An Analytical Study on Eavesdropping Attacks in Wireless Nets of Things

The security of Internet of Things (IoT) has received extensive attention recently. This paper presents a novel analytical model to investigate the eavesdropping attacks in Wireless Net of Things (WNoT). Our model considers various channel conditions, including the path loss, the shadow fading effect, and Rayleigh fading effect. Besides, we also consider the eavesdroppers in WNoT equippedwith either omnidirectional antennas or directional antennas. Extensive simulation results show that ourmodel is accurate and effective to model the eavesdropping attacks in WNoT. Besides, our results also indicate that the probability of eavesdropping attacks heavily depends on the shadow fading effect, the path loss effect, Rayleigh fading effect, and the antenna models. In particular, we find that the shadow fading effect is beneficial to the eavesdropping attacks while both the path loss effect and Rayleigh fading effect are detrimental. Besides, using directional antennas at eavesdroppers can also increase the eavesdropping probability. Our results offer some useful implications on designing antieavesdropping schemes in WNoT.


Introduction
As one of the most promising information and communication technologies (ICT), IoT has received extensive attentions from both academia and industry recently.The basic idea of IoT is to integrate "smart" objects, the things into the Internet with provision of various services to users [1,2].The typical killer applications of IoT include the logistic management with RFID technology [3], environmental monitoring with wireless sensor networks [4], smart homes [5], e-health [6], smart grids [7], Maritime Industry [8], and so forth.There are a number of diverse smart objects ranging from small Radiofrequency Identification (RFID) tags to sensors, actuators, mobile phones, smart appliances, smart meters, and so forth.Due to the device heterogeneity, various wireless communication technologies (such as ISO/IEC 18000 [3], IEEE 802.15.4 [9], and Bluetooth [10]) are also exploited to interconnect the smart devices to form a Wireless Net of Things (WNoT).Note that the conventional wired communication technologies (Ethernets, fiber-optic communication, etc.) are also mandatory to connect the WNoT with the rest of the Internet.
Security is one of the fundamental issues in IoT since it is the prerequisite for most IoT applications [11][12][13][14].There raise a number of security threats in IoT, especially in WNoT, where the conventional security countermeasures used in wired networks may not work well in WNoT due to the following inherent constraints of WNoT: (i) the wireless medium is open for any nodes [15]; (ii) it is extremely difficult to deploy centralized control mechanisms in such distributed WNoT [2,16,17].Eavesdropping attack, as one of typical security threats in wireless communication systems, has attracted considerable attention recently [18][19][20][21][22][23][24] since many adversary attacks often follow the eavesdropping activity, for example, the man-in-the-middle attack [25] and the hearand-fire attack [19].
Figure 1 shows a typical example of eavesdropping attacks in a warehouse environment, where each product is attached with an RFID tag, which can passively communicate with RFID-readers.In this environment, the confidential communications between RFID-readers and RFID tags can be easily wiretapped by eavesdroppers since it is difficult to apply antieavesdropping countermeasures (e.g., encryptions) in this scenario due to the limited computational capability and the energy-constraint of RFID tags.Note that we consider the far-field wireless communications in this scenario [26].
1.1.Related Works.Most of current studies have been concentrated on protecting the confidential communications of smart objects in WNoT, which are also named as good nodes in this paper.Encryption is one of the most commonly used techniques to protect the confidential communications in wireless personal area networks [11], wireless local area networks (e.g., WEP [27], WPA, and WPA2 [28]), wireless cellular networks (e.g., Cellular Message Encryption Algorithm [29]), and encryption algorithms for wireless sensor networks [30].However, it is infeasible to apply cryptography-based techniques in WNoT due to the following reasons: (a) the inferior computational capability of smart objects [2], (b) the limited battery power of smart objects (e.g., the passive RFIDs can only harvest the energy from the readers) [1,31], and (c) the difficulty of managing the widely distributed smart objects in centralized manner, which is the necessity for the encryption algorithms [11,32,33].
An alternate approach is either to design light-weighted encryption schemes [34] or to generate noise to limit the amount of information that can be extracted by an eavesdropper [35,36].However, one of the most important premises of the above schemes is that we shall have enough knowledge of the channel condition of eavesdroppers as indicated in [37][38][39][40][41][42], which nevertheless has received little attention.Besides, the wireless channel in WNoT fluctuates from time to time and is affected by various fading effects including the path loss, the shadowing effect, and the multipath effect [43].Furthermore, most of current studies in WNoT only consider the nodes equipped with omnidirectional antennas, which radiate/receive RF signals in all directions (i.e., a less efficient way to propagate RF signals).As shown in some of the most recent studies [44,45], directional antennas can be used at readers.Compared with omnidirectional antennas, directional antennas can concentrate the transmissions to some desired directions so that the performance can be further improved.
However, little attention has been paid to investigating the eavesdropping behaviors conducted by the eavesdroppers in WNoT, which is nevertheless important for us to offer better protection on the confidential communications since we can design antieavesdropping schemes with clearer targets if we have a better knowledge on the eavesdroppers, although we conducted a preliminary study on the eavesdropping probability of wireless ad hoc networks in [46].But this paper is significantly different from our previous work [46] in the following aspects: (1) we are concerned with the eavesdropping activities in WNoT in this paper while the previous paper investigated the eavesdropping attacks in wireless ad hoc networks; (2) we propose a novel analytical model on the eavesdropping probability in this paper, where the channel randomness (including Rayleigh fading effect and the shadowing effects) is considered while the previous paper only considered a simplified geometric model; (3) we conduct extensive simulations to verify the accuracy of our proposed model in this paper while the previous paper only presented the numerical results.

