Sage Journals: Discover world-class research

Abstract

Wireless sensor control networks (WSCNs) are important scenarios and trends in mobile wireless sensor networks. Compared with traditional wireless sensor networks, WSCNs have two specific characteristics: entities in networks are extended from passive sensors to active sensors (e.g., actuators and actors) and the transmitting messages are extended from data only to data plus (e.g., data and control instructions). Thus new security problems arises. In this paper, we make the first attempt to specify the security requirements for WSCNs, namely, indistinguishability, reachability, and timeliness. In addition, several new attacks in WSCN, distinguishing risks, dropping attacks, and disordering attacks, are pointed out at the first time. A lightweight scheme LIRT is proposed with tailored design to guarantee the indistinguishability, reachability, and timeliness in WSCNs. Extensive and rigorous analysis on LIRT justifies its security strength and performance measures.

1. Introduction

Mobile wireless sensor networks are an extended form of traditional wireless sensor networks where nodes are not static but mobile. Recently, sensors in mobile wireless sensor networks become more and more versatile, for example, underwater sensors, body sensors, and control sensors. The control sensors are usually divided into two classes: actuators and actors. Those actuator and actor sensor networks extend traditional wireless sensor networks from passive networks to active networks, from data networks to control networks, via adding functionalities such as response and action. The actuator and actor sensor networks start to be applied in new applications such as smart grid, smart city, smart building, and factory automation, to name a few [1–3].

Wireless actuator and actor sensor networks can be viewed as wireless sensor control networks (WSCNs) over a group of sensors. WSCNs have two distinctions compared with traditional wireless sensor networks as follows. (1) The entities in networks are extended from sensors only to sensors plus. For example, there exist sensors, actuators, and actors in WSCNs. Actuators may perform actively for controlling, but sensors in traditional wireless sensor networks usually act passively for collecting data. (2) The transmitting messages in networks are extended from data only to data plus, for example, data messages and control messages. Therefore, new security problems arise in WSCNs. If entities in WSCNs can be distinguished by adversaries, adversaries will be able to launch a target attack (that has been explored in our previous paper [4]); if data or control messages are dropped by adversaries, the control loop will be terminated; if data or control messages are disordered, the control status or sequences may be disturbed. We called them indistinguishability, reachability, and timeliness problems in WSCNs. Note that those security problems cannot be solved by previous security schemes for traditional wireless sensor networks due to the specialities of WSCNs. We thus have to explore new methods to solve them, especially, in a tailored design manner.

Concretely, security in wireless control networks starts to attract more and more attention [5–9]. Those work majorally address different contexts from WSCNs, so the solutions may not be able to tackle the aforementioned security requirements. Moreover, the security problems in WSCNs are challengeable due to the inherent properties: wireless lossy channels, jamming-sensitive links, resource-constraint sensor devices, control timing demands, and control sequence ordering requirements.

In this paper, we make the first attempt to clarify and analyze the security requirements in WSCNs and then propose a lightweight scheme called LIRT to guarantee those requirements, namely, indispensability, reachability, and timeliness in WSCNs. We formally prove the achievement of the proposed scheme. Different from other works and previous approaches, all presentations in the paper strictly follow formal expressions for better clarity and rigorous generality.

The contributions of the paper are listed as follows. (i)

We make the first attempt to define formal attacks and security requirements in WSCNs, namely, indistinguishability, reachability, and timeliness in WSCNs.

(ii)

We make the first attempt to propose a lightweight scheme to guarantee those security requirements and formally prove the security goals that are achieved.

The rest of the paper is organized as follows. Section 2 gives an overview on relevant prior work. In Section 3 we discuss the basic assumption and models used throughout the paper. Section 4 provides the detailed description and analysis of our proposed scheme. Finally, Section 5 concludes the paper.

2. Related Work

Wireless sensor networks for automation control have attracted more and more attention in recent years [5, 8, 10–12]. Yen et al. [5] proposed packet loss problem in wireless networked control system over IEEE 802.15.4e. They proposed redundant transmission. de Filippi et al. [7] proposed single-sensor control strategies for semiactive steering damper control in two-wheeled vehicles. Thurman et al. [9] explored acoustic sensors in an unmanned underwater vehicle to provide full autonomy control. Au et al. [13] proposed energy-efficient classification algorithms for wearable sensor systems. All the above work focuses on control performance but not control security.

