2015 16th IEEE International Conference on Mobile Data Management
978-1-4799-9972-9/15 $31.00 © 2015 IEEE
DOI 10.1109/MDM.2015.52

A Risk Assessment Framework for Wireless Sensor Networks in a Sensor Cloud

Amartya Sen, Department of Computer Science, Missouri S&T, Rolla, MO, USA
Sanjay Madria, Department of Computer Science, Missouri S&T, Rolla, MO, USA

Abstract—A sensor cloud framework is composed of various heterogeneous wireless sensor networks (WSNs) integrated with the cloud platform. Integration with the cloud platform, in addition to the inherent resource and power constrained nature of the sensor nodes, makes these WSNs belonging to a sensor cloud susceptible to security attacks. As such there is a need to formulate effective and efficient security measures for such an environment. But doing so requires an understanding of the likelihood and impact of different attacks feasible on the WSNs. In this paper, we propose a risk assessment framework for the WSNs belonging to a sensor cloud. The proposed risk assessment framework addresses the feasible set of attacks on a WSN, identifying the relationships between them and thus estimating their likelihood and impact. This kind of assessment will give the security administrator a better perspective of their network and help in formulating the required security measures.

I. INTRODUCTION

Sensor cloud [1] consists of several different wireless sensor networks (WSNs) which are provided as a service to users through the cloud platform. These services are in the form of gathering information such as temperature, humidity and other sensitive data, as requested by user applications. The integration of the cloud platform with WSNs coming from different ownership entities, running a variety of user applications, increases the likelihood of feasible attacks on these WSNs. As such there is a need for a risk assessment framework estimating the likelihood and impact of attacks on these WSNs and evaluating the consequences of successful attacks on the network. This will help in strengthening the network security before we deploy a WSN in a sensor cloud. Although the complete safety of a network in sensor cloud is an idealistic scenario, being able to predict the degradation of WSN security parameters such as confidentiality, integrity and availability [2], and taking appropriate precautions is always a better alternative.

The applicability of a risk assessment framework for WSNs in a sensor cloud environment will be limited unless it takes into account the logical dependencies between the feasible set of attacks. For example, a malware attack can lead to node subversion and an adversary can use the compromised node to break the authentication scheme. This will prompt the execution of other degenerate attacks like sinkhole or Sybil. Attack graphs help in understanding the logical dependencies between attacks. We adopted the works done in attack trees and attack graphs for wired networks [3] and researched these ideas in a sensor cloud consisting of WSNs. But establishing such relationships between attacks, however, is not sufficient. Empirical evidence suggests that risk evaluation requires a quantitative perspective. Instead of saying that a network is secure, we are more interested in knowing the extent of this security. As such, we must be able to numerically assess both the likelihood and the impact of an attack. The National Institute of Standards and Technology's (NIST) Common Vulnerability Scoring System (CVSS) [4] equips us with the means to calculate severity ratings of vulnerabilities in wired networks. We adopt these mechanisms and extend them to the WSN scenario to quantify the attack nodes in our attack graph, merging them with the concepts of Bayesian networks [3] [5]. In addition to quantitative perspectives, time frames are another estimate that helps us reason better. We adopted risk level estimations, modeled as a continuous-time Markov process in Houmb's Misuse Frequency model [6], for WSNs. These risk level estimations allowed us to predict the degradation of a WSN's security parameters.

II. MOTIVATION

Risk assessment for wired networks using attack trees and attack graphs has been studied [3], but a sensor cloud consisting of WSNs is inherently different and the existing works on attack graphs and trees cannot be applied for the following reason: when we generate an attack graph for a wired network, we scan the network using a vulnerability scanner tool, for example, Saint [7] or Nessus [8]. These scanners can detect the list of vulnerabilities present on each system in a wired network. This list is then parsed into an attack graph generating tool [9]. No comparable vulnerability scanning tool currently exists for WSNs.

Even generating such a list for sensor nodes comprising a WSN in a sensor cloud would have been inadequate, since these nodes work in collaboration with each other to achieve a common goal and suffer from inherent energy and hardware limitations. These limitations are the primary cause of WSN vulnerabilities as they do not allow us to apply the desired security protocols to safeguard the network. As such the vulnerability list will be the same for all the nodes and
we would not be able to draw any concrete conclusions from them. Every system on a wired network, however, is different with regard to security measures present, applications running on them and memory capacity. Thus, rather than just focusing on vulnerabilities in a sensor node or network, we focused on the feasibility of attacks on a particular WSN in a sensor cloud. The successful execution of different attacks will vary according to security measures used, tasks being carried out, and deployed environment of a WSN.

III. CURRENT WORK

A. Sensor Cloud Architecture

We have designed and deployed a sensor cloud network prototype at Missouri S&T. It is a hierarchical framework consisting of a user centric layer, a middleware and a sensor centric layer. The sensor centric layer consists of ten WSNs, each consisting of three to five sensor nodes deployed across two floors. The deployed WSNs have hierarchical architecture, each of which communicates with their designated base station. The services of these deployed WSNs can be availed by the users through a web interface, acting as a middleware between the users and WSNs. An overview of such a network is depicted in Fig. 1. A more detailed description of this architecture can be found in [1].

Fig. 1. Sensor Cloud Architecture

B. Risk Assessment Framework

The proposed risk assessment has a closely knit modular three tiered architecture. Its applicability is with respect to the physical WSNs as shown in Fig. 1. The devised methodologies have been discussed in the section III-B1, III-B2, and III-B3.

1) Attack Graphs for WSN: The pre-requisite to developing an attack graph is to generate attack patterns which identify the goal of an attacker. In addition to this, we need to establish the network conditions (resources) required to execute an attack (pre-conditions) and network conditions arising due to successful execution of an attack (post-conditions). We formulated the attack patterns for the known set of attacks (Table I) [10] on WSNs and captured their pre- and post-conditions in an attack module database.

If the pre-condition of an attack A is the same as the post-condition of another attack B, both having the same attack pattern, then the node of attack A becomes the parent of the node of attack B in the attack graph (Fig. 2). A node in such a graph can have multiple children and given the required pre-conditions, the attacker might have to successfully exploit all child nodes (AND join) or any one of the child nodes (OR join) to exploit the parent node successfully. Additionally, the root node of these attack graphs is going to be one of the WSN security parameters that the attacker wants to exploit.

Fig. 2. Attack Graph Illustration

2) Quantitative Estimations using Bayesian Networks: The generation of the attack graphs was followed by a quantitative analysis to compute the net threat level on the root nodes. This was done by assigning the nodes of the attack graph the probability of successful exploitation, $Pr(s_i)$, as shown in (1). This probability was derived from the Misuse Frequency (MF) and Misuse Impact (MI) values of the attacks, which were scored according to the guidelines established by the NIST's Common Vulnerability Scoring System (CVSS).

$$Pr(s_i) = (1 - \mu)\,MF + \mu\,(MI) \tag{1}$$

where $\mu$ is a constant and is defined as the security administrator's belief of the impact of the security measures of an attack on its misuse frequency. It can vary from [0,0.5]. For example, if there are no security measures present to suppress an attack, $\mu$ will be zero and the impact of the attack will be maximum; similarly a value of 0.5 is based on the belief that the attack under consideration will have no impact on the network. The scoring metrics take into account factors such as attack complexity, authentication instances that need to be bypassed in order to execute the attack, etc. After scoring the attack nodes, we projected the attack graphs as Bayesian networks. Using the concepts of forward propagation we were able to compute the net threat level to the root nodes of the attack graphs. For an
AND join in the attack graph it is computed as shown in (2),

$$Pr(s_i \mid Pa[s_i]) = \begin{cases} 0, & \exists s_j \in Pa[s_i] \mid s_i = 0 \\ Pr\left(\bigcap_{s_i = 1} s_i\right), & \text{otherwise} \end{cases} \tag{2}$$

For an OR join it is computed as shown in (3),

$$Pr(s_i \mid Pa[s_i]) = \begin{cases} 0, & \forall s_j \in Pa[s_i],\ s_i = 0 \\ Pr\left(\bigcup_{s_i = 1} s_i\right), & \text{otherwise} \end{cases} \tag{3}$$

where $Pr(s_i)$ is the probability of successful execution of a node $s_i$ and $Pr[s_i]$ is the aggregated probability of successful execution of all children nodes of $s_i$. An instantiation of such an attack graph depicted as a Bayesian network is shown in Fig. 3 for the WSN security parameter, confidentiality. The attack nodes in the graph are accompanied with their probability of success values. When a node has child nodes, its probability of success varies based on the attack graph JOIN type. If the JOIN type is an AND join, the probability of success of the parent node is updated according to (2). Whereas if the JOIN type is an OR, the probability of success of the parent node is updated as specified in (3). For example, the attack node, Sybil ($Sy$), in Fig. 3 has two child nodes, Node Subversion ($NS$) and Spoofing ($S$), connected to Sybil via an AND join type. Hence the unconditional probability of Sybil is computed as shown in (4).

$$\begin{aligned} Sy_{uncond} &= Pr(Sy \mid (Pr(NS, S)^{T})) \\ &= Pr(Sy) * Pr(NS) * Pr(S) \\ &= 0.78 * 0.761 * 0.82 \\ &= 0.486 \end{aligned} \tag{4}$$

Where, the values used for computation in (4) and (5) are the misuse frequency of the attack nodes, based off the CVSS metrics.

TABLE I
SET OF EXAMINED ATTACKS ON WSNS (Types of Security Attacks)

| Active Attacks | Passive Attacks |
|---|---|
| Routing Attacks (Spoof, Alter and Replay, Selective Forwarding, Sinkhole, Sybil, Wormhole, HELLO Flood) | Passive Information Gathering (Eavesdropping) |
| Denial of Service (Frequency Jamming) | Traffic Analysis |
| Fabrication (Node Subversion and Node Malfunction) | Camouflaged Adversaries |
| Lack of Cooperation (Node Outage) | |
| Modification (Physical Tampering and Message Corruption) | |
| Impersonation (Node Replication) | |
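The following Python code is an added example, not code from the paper: it derives parent/child edges by matching pre-conditions to post-conditions as described in Section III-B1, then forward-propagates probabilities through the AND and OR joins of (2) and (3), reproducing the Sybil value of (4). The condition names, the Eavesdropping value, the Confidentiality root with probability 1.0, and the treatment of child attacks as independent are assumptions made for the example.

```python
from math import prod

def local_probability(mf, mi, mu):
    """Eq. (1): Pr(s_i) = (1 - mu) * MF + mu * MI, with mu in [0, 0.5]."""
    if not 0.0 <= mu <= 0.5:
        raise ValueError("mu must lie in [0, 0.5]")
    return (1 - mu) * mf + mu * mi

# Constructed attack module database: attack -> (Pr(s_i), join, pre-conditions, post-condition).
# Condition names are hypothetical. 0.761, 0.82 and 0.78 are the values in Eq. (4);
# the Eavesdropping value and the Confidentiality root are assumptions.
MODULES = {
    "NodeSubversion":  (0.761, None,  (), "node_compromised"),
    "Spoofing":        (0.82,  None,  (), "identity_forged"),
    "Sybil":           (0.78,  "AND", ("node_compromised", "identity_forged"), "many_identities"),
    "Eavesdropping":   (0.60,  None,  (), "traffic_readable"),
    "Confidentiality": (1.0,   "OR",  ("many_identities", "traffic_readable"), None),
}

def build_graph(modules):
    """Attack A is the parent of attack B when a pre-condition of A is B's post-condition."""
    produced_by = {post: name for name, (_, _, _, post) in modules.items() if post}
    return {name: [produced_by[c] for c in pre] for name, (_, _, pre, _) in modules.items()}

GRAPH = build_graph(MODULES)

def unconditional(name, evidence=None):
    """Forward-propagate the probability of success from the leaves up to `name`.

    `evidence` maps an attack to True/False when its state is known.
    Child attacks are treated as independent (an assumption of this example).
    """
    evidence = evidence or {}
    if name in evidence:
        return 1.0 if evidence[name] else 0.0
    local, join, _, _ = MODULES[name]
    children = [unconditional(child, evidence) for child in GRAPH[name]]
    if not children:
        return local
    if join == "AND":   # Eq. (2): zero as soon as one child is zero
        return local * prod(children)
    if join == "OR":    # Eq. (3): zero only when every child is zero
        return local * (1 - prod(1 - p for p in children))
    raise ValueError(f"{name}: unknown join type {join!r}")

if __name__ == "__main__":
    print(round(unconditional("Sybil"), 4))            # Sybil, as in Eq. (4)
    print(round(unconditional("Confidentiality"), 4))  # constructed root
```

Passing evidence such as `{"Spoofing": False}` shows how ruling out one child attack removes an AND-joined parent from the threat to the root.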
Similarly, if we consider attack node, Sinkhole/Selective Forwarding ($SFwd$), it is connected to its children, Sybil ($Sy$) and Wormhole ($Worm$), via an AND join. Hence, the unconditional probability of Sinkhole will be computed using (3) as shown in (5).

$$\begin{aligned} &= \sum_{(Sy,Worm)\in\{T,F\}} \left((Pr(SFwd)^{T}) * Pr(Sy) * Pr(Worm)\right) \\ &= 0.612 \end{aligned} \tag{5}$$

Fig. 3. Attack Graph for WSN Security Parameter - Confidentiality

3) Time Frame Estimations: We computed time frames predicting the degradation of WSN security parameters by modeling our risk level estimations as a continuous-time Markov process. Such a model will consist of n service levels - SL0 to SLn. Attacks having the same misuse impact were grouped into the same service level in the Markov model. The transition from one service level to another was then computed based on the misuse frequency of the attacks. The first service level, SL0, has no impact on a WSN security parameter.
Whereas, the final service level, SLx, has full impact on a WSN security parameter. Thus, given these time frames we can take precautionary measures and perform maintenance in unattended WSNs before they reach an irreparable state.

For example, if we want to estimate the degradation of the WSN security parameter, confidentiality, we start off with constructing the service levels for confidentiality. Service level construction for a particular WSN security parameter requires us to identify the attacks whose end goal is to exploit the security parameter in question. This is done by referring to the attack patterns that were generated prior to the attack graph constructions. Once all the relevant attacks are identified, we estimate their misuse impact (MI). Every unique MI value will contribute towards a new service level, in addition to service levels, SL0 and SLx. Attacks having the same MI will belong to that service level. The instantiation of such a service level creation for confidentiality is depicted via Table II.

TABLE II
SERVICE LEVELS FOR CONFIDENTIALITY

| Service levels | Attacks |
|---|---|
| SL0(0) | - |
| SL1(0.14) | Node Subversion, Spoofing, Sinkhole, Blackhole, Node Replication/False Node, Malware attack |
| SL2(0.33) | Eavesdropping, Sybil, Selective Forwarding |
| SLx(1) | - |

Creation of the service levels is followed by the computations of the transition from service level SL0 to SLx. As described earlier, these computations are based off the misuse frequency (MF) values of the attacks belonging to a particular service level. An instantiation of the Transition rate matrix for confidentiality is given in Table III.

TABLE III
RATE TRANSITION MATRIX FOR CONFIDENTIALITY

| | SL0 | SL1 | SL2 | SLx |
|---|---|---|---|---|
| SL0 | 0 | 0.8216 | 0.8066 | 0 |
| SL1 | 0 | 0 | 0.6627 | 0 |
| SL2 | 0 | 0 | 0 | 0.4391 |
| SLx | 0 | 0 | 0 | 0 |

As shown in Table III, the transition rate for confidentiality to reach an unrepairable state is 43.91%. Using a time perspective of say 12 months, the time frame resulting in the complete degradation of confidentiality will result in about 5 months (43.91% of 12 months). Thus, utilizing this information, the security administrator can perform a periodic check in about 3 or 4 months to check for attacks exploiting confidentiality, in the absence of any evidence of attacks before that time period.

IV. CONCLUSION AND FUTURE WORK

In this paper, we have presented a risk assessment framework for WSNs in a sensor cloud environment which depicts the logical relationship between attacks on WSNs using attack graphs. The attacks were quantified based on CVSS scoring guidelines and were then depicted as Bayesian networks estimating the net threat level to WSN security parameters - confidentiality, integrity and availability. Additionally, we developed time frames estimating the degradation of these WSN security parameters. We would like to extend this work to supplement the current intrusion detection systems and validate the proposed risk assessment framework. Furthermore, we would like to use this risk assessment framework to assess security measures used for the network, determining the efficiency and effectiveness of security measures.

REFERENCES

[1] S. Madria, V. Kumar, and R. Dalvi, "Sensor cloud: A cloud of virtual sensors," IEEE Software, vol. 99, no. PrePrints, p. 1, 2013.
[2] J. P. Walters, Z. Liang, W. Shi, and V. Chaudhary, "Wireless sensor network security: A survey, in book chapter of security," in Distributed, Grid, and Pervasive Computing, Yang Xiao (Ed.). CRC Press, 2007, pp. 0–849.
[3] N. Poolsappasit, R. Dewri, and I. Ray, "Dynamic security risk management using Bayesian attack graphs," IEEE Trans. Dependable Secur. Comput., vol. 9, no. 1, pp. 61–74, Jan. 2012.
[4] National Vulnerability Database, "nvd.nist.gov."
[5] M. Frigault and L. Wang, "Measuring network security using Bayesian network-based attack graphs," in Proceedings of the 2008 32nd Annual IEEE International Computer Software and Applications Conference, ser. COMPSAC '08. Washington, DC, USA: IEEE Computer Society, 2008, pp. 698–703.
[6] S. Houmb and V. Nunes Leal Franqueira, "Estimating ToE risk level using CVSS," in Proceedings of the Fourth International Conference on Availability, Reliability and Security (ARES 2009 The International Dependability Conference), ser. IEEE Conference Proceedings. Los Alamitos: IEEE Computer Society Press, March 2009, pp. 718–725.
[7] Saint Vulnerability Scanner, "www.saintcorporation.com."
[8] Nessus Vulnerability Scanner, "www.tenable.com."
[9] O. Sheyner and J. Wing, "Tools for generating and analyzing attack graphs," in Proceedings of Formal Methods for Components and Objects, Lecture Notes in Computer Science, 2004, pp. 344–371.
[10] G. Padmavathi and D. Shanmugapriya, "A survey of attacks, security mechanisms and challenges in wireless sensor networks," CoRR, vol. abs/0909.0576, 2009.