Sensor networks enable real-time gathering of large amounts of data that can be mined and analyzed for taking critical actions. As such, sensor networks are a key component of decision-making infrastructures. A critical issue in this context is the trustworthiness of the data being collected. Data integrity and quality decide the trustworthiness of data. Data integrity can be undermined not only because of errors by users, measurement devices and applications, but also because of malicious subjects who may inject inaccurate data with the goal of deceiving the data users. A fundamental tradeoff exists between data quality and the cost to gather and protect this data, e.g., in terms of sensor node energy. This project focuses on a multi-faceted solution to the problem of assessing integrity of data streams in sensor networks, taking into account cost and energy constraints. Key elements of the solution are: (a) a cyclic framework supporting the assessment of sensor data trustworthiness based on provenance, and sensor trustworthiness based on data that sensors provide; (b) strategies for continuously updating trust scores of sensor data and nodes; (c) a game-theoretic model to analyze and mitigate the risks due to active adversaries that try to undermine data integrity; (d) protocols for sensor network sleep/wake scheduling and routing that balance the data quality and energy efficiency tradeoff. The project also includes the development of tools for assessing data trustworthiness, and experimental evaluation of the system performance. The research has impact on healthcare, homeland security, and applications in several other domains.
The availability of low-cost sensor nodes has made Wireless Sensor Networks (WSNs) a viable choice for monitoring critical infrastructure such as the power grid, civil structures and others. There has been recent interest in using WSNs to monitor pipelines (water, gas, oil, and various other types of pipelines) and the power grid. The primary goal of all these protocols is to detect device malfunctions such as pipe leakage, oil spillage, power grid failure, etc. However, none of these protocols is specifically designed to handle a malicious active adversary. We classify the activities of an active adversary into two broad categories. In both categories, the adversary's ultimate objective is to disrupt the normal operation of a critical infrastructure to achieve some predefined attack goal.
Direct Attacks: Attack on Critical Infrastructure. This category includes all the direct attacks on a critical infrastructure by an active adversary. Vandalism, creating holes or leaks in gas pipes, etc. are all examples of such attacks.
Indirect Attacks: Attack on Critical Infrastructure Monitoring System. In these attacks, an adversary does not directly attack the critical infrastructure. Rather, the attacker compromises a few sensor nodes and injects false data to deceive the monitoring system. This leads to false state estimation by the control system and may result in unwanted consequences.
Most of the existing protocols are primarily designed to sense device malfunctions such as leakage, blockage, rupture, etc. in the critical infrastructure. We believe that most of these protocols are able to detect direct attacks such as pipeline vandalism, because these attacks usually result in a device malfunction regardless of the attack type. However, it remains an open question whether these protocols are smart enough to handle more subtle indirect attacks.
In fact, it has been shown in the past that an adversary can bypass these approaches if he/she systematically injects bad data into the power monitoring system. As a part of this project, we also showed that such findings are equally applicable to pipeline monitoring systems. That is, an adversary can bypass almost all the existing WSN based monitoring protocols by systematically injecting false data into the monitoring system. More sophisticated 'systematic false data injection' attacks, however, require a more dynamic monitoring system to be in place. In fact, an active adversary is capable of changing its attack strategy depending upon the defense mechanism in place. Therefore, thwarting an active adversary is significantly more challenging than dealing with device malfunctions.
Game theory has been extensively used in different domains, including homeland security scenarios, to model rational entities and how they behave. Quite naturally, we find it appropriate to model the attacker-defender interaction as a strategic game. In this project, we show how game theory can be used to identify the key monitoring requirements for a critical infrastructure and protect them against an active adversary that tries to launch fake data injection attacks. In particular, we provide a game theoretic approach to monitoring critical infrastructures using WSNs in the adversarial context. More specifically, we use Stackelberg leader-follower games to model the attacker-defender interaction and derive the equilibrium condition of such a game under appropriate utility functions. Finally, we show that a monitoring system can do no better by deviating from its equilibrium strategy if the adversary acts rationally. Using the hazardous liquid pipeline information for Austin County via extensive simulations, we show that game theoretic WSN based monitoring protocols can increase resistance to attacks compared to baseline approaches.
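The leader-follower reasoning above can be worked through on a small constructed game; this is an added example, not the project's model or code. It assumes zero-sum payoffs (the attacker's gain is the monitor's loss), positive segment values, and hypothetical values for the three pipeline segments, the detection penalty and the coverage budget. The monitor commits to per-segment checking probabilities, the attacker observes them and injects where its expected payoff is highest, and a uniform schedule serves as the baseline.

```python
# Added example: zero-sum Stackelberg monitoring game on constructed data.
# Payoff model, segment values, penalty and budget are assumptions.

def attacker_payoff(value, cover, penalty):
    """Expected attacker payoff for injecting false data on one segment."""
    return (1.0 - cover) * value - cover * penalty

def best_response(values, coverage, penalty):
    """Follower: the attacker observes coverage and picks the best segment."""
    payoffs = [attacker_payoff(v, c, penalty) for v, c in zip(values, coverage)]
    target = max(range(len(values)), key=payoffs.__getitem__)
    return target, payoffs[target]

def coverage_for_level(values, penalty, level):
    """Least coverage per segment that caps the attacker's payoff at `level`."""
    return [min(1.0, max(0.0, (v - level) / (v + penalty))) for v in values]

def stackelberg_coverage(values, penalty, budget, tol=1e-9):
    """Leader: bisect for the lowest attacker payoff the budget can enforce."""
    lo, hi = -penalty, max(values)   # full coverage .. no coverage
    if sum(coverage_for_level(values, penalty, lo)) <= budget:
        hi = lo                      # budget covers every segment fully
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if sum(coverage_for_level(values, penalty, mid)) <= budget:
            hi = mid                 # feasible: try to push the payoff lower
        else:
            lo = mid
    return coverage_for_level(values, penalty, hi), hi

VALUES = [10.0, 6.0, 2.0]  # constructed damage if a segment's data is falsified
PENALTY = 2.0              # constructed attacker loss when an injection is caught
BUDGET = 1.0               # constructed: total coverage probability affordable

def compare():
    """Attacker's best response against equilibrium vs. uniform coverage."""
    eq_cov, _ = stackelberg_coverage(VALUES, PENALTY, BUDGET)
    uniform = [BUDGET / len(VALUES)] * len(VALUES)
    return (eq_cov, best_response(VALUES, eq_cov, PENALTY),
            best_response(VALUES, uniform, PENALTY))

if __name__ == "__main__":
    eq_cov, eq_attack, uniform_attack = compare()
    print("equilibrium coverage:", [round(c, 3) for c in eq_cov])
    print("attacker payoff at equilibrium:", round(eq_attack[1], 3))
    print("attacker payoff vs uniform:", round(uniform_attack[1], 3))
```

At equilibrium the attacker is indifferent between the two covered segments and the low-value segment is left unmonitored because attacking it pays less than that common level; any other schedule with the same budget gives a rational attacker at least as much.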
We believe that this project is likely to have an important broader impact by advocating game theoretic WSN based monitoring protocols, especially for oil and gas pipelines, which can reduce the impact of any future false data injection attacks on such critical infrastructure.