑢𝑛𝑡 < 𝛾1do 𝑡 ⇐ 𝑅𝑎𝑛𝑑𝑜𝑚() %𝑊; //𝑊 is suspended time slot 𝑆𝑢𝑠𝑝𝑒𝑛𝑑(𝑡); 𝑇𝑒𝑚𝑝𝑃𝑘𝑡 ⇐ 𝐸𝑥𝑡𝑒𝑛𝑑𝑇𝑜𝐹𝑖𝑥𝐿𝑒𝑛(𝑀); 𝑀󸀠_{⇐ 𝑀𝑎𝑠𝑘𝑀𝑠𝑔(𝑇𝑒𝑚𝑝𝑃𝑘𝑡);} 𝑆𝑒𝑛𝑑𝑀𝑠𝑔(𝑀󸀠_); 𝐶𝑜𝑢𝑛𝑡 + +; end else 𝑡 ⇐ 𝑅𝑎𝑛𝑑𝑜𝑚() %𝑊; 𝑆𝑢𝑠𝑝𝑒𝑛𝑑(𝑡); 𝑇𝑒𝑚𝑝𝑃𝑘𝑡 ⇐ 𝐶𝑟𝑒𝑎𝑡𝑒𝐹𝑖𝑥𝐿𝑒𝑛𝐷𝑢𝑚𝑚𝑦(); 𝑀󸀠_{⇐ 𝑀𝑎𝑠𝑘𝑀𝑠𝑔(𝑇𝑒𝑚𝑝𝑃𝑘𝑡);} 𝑆𝑒𝑛𝑑𝑀𝑠𝑔(𝑀󸀠_); end end //at Forwarders: Initialization; while 𝑇 do 𝑀 ⇐ 𝐺𝑒𝑡 𝐼𝑛 𝑄𝑢𝑒𝑢𝑒 𝐵𝑢𝑓𝑓𝑒𝑟(); //Get packet from ingress queue

if (𝑀 < > 𝑁𝑈𝐿𝐿) then 𝐶𝑜𝑢𝑛𝑡 ⇐ 0; while (𝐶𝑜𝑢𝑛𝑡 < 𝛾₂) do 𝑡 ⇐ 𝑅𝑎𝑛𝑑𝑜𝑚() %𝑊; 𝑆𝑢𝑠𝑝𝑒𝑛𝑑(𝑡); 𝑇𝑒𝑚𝑝𝑃𝑘𝑡 ⇐ 𝐸𝑥𝑡𝑒𝑛𝑑 𝑇𝑜 𝐹𝑖𝑥𝐿𝑒𝑛(𝑀); 𝑀󸀠_{⇐ 𝑀𝑎𝑠𝑘𝑀𝑠𝑔(𝑇𝑒𝑚𝑝𝑃𝑘𝑡);} 𝑆𝑒𝑛𝑑𝑀𝑠𝑔(𝑀󸀠_); 𝐶𝑜𝑢𝑛𝑡 + +; end else 𝑡 ⇐ 𝑅𝑎𝑛𝑑𝑜𝑚() %𝑊; 𝑆𝑢𝑠𝑝𝑒𝑛𝑑(𝑡); 𝑇𝑒𝑚𝑝𝑃𝑘𝑡 ⇐ 𝐶𝑟𝑒𝑎𝑡𝑒 𝐹𝑖𝑥𝐿𝑒𝑛 𝐷𝑢𝑚𝑚𝑦(); 𝑀󸀠_{⇐ 𝑀𝑎𝑠𝑘𝑀𝑠𝑔(𝑇𝑒𝑚𝑝𝑃𝑘𝑡);} 𝑆𝑒𝑛𝑑𝑀𝑠𝑔(𝑀󸀠_); end end

Algorithm 2: Sending algorithm for reachability (SAR algorithm).

operations is damaged. To guarantee the timeliness of the data and instruction messages, we propose following strategies.

(TML-S1) The suspended time is randomly chosen from a time slot that is shortened exponentially. That is, 𝑊_𝑠 ⇐ 1/2𝑟 𝑛 ∗ 𝑊, where 𝑊 is the maximal suspended time slot at the first time; 𝑛 is the sus-pending times;⇐ means “is randomly chosen from”;𝑟

(6)

𝑊_𝑠is the actual suspended time. The timeliness can be improved with the exponentially shortening of suspended time. This strategy is corresponding to (RCH-S1).

Proposition 16. If the suspended time slot 𝑊 in 𝛼 times is

shortened to 1/2𝛼𝑊, strategy (TML-S1) can guarantee the timeliness with total suspended time∑𝛼_𝑖=1(1/2𝑖) ∗ 𝑊.