The security problems in WSCNs have not been thoroughly explored in recent work. Target attacks for wireless machine-to-machine control networks are first pointed out by our previous work [4]. We also proposed a scheme called RISE to mitigate target attacks. Stealthy deception attacks in water SCADA systems are first pointed out by Amin et al. [6]. They discuss sensor networks but mainly in wired SCADA networks. Zheng et al. [3] discussed reliable problem in wireless communication networks that support demand and response control. They proposed several methods for deriving reliability performance. Short et al. [2] discussed burst errors in wireless control networks. They proposed application-level strategies for ameliorating the effects of packet losses and burst errors in sampled-data control systems. Above related work are independent with our discussion and solution in the following, as our analysis for the security requirements are different from them.

3. Problem Formulation

3.1. Network Model and Attack Model

There exist three major entities (denoted as $E$ ) in WSCNs: sensors (denoted as $S$ ), actuator (denoted as $U$ ), and actors (denoted as $C$ ). Usually, sensors send data to actuators. Actuators send instructions to actors. Actors execute instructions. The number of sensors is usually more than that of actuators. The number of actuators is usually less than that of actors. Figure 1 depicts the entities in WSCNs.

Figure 1

Wireless sensor control networks. Sensors collect sensing data; actuators respond corresponding instructions; actors execute those instructions.

We assume that the links among sensors, actuators, and actors are not secure. The adversaries (denoted as $A$ ) in the links can launch the following attacks. We assume that the security boundary is out of the entities of WSCNs. That is, we assume entities are trustworthy. The trust models in WSCN scenarios are analyzed in detail in our previous work [14].

Definition 1 (message distinguishing risk ( $R_{m}$ )).

Adversaries may distinguish data and instructions in transmitting messages in WSCNs, after viewing the behavior and messages among entities in WSCNs.

The observation is the only advantage of adversaries, as we suppose the links are not secure. It can be formally described as follows: $\begin{array}{l} R_{m} = Pr {A correctly guesses m^{*} \in D ∥ m^{*} \in I \\ ∣ m^{*} ⟸ D \cup I, 2^{E_{i} \to E_{i} : {m^{*}}}, A ⟸ m^{*}}, \end{array}$ (1) where $Pr {A ∣ B}$ denotes the probability that A happens after event B happens; D means data; I means instructions; $m^{*}$ is any message in D or I; $2^{ϕ}$ means the power set of a set ϕ.

Definition 2 (entity distinguishing risk ( $R_{e}$ )).

Adversaries may distinguish sensors, actuators, and actors among entities in WSCNs, after viewing the behavior and messages among entities in WSCNs.

It can be formally described as follows: $\begin{array}{l} R_{e} = Pr {A correctly guesses E_{i} \in S (∥ U ∥ C) \\ ∣ E_{i} ⟸ S (∥ U ∥ C), 2^{E_{i} \to E_{j} : {m^{*}}}, A ⟸ m^{*}} . \end{array}$ (2)

Definition 3 (dropping attack ( $A_{d}$ )).

Adversaries may drop data that are sent from sensors to actuators and instructions that are sent from actuators to actors.

Definition 4 (disordering attack ( $A_{i}$ )).

Adversaries may disturb the arrival time of data at actuators and the arrival time of instructions at actors.

It is natural to see that the prerequisite for dropping attack is message distinguishing risk and entity distinguishing risk.

The disordering attack can be launched without any prerequisite information about message distinguishing risk and entity distinguishing risk. It is thus much easier to be launched via just jamming arbitrary packets into channels, and it is thus more difficult to be defended against.

3.2. Security Definition and Design Goal

The security requirements are defined as follows.

Definition 5 (indistinguishability).

The data and instruction cannot be distinguished from messages by adversaries from all their observations. The sensors, actuators, and actors cannot be distinguished from entities by adversaries from their observations.

