Attack detectors for data aggregation in clustered sensor networks

Among many security threats to sensor networks, compromised sensing is particularly challenging due to the fact that it cannot be addressed by standard authentication approaches. We consider a clustered scenario for data aggregation in which an attacker injects a disturbance in sensor readings. Casting the problem in an estimation framework, we systematically apply the Generalized Likelihood Ratio approach to derive attack detectors. The analysis under different attacks reveals that detectors based on similarity of means across clusters are suboptimal, with Bartlett's test for homoscedasticity constituting a good candidate when lacking a priori knowledge of the variance of the underlying distribution.


INTRODUCTION
Sensor networks typically consist of a large number of lowcost sensor nodes measuring some physical phenomena and reporting their readings to a fusion center (FC) [1,2]. As the overall data volume may be large, it is common to adopt clustered topologies in which cluster heads (CH) aggregate individual readings into compact reports sent to the FC, which in turn computes a global aggregated value. The average, count, min and max are typical aggregation functions [3,4].
Security has long been recognized as a major challenge: sensor networks are susceptible to a variety of attacks such as physical tampering, node capture, denial of service, eavesdropping, etc. [5,6]. In particular, sensor readings may be compromised before they reach a CH if an attacker alters the contents of data packets after capturing a node, or modifies the environmental parameters around some sensors; the latter need not be hard to achieve and does not require node capture. The effect of such malicious attacks (which cannot be detected by standard cryptographic means) on data aggregation was originally posed as an estimation problem and analyzed in [7], concluding that typical aggregation functions are very sensitive: the adversary can inflict very large distortion in the global aggregated value by compromising just a Supported by the Spanish Government and the European Regional Development Fund (ERDF) (projects TACTICA, COMPASS (TEC2013-47020-C2-1-R) and FPU Grant AP2010-0149) and by the Galician Regional Government and ERDF (projects GRC2013/009, R2014/037 and AtlantTIC). few nodes. Resilient aggregation functions based on robust statistics [8] were advocated in [7] as a means of defense, e.g. replacing the average by the sample median at the FC. In this way, robustness is achieved at the price of some performance loss. For example, in the absence of an attack, and assuming independent and identically distributed (i.i.d.) observations, the asymptotic Mean Squared Error (MSE) degradation when estimating the mean of the underlying distribution by using the sample median rather than the average is of 4.8 and 2 dB with uniform and Gaussian data, respectively [9].
Alternatively, it may be desirable to actually detect whether an attack is taking place, implementing mechanisms for this task in an initial step. Then, the usual aggregation function is applied if no attack is detected, as initially suggested in [10] and further developed in [11][12][13][14]; when an attack is declared, the FC may fall back on some resilient aggregation function as in [7]. In this way, the adversary faces a tradeoff between distortion and detectability.
We analyze different choices for attack detectors in this scenario. Following [7], we adopt an estimation viewpoint, regarding the average as a Maximum Likelihood estimator (MLE) for a Gaussian model. Attack detection is then posed as a hypothesis test at the FC based on local values aggregated at CHs. Adopting the Generalized Likelihood Ratio Test (GLRT) framework, previous ad hoc schemes [10][11][12][13] can be derived in this more rigorous way. Among these, some require a priori knowledge of the variance of the underlying distribution, whereas some others have poor performance. The GLRT approach also leads to other detectors not previously proposed in this context, such as Bartlett's test for homoscedasticity, which results in a better tradeoff in terms of a priori knowledge and attack detection performance.

SYSTEM MODEL
As in [7], we cast the data aggregation problem in an estimation theory framework. Consider a network of n sensors, divided into c clusters with n i nodes each (n = c i=1 n i ). Sensor j in cluster i, denoted S ij , acquires a measurement x ij ∈ R and sends it to the corresponding cluster head CH i , i = 1, . . . , c, which appropriately aggregates the collected data and reports to an FC. The FC computes a global value summarizing the readings of all n sensors in the network, with the goal of estimating the value of an unknown parameter of interest θ of the physical environment. Thus, x ij is modeled as a random variable whose distribution depends on θ. In particular we assume that, in the absence of attacks, the x ij are i.i.d. and follow a normal distribution with mean θ and variance σ 2 , denoted N (θ, σ 2 ). In that case, the MLE of θ is the (global) sample mean: In (1),μ i is the local sample mean at cluster i. Thus, in this benign scenario, it suffices for each CH i to send (n i ,μ i ) to the FC, which in turn computes (1) as a weighted average. Threat model. We assume a myopic adversary [7] which is able to observe and alter the readings of a subset K of sensors (|K| = k n), not all necessarily in the same cluster, and selected before the attack. The cluster heads and their communication links to the FC are assumed secure, so that the adversary cannot modify local computations at the CH i 's or their reports. Sensor readings can therefore be written as where z ij is an attacker-injected disturbance (therefore If the attack goes unnoticed, the estimation performance of (1) will deteriorate. This can be quantified in terms of the MSE misadjustment, defined as where . Let x c , e c and z ∈ R k comprise respectively the values ofx ij , e ij and z ij for sensors in set K. It is readily checked that with K zz E{zz T }, K ez E{e c z T }, and 1 ∈ R k the allones vector. Thus, the attacker is able to degrade performance by increasing the correlation of the injected disturbance (first term in (4)), and/or its cross-correlation with measurement noise (second term). Depending on the setting, the adversary may only have the ability to inject disturbances z in the compromised nodes without being able to observe the corresponding 'clean' valuesx c ; in that case, e c , z are necessarily statistically independent and K ez = 0. This was the case considered in [10][11][12][13], which constrained z = η1 k , with η a constant. On the other hand, if the adversary can observe the sensor readingsx c of the k captured nodes 1 , he may synthesize the injected disturbance z as a function of those readings.