Proof. Suppose the suspended time slot is𝑊, the suspended

time in expectation is 1/2𝑊. If the suspended time slot is shortened to1/2𝑛 ∗ 𝑊, the suspended time in expectation is1/2𝑛+1∗ 𝑊. If first 𝛼 − 1 are all dropped by adversaries, the worst suspended time is∑𝛼_𝑖=1(1/2𝑖) ∗ 𝑊.

Similarly, (TML-S2) can be proposed corresponding to (RCH-S2). That is, when data and instruction are sent for random times in[𝛽₁, 𝛽₂], the suspending time between two consecutively sending is randomly chosen from a time slot that is shortened exponentially. That is,𝑊_𝑠⇐ 1/2𝑟 𝑛∗ 𝑊.

(TML-S3) We propose to shorten the suspended time slot exponentially at forwarders. The minimum is lower bounded by a threshold value, denoted as Th. The sending algorithm for timeliness (SAT algorithm) at each entity is given inAlgorithm 3.

Proposition 17. Strategy (TML-S3) does not damage

indistin-guishability.

Proof. Everyone in WSCNs may be originators or forwarders.

It depends on messages to forwarder or originator. Orig-inators or forwarders both shorten suspended time slot exponentially. Thus, strategy (TML-S3) does not damage indistinguishability.

Proposition 18. If the suspended time slot 𝑊 in 𝛾₁ times is

shortened to1/2𝛾1𝑊 at originators and in 𝛾

2times is shortened

to1/2𝛾2𝑊, strategy (TML-S1) can guarantee the timeliness with

time(∑𝛾1

𝑖=1(1/2𝑖) + ∑𝛾𝑖=12 (1/2𝑖)) ∗ 𝑊.

Proof (straightforward). The proof is similar to the proof of

the former proposition.

The proposed scheme—LIRT—is the combination of strategies for indistinguishability, reachability, and timeliness. As the strategy (TML-S3) includes SAI, SAR, and SAT, it can be viewed as an appropriate version of LIRT. As the scheme is described intentionally in an incremental manner in this section, the advantages of LIRT are clear to follow for its advantages due to the improvements step by step.

5. Discussion

In former discussion, feedback information such as network-ing status and receiver’s acknowledgement is not used for simplicity. If feedback information is available, it can be used to enhance previous strategies by achieving adaptive and

Date: 𝑀 = {𝐷‖𝐼‖ 𝑁𝑈𝐿𝐿}, 𝛾1, 𝛾2, 𝑊

Result: Sending Packets for Timeliness

//at Originators: Initialization;

While 𝑇 do 𝑀 ⇐ 𝐺𝑒𝑡 𝑂𝑢𝑡 𝑄𝑢𝑒𝑢𝑒 𝐵𝑢𝑓𝑓𝑒𝑟(); if (𝑀 < > 𝑁𝑈𝐿𝐿) then 𝐶𝑜𝑢𝑛𝑡 ⇐ 0; 𝑊󸀠_{⇐ 𝑊;} While (𝐶𝑜𝑢𝑛𝑡 < 𝛾₁) do 𝑡 ⇐ 𝑅𝑎𝑛𝑑𝑜𝑚()% 𝑊󸀠_; 𝑊󸀠_{⇐ max(1/2 ∗ 𝑊}󸀠_{, 𝑇ℎ);} //Exponentially suspending 𝑆𝑢𝑠𝑝𝑒𝑛𝑑(𝑡); 𝑇𝑒𝑚𝑝𝑃𝑘𝑡 ⇐ 𝐸𝑥𝑡𝑒𝑛𝑑 𝑇𝑜 𝐹𝑖𝑥𝐿𝑒𝑛(𝑀); 𝑀󸀠_{⇐ 𝑀𝑎𝑠𝑘𝑀𝑠𝑔(𝑇𝑒𝑚𝑝𝑃𝑘𝑡);} 𝑆𝑒𝑛𝑑𝑀𝑠𝑔(𝑀󸀠_); 𝐶𝑜𝑢𝑛𝑡 + +; end else 𝑡 ⇐ 𝑅𝑎𝑛𝑑𝑜𝑚() %𝑊; 𝑆𝑢𝑠𝑝𝑒𝑛𝑑(𝑡); 𝑇𝑒𝑚𝑝𝑃𝑘𝑡 ⇐ 𝐶𝑟𝑒𝑎𝑡𝑒 𝐹𝑖𝑥𝐿𝑒𝑛 𝐷𝑢𝑚𝑚𝑦(); 𝑀󸀠_{⇐ 𝑀𝑎𝑠𝑘𝑀𝑠𝑔(𝑇𝑒𝑚𝑝𝑃𝑘𝑡);} 𝑆𝑒𝑛𝑑𝑀𝑠𝑔(𝑀󸀠_); end end

