A Security Adaptation Reference Monitor for Wireless Sensor Network

Security in Wireless Sensor Network has become a hot research topic due to their wide deployment and the increasing new runtime attacks they are facing. We observe that traditional security protocols address conventional security problems and cannot deal with dynamic attacks such as sinkhole dynamic behavior. Moreover, they use resources, and limit the efficient use of sensor resources and inevitably the overall network efficiency is not guaranteed. Therefore, the requirements of new security mechanisms must be addressed in a flexible manner. Indeed, there is a lack of generic security adaptation protocols to deal with extremely dynamic security conditions and performances in a context of Wireless Sensor Network where reliability is a critical criterion for many applications. This paper proposes our Security Adaptation Reference Monitor for Wireless Sensor already validated in proximitybased wireless network. It is based on an autonomic computing security looped system, which fine-tunes security means based on the monitoring of the context. Extensive simulations using agent-based approach have been conducted to verify the performance of our system in the case of sensor network in the presence of sinkhole attacks. The results clearly show that we are efficient in terms of survivability, overall network utilization, and power consumption.


Introduction
A Wireless Sensor Network (WSN) consists of a large number of low-power, and multifunction sensor nodes that communicate as one hope, multihop, or cluster-based models to send data to one or many base stations (BSs) through wireless links [1]. These BSs are highly enriched with a large amount of energy. WSNs represent a challenging and an interesting research area due to the constraints involved. The small size of the sensors and the networking capability increase the appeal of WSNs for use in daily life. Distributed computing and routing could be well applied in case of multihope and cluster-based models. These capabilities enable WSNs to provide significant advantages for many applications that were not possible in the past. The WSN is built by deploying the sensing nodes in the area of interest to form a self-configured network and start acquiring the necessary information. The unique properties of WSNs increase flexibility and reduce user involvement in operational tasks. Battlefield surveillance, forest fire detection, and smart environments are some well-known applications. Since the nodes in WSN are battery operated and have a limited lifetime to operate, there is a growing need of energy aware security algorithm performing low computational load to preserve the network lifetime.
WSN involves a huge number of interactions with its environment where security is also difficult to ensure against dynamic changing attacks. Indeed, it is highly challenging to maintain the overall security at the highest level due to the configuration complexity and the runtime changing context. In addition to the security challenge, data transfer in WSNs is more susceptible to loss due to the nature of sensors (power and processing, etc.) and the high error rate of wireless links. Moreover, sinkhole attackers by means of dynamic changing behavior skyrocket the packet loss. Therefore, the most crucial constraint in WSN which is reliability is not at all guaranteed.
In general, most applications cannot operate in case of high packet loss. Thus, reliability, being a key issue in sensor networks, is definitely one of the important criteria 2 ISRN Communications and Networking to evaluate the quality of WSNs. Accordingly, the concept that must cope with this new security challenge in terms of availability has to be based on dynamic adaptation security system to satisfy an overall performance such as network reliability and energy loss. We have already proposed a generic Security Adaptation Reference Monitor (SARM) as a compelling solution for such problems [2]. In this paper, we will apply it for WSN under sinkhole attacks. Please note: we use security in general term including availability, reliability, and survivability.
In Section 2, we survey other related works. Section 3 gives the problem statement, highlighting the motivation of our work. Section 4 introduces SARM for WSN and explains its components and functionalities. Section 5 explains our experiments and simulation implementation to validate SARM in the case of sensor network. Our simulation results and performance analysis are presented in Section 6 and Section 7 concludes our paper.