Contributions.
The aforementioned issues motivate us to conduct an investigation on the eavesdropping attacks in WNoT.In this paper, we analyze the eavesdropping activities (i) We formally establish an analytical framework to investigate the probability of eavesdropping attacks in WNoT with consideration of channel randomness.
In particular, we consider the path loss effect, the shadow fading effect, and Rayleigh fading effect in our model.Besides, we also take both omnidirectional antennas and directional antennas into account of our analytical framework.
(ii) Extensive simulations show that the simulation results match the analytical results, indicating that our analytical model is accurate and effective.Our results also show that both the path loss effect and Rayleigh fading effect are detrimental to the probability of eavesdropping attacks while the shadow fading effect is beneficial to the eavesdropping attacks in WNoT.Besides, our results also indicate that using directional antennas at eavesdroppers can significantly improve the probability of eavesdropping attacks.We summarize our major findings in Table 1.
(iii) Our results can provide many useful implications on designing antieavesdropping schemes in WNoT.This is because we can provide the better protection on the confidential communications if we have the better knowledge about the eavesdroppers as implied in the previous studies [37][38][39][40][41][42].For example, we can design light-weight encryption algorithms by exploiting the known channel features [47,48].Besides, we only need to encrypt the communications in the area or the direction that is vulnerable to eavesdropping attacks so that the security cost due to the computational complexity can be greatly saved.
The rest of this paper is organized as follows.Section 2 presents the models used in this paper.We then give the analysis on the eavesdropping attacks in Section 3. The impacts of channel randomness with consideration of the shadow fading effect and Rayleigh fading effect are discussed in Section 4. Finally, we conclude the paper in Section 5.

Models
In this section, we present the models used in this paper.(See Notations and Symbols section.)

Node Distribution.
In this paper, we assume that all the smart objects (or nodes) are randomly distributed in a 2D area A according to a homogeneous Poisson point process with density .We denote the number of nodes in an area A by a random variable .Then, the probability mass function of  is given as follows: where A is the expected number of nodes in area A.