//at Forwarders: Initialization;

while 𝑇 do 𝑀 ⇐ 𝐺𝑒𝑡 𝐼𝑛 𝑄𝑢𝑒𝑢𝑒 𝐵𝑢𝑓𝑓𝑒𝑟(); if (𝑀 < > 𝑁𝑈𝐿𝐿) then 𝐶𝑜𝑢𝑛𝑡 ⇐ 0; 𝑊󸀠_{⇐ 𝑊;} while (𝐶𝑜𝑢𝑛𝑡 < 𝛾₂) do 𝑡 ⇐ 𝑅𝑎𝑛𝑑𝑜𝑚() %𝑊󸀠_; 𝑊󸀠_{⇐ max(1/2 ∗ 𝑊}󸀠_{, 𝑇ℎ);} 𝑆𝑢𝑠𝑝𝑒𝑛𝑑(𝑡); 𝑇𝑒𝑚𝑝𝑃𝑘𝑡 ⇐ 𝐸𝑥𝑡𝑒𝑛𝑑 𝑇𝑜 𝐹𝑖𝑥𝐿𝑒𝑛(𝑀); 𝑀󸀠_{⇐ 𝑀𝑎𝑠𝑘𝑀𝑠𝑔(𝑇𝑒𝑚𝑝𝑃𝑘𝑡);} 𝑆𝑒𝑛𝑑𝑀𝑠𝑔(𝑀󸀠_); 𝐶𝑜𝑢𝑛𝑡 + +; end else 𝑡 ⇐ 𝑅𝑎𝑛𝑑𝑜𝑚() %𝑊; 𝑆𝑢𝑠𝑝𝑒𝑛𝑑(𝑡); 𝑇𝑒𝑚𝑝𝑃𝑘𝑡 ⇐ 𝐶𝑟𝑒𝑎𝑡𝑒 𝐹𝑖𝑥𝐿𝑒𝑛 𝐷𝑢𝑚𝑚𝑦(); 𝑀󸀠_{⇐ 𝑀𝑎𝑠𝑘𝑀𝑠𝑔(𝑇𝑒𝑚𝑝𝑃𝑘𝑡);} 𝑆𝑒𝑛𝑑𝑀𝑠𝑔(𝑀󸀠_); end end

Algorithm 3: Sending algorithm for timeliness (SAT algorithm).

optimal overall performance. The feedback information that can be gathered by senders is as follows.

(i) The network feedback on network status, it is sent by intermediate forwarders or detectors, and it reports congestion, risks, and dropping rate of messages.

(7)

(ii) The feedback from receivers, it is sent by desig-nated destination of messages, and it reports message arrival, delay, jitter, and timeliness.

If the feedback information is available in WSCNs, the strategies can be enhanced by intelligent method for adap-tivity and optimization.

6. Conclusions

WSCNs are important types in mobile wireless sensor net-works and present their own characteristics compared with traditional wireless sensor networks. In this paper, we made the first attempt to specify the security requirements for WSCNs, in which of the upmost importance are indis-tinguishability, reachability, and timeliness. To clarify and illustrate the security requirements, several new attacks in WSCNs were pointed out at the first time, for example, dis-tinguishing risks, dropping attacks, and disordering attacks. To defend against those attacks, a lightweight scheme LIRT was proposed. LIST can guarantee the indistinguishability, reachability, and timeliness in WSCNs, which is justified by extensive and rigorous analysis on security strength. The performance of LIRT is also measured by communication overhead, to confirm its applicability in realistic scenarios.

Acknowledgments

Wei Ren’s research was financially supported by the National Natural Science Foundation of China (61170217), the Open Research Fund from the Shandong Provincial Key Labora-tory of Computer Network (SDKLCN-2011-01), Fundamental Research Funds for the Central Universities (CUG120109), and Wuhan Planning Project of Science and Technology (2013010501010144). Yi Ren’s research was sponsored in part by the “Aim for the Top University Project” of the National Chiao Tung University and the Ministry of Education, Tai-wan.

References

[1] M. A. S. Masoum, P. S. Moses, and K. M. Smedley, “Distribution transformer losses and performance in smart grids with resi-dential plug-in electric vehicles,” in Proceedings of the IEEE PES

Innovative Smart Grid Technologies (ISGT ’11), pp. 1–7, January

2011.