Related Work
The concept of adaptive security in wireless network is used to mitigate the consequences of a substantial number of runtime threats, when it does not completely eliminate them.
Many systems rated at the higher levels of security for data are implemented according to the reference monitor concept. First introduced by Anderson [3], a reference monitor is a concept that has proven to be a useful tool for computer security experts. It is the only effective tool known for describing the abstract requirements of secure system design and implementation.
Reference [4] has also proposed an adaptive security application in wireless ad hoc and sensor networks, where network conditions play a role in choosing relevant security mechanisms at runtime.
Chiang et al. [5] have proposed an approach to increase the availability of WSNs but they need additional hardware which generates more cost. Consequently, a suitable security service is must be provisioned in a progressive way to achieve the maximum overall security services against network performance services throughout the course of sensor networks operation. Security in sensor networks is complicated by the constrained capabilities of the sensor node hardware and the deployment properties [6][7][8].
All aspects of the wireless sensor network are being examined including secure and efficient routing [9][10][11][12], data aggregation [13][14][15][16], and group formation [17,18]. Although there are some existing architectures for WSN that partially solve these problems, it is still possible to point out the neglected aspects that can be considered crucial for creating a satisfactory security system.
Other security issues include [19] security-energy assessment, data assurance, survivability, trust, end to end security, security and privacy support for data centric sensor networks (DCS), and node compromise distribution. It is very important to study these areas due to the sensor network's special character, such as battery limitation, high-failure probability nodes, easier compromised nodes, and unreliable transmission media. Until now, there have been only a few approaches available, and more studies are needed in these areas. Furthermore, trust [20] is a good path to explore because it gives in some cases better results.

Motivation for Our Framework
We argue that the spare processing and transmission resources are wasted in sensor environments if security is overprovisioned. Hence, the trade-off between security and performance is essential in the choice of security services. Adaptive security mechanisms are also found in flexible protocol stacks for wireless networks [21], context-aware access control systems [22], and security architectures [23]. This prompted us for the implementation of a completely reconfigurable architecture [24], which is adapted to terminal and network context variability, particularly in the security field [25]. Seigneur [20] has introduced autonomic security pattern in his security design but only at the authentication level.
Flexible security mechanisms are needed to respond to new types of attacks and to meet different network requirements by setting specific protection. The required flexible security assessment can be achieved by introducing a generic autonomic computing security framework according to Chess in [26,27]. He describes the importance of automatically configuring the security of various parts of the system and automatically making various security trade-offs according to the value of the assets being protected and the cost of the measures being employed to protect them.
Because of the following limitations [17], layered security solutions are inadequate and/or inefficient: (i) Redundant Security Provisioning: systematic security at each layer consumes more resources than necessary; (ii) Nonadaptive Security Services: because attacks on a WSN come from any layer and any protocol, a countermeasure scheme at only one layer is unlikely to guarantee security all the time; (iii) Power Inefficiency: energy efficiency must be addressed because it is a crucial issue in WSN. The power efficiency design cannot be addressed completely at any single layer in the networking stack.
In WSN case, the sensors have limited resources in terms of energy. Since the spending of energy dramatically increases with the range of transmission, the sensors usually forward their messages to a Base Station (BS) [28] in a hop-by-hop fashion. It is quite easy for an attacker as a sinkhole [29] to defeat the WSN purpose by dropping messages when received rather than forwarding them or to consume energy of other sensors by requesting them to continuously send information.
As mentioned earlier, it is highly challenging to keep the overall security due to the configuration complexity and the runtime changing context. Moreover, assuring reliable data delivery between the sensor nodes and the BS in wireless ISRN Communications and Networking 3 sensor networks is also a challenging task as it affects the ability to sense event. In fact, the reliability of data transfer is impacted by data loss due to nature of sensors in addition to high error rate of wireless links. The problem of achieving reliable communication between nodes is further aggravated by the presence of sinkhole attackers whenever they are changing dynamically their behavior. Therefore, the most crucial constraint in WSN, which is reliability, cannot be guaranteed.
In addition, most applications cannot operate in case of high packet loss. Thus, reliability, being a key issue especially in sensor networks, is definitely one of the important criteria to evaluate the quality of wireless sensor networks. Thereby, the concept that must cope with this new security challenge in term of availability has to be based on dynamic adaptive security system to satisfy an overall performance such as network reliability and energy loss.
Thus, to lengthen the lifetime of wireless sensor network, an efficient protocol needs to support reliable network in most energy efficient manner under sinkhole attacks.
We propose a generic framework called Security Adaptation Reference Monitor (SARM) as a compelling solution for this problem, because it is a looped system developed especially for highly dynamic wireless network.
Implementing this security scheme at each application level is not feasible because the change will interfere in each communication program in each sensor. The best way to overcome this constraint is to implement it in the kernel which leads to an overall security control.
Since the following constraints: energy limitation, decentralized collaboration, and fault tolerance are imposed in sensor networks, algorithms for network security tend to be quite complex and usually defy analytical methods that have been proved to be fairly effective for traditional networks. Furthermore, applying new methods and mechanisms in real networks is very difficult and not operational. It appears that simulation is the only feasible approach to the quantitative analysis of new algorithms in the wireless networks.
We propose SARM for wireless environments based on an autonomic computing security looped system, which fine-tunes security means based on the monitoring of the context including the application environment and energy consumption aspects. It is aimed to offer a global adaptation security scheme for any application instead of a classical layered security mechanism.