Indistinguishability is formally described as $\begin{matrix} H (S ∣ O) = H (U ∣ O) = H (C ∣ O) = H (S) = H (U) \\ = H (C), \end{matrix}$ (3) where O is the observation of adversaries; H is the entropy of correctly guessing on entities.

Definition 6 (reachability).

The data can arrive at designated actuators finally, and instructions can arrive at designated actors finally.

Definition 7 (timeliness).

The data can arrive at actuators timely, and instructions can arrive at actors timely.

Therefore, the design goal is to propose a scheme for guaranteeing indistinguishability, reachability, and timeliness in a lightweight way.

4. Proposed Schemes

We list major notations used in the remainder of the paper in Table 1.

Table 1

Notations.

WSCNs	Wireless sensor control networks
$E$	Entities
$S$	Sensors
$U$	Actuators
$C$	Actors
$A$	Adversaries
$R_{m}$	Message distinguishing risk
$R_{e}$	Entity distinguishing risk
$A_{d}$	Dropping attack
$A_{i}$	Disordering attack

4.1. Indistinguishability

As message distinguishing risk, $R_{m}$ , and entity distinguishing risk, $R_{e}$ , are the prerequisite of dropping attack, $A_{d}$ , we first propose a method to eliminate those risks.

Proposition 8.

Entity indistinguishability is equivalent to message indistinguishability.

Proof (straightforward).

If entities are distinguishable, messages will be distinguishable via the entities who send; if messages are distinguishable, entities will be distinguishable by analyzing their sending messages.

Thus, we discuss two risks together. We firstly analyze the information or advantages that can be obtained by adversaries. Adversaries can observe the following behavior and messages in WSCNs.

The messages that can be observed for message distinguishing are as follows:

(M-O1) the length of the messages that are sent among entities,

(M-O2) the format and semantics of the messages that are sent among entities.

The behavior that can be observed for distinguishing entities is as follows.

(B-O1) The sending sequence of the messages and entities, it is a list of messages and entities which send messages in an observing time span. For example, in an observation time span with k minutes, the sending sequences of messages are ${m_{1}, m_{2}, \dots, m_{n}}$ . In an observation time span with k minutes, the sending sequences of entities who send messages are ${E_{1}, E_{2}, \dots, E_{n}}$ , where $E_{i} \in E$ , $i = 1, \dots, n$ . The sequences can be observed for distinguishing entities. For example, sensors may always stand at the head of the sequence, and actors may always stand at the rear of the sequence.

(B-O2) The interval of two sequentially sending messages at any two entities; for example, $E_{i}$ sends $m_{p}$ , and then $E_{j}$ sends $m_{p + 1}$ . $m_{p}$ , $m_{p + 1}$ are two consecutively sending messages. The time interval between these two messages can be observed for distinguishing entities. For example, actuators may always send a message after sensors send a message, and actors may always send a message after actuator sends a message.

(B-O3) The interval of two consecutively sending messages at one entity, for example, $E_{i}$ sends $m_{p}$ and $m_{p + 1}$ sequentially, where $E_{i} \in E, m_{p}, m_{p + 1}$ . That is, $m_{p}$ , $m_{p + 1}$ are two sequential messages sent from $E_{i}$ . The time interval between these two messages can be observed for distinguishing entities. For example, sensors may always send messages in a fixed interval.

(B-O4) The interval of k sequentially sending messages at any k entities, it is a generalization of (B-O2). For example, suppose k entities send k messages sequentially. They are $E_{1}, E_{2}, \dots, E_{k}$ . The time interval among them can be observed for distinguishing entities. For example, sensors, actuators, and actors may form a control loop. Observing loops may infer the entity observed.

(B-O5) The interval of k sequential sending messages at one entity, it is a generalization of (B-O3). For example, $E_{i}$ sends k messages: $m_{1}, m_{2}, \dots, m_{k}$ , where $E_{i} \in E$ . The time interval among them can be observed for distinguishing entities. For example, intervals for message sending at sensors, at actuators, or at actors may be quite different. Observing those difference may infer the entity observed.

Proposition 9.