Channel Model.
We assume that all nodes use the common transmission power P  similar to [49].The channel gain from a node  to an eavesdropper  at a distance  is denoted by   ().Thus, the received power at the eavesdropper is P  ⋅   ().The signal-to-interference-plus-noise ratio (SINR) at the eavesdropper denoted by Λ is defined to be where  is the power of the white noise and  denoted the number of good nodes.
The transmission from node  can be successfully eavesdropped by an eavesdropper if and only if where  is the minimum signal to interference and noise ratio.
In our analysis of eavesdropping activities, we ignore the impact of interference due to the following reasons.First, the passive eavesdroppers in WNoT do not transmit actively and therefore contribute nothing to the interference.Second, the interference is proved to converge when efficient MAC schemes are exploited and the traffic is low in a large-scale network [50,51].Thus, our analytical results in this paper can be regarded as the upper bound of the eavesdropping probability.We then have

Antennas.
There are different types of antennas used in wireless communication systems: omnidirectional antennas (named Omni in short) and directional antennas (named Dir in short).Most of conventional smart objects are typically equipped with omnidirectional antennas, which radiate/collect radio signals into/from all directions equally.Different from an omnidirectional antenna, a directional antenna can concentrate transmitting or receiving capability on some desired directions consequently leading to the improved network performance.To model the transmitting or receiving capability of an antenna, we denote the antenna gain by .It is obvious that an omnidirectional antenna has a constant antenna gain; that is,   = 1 in all directions.We next give the antenna gain of a directional antenna.Since it is difficult to model a realistic directional antenna with precise values of antenna gain in each direction [52], we use an approximate antenna model, which was first proposed in [53].This model is also named as Keyhole due to the geometrical analogy to the archaic keyhole in 2D plane, as shown in Figure 2. In this model, the sector with angle   represents the main lobe of the antenna, which has the maximum gain denoted by   (where   is also called the antenna beamwidth), and the circular part represents the side-lobes and back-lobes with lower antenna gain denoted by   .In particular, when   and   are given [53,54], we can calculate   as follows:

Analysis on Eavesdropping Attacks
This section presents our analytical framework to model the eavesdropping activities in WNoT.In particular, we first analyze effective eavesdropping area in Section 3.1 which is then used to derive the probability of eavesdropping attacks in Section 3.2.Section 3.3 presents the empirical results.

Deterministic Path Loss Model.
We first consider that the channel gain is mainly determined by the large-scale path loss effect [43].Thus, the channel gain is given by where  is a constant,  is the distance between the good node and the eavesdropper,   and   are the antenna gains for the good node and the eavesdropper, respectively, and  is the path loss exponent ranging from 2 to 4 [43].
As shown in Section 2.2, an eavesdropper can successfully wiretap a transmission if and only if its Λ ≥ .In other words, the probability of no transmission eavesdropped is given by (Λ < ).Substituting (6) into inequality (4) and rearranging (Λ < ), we have We then define a random variable  as which is referred to the eavesdropping range of an eavesdropper.After substituting (8) into inequality (7), we have (Λ < ) = ( > ), which implies that a transmission cannot be eavesdropped by an eavesdropper if and only if the transmitter falls outside the eavesdropping range  of the eavesdropper.
We then analyze the effective eavesdropping area of an eavesdropper, which is defined as where [ 2 ] is the second moment of the eavesdropping range .The effective eavesdropping area is a critical region that only when the good node falls in this region, its transmission can be eavesdropped by eavesdroppers.We then have ] . (9)

Probability of Eavesdropping Attacks.
We model the successful chance of eavesdropping attacks by the probability of eavesdropping attacks, denoted by ().To derive (), we need to analyze the probability of no good node being eavesdropped first.We denote the number of good nodes falling in the eavesdropping area by a random variable .Since good nodes are randomly distributed according to a homogeneous Poisson point process (as shown in Section 2.1), we then have the probability of no good node falling in the eavesdropping area, which is given by the following equation: We then can calculate () as follows: After substituting [ 2 ] in (11) by Right-Hand Side (RHS) of (9), we have The physical meaning of () is the probability that an eavesdropper can successfully eavesdrop at least one transmission in WNoT.Besides, as shown in (12), the probability of eavesdropping attacks heavily depends on the path loss effect.Note that this model can be extended to a more general case with consideration of the shadow fading effect and the Rayleigh fading effect, which will be analyzed in Section 4.