SARM Description
We would like with SARM to fine-tune security means as best as possible taking into account the risk of the current environment and the performance of the system especially regarding the optimization of its energy consumption. Thereby, our system differs from others by its [2]: The concept of isolating various functions and restricting their access to specific system can also be applied to security in wireless environment integrated in the operating system itself. The best way to overcome the nonrealistic constraint of implementing the framework in each communication program is to integrate it in the kernel and consequently having an overall security control. Thus, all communication programs go through SARM at some stage in order to gain access to communication resources.
The key challenge of SARM is the adaptation of Reference Monitor (RM) [3] concept for wireless communication and beyond data access control. The goal of a RM is to enforce security by forcing all processes and also to prevent users from accessing any data but only through the reference itself. The security kernel is managed by security policies. We have also chosen to apply the autonomic computing security pattern [27] to design SARM by dividing it into a functional unit and a monitoring unit.
To reduce the system complexity and to make the system incremental, we propose a looped framework as introduced in [20] at the authentication level, that is, the system automatically tunes to its best configuration based on the current monitored context, thus avoiding any static decision making. Hence, we split SARM into two units looped as a servo control system model to fine tune the adequate security measures/means, which we will discuss later. One unit called management or monitor unit is for monitoring the context by evaluating and analyzing risks, performances, and energy consumption, which are significant for detecting attacks and tuning the adequate security means using the second module called functional unit.
We have depicted in Figure 1 the different components of SARM and their interconnections.
Security means are defined as any algorithm or mechanism that could ensure security but it could also be a no security action when it is not necessary. It includes also the choice of the adequate network access too because some network communication technologies are more secure with higher energy consumption and others less secure with lower energy consumption. Security means can be application dependent such as a localized trust [30,31] or a distributed trust [32] or application independent such as cryptographic protocols. Indeed, localized and distributed trusts are good paths to explore because they generate lowcomputing charge (less energy consumption) and give in some cases better results. Thereof, we are fitting perfectly the context of WSN. Firstly, the application uses communication means. The default preferences related to the chosen application are taken. Secondly, the context gathering module will collect all information about the current context of the application. This information is sent to the Monitoring/Management Unit, which is responsible for all security analysis in accordance with the security policies based on log files in a first stage, risks, vulnerabilities, and energy consumption in a second stage. The Logs are used to store all the information about the system: mainly the security problems. Risks, performances, and energy consumption analysis with policies is a key issue in the framework because it is responsible for detecting a potential unsecure context, a probable energy wasting environment, and/or a very vulnerable application.
Thereby, the analysis could trade-off between all these constraints to choose an efficient action to tune the functional unit. Individual sensor nodes in a WSN have the inherent limitations in resources, which make the design of security procedures more complicated.