If and only if the observation is indistinguishable, the message and entity are indistinguishable.

Proof.

The observation at adversaries is the only knowledge to distinguish message and entity. If and only if the observation is indistinguishable, the message and entity are indistinguishable.

Therefore, we propose the following strategies via randomization to make observation indistinguishable. Each strategy addresses one observation.

(IND-S1) All messages that are sent among entities have the same length.

(IND-S2) All messages that are sent among entities are encrypted for hiding semantics.

(IND-S3) The sending sequence of the messages among entities is randomized.

(IND-S4) The interval of two sequentially sending messages at any two entities is randomized.

(IND-S5) The interval of two sequentially sending messages at one entity is randomized.

(IND-S6) The intervals of k sequentially sending messages at any k entities are randomized.

(IND-S7) The intervals of k sequentially sending messages at one entity are randomized.

Proposition 10.

Strategy (IND-S6) can be guaranteed by (IND-S4).

Proof (straightforward).

As any interval of two sequentially sending messages at any two entities is randomized, and the intervals of k sequentially sending messages at any k entities in k are also randomized.

Proposition 11.

Strategy (IND-S7) can be guaranteed by (IND-S5).

Proof (straightforward).

The interval of two sequentially sending messages at one entity is randomized, the intervals of k sequentially sending messages at one entity are thus also randomized.

Thus, the sending algorithm for indistinguishability (called SAI algorithm) at each entity is proposed in Algorithm 1.

Algorithm 1: Sending algorithm for indistinguishability (SAI algorithm).

Date: $M = {D ∥ I ∥ N U L L}, W$

Result: Sending Packets with Indistinguishability

Initialization;

While T do

$M \Leftarrow G e t O u t Q u e u e B u f f e r ()$ ;

//Get packet from Outgoing Queue

$t \Leftarrow R a n d o m () % W$ ;

//W is the suspended time slot

$S u s p e n d (t)$ ;

if $(M < > N U L L)$ then

$T e m p P k t \Leftarrow E x t e n d T o F i x L e n (M)$ ;

//Maintain the same length

else

$T e m p P k t \Leftarrow C r e a t e F i x L e n D u m m y ()$ ;

//Create dummy packet

end

$M^{'} \Leftarrow M a s k M s g (T e m p P k t)$ ;

//Encryption before sending

$S e n d M s g (M^{'})$ ;

end

4.2. Reachability

As adversaries cannot distinguish messages and entities, they have to drop messages (e.g., by jamming channels) randomly to launch a dropping attack.

To guarantee the reachability of the data and instruction messages, we propose the following strategies via redundancy.

(RCH-S1) Data and instruction are sent for α times.

Proposition 12.

If the dropping probability of a packet is p, strategy (RCH-S1) can guarantee the reachability with probability $1 - p^{α}$ .

Proof.

As the dropping probability of one packet is p, its reachability is $1 - p$ . The probability of α packets that are dropped is $p^{α}$ , and the reachability of at least one in α packets is thus $1 - p^{α}$ .

The repeat sending for α times can increase the probability of reachability, but it also causes communication overhead. In the following strategies, we will tackle the communication overhead by optimization.

(RCH-S2) Data and instruction are sent for random times in $[β_{1}, β_{2}]$ . The repeat times are varied. Usually, we have $α = β_{2}$ . Therefore, it can both increase the probability of reachability and tackle the communication overhead.

Proposition 13.

If the dropping probability of a packet is p, strategy (RCH-S2) can guarantee the reachability with probability at least $(1 / (β_{2} - β_{1})) \sum_{β_{1}}^{β_{2}} (1 - p^{i})$ .

Proof.

The reachability of one packet in $[β_{1}, β_{2}]$ is $1 - p^{i}$ , $i \in [β_{1}, β_{2}]$ . The expectation of this probability for all i, $i \in [β_{1}, β_{2}]$ is thus $(1 / (β_{2} - β_{1})) \sum_{β_{1}}^{β_{2}} (1 - p^{i})$ .

Proposition 14.

The average communication overhead in (RCH-S2) is less than (RCH-S1) by $1 - (β_{1} + β_{2}) / 2 α$ .