Empirical Results
. We conduct extensive simulations to verify the effectiveness and the accuracy of our proposed model.In our simulations, the probability of eavesdropping attacks in a WNoT is calculated by where Ω and Ψ denote the number of total WNoT topologies and the number of WNoT topologies that have been eavesdropped, respectively.We say that a WNoT topology is eavesdropped when any smart object (node) in this topology is eavesdropped.Note that we denote the simulation results by   () in order to differentiate it from the analytical value ().To minimize the impacts of the border effects, we conduct the simulations within an  ×  area with the exclusion of the nodes falling in the outer box   ×   , where   shall be significantly larger than  [55].Note that  is chosen as 3000 m in our simulations.We fix the number of eavesdroppers and choose the node density  for the good nodes ranging from 10 −5 to 10 −1 .The other system parameters are selected as follows:  = 10, P  = 1 mWatt,  = 0.01 mWatt, and  = 10 dB.We consider eavesdroppers equipped with either omnidirectional antenna (Omni) or directional antenna (Dir) while the good nodes are equipped with omnidirectional antennas only.
Figure 3 shows both the analytical results and the simulation results of the probability of eavesdropping attacks with the path loss effect only.The curves and the markers represent the analytical results and simulation results, respectively.It is shown in Figure 3 that the simulation results have a good agreement with the analytical results, implying that our model is quite accurate.
As shown in Figure 3, we also find that the probability of eavesdropping attacks decreases with the increased path loss exponent , implying that the path loss effect has the negative impact on eavesdropping attacks.Besides, we also find that using directional antennas at eavesdroppers can increase the probability of eavesdropping attacks although this effect is not that significant when the path loss effect is increased (e.g.,  = 3.5).

Impacts of Channel Randomness on Eavesdropping Attacks
In this section, we extend our analytical model in Section 3 to more general cases in consideration of two different effects of channel randomness: (1) shadow fading effect and (2) Rayleigh fading effect, which will be presented in Sections 4.1 and 4.2, respectively.We then give the empirical results in Section 4.3.In order to model the two random effects, we introduce the packet eavesdropping probability denoted by  |Λ (), which is defined as the probability that a packet is successfully eavesdropped by an eavesdropper when the average signalto-interference-noise ratio Λ = .
We then extend the analysis of eavesdropping range in Section 3.1 with consideration of the packet eavesdropping probability  |Λ ().We first consider the case that the packet eavesdropping probability  |Λ () tends to approach a step function if good long code is used [56].In particular, we have the cumulative distribution function (CDF) of eavesdropping range , which is defined as follows: In a more general case when  |Λ () is not a step function, the cumulative distribution function is where   is the probability density function (PDF) of .

Shadow Fading Effect.
Following the similar approach [51], we can derive the probability density function of  with consideration of the shadow fading effect as follows: where  is the distance between a good node and an eavesdropper and  is the standard deviation of the Gaussian distribution describing the shadow fading effect.We then have the second moment of random variable  given as follows: After substituting [1 −   (/P    )] in (17) with RHS of (15) and RHS of ( 16) (note that  |Λ () = 1), we finally have where   = [(    ) 2/ ], which is defined as the effective antenna gain factor.It is obvious that the effective antenna gain factor depends on both the antenna gains and the path loss effect.Let  = (ln  − ln  − )/ = ln(  /)/; we then have Since the integrals converge absolutely, applying Fubini's theorem [57], we next get Finally, we have the probability of eavesdropping attacks, which is given as the following equation: ) . ( The probability of eavesdropping attacks in ( 21) is more general than that in (12).This is because ( 21) becomes (12) when  becomes 0, implying that there is no shadow fading effect and SINR is completely determined by the path loss effect.