Sensors Energy Consumption.
A typical sensor node processor is of 4-8 MHz, having 4 KB of RAM, 128 KB flash, and ideally 916 MHz of radio frequency. Each of these limitations is due in part to the two greatest constraints: limited energy and physical size [33]. Table 1 shows that receiving costs almost half the energy of sending.

WSN-SARM.
To validate SARM, we have applied an adapted version of SARM, called WSN-SARM, to the application domain of wireless sensor network.

Validation Application Domain Main Problem.
In Wireless Sensor Networks (WSN), one of the main constraints is to minimize energy consumption in order to maximize the lifespan of the network. Indeed, sensor nodes are usually battery powered [34][35][36]. In order to increase the lifetime of sensor networks, various energy saving schemes have been proposed.
One of known possibility for prolonging network lifetime is energy balancing, which is the approach that we have implemented in our framework SARM for WSN. In an energy balanced network, all the nodes deplete their energy at the same rate. It is an efficient method to implement a datagathering algorithm for WSN's.
Indeed, a data-gathering WSN is deployed over a region to be monitored and when a sensor detects an event, it needs to report to the BS which is not limited in energy in our case study.
We send messages to the BS in a hop-by-hope routing method. While this method searches to minimize the overall network utilization of energy, since the power cost is in function of distance to the power of a parameter ranged from 2 to 5.
This heavy load of traffic on nodes near the BS brings them to deplete their energy rapidly.
Thus, it creates bottleneck region in the network. Unfortunately, when too many of those nodes run out of energy, the sink becomes disconnected from the network, This leads to put the network down while there may be plenty of energy remaining in nodes away from the sink. Therefore, it seems that energy balancing is a particularly promising way of maximizing the lifespan of networks accomplishing a datagathering task.
Another problem that challenges all the proposed solution is sinkhole attack. Indeed, it compromises the balancing effect on the lifespan of any WSN. That's why a countermeasure is necessary in this case We propose as an efficient solution our SARM with its feedback mechanisms and its Trust Function to balance the energy through all reachable nodes to overcome sinkhole attacks. Then, we compare it with simple equidistribution (uniform packet repartition) without any feedback.

Validation.
The goal of this validation is to show that SARM adapts security as efficiently as possible by (a) keeping an appropriate level of security depending on the context, (b) whilst maximizing the overall utilization, (c) and minimizing the power consumption.

WSN-SARM Description.
In Figure 2, we describe module by module, how SARM is applied to the application domain of our validation, becoming the WSN-SARM version.
First of all, the security means, which can be tuned by SARM, are uniform packet repartition or unbalanced neighbors packet repartition or a set of suboptimal distance paths. The application preference is to maximize the usage time whilst keeping enough security. The gathering context module is used to collect and distribute trust values between the Base Station and nodes (sensors). These values represent the trust of a sensor about its neighbors. They are summarized in Table 2.
The values are sent to the management unit for analysis using a Trust Function (TF) that will assert the fact which algorithm has to be used or not. In addition, the performance  is fixed as energy saving in accordance with Application Preference, which is lifespan maximizing. Each sensor sends packets uniformly to a number of Sensors within a defined range according to threshold used as policy. Thanks to its context gathering module the Trust Function has all information to evaluate the trust. Figure 3 gives a representation of the context of each Sensor and behavior of some of them.
The management unit will integrate the Trust Function TF that predicts whether or not to use uniform or unbalanced connections depending on the output of the TF depending on historical values v i, j (i packets) sent by the BS to sensor z about his neighbor sensor j within defined range.

End for
The system consists of one to many sensors with different behaviors that could change randomly. Therefore, we should have analyzed the overall system characteristics in a real world but that was very difficult. The complexity of analysis comes from the fact that every nodes acts independently from others. Therefore, our model will be studied using simulation tools in order to compare it with reference cases.

Implementation and Validation Methodology
We have implemented WSN-SARM and validated it in a Sensor wireless network simulation developed with AnyLogic, which is a simulation tool that supports all different simulation methodologies: System Dynamics, Process-centric (a.k.a. Discrete Event), and Agent-Based modeling. It is based on Real-time UML and Java object-oriented language.