Proof (straightforward).

The communication overhead in (RCH-S1) is $O (α)$ ; the communication overhead in (RCH-S2) is $O ((β_{1} + β_{2}) / 2)$ . Thus, the advantages in (RCH-S2) compared with (RCH-S1) are $(α - (β_{1} + β_{2}) / 2) / α$ . That is, $1 - (β_{1} + β_{2}) / 2 α$ .

(RCH-S3) The repeating times at originators for data or instruction are $γ_{1}$ . The repeating times at forwarders for dummy packets are $γ_{2}$ . Usually, $γ_{1} ≪ β_{1}$ , $γ_{1} + γ_{2} \approx α$ .

Originators are the entities where data or instruction are originated from. For example, the first sensor who sends the data is the originator for that data. Forwarders are the entities between originators and designated destination entities. That is, forwarders forward the data or instruction to packet destination. The dummy packets at immediate forwarders are not created from meaningless dummy string (NULL) but created from data or instruction received previously by immediate forwarders. That is, before forwarders send dummy packets, they choose the last one in received data or instruction as a dummy packet. This strategy can both improve the reachability of data or instruction and mitigate the communication overhead.

Proposition 15.

If the dropping probability of a packet is p, strategy (RCH-S3) can guarantee the reachability with probability $1 - p^{γ_{1} + γ_{2}}$ . The communication overhead is $γ_{1} / α$ of that in strategy (RCH-S1).

Proof (straightforward).

The proof is similar to the former proposition.

The sending algorithm for reachability (SAR algorithm) at each entity is given in Algorithm 2.

Algorithm 2: Sending algorithm for reachability (SAR algorithm).

Date: $M = {D ∥ I ∥ N U L L}, γ_{1}, γ_{2}, W$

Result: Sending Packets for Reachability

//at Originators:

Initialization;

while T then

$M \Leftarrow G e t O u t Q u e u e B u f f e r ()$ ;

if $(M < > N U L L)$ then

$C o u n t \Leftarrow 0$ ;

while $C o u n t < γ_{1}$ do

$t \Leftarrow R a n d o m () % W$ ;

//W is suspended time slot

$S u s p e n d (t)$ ;

$T e m p P k t \Leftarrow E x t e n d T o F i x L e n (M)$ ;

$M^{'} \Leftarrow M a s k M s g (T e m p P k t)$ ;

$S e n d M s g (M^{'})$ ;

$C o u n t + +$ ;

end

else

$t \Leftarrow R a n d o m () % W$ ;

$S u s p e n d (t)$ ;

$T e m p P k t \Leftarrow C r e a t e F i x L e n D u m m y ()$ ;

$M^{'} \Leftarrow M a s k M s g (T e m p P k t)$ ;

$S e n d M s g (M^{'})$ ;

end

//at Forwarders:

Initialization;

while T do

$M \Leftarrow G e t I n Q u e u e B u f f e r ()$ ;

//Get packet from ingress queue

if $(M < > N U L L)$ then

$C o u n t \Leftarrow 0$ ;

while $(C o u n t < γ_{2})$ do

$t \Leftarrow R a n d o m () % W$ ;

$S u s p e n d (t)$ ;

$T e m p P k t \Leftarrow E x t e n d T o F i x L e n (M)$ ;

$M^{'} \Leftarrow M a s k M s g (T e m p P k t)$ ;

$S e n d M s g (M^{'})$ ;

$C o u n t + +$ ;

end

else

$t \Leftarrow R a n d o m () % W$ ;

$S u s p e n d (t)$ ;

$T e m p P k t \Leftarrow C r e a t e F i x L e n D u m m y ()$ ;

$M^{'} \Leftarrow M a s k M s g (T e m p P k t)$ ;

$S e n d M s g (M^{'})$ ;

end

4.3. Timeliness

Adversaries cannot distinguish messages and entities. The dropping attack cannot aim at designated messages or entities. The dropping is thus randomly dropping, for example, by jamming channels. The jamming subsequently results in disordering attack. The timeliness of the control operations is damaged. To guarantee the timeliness of the data and instruction messages, we propose following strategies.