ATTACK DETECTORS: A GLRT APPROACH
In the absence of attacks, the fact that x ij ∼ N (θ, σ 2 ) ∀i, j implies uniformity of the mean (µ i ) and variance (σ 2 i ) of the data across clusters: µ i = θ and σ 2 i = σ 2 ∀i. Based on this observation, different attack detectors can be devised.

Mean-based Detectors
If disparity of the means is considered as an indicator of the presence of an attack, an hypothesis test can be posed as: with µ i the true mean of data from cluster i. Assuming a Gaussian model under both hypotheses, different tests result depending on knowledge about σ 2 . An attack is declared if the corresponding statistic is larger than some threshold. Common known variance. Assuming the variance σ 2 is the same under both hypotheses, the GLRT statistic is T . This is readily seen to yield withμ 0 andμ i as in (1). For clusters with equal sizes (n 1 = · · · = n c = n c ), this test was proposed in an ad hoc manner in [10] (for c = 2) 2 and [12, Sec. III-A] (for general c).
By Cochran's theorem [15], (7) follows a χ 2 c−1 distribution under H 0 . This holds true even if the {x ij } are not Gaussian, provided that the n i 's are sufficiently large so that {μ i } are approximately Gaussian by the Central Limit Theorem, and allows to set the threshold for a given probability of false alarm P FA as long as σ 2 is known. Note that the FC can compute (7) directly from the (n i ,μ i ) data sent from the CH i 's.
Common unknown variance. If σ 2 is regarded as a nuisance parameter under both hypotheses, the numerator and denominator in (6) must be maximized w.r.t. {µ 1 , . . . , µ c , σ 2 } and {µ, σ 2 } respectively, yielding the following test statistic: i denotes the local sample variance at cluster i: 2 For c = 2 and n 1 = n 2 = n 2 , (7) can be written as 2 log L G (x) = n 4σ 2 (μ 1 −μ 2 ) 2 , which is the "Split & Check" detector from [10]. Now the CH i 's must transmit (n i ,μ i ,σ 2 i ) to the FC. This is the case as well for all detectors in the sequel.
Note that (8) is equivalent to the "analysis of variance" (ANOVA) F -test statistic [16,17] which, under H 0 , follows an F distribution with c − 1 and n − c degrees of freedom. For c = 2, the F -test reduces to Student's t-test [17]. In [13], such t-test was proposed for detecting attacks concentrated in a given cluster, by combining data from all remaining clusters in a single "supercluster".

Variance-Based Detectors
A different approach to attack detection is to test for equality of variances across different clusters (homoscedasticity), i.e., whereas the means {µ i } are regarded as nuisance parameters.
Known variance under H 0 . If under H 0 the common variance is known to be σ 2 , the GLRT statistic becomes resulting in which, under H 0 and for large n, is χ 2 c -distributed. The first term in (13) corresponds to the ad hoc test proposed in [12, Sec. III-B], which follows a χ 2 n−c distribution under H 0 : Unknown variance under H 0 . Regarding σ 2 as a nuisance parameter under H 0 , the denominator in (12) must be maximized w.r.t. {µ i } and σ 2 , yielding Bartlett's test [18]: Under H 0 and for large n, (15) is χ 2 c−1 -distributed.

Mean and Variance-Based Detector
Testing for equality of means and variances simultaneously, results in the GLRT statistic given by which is χ 2 2(c−1) -distributed under H 0 and for large n. Note that the first term in (18) is Bartlett's test statistic (15).

