Method and system for resilient packet traceback in wireless mesh and sensor networks
Abstract
A system and method for packet traceback in a network includes maintaining an identity number (ID) for each node in a network and generating a signature (e.g., a message authentication code (MAC)) using a secret key shared between each node on a forwarding path and a sink. Each forwarding node leaves a mark by appending its ID and a signature to the packet, either deterministically or with a probability. Upon receiving a packet at the sink, the correctness of the signatures included in each packet is verified in the reverse order in which they were appended. The last valid MAC in the forwarding path is then identified to determine the locations of compromised nodes that collude in false data injection attacks.
Claims (22 in total; independent claims 1, 15, 16 and 22 are reproduced below)
1. A method for packet traceback in a network, comprising:
maintaining an identity number (ID) for each forwarding node in a network, wherein each forwarding node includes a non-transitory computer readable storage medium for storing the ID;
generating a signature at each forwarding node using a secret key shared between the forwarding node and a sink;
marking each packet as each packet passes through each forwarding node in a forwarding path such that each added mark includes at least the ID and the signature of the node and protects all previously added marks;
upon receiving a packet at the sink, verifying correctness of the signatures as marked on each packet by the sink in reverse order in which the signatures were added; and
determining signature validity in the forwarding path to determine a location of a false data injection source, and/or a colluding compromised node.
Dependent claims 2 to 14 are not reproduced here.

15. A computer program product for packet traceback in a network comprising a non-transitory computer readable storage medium including a computer readable program, wherein the computer readable program when executed on a computer causes the computer to perform the steps of:
maintaining an identity number (ID) for each forwarding node in a network;
generating a signature at each forwarding node using a secret key shared between the forwarding node and a sink;
marking each packet as each packet passes through each forwarding node in a forwarding path such that each added mark includes at least the ID and the signature of the forwarding node and protects all previously added marks;
upon receiving a packet at the sink, verifying correctness of the signatures as marked on each packet by the sink in reverse order in which the signatures were added; and
determining signature validity in the forwarding path to determine a false data injection source.

16. A method for packet traceback in a wireless mesh or sensor network, comprising:
maintaining a real identity number (ID) for each forwarding node in a network, wherein each forwarding node includes a non-transitory computer readable storage medium for storing the ID;
computing an anonymous ID from the real ID based on a secret key known only to a current forwarding node and a sink;
generating a message authentication code (MAC) using the secret key for each forwarding node in a forwarding path to mark each packet with at least two probabilities, wherein each packet is marked, said mark including at least the node's MAC, such that each mark added protects all previously added marks;
tracing back the path to discover false data injection sources by:
determining the real ID from the anonymous ID for nodes in the network;
reconstructing a node route using marks present in each packet; and
verifying correctness of the MAC of each packet back through each forwarding node of the forwarding path using the real ID and the secret key to determine a last valid MAC in the forwarding path.
Dependent claims 17 to 21 are not reproduced here.

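A worked model of the chained marking and reverse-order verification described in the abstract and in claims 1 and 16, added here as an illustration; it is not code from the patent. It assumes HMAC-SHA256 truncated to 8 bytes as the signature, a 4-byte anonymous ID derived from the real ID under the node's key, deterministic rather than probabilistic marking, and constructed node IDs and keys.

```python
import hashlib, hmac
TAG_LEN = 8        # truncated MAC carried in each mark (constructed choice)
ANON_LEN = 4       # anonymous ID length (constructed choice)
MARK_LEN = ANON_LEN + TAG_LEN
# Constructed per-node secrets, each shared only between that node and the sink.
KEYS = {1: b"key-node-1", 2: b"key-node-2", 3: b"key-node-3", 4: b"key-node-4"}

def tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def anon_id(real_id, key):
    """Anonymous ID derived from the real ID under the node's secret key (claim 16)."""
    return tag(key, b"anon-id" + bytes([real_id]))[:ANON_LEN]

WIRE_IDS = {r: anon_id(r, k) for r, k in KEYS.items()}   # what appears on the wire

def mark(packet, real_id, key):
    """Append (anonymous ID, MAC); the MAC covers the payload and every earlier mark."""
    return packet + WIRE_IDS[real_id] + tag(key, packet)

def forward(payload, path):
    packet = len(payload).to_bytes(2, "big") + payload   # honest delivery along `path`
    for node in path:
        packet = mark(packet, node, KEYS[node])
    return packet

def inject_false_data(payload, forged_path, attacker, downstream):
    """Compromised node replays observed anonymous IDs but cannot forge their MACs."""
    packet = len(payload).to_bytes(2, "big") + payload
    for victim in forged_path:
        packet += WIRE_IDS[victim] + bytes(TAG_LEN)      # zero-filled, i.e. invalid, tag
    packet = mark(packet, attacker, KEYS[attacker])      # attacker's own mark is valid
    for node in downstream:                              # honest nodes keep marking
        packet = mark(packet, node, KEYS[node])
    return packet

def trace_back(packet):
    """Sink: verify marks in reverse order of addition, stopping at the first failure.
    Returns (nodes with valid marks in forwarding order, holder of the last valid MAC)."""
    anon_to_real = {v: r for r, v in WIRE_IDS.items()}
    head = 2 + int.from_bytes(packet[:2], "big")
    valid = []
    for off in reversed(range(head, len(packet), MARK_LEN)):
        real = anon_to_real.get(packet[off:off + ANON_LEN])
        if real is None or not hmac.compare_digest(
                packet[off + ANON_LEN:off + MARK_LEN], tag(KEYS[real], packet[:off])):
            break
        valid.append(real)
    valid.reverse()
    return valid, (valid[0] if valid else None)
```

Because every mark covers all marks before it, the honest marks downstream of the injecting node verify and the chain breaks exactly at the marks that node could not compute, so the holder of the last valid MAC is the injection point or a node colluding with it. The chain by itself does not detect a node that discards earlier marks before adding its own; that case needs the route reconstruction step of claim 16.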
22. A computer program product for packet traceback in wireless mesh or sensor networks comprising a non-transitory computer readable storage medium including a computer readable program, wherein the computer readable program when executed on a computer causes the computer to perform the steps of:
maintaining a real identity number (ID) for each forwarding node in a network;
computing an anonymous ID from the real ID based on a secret key known only to a current forwarding node and a sink;
generating a message authentication code (MAC) using the secret key for each forwarding node in a forwarding path to mark each packet with at least two probabilities, wherein each packet is marked, said mark including at least the node's MAC, such that each mark added protects all previously added marks;
tracing back the path to discover false data injection sources by:
determining the real ID from the anonymous ID for forwarding nodes in the network;
reconstructing a node route using marks present in each packet; and
verifying correctness of the MAC of each packet back through each forwarding node of the forwarding path using the real ID and the secret key to determine a last valid MAC in the forwarding path.