[2] M. Short, U. Abrar, and F. Abugchem, “Application level com-pensation for burst errors in wireless control networks,” in

Pro-ceedings of the 17th IEEE Conference on Emerging Technologies Factory Automation (ETFA ’12), pp. 1–8, 2012.

[3] L. Zheng, N. Lu, and L. Cai, “Reliable wireless communication networks for demand response control,” IEEE Transactions on

Smart Grid, vol. 4, no. 1, pp. 133–140, 2013.

[4] W. Ren, L. Yu, L. Ma, and Y. Ren, “RISE: a reliable and secure scheme for wireless machine to machine communications,”

Tsinghua Science & Technology, vol. 18, no. 1, pp. 100–117, 2013.

[5] B. Yen, D. Hop, and M. Yoo, “Redundant transmission in wireless networked control system over IEEE 802.15.4e,” in

Proceedings of the International Conference on Information Networking (ICOIN ’13), pp. 628–631, 2013.

[6] S. Amin, X. Litrico, S. Sastry, and A. M. Bayen, “Cyber security of water scada systems—part I: analysis and experimentation of stealthy deception attacks,” IEEE Transactions on Control

Systems and Technology, vol. 21, no. 1963, p. 1970, 2012.

[7] P. de Filippi, M. Corno, M. Tanelli, and S. M. Savaresi, “Single-sensor control strategies for semi-active steering damper con-trol in two-wheeled vehicles,” IEEE Transactions on Vehicular

Technology, vol. 61, no. 2, pp. 813–820, 2012.

[8] J. Ploennigs, V. Vasyutynskyy, and K. Kabitzsch, “Comparative study of energy-efficient sampling approaches for wireless control networks,” IEEE Transactions on Industrial Informatics, vol. 6, no. 3, pp. 416–424, 2010.

[9] E. Thurman, J. Riordan, and D. Toal, “Real-time adaptive control of multiple colocated acoustic sensors for an unmanned underwater vehicle,” IEEE Journal of Oceanic Engineering, vol. 38, no. 3, pp. 419–432, 2013.

[10] G. Lee, J. Lee, E. Lee, and D. Kim, “Synchronization algorithm for hybrid control networks: can and wireless control networks,” in Proceedings of the IEEE 54th International Midwest

Sympo-sium on Circuits and Systems (MWSCAS ’11), pp. 1–4, 2011.

[11] N. Son, D. Tan, and D. Kim, “Backoff algorithm for time critical sporadic data in industrial wireless sensor networks,” in Proceedings of the International Conference on Advanced

Technologies for Communications (ATC ’12), pp. 255–258, 2012.

[12] R. A. Swartz, J. P. Lynch, and C.-H. Loh, “Near real-time system identification in a wireless sensor network for adaptive feedback control,” in Proceedings of the American Control Conference

(ACC ’09), pp. 3914–3919, June 2009.

[13] L. K. Au, A. A. T. Bui, M. A. Batalin, and W. J. Kaiser, “Energy-efficient context classification with dynamic sensor control,”

IEEE Transactions on Biomedical Circuits and Systems, vol. 6,

no. 2, pp. 167–178, 2012.

[14] W. Ren, L. Yu, L. Ma, and Y. Ren, “How to authenticate a device? Formal authentication models for M2M communications defending against ghost compromising attack,” International

Journal of Distributed Sensor Networks, vol. 2013, Article ID

(8)

Submit your manuscripts at

http://www.hindawi.com

VLSI Design

Hindawi Publishing Corporation

http://www.hindawi.com Volume 2014

Machinery

Hindawi Publishing Corporation

http://www.hindawi.com Volume 2014

Hindawi Publishing Corporation http://www.hindawi.com

Journal of

Engineering

Volume 2014

Shock and Vibration

Mechanical Engineering Advances in

Civil Engineering

Advances in

Acoustics and VibrationAdvances in

Electrical and Computer Engineering

Journal of

http://www.hindawi.com Volume 2014 Distributed Sensor Networks International Journal of

The Scientific

World Journal

Sensors

Journal of

Modelling & Simulation in Engineering

Active and Passive Electronic Components

Advances in OptoElectronics

Hindawi Publishing Corporation

http://www.hindawi.com Volume 2014

Robotics

Journal of

Chemical Engineering International Journal of

Control Science and Engineering Journal of

Hindawi Publishing Corporation

http://www.hindawi.com Volume 2014 Antennas and

Propagation

International Journal of

Navigation and Observation