(TML-S1) The suspended time is randomly chosen from a time slot that is shortened exponentially. That is, $W_{s} \overset{r}{\Leftarrow} 1 / 2^{n} * W$ , where W is the maximal suspended time slot at the first time; n is the suspending times; $\overset{r}{\Leftarrow}$ means “is randomly chosen from”; $W_{s}$ is the actual suspended time. The timeliness can be improved with the exponentially shortening of suspended time. This strategy is corresponding to (RCH-S1).

Proposition 16.

If the suspended time slot W in α times is shortened to $1 / 2^{α} W$ , strategy (TML-S1) can guarantee the timeliness with total suspended time $\sum_{i = 1}^{α} ‍ (1 / 2^{i}) * W$ .

Proof.

Suppose the suspended time slot is W, the suspended time in expectation is $1 / 2 W$ . If the suspended time slot is shortened to $1 / 2^{n} * W$ , the suspended time in expectation is $1 / 2^{n + 1} * W$ . If first $α - 1$ are all dropped by adversaries, the worst suspended time is $\sum_{i = 1}^{α} (1 / 2^{i}) * W$ .

Similarly, (TML-S2) can be proposed corresponding to (RCH-S2). That is, when data and instruction are sent for random times in $[β_{1}, β_{2}]$ , the suspending time between two consecutively sending is randomly chosen from a time slot that is shortened exponentially. That is, $W_{s} \overset{r}{\Leftarrow} 1 / 2^{n} * W$ .

(TML-S3) We propose to shorten the suspended time slot exponentially at forwarders. The minimum is lower bounded by a threshold value, denoted as Th.

The sending algorithm for timeliness (SAT algorithm) at each entity is given in Algorithm 3.

Algorithm 3: Sending algorithm for timeliness (SAT algorithm).

Date: $M = {D ∥ I ∥ N U L L}, γ_{1}, γ_{2}, W$

Result: Sending Packets for Timeliness

//at Originators: Initialization;

While T do

$M \Leftarrow G e t O u t Q u e u e B u f f e r ()$ ;

if $(M < > N U L L)$ then

$C o u n t \Leftarrow 0$ ;

$W^{'} \Leftarrow W$ ;

While $(C o u n t < γ_{1})$ do

$t \Leftarrow R a n d o m () % W^{'}$ ;

$W^{'} \Leftarrow \max (1 / 2 * W^{'}, T h)$ ;

//Exponentially suspending

$S u s p e n d (t)$ ;

$T e m p P k t \Leftarrow E x t e n d T o F i x L e n (M)$ ;

$M^{'} \Leftarrow M a s k M s g (T e m p P k t)$ ;

$S e n d M s g (M^{'})$ ;

$C o u n t + +$ ;

end

else

$t \Leftarrow R a n d o m () % W$ ;

$S u s p e n d (t)$ ;

$T e m p P k t \Leftarrow C r e a t e F i x L e n D u m m y ()$ ;

$M^{'} \Leftarrow M a s k M s g (T e m p P k t)$ ;

$S e n d M s g (M^{'})$ ;

end

//at Forwarders: Initialization;

while T do

$M \Leftarrow G e t I n Q u e u e B u f f e r ()$ ;

if $(M < > N U L L)$ then

$C o u n t \Leftarrow 0$ ;

$W^{'} \Leftarrow W$ ;

while $(C o u n t < γ_{2})$ do

$t \Leftarrow R a n d o m () % W^{'}$ ;

$W^{'} \Leftarrow \max (1 / 2 * W^{'}, T h)$ ;

$S u s p e n d (t)$ ;

$T e m p P k t \Leftarrow E x t e n d T o F i x L e n (M)$ ;

$M^{'} \Leftarrow M a s k M s g (T e m p P k t)$ ;

$S e n d M s g (M^{'})$ ;

$C o u n t + +$ ;

end

else

$t \Leftarrow R a n d o m () % W$ ;

$S u s p e n d (t)$ ;

$T e m p P k t \Leftarrow C r e a t e F i x L e n D u m m y ()$ ;

$M^{'} \Leftarrow M a s k M s g (T e m p P k t)$ ;

$S e n d M s g (M^{'})$ ;

end

Proposition 17.

