Unity is strength!: combining attestation and measurements inspection to handle malicious data injections in WSNs

Attestation and measurements inspection are different but complementary approaches towards the same goal: ascertaining the integrity of sensor nodes in wireless sensor networks. In this paper we compare the benefits and drawbacks of both techniques and seek to determine how to best combine them. However, our study shows that no single solution exists, as each choice introduces changes in the measurements collection process, affects the attestation protocol, and gives a different balance between the high detection rate of attestation and the low power overhead of measurements inspection. Therefore, we propose three strategies that combine measurements inspection and attestation in different ways, and a way to choose between them based on the requirements of different applications. We analyse their performance both analytically and in a simulator. The results show that the combined strategies can achieve a detection rate close to attestation, in the range 96–99%, whilst keeping a power overhead close to measurements inspection, in the range 1–10%.


Vittorio P. Illiano, Rodrigo V. Steiner and Emil C. Lupu: Unity is strength!: combining attestation and measurements inspection to handle malicious data injections in WSNs.

ACM WiSec ’17 link (open access)


Hassan Chizari

Dr. Hassan Chizari joined the RISS Group in February 2017, coming from Universiti Teknologi Malaysia (UTM). Hassan is a Post Doctorate Research Associate (PDRA) at Imperial College London. He completed his bachelor's and master's degrees at Shiraz University (Iran) in ‘Computer Hardware’ and ‘Artificial Intelligence and Robotics’ respectively. He was a PhD candidate at UTM studying Wireless Sensor Networks and was awarded a PhD in Computer Networks. He worked at Imam Khomeini International University (IKIU) and Universiti Teknologi Malaysia (UTM) as a Lecturer and a Senior Lecturer for about 9 years. His main research interest is Wireless Sensor Networks, from both hardware and software perspectives, mainly in the cyber-security area.



Enabling Data Sharing in Contextual Environments: Policy Representation and Analysis

The paper “Enabling Data Sharing in Contextual Environments: Policy Representation and Analysis” was accepted at SACMAT 2017.

ACM Symposium on Access Control Models and Technologies (SACMAT 2017)

Authors: Erisa Karafili and Emil Lupu

Abstract: Internet of Things environments enable us to capture more and more data about the physical environment we live in and about ourselves. The data enable us to optimise resources, personalise services and offer unprecedented insights into our lives. However, to achieve these insights data need to be shared (and sometimes sold) between organisations, imposing rights and obligations upon the sharing parties and in accordance with multiple layers of sometimes conflicting legislation at international, national and organisational levels. In this work, we show how such rules can be captured in a formal representation called “Data Sharing Agreements”. We introduce the use of abductive reasoning and argumentation-based techniques to detect inconsistencies in the applicable rules and resolve them by assigning priorities to the rules. We show how, through the use of argumentation-based techniques, use cases taken from real-life applications are handled flexibly, addressing trade-offs between confidentiality, privacy, availability and safety.

Detecting Malicious Data Injections in Wireless Sensor Networks

Wireless Sensor Networks (WSNs) have become popular for monitoring critical infrastructures, military applications, and Internet of Things (IoT) applications.

However, WSNs carry several vulnerabilities in the sensor nodes, the wireless medium, and the environment. In particular, the nodes are vulnerable to tampering in the field, since they are often unattended and physically accessible, and the use of tamper-resistant hardware is often too expensive.

Malicious data injections consist of manipulations of the measurements-related data, which threaten the WSN’s mission since they enable an attacker to elicit a wrong response from the system, such as concealing the presence of problems, or raising false alarms.

Measurements inspection is a method for counteracting malicious measurements by exploiting internal correlations in the measurements themselves. Since it does not need extra data it is a lightweight approach, and since it makes no assumption on the attack vector it caters for several attacks at once.

Our first achievement was to identify the benefits and shortcomings of the current measurements inspection techniques and produce a literature survey, which was published in ACM Computing Surveys: V. P. Illiano and E. C. Lupu, “Detecting malicious data injections in wireless sensor networks: A survey”, Oct. 2015. The survey has revealed a large number of algorithms proposed for measurements inspection in sensor measurements. However, malicious data injections are usually tackled together with faulty measurements. Nevertheless, malicious measurements are, by and large, more difficult to detect than faulty measurements, especially when multiple malicious sensors collude and produce measurements that are consistent with each other.

We have designed an initial algorithm, which effectively detects malicious data injections in the presence of sophisticated collusion strategies among a subset of sensor nodes when a single event of interest (e.g. fire, earthquake, power outage) occurs at a time. The detection algorithm selects only information that appears reliable. Thanks to an aggregation operator that is accurate in the presence of genuine measurements as well as resistant to malicious data, colluding sensors cannot compensate for each other in the detection metric whilst still injecting malicious data. This work was published in IEEE Transactions on Network and Service Management: V. Illiano and E. Lupu, “Detecting malicious data injections in event detection wireless sensor networks”, Sept. 2015.

When multiple events manifest, more complex attack strategies are possible, such as creating false events near legitimate ones, transforming a severe event into several mild events, etc. We have then reviewed and re-developed the initial approach to cope with such complex scenarios. Furthermore, we have dealt with the problem of characterisation, i.e. identification of the compromised sensors, and diagnosis, i.e. inferring when the anomaly is most likely malicious or faulty. This work has been published in IEEE Transactions on Dependable and Secure Computing: V. P. Illiano, L. Munoz-Gonzalez, and E. Lupu, “Don’t fool me!: Detection, characterisation and diagnosis of spoofed and masked events in wireless sensor networks”, 2016.

Whilst detection proved highly reliable even in the presence of several colluding nodes, we have observed that more genuine nodes are needed to make a correct characterisation of malicious nodes. Hence, we have studied techniques to increase the reliability in identifying malicious nodes through occasional recourse to Software Attestation, a technique that is particularly reliable in detecting compromised software, but is also expensive for the limited computation and energy resources of the sensor nodes. Based on a thorough analysis of the aspects that make measurements inspection and software attestation complementary, we have designed methods that achieve a reliability as high as that of attestation with an overhead as low as that of measurements inspection. This work will appear in the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2017).
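The sketch below is an added illustration, not the algorithms from the papers cited above: it shows why a non-robust aggregate lets colluding sensors mask each other, how a robust aggregate (here median and MAD, chosen as a stand-in) resists that, and how attesting only the flagged nodes limits attestation cost. The readings, thresholds, and the `attest` stub are constructed assumptions.

```python
from statistics import mean, median, pstdev

# Constructed readings (degrees C) from nine co-located sensors; s6-s8 are
# assumed compromised and collude on a mutually consistent false value.
READINGS = {"s0": 21.0, "s1": 21.4, "s2": 20.8, "s3": 21.1, "s4": 20.9,
            "s5": 21.3, "s6": 35.0, "s7": 35.2, "s8": 34.9}
COMPROMISED = {"s6", "s7", "s8"}  # ground truth, seen only by the attestation stub


def flag_mean(readings, z=2.0):
    """Non-robust inspection: z-score against mean and standard deviation.

    Colluders drag the mean towards themselves and inflate the deviation,
    so none of them exceeds the threshold.
    """
    mu, sigma = mean(readings.values()), pstdev(readings.values())
    return {n for n, x in readings.items() if abs(x - mu) > z * sigma}


def flag_median(readings, z=3.0):
    """Robust inspection: deviation from the median, scaled by the MAD.

    A colluding minority cannot move the median or the MAD very far.
    """
    med = median(readings.values())
    mad = median(abs(x - med) for x in readings.values())
    scale = 1.4826 * mad or 1e-9  # guard against a zero MAD
    return {n for n, x in readings.items() if abs(x - med) > z * scale}


def attest(node):
    """Stand-in for software attestation: assumed reliable but costly."""
    return node not in COMPROMISED


def inspect_then_attest(readings):
    """Attest only nodes flagged by inspection; return (confirmed, attestations run)."""
    suspects = flag_median(readings)
    confirmed = {n for n in suspects if not attest(n)}
    return confirmed, len(suspects)


if __name__ == "__main__":
    print("mean-based flags:  ", sorted(flag_mean(READINGS)))
    print("median-based flags:", sorted(flag_median(READINGS)))
    print("confirmed, cost:   ", inspect_then_attest(READINGS))
```

In this constructed case three attestations are run instead of nine; the robust step only holds while genuine nodes remain the majority, which is the characterisation limit noted above.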

More recently, we are working on the evaluation of the technique against evasion, i.e. an attacker that maximises the chance to stay undetected whilst causing damage.

Don’t fool me!: Detection, Characterisation and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks

Wireless Sensor Networks carry a high risk of being compromised, as their deployments are often unattended, physically accessible and the wireless medium is difficult to secure. Malicious data injections take place when the sensed measurements are maliciously altered to trigger wrong and potentially dangerous responses. When many sensors are compromised, they can collude with each other to alter the measurements making such changes difficult to detect. Distinguishing between genuine and malicious measurements is even more difficult when significant variations may be introduced because of events, especially if more events occur simultaneously. We propose a novel methodology based on wavelet transform to detect malicious data injections, to characterise the responsible sensors, and to distinguish malicious interference from faulty behaviours. The results, both with simulated and real measurements, show that our approach is able to counteract sophisticated attacks, achieving a significant improvement over state-of-the-art approaches.


Vittorio P. Illiano, Luis Muñoz-González and Emil C. Lupu: Don’t fool me!: Detection, Characterisation and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks.

To appear in IEEE Transactions on Dependable and Secure Computing
IEEE TNSM link (open access)

Attestation in Wireless Sensor Networks: A Survey

Attestation is a mechanism used by a trusted entity to validate the software integrity of an untrusted platform. Over the past few years, several attestation techniques have been proposed. While they all use variants of a challenge-response protocol, they make different assumptions about what an attacker can and cannot do. …

Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection

Recent statistics show that in 2015 more than 140 million new malware samples were found. Among these, a large portion is due to ransomware, the class of malware whose specific goal is to render the victim’s system unusable, in particular by encrypting important files, and then to ask the user to pay a ransom to revert the damage. Several ransomware samples include sophisticated packing techniques, and are hence difficult to statically analyse. We present EldeRan, a machine learning approach for dynamically analysing and classifying ransomware. EldeRan monitors a set of actions performed by applications in their first phases of installation, checking for characteristic signs of ransomware. Our tests over a dataset of 582 ransomware samples belonging to 11 families, and with 942 goodware applications, show that EldeRan achieves an area under the ROC curve of 0.995. Furthermore, EldeRan works without requiring that an entire ransomware family is available beforehand. These results suggest that dynamic analysis can support ransomware detection, since ransomware samples exhibit a set of characteristic features at run-time that are common across families, and that helps the early detection of new variants. We also outline some limitations of dynamic analysis for ransomware and propose possible solutions.

Daniele Sgandurra, Luis Muñoz-González, Rabih Mohsen, Emil C. Lupu. In ArXiv e-prints, arXiv:1609.03020, September 2016.