Model Setup.
The basic element of an Agent-Based model is the agent itself. By using an Agent-Based model, we have created a new class that behaves as Sensor. Each Sensor is associated to a given agent matching with its location. As a sensor is placed randomly, we have modeled its coordinates using X and Y random variables. Setting up our security model using Table 2, we can take advantage of state chart by monitoring the behavior of agents. The state of our agents is controlled by state charts, which represents the exact behavior of sensors, as shown in Figure 4.
Setting up our security model using Table 2, one can take advantage of state charts to control the behavior of Sensors. Using AnyLogic as implementation platform agents and especially state-charts can be programmed very conveniently. In particular modifications and/or extensions of the final model can be handled in a simple way.  In Figure 4, each agent (sensor) starts simultaneously in a "Transmission" state in the "SensorStateR" and "Trust Function" state-charts. The agents are switched to their relative state (Sinkhole, Base Station, sensors). They are then added to a list of the sensor whenever they are within his range.
We used agents having one of the following behaviors: (a) normal state, (b) sinkhole.
Each agent is then processed depending on the decision of the monitor unit to choose a security means or not. Therefore, the agent could transit to another state or stand in the same state. When completing the transfer, the Agent returns to its initial state and so on. The state-chart trust updates the trust each time the Base Station sends an Ack. Of course, the BS is not limited in energy and thus is not subject to an attack by any sinkhole.

Validation Methodology.
We have carried out simulations under 0%, 20%, and 50% sinkhole attackers. Furthermore, the network topology was set to random spreading or arranged uniform spreading of sensors. We have taken as a reference uniform packet distribution over the neighbors. In addition, a Time-To-Live TTL counter is used to avoid that a packet stay forever in the network and to guarantee that the consumed energy is limited to a maximum value when a packet is sent from the farthest sensor to the BS.
To minimize the transit delay and the energy consumption, we have also introduced suboptimal routing paths as all paths that have the shortest Euclidian distance to the BS. Indeed, if the topology of sensors is uniformly distributed and the sensors are not in the border of the square, there are 3 possible sensors that have the near-shortest distance to the BS.
Normally, the BS is in the middle of the network to minimize the distance to the farthest sensor. Additionally, 90 degree sector antennas are used to cover each of four squares to lengthen the BS range and minimizing the energy consumption. Sector directional antennas can be also added to sensors to take advantage of this technique in term of energy consumption [37] Therefore, we do not lose any generality if we put the BS in the upper left side of the square; rather we gain in survivability of WSN.
In our experiments, we have validated our proposed solution and analyzed the extended performance under a range of various scenarios. All sensors are spread over a square (520 m of each side) topology and operating over one day of simulation time. In our simulations, we considered that the Base Station was taken at the origin. The Base Station coverage is over the entire network. We fix the connection number of neighbors from 1 to 7. Indeed, depending on the topology of the network (arranged or random distributed sensors positions), each sensor was configured to have a maximum communication range equal to 50 meters. We deployed the sensors in an incremental mode, from S 1 to S n .
We have also used an algorithm in the Base Station to calculate for each sensor his suboptimal routing hops to the BS. It needs to send packet step-by-step power emission and could be implemented by a sector antenna.
The number of sensors can be selected from 10 to 1000 and their display can be selected between arranged uniformly or randomly. Figure 5 shows a very powerful animation interface using AnyLogic. Note that the BS and sensors' forms are described in Figure 3. Arranged sensors means that they are placed in an equidistant manner as depicted in Figure 3. Random distributed sensors means that the sensors are placed physically in a random manner as depicted in Figure 5.
We carried out our experiments considering thirty cases. In each studied case, we ran our simulations with different conditions. Our performance evaluation was the result of different simulations.