Strategy (TML-S3) does not damage indistinguishability.

Proof.

Everyone in WSCNs may be originators or forwarders. It depends on messages to forwarder or originator. Originators or forwarders both shorten suspended time slot exponentially. Thus, strategy (TML-S3) does not damage indistinguishability.

Proposition 18.

If the suspended time slot W in $γ_{1}$ times is shortened to $1 / 2^{γ_{1}} W$ at originators and in $γ_{2}$ times is shortened to $1 / 2^{γ_{2}} W$ , strategy (TML-S1) can guarantee the timeliness with time $(\sum_{i = 1}^{γ_{1}} (1 / 2^{i}) + \sum_{i = 1}^{γ_{2}} (1 / 2^{i})) * W$ .

Proof (straightforward).

The proof is similar to the proof of the former proposition.

The proposed scheme—LIRT—is the combination of strategies for indistinguishability, reachability, and timeliness. As the strategy (TML-S3) includes SAI, SAR, and SAT, it can be viewed as an appropriate version of LIRT. As the scheme is described intentionally in an incremental manner in this section, the advantages of LIRT are clear to follow for its advantages due to the improvements step by step.

5. Discussion

In former discussion, feedback information such as networking status and receiver's acknowledgement is not used for simplicity. If feedback information is available, it can be used to enhance previous strategies by achieving adaptive and optimal overall performance. The feedback information that can be gathered by senders is as follows. (i)

The network feedback on network status, it is sent by intermediate forwarders or detectors, and it reports congestion, risks, and dropping rate of messages.

(ii)

The feedback from receivers, it is sent by designated destination of messages, and it reports message arrival, delay, jitter, and timeliness.

If the feedback information is available in WSCNs, the strategies can be enhanced by intelligent method for adaptivity and optimization.

6. Conclusions

WSCNs are important types in mobile wireless sensor networks and present their own characteristics compared with traditional wireless sensor networks. In this paper, we made the first attempt to specify the security requirements for WSCNs, in which of the upmost importance are indistinguishability, reachability, and timeliness. To clarify and illustrate the security requirements, several new attacks in WSCNs were pointed out at the first time, for example, distinguishing risks, dropping attacks, and disordering attacks. To defend against those attacks, a lightweight scheme LIRT was proposed. LIST can guarantee the indistinguishability, reachability, and timeliness in WSCNs, which is justified by extensive and rigorous analysis on security strength. The performance of LIRT is also measured by communication overhead, to confirm its applicability in realistic scenarios.

Footnotes

Acknowledgments

Wei Ren's research was financially supported by the National Natural Science Foundation of China (61170217),the Open Research Fund from the Shandong Provincial Key Laboratory of Computer Network (SDKLCN-2011-01),Fundamental Research Funds for the Central Universities (CUG120109),and Wuhan Planning Project of Science and Technology (2013010501010144). Yi Ren's research was sponsored in part by the “Aim for the Top University Project” of the National Chiao Tung University and the Ministry of Education,Taiwan.

References

Masoum

M. A. S.

Moses

P. S.

Smedley

K. M.

Distribution transformer losses and performance in smart grids with residential plug-in electric vehicles

Proceedings of the IEEE PES Innovative Smart Grid Technologies (ISGT '11)

January 2011

1 7

2-s2.0-79958006867

10.1109/ISGT.2011.5759174

Short

Abrar

Abugchem

Application level compensation for burst errors in wireless control networks

Proceedings of the 17th IEEE Conference on Emerging Technologies Factory Automation (ETFA '12)

2012

1 8

Zheng

Cai

Reliable wireless communication networks for demand response control

IEEE Transactions on Smart Grid 2013 4 1 133 140

10.1109/TSG.2012.2224892

Ren

RISE: a reliable and secure scheme for wireless machine to machine communications

Tsinghua Science & Technology 2013 18 1 100 117

Yen

Hop

Yoo

Redundant transmission in wireless networked control system over IEEE 802.15.4e

Proceedings of the International Conference on Information Networking (ICOIN '13)