Rayleigh Fading Effect.
Rayleigh fading effect is a stochastic model for wireless propagation when there are a large number of statistically independent reflected and scattered paths from the transmitters to the receivers (or the eavesdroppers).
In the following procedure, we consider the channel condition with superimposed shadow fading and Rayleigh fading effects.We then derive the second moment of random variable .Since (17) still holds, we have where   ((/P      ) | ), which can be calculated by (16).
We next derive  |Λ ().Since the instantaneous SINR is exponentially distributed with mean Λ =  [51], with the given average SINR value Λ and the given SINR threshold , the packet eavesdropping probability  |Λ () can be calculated by After substituting the corresponding parts in ( 22) by ( 16) and ( 23), we finally have the effective eavesdropping range as follows: where   = [(    ) 2/ ] is the effective antenna gain factor.The integral in ( 24) can be calculated by the following equation [58]: where Γ(⋅) represents the general Gamma function.Substituting ( 25) into (24) and applying it to (11), we finally have

Empirical Results.
We have conducted extensive simulations to evaluate the accuracy of our extended model.In order to compare the new results with those under the case without shadowing effects in Section 3.3, we choose the same system parameters as those in Section 3.3.Note that in order to eliminate the impacts of the border effect, the border area of the simulation area shall be slightly increased.Similarly, we also consider eavesdroppers equipped with either omnidirectional antennas or directional antennas.Figure 4 shows the empirical results of the probability of eavesdropping attacks with shadow fading effects, where the shadow fading deviation  = 3.Note that the curves and the markers represent the analytical results and simulation results, respectively.Figure 3 also indicates that the simulation results match the analytical results, implying the accuracy of our model.
As shown in Figure 4, we find that the probability of eavesdropping attacks is affected by both the path loss effect and the shadow fading effect.In particular, () decreases with the increased path loss exponent , implying that the path loss effect is detrimental.In other words, the path loss effect will decrease the probability of eavesdropping attacks, which agrees with the previous results without the shadowing effect (see Figure 3).On the contrary, the shadow fading effect is beneficial.More specifically, if we compare Figure 4 with Figure 3, we can find that () increases with the increased values of the shadow fading deviation  (e.g.,  is increased from 0 to 3).This effect is remarkable when the path loss effect is less notable (e.g.,  = 2.5).However, () does not increase Table 2: Comparison between the results under the channel with shadow fading effect only and the results under the channel with superimposed shadowing and Rayleigh fading effects when  = 3,  = 3, and SINR threshold  = 10 dB.

Node density
Shadow fading effect only (Figure 4) Superimposed shadow fading and Rayleigh fading effects (Figure 5  significantly with the increased values of  when  = 3.5.Furthermore, we also find that using directional antennas at eavesdroppers can increase the probability of eavesdropping attacks with consideration of the shadowing effect.We then investigate the probability of eavesdropping attacks under the channel with the superimposed shadow fading and Rayleigh fading effects.Figure 5 shows the results with the presence of both shadow fading and Rayleigh fading effects, where the shadow fading deviation  = 3.As shown in Figure 5, we find that the probability of eavesdropping attacks is affected by both the shadow fading effect and the Rayleigh fading effect.Moreover, Figure 5 also indicates that Rayleigh fading effect has a negative impact on the probability of eavesdropping attacks even though it is not that noticeable compared with the path loss effect. To illustrate the detrimental effect of Rayleigh fading effect, we conduct comparative study on the numerical results of the probability of eavesdropping attacks ().In particular, Table 2 illustrates the comparison between the results of () under the channel with shadow fading effect only and the results under the channel with the superimposed shadow fading effect and Rayleigh fading effect when  = 3 and  = 3 corresponding to Figures 4 and 5, respectively.To make it clearer, we italicize the results with directional antennas in Table 2.It is shown in Table 2 that Rayleigh fading effect will decrease the probability of eavesdropping attacks compared with the results under the channel with the shadow fading effect only.For example, Rayleigh fading effect leads to the decrement of nearly 10% in terms of the probability of eavesdropping attacks when the node density  = 10 −5 .Besides, Table 2 also indicates that using directional antennas at eavesdroppers can increase the probability of eavesdropping attacks, which is similar to the previous findings.
We also give the results under the scenario of eavesdropping attacks with Rayleigh fading effect only. Figure 6 shows the empirical results of the probability of eavesdropping attacks under the channel with Rayleigh fading effect only, where  = 0 indicating no shadow fading effect.Similar to the previous results, we also denote the analytical results by the curves and the simulation results by the markers, as shown in Figure 6.It is shown in Figure 6 that the simulation results have a good agreement with the analytical results, implying that our analytical model is quite accurate.As shown in Figure 6, we can see that the probability of eavesdropping attacks also depends on both the path loss effect and Rayleigh fading effect.In particular, () drops significantly when the path loss effect becomes more notable (e.g.,  = 3.5), as shown in Figure 6.Besides, under the wireless channel with Rayleigh fading effect, () in Figure 6 is even lower than that without Rayleigh fading effect in Figure 3, implying that Rayleigh fading effect is also detrimental to the eavesdropping attacks.The reason may owe to the counteracting effect of the multipath scattering signals under the channel with Rayleigh fading effect [43].