Metrics.
Energy metrics are packet loss ratio that affects energy loss per node and the whole network energy loss which is important to evaluate energy efficiency at transport protocol.
Assuming dropped packets have a direct relation with energy wastage, the energy loss per node can be measured by [38] E(i) = nbr of packets dropped by node all packets rvd node . (1) Reliability of the entire network is defined as R net = nbr of packets rvd by BS total packets send by all .

Scenarios.
We have used three scenarios to validate our model. In our scenarios, sensors (agents) were divided in two categories. A normal behavior, they are composed of x% of all sensors.
An energy wasting behavior sinkhole attackers are composed of (1 − x)% of all sensors.
In the first scenario, we fixed the percentage as 100% of normal behavior and 0% of sinkhole attackers.
In the second scenario, we fixed the percentages as 80% of normal behavior and 20% of Sinkhole behavior.
In the third scenario, we fixed the percentages as: 50% of normal behavior and 50% of sinkhole behavior.

Results Analysis
During our analysis, we firstly studied the performance of WSN-SARM in the three defined scenarios where sensors were arranged uniformly or at random. The performance metrics are network Reliability Ratio and overall network energy loss within the constraints: (a) thanks to TTL almost the same average energy consumption for any packet and (b) balancing overall traffic over all the neighbors to guaranteed the network survivability.
Secondly, we studied the rapidity of convergence to 100% (how WSN-SARM tends to 1) and compared it to suboptimal routing paths.
Thirdly, we studied long-run convergence of TF used in WSN-SARM.
For comparison purpose, we plotted the WSN SARM in Figure 6 and the uniform balancing (no trust: uniform distribution of parquets over neighbors) in Figure 7 for the same three predefined scenarios. We can easily conclude that SARM is largely better than uniform balancing; a ratio of 20 is reached in short time 50 s. Indeed, we have obtained the desire effect of the feedback mechanism of the SARM.
In Figure 8, we plotted the long-term convergence trend of SARM for the second scenario. Unfortunately, the convergence is very long due to the use of links with many hops. Moreover, in the second and third scenarios with respectively 20% and 50% of sinkhole attackers reliability of SARM is exceeding the case of 0% sinkhole because sensors within the Base Station detect any sinkhole neighbor and eliminate it from its connections.
For comparison purpose, we plotted the WSN-SARM under 20% of sinkhole attackers (the second scenario) using   our Trust Function and also without trust in Figure 9. We have used all suboptimal routing paths to the Base Station. The results clearly demonstrate that the convergence is boosted.
In Figure 10, we have depicted the network energy loss as defined by our metrics. We have an average ratio of 5.2 between the two cases. We can conclude that using SARM with trust Function converges rapidly than without trust. Thereby, the reliability is guaranteed and the overall energy cost is minimized even under a number of 20% of sinkhole attackers.
Please note: there are significant differences between Trust used by WSN-SARM and uniform packet distribution reference. We have depicted in Figure 11 the proof that WSN-SARM is converging to 100% in term of reliability and to a 0% in term of network energy loss.
All the results show clear advantages of WSN-SARM arranged sensor network or random sensor network even at 50% of sinkhole attackers. We can conclude that our security monitor helps the WSN to operate even under 50% of sinkhole attackers thanks to the looping system connected to the context gathering monitor and the Trust Function.

Conclusion and Future Work
We have proposed a Security Adaptation Reference Monitor based on the reference monitor concept and the autonomic computing Security pattern to support both context monitor and behavior control. This paper presents also the validation ISRN Communications and Networking  of SARM in WSN. The results clearly show that WSN-SARM copes with reliability and network energy loss under sinkhole attack even at 50% of attackers. Indeed, WSN-SARM constitutes a good platform within the Base Station to detect any sinkhole and eliminate it from its connections and put it into log file, thanks to the context gathering monitor and the looped regulation system. Therefore, we show that our framework is efficient in this context and is tuning to achieve the best trade-off between security and performance according to application preferences. In addition, the network is well energy balanced. These results encourage us to further research on other strategies that could automatically optimize the trade-off between security and energy consumption under other important attacks.