2013

628 631

Amin

Litrico

Sastry

Bayen

A. M.

Cyber security of water scada systems—part I: analysis and experimentation of stealthy deception attacks

IEEE Transactions on Control Systems and Technology 2012 21 1963 1970

10.1109/TCST.2012.2211873

de Filippi

Corno

Tanelli

Savaresi

S. M.

Single-sensor control strategies for semi-active steering damper control in two-wheeled vehicles

IEEE Transactions on Vehicular Technology 2012 61 2 813 820

2-s2.0-84857319332

10.1109/TVT.2011.2180031

Ploennigs

Vasyutynskyy

Kabitzsch

Comparative study of energy-efficient sampling approaches for wireless control networks

IEEE Transactions on Industrial Informatics 2010 6 3 416 424

2-s2.0-77955709887

10.1109/TII.2010.2051812

Thurman

Riordan

Toal

Real-time adaptive control of multiple colocated acoustic sensors for an unmanned underwater vehicle

IEEE Journal of Oceanic Engineering 2013 38 3 419 432

10.1109/JOE.2012.2227585

10.

Lee

Kim

Synchronization algorithm for hybrid control networks: can and wireless control networks

Proceedings of the IEEE 54th International Midwest Symposium on Circuits and Systems (MWSCAS '11)

2011

1 4

11.

Son

Tan

Kim

Backoff algorithm for time critical sporadic data in industrial wireless sensor networks

Proceedings of the International Conference on Advanced Technologies for Communications (ATC '12)

2012

255 258

12.

Swartz

R. A.

Lynch

J. P.

Loh

C.-H.

Near real-time system identification in a wireless sensor network for adaptive feedback control

Proceedings of the American Control Conference (ACC '09)

June 2009

3914 3919

2-s2.0-70449638456

10.1109/ACC.2009.5160493

13.

L. K.

Bui

A. A. T.

Batalin

M. A.

Kaiser

W. J.

Energy-efficient context classification with dynamic sensor control

IEEE Transactions on Biomedical Circuits and Systems 2012 6 2 167 178

2-s2.0-84860437418

10.1109/TBCAS.2011.2166073

14.

Ren

How to authenticate a device? Formal authentication models for M2M communications defending against ghost compromising attack

International Journal of Distributed Sensor Networks 2013 2013 9

679450

10.1155/2013/679450

LIRT: A Lightweight Scheme for Indistinguishability,Reachability,and Timeliness in Wireless Sensor Control Networks

Abstract

1. Introduction

2. Related Work

3. Problem Formulation

3.1. Network Model and Attack Model

Definition 1 (message distinguishing risk ( R m )).

Definition 2 (entity distinguishing risk ( R e )).

Definition 3 (dropping attack ( A d )).

Definition 4 (disordering attack ( A i )).

3.2. Security Definition and Design Goal

Definition 5 (indistinguishability).

Definition 6 (reachability).

Definition 7 (timeliness).

4. Proposed Schemes

4.1. Indistinguishability

Proposition 8.

Proof (straightforward).

Proposition 9.

Proof.

Proposition 10.

Proof (straightforward).

Proposition 11.

Proof (straightforward).

Algorithm 1: Sending algorithm for indistinguishability (SAI algorithm).

4.2. Reachability

Proposition 12.

Proof.

Proposition 13.

Proof.

Proposition 14.

Proof (straightforward).

Proposition 15.

Proof (straightforward).

Algorithm 2: Sending algorithm for reachability (SAR algorithm).

4.3. Timeliness

Proposition 16.

Proof.

Algorithm 3: Sending algorithm for timeliness (SAT algorithm).

Proposition 17.

Proof.

Proposition 18.

Proof (straightforward).

5. Discussion

6. Conclusions

Footnotes

Acknowledgments

References

Definition 1 (message distinguishing risk ( $R_{m}$ )).

Definition 2 (entity distinguishing risk ( $R_{e}$ )).

Definition 3 (dropping attack ( $A_{d}$ )).

Definition 4 (disordering attack ( $A_{i}$ )).