Discussions and Implications of Our Results
. Our simulation results imply that using directional antennas at eavesdroppers in WNoT can significantly increase the probability of eavesdropping.Thus, directional antennas are beneficial to eavesdroppers.The improvement mainly owes to the effect that a directional antenna can accumulate the receiving capability of desired directions.However, we can not ignore another effect that a directional antenna can also narrow the angle of the receiving directions.More specifically, with the increased path loss (i.e., the larger ), the second effect can even counteract the first effect.Take Figure 6 as an example.The gap between the results of omnidirectional eavesdroppers and the results of directional eavesdroppers with  = 2.5 is significantly bigger than that with  = 3.5.
Secondly, as shown in our results, both the path loss effect and Rayleigh fading are always detrimental to the eavesdropping probability while shadowing effect and directional antennas are beneficial to the eavesdropping probability.Our findings are useful to help to design more effective antieavesdropping schemes in WNoT.This is because we need the knowledge of eavesdroppers (such as the channel characteristics) so that we can design the light-weight encryption algorithms as indicated in the previous studies [37][38][39][40][41][42].Besides, we only need to take antieavesdropping measures in the area or the direction that is vulnerable to eavesdropping attacks so that the security cost due to the computational complexity can be greatly saved.For example, we can generate the noise only in the direction of eavesdroppers when the eavesdroppers are equipped with directional antennas while there is no noise in other directions.This new scheme may have a better performance than the existing one [35].

Conclusion
In this paper, we propose an analytical model to investigate the eavesdropping probability in Wireless Net of Things (WNoT) with consideration of channel randomness including the path loss effect, the shadow fading effect, and Rayleigh fading effect.After conducting extensive simulations, we show that our model is quite accurate.Besides, we have also shown that the eavesdropping probability heavily depends on the path loss effect, the shadow fading effect, and Rayleigh fading effect.More specifically, we find that the eavesdropping probability increases when the shadow fading factor  increases and decreases when the path loss effect increases, implying that the path loss effect is detrimental to the eavesdropping attacks while the shadow fading is beneficial to the eavesdropping attacks.Moreover, similar to the path loss effect, Rayleigh fading is also destructive to the eavesdropping attacks.Furthermore, our results also indicate that using directional antennas at eavesdroppers can significantly improve the probability of eavesdropping attacks.

A:
2D area that nodes are randomly distributed : Density of the homogeneous Poisson point process P  : Transmission power of nodes : Distance between the good node and the eavesdropper   (): Channel gain from a good node  to an eavesdropper  at a distance  Λ: SINR at an eavesdropper : Threshold value of SINR for eavesdropping a node successfully : P owerofthewhitenoise : Number of good nodes : Path loss exponent   ,   : Antenna gain of main lobe, antenna gain of side-lobe   : Main lobe beam-width of the keyhole antenna   ,   : Antenna gain of good node, antenna gain of eavesdropper (): Probability of eavesdropping attacks : Side length of topology area : Eavesdropping range of an eavesdropper Ω: NumberoftotalWNoTtopologies Ψ: Number of WNoT topologies that have been eavesdropped Λ: Average SINR value  |Λ (): Packet eavesdropping probability when the average SINR is  : Standard deviation of the Gaussian distribution describing the shadow fading effect   : Effective antenna gain factor.

Figure 1 :
Figure 1: An example of eavesdropping activities in WNoT, where there are several eavesdroppers who are wiretapping the confidential ongoing communications between RFID tags and RFID-readers.

Table 1 :
Summary of effects on eavesdropping attacks.