NUMERICAL RESULTS
The detectors from Secs. 3.1-3.3 are studied under different kinds of attacks. The network has n = 128 sensor nodes in c clusters, c ∈ {2, 4, 8}, all of the same size n c . The SNR is θ 2 /σ 2 = 10 dB, and for all detectors considered, the thresholds are set for P FA = 0.05. The attacker has control over k = 5 nodes and no knowledge of the network cluster structure; thus, at each Monte Carlo run, the k compromised nodes are chosen randomly and independently among the n network nodes. Three different attack types are considered: • Type A: The injected disturbance values are i.i.d. with z ij ∼ N (0, δ 2 ) for S ij ∈ K, and independent of sensor readings. Thus K zz = δ 2 I k , K ez = 0 and M = k n δ 2 σ 2 . • Type B: The disturbance is proportional to the sensor reading, i.e., z ij = a · x ij for S ij ∈ K. This yields K zz = a 2 (θ 2 11 T + σ 2 I k ), K ez = aσ 2 I k , so that M = a 2 k 2 n θ 2 σ 2 + (a 2 + 2a) k n ≈ a 2 k 2 n θ 2 σ 2 in high SNR. • Type C: The disturbance is constant across compromised nodes: z ij = b ∀S ij ∈ K, with b a deterministic constant. Thus, K zz = b 2 11 T , K ez = 0, and M = k 2 n b 2 σ 2 . Results are shown in Fig. 1 for c = 2, 4, and 8 clusters. The following observations can be made: 1. The variance-based detectors (13) (GLRT for homoscedasticity) and (14) (Luo's χ 2 test [12]) consistently outperform the remaining schemes. However, they require knowledge of σ 2 to set the threshold for a given P FA . If, e.g., the target is P FA = 0.05 and σ 2 is underestimated in just 1 dB, in this setting Luo's detector (14) yields P FA ≈ 0.56, 0.5 and 0.4 for c = 2, 4 and 8 clusters, respectively.
2. The F -test (10) is not adequate for attack detection. To further illustrate this observation, suppose a single node, say S 11 , is compromised (k = 1). In that case, it can be easily shown that, for large values of z 2 11 , (10) becomes  whereμ i ,σ 2 i are the values ofμ i ,σ 2 i in the absence of attack (z 11 = 0). From (19), F → (n−c)(n−n1) (c−1)n(n1−1) as z 2 11 → ∞. If, e.g., n 1 = n c , then F → 1, which will be below the detection threshold for practical P FA values. Hence, the attacker can inflict an arbitrarily large distortion with a small probability of detection, even with a single compromised node.
3. In contrast with the F -test, the GLRT detector (7) (equality of means) [10,12], is responsive to attacks, but it is outperformed by the remaining schemes. In addition, it requires knowledge of σ 2 in order to set the threshold.
4. Bartlett's test (15) outperforms the GLRT for equality of means and variances (18): the addition of the second term in (18) is seen to be detrimental. This term can be seen as a test for equality of means 3 . Thus, it is concluded that equality 3 Note the similarity of the second term in (18) with (10): the arithmetic mean of the sample variances is replaced by the geometric mean. of means across clusters is not a good attack detection criterion. To see this, suppose that the adversary compromises k i nodes in cluster i and launches a Type C attack. It can be easily shown that if ki ni = k n ∀i, then the differencesμ i −μ 0 are unaltered by the attack. Due to this kind of events, for mean-based schemes P D remains bounded away from 1 as the distortion becomes arbitrarily large, even when the compromised nodes are picked at random. 5. For all detectors considered, Type C attacks have more power (larger distortion for a given P D ) than Type B attacks, which in turn have more power than Type A attacks. 6. Whereas detectors (13)- (14) remain insensitive to the number of clusters, the performance of detectors (7), (15) and (18) degrades with too few clusters. The explanation is as follows. Suppose the adversary captures exactly one node per cluster, launching a Type C attack. Thenμ i =μ i + 1 ni b, and for large b 2 ,σ 2 i ≈σ 2 i +b 2 ni−1 n 2 i , withμ i ,σ 2 i the sample means and variances, respectively, in the absence of attack. Since one can expect theμ i 's, and also theσ 2 i 's, to be close to each other, with equal-size clusters (n i = n c ∀i) so will theμ i 's andσ 2 i 's; and even more so as |b| increases, since in that casê µ i → c n b andσ 2 i → b 2 c n (1 − c n ), which are independent of i. Thus, the attack is likely to go undetected, with arbitrarily large distortion. This explains why some of the P D curves of these detectors in Fig. 1 for c = 2 and c = 4 seem to saturate at a value less than 1. For c > k, this kind of event is no longer feasible and detection performance significantly improves.

CONCLUSIONS
We have systematically applied a GLRT approach to sensor attack detection, revealing a variety of tests. Some of them had been previously proposed in an ad hoc manner, and some others are novel in this context. It has been shown that exploiting uniformity of means across clusters is outperformed by homoscedasticity based schemes, with Bartlett's test achieving good performance as long as the number of clusters in the network is not too low, without requiring a priori knowledge about the variance of the underlying distribution. The power of different attack types has also been discussed.
Future work will address more sophisticated data models, including spatial correlation among sensor readings [14] and different parametric dependencies of the readings' pdf and the parameters of interest. Also, Bartlett's test is known to be sensitive to deviations from normality [17]. Levene's test [19] is a popular robust alternative in statistics, but since it is posed as an F -test on a transformed data set, it is not well suited to attack detection, similarly to the standar